add e2e certificate hash tests

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
cert-manager · Jan 7, 2024 · 6f2f221 · 6f2f221
1 parent b789bd9
commit 6f2f221
Showing 1 changed file with 200 additions and 0 deletions.
diff --git a/test/e2e/suite/certificates/certificatehash.go b/test/e2e/suite/certificates/certificatehash.go
@@ -0,0 +1,200 @@
+/*
+Copyright 2022 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificates
+
+import (
+	"context"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/util/retry"
+
+	"github.com/cert-manager/cert-manager/e2e-tests/framework"
+	e2eutil "github.com/cert-manager/cert-manager/e2e-tests/util"
+	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	"github.com/cert-manager/cert-manager/test/unit/gen"
+)
+
+var _ = framework.CertManagerDescribe("Certificate Hash", func() {
+	const (
+		issuerName = "certificate-hash-name"
+		secretName = "test-hash-name"
+	)
+
+	f := framework.NewDefaultFramework("certificates-hash-name")
+	ctx := context.Background()
+
+	createCertificate := func(f *framework.Framework) *cmapi.Certificate {
+		crt := &cmapi.Certificate{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: "test-hash-name-",
+				Namespace:    f.Namespace.Name,
+			},
+			Spec: cmapi.CertificateSpec{
+				CommonName: "test",
+				SecretName: secretName,
+				PrivateKey: &cmapi.CertificatePrivateKey{
+					RotationPolicy: cmapi.RotationPolicyAlways,
+				},
+				IssuerRef: cmmeta.ObjectReference{
+					Name:  issuerName,
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			},
+		}
+
+		By("creating Certificate")
+
+		crt, err := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Create(context.Background(), crt, metav1.CreateOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		return crt
+	}
+
+	BeforeEach(func() {
+		By("creating a self-signing issuer")
+		issuer := gen.Issuer(issuerName,
+			gen.SetIssuerNamespace(f.Namespace.Name),
+			gen.SetIssuerSelfSigned(cmapi.SelfSignedIssuer{}))
+		Expect(f.CRClient.Create(context.Background(), issuer)).To(Succeed())
+
+		By("Waiting for Issuer to become Ready")
+		err := e2eutil.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name),
+			issuerName, cmapi.IssuerCondition{Type: cmapi.IssuerConditionReady, Status: cmmeta.ConditionTrue})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		Expect(f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Delete(context.Background(), issuerName, metav1.DeleteOptions{})).NotTo(HaveOccurred())
+	})
+
+	It("A newly created certificate should have a hash annotation and changes to the spec should be detected even after delting the certificate request", func() {
+		crt := createCertificate(f)
+		var secretBytes []byte
+
+		By("Waiting for Certificate to become Ready")
+		_, err := f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Second*10)
+		Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
+		By("Checking that the Certificate Secret has a hash annotation")
+		secret, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(secret.Annotations).To(HaveKeyWithValue(cmapi.CertificateHashAnnotationKey, Not(BeEmpty())))
+		secretBytes = secret.Data["tls.crt"]
+
+		By("Deleting the CertificateRequest")
+		Expect(f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).DeleteCollection(context.Background(), metav1.DeleteOptions{}, metav1.ListOptions{})).NotTo(HaveOccurred())
+
+		By("Deleting and recreating the Certificate")
+		Expect(f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Delete(context.Background(), crt.Name, metav1.DeleteOptions{})).NotTo(HaveOccurred())
+		crt = createCertificate(f)
+
+		By("Waiting for Certificate to become Ready")
+		_, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Second*10)
+		Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
+		By("Checking that the Certificate Secret has same hash annotation and has not been updated")
+		secret, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(secret.Annotations).To(HaveKeyWithValue(cmapi.CertificateHashAnnotationKey, Not(BeEmpty())))
+		Expect(secret.Data["tls.crt"]).To(Equal(secretBytes))
+
+		By("Updating the Certificate spec")
+		Expect(retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			crt, err := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Get(ctx, crt.Name, metav1.GetOptions{})
+			Expect(err).NotTo(HaveOccurred())
+			crt.Spec.CommonName = "test2"
+			_, err = f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Update(ctx, crt, metav1.UpdateOptions{})
+			return err
+		})).NotTo(HaveOccurred())
+
+		By("Waiting for Certificate to become Ready")
+		_, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Second*10)
+		Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
+		By("Checking that the Certificate Secret has a new hash annotation & has been updated")
+		secret, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(secret.Annotations).To(HaveKeyWithValue(cmapi.CertificateHashAnnotationKey, Not(BeEmpty())))
+		Expect(secret.Data["tls.crt"]).NotTo(Equal(secretBytes))
+	})
+
+	It("An existing certificate without hash annotation should get a hash annotation without reissuance", func() {
+		crt := createCertificate(f)
+		var secretBytes []byte
+
+		By("Waiting for Certificate to become Ready")
+		_, err := f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Second*10)
+		Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
+		By("Checking that the Certificate Secret has a hash annotation")
+		secret, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(secret.Annotations).To(HaveKeyWithValue(cmapi.CertificateHashAnnotationKey, Not(BeEmpty())))
+		secretBytes = secret.Data["tls.crt"]
+
+		By("Deleting the CertificateRequest")
+		Expect(f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).DeleteCollection(context.Background(), metav1.DeleteOptions{}, metav1.ListOptions{})).NotTo(HaveOccurred())
+
+		By("Deleting and recreating the Certificate")
+		Expect(f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Delete(context.Background(), crt.Name, metav1.DeleteOptions{})).NotTo(HaveOccurred())
+		crt = createCertificate(f)
+
+		By("Removing the hash annotation")
+		Expect(retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			secret, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+			Expect(err).NotTo(HaveOccurred())
+
+			delete(secret.Annotations, cmapi.CertificateHashAnnotationKey)
+			_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Update(context.Background(), secret, metav1.UpdateOptions{})
+			return err
+		})).NotTo(HaveOccurred())
+
+		By("Waiting for Certificate to become Ready")
+		_, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Second*10)
+		Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
+		By("Checking that the Certificate Secret has same hash annotation and has not been updated")
+		secret, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(secret.Annotations).To(HaveKeyWithValue(cmapi.CertificateHashAnnotationKey, Not(BeEmpty())))
+		Expect(secret.Data["tls.crt"]).To(Equal(secretBytes))
+
+		By("Updating the Certificate spec")
+		Expect(retry.RetryOnConflict(retry.DefaultRetry, func() error {
+			crt, err := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Get(ctx, crt.Name, metav1.GetOptions{})
+			Expect(err).NotTo(HaveOccurred())
+			crt.Spec.CommonName = "test2"
+			_, err = f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Update(ctx, crt, metav1.UpdateOptions{})
+			return err
+		})).NotTo(HaveOccurred())
+
+		By("Waiting for Certificate to become Ready")
+		_, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(crt, time.Second*10)
+		Expect(err).NotTo(HaveOccurred(), "failed to wait for Certificate to become Ready")
+
+		By("Checking that the Certificate Secret has a new hash annotation & has been updated")
+		secret, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Get(context.Background(), secretName, metav1.GetOptions{})
+		Expect(err).NotTo(HaveOccurred())
+		Expect(secret.Annotations).To(HaveKeyWithValue(cmapi.CertificateHashAnnotationKey, Not(BeEmpty())))
+		Expect(secret.Data["tls.crt"]).NotTo(Equal(secretBytes))
+	})
+})