mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-11-05 10:51:56 +01:00
Code Issues Packages Projects Releases Wiki Activity
talos/internal/app/machined/pkg/controllers/secrets/kubernetes_test.go
Andrey Smirnov 7a68504b6b
feat: support rotating Kubernetes CA 
Fixes #8440

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-04-01 22:08:02 +04:00

114 lines
3.6 KiB
Go
Raw Blame History

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package secrets_test
import (
"net/netip"
"net/url"
"testing"
"time"
"github.com/cosi-project/runtime/pkg/resource"
"github.com/cosi-project/runtime/pkg/resource/rtestutils"
"github.com/siderolabs/crypto/x509"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/suite"
"k8s.io/client-go/tools/clientcmd"
"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
secretsctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/secrets"
"github.com/siderolabs/talos/pkg/machinery/config/machine"
"github.com/siderolabs/talos/pkg/machinery/resources/config"
"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
timeresource "github.com/siderolabs/talos/pkg/machinery/resources/time"
)
func TestKubernetesSuite(t *testing.T) {
suite.Run(t, &KubernetesSuite{
DefaultSuite: ctest.DefaultSuite{
Timeout: 5 * time.Second,
AfterSetup: func(suite *ctest.DefaultSuite) {
suite.Require().NoError(suite.Runtime().RegisterController(&secretsctrl.KubernetesController{}))
},
},
})
}
type KubernetesSuite struct {
ctest.DefaultSuite
}
func (suite *KubernetesSuite) TestReconcile() {
rootSecrets := secrets.NewKubernetesRoot(secrets.KubernetesRootID)
k8sCA, err := x509.NewSelfSignedCertificateAuthority(
x509.Organization("kubernetes"),
x509.ECDSA(true),
)
suite.Require().NoError(err)
aggregatorCA, err := x509.NewSelfSignedCertificateAuthority(
x509.Organization("kubernetes"),
x509.ECDSA(true),
)
suite.Require().NoError(err)
serviceAccount, err := x509.NewECDSAKey()
suite.Require().NoError(err)
rootSecrets.TypedSpec().Name = "cluster1"
rootSecrets.TypedSpec().Endpoint, err = url.Parse("https://some.url:6443/")
suite.Require().NoError(err)
rootSecrets.TypedSpec().LocalEndpoint, err = url.Parse("https://localhost:6443/")
suite.Require().NoError(err)
rootSecrets.TypedSpec().IssuingCA = &x509.PEMEncodedCertificateAndKey{
Crt: k8sCA.CrtPEM,
Key: k8sCA.KeyPEM,
}
rootSecrets.TypedSpec().AggregatorCA = &x509.PEMEncodedCertificateAndKey{
Crt: aggregatorCA.CrtPEM,
Key: aggregatorCA.KeyPEM,
}
rootSecrets.TypedSpec().ServiceAccount = &x509.PEMEncodedKey{
Key: serviceAccount.KeyPEM,
}
rootSecrets.TypedSpec().CertSANs = []string{"example.com"}
rootSecrets.TypedSpec().APIServerIPs = []netip.Addr{netip.MustParseAddr("10.4.3.2"), netip.MustParseAddr("10.2.1.3")}
rootSecrets.TypedSpec().DNSDomain = "cluster.svc"
suite.Require().NoError(suite.State().Create(suite.Ctx(), rootSecrets))
machineType := config.NewMachineType()
machineType.SetMachineType(machine.TypeControlPlane)
suite.Require().NoError(suite.State().Create(suite.Ctx(), machineType))
timeSync := timeresource.NewStatus()
*timeSync.TypedSpec() = timeresource.StatusSpec{
Synced: true,
}
suite.Require().NoError(suite.State().Create(suite.Ctx(), timeSync))
rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{secrets.KubernetesID},
func(certs *secrets.Kubernetes, assertion *assert.Assertions) {
kubernetesCerts := certs.TypedSpec()
for _, kubeconfig := range []string{
kubernetesCerts.ControllerManagerKubeconfig,
kubernetesCerts.SchedulerKubeconfig,
kubernetesCerts.LocalhostAdminKubeconfig,
kubernetesCerts.AdminKubeconfig,
} {
config, err := clientcmd.Load([]byte(kubeconfig))
assertion.NoError(err)
if err != nil {
return
}
assertion.NoError(clientcmd.ConfirmUsable(*config, config.CurrentContext))
}
})
}
Reference in New Issue View Git Blame Copy Permalink