Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: f11b6cf217
Branches Tags
custom-kube-...
/
kubernetes
/
cmd
/
kubeadm
/
app
/
phases
/
certs
/
renewal
/
manager_test.go

manager_test.go 8.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275 
  1. /*
    2. 

  2. Copyright 2019 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package renewal
    18. 

  18. 

  19. import (
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"crypto/x509/pkix"
    22. 

  22. 	"fmt"
    23. 

  23. 	"net"
    24. 

  24. 	"os"
    25. 

  25. 	"path/filepath"
    26. 

  26. 	"testing"
    27. 

  27. 	"time"
    28. 

  28. 

  29. 	certutil "k8s.io/client-go/util/cert"
    30. 

  30. 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
    31. 

  31. 	certtestutil "k8s.io/kubernetes/cmd/kubeadm/app/util/certs"
    32. 

  32. 	"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
    33. 

  33. 	testutil "k8s.io/kubernetes/cmd/kubeadm/test"
    34. 

  34. )
    35. 

  35. 

  36. var (
    37. 

  37. 	testCACertCfg = &pkiutil.CertConfig{
    38. 

  38. 		Config: certutil.Config{CommonName: "kubernetes"},
    39. 

  39. 	}
    40. 

  40. 

  41. 	testCACert, testCAKey, _ = pkiutil.NewCertificateAuthority(testCACertCfg)
    42. 

  42. 

  43. 	testCertCfg = &pkiutil.CertConfig{
    44. 

  44. 		Config: certutil.Config{
    45. 

  45. 			CommonName:   "test-common-name",
    46. 

  46. 			Organization: []string{"sig-cluster-lifecycle"},
    47. 

  47. 			AltNames: certutil.AltNames{
    48. 

  48. 				IPs:      []net.IP{net.ParseIP("10.100.0.1")},
    49. 

  49. 				DNSNames: []string{"test-domain.space"},
    50. 

  50. 			},
    51. 

  51. 			Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
    52. 

  52. 		},
    53. 

  53. 	}
    54. 

  54. )
    55. 

  55. 

  56. func TestNewManager(t *testing.T) {
    57. 

  57. 	tests := []struct {
    58. 

  58. 		name                 string
    59. 

  59. 		cfg                  *kubeadmapi.ClusterConfiguration
    60. 

  60. 		expectedCertificates int
    61. 

  61. 	}{
    62. 

  62. 		{
    63. 

  63. 			name:                 "cluster with local etcd",
    64. 

  64. 			cfg:                  &kubeadmapi.ClusterConfiguration{},
    65. 

  65. 			expectedCertificates: 10, //[admin apiserver apiserver-etcd-client apiserver-kubelet-client controller-manager etcd/healthcheck-client etcd/peer etcd/server front-proxy-client scheduler]
    66. 

  66. 		},
    67. 

  67. 		{
    68. 

  68. 			name: "cluster with external etcd",
    69. 

  69. 			cfg: &kubeadmapi.ClusterConfiguration{
    70. 

  70. 				Etcd: kubeadmapi.Etcd{
    71. 

  71. 					External: &kubeadmapi.ExternalEtcd{},
    72. 

  72. 				},
    73. 

  73. 			},
    74. 

  74. 			expectedCertificates: 6, // [admin apiserver apiserver-kubelet-client controller-manager front-proxy-client scheduler]
    75. 

  75. 		},
    76. 

  76. 	}
    77. 

  77. 

  78. 	for _, test := range tests {
    79. 

  79. 		t.Run(test.name, func(t *testing.T) {
    80. 

  80. 			rm, err := NewManager(test.cfg, "")
    81. 

  81. 			if err != nil {
    82. 

  82. 				t.Fatalf("Failed to create the certificate renewal manager: %v", err)
    83. 

  83. 			}
    84. 

  84. 

  85. 			if len(rm.Certificates()) != test.expectedCertificates {
    86. 

  86. 				t.Errorf("Expected %d certificates, saw %d", test.expectedCertificates, len(rm.Certificates()))
    87. 

  87. 			}
    88. 

  88. 		})
    89. 

  89. 	}
    90. 

  90. }
    91. 

  91. 

  92. func TestRenewUsingLocalCA(t *testing.T) {
    93. 

  93. 	dir := testutil.SetupTempDir(t)
    94. 

  94. 	defer os.RemoveAll(dir)
    95. 

  95. 

  96. 	if err := pkiutil.WriteCertAndKey(dir, "ca", testCACert, testCAKey); err != nil {
    97. 

  97. 		t.Fatalf("couldn't write out CA certificate to %s", dir)
    98. 

  98. 	}
    99. 

  99. 

  100. 	cfg := &kubeadmapi.ClusterConfiguration{
    101. 

  101. 		CertificatesDir: dir,
    102. 

  102. 	}
    103. 

  103. 	rm, err := NewManager(cfg, dir)
    104. 

  104. 	if err != nil {
    105. 

