test(*): add tests for new tls support

Adds a testdata directory to hold tls certs at the root of the project. The tests cover pkg/tlsutil, cmd/helm, and cmd/helm/installer. Closes helm#2289
mynameiswhm · Apr 18, 2017 · 73e6399 · 73e6399
1 parent bba0214
commit 73e6399
Show file tree

Hide file tree

Showing 7 changed files with 448 additions and 2 deletions.
diff --git a/cmd/helm/init_test.go b/cmd/helm/init_test.go
@@ -20,6 +20,8 @@ import (
 	"bytes"
 	"io/ioutil"
 	"os"
+	"path/filepath"
+	"reflect"
 	"strings"
 	"testing"
 
@@ -33,6 +35,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"
 
+	"k8s.io/helm/cmd/helm/installer"
 	"k8s.io/helm/pkg/helm/helmpath"
 )
 
@@ -217,3 +220,85 @@ func TestEnsureHome(t *testing.T) {
 		t.Errorf("%s should not be a directory", fi)
 	}
 }
+
+func TestInitCmd_tlsOptions(t *testing.T) {
+	const testDir = "../../testdata"
+
+	// tls certificates in testDir
+	var (
+		testCaCertFile = filepath.Join(testDir, "ca.pem")
+		testCertFile   = filepath.Join(testDir, "crt.pem")
+		testKeyFile    = filepath.Join(testDir, "key.pem")
+	)
+
+	// these tests verify the effects of permuting the "--tls" and "--tls-verify" flags
+	// and the install options yieled as a result of (*initCmd).tlsOptions()
+	// during helm init.
+	var tests = []struct {
+		certFile string
+		keyFile  string
+		caFile   string
+		enable   bool
+		verify   bool
+		describe string
+	}{
+		{ // --tls and --tls-verify specified (--tls=true,--tls-verify=true)
+			certFile: testCertFile,
+			keyFile:  testKeyFile,
+			caFile:   testCaCertFile,
+			enable:   true,
+			verify:   true,
+			describe: "--tls and --tls-verify specified (--tls=true,--tls-verify=true)",
+		},
+		{ // --tls-verify implies --tls (--tls=false,--tls-verify=true)
+			certFile: testCertFile,
+			keyFile:  testKeyFile,
+			caFile:   testCaCertFile,
+			enable:   false,
+			verify:   true,
+			describe: "--tls-verify implies --tls (--tls=false,--tls-verify=true)",
+		},
+		{ // no --tls-verify (--tls=true,--tls-verify=false)
+			certFile: testCertFile,
+			keyFile:  testKeyFile,
+			caFile:   "",
+			enable:   true,
+			verify:   false,
+			describe: "no --tls-verify (--tls=true,--tls-verify=false)",
+		},
+		{ // tls is disabled (--tls=false,--tls-verify=false)
+			certFile: "",
+			keyFile:  "",
+			caFile:   "",
+			enable:   false,
+			verify:   false,
+			describe: "tls is disabled (--tls=false,--tls-verify=false)",
+		},
+	}
+
+	for _, tt := range tests {
+		// emulate tls file specific flags
+		tlsCaCertFile, tlsCertFile, tlsKeyFile = tt.caFile, tt.certFile, tt.keyFile
+
+		// emulate tls enable/verify flags
+		tlsEnable, tlsVerify = tt.enable, tt.verify
+
+		cmd := &initCmd{}
+		if err := cmd.tlsOptions(); err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		// expected result options
+		expect := installer.Options{
+			TLSCaCertFile: tt.caFile,
+			TLSCertFile:   tt.certFile,
+			TLSKeyFile:    tt.keyFile,
+			VerifyTLS:     tt.verify,
+			EnableTLS:     tt.enable || tt.verify,
+		}
+
+		if !reflect.DeepEqual(cmd.opts, expect) {
+			t.Errorf("%s: got %#+v, want %#+v", tt.describe, cmd.opts, expect)
+		}
+	}
+}
diff --git a/cmd/helm/installer/install_test.go b/cmd/helm/installer/install_test.go
@@ -17,6 +17,8 @@ limitations under the License.
 package installer // import "k8s.io/helm/cmd/helm/installer"
 
 import (
+	"os"
+	"path/filepath"
 	"reflect"
 	"testing"
 
@@ -32,7 +34,6 @@ import (
 )
 
 func TestDeploymentManifest(t *testing.T) {
-
 	tests := []struct {
 		name            string
 		image           string
@@ -69,6 +70,52 @@ func TestDeploymentManifest(t *testing.T) {
 	}
 }
 
