Merge pull request #274 from SpectralHiss/hef/csr-p384-generation-fix
Hef/csr p384 generation fix
Showing
21 changed files
with
632 additions
and
10 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# Copyright 2023 The cert-manager Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
.PHONY: test-ecc | ||
## ecc test | ||
## @category Testing | ||
test-ecc: kind_cluster_name := "istio-csr-ecc" | ||
test-ecc: e2e-setup-cert-manager oci-load-manager | $(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) $(NEEDS_KUBECTL) $(NEEDS_HELM) $(NEEDS_KIND) $(NEEDS_GOJQ) | ||
$(eval oci_image_tar := $(bin_dir)/scratch/image/oci-layout-manager.$(oci_manager_image_tag).docker.tar) | ||
|
||
ARTIFACTS=$(ARTIFACTS) \ | ||
ISTIO_CSR_IMAGE=$(oci_manager_image_name_development) \ | ||
ISTIO_CSR_IMAGE_TAG=$(oci_manager_image_tag) \ | ||
KIND_CLUSTER_NAME=$(kind_cluster_name) \ | ||
ISTIO_BIN=$(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) \ | ||
KUBECTL_BIN=$(KUBECTL) \ | ||
HELM_BIN=$(HELM) \ | ||
KIND_BIN=$(KIND) \ | ||
JQ_BIN=$(GOJQ) \ | ||
./test/ecc/run.sh |
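Review bot: `$(eval oci_image_tar := …)` at the top of the recipe is never referenced by the rest of the `test-ecc` target, so it reads as a leftover from a copied target; either drop the line or pass the value through to the test script alongside the other variables. Note also that `kind_cluster_name := "istio-csr-ecc"` keeps the literal double quotes inside the Make variable and only works because the shell strips them in `KIND_CLUSTER_NAME=$(kind_cluster_name)`; `kind_cluster_name := istio-csr-ecc` avoids a surprise if the variable is ever used in a Make function. The value also differs from the `istio-ca-ecc` fallback that the test's env.sh applies when KIND_CLUSTER_NAME is unset, which is harmless here but worth aligning so a run by hand and a run via make name the cluster the same way.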
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
/ca.pem | ||
/istio-csr-serving.pems |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright 2021 The cert-manager Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
set -o nounset | ||
set -o errexit | ||
set -o pipefail | ||
|
||
echo "======================================" | ||
echo ">> cleaning up resources" | ||
|
||
rm -f "$TEST_DIR/ca.pem" | ||
#rm -f "${ISTIO_CSR_SERVING_CERTFILE}" | ||
echo ">> exporting kind loads" | ||
$KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME" | ||
|
||
echo ">> deleting cluster..." | ||
$KIND_BIN delete cluster --name "$KIND_CLUSTER_NAME" |
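Review bot: Under `set -o errexit`, a failing `$KIND_BIN export logs` on the line before the `delete cluster` call aborts this script and leaves the kind cluster running, which defeats the purpose of a cleanup that run.sh installs as an EXIT trap. Make the log export best-effort so the deletion always runs: `$KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME" || echo ">> failed to export kind logs, continuing with cluster deletion" >&2`. The commented-out `#rm -f "${ISTIO_CSR_SERVING_CERTFILE}"` is dead text; since reset-istio-csr.sh removes that file between passes, either delete the comment or replace it with one sentence saying why the final pass intentionally keeps the file for inspection.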
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright 2021 The cert-manager Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
export ARTIFACTS="${ARTIFACTS:-./_bin/artifacts}" | ||
export ISTIO_CSR_IMAGE="${ISTIO_CSR_IMAGE:-cert-manager.local/cert-manager-istio-csr}" | ||
export ISTIO_CSR_IMAGE_TAG="${ISTIO_CSR_IMAGE_TAG:-canary}" | ||
export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-istio-ca-ecc}" | ||
|
||
export ISTIO_BIN="${ISTIO_BIN:-./_bin/scratch/istioctl-1.20.2}" | ||
export KUBECTL_BIN="${KUBECTL_BIN:-./_bin/tools/kubectl}" | ||
export HELM_BIN="${HELM_BIN:-./_bin/tools/helm}" | ||
export KIND_BIN="${KIND_BIN:-./_bin/tools/kind}" | ||
export JQ_BIN="${JQ_BIN:-./_bin/tools/jq}" | ||
export RED="\e[31m" | ||
export GREEN="\e[32m" | ||
export ENDCOLOR="\e[0m" |
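Review bot: The fallback `export ISTIO_BIN="${ISTIO_BIN:-./_bin/scratch/istioctl-1.20.2}"` pins an istioctl version in a second place, while the Makefile target derives the same path from `$(ISTIO_VERSION)`; the two will drift silently the next time the version is bumped, and the `istio-ca-ecc` default for KIND_CLUSTER_NAME already differs from the Makefile's `istio-csr-ecc`. If the defaults exist only for running the scripts outside make, a header comment such as `# Defaults below are for running test/ecc/*.sh by hand; the make target test-ecc overrides all of them` would make the divergence deliberate rather than accidental. The `RED`/`GREEN`/`ENDCOLOR` values hold a literal `\e` and only render as colours when printed with `printf` or `echo -e`; plain `echo` emits the backslash sequence, which is worth a comment here since the consumer (presumably test.sh) is not in the visible part of the page.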
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
apiVersion: cert-manager.io/v1 | ||
kind: Certificate | ||
metadata: | ||
name: istio-root-1 | ||
namespace: istio-system | ||
spec: | ||
isCA: true | ||
duration: 2160h | ||
secretName: istio-root-1 | ||
commonName: istio-root-1 | ||
subject: | ||
organizations: | ||
- cluster.local | ||
- cert-manager-root-1 | ||
issuerRef: | ||
name: selfsigned | ||
kind: Issuer | ||
group: cert-manager.io | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Issuer | ||
metadata: | ||
name: istio-root-1 | ||
namespace: istio-system | ||
spec: | ||
ca: | ||
secretName: istio-root-1 |
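Review bot: The root `Certificate` sets `isCA: true` but does not set `spec.privateKey.algorithm`, so the issuing CA is created with cert-manager's default key type rather than an ECDSA key, even though this fixture exists for the ECC test. If the intent is to exercise an all-ECDSA chain, add `privateKey:` / `  algorithm: ECDSA` / `  size: 384` (or 256) under `spec`; if the root key type is deliberately left at the default, a one-line comment saying so would stop the next reader from "fixing" it. The values files that select the key size are not on the visible part of the page, so the exact size is for the author to choose.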
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
apiVersion: cert-manager.io/v1 | ||
kind: Issuer | ||
metadata: | ||
name: selfsigned | ||
namespace: istio-system | ||
spec: | ||
selfSigned: {} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright 2021 The cert-manager Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
set -o nounset | ||
set -o errexit | ||
set -o pipefail | ||
|
||
echo "======================================" | ||
echo ">> resetting Istio + istio-csr for another test" | ||
|
||
echo ">> $HELM_BIN uninstall cert-manager-istio-csr -n cert-manager" | ||
$HELM_BIN uninstall cert-manager-istio-csr -n cert-manager | ||
|
||
|
||
echo ">> resetting Istio for another test" | ||
echo ">> $ISTIO_BIN uninstall -y -f \"$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml\"" | ||
|
||
$ISTIO_BIN uninstall -y --purge -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml" | ||
$KUBECTL_BIN delete cr --all -n istio-system | ||
$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default | ||
rm -f "${ISTIO_CSR_SERVING_CERTFILE}" |
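Review bot: `$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default` runs under `set -o errexit` and exits non-zero if the object is already gone (for example when the preceding `istioctl uninstall --purge` removed it), which aborts the reset between the 256 and 384 passes and so skips the second setup entirely; `$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default --ignore-not-found` keeps the step idempotent. The echoed command on the `echo ">> $ISTIO_BIN uninstall -y -f …"` line omits the `--purge` flag that the actual invocation on the following lines passes, so the log misrepresents what ran; build the argument list once in an array and print it with `printf '%q ' "${args[@]}"` so the two cannot diverge.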
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright 2021 The cert-manager Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
set -o nounset | ||
set -o errexit | ||
set -o pipefail | ||
|
||
TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" | ||
ISTIO_CSR_SERVING_CERTFILE="${TEST_DIR}"/istio-csr-serving.pems | ||
|
||
export TEST_DIR | ||
# This will contain the signed certificate of "istio-csr-serving" CertificateRequests to run assertions against | ||
export ISTIO_CSR_SERVING_CERTFILE | ||
source "$TEST_DIR/env.sh" | ||
|
||
# Ensure we always clean up after ourselves. | ||
cleanup() { | ||
"$TEST_DIR/cleanup.sh" | ||
} | ||
trap cleanup EXIT | ||
|
||
echo "======================================" | ||
echo ">> running full ECC 256 and 384 support" | ||
|
||
export KEY_SIZE="256" | ||
"$TEST_DIR/setup.sh" | ||
"$TEST_DIR/test.sh" | ||
|
||
"$TEST_DIR/reset-istio-csr.sh" | ||
export KEY_SIZE="384" | ||
"$TEST_DIR/setup.sh" | ||
"$TEST_DIR/test.sh" | ||
|
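Review bot: The script's header is only the licence block; nothing states what it expects from its caller or that it runs `setup.sh` and `test.sh` twice, with `KEY_SIZE` first `256` then `384` and `reset-istio-csr.sh` in between. A short comment after `set -o pipefail` would help: say that KEY_SIZE selects the `values/istio-csr-ecdsa_p${KEY_SIZE}.yaml` and `values/istio-ecdsa_p${KEY_SIZE}.yaml` files used by setup.sh, that env.sh supplies the tool paths and defaults, and that the EXIT trap always tears the kind cluster down, so a failed pass cannot be inspected afterwards. On style, `cleanup()` wraps a single command; `trap '"$TEST_DIR/cleanup.sh"' EXIT` expresses the same without the indirection, though the function form is fine if more steps are expected to land there.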
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
#!/usr/bin/env bash | ||
|
||
# Copyright 2021 The cert-manager Authors. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
set -o nounset | ||
set -o errexit | ||
set -o pipefail | ||
|
||
echo "======================================" | ||
echo ">> creating root of trust" | ||
|
||
echo ">> creating cert-manager issuers" | ||
$KUBECTL_BIN create namespace istio-system || true | ||
$KUBECTL_BIN apply -f "$TEST_DIR/issuers/." | ||
|
||
echo ">> waiting for issuers to become ready" | ||
$KUBECTL_BIN get issuers -n istio-system | ||
$KUBECTL_BIN wait --timeout=180s -n istio-system --for=condition=ready issuer istio-root-1 | ||
$KUBECTL_BIN get issuers -n istio-system | ||
|
||
echo ">> extracting root of trust" | ||
$KUBECTL_BIN get secret -n istio-system istio-root-1 -o jsonpath="{.data['ca\.crt']}" | base64 -d > "$TEST_DIR/ca.pem" | ||
|
||
echo ">> creating root of trust secret" | ||
$KUBECTL_BIN create secret generic istio-root-certs --from-file=ca.pem="$TEST_DIR/ca.pem" -n cert-manager || true | ||
|
||
echo "======================================" | ||
echo ">> installing istio-csr with roots of trust, using issuer from root-1" | ||
|
||
echo ">> installing cert-manager-istio-csr with using ecdsa key type" | ||
echo "$HELM_BIN upgrade -i cert-manager-istio-csr ./deploy/charts/istio-csr -n cert-manager --values $TEST_DIR/values/istio-csr-ecdsa_p${KEY_SIZE}.yaml --wait" | ||
|
||
$HELM_BIN upgrade -i cert-manager-istio-csr ./deploy/charts/istio-csr \ | ||
-n cert-manager \ | ||
--values "$TEST_DIR/values/istio-csr-ecdsa_p${KEY_SIZE}.yaml" \ | ||
--set image.repository="$ISTIO_CSR_IMAGE" \ | ||
--set image.tag="$ISTIO_CSR_IMAGE_TAG" \ | ||
--wait | ||
|
||
echo ">> installing istio" | ||
$ISTIO_BIN install -y -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml" | ||
|
||
echo ">> enforcing mTLS everywhere" | ||
$KUBECTL_BIN apply -n istio-system -f - <<EOF | ||
apiVersion: "security.istio.io/v1beta1" | ||
kind: "PeerAuthentication" | ||
metadata: | ||
name: "default" | ||
spec: | ||
mtls: | ||
mode: STRICT | ||
EOF | ||
|
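Review bot: `$KUBECTL_BIN create secret generic istio-root-certs … || true` swallows every failure of the create call, not only AlreadyExists, and on the second pass (KEY_SIZE=384) it also means the secret is never refreshed from the freshly extracted `ca.pem`, so a wrongly created or stale secret would only surface when istio-csr fails much later. An idempotent apply keeps errexit meaningful: `$KUBECTL_BIN create secret generic istio-root-certs --from-file=ca.pem="$TEST_DIR/ca.pem" -n cert-manager --dry-run=client -o yaml | $KUBECTL_BIN apply -f -`. The `create namespace istio-system || true` line has the same shape and can use the same `--dry-run=client -o yaml | apply -f -` form, or at least carry a comment that the namespace may already exist from a previous pass. The echoed helm command omits the two `--set image.*` flags the real invocation passes, so the log is not a faithful transcript of what ran.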