
     1  //go:build integ
     2  // +build integ
     3  
     4  //  Copyright Istio Authors
     5  //
     6  //  Licensed under the Apache License, Version 2.0 (the "License");
     7  //  you may not use this file except in compliance with the License.
     8  //  You may obtain a copy of the License at
     9  //
    10  //      http://www.apache.org/licenses/LICENSE-2.0
    11  //
    12  //  Unless required by applicable law or agreed to in writing, software
    13  //  distributed under the License is distributed on an "AS IS" BASIS,
    14  //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15  //  See the License for the specific language governing permissions and
    16  //  limitations under the License.
    17  
    18  package externalca
    19  
import (
	"fmt"
	"testing"

	"istio.io/istio/pkg/kube"
	csrctrl "istio.io/istio/pkg/test/csrctrl/controllers"
	"istio.io/istio/pkg/test/framework"
	"istio.io/istio/pkg/test/framework/components/echo/common/deployment"
	"istio.io/istio/pkg/test/framework/components/istio"
	"istio.io/istio/pkg/test/framework/label"
	"istio.io/istio/pkg/test/framework/resource"
	"istio.io/istio/pkg/test/util/tmpl"
)
    32  
// apps is the single-namespace echo deployment installed by the suite's last
// Setup step in TestMain.
var apps deployment.SingleNamespaceView

// stopChan is handed to the test CSR controller when the suite is set up and is
// signalled, then closed, once the suite has run so the controller can shut down.
var stopChan = make(chan struct{})
    37  
func TestMain(m *testing.M) {
	// Integration test for testing interoperability with external CA's that are integrated with K8s CSR API
	// Refer to https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
	// nolint: staticcheck
	//
	// signerCerts is filled in by the first Setup step and consumed by the
	// second, so the order of the Setup calls below is significant.
	var signerCerts []csrctrl.SignerRootCert

	// startCSRController runs the test CSR controller for the two custom signers
	// on every cluster; it keeps running until stopChan is signalled.
	startCSRController := func(ctx resource.Context) error {
		var clients []kube.Client
		clusters := ctx.AllClusters()
		for i := range clusters {
			clients = append(clients, clusters[i])
		}
		var err error
		signerCerts, err = csrctrl.RunCSRController("clusterissuers.istio.io/signer1,clusterissuers.istio.io/signer2", stopChan, clients)
		return err
	}

	// configureIstio points the control plane and the config cluster at the
	// signers' root certificates. Only the control-plane values get the
	// external-control-plane overlay; the config cluster never does.
	configureIstio := func(ctx resource.Context, cfg *istio.Config) {
		externalControlPlane := false
		for _, cl := range ctx.AllClusters() {
			// Evaluate the method for every cluster, as the original loop did.
			externalControlPlane = cl.IsExternalControlPlane() || externalControlPlane
		}

		cfg.ControlPlaneValues = generateConfigYaml(signerCerts, false, externalControlPlane)
		cfg.ConfigClusterValues = generateConfigYaml(signerCerts, true, false)
	}

	framework.NewSuite(m).
		Label(label.CustomSetup).
		RequireMinVersion(19).
		Setup(startCSRController).
		Setup(istio.Setup(nil, configureIstio)).
		Setup(deployment.SetupSingleNamespace(&apps, deployment.Config{})).
		Run()

	// Tell the CSR controller to stop.
	// NOTE(review): the send is on an unbuffered channel, so it blocks if nothing is
	// receiving (e.g. setup failed before the controller started); and it only runs if
	// Run() returns rather than exiting the process. Confirm both against the framework
	// and csrctrl before relying on this for shutdown.
	stopChan <- struct{}{}
	close(stopChan)
}
    71  
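// generateConfigYaml renders the Istio install values used by this suite.
//
// certs must hold at least two signer root certificates: certs[0] is published
// as the CA trusted for signer1 and certs[1] for signer2, each listed under
// meshConfig.caCertificates with the signer name it is trusted for. The PEM
// blocks are embedded verbatim through the template's indent helper, so they
// are expected to be well-formed PEM produced by the test CSR controller rather
// than untrusted input.
//
// isConfigCluster selects the reduced values for a config cluster: the pilot
// component block (signer env vars plus the ClusterRole overlay that lets istiod
// approve CSRs for custom signers) is rendered only when it is false. That RBAC
// overlay is scoped to resourceNames clusterissuers.istio.io/*, i.e. approval
// is limited to signers under that domain rather than every signer in the
// cluster.
//
// isExternalControlPlane adds Deployment overlays that mount the istio and
// istio-sidecar-injector ConfigMaps into the istiod container. Those overlays
// are appended to the overlays list opened by the non-config-cluster branch, so
// the flag is only valid together with isConfigCluster == false, which is how
// TestMain calls it.
//
// It panics with a descriptive message if fewer than two certificates are
// supplied; tmpl.MustEvaluate is expected to panic on a rendering error, per the
// Must convention.
func generateConfigYaml(certs []csrctrl.SignerRootCert, isConfigCluster bool, isExternalControlPlane bool) string {
	// Fail with a clear message instead of an index-out-of-range panic when the
	// CSR controller handed back fewer signers than the template needs.
	if len(certs) < 2 {
		panic(fmt.Sprintf("generateConfigYaml: need 2 signer root certs, got %d", len(certs)))
	}
	cert1 := certs[0]
	cert2 := certs[1]

	cfgYaml := tmpl.MustEvaluate(`
values:
  pilot:
    env:
      EXTERNAL_CA: ISTIOD_RA_KUBERNETES_API
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_CERT_SIGNER: signer1
    trustDomainAliases: [some-other, trust-domain-foo]
    caCertificates:
    - pem: |
{{.rootcert1 | indent 8}}
      certSigners:
      - {{.signer1}}
    - pem: |
{{.rootcert2 | indent 8}}
      certSigners:
      - {{.signer2}}
{{- if not .isConfigCluster}}
components:
  pilot:
    enabled: true
    k8s:
      env:
      - name: CERT_SIGNER_DOMAIN
        value: clusterissuers.istio.io
      - name: PILOT_CERT_PROVIDER
        value: k8s.io/clusterissuers.istio.io/signer2
      overlays:
        # Amend ClusterRole to add permission for istiod to approve certificate signing by custom signer
        - kind: ClusterRole
          name: istiod-clusterrole-istio-system
          patches:
            - path: rules[-1]
              value: |
                apiGroups:
                - certificates.k8s.io
                resourceNames:
                - clusterissuers.istio.io/*
                resources:
                - signers
                verbs:
                - approve
{{- end }}
{{- if .isExternalControlPlane}}
        - kind: Deployment
          name: istiod
          patches:
            - path: spec.template.spec.volumes[100]
              value: |-
                name: config-volume
                configMap:
                  name: istio
            - path: spec.template.spec.volumes[100]
              value: |-
                name: inject-volume
                configMap:
                  name: istio-sidecar-injector
            - path: spec.template.spec.containers[0].volumeMounts[100]
              value: |-
                name: config-volume
                mountPath: /etc/istio/config
            - path: spec.template.spec.containers[0].volumeMounts[100]
              value: |-
                name: inject-volume
                mountPath: /var/lib/istio/inject
{{- end }}
`, map[string]any{
		"rootcert1":              cert1.Rootcert,
		"signer1":                cert1.Signer,
		"rootcert2":              cert2.Rootcert,
		"signer2":                cert2.Signer,
		"isConfigCluster":        isConfigCluster,
		"isExternalControlPlane": isExternalControlPlane,
	})
	return cfgYaml
}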