e2e test for 'pure' runtime config

Signed-off-by: Ashley Davis <[email protected]>
cert-manager · Jul 26, 2024 · 847882f · 847882f
1 parent 694213b
commit 847882f
Show file tree

Hide file tree

Showing 8 changed files with 494 additions and 1 deletion.
diff --git a/make/config/istio-csr-pure-runtime-values.yaml b/make/config/istio-csr-pure-runtime-values.yaml
@@ -0,0 +1,45 @@
+replicaCount: 2
+
+service:
+  port: 443
+  type: NodePort
+  nodePort: 30443
+
+app:
+  logFormat: json
+  logLevel: 5
+
+  certmanager:
+    namespace: istio-system
+    # WARNING: do not enable this option in production, or environments with
+    # any non-trivial number of workloads for an extended period of time. Doing
+    # so will balloon the resource consumption of both ETCD and the API server,
+    # leading to errors and slow down. This option is intended for debugging
+    # purposes only, for limited periods of time.
+    preserveCertificateRequests: true
+    additionalAnnotations:
+    - name: custom.cert-manager.io/policy-name
+      value: istio-csr
+    issuer:
+      # Explicitly blanked out to test "pure" runtime configuration
+      group: ""
+      kind: ""
+      name: ""
+
+  tls:
+    trustDomain: foo.bar
+    istiodCertificateEnable: "dynamic"
+    certificateDuration: 20s
+    certificateDNSNames:
+    # Name used by the e2e client
+    - istio-csr.cert-manager.svc
+    # Name used within the demo cluster
+    - cert-manager-istio-csr.cert-manager.svc
+
+  server:
+    maxCertificateDuration: 5m
+    serving:
+      address: 0.0.0.0
+      port: 6443
+
+resources: {}
diff --git a/make/test-e2e.mk b/make/test-e2e.mk
@@ -48,11 +48,25 @@ e2e-create-cert-manager-istio-resources: | kind-cluster e2e-setup-cert-manager $
 	$(KUBECTL) create namespace istio-system || true
 	$(KUBECTL) -n istio-system apply --server-side -f ./make/config/cert-manager-bootstrap-resources.yaml
 
+.PHONY: e2e-create-cert-manager-istio-pure-runtime-resources
+e2e-create-cert-manager-istio-pure-runtime-resources: | kind-cluster e2e-setup-cert-manager $(NEEDS_KUBECTL)
+	$(KUBECTL) apply -f test/e2e-pure-runtime/initial-manifests/configmap.yaml
+
+is_e2e_test=
+
 # The "install" target can be run on its own with any currently active cluster,
 # we can't use any other cluster then a target containing "test-e2e" is run.
-# When a "test-e2e" target is run, the currently active cluster must be the kind
+# When a "test-e2e*" target is run, the currently active cluster must be the kind
 # cluster created by the "kind-cluster" target.
 ifeq ($(findstring test-e2e,$(MAKECMDGOALS)),test-e2e)
+is_e2e_test = yes
+endif
+
+ifeq ($(findstring test-e2e-pure-runtime,$(MAKECMDGOALS)),test-e2e-pure-runtime)
+is_e2e_test = yes
+endif
+
+ifdef is_e2e_test
 install: kind-cluster oci-load-manager e2e-create-cert-manager-istio-resources
 endif
 
