Skip to content

Prepare for v0.2.2 release #123

Prepare for v0.2.2 release

Prepare for v0.2.2 release #123

Workflow file for this run

name: Smoke Test
on:
pull_request: {}
push:
branches:
- main
jobs:
test:
runs-on: ubuntu-latest
name: Build and test
steps:
- name: Create the target kind cluster
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- name: Install Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
with:
go-version-file: 'go.mod'
- name: Build the certgen binary
run: |
go build -o certgen .
- name: Create the configuration file
run: |
cat <<EOF > config.yaml
certs:
- name: foo
namespace: ladybird
commonName: foo.cilium.io
hosts:
- foo.cilium.io
- qux.cilium.io
- 192.0.2.237
usage:
- signing
- key encipherment
- server auth
validity: 24h
- name: bar
namespace: ladybird
commonName: bar.cilium.io
usage:
- signing
- key encipherment
- client auth
validity: 3h
EOF
- name: Run and test
run: |
assert_equal() {
local got=$1
local expected=$2
if [[ "$got" != "$expected" ]]; then
echo "Equality assertion failed:"
echo "- expected: $expected"
echo "- got: $got"
return 1
fi
return 0
}
assert_not_equal() {
local first="$1"
local second="$2"
if [[ "$first" == "$second" ]]; then
echo "Inequality assertion failed:"
echo "- first: $first"
echo "- second: $second"
return 1
fi
return 0
}
assert_foo_cert() {
local crt="$1"
local ca="$2"
openssl verify -CAfile ${ca} ${crt}
assert_equal "$(openssl x509 -subject -noout -in ${crt})" "subject=CN = foo.cilium.io"
assert_equal "$(openssl x509 -ext subjectAltName -noout -in ${crt} | tail -n 1 | sed 's/^ *//')" "DNS:foo.cilium.io, DNS:qux.cilium.io, IP Address:192.0.2.237"
assert_equal "$(openssl x509 -ext keyUsage -noout -in ${crt} | tail -n 1 | sed 's/^ *//' )" "Digital Signature, Key Encipherment"
assert_equal "$(openssl x509 -ext extendedKeyUsage -noout -in ${crt} | tail -n 1 | sed 's/^ *//' )" "TLS Web Server Authentication"
openssl x509 -checkend 85800 -noout -in ${crt} # 25h50m
openssl x509 -checkend 87000 -noout -in ${crt} && exit 1 # 24h10m
return 0
}
assert_bar_cert() {
local crt="$1"
local ca="$2"
openssl verify -CAfile ${ca} ${crt}
assert_equal "$(openssl x509 -subject -noout -in ${crt})" "subject=CN = bar.cilium.io"
assert_equal "$(openssl x509 -ext subjectAltName -noout -in ${crt})" ""
assert_equal "$(openssl x509 -ext keyUsage -noout -in ${crt} | tail -n 1 | sed 's/^ *//' )" "Digital Signature, Key Encipherment"
assert_equal "$(openssl x509 -ext extendedKeyUsage -noout -in ${crt} | tail -n 1 | sed 's/^ *//' )" "TLS Web Client Authentication"
openssl x509 -checkend 10200 -noout -in ${crt} # 2h50m
openssl x509 -checkend 11400 -noout -in ${crt} && exit 1 # 3h10m
return 0
}
# Create the target namespaces
kubectl create namespace weasel
kubectl create namespace ladybird
echo
echo "Generating certificates"
./certgen \
--k8s-kubeconfig-path=${HOME}/.kube/config \
--ca-generate --ca-reuse-secret \
--ca-secret-namespace=weasel \
--ca-secret-name=the-ca \
--ca-common-name="The CA" \
--ca-validity-duration=48h \
--config-file=config.yaml
echo
echo "Retrieving and verifying CA certificate"
kubectl get secret -n weasel the-ca --template='{{ index .data "ca.crt" }}' | base64 -d > ca.crt
openssl x509 -text -noout -in ca.crt
openssl verify -CAfile ca.crt ca.crt
assert_equal "$(openssl x509 -subject -noout -in ca.crt)" "subject=CN = The CA"
openssl x509 -checkend 172200 -noout -in ca.crt # 47h50m
openssl x509 -checkend 173400 -noout -in ca.crt && exit 1 # 48h10m
echo
echo "Retrieving and verifying 'foo' certificate"
kubectl get secret -n ladybird foo --template='{{ index .data "tls.crt" }}' | base64 -d > foo.crt
kubectl get secret -n ladybird foo --template='{{ index .data "ca.crt" }}' | base64 -d > foo.ca.crt
openssl x509 -text -noout -in foo.crt
assert_foo_cert foo.crt ca.crt
assert_equal "$(cat foo.ca.crt)" "$(cat ca.crt)"
echo
echo "Retrieving and verifying 'bar' certificate"
kubectl get secret -n ladybird bar --template='{{ index .data "tls.crt" }}' | base64 -d > bar.crt
kubectl get secret -n ladybird bar --template='{{ index .data "ca.crt" }}' | base64 -d > bar.ca.crt
openssl x509 -text -noout -in bar.crt
assert_bar_cert bar.crt ca.crt
assert_equal "$(cat bar.ca.crt)" "$(cat ca.crt)"
echo
echo "Regenerating certificates"
CILIUM_CERTGEN_CONFIG="$(cat config.yaml)" ./certgen \
--k8s-kubeconfig-path=${HOME}/.kube/config \
--ca-generate --ca-reuse-secret \
--ca-secret-namespace=weasel \
--ca-secret-name=the-ca \
--ca-common-name="The CA" \
--ca-validity-duration=48h
echo
echo "Retrieving and verifying CA certificate"
kubectl get secret -n weasel the-ca --template='{{ index .data "ca.crt" }}' | base64 -d > ca.new.crt
openssl x509 -text -noout -in ca.new.crt
# The CA certificate should not have been regenerated
assert_equal "$(cat ca.new.crt)" "$(cat ca.crt)"
echo
echo "Retrieving and verifying 'foo' certificate"
kubectl get secret -n ladybird foo --template='{{ index .data "tls.crt" }}' | base64 -d > foo.new.crt
kubectl get secret -n ladybird foo --template='{{ index .data "ca.crt" }}' | base64 -d > bar.ca.crt
openssl x509 -text -noout -in foo.new.crt
# The foo certificate should have been regenerated
assert_not_equal "$(openssl x509 -serial -noout -in foo.crt)" "$(openssl x509 -serial -noout -in foo.new.crt)"
assert_foo_cert foo.new.crt ca.crt
assert_equal "$(cat foo.ca.crt)" "$(cat ca.crt)"
echo
echo "Retrieving and verifying 'bar' certificate"
kubectl get secret -n ladybird bar --template='{{ index .data "tls.crt" }}' | base64 -d > bar.new.crt
kubectl get secret -n ladybird bar --template='{{ index .data "ca.crt" }}' | base64 -d > bar.ca.crt
openssl x509 -text -noout -in bar.new.crt
# The bar certificate should have been regenerated
assert_not_equal "$(openssl x509 -serial -noout -in bar.crt)" "$(openssl x509 -serial -noout -in bar.new.crt)"
assert_bar_cert bar.new.crt ca.crt
assert_equal "$(cat bar.ca.crt)" "$(cat ca.crt)"