
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package bootstrap
    16  
    17  import (
    18  	"os"
    19  	"path"
    20  	"testing"
    21  
    22  	. "github.com/onsi/gomega"
    23  	v1 "k8s.io/api/core/v1"
    24  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    25  
    26  	"istio.io/istio/pkg/kube"
    27  	"istio.io/istio/pkg/kube/kclient/clienttest"
    28  	"istio.io/istio/pkg/test"
    29  	"istio.io/istio/pkg/test/env"
    30  	"istio.io/istio/security/pkg/pki/ca"
    31  )
    32  
// testNamespace is the namespace the fake cluster is seeded with (the
// "cacerts" secret is created there) and the one loadCACerts is pointed at
// through caOptions.Namespace.
const testNamespace = "istio-system"
    34  
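// TestRemoteCerts exercises loadCACerts against a fake cluster holding the
// Istio-style "cacerts" secret (ca-cert.pem/ca-key.pem/... keys):
//   - with no secret present nothing may be written to dir;
//   - once the secret exists root-cert.pem must be materialized from it;
//   - a further call with certs already on disk must succeed and must not
//     change what was written.
func TestRemoteCerts(t *testing.T) {
	g := NewWithT(t)

	dir := t.TempDir()
	rootPath := path.Join(dir, "root-cert.pem")

	s := Server{
		kubeClient: kube.NewFakeClient(),
	}
	s.kubeClient.RunAndWait(test.NewStop(t))
	caOpts := &caOptions{
		Namespace: testNamespace,
	}

	// No secret in the cluster yet: the call is a no-op and dir stays empty.
	g.Expect(s.loadCACerts(caOpts, dir)).Should(Succeed())
	_, err := os.Stat(rootPath)
	g.Expect(os.IsNotExist(err)).Should(BeTrue())

	// Secret present: the root cert from the secret must land in dir.
	createCASecret(t, s.kubeClient)
	g.Expect(s.loadCACerts(caOpts, dir)).Should(Succeed())

	expectedRoot, err := readSampleCertFromFile("root-cert.pem")
	g.Expect(err).ShouldNot(HaveOccurred())
	g.Expect(os.ReadFile(rootPath)).Should(Equal(expectedRoot))

	// Certs already exist locally: the call must still succeed, and the
	// material written in the previous step must be unchanged afterwards
	// (the original test only checked the error here).
	g.Expect(s.loadCACerts(caOpts, dir)).Should(Succeed())
	g.Expect(os.ReadFile(rootPath)).Should(Equal(expectedRoot))
}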
    70  
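// TestRemoteTLSCerts is the kubernetes.io/tls-secret counterpart of
// TestRemoteCerts: the "cacerts" secret uses the tls.crt/tls.key/ca.crt key
// layout, and the root cert is expected to be materialized as ca.crt in dir.
// It checks the same three phases: no-op without a secret, load once the
// secret exists, and a stable no-op once certs are present locally.
func TestRemoteTLSCerts(t *testing.T) {
	g := NewWithT(t)

	dir := t.TempDir()
	rootPath := path.Join(dir, "ca.crt")

	s := Server{
		kubeClient: kube.NewFakeClient(),
	}
	s.kubeClient.RunAndWait(test.NewStop(t))
	caOpts := &caOptions{
		Namespace: testNamespace,
	}

	// No secret in the cluster yet: the call is a no-op and dir stays empty.
	g.Expect(s.loadCACerts(caOpts, dir)).Should(Succeed())
	_, err := os.Stat(rootPath)
	g.Expect(os.IsNotExist(err)).Should(BeTrue())

	// Secret present: the root cert from the secret must land in dir as ca.crt.
	createCATLSSecret(t, s.kubeClient)
	g.Expect(s.loadCACerts(caOpts, dir)).Should(Succeed())

	expectedRoot, err := readSampleCertFromFile("root-cert.pem")
	g.Expect(err).ShouldNot(HaveOccurred())
	g.Expect(os.ReadFile(rootPath)).Should(Equal(expectedRoot))

	// Certs already exist locally: the call must still succeed, and the
	// material written in the previous step must be unchanged afterwards
	// (the original test only checked the error here).
	g.Expect(s.loadCACerts(caOpts, dir)).Should(Succeed())
	g.Expect(os.ReadFile(rootPath)).Should(Equal(expectedRoot))
}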
   106  
// createCATLSSecret seeds the fake cluster with the sample CA material as a
// kubernetes.io/tls secret named "cacerts" in testNamespace. The data uses
// the TLS-secret key layout (tls.crt = CA cert, tls.key = CA key,
// ca.crt = root cert) instead of Istio's ca-cert.pem/ca-key.pem naming.
// Any failure to read a sample file is reported through t.Fatal.
func createCATLSSecret(t test.Failer, client kube.Client) {
	mustRead := func(name string) []byte {
		data, err := readSampleCertFromFile(name)
		if err != nil {
			t.Fatal(err)
		}
		return data
	}

	caCert := mustRead("ca-cert.pem")
	caKey := mustRead("ca-key.pem")
	rootCert := mustRead("root-cert.pem")

	secret := &v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: testNamespace,
			Name:      "cacerts",
		},
		Type: v1.SecretTypeTLS,
		Data: map[string][]byte{
			"tls.crt": caCert,
			"tls.key": caKey,
			"ca.crt":  rootCert,
		},
	}
	clienttest.NewWriter[*v1.Secret](t, client).Create(secret)
}
   134  
// createCASecret seeds the fake cluster with the sample CA material as an
// opaque secret named "cacerts" in testNamespace, keyed by Istio's own file
// names (ca.CACertFile, ca.CAPrivateKeyFile, ca.CertChainFile,
// ca.RootCertFile). Any failure to read a sample file is reported through
// t.Fatal.
func createCASecret(t test.Failer, client kube.Client) {
	// Secret key -> sample file it is filled from, in read order.
	entries := []struct {
		key    string
		sample string
	}{
		{ca.CACertFile, "ca-cert.pem"},
		{ca.CAPrivateKeyFile, "ca-key.pem"},
		{ca.CertChainFile, "cert-chain.pem"},
		{ca.RootCertFile, "root-cert.pem"},
	}

	data := make(map[string][]byte, len(entries))
	for _, e := range entries {
		contents, err := readSampleCertFromFile(e.sample)
		if err != nil {
			t.Fatal(err)
		}
		data[e.key] = contents
	}

	secret := &v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: testNamespace,
			Name:      "cacerts",
		},
		Data: data,
	}

	clienttest.NewWriter[*v1.Secret](t, client).Create(secret)
}
   166  
// readSampleCertFromFile returns the contents of file f from the
// samples/certs directory of the Istio source tree (rooted at
// env.IstioSrc). That directory holds sample material intended for tests
// such as these. Errors are those of os.ReadFile, unwrapped.
func readSampleCertFromFile(f string) ([]byte, error) {
	certDir := path.Join(env.IstioSrc, "samples/certs")
	return os.ReadFile(path.Join(certDir, f))
}