  105. 		t.Fatalf("Failed to create the certificate renewal manager: %v", err)
    106. 

  106. 	}
    107. 

  107. 

  108. 	tests := []struct {
    109. 

  109. 		name           string
    110. 

  110. 		certName       string
    111. 

  111. 		createCertFunc func() *x509.Certificate
    112. 

  112. 	}{
    113. 

  113. 		{
    114. 

  114. 			name:     "Certificate renewal for a PKI certificate",
    115. 

  115. 			certName: "apiserver",
    116. 

  116. 			createCertFunc: func() *x509.Certificate {
    117. 

  117. 				return writeTestCertificate(t, dir, "apiserver", testCACert, testCAKey)
    118. 

  118. 			},
    119. 

  119. 		},
    120. 

  120. 		{
    121. 

  121. 			name:     "Certificate renewal for a certificate embedded in a kubeconfig file",
    122. 

  122. 			certName: "admin.conf",
    123. 

  123. 			createCertFunc: func() *x509.Certificate {
    124. 

  124. 				return writeTestKubeconfig(t, dir, "admin.conf", testCACert, testCAKey)
    125. 

  125. 			},
    126. 

  126. 		},
    127. 

  127. 	}
    128. 

  128. 

  129. 	for _, test := range tests {
    130. 

  130. 		t.Run(test.name, func(t *testing.T) {
    131. 

  131. 			cert := test.createCertFunc()
    132. 

  132. 

  133. 			time.Sleep(1 * time.Second)
    134. 

  134. 

  135. 			_, err := rm.RenewUsingLocalCA(test.certName)
    136. 

  136. 			if err != nil {
    137. 

  137. 				t.Fatalf("error renewing certificate: %v", err)
    138. 

  138. 			}
    139. 

  139. 

  140. 			newCert, err := rm.certificates[test.certName].readwriter.Read()
    141. 

  141. 			if err != nil {
    142. 

  142. 				t.Fatalf("error reading renewed certificate: %v", err)
    143. 

  143. 			}
    144. 

  144. 

  145. 			if newCert.SerialNumber.Cmp(cert.SerialNumber) == 0 {
    146. 

  146. 				t.Fatal("expected new certificate, but renewed certificate has same serial number")
    147. 

  147. 			}
    148. 

  148. 

  149. 			if !newCert.NotAfter.After(cert.NotAfter) {
    150. 

  150. 				t.Fatalf("expected new certificate with updated expiration, but renewed certificate has same NotAfter value: saw %s, expected greather than %s", newCert.NotAfter, cert.NotAfter)
    151. 

  151. 			}
    152. 

  152. 

  153. 			certtestutil.AssertCertificateIsSignedByCa(t, newCert, testCACert)
    154. 

  154. 			certtestutil.AssertCertificateHasClientAuthUsage(t, newCert)
    155. 

  155. 			certtestutil.AssertCertificateHasOrganizations(t, newCert, testCertCfg.Organization...)
    156. 

  156. 			certtestutil.AssertCertificateHasCommonName(t, newCert, testCertCfg.CommonName)
    157. 

  157. 			certtestutil.AssertCertificateHasDNSNames(t, newCert, testCertCfg.AltNames.DNSNames...)
    158. 

  158. 			certtestutil.AssertCertificateHasIPAddresses(t, newCert, testCertCfg.AltNames.IPs...)
    159. 

  159. 		})
    160. 

  160. 	}
    161. 

  161. }
    162. 

  162. 

  163. func TestCreateRenewCSR(t *testing.T) {
    164. 

  164. 	dir := testutil.SetupTempDir(t)
    165. 

  165. 	defer os.RemoveAll(dir)
    166. 

  166. 

  167. 	outdir := filepath.Join(dir, "out")
    168. 

  168. 

  169. 	if err := os.MkdirAll(outdir, 0755); err != nil {
    170. 

  170. 		t.Fatalf("couldn't create %s", outdir)
    171. 

  171. 	}
    172. 

  172. 

  173. 	if err := pkiutil.WriteCertAndKey(dir, "ca", testCACert, testCAKey); err != nil {
    174. 

  174. 		t.Fatalf("couldn't write out CA certificate to %s", dir)
    175. 

  175. 	}
    176. 

  176. 

  177. 	cfg := &kubeadmapi.ClusterConfiguration{
    178. 

  178. 		CertificatesDir: dir,
    179. 

  179. 	}
    180. 

  180. 	rm, err := NewManager(cfg, dir)
    181. 

  181. 	if err != nil {
    182. 

  182. 		t.Fatalf("Failed to create the certificate renewal manager: %v", err)
    183. 

  183. 	}
    184. 

  184. 

  185. 	tests := []struct {
    186. 

  186. 		name           string
    187. 

  187. 		certName       string
    188. 

  188. 		createCertFunc func() *x509.Certificate
    189. 

  189. 	}{
    190. 

  190. 		{
    191. 

  191. 			name:     "Creation of a CSR request for renewal of a PKI certificate",
    192. 

