Merge pull request #405 from application-stacks/test-manage-tls

Adding manageTLS tests

Author: arturdzm

bundle/tests/scorecard/kuttl/manage-tls/00-assert.yaml

@@ -0,0 +1,75 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+# Check creation of CertManager certificates and secret
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: runtime-component-operator
+spec:
+  commonName: Runtime Component Operator
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: manage-tls-rc-svc-tls-cm
+spec:
+  secretName: manage-tls-rc-svc-tls-cm
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    cert-manager.io/certificate-name: manage-tls-rc-svc-tls-cm
+  name: manage-tls-rc-svc-tls-cm
+---
+# Verify the pod template spec uses *-cm naming convention
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: manage-tls-rc
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: TLS_DIR
+          value: /etc/x509/certs
+        - name: SA_RESOURCE_VERSION
+        - name: SERVICE_CERT_SECRET_RESOURCE_VERSION
+        volumeMounts:
+        - name: svc-certificate
+          mountPath: /etc/x509/certs
+          readOnly: true
+      volumes:
+      - name: svc-certificate
+        secret:
+          defaultMode: 420
+          secretName: manage-tls-rc-svc-tls-cm
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: manage-tls-rc
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: manage-tls-rc
+spec:
+  host: runtimecomponentoperator.test
+  to:
+    kind: Service
+    name: manage-tls-rc
+    weight: 100
+  port:
+    targetPort: 9443-tcp
+  tls:
+    termination: reencrypt

bundle/tests/scorecard/kuttl/manage-tls/00-certmanager-with-manage-tls.yaml

@@ -0,0 +1,14 @@
+# Verify that manageTLS=true is enabled by default
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: manage-tls-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  expose: true
+  service:
+    port: 9443
+  route:
+    host: runtimecomponentoperator.test
+    termination: reencrypt

bundle/tests/scorecard/kuttl/manage-tls/01-assert.yaml

@@ -0,0 +1,41 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: manage-tls-rc
+spec:
+  template:
+    spec:
+      containers:
+        - ports:
+            - name: 9443-tcp
+              containerPort: 9443
+              protocol: TCP
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: manage-tls-rc
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: manage-tls-rc
+spec:
+  host: runtimecomponentoperator.test
+  to:
+    kind: Service
+    name: manage-tls-rc
+    weight: 100
+  port:
+    targetPort: 9443-tcp
+  tls:
+    termination: reencrypt
+  wildcardPolicy: None

bundle/tests/scorecard/kuttl/manage-tls/01-certmanager-without-manage-tls.yaml

@@ -0,0 +1,14 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: manage-tls-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  expose: true
+  manageTLS: false # Deletes the *-svc-tls-cm CertManager Certificate
+  service:
+    port: 9443
+  route:
+    host: runtimecomponentoperator.test
+    termination: reencrypt

bundle/tests/scorecard/kuttl/manage-tls/01-errors.yaml

@@ -0,0 +1,33 @@
+# Verify that CertManager Certificate *-svc-tls-cm is deleted
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: manage-tls-rc-svc-tls-cm
+---
+# Verify that the pod template spec does not manage TLS
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: manage-tls-rc
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: TLS_DIR
+          value: /etc/x509/certs
+        - name: SA_RESOURCE_VERSION
+        - name: SERVICE_CERT_SECRET_RESOURCE_VERSION
+        volumeMounts:
+        - name: svc-certificate
+          mountPath: /etc/x509/certs
+          readOnly: true
+      volumes:
+      - name: svc-certificate
+        secret:
+          defaultMode: 420
+          secretName: manage-tls-rc-svc-tls-cm

bundle/tests/scorecard/kuttl/manage-tls/02-assert.yaml

@@ -0,0 +1,46 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+# Verify that the deleted Certificate has been restored
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: manage-tls-rc-svc-tls-cm
+spec:
+  secretName: manage-tls-rc-svc-tls-cm
+---
+# Verify the pod template spec defaults and that secretName uses *-cm naming convention
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: manage-tls-rc
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: TLS_DIR
+          value: /etc/x509/certs
+        - name: SA_RESOURCE_VERSION
+        - name: SERVICE_CERT_SECRET_RESOURCE_VERSION
+        volumeMounts:
+        - name: svc-certificate
+          mountPath: /etc/x509/certs
+          readOnly: true
+        - name: pvc
+          mountPath: /mnt/data
+      volumes:
+      - name: svc-certificate
+        secret:
+          defaultMode: 420
+          secretName: manage-tls-rc-svc-tls-cm
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: manage-tls-rc

bundle/tests/scorecard/kuttl/manage-tls/02-certmanager-statefulset-with-manage-tls.yaml

@@ -0,0 +1,18 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: manage-tls-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  expose: true
+  manageTLS: true
+  service:
+    port: 9443
+  statefulSet:
+    storage:
+      size: "10Mi"
+      mountPath: "/mnt/data"
+  route:
+    host: runtimecomponentoperator.test
+    termination: reencrypt

bundle/tests/scorecard/kuttl/manage-tls/02-errors.yaml

@@ -0,0 +1,5 @@
+# Verify removal of the Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: manage-tls-rc

bundle/tests/scorecard/kuttl/manage-tls/03-assert.yaml

@@ -0,0 +1,49 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 60
+---
+# Verify the pod template spec defaults and that secretName uses *-ocp naming convention
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: manage-tls-rc
+status:
+  replicas: 1
+  readyReplicas: 1
+  updatedReplicas: 1
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: TLS_DIR
+          value: /etc/x509/certs
+        - name: SA_RESOURCE_VERSION
+        - name: SERVICE_CERT_SECRET_RESOURCE_VERSION
+        volumeMounts:
+        - name: svc-certificate
+          mountPath: /etc/x509/certs
+          readOnly: true
+        - name: pvc
+          mountPath: /mnt/data
+      volumes:
+      - name: svc-certificate
+        secret:
+          defaultMode: 420
+          secretName: manage-tls-rc-svc-tls-ocp
+---
+# Verify the service annotation
+kind: Service
+apiVersion: v1
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: manage-tls-rc-svc-tls-ocp
+  name: manage-tls-rc
+---
+# Check that Openshift service CA generates the secret
+kind: Secret
+apiVersion: v1
+metadata:
+  name: manage-tls-rc-svc-tls-ocp
+  annotations:
+    service.beta.openshift.io/originating-service-name: manage-tls-rc

bundle/tests/scorecard/kuttl/manage-tls/03-service-ca-statefulset-with-manage-tls.yaml

@@ -0,0 +1,16 @@
+apiVersion: rc.app.stacks/v1beta2
+kind: RuntimeComponent
+metadata:
+  name: manage-tls-rc
+spec:
+  applicationImage: k8s.gcr.io/pause:2.0
+  replicas: 1
+  expose: true
+  service:
+    annotations:
+      service.beta.openshift.io/serving-cert-secret-name: manage-tls-rc-svc-tls-ocp # Enables usage of OpenShift service CA
+    port: 9443
+  statefulSet:
+    storage:
+      size: "10Mi"
+      mountPath: "/mnt/data"