test: Fix certificate being not trusted on MacOS

.config/starte2e.sh

@@ -10,6 +10,14 @@ export PATH="${PATH}:/usr/bin"
 touch tests/environment/zitadel/service-user.json
 chmod a+rw tests/environment/zitadel/service-user.json
 
+# We only take down ldap if the cert are too old and need regeneration
+ldap_down=""
+file_creation=$(date -r ./tests/environment/certs/ca.crt +%s || echo 0)
+if [ $(( $(date +%s) - $file_creation )) -gt 2160000 ]; # 25 days old?
+then
+ldap_down="-v ldap"
+fi
+
 # Shut down any still running test-setup first
-docker compose --project-directory ./tests/environment down -v test-setup || true
+docker compose --project-directory ./tests/environment down -v test-setup $ldap_down || true
 docker compose --project-directory ./tests/environment up --wait

.gitignore

@@ -2,3 +2,6 @@
 /target
 /tests/environment/zitadel/service-user.json
 /tests/environment/config.yaml
+/tests/environment/certs/*.crt
+/tests/environment/certs/*.key
+.DS_Store

tests/environment/certs/generate-certs.sh

@@ -1,20 +1,36 @@
 #!/bin/sh
 set -eux
 
-openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 \
-		-keyout server.key \
-		-out server.crt \
-		-subj "/C=DE/CN=example.org" \
-		-addext "subjectAltName = DNS:zitadel, DNS:localhost"
-
-# These keys are not actually secret, and when passed into the docker
-# container the server key needs to be readable by the container user
-chmod go+r server.key
-
-openssl x509 -outform pem -in server.crt -out ca.crt
-openssl req -x509 -nodes -days 3650 -sha256 -newkey rsa:2048 \
-		-CAkey server.key \
-		-CA ca.crt \
-		-keyout client.key \
-		-out client.crt \
-		-subj "/CN=admin.example.org"
+script_dir=$(dirname $0)
+
+file_creation=$(date -r $script_dir/ca.crt +%s || echo 0)
+
+if [ $(( $(date +%s) - $file_creation )) -gt 2160000 ]; # 25 days old?
+then
+
+	# We need to set EKUs (extendedKeyUsage) otherwise MacOS won't trust
+	# the certificate
+	openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 \
+			-keyout $script_dir/server.key \
+			-out $script_dir/server.crt \
+			-subj "/C=DE/CN=example.org" \
+			-addext "subjectAltName = DNS:zitadel, DNS:localhost" \
+			-addext "extendedKeyUsage = serverAuth, clientAuth"
+
+	# These keys are not actually secret, and when passed into the docker
+	# container the server key needs to be readable by the container user
+	chmod go+r $script_dir/server.key
+
+	openssl x509 -outform pem -in $script_dir/server.crt -out $script_dir/ca.crt
+	openssl req -x509 -nodes -days 3650 -sha256 -newkey rsa:2048 \
+			-CAkey $script_dir/server.key \
+			-CA $script_dir/ca.crt \
+			-keyout $script_dir/client.key \
+			-out $script_dir/client.crt \
+			-subj "/CN=admin.example.org"
+
+	chmod a+r $script_dir/client.key
+	chmod a+r $script_dir/client.crt
+	chmod a+r $script_dir/server.crt
+
+fi

tests/environment/docker-compose.yaml

@@ -1,4 +1,12 @@
 services:
+  certs:
+    image: alpine/openssl:3.3.2
+    volumes:
+      - type: bind
+        source: ./certs
+        target: /certs
+    entrypoint: /certs/generate-certs.sh
+
   ldap:
     image: bitnami/openldap:2.5.18
     ports:
@@ -15,6 +23,9 @@ services:
         source: ./certs
         target: /certs
         read_only: true
+    depends_on:
+      certs:
+        condition: 'service_completed_successfully'
 
   test-setup:
     image: famedly/famedly-sync-testenv