  192. 			certName: "apiserver",
    193. 

  193. 			createCertFunc: func() *x509.Certificate {
    194. 

  194. 				return writeTestCertificate(t, dir, "apiserver", testCACert, testCAKey)
    195. 

  195. 			},
    196. 

  196. 		},
    197. 

  197. 		{
    198. 

  198. 			name:     "Creation of a CSR request for renewal of a certificate embedded in a kubeconfig file",
    199. 

  199. 			certName: "admin.conf",
    200. 

  200. 			createCertFunc: func() *x509.Certificate {
    201. 

  201. 				return writeTestKubeconfig(t, dir, "admin.conf", testCACert, testCAKey)
    202. 

  202. 			},
    203. 

  203. 		},
    204. 

  204. 	}
    205. 

  205. 

  206. 	for _, test := range tests {
    207. 

  207. 		t.Run(test.name, func(t *testing.T) {
    208. 

  208. 			test.createCertFunc()
    209. 

  209. 

  210. 			time.Sleep(1 * time.Second)
    211. 

  211. 

  212. 			err := rm.CreateRenewCSR(test.certName, outdir)
    213. 

  213. 			if err != nil {
    214. 

  214. 				t.Fatalf("error renewing certificate: %v", err)
    215. 

  215. 			}
    216. 

  216. 

  217. 			file := fmt.Sprintf("%s.key", test.certName)
    218. 

  218. 			if _, err := os.Stat(filepath.Join(outdir, file)); os.IsNotExist(err) {
    219. 

  219. 				t.Errorf("Expected file %s does not exist", file)
    220. 

  220. 			}
    221. 

  221. 

  222. 			file = fmt.Sprintf("%s.csr", test.certName)
    223. 

  223. 			if _, err := os.Stat(filepath.Join(outdir, file)); os.IsNotExist(err) {
    224. 

  224. 				t.Errorf("Expected file %s does not exist", file)
    225. 

  225. 			}
    226. 

  226. 		})
    227. 

  227. 	}
    228. 

  228. 

  229. }
    230. 

  230. 

  231. func TestCertToConfig(t *testing.T) {
    232. 

  232. 	expectedConfig := &certutil.Config{
    233. 

  233. 		CommonName:   "test-common-name",
    234. 

  234. 		Organization: []string{"sig-cluster-lifecycle"},
    235. 

  235. 		AltNames: certutil.AltNames{
    236. 

  236. 			IPs:      []net.IP{net.ParseIP("10.100.0.1")},
    237. 

  237. 			DNSNames: []string{"test-domain.space"},
    238. 

  238. 		},
    239. 

  239. 		Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
    240. 

  240. 	}
    241. 

  241. 

  242. 	cert := &x509.Certificate{
    243. 

  243. 		Subject: pkix.Name{
    244. 

  244. 			CommonName:   "test-common-name",
    245. 

  245. 			Organization: []string{"sig-cluster-lifecycle"},
    246. 

  246. 		},
    247. 

  247. 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
    248. 

  248. 		DNSNames:    []string{"test-domain.space"},
    249. 

  249. 		IPAddresses: []net.IP{net.ParseIP("10.100.0.1")},
    250. 

  250. 	}
    251. 

  251. 

  252. 	cfg := certToConfig(cert)
    253. 

  253. 

  254. 	if cfg.CommonName != expectedConfig.CommonName {
    255. 

  255. 		t.Errorf("expected common name %q, got %q", expectedConfig.CommonName, cfg.CommonName)
    256. 

  256. 	}
    257. 

  257. 

  258. 	if len(cfg.Organization) != 1 || cfg.Organization[0] != expectedConfig.Organization[0] {
    259. 

  259. 		t.Errorf("expected organization %v, got %v", expectedConfig.Organization, cfg.Organization)
    260. 

  260. 

  261. 	}
    262. 

  262. 

  263. 	if len(cfg.Usages) != 1 || cfg.Usages[0] != expectedConfig.Usages[0] {
    264. 

  264. 		t.Errorf("expected ext key usage %v, got %v", expectedConfig.Usages, cfg.Usages)
    265. 

  265. 	}
    266. 

  266. 

  267. 	if len(cfg.AltNames.IPs) != 1 || cfg.AltNames.IPs[0].String() != expectedConfig.AltNames.IPs[0].String() {
    268. 

  268. 		t.Errorf("expected SAN IPs %v, got %v", expectedConfig.AltNames.IPs, cfg.AltNames.IPs)
    269. 

  269. 	}
    270. 

  270. 

  271. 	if len(cfg.AltNames.DNSNames) != 1 || cfg.AltNames.DNSNames[0] != expectedConfig.AltNames.DNSNames[0] {
    272. 

  272. 		t.Errorf("expected SAN DNSNames %v, got %v", expectedConfig.AltNames.DNSNames, cfg.AltNames.DNSNames)
    273. 

  273. 	}
    274. 

  274. }
    275. 

  275.