diff --git a/.github/workflows/kubernetes-tests.yml b/.github/workflows/kubernetes-tests.yml index 92b5d07f4ad..102742ffedd 100644 --- a/.github/workflows/kubernetes-tests.yml +++ b/.github/workflows/kubernetes-tests.yml @@ -199,7 +199,29 @@ jobs: - name: Tenant KES run: | "${GITHUB_WORKSPACE}/testing/console-tenant+kes.sh" - + test-cert-manager: + timeout-minutes: 30 + runs-on: ${{ matrix.os }} + needs: + - operator + strategy: + matrix: + go-version: [ 1.21.x ] + os: [ ubuntu-latest ] + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-go@v4 + with: + go-version: ${{ matrix.go-version }} + - uses: actions/cache@v3 + name: Operator Binary Cache + with: + path: | + ./minio-operator + key: ${{ runner.os }}-binary-${{ github.run_id }} + - name: Deploy Tenant with cert-manager + run: | + "${GITHUB_WORKSPACE}/testing/deploy-cert-manager-tenant.sh" test-policy-binding: timeout-minutes: 30 runs-on: ${{ matrix.os }} diff --git a/shared-functions/shared-code.sh b/shared-functions/shared-code.sh index ba8df5780de..cdb5405f57b 100755 --- a/shared-functions/shared-code.sh +++ b/shared-functions/shared-code.sh @@ -59,6 +59,7 @@ function wait_for_resource_field_selector() { fi echo "Waiting for $resourcetype \"$fieldselector\" for \"$condition\" ($timeout timeout)" + echo "namespace: ${namespace}" kubectl wait -n "$namespace" "$resourcetype" \ --for=$condition \ --field-selector $fieldselector \ diff --git a/testing/common.sh b/testing/common.sh index bb12bf3998f..f45169c5f3c 100644 --- a/testing/common.sh +++ b/testing/common.sh 
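Review bot: The three `uses:` steps in the new `test-cert-manager` job reference actions by mutable tag (`actions/checkout@v3`, `actions/setup-go@v4`, `actions/cache@v3`), so the code this job runs can change without any change to this file. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`, makes the job reproducible and reviewable. The job also declares no `permissions:`; unless the workflow sets one at top level (not visible in this hunk), adding `permissions:` with `contents: read` next to `timeout-minutes` would keep the job token read-only. The neighbouring jobs may follow the same pattern, in which case this is best done file-wide.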
@@ -56,6 +56,17 @@ function setup_kind() { try kubectl get nodes } +# Function Intended to Test cert-manager for Tenant's certificate. +function install_cert_manager() { + # https://cert-manager.io/docs/installation/ + try kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml + + echo "Wait until cert-manager pods are running:" + try kubectl wait -n cert-manager --for=condition=ready pod -l app=cert-manager --timeout=120s + try kubectl wait -n cert-manager --for=condition=ready pod -l app=cainjector --timeout=120s + try kubectl wait -n cert-manager --for=condition=ready pod -l app=webhook --timeout=120s +} + function install_operator() { # To compile current branch 
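Review bot: The `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml` line in install_cert_manager applies a manifest fetched at run time with no integrity check. The version in the URL is pinned, but the content behind it is not verified before it installs cluster-wide objects. Downloading to a file, checking it against a SHA-256 recorded in the repository and applying the local copy closes that gap, and separates a failed download from a failed apply. Separately, `kubectl wait ... pod -l app=...` can fail immediately when no pod matches the selector yet, so waiting on the deployments is likely less flaky. The sketch below assumes `try` (defined outside this hunk) simply runs its arguments and aborts on failure.

```shell
function install_cert_manager() {
  # https://cert-manager.io/docs/installation/
  local manifest="cert-manager-v1.13.2.yaml"
  try curl -fsSL -o "${manifest}" https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
  # <sha256-of-reviewed-manifest> is a placeholder: record the digest of the manifest that was reviewed.
  echo "<sha256-of-reviewed-manifest>  ${manifest}" | try sha256sum --check -
  try kubectl apply -f "${manifest}"

  echo "Wait until cert-manager deployments are available:"
  try kubectl wait -n cert-manager --for=condition=Available deployment --all --timeout=120s
}
```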
@@ -244,6 +255,31 @@ function check_tenant_status() { echo "Done." } +# To install tenant with cert-manager from our example provided. +function install_cert_manager_tenant() { + + echo "Install cert-manager tenant from our example:" + try kubectl apply -k github.com/minio/operator/examples/kustomization/tenant-certmanager + + echo "Wait until tenant-certmanager-tls secret is generated by cert-manager..." + while ! kubectl get secret tenant-certmanager-tls --namespace tenant-certmanager + do + echo "Waiting for my secret. Current secrets are:" + kubectl get secrets -n tenant-certmanager + sleep 1 + done + + # https://github.com/minio/operator/blob/master/docs/cert-manager.md + echo "# Pass the CA cert to our Operator to trust the tenant:" + echo "## First get the CA from cert-manager secret..." + try kubectl get secrets -n tenant-certmanager tenant-certmanager-tls -o=jsonpath='{.data.ca\.crt}' | base64 -d > public.crt + echo "## Then create the secret in operator's namespace..." + try kubectl create secret generic operator-ca-tls --from-file=public.crt -n minio-operator + echo "## Finally restart minio operator pods to catch up and trust tenant..." + try kubectl rollout restart deployment.apps/minio-operator -n minio-operator + +} + # Install tenant function is being used by deploy-tenant and check-prometheus function install_tenant() { # Check if we are going to install helm, latest in this branch or a particular version diff --git a/testing/deploy-cert-manager-tenant.sh b/testing/deploy-cert-manager-tenant.sh new file mode 100755 index 00000000000..88326608e6f --- /dev/null +++ b/testing/deploy-cert-manager-tenant.sh 
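Review bot: `kubectl apply -k github.com/minio/operator/examples/kustomization/tenant-certmanager` in install_cert_manager_tenant pulls the example from the upstream repository's default branch rather than from the checkout under test. A pull request that changes this example is therefore validated against a different copy, and the CI run applies manifests that are not pinned to any commit. Applying the local tree instead, e.g. `try kubectl apply -k "${SCRIPT_DIR}/../examples/kustomization/tenant-certmanager"` (path inferred from the URL, please confirm), addresses both. In the CA extraction line, `try` wraps only `kubectl get secrets`, which runs inside a pipeline, so a failure there or in `base64 -d` may not stop the script and an empty `public.crt` could be loaded into `operator-ca-tls`. Writing to the file in one checked step, or enabling `set -o pipefail` and testing `[ -s public.crt ]` before `kubectl create secret`, would catch that. The `while ! kubectl get secret ...` loop also has no upper bound and relies on the job's `timeout-minutes: 30`.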
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Copyright (C) 2023, MinIO, Inc.
+#
+# This code is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License, version 3,
+# along with this program. If not, see
+
+# This script requires: kubectl, kind
+
+SCRIPT_DIR=$(dirname "$0")
+export SCRIPT_DIR
+
+source "${SCRIPT_DIR}/common.sh"
+
+# This test is intended to validate the creation of certificates for the tenant
+# through cert-manager and ensure that our Operator can trust the tenant using this certificate.
+function main() {
+ destroy_kind
+
+ setup_kind
+
+ install_cert_manager
+
+ install_operator
+
+ install_cert_manager_tenant
+
+ check_tenant_status tenant-certmanager myminio
+
+ destroy_kind
+}
+
+main "$@"
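Review bot: Nothing in main() visibly asserts the trust relationship the header comment promises. The only check after install_cert_manager_tenant is `check_tenant_status tenant-certmanager myminio`, whose body is outside this diff. If that helper only waits for the tenant to become healthy, the run passes without showing that the serving certificate came from cert-manager or that the operator accepted the CA from `operator-ca-tls`. Either narrow the comment to what is verified, e.g. `# This test deploys the cert-manager example tenant and waits for it to report healthy.`, or add an explicit step after the status check that confirms the tenant is using the `tenant-certmanager-tls` secret. Also, the final `destroy_kind` is skipped when an earlier step aborts; `trap destroy_kind EXIT` at the top of main() would make cleanup unconditional.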