Use privateCA for Rancher on dev environment
Signed-off-by: Andrea Mazzotti <[email protected]>
anmazzotti committed Oct 1, 2024
1 parent 08f6cda commit 12f522e
Showing 3 changed files with 109 additions and 2 deletions.
61 changes: 59 additions & 2 deletions tests/e2e/e2e_suite_test.go
Expand Up @@ -23,6 +23,7 @@ import (
"io"
"net/http"
"os"
"os/exec"
"path/filepath"
"strings"
"testing"
Expand Down Expand Up @@ -199,7 +200,49 @@ var _ = BeforeSuite(func() {
}, 5*time.Minute, 2*time.Second).Should(BeTrue())
})

By("installing rancher: "+e2eCfg.RancherVersion, func() {
By("creating cattle-system namespace", func() {
Expect(kubectl.Apply(testRegistryNamespace, "../manifests/cattle-system-namespace.yaml")).To(Succeed())
})

By("installing a self-signed CA", func() {
Expect(kubectl.Apply("cattle-system", "../manifests/test-private-ca.yaml")).To(Succeed())

Eventually(func() bool {
return doesSecretExist("cattle-system", "tls-ca")
}, 5*time.Minute, 2*time.Second).Should(BeTrue())
Eventually(func() bool {
return doesSecretExist("cattle-system", "tls-rancher-ingress")
}, 5*time.Minute, 2*time.Second).Should(BeTrue())

// We need to cope with the arbitrary and hardcoded `cacerts.pem` secret key
// See https://github.com/rancher/rancher/issues/36994

// For this reason we fetch the cert-manager generated data['tls.crt'] from the tls-ca secret,
// and we copy its value to data['cacerts.pem'] where Rancher expects it.
// See the rancher Deployment in cattle-system namespace for more info on how this is mounted.

printCA := "-n cattle-system get secret tls-ca -o jsonpath=\"{.data['tls\\.crt']}\""
caCert, err := kubectl.Run(strings.Split(printCA, " ")...)
caCert = strings.ReplaceAll(caCert, `"`, "")
Expect(err).ShouldNot(HaveOccurred())

//patch := fmt.Sprintf(`-n cattle-system patch secret tls-ca -p "{\"data\":{\"cacerts.pem\":\"%s\"}}"`, caCert)
//_, err = kubectl.Run(strings.Split(patch, " ")...)
//Expect(err).ShouldNot(HaveOccurred())

// If you wonder what the heck is happening here with the bash script, uncomment the lines above and knock yourself out.
// It has been a long day.
patchScript := fmt.Sprintf(`kubectl -n cattle-system patch secret tls-ca -p '{"data":{"cacerts.pem":"%s"}}'`, caCert)
os.WriteFile("/tmp/kubectl-patch-tls-ca.sh", []byte(patchScript), os.ModePerm)
cmd := exec.Command("bash", "/tmp/kubectl-patch-tls-ca.sh")
output, err := cmd.CombinedOutput()
if err != nil {
fmt.Printf("Failed to patch tls-ca: %s\n", string(output))
}
Expect(err).ShouldNot(HaveOccurred())
})

By("installing rancher"+e2eCfg.RancherVersion, func() {
if isAlreadyInstalled(cattleSystemNamespace) {
By("already installed")
return
Expand All @@ -218,8 +261,8 @@ var _ = BeforeSuite(func() {
"--set", "extraEnv[0].value=https://"+hostname,
"--set", "extraEnv[1].name=CATTLE_BOOTSTRAP_PASSWORD",
"--set", "extraEnv[1].value="+password,
"--set", "privateCA=true",
"--namespace", cattleSystemNamespace,
"--create-namespace",
)).To(Succeed())

Eventually(func() bool {
Expand Down Expand Up @@ -380,6 +423,20 @@ func isDeploymentReady(namespace, name string) bool {
return false
}

func doesSecretExist(namespace, name string) bool {
secret := &corev1.Secret{}
if err := cl.Get(ctx,
runtimeclient.ObjectKey{
Namespace: namespace,
Name: name,
},
secret,
); err != nil {
return false
}
return true
}

func collectArtifacts() {
By("Creating artifact directory")
if _, err := os.Stat(e2eCfg.ArtifactsDir); os.IsNotExist(err) {
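Review bot: The patch step at `os.WriteFile("/tmp/kubectl-patch-tls-ca.sh", []byte(patchScript), os.ModePerm)` writes a script to a fixed, predictable path in the shared /tmp directory with 0777 permissions, ignores the WriteFile error, and then executes it through bash; a world-writable script at a known path can be replaced by any other local user between the write and the exec, and a failed write would silently run whatever file is already there. The shell detour appears to exist only because kubectl.Run splits its argument string on spaces, which breaks the JSON patch (the commented-out attempt above shows this); passing the arguments to exec directly needs no file and no shell: `patch := fmt.Sprintf("{\"data\":{\"cacerts.pem\":\"%s\"}}", caCert)` and `cmd := exec.Command("kubectl", "-n", "cattle-system", "patch", "secret", "tls-ca", "-p", patch)`, keeping the CombinedOutput and Expect lines as they are, after which the two commented-out lines and the "knock yourself out" comment can be dropped. `Expect(err).ShouldNot(HaveOccurred())` for the kubectl.Run call is placed after `strings.ReplaceAll` already consumed caCert; moving the check directly under the call keeps the failure message pointing at the right step. Unrelated to that, `By("installing rancher"+e2eCfg.RancherVersion, ...)` lost the `: ` separator the removed line had, so the step now prints as `installing rancherv2.x`. The BeforeSuite body this hunk sits in starts and ends outside the hunk.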
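--- a/tests/manifests/cattle-system-namespace.yaml
+++ b/tests/manifests/cattle-system-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: cattle-system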
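--- a/tests/manifests/test-private-ca.yaml
+++ b/tests/manifests/test-private-ca.yaml
@@ -0,0 +1,46 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: tls-ca
+namespace: cattle-system
+spec:
+commonName: elemental-selfsigned-ca
+duration: 94800h
+isCA: true
+issuerRef:
+kind: Issuer
+name: elemental-selfsigned
+renewBefore: 360h
+secretName: tls-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: tls-rancher-ingress
+namespace: cattle-system
+spec:
+dnsNames:
+- 172.18.0.2.sslip.io
+duration: 9480h
+issuerRef:
+kind: Issuer
+name: elemental-ca
+renewBefore: 360h
+secretName: tls-rancher-ingress
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: elemental-ca
+namespace: cattle-system
+spec:
+ca:
+secretName: tls-ca
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: elemental-selfsigned
+namespace: cattle-system
+spec:
+selfSigned: {}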
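Review bot: The `dnsNames` entry `172.18.0.2.sslip.io` hardcodes a node IP into the ingress certificate, so the certificate only verifies when the dev cluster happens to get that address and the `hostname` the Go suite passes in `extraEnv[0].value=https://` matches it exactly; nothing visible ties the two values together, so a drift between them surfaces only as a TLS verification failure later in the run. Either template this manifest from the same value the suite uses, or add a comment next to the entry: `# must match the Rancher hostname configured by tests/e2e/e2e_suite_test.go`. The durations `94800h` on tls-ca and `9480h` on tls-rancher-ingress differ by exactly a factor of ten, which reads like a typo in one of them; if a long-lived CA and a roughly one-year leaf is intended, a short comment on each would make that explicit. The `elemental-ca` Issuer references `tls-ca` before that secret can exist; presumably cert-manager retries until the CA certificate is issued, but that ordering dependency is worth a line in the manifest so the two Certificate resources are not reordered.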
