mirror of
https://github.com/siderolabs/talos.git
synced 2025-08-07 23:27:07 +02:00
98 lines
2.7 KiB
Go
98 lines
2.7 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
//go:build integration_api
|
|
|
|
package api
|
|
|
|
import (
|
|
"context"
|
|
"io"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/siderolabs/talos/internal/integration/base"
|
|
"github.com/siderolabs/talos/pkg/machinery/client"
|
|
"github.com/siderolabs/talos/pkg/machinery/config/types/security"
|
|
"github.com/siderolabs/talos/pkg/machinery/constants"
|
|
)
|
|
|
|
// TrustedRootsSuite ...
|
|
type TrustedRootsSuite struct {
|
|
base.APISuite
|
|
|
|
ctx context.Context //nolint:containedctx
|
|
ctxCancel context.CancelFunc
|
|
}
|
|
|
|
// SuiteName ...
|
|
func (suite *TrustedRootsSuite) SuiteName() string {
|
|
return "api.TrustedRootsSuite"
|
|
}
|
|
|
|
// SetupTest ...
|
|
func (suite *TrustedRootsSuite) SetupTest() {
|
|
suite.ctx, suite.ctxCancel = context.WithTimeout(context.Background(), 1*time.Minute)
|
|
}
|
|
|
|
// TearDownTest ...
|
|
func (suite *TrustedRootsSuite) TearDownTest() {
|
|
if suite.ctxCancel != nil {
|
|
suite.ctxCancel()
|
|
}
|
|
}
|
|
|
|
func (suite *TrustedRootsSuite) readTrustedRoots(nodeCtx context.Context) string {
|
|
r, err := suite.Client.Read(nodeCtx, constants.DefaultTrustedCAFile)
|
|
suite.Require().NoError(err)
|
|
|
|
value, err := io.ReadAll(r)
|
|
suite.Require().NoError(err)
|
|
|
|
suite.Require().NoError(r.Close())
|
|
|
|
return string(value)
|
|
}
|
|
|
|
// TestTrustedRoots verifies default and custom trusted CA roots.
|
|
func (suite *TrustedRootsSuite) TestTrustedRoots() {
|
|
// pick up a random node to test the TrustedRoots on, and use it throughout the test
|
|
node := suite.RandomDiscoveredNodeInternalIP()
|
|
|
|
suite.T().Logf("testing TrustedRoots on node %s", node)
|
|
|
|
// build a Talos API context which is tied to the node
|
|
nodeCtx := client.WithNode(suite.ctx, node)
|
|
|
|
const name = "test-ca"
|
|
|
|
cfgDocument := security.NewTrustedRootsConfigV1Alpha1()
|
|
cfgDocument.MetaName = name
|
|
cfgDocument.Certificates = "--- BEGIN CERTIFICATE ---\nMIIC0DCCAbigAwIBAgIUI\n--- END CERTIFICATE ---\n"
|
|
|
|
// clean up custom config if it exists
|
|
suite.RemoveMachineConfigDocuments(nodeCtx, cfgDocument.MetaKind)
|
|
|
|
certificates := suite.readTrustedRoots(nodeCtx)
|
|
suite.Require().Contains(certificates, "Bundle of CA Root Certificates")
|
|
|
|
// enable custom trusted roots
|
|
suite.PatchMachineConfig(nodeCtx, cfgDocument)
|
|
|
|
suite.Require().Eventually(func() bool {
|
|
return strings.Contains(suite.readTrustedRoots(nodeCtx), name)
|
|
}, 5*time.Second, 100*time.Millisecond)
|
|
|
|
// deactivate the TrustedRoots
|
|
suite.RemoveMachineConfigDocuments(nodeCtx, cfgDocument.MetaKind)
|
|
|
|
suite.Require().Eventually(func() bool {
|
|
return !strings.Contains(suite.readTrustedRoots(nodeCtx), name)
|
|
}, 5*time.Second, 100*time.Millisecond)
|
|
}
|
|
|
|
func init() {
|
|
allSuites = append(allSuites, new(TrustedRootsSuite))
|
|
}
|