+func TestDeploymentManifest_WithTLS(t *testing.T) {
+	tests := []struct {
+		opts   Options
+		name   string
+		enable string
+		verify string
+	}{
+		{
+			Options{Namespace: api.NamespaceDefault, EnableTLS: true, VerifyTLS: true},
+			"tls enable (true), tls verify (true)",
+			"1",
+			"1",
+		},
+		{
+			Options{Namespace: api.NamespaceDefault, EnableTLS: true, VerifyTLS: false},
+			"tls enable (true), tls verify (false)",
+			"1",
+			"",
+		},
+		{
+			Options{Namespace: api.NamespaceDefault, EnableTLS: false, VerifyTLS: true},
+			"tls enable (false), tls verify (true)",
+			"1",
+			"1",
+		},
+	}
+	for _, tt := range tests {
+		o, err := DeploymentManifest(&tt.opts)
+		if err != nil {
+			t.Fatalf("%s: error %q", tt.name, err)
+		}
+
+		var d extensions.Deployment
+		if err := yaml.Unmarshal([]byte(o), &d); err != nil {
+			t.Fatalf("%s: error %q", tt.name, err)
+		}
+		// verify environment variable in deployment reflect the use of tls being enabled.
+		if got := d.Spec.Template.Spec.Containers[0].Env[1].Value; got != tt.verify {
+			t.Errorf("%s: expected tls verify env value %q, got %q", tt.name, tt.verify, got)
+		}
+		if got := d.Spec.Template.Spec.Containers[0].Env[2].Value; got != tt.enable {
+			t.Errorf("%s: expected tls enable env value %q, got %q", tt.name, tt.enable, got)
+		}
+	}
+}
+
 func TestServiceManifest(t *testing.T) {
 	o, err := ServiceManifest(api.NamespaceDefault)
 	if err != nil {
@@ -84,6 +131,39 @@ func TestServiceManifest(t *testing.T) {
 	}
 }
 
+func TestSecretManifest(t *testing.T) {
+	o, err := SecretManifest(&Options{
+		VerifyTLS:     true,
+		EnableTLS:     true,
+		Namespace:     api.NamespaceDefault,
+		TLSKeyFile:    tlsTestFile(t, "key.pem"),
+		TLSCertFile:   tlsTestFile(t, "crt.pem"),
+		TLSCaCertFile: tlsTestFile(t, "ca.pem"),
+	})
+
+	if err != nil {
+		t.Fatalf("error %q", err)
+	}
+
+	var obj api.Secret
+	if err := yaml.Unmarshal([]byte(o), &obj); err != nil {
+		t.Fatalf("error %q", err)
+	}
+
+	if got := obj.ObjectMeta.Namespace; got != api.NamespaceDefault {
+		t.Errorf("expected namespace %s, got %s", api.NamespaceDefault, got)
+	}
+	if _, ok := obj.Data["tls.key"]; !ok {
+		t.Errorf("missing 'tls.key' in generated secret object")
+	}
+	if _, ok := obj.Data["tls.crt"]; !ok {
+		t.Errorf("missing 'tls.crt' in generated secret object")
+	}
+	if _, ok := obj.Data["ca.crt"]; !ok {
+		t.Errorf("missing 'ca.crt' in generated secret object")
+	}
+}
+
 func TestInstall(t *testing.T) {
 	image := "gcr.io/kubernetes-helm/tiller:v2.0.0"
 
