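/*
 * Copyright contributors to the Hyperledger Fabric Operator project
 *
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 * 	  http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package autorenew_test

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"

	current "github.com/IBM-Blockchain/fabric-operator/api/v1beta1"
	"github.com/IBM-Blockchain/fabric-operator/integration/helper"
	"github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
	k8serrors "k8s.io/apimachinery/pkg/api/errors"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Autorenew checks that, once the warning period is reached, the operator
// backs up and re-enrolls the enrollment certificate (ecert) of an orderer
// node and of a peer, while the TLS signcert secret stays as it was.
//
// kclient, namespace, orderer, org1peer and testFailed are declared elsewhere
// in this package.
var _ = Describe("Autorenew", func() {
	// signcert reads the "cert.pem" entry of the "<kind>-<name>-signcert"
	// secret. The error is returned rather than asserted so that polled
	// callers can hand it to Eventually, which retries on a non-nil error
	// instead of aborting the spec on the first failed API call.
	signcert := func(kind, name string) ([]byte, error) {
		secret, err := kclient.CoreV1().Secrets(namespace).Get(context.TODO(), fmt.Sprintf("%s-%s-signcert", kind, name), metav1.GetOptions{})
		if err != nil {
			return nil, err
		}

		return secret.Data["cert.pem"], nil
	}

	// Applies to every spec in this container, nested Contexts included.
	AfterEach(func() {
		// Set flag if a test fails
		if CurrentSpecReport().Failed() {
			testFailed = true
		}
	})

	Context("orderer", func() {
		var (
			node1 helper.Orderer

			tlscert []byte
			ecert   []byte
		)

		BeforeEach(func() {
			node1 = orderer.Nodes[0]
			Eventually(node1.PodCreated, time.Second*60, time.Second*2).Should(BeTrue())

			// Baseline certificates, captured before the renewal is observed.
			// An empty baseline would make every comparison below meaningless,
			// so it is rejected here.
			var err error
			ecert, err = signcert("ecert", node1.Name)
			Expect(err).NotTo(HaveOccurred())
			Expect(ecert).NotTo(BeEmpty())

			tlscert, err = signcert("tls", node1.Name)
			Expect(err).NotTo(HaveOccurred())
			Expect(tlscert).NotTo(BeEmpty())
		})

		When("signcert certificate is up for renewal and enrollment spec exists", func() {
			It("only renews the ecert when timer goes off", func() {
				// signcert certificates expire in 1 year (31536000s) from creation;
				// NumSecondsWarningPeriod has been set to 1 year - 60s to make
				// renewal occur when test runs

				By("setting status to warning", func() {
					Eventually(orderer.PollForParentCRStatus).Should(Equal(current.Warning))
				})

				By("backing up old ecert signcert", func() {
					// The newest backup entry must hold the base64 form of the
					// certificate that was in the secret before renewal.
					Eventually(func() bool {
						backup := GetBackup("ecert", node1.Name)
						if len(backup.List) == 0 {
							return false
						}

						latest := backup.List[len(backup.List)-1]
						return latest.SignCerts == base64.StdEncoding.EncodeToString(ecert)
					}).Should(BeTrue())
				})

				By("reenrolling identity and updating ecert certificate secret", func() {
					// An emptied secret does not count as a renewal: the new
					// value must be present and differ from the baseline.
					// NOTE(review): this compares bytes only; the renewed
					// certificate is not parsed, so its validity period and
					// issuer are not checked here.
					Eventually(func() (bool, error) {
						renewed, err := signcert("ecert", node1.Name)
						if err != nil {
							return false, err
						}

						return len(renewed) > 0 && !bytes.Equal(ecert, renewed), nil
					}).Should(BeTrue())
				})

				By("not updating tls signcert secret", func() {
					// NOTE(review): Eventually succeeds on the first matching
					// poll, so this is a point-in-time check made after the
					// ecert rotation was seen. Asserting it over a window
					// would need Consistently.
					Eventually(func() (bool, error) {
						latest, err := signcert("tls", node1.Name)
						if err != nil {
							return false, err
						}

						return bytes.Equal(tlscert, latest), nil
					}).Should(BeTrue())
				})

				By("returning to Deployed status as tls cert won't expire for 10 years", func() {
					Eventually(orderer.PollForParentCRStatus).Should(Equal(current.Deployed))
				})
			})
		})
	})

	Context("peer", func() {
		var (
			tlscert []byte
			ecert   []byte
		)

		BeforeEach(func() {
			Eventually(org1peer.PodCreated, time.Second*60, time.Second*2).Should(BeTrue())

			// Baseline certificates, captured before the renewal is observed.
			// An empty baseline would make every comparison below meaningless,
			// so it is rejected here.
			var err error
			ecert, err = signcert("ecert", org1peer.Name)
			Expect(err).NotTo(HaveOccurred())
			Expect(ecert).NotTo(BeEmpty())

			tlscert, err = signcert("tls", org1peer.Name)
			Expect(err).NotTo(HaveOccurred())
			Expect(tlscert).NotTo(BeEmpty())
		})

		When("signcert certificate is up for renewal and enrollment spec exists", func() {
			It("only renews the ecert when timer goes off", func() {
				// signcert certificates expire in 1 year (31536000s) from creation;
				// NumSecondsWarningPeriod has been set to 1 year - 60s to make
				// renewal occur when test runs

				By("setting status to warning", func() {
					Eventually(org1peer.PollForCRStatus).Should(Equal(current.Warning))
				})

				By("backing up old ecert signcert", func() {
					// The newest backup entry must hold the base64 form of the
					// certificate that was in the secret before renewal.
					Eventually(func() bool {
						backup := GetBackup("ecert", org1peer.Name)
						if len(backup.List) == 0 {
							return false
						}

						latest := backup.List[len(backup.List)-1]
						return latest.SignCerts == base64.StdEncoding.EncodeToString(ecert)
					}).Should(BeTrue())
				})

				By("reenrolling identity and updating ecert certificate secret", func() {
					// An emptied secret does not count as a renewal: the new
					// value must be present and differ from the baseline.
					// NOTE(review): this compares bytes only; the renewed
					// certificate is not parsed, so its validity period and
					// issuer are not checked here.
					Eventually(func() (bool, error) {
						renewed, err := signcert("ecert", org1peer.Name)
						if err != nil {
							return false, err
						}

						return len(renewed) > 0 && !bytes.Equal(ecert, renewed), nil
					}).Should(BeTrue())
				})

				By("not updating tls signcert secret", func() {
					// NOTE(review): Eventually succeeds on the first matching
					// poll, so this is a point-in-time check made after the
					// ecert rotation was seen. Asserting it over a window
					// would need Consistently.
					Eventually(func() (bool, error) {
						latest, err := signcert("tls", org1peer.Name)
						if err != nil {
							return false, err
						}

						return bytes.Equal(tlscert, latest), nil
					}).Should(BeTrue())
				})

				By("returning to Deployed status as tls cert won't expire for 10 years", func() {
					Eventually(org1peer.PollForCRStatus).Should(Equal(current.Deployed))
				})
			})
		})
	})
})

// GetBackup loads the backup stored under "<certType>-backup.json" in the
// "<name>-crypto-backup" secret.
//
// An empty Backup is returned when the secret does not exist yet, or exists
// without an entry for certType, so that a polling caller simply tries again.
// Any other API error, or an entry that is not valid JSON, fails the spec
// through Expect; inside an Eventually poll that ends the spec at once rather
// than being retried.
func GetBackup(certType, name string) *common.Backup {
	backupSecret, err := kclient.CoreV1().Secrets(namespace).Get(context.TODO(), fmt.Sprintf("%s-crypto-backup", name), metav1.GetOptions{})
	if err != nil {
		Expect(k8serrors.IsNotFound(err)).To(BeTrue())
		return &common.Backup{}
	}

	key := fmt.Sprintf("%s-backup.json", certType)
	raw, ok := backupSecret.Data[key]
	if !ok {
		// Unmarshalling a missing entry would fail with an "unexpected end
		// of JSON input" error and abort the spec; treat it like a secret
		// that is not there yet.
		return &common.Backup{}
	}

	backup := &common.Backup{}
	err = json.Unmarshal(raw, backup)
	Expect(err).NotTo(HaveOccurred())

	return backup
}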