@@ -99,3 +113,29 @@ test-e2e: test-e2e-deps | kind-cluster $(NEEDS_GINKGO) $(NEEDS_KUBECTL)
 		--kubeconfig-path $(CURDIR)/$(kind_kubeconfig) \
 		--kubectl-path $(KUBECTL) \
 		--runtime-issuance-config-map-name=$(E2E_RUNTIME_CONFIG_MAP_NAME)
+
+test-e2e-pure-runtime-deps: INSTALL_OPTIONS :=
+test-e2e-pure-runtime-deps: INSTALL_OPTIONS += --set image.repository=$(oci_manager_image_name_development)
+test-e2e-pure-runtime-deps: INSTALL_OPTIONS += --set app.runtimeIssuanceConfigMap=$(E2E_RUNTIME_CONFIG_MAP_NAME)
+test-e2e-pure-runtime-deps: INSTALL_OPTIONS += -f ./make/config/istio-csr-pure-runtime-values.yaml
+test-e2e-pure-runtime-deps: e2e-setup-cert-manager
+test-e2e-pure-runtime-deps: e2e-create-cert-manager-istio-resources
+test-e2e-pure-runtime-deps: e2e-create-cert-manager-istio-pure-runtime-resources
+test-e2e-pure-runtime-deps: install
+test-e2e-pure-runtime-deps: e2e-setup-istio
+
+# "Pure" runtime configuration e2e tests require different installation values
+.PHONY: test-e2e-pure-runtime
+test-e2e-pure-runtime: test-e2e-pure-runtime-deps | kind-cluster $(NEEDS_GINKGO) $(NEEDS_KUBECTL)
+	$(GINKGO) \
+		--output-dir=$(ARTIFACTS) \
+		--focus="$(E2E_FOCUS)" \
+		--junit-report=junit-go-e2e.xml \
+		$(EXTRA_GINKGO_FLAGS) \
+		./test/e2e-pure-runtime/ \
+		-ldflags $(go_manager_ldflags) \
+		-- \
+		--istioctl-path $(CURDIR)/$(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) \
+		--kubeconfig-path $(CURDIR)/$(kind_kubeconfig) \
+		--kubectl-path $(KUBECTL) \
+		--runtime-issuance-config-map-name=$(E2E_RUNTIME_CONFIG_MAP_NAME)
diff --git a/test/e2e-pure-runtime/e2e_test.go b/test/e2e-pure-runtime/e2e_test.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e
+
+import (
+	"flag"
+	"testing"
+	"time"
+
+	ginkgo "github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/cert-manager/istio-csr/test/e2e/framework/config"
+
+	_ "github.com/cert-manager/istio-csr/test/e2e-pure-runtime/suite"
+)
+
+func init() {
+	config.GetConfig().AddFlags(flag.CommandLine)
+
+	wait.ForeverTestTimeout = time.Second * 60
+}
+
+func TestE2E(t *testing.T) {
+	flag.Parse()
+
+	gomega.RegisterFailHandler(ginkgo.Fail)
+
+	suiteConfig, reporterConfig := ginkgo.GinkgoConfiguration()
+
+	// Turn on verbose by default to get spec names
+	reporterConfig.Verbose = true
+	// Turn on EmitSpecProgress to get spec progress (especially on interrupt)
+	suiteConfig.EmitSpecProgress = true
+	// Randomize specs as well as suites
+	suiteConfig.RandomizeAllSpecs = true
+
+	ginkgo.RunSpecs(t, "cert-manager istio agent e2e suite (pure runtime)", suiteConfig, reporterConfig)
+}
diff --git a/test/e2e-pure-runtime/initial-manifests/README.md b/test/e2e-pure-runtime/initial-manifests/README.md
@@ -0,0 +1 @@
+"Initial" manifests are manifests which should be applied before any tests are run
diff --git a/test/e2e-pure-runtime/initial-manifests/configmap.yaml b/test/e2e-pure-runtime/initial-manifests/configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runtime-config-map
+  namespace: cert-manager
+data:
+  issuer-group: cert-manager.io
+  issuer-kind: Issuer
+  issuer-name: istio-ca
diff --git a/test/e2e-pure-runtime/manifests/issuer.yaml b/test/e2e-pure-runtime/manifests/issuer.yaml
@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: runtimeconfig-ca
+  namespace: istio-system
+spec:
+  isCA: true
+  commonName: runtimeconfig-ca
+  secretName: runtimeconfig-ca-secret
+  duration: 2160h # 90d
+  subject:
+    organizations:
+    - cluster.local
+    - cert-manager
+    organizationalUnits:
+    - runtimeconfig
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: istio-ca
+    kind: Issuer
+    group: cert-manager.io
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: runtimeconfig-ca-issuer
+  namespace: istio-system
+spec:
+  ca:
+    secretName: runtimeconfig-ca-secret
diff --git a/test/e2e-pure-runtime/manifests/sleep.yaml b/test/e2e-pure-runtime/manifests/sleep.yaml
@@ -0,0 +1,65 @@
+# Copyright Istio Authors
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+##################################################################################################
+# Sleep service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sleep
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sleep
+  labels:
+    app: sleep
+    service: sleep
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: sleep
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sleep
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sleep
+  template:
+    metadata:
+      labels:
+        app: sleep
+    spec:
+      serviceAccountName: sleep
+      containers:
+      - image: quay.io/curl/curl:8.5.0
+        imagePullPolicy: Never
+        name: sleep
+        command: ["/bin/sleep", "3650d"]
+        volumeMounts:
+        - mountPath: /etc/sleep/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: sleep-secret
+          optional: true
+---
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		"Initial" manifests are manifests which should be applied before any tests are run