@@ -123,6 +203,77 @@ func TestInstall(t *testing.T) {
 	}
 }
 
+func TestInstall_WithTLS(t *testing.T) {
+	image := "gcr.io/kubernetes-helm/tiller:v2.0.0"
+	name := "tiller-secret"
+
+	fc := &fake.Clientset{}
+	fc.AddReactor("create", "deployments", func(action testcore.Action) (bool, runtime.Object, error) {
+		obj := action.(testcore.CreateAction).GetObject().(*extensions.Deployment)
+		l := obj.GetLabels()
+		if reflect.DeepEqual(l, map[string]string{"app": "helm"}) {
+			t.Errorf("expected labels = '', got '%s'", l)
+		}
+		i := obj.Spec.Template.Spec.Containers[0].Image
+		if i != image {
+			t.Errorf("expected image = '%s', got '%s'", image, i)
+		}
+		return true, obj, nil
+	})
+	fc.AddReactor("create", "services", func(action testcore.Action) (bool, runtime.Object, error) {
+		obj := action.(testcore.CreateAction).GetObject().(*api.Service)
+		l := obj.GetLabels()
+		if reflect.DeepEqual(l, map[string]string{"app": "helm"}) {
+			t.Errorf("expected labels = '', got '%s'", l)
+		}
+		n := obj.ObjectMeta.Namespace
+		if n != api.NamespaceDefault {
+			t.Errorf("expected namespace = '%s', got '%s'", api.NamespaceDefault, n)
+		}
+		return true, obj, nil
+	})
+	fc.AddReactor("create", "secrets", func(action testcore.Action) (bool, runtime.Object, error) {
+		obj := action.(testcore.CreateAction).GetObject().(*api.Secret)
+		if l := obj.GetLabels(); reflect.DeepEqual(l, map[string]string{"app": "helm"}) {
+			t.Errorf("expected labels = '', got '%s'", l)
+		}
+		if n := obj.ObjectMeta.Namespace; n != api.NamespaceDefault {
+			t.Errorf("expected namespace = '%s', got '%s'", api.NamespaceDefault, n)
+		}
+		if s := obj.ObjectMeta.Name; s != name {
+			t.Errorf("expected name = '%s', got '%s'", name, s)
+		}
+		if _, ok := obj.Data["tls.key"]; !ok {
+			t.Errorf("missing 'tls.key' in generated secret object")
+		}
+		if _, ok := obj.Data["tls.crt"]; !ok {
+			t.Errorf("missing 'tls.crt' in generated secret object")
+		}
+		if _, ok := obj.Data["ca.crt"]; !ok {
+			t.Errorf("missing 'ca.crt' in generated secret object")
+		}
+		return true, obj, nil
+	})
+
+	opts := &Options{
+		Namespace:     api.NamespaceDefault,
+		ImageSpec:     image,
+		EnableTLS:     true,
+		VerifyTLS:     true,
+		TLSKeyFile:    tlsTestFile(t, "key.pem"),
+		TLSCertFile:   tlsTestFile(t, "crt.pem"),
+		TLSCaCertFile: tlsTestFile(t, "ca.pem"),
+	}
+
+	if err := Install(fc, opts); err != nil {
+		t.Errorf("unexpected error: %#+v", err)
+	}
+
+	if actions := fc.Actions(); len(actions) != 3 {
+		t.Errorf("unexpected actions: %v, expected 3 actions got %d", actions, len(actions))
+	}
+}
+
 func TestInstall_canary(t *testing.T) {
 	fc := &fake.Clientset{}
 	fc.AddReactor("create", "deployments", func(action testcore.Action) (bool, runtime.Object, error) {
@@ -226,3 +377,12 @@ func TestUpgrade_serviceNotFound(t *testing.T) {
 		t.Errorf("unexpected actions: %v, expected 4 actions got %d", actions, len(actions))
 	}
 }
+
+func tlsTestFile(t *testing.T, path string) string {
+	const tlsTestDir = "../../../testdata"
+	path = filepath.Join(tlsTestDir, path)
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		t.Fatalf("tls test file %s does not exist", path)
+	}
+	return path
+}
diff --git a/pkg/tlsutil/cfg.go b/pkg/tlsutil/cfg.go
@@ -44,7 +44,10 @@ func ClientConfig(opts Options) (cfg *tls.Config, err error) {
 
 	if opts.CertFile != "" || opts.KeyFile != "" {
 		if cert, err = CertFromFilePair(opts.CertFile, opts.KeyFile); err != nil {
-			return nil, fmt.Errorf("could not load x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
+			if os.IsNotExist(err) {
+				return nil, fmt.Errorf("could not load x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
+			}
+			return nil, fmt.Errorf("could not read x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
 		}
 	}
 	if !opts.InsecureSkipVerify && opts.CaCertFile != "" {

diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tlsutil
+
+import (
+	"crypto/tls"
+	"path/filepath"
+	"testing"
+)
+
+const tlsTestDir = "../../testdata"
+
+const (
+	testCaCertFile = "ca.pem"
+	testCertFile   = "crt.pem"
+	testKeyFile    = "key.pem"
+)
+
+func TestClientConfig(t *testing.T) {
+	opts := Options{
+		CaCertFile:         testfile(t, testCaCertFile),
+		CertFile:           testfile(t, testCertFile),
+		KeyFile:            testfile(t, testKeyFile),
+		InsecureSkipVerify: false,
+	}
+
+	cfg, err := ClientConfig(opts)
+	if err != nil {
+		t.Fatalf("error building tls client config: %v", err)
+	}
+
+	if got := len(cfg.Certificates); got != 1 {
+		t.Fatalf("expecting 1 client certificates, got %d", got)
+	}
+	if cfg.InsecureSkipVerify {
+		t.Fatalf("insecure skip verify mistmatch, expecting false")
+	}
+	if cfg.RootCAs == nil {
+		t.Fatalf("mismatch tls RootCAs, expecting non-nil")
+	}
+}
+
+func TestServerConfig(t *testing.T) {
+	opts := Options{
+		CaCertFile: testfile(t, testCaCertFile),
+		CertFile:   testfile(t, testCertFile),
+		KeyFile:    testfile(t, testKeyFile),
+		ClientAuth: tls.RequireAndVerifyClientCert,
+	}
+
+	cfg, err := ServerConfig(opts)
+	if err != nil {
+		t.Fatalf("error building tls server config: %v", err)
+	}
+	if got := cfg.MinVersion; got != tls.VersionTLS12 {
+		t.Errorf("expecting TLS version 1.2, got %d", got)
+	}
+	if got := cfg.ClientCAs; got == nil {
+		t.Errorf("expecting non-nil CA pool")
+	}
+}
+
+func testfile(t *testing.T, file string) (path string) {
+	var err error
+	if path, err = filepath.Abs(filepath.Join(tlsTestDir, file)); err != nil {
+		t.Fatalf("error getting absolute path to test file %q: %v", file, err)
+	}
+	return path
+}