diff --git a/.action_templates/jobs/tests.yaml b/.action_templates/jobs/tests.yaml
index 9c893c38c..037749fab 100644
--- a/.action_templates/jobs/tests.yaml
+++ b/.action_templates/jobs/tests.yaml
@@ -25,6 +25,8 @@ tests:
 distro: ubuntu
 - test-name: replica_set_tls
 distro: ubuntu
+ - test-name: replica_set_tls_pem_file
+ distro: ubuntu
 - test-name: replica_set_tls_upgrade
 distro: ubuntu
 - test-name: statefulset_arbitrary_config
@@ -65,6 +67,8 @@ tests:
 distro: ubi
 - test-name: replica_set_tls_upgrade
 distro: ubi
+ - test-name: replica_set_tls_pem_file
+ distro: ubi
 - test-name: statefulset_arbitrary_config
 distro: ubi
 - test-name: statefulset_arbitrary_config_update
diff --git a/.github/workflows/e2e-fork.yml b/.github/workflows/e2e-fork.yml
index d6bb954bc..0e2f6b0b9 100644
--- a/.github/workflows/e2e-fork.yml
+++ b/.github/workflows/e2e-fork.yml
@@ -107,6 +107,8 @@ jobs:
 distro: ubuntu
 - test-name: replica_set_tls
 distro: ubuntu
+ - test-name: replica_set_tls_pem_file
+ distro: ubuntu
 - test-name: replica_set_tls_upgrade
 distro: ubuntu
 - test-name: statefulset_arbitrary_config
@@ -147,6 +149,8 @@ jobs:
 distro: ubi
 - test-name: replica_set_tls_upgrade
 distro: ubi
+ - test-name: replica_set_tls_pem_file
+ distro: ubi
 - test-name: statefulset_arbitrary_config
 distro: ubi
 - test-name: statefulset_arbitrary_config_update
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 4d695e8fc..d00ca1800 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -112,6 +112,8 @@ jobs:
 distro: ubuntu
 - test-name: replica_set_tls
 distro: ubuntu
+ - test-name: replica_set_tls_pem_file
+ distro: ubuntu
 - test-name: replica_set_tls_upgrade
 distro: ubuntu
 - test-name: statefulset_arbitrary_config
@@ -152,6 +154,8 @@ jobs:
 distro: ubi
 - test-name: replica_set_tls_upgrade
 distro: ubi
+ - test-name: replica_set_tls_pem_file
+ distro: ubi
 - test-name: statefulset_arbitrary_config
 distro: ubi
 - test-name: statefulset_arbitrary_config_update
diff --git a/api/v1/mongodbcommunity_types.go b/api/v1/mongodbcommunity_types.go index cfec1a43c..33d3f8005 100644 --- a/api/v1/mongodbcommunity_types.go +++ b/api/v1/mongodbcommunity_types.go @@ -321,6 +321,8 @@ type TLS struct { // CertificateKeySecret is a reference to a Secret containing a private key and certificate to use for TLS. // The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt". // This is the same format used for the standard "kubernetes.io/tls" Secret type, but no specific type is required. + // Alternatively, an entry tls.pem, containing the concatenation of cert and key, can be provided. + // If all of tls.pem, tls.crt and tls.key are present, the tls.pem one needs to be equal to the concatenation of tls.crt and tls.key // +optional CertificateKeySecret LocalObjectReference `json:"certificateKeySecretRef"` diff --git a/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml b/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml index 7db8ac068..1bec50498 100644 --- a/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml +++ b/config/crd/bases/mongodbcommunity.mongodb.com_mongodbcommunity.yaml @@ -207,7 +207,11 @@ spec: The key and cert are expected to be PEM encoded and available at "tls.key" and "tls.crt". This is the same format used for the standard "kubernetes.io/tls" Secret type, but no - specific type is required. + specific type is required. Alternatively, an entry tls.pem, + containing the concatenation of cert and key, can be provided. + If all of tls.pem, tls.crt and tls.key are present, the + tls.pem one needs to be equal to the concatenation of tls.crt + and tls.key properties: name: type: string diff --git a/controllers/mongodb_tls.go b/controllers/mongodb_tls.go index eda541f46..7ca9d6b8e 100644 --- a/controllers/mongodb_tls.go +++ b/controllers/mongodb_tls.go 
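Review bot: The two new doc lines on `CertificateKeySecret` say `tls.pem` must equal "the concatenation of cert and key" but never state what the operator actually compares against: `combineCertificateAndKey` in controllers/mongodb_tls.go (elsewhere in this diff) joins the two values with a single newline after trimming them, so a user cannot reliably produce a matching `tls.pem` from this text alone. Suggest replacing the second added line with `// If tls.pem, tls.crt and tls.key are all present, tls.pem must equal tls.crt followed by a newline and tls.key, with surrounding whitespace removed.` (which also adds the missing terminating period). The CRD description in config/crd/bases appears to be generated from this comment and would inherit the clearer wording on regeneration.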
@@ -5,8 +5,6 @@ import ( "fmt" "strings" - "github.com/pkg/errors" - "github.com/mongodb/mongodb-kubernetes-operator/controllers/construct" "github.com/mongodb/mongodb-kubernetes-operator/pkg/automationconfig" @@ -28,6 +26,7 @@ const ( tlsOperatorSecretMountPath = "/var/lib/tls/server/" //nolint tlsSecretCertName = "tls.crt" //nolint tlsSecretKeyName = "tls.key" + tlsSecretPemName = "tls.pem" ) // validateTLSConfig will check that the configured ConfigMap and Secret exist and that they have the correct fields. @@ -56,7 +55,7 @@ func (r *ReplicaSetReconciler) validateTLSConfig(mdb mdbv1.MongoDBCommunity) (bo } // Ensure Secret exists - secretData, err := secret.ReadStringData(r.client, mdb.TLSSecretNamespacedName()) + _, err = secret.ReadStringData(r.client, mdb.TLSSecretNamespacedName()) if err != nil { if apiErrors.IsNotFound(err) { r.log.Warnf(`Secret "%s" not found`, mdb.TLSSecretNamespacedName()) @@ -66,13 +65,11 @@ func (r *ReplicaSetReconciler) validateTLSConfig(mdb mdbv1.MongoDBCommunity) (bo return false, err } - // Ensure Secret has "tls.crt" and "tls.key" fields - if key, ok := secretData[tlsSecretKeyName]; !ok || key == "" { - r.log.Warnf(`Secret "%s" should have a key in field "%s"`, mdb.TLSSecretNamespacedName(), tlsSecretKeyName) - return false, nil - } - if cert, ok := secretData[tlsSecretCertName]; !ok || cert == "" { - r.log.Warnf(`Secret "%s" should have a certificate in field "%s"`, mdb.TLSSecretNamespacedName(), tlsSecretKeyName) + // validate whether the secret contains "tls.crt" and "tls.key", or it contains "tls.pem" + // if it contains all three, then the pem entry should be equal to the concatenation of crt and key + _, err = getPemOrConcatenatedCrtAndKey(r.client, mdb) + if err != nil { + r.log.Warnf(err.Error()) return false, nil } 
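Review bot: `r.log.Warnf(err.Error())` in validateTLSConfig passes the error text as the format string; it is built from constants today so it renders correctly, but `go vet`'s printf check flags it and any future `%` in the message would be misinterpreted, so prefer `r.log.Warnf("%s", err)`. The larger concern is that every `secret.ReadKey` failure inside `getPemOrConcatenatedCrtAndKey` is collapsed to an empty string, so a transient API error on the second or third read of the same Secret is reported to the user as a malformed Secret and returned as `false, nil` instead of as an error the reconciler would retry. The Secret is now fetched once for the existence check (its data discarded via `_`) and then again per entry; reading it once and inspecting the returned data map would remove the extra round-trips and the window in which the entries can change between reads. validateTLSConfig's signature and tail lie outside these hunks.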
@@ -90,7 +87,7 @@ func getTLSConfigModification(getUpdateCreator secret.GetUpdateCreator, mdb mdbv
 return automationconfig.NOOP(), nil
 }
- certKey, err := getCertAndKey(getUpdateCreator, mdb)
+ certKey, err := getPemOrConcatenatedCrtAndKey(getUpdateCreator, mdb)
 if err != nil {
 return automationconfig.NOOP(), err
 }
@@ -99,18 +96,27 @@ func getTLSConfigModification(getUpdateCreator secret.GetUpdateCreator, mdb mdbv
 }
 // getCertAndKey will fetch the certificate and key from the user-provided Secret.
-func getCertAndKey(getter secret.Getter, mdb mdbv1.MongoDBCommunity) (string, error) {
+func getCertAndKey(getter secret.Getter, mdb mdbv1.MongoDBCommunity) string {
 cert, err := secret.ReadKey(getter, tlsSecretCertName, mdb.TLSSecretNamespacedName())
 if err != nil {
- return "", err
+ return ""
 }
 key, err := secret.ReadKey(getter, tlsSecretKeyName, mdb.TLSSecretNamespacedName())
 if err != nil {
- return "", err
+ return ""
 }
- return combineCertificateAndKey(cert, key), nil
+ return combineCertificateAndKey(cert, key)
+}
+
+// getPem will fetch the pem from the user-provided secret
+func getPem(getter secret.Getter, mdb mdbv1.MongoDBCommunity) string {
+ pem, err := secret.ReadKey(getter, tlsSecretPemName, mdb.TLSSecretNamespacedName())
+ if err != nil {
+ return ""
+ }
+ return pem
 }
 func combineCertificateAndKey(cert, key string) string { 
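Review bot: `getCertAndKey` now returns `""` on any `secret.ReadKey` error, so a genuinely absent `tls.key` and a failed read are indistinguishable to its caller, which reports both as a configuration problem; `getPem` has the same shape. If `secret.ReadKey` distinguishes a missing entry from an API failure (its implementation is not visible here), keep that distinction by returning `(string, error)` and letting callers treat only the missing-entry case as "not provided". At minimum the contract should be written down: `// getCertAndKey returns the combined certificate and key, or "" when either entry is absent or cannot be read.` and `getPem`'s comment should end with a period. Note also that a Secret holding `tls.crt` but no `tls.key` is treated as holding neither, so a typo in one entry name alongside a valid `tls.pem` produces no warning at all.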
@@ -119,12 +125,34 @@ func combineCertificateAndKey(cert, key string) string {
 return fmt.Sprintf("%s\n%s", trimmedCert, trimmedKey)
 }
+// getPemOrConcatenatedCrtAndKey will get the final PEM to write to the secret.
+// This is either the tls.pem entry in the given secret, or the concatenation
+// of tls.crt and tls.key
+// It performs a basic validation on the entries.
+func getPemOrConcatenatedCrtAndKey(getter secret.Getter, mdb mdbv1.MongoDBCommunity) (string, error) {
+ certKey := getCertAndKey(getter, mdb)
+ pem := getPem(getter, mdb)
+ if certKey == "" && pem == "" {
+ return "", fmt.Errorf(`Neither "%s" nor the pair "%s"/"%s" were present in the TLS secret`, tlsSecretPemName, tlsSecretCertName, tlsSecretKeyName)
+ }
+ if certKey == "" {
+ return pem, nil
+ }
+ if pem == "" {
+ return certKey, nil
+ }
+ if certKey != pem {
+ return "", fmt.Errorf(`If all of "%s", "%s" and "%s" are present in the secret, the entry for "%s" must be equal to the concatenation of "%s" with "%s"`, tlsSecretCertName, tlsSecretKeyName, tlsSecretPemName, tlsSecretPemName, tlsSecretCertName, tlsSecretKeyName)
+ }
+ return certKey, nil
+}
+
+// ensureTLSSecret will create or update the operator-managed Secret containing
+// the concatenated certificate and key from the user-provided Secret.
 func ensureTLSSecret(getUpdateCreator secret.GetUpdateCreator, mdb mdbv1.MongoDBCommunity) error {
- certKey, err := getCertAndKey(getUpdateCreator, mdb)
+ certKey, err := getPemOrConcatenatedCrtAndKey(getUpdateCreator, mdb)
 if err != nil {
- return errors.Errorf("could not get cert and key: %s", err)
+ return err
 }
 // Calculate file name from certificate and key
 fileName := tlsOperatorSecretFileName(certKey)
diff --git a/controllers/mongodb_tls_test.go b/controllers/mongodb_tls_test.go
index 650fd264f..983d343c4 100644
--- a/controllers/mongodb_tls_test.go
+++ b/controllers/mongodb_tls_test.go
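Review bot: `certKey != pem` compares the output of `combineCertificateAndKey`, which is built from trimmed values (the trimming lines sit just above this hunk), against the raw `tls.pem` entry, so a `tls.pem` that ends with a trailing newline — the normal shape of a file-sourced Secret entry — fails the all-three check even though its content matches; normalise first, e.g. `pem := strings.TrimSpace(getPem(getter, mdb))`, assuming `combineCertificateAndKey` trims with `strings.TrimSpace` as its variable names suggest. The two new error strings begin with a capital letter, against Go convention, and the doc comment's "basic validation" is only a presence/equality check: a Secret carrying arbitrary text is accepted here and the failure surfaces only when mongod refuses its certificate. Decoding the chosen value with `encoding/pem` and requiring at least one CERTIFICATE and one PRIVATE KEY block (both types appear in testdata/tls/server.pem in this diff) would make that misconfiguration visible in the operator's own validation step; the local variable `pem` would need renaming to avoid shadowing the package. The helper below could be applied to the value each `return` in getPemOrConcatenatedCrtAndKey hands back.

```go
// hasCertificateAndKeyBlocks reports whether data holds at least one
// CERTIFICATE block and one PRIVATE KEY block, so a non-PEM entry is
// rejected during validation rather than when mongod starts.
func hasCertificateAndKeyBlocks(data string) bool {
	var haveCert, haveKey bool
	rest := []byte(data)
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return haveCert && haveKey
		}
		switch {
		case block.Type == "CERTIFICATE":
			haveCert = true
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			haveKey = true
		}
	}
}
// … unchanged: getPemOrConcatenatedCrtAndKey, ensureTLSSecret …
```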
@@ -23,7 +23,10 @@ func TestStatefulSet_IsCorrectlyConfiguredWithTLS(t *testing.T) {
 mdb := newTestReplicaSetWithTLS()
 mgr := client.NewManager(&mdb)
- err := createTLSSecretAndConfigMap(mgr.GetClient(), mdb)
+ client := mdbClient.NewClient(mgr.GetClient())
+ err := createTLSSecret(client, mdb, "CERT", "KEY", "")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(client, mdb)
 assert.NoError(t, err)
 r := NewReconciler(mgr)
@@ -82,7 +85,9 @@ func TestStatefulSet_IsCorrectlyConfiguredWithTLS(t *testing.T) {
 func TestAutomationConfig_IsCorrectlyConfiguredWithTLS(t *testing.T) {
 createAC := func(mdb mdbv1.MongoDBCommunity) automationconfig.AutomationConfig {
 client := mdbClient.NewClient(client.NewManager(&mdb).GetClient())
- err := createTLSSecretAndConfigMap(client, mdb)
+ err := createTLSSecret(client, mdb, "CERT", "KEY", "")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(client, mdb)
 assert.NoError(t, err)
 tlsModification, err := getTLSConfigModification(client, mdb)
@@ -151,7 +156,9 @@ func TestTLSOperatorSecret(t *testing.T) {
 t.Run("Secret is created if it doesn't exist", func(t *testing.T) {
 mdb := newTestReplicaSetWithTLS()
 c := mdbClient.NewClient(client.NewManager(&mdb).GetClient())
- err := createTLSSecretAndConfigMap(c, mdb)
+ err := createTLSSecret(c, mdb, "CERT", "KEY", "")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(c, mdb)
 assert.NoError(t, err)
 r := NewReconciler(client.NewManagerWithClient(c))
@@ -159,7 +166,7 @@ func TestTLSOperatorSecret(t *testing.T) {
 err = r.ensureTLSResources(mdb)
 assert.NoError(t, err)
- // Operator-managed secret should have been created and contain the
+ // Operator-managed secret should have been created and contains the
 // concatenated certificate and key.
 expectedCertificateKey := "CERT\nKEY"
 certificateKey, err := secret.ReadKey(c, tlsOperatorSecretFileName(expectedCertificateKey), mdb.TLSOperatorSecretNamespacedName()) 
@@ -170,7 +177,9 @@ func TestTLSOperatorSecret(t *testing.T) {
 t.Run("Secret is updated if it already exists", func(t *testing.T) {
 mdb := newTestReplicaSetWithTLS()
 k8sclient := mdbClient.NewClient(client.NewManager(&mdb).GetClient())
- err := createTLSSecretAndConfigMap(k8sclient, mdb)
+ err := createTLSSecret(k8sclient, mdb, "CERT", "KEY", "")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(k8sclient, mdb)
 assert.NoError(t, err)
 // Create operator-managed secret 
@@ -215,29 +224,89 @@ func TestCombineCertificateAndKey(t *testing.T) {
 }
 }
-func createTLSSecretAndConfigMap(c k8sClient.Client, mdb mdbv1.MongoDBCommunity) error {
- s := secret.Builder().
- SetName(mdb.Spec.Security.TLS.CertificateKeySecret.Name).
- SetNamespace(mdb.Namespace).
- SetField("tls.crt", "CERT").
- SetField("tls.key", "KEY").
- Build()
+func TestPemSupport(t *testing.T) {
+ t.Run("Success if only pem is provided", func(t *testing.T) {
+ mdb := newTestReplicaSetWithTLS()
+ c := mdbClient.NewClient(client.NewManager(&mdb).GetClient())
+ err := createTLSSecret(c, mdb, "", "", "CERT\nKEY")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(c, mdb)
+ assert.NoError(t, err)
- err := c.Create(context.TODO(), &s)
- if err != nil {
- return err
- }
+ r := NewReconciler(client.NewManagerWithClient(c))
+
+ err = r.ensureTLSResources(mdb)
+ assert.NoError(t, err)
+
+ // Operator-managed secret should have been created and contains the
+ // concatenated certificate and key.
+ expectedCertificateKey := "CERT\nKEY"
+ certificateKey, err := secret.ReadKey(c, tlsOperatorSecretFileName(expectedCertificateKey), mdb.TLSOperatorSecretNamespacedName())
+ assert.NoError(t, err)
+ assert.Equal(t, expectedCertificateKey, certificateKey)
+ })
+ t.Run("Success if pem is equal to cert+key", func(t *testing.T) {
+ mdb := newTestReplicaSetWithTLS()
+ c := mdbClient.NewClient(client.NewManager(&mdb).GetClient())
+ err := createTLSSecret(c, mdb, "CERT", "KEY", "CERT\nKEY")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(c, mdb)
+ assert.NoError(t, err)
+
+ r := NewReconciler(client.NewManagerWithClient(c))
+
+ err = r.ensureTLSResources(mdb)
+ assert.NoError(t, err)
+
+ // Operator-managed secret should have been created and contains the
+ // concatenated certificate and key. 
+ expectedCertificateKey := "CERT\nKEY"
+ certificateKey, err := secret.ReadKey(c, tlsOperatorSecretFileName(expectedCertificateKey), mdb.TLSOperatorSecretNamespacedName())
+ assert.NoError(t, err)
+ assert.Equal(t, expectedCertificateKey, certificateKey)
+ })
+ t.Run("Failure if pem is different from cert+key", func(t *testing.T) {
+ mdb := newTestReplicaSetWithTLS()
+ c := mdbClient.NewClient(client.NewManager(&mdb).GetClient())
+ err := createTLSSecret(c, mdb, "CERT1", "KEY1", "CERT\nKEY")
+ assert.NoError(t, err)
+ err = createTLSConfigMap(c, mdb)
+ assert.NoError(t, err)
+
+ r := NewReconciler(client.NewManagerWithClient(c))
+
+ err = r.ensureTLSResources(mdb)
+ assert.Error(t, err)
+ assert.Contains(t, err.Error(), `If all of "tls.crt", "tls.key" and "tls.pem" are present in the secret, the entry for "tls.pem" must be equal to the concatenation of "tls.crt" with "tls.key"`)
+
+ })
+}
+func createTLSConfigMap(c k8sClient.Client, mdb mdbv1.MongoDBCommunity) error {
 configMap := configmap.Builder().
 SetName(mdb.Spec.Security.TLS.CaConfigMap.Name).
 SetNamespace(mdb.Namespace).
 SetField("ca.crt", "CERT").
 Build()
- err = c.Create(context.TODO(), &configMap)
- if err != nil {
- return err
+ return c.Create(context.TODO(), &configMap)
+}
+
+func createTLSSecret(c k8sClient.Client, mdb mdbv1.MongoDBCommunity, crt string, key string, pem string) error {
+ sBuilder := secret.Builder().
+ SetName(mdb.Spec.Security.TLS.CertificateKeySecret.Name).
+ SetNamespace(mdb.Namespace)
+
+ if crt != "" {
+ sBuilder.SetField(tlsSecretCertName, crt)
+ }
+ if key != "" {
+ sBuilder.SetField(tlsSecretKeyName, key)
+ }
+ if pem != "" {
+ sBuilder.SetField(tlsSecretPemName, pem)
 }
- return nil
+ s := sBuilder.Build()
+ return c.Create(context.TODO(), &s)
 }
diff --git a/docs/RELEASE_NOTES.md b/docs/RELEASE_NOTES.md
index 649393502..e2b5667f6 100644
--- a/docs/RELEASE_NOTES.md
+++ b/docs/RELEASE_NOTES.md
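Review bot: `TestPemSupport` covers only the three clean cases; because the comparison in `getPemOrConcatenatedCrtAndKey` is an exact string match, a subtest with a trailing newline, `err := createTLSSecret(c, mdb, "CERT", "KEY", "CERT\nKEY\n")`, would currently fail on the all-three path and would pin down whether that strictness is intended. A Secret with `tls.pem` plus only one of `tls.crt`/`tls.key` (e.g. `createTLSSecret(c, mdb, "CERT", "", "CERT\nKEY")`) is also untested; as written it silently uses the pem entry. The "Failure" subtest asserts on the complete error sentence, which ties the test to message wording — a shorter distinctive substring, or a sentinel error checked with `errors.Is`, would be less brittle. A blank line between `}` and `func createTLSConfigMap` would match the spacing of the other top-level declarations in the file.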
@@ -4,7 +4,8 @@ - Changes - MongoDB database of the statefulSet is managed using distinct Role, ServiceAccount and RoleBinding. - + - TLS Secret can also contain a single "tls.pem" entry, containing the concatenation of the certificate and key + - If a TLS secret contains all of "tls.key", "tls.crt" and "tls.pem" entries, the operator will raise an error if the "tls.pem" one is not equal to the concatenation of "tls.crt" with "tls.key" ## Updated Image Tags - mongodb-kubernetes-operator:0.7.1 diff --git a/test/e2e/replica_set_tls/replica_set_tls_test.go b/test/e2e/replica_set_tls/replica_set_tls_test.go index 67241f779..ba35611ee 100644 --- a/test/e2e/replica_set_tls/replica_set_tls_test.go +++ b/test/e2e/replica_set_tls/replica_set_tls_test.go @@ -33,7 +33,7 @@ func TestReplicaSetTLS(t *testing.T) { t.Fatal(err) } - if err := setup.CreateTLSResources(mdb.Namespace, ctx); err != nil { + if err := setup.CreateTLSResources(mdb.Namespace, ctx, setup.CertKeyPair); err != nil { t.Fatalf("Failed to set up TLS resources: %s", err) } diff --git a/test/e2e/replica_set_tls_pem_file/replica_set_pem_file_test.go b/test/e2e/replica_set_tls_pem_file/replica_set_pem_file_test.go new file mode 100644 index 000000000..6b7d1121c --- /dev/null +++ b/test/e2e/replica_set_tls_pem_file/replica_set_pem_file_test.go 
@@ -0,0 +1,62 @@
+package replica_set_tls
+
+import (
+ "fmt"
+ "os"
+ "testing"
+
+ . "github.com/mongodb/mongodb-kubernetes-operator/test/e2e/util/mongotester"
+
+ e2eutil "github.com/mongodb/mongodb-kubernetes-operator/test/e2e"
+ "github.com/mongodb/mongodb-kubernetes-operator/test/e2e/mongodbtests"
+ setup "github.com/mongodb/mongodb-kubernetes-operator/test/e2e/setup"
+)
+
+func TestMain(m *testing.M) {
+ code, err := e2eutil.RunTest(m)
+ if err != nil {
+ fmt.Println(err)
+ }
+ os.Exit(code)
+}
+
+func TestReplicaSetTLS(t *testing.T) {
+ ctx := setup.Setup(t)
+ defer ctx.Teardown()
+
+ mdb, user := e2eutil.NewTestMongoDB(ctx, "mdb-tls", "")
+ scramUser := mdb.GetScramUsers()[0]
+ mdb.Spec.Security.TLS = e2eutil.NewTestTLSConfig(false)
+
+ _, err := setup.GeneratePasswordForUser(ctx, user, "")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := setup.CreateTLSResources(mdb.Namespace, ctx, setup.Pem); err != nil {
+ t.Fatalf("Failed to set up TLS resources: %s", err)
+ }
+
+ tester, err := FromResource(t, mdb)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ t.Run("Create MongoDB Resource", mongodbtests.CreateMongoDBResource(&mdb, ctx))
+ t.Run("Basic tests", mongodbtests.BasicFunctionality(&mdb))
+ mongodbtests.SkipTestIfLocal(t, "Ensure MongoDB TLS Configuration", func(t *testing.T) {
+ t.Run("Has TLS Mode", tester.HasTlsMode("requireSSL", 60, WithTls()))
+ t.Run("Basic Connectivity Succeeds", tester.ConnectivitySucceeds(WithTls()))
+ t.Run("SRV Connectivity Succeeds", tester.ConnectivitySucceeds(WithURI(mdb.MongoSRVURI()), WithTls()))
+ t.Run("Basic Connectivity With Generated Connection String Secret Succeeds",
+ tester.ConnectivitySucceeds(WithURI(mongodbtests.GetConnectionStringForUser(mdb, scramUser)), WithTls()))
+ t.Run("SRV Connectivity With Generated Connection String Secret Succeeds",
+ tester.ConnectivitySucceeds(WithURI(mongodbtests.GetSrvConnectionStringForUser(mdb, scramUser)), WithTls()))
+ t.Run("Connectivity Fails", 
tester.ConnectivityFails(WithoutTls()))
+ t.Run("Ensure authentication is configured", tester.EnsureAuthenticationIsConfigured(3, WithTls()))
+ })
+ t.Run("TLS is disabled", mongodbtests.DisableTLS(&mdb))
+ t.Run("MongoDB Reaches Failed Phase", mongodbtests.MongoDBReachesFailedPhase(&mdb))
+ t.Run("TLS is enabled", mongodbtests.EnableTLS(&mdb))
+ t.Run("MongoDB Reaches Running Phase", mongodbtests.MongoDBReachesRunningPhase(&mdb))
+}
diff --git a/test/e2e/replica_set_tls_rotate/replica_set_tls_rotate_test.go b/test/e2e/replica_set_tls_rotate/replica_set_tls_rotate_test.go
index 07f496cc8..d083023d9 100644
--- a/test/e2e/replica_set_tls_rotate/replica_set_tls_rotate_test.go
+++ b/test/e2e/replica_set_tls_rotate/replica_set_tls_rotate_test.go
@@ -34,7 +34,7 @@ func TestReplicaSetTLSRotate(t *testing.T) {
 t.Fatal(err)
 }
- if err := setup.CreateTLSResources(mdb.Namespace, ctx); err != nil {
+ if err := setup.CreateTLSResources(mdb.Namespace, ctx, setup.CertKeyPair); err != nil {
 t.Fatalf("Failed to set up TLS resources: %s", err)
 }
 tester, err := FromResource(t, mdb)
diff --git a/test/e2e/replica_set_tls_upgrade/replica_set_tls_upgrade_test.go b/test/e2e/replica_set_tls_upgrade/replica_set_tls_upgrade_test.go
index 8ed5ba7ee..88849b896 100644
--- a/test/e2e/replica_set_tls_upgrade/replica_set_tls_upgrade_test.go
+++ b/test/e2e/replica_set_tls_upgrade/replica_set_tls_upgrade_test.go
@@ -33,7 +33,7 @@ func TestReplicaSetTLSUpgrade(t *testing.T) {
 t.Fatal(err)
 }
- if err := setup.CreateTLSResources(mdb.Namespace, ctx); err != nil {
+ if err := setup.CreateTLSResources(mdb.Namespace, ctx, setup.CertKeyPair); err != nil {
 t.Fatalf("Failed to set up TLS resources: %s", err)
 }
diff --git a/test/e2e/setup/setup.go b/test/e2e/setup/setup.go
index 1eaace825..4f991ab43 100644
--- a/test/e2e/setup/setup.go
+++ b/test/e2e/setup/setup.go
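Review bot: The new e2e file declares `package replica_set_tls` although it lives in `test/e2e/replica_set_tls_pem_file/`, and its test function reuses the name `TestReplicaSetTLS` from the existing replica_set_tls suite, so `go test -run` filters and CI log lines cannot distinguish the two; rename to `package replica_set_tls_pem_file` and `func TestReplicaSetTLSPemFile(t *testing.T)`. The file name `replica_set_pem_file_test.go` also drops the `tls` that the directory and the matrix `test-name` use, which makes the mapping harder to follow. Apart from passing `setup.Pem`, the body duplicates the replica_set_tls test line for line; if that suite changes, this one will silently drift unless the shared steps are factored into a helper.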
@@ -34,10 +34,15 @@ import (
 mdbv1 "github.com/mongodb/mongodb-kubernetes-operator/api/v1"
 )
+type tlsSecretType string
+
 const (
 performCleanupEnv = "PERFORM_CLEANUP"
 deployDirEnv = "DEPLOY_DIR"
 roleDirEnv = "ROLE_DIR"
+
+ CertKeyPair tlsSecretType = "CERTKEYPAIR"
+ Pem tlsSecretType = "PEM"
 )
 func Setup(t *testing.T) *e2eutil.Context {
@@ -56,7 +61,7 @@ func Setup(t *testing.T) *e2eutil.Context {
 // CreateTLSResources will setup the CA ConfigMap and cert-key Secret necessary for TLS
 // The certificates and keys are stored in testdata/tls
-func CreateTLSResources(namespace string, ctx *e2eutil.Context) error { //nolint
+func CreateTLSResources(namespace string, ctx *e2eutil.Context, secretType tlsSecretType) error {
 tlsConfig := e2eutil.NewTestTLSConfig(false)
 // Create CA ConfigMap 
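Review bot: `CertKeyPair` and `Pem` are exported identifiers with no doc comment, and nothing near them or on `CreateTLSResources` says which Secret entries each one produces; add `// CertKeyPair populates the TLS Secret with separate tls.crt and tls.key entries.` and `// Pem populates the TLS Secret with a single tls.pem entry.` above the constants, and extend the function comment to mention the `secretType` parameter. Keeping `tlsSecretType` unexported works as a closed set of values, but it also means a caller outside this package cannot name the type in a table-driven test; exporting it is worth considering if such tests are planned. The `//nolint` dropped from the signature presumably silenced a linter finding on the old form — worth confirming the linter is clean with the new one.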
@@ -77,22 +82,31 @@ func CreateTLSResources(namespace string, ctx *e2eutil.Context) error { //nolint
 return err
 }
- // Create server key and certificate secret
- cert, err := ioutil.ReadFile(path.Join(testDataDir, "server.crt"))
- if err != nil {
- return err
+ certKeySecretBuilder := secret.Builder().
+ SetName(tlsConfig.CertificateKeySecret.Name).
+ SetNamespace(namespace)
+
+ if secretType == CertKeyPair {
+ // Create server key and certificate secret
+ cert, err := ioutil.ReadFile(path.Join(testDataDir, "server.crt"))
+ if err != nil {
+ return err
+ }
+ key, err := ioutil.ReadFile(path.Join(testDataDir, "server.key"))
+ if err != nil {
+ return err
+ }
+ certKeySecretBuilder.SetField("tls.crt", string(cert)).SetField("tls.key", string(key))
 }
- key, err := ioutil.ReadFile(path.Join(testDataDir, "server.key"))
- if err != nil {
- return err
+ if secretType == Pem {
+ pem, err := ioutil.ReadFile(path.Join(testDataDir, "server.pem"))
+ if err != nil {
+ return err
+ }
+ certKeySecretBuilder.SetField("tls.pem", string(pem))
 }
- certKeySecret := secret.Builder().
- SetName(tlsConfig.CertificateKeySecret.Name).
- SetNamespace(namespace).
- SetField("tls.crt", string(cert)).
- SetField("tls.key", string(key)).
- Build()
+ certKeySecret := certKeySecretBuilder.Build()
 return e2eutil.TestClient.Create(context.TODO(), &certKeySecret, &e2eutil.CleanupOptions{TestContext: ctx})
 }
diff --git a/testdata/tls/server.pem b/testdata/tls/server.pem
new file mode 100644
index 000000000..fa38bc24c
--- /dev/null
+++ b/testdata/tls/server.pem
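Review bot: Neither `if` branch fires for a `secretType` other than `CertKeyPair` or `Pem`, so an unexpected value creates a TLS Secret with no entries and the e2e test fails later with an unrelated operator-side error instead of at the call site; make the dispatch a `switch secretType { case CertKeyPair: … case Pem: … }` and add a terminal `default: return fmt.Errorf("unsupported tls secret type %q", secretType)` (using whichever error constructor setup.go already imports, as its import block is outside this hunk). `ioutil.ReadFile` is deprecated since Go 1.16 in favour of `os.ReadFile`, though the file used it before this change, so that is a follow-up rather than a blocker. CreateTLSResources begins outside the hunk.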
@@ -0,0 +1,53 @@ +-----BEGIN CERTIFICATE----- +MIIEWjCCAkKgAwIBAgIUKXYivNfzneHnf77o/hmGJPPZmiMwDQYJKoZIhvcNAQEL +BQAwJDEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMTA0 +MjgxMjI0MjRaFw0zNTAxMDUxMjI0MjRaMDkxCzAJBgNVBAYTAlVTMQswCQYDVQQI +DAJOWTELMAkGA1UEBwwCTlkxEDAOBgNVBAoMB01vbmdvREIwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDMgVLGC5blAlvcmbggfnmFZ0wHAstOxbjOPija +53TzvKi9L2Smrwf5/RtRQSZ6cgNfTLzDbz+jKHn5v0jWqSW5TzWSL1VcDiYSoito ++RwJcRmrLBuceqP8anUjCgqmDH5xFL2w+QNh9knGdOvbUkGr+gaUxeQxNclup8jV +v9qyRva2an8MB7VbSG8ZVDVkcBkH2xlO+S1ITl/SPBXKsDbOB/hWEAqkOoEom5lQ +6a4IjUYU8HUhebzERH71Jhgc53hcs1RourMLQmAZQoqy7E8On6B/jZxMqq4HsqiQ +PYV/FLPlT12hgKMBZ6POwIFxEueTGVuGzHU37aoxPwNT7cp/AgMBAAGjbzBtMB8G +A1UdIwQYMBaAFNKgRS9B32CXr3UdG9LwGmMUi6WbMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgTwMDIGA1UdEQQrMCmCJyoubWRiLXRscy1zdmMuZGVmYXVsdC5zdmMuY2x1 +c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAgEAeeVcqSuI3UjmThAufNN5I+Z5 +jIUyU/kTcOHUr5hDA83+W8IuEHo/g+ZsvtCVqTqiXNd5Ehn5rdO+YB8fqXC2jgUr +VLbel87qdxqTwdZ6pO3X0StO1AuSN/ZydnfZqRyI7fJn28A0fzTHP5AZdOAYtGBR +nld9omH85p2EsZkhtdsZpRPr11mQoFnJ9lGcz2z/6GRbrlEYrM9nU4Ij8cBAlhrM +hkqNpQT56XM1QxJ6MdEwYQv4Fbkr5Aa75NGyb0m6uQNYDPyXgvvkSZ+lZTXBhVl1 +5GouRqRMe+hlGPYL4VKy23PAwag7dNlQ1GQLur+pWkXfHLdKIaoPLDwFx4m8PWGr +rErXOXKKYZIw+xsQYKOXNePMM3/bRlEZTt52wrBEDB3LNhNkuKB8J1+/dfE557l1 +5/Gyt+MuRAq/gi+ffR7KxuzYDipGSUmmWzFF/5LyOCAS9lKi8xyKzsYpdDDkcx8k +aC86zOjYseMKytk2hgOmNPjva9iG4mlQQ/S7FgOn01jJadpu9X0zVgmq7uKIemUM +6ts8qEK3zIGir10FfT0zxwaXQOMLMHrLvELGJEhHJPTQDMjPopKVEXtk9Upeveas +PK3QLsn3xE2XytH2HJnAHL3GR1nLT3HgdyrOlJlV37ZPXr3di7nfQQM4UJoghyWH +JZ6umbgvvVMWeLFX/IE= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzIFSxguW5QJb3Jm4IH55hWdMBwLLTsW4zj4o2ud087yovS9k +pq8H+f0bUUEmenIDX0y8w28/oyh5+b9I1qkluU81ki9VXA4mEqIraPkcCXEZqywb +nHqj/Gp1IwoKpgx+cRS9sPkDYfZJxnTr21JBq/oGlMXkMTXJbqfI1b/askb2tmp/ +DAe1W0hvGVQ1ZHAZB9sZTvktSE5f0jwVyrA2zgf4VhAKpDqBKJuZUOmuCI1GFPB1 +IXm8xER+9SYYHOd4XLNUaLqzC0JgGUKKsuxPDp+gf42cTKquB7KokD2FfxSz5U9d 
+oYCjAWejzsCBcRLnkxlbhsx1N+2qMT8DU+3KfwIDAQABAoIBAQC7HjVbim0l25Or +9Gb6LF8KhiqVW6Qkzls7Mrr1GMT045FNkRi6PvrAbSvanA8WCE43m6I3/AmxQy7g +Knr+FsSymtw8htzGnxeNAx9PLGfP59GBwpj9A2YaZloJln2J03K6Cy1JyX6j2tNE +J+VKxyfZsKrm427Y7AsEGbd0hNgZN5s9l70q0FSCkFcb37b497k0gYcE+63wEaq3 +FHGoYvbjUVKqp1YpVQyALlHk2toDMOOVBt4MQzP6RsVQJ3LY7K0ZYlNu83EWutsJ +oIMjDwMoCpDtFqrUDzCgbYoDPAaREOBFJZcUrqQ3oTMCo8qEZgiinOVQks6vqnpd +vke/qfsRAoGBAPcm/4AkVeRCmEmR16U9K8pk2KyOJxbXvSvLPO55ytAHSeHEQYaE +FevTOYj+Whd5B/OWOcGXrvby0OpzfEizpE/cLyCGPQqONh5RyJUeG9mzmSCGfJKw +dru99Sg2njU+ZYmHtf6FtY6RGZ4OrwiifVzk/slGE9r0LJt0uVJ/Db83AoGBANPT +fWAetG/JJVG8RoQnddHzZhpmJAnqQt6QbKiYZ/WsH5mchsuJg2oybY9uf9TL1OMy +yxhCie1vFBBRD1s6j06btqF38i9D2H6R55i2PtP5AKFD6S9wucpFRiR0A5r5r69V +KwnYA1fu0uA6tYw457f0vS8NfIaiEDmERfiy4qL5AoGBANYsXUzWL/hWHVHjqFPw +5nnFWl5t8UHCQpQo0ux1bmNHbabPQ1kmLTjnGfy1La0ZnOJhVDuHDn/Be3kwCouV +4NWzoMM2kL8M7ajohkFyjf/hutiMsncLpFidDE2ExySspaDAkd22UNbytphZcSSy +aqCNcJ1KtPoQjndIdzAeGfORAoGABbbm4vjxFTLv9syFens2CnvufTfUMRBIzYhH +5iR2aYJDN/mpCUSkbvD9U6k/eZYmIBr2r6jb37PnbqlBKMzjoNNCkgiSWAQUixWU +keIYv88v3Snf2I/J81L7GXCnyD6EJs69Yn6ZWH3w4muzCh1e4u+PSv2qJleo6GRR +Hux0gMECgYBN0BaeyUPqRLgq3JsrPTK0VQ+8J5+3la7wZWU5vCr2cvLftzb7Devj +m5K901mFCPdtO5LJ8OdeOi1PHnG/+WCfuwDitN8OufPJ+tdSteG+F9XIu5sTMGLB +QJeIyHolsPZhW4OA3C7p6uZHAeDIqIpkv8j7974cLBWhGlQJx9403A== +-----END RSA PRIVATE KEY-----