Be sure to update the DEFAULT cert instead of the per-FederationDomai…

…n cert when the supervisor is using an IP address
vmware-tanzu · Sep 2, 2024 · ca9503e · ca9503e
1 parent dc72a36
commit ca9503e
Show file tree

Hide file tree

Showing 6 changed files with 171 additions and 131 deletions.
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
@@ -38,7 +38,6 @@ import (
 	supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
 	idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
 	supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
-	"go.pinniped.dev/internal/certauthority"
 	"go.pinniped.dev/internal/crud"
 	"go.pinniped.dev/internal/here"
 	"go.pinniped.dev/internal/testutil"
@@ -66,6 +65,16 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 
 	topSetupCtx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancelFunc()
+	supervisorClient := testlib.NewSupervisorClientset(t)
+	kubeClient := testlib.NewKubernetesClientset(t)
+	temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(
+		topSetupCtx,
+		t,
+		env.SupervisorNamespace,
+		env.DefaultTLSCertSecretName(),
+		supervisorClient,
+		kubeClient,
+	)
 
 	// Build pinniped CLI.
 	pinnipedExe := testlib.PinnipedCLIPath(t)
@@ -74,58 +83,28 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 
 	// Generate a CA bundle with which to serve this provider.
 	t.Logf("generating test CA")
-	federationDomainSelfSignedCA, err := certauthority.New("Downstream Test CA", 1*time.Hour)
-	require.NoError(t, err)
-
-	// Save that bundle plus the one that signs the upstream issuer, for test purposes.
-	federationDomainCABundlePath := filepath.Join(t.TempDir(), "test-ca.pem")
-	federationDomainCABundlePEM := federationDomainSelfSignedCA.Bundle()
-	require.NoError(t, os.WriteFile(federationDomainCABundlePath, federationDomainCABundlePEM, 0600))
+	tlsServingCertForSupervisorSecretName := "federation-domain-serving-cert-" + testlib.RandHex(t, 8)
 
-	// Use the CA to issue a TLS server cert.
-	certPEM, keyPEM := supervisorIssuer.IssuerServerCert(t, federationDomainSelfSignedCA)
-
-	supervisorClient := testlib.NewSupervisorClientset(t)
-	temporarilyRemoveAllFederationDomainsAndDefaultTLSCertSecret(
+	federationDomainSelfSignedCA := createTLSServingCertSecretForSupervisor(
 		topSetupCtx,
 		t,
-		env.SupervisorNamespace,
-		env.DefaultTLSCertSecretName(),
-		supervisorClient,
-		testlib.NewKubernetesClientset(t),
+		env,
+		supervisorIssuer,
+		tlsServingCertForSupervisorSecretName,
+		kubeClient,
 	)
 
-	var tlsSpecForFederationDomain *supervisorconfigv1alpha1.FederationDomainTLSSpec
-	if supervisorIssuer.IsIPAddress() {
-		testlib.CreateTestSecretWithName(
-			t,
-			env.SupervisorNamespace,
-			env.DefaultTLSCertSecretName(),
-			corev1.SecretTypeTLS,
-			map[string]string{
-				"tls.crt": string(certPEM),
-				"tls.key": string(keyPEM),
-			},
-		)
-	} else {
-		// Write the serving cert to a secret.
-		federationDomainTLSServingCertSecret := testlib.CreateTestSecret(t,
-			env.SupervisorNamespace,
-			"oidc-provider-tls",
-			corev1.SecretTypeTLS,
-			map[string]string{
-				"tls.crt": string(certPEM),
-				"tls.key": string(keyPEM),
-			},
-		)
-		tlsSpecForFederationDomain = &supervisorconfigv1alpha1.FederationDomainTLSSpec{SecretName: federationDomainTLSServingCertSecret.Name}
-	}
+	// Save that bundle plus the one that signs the upstream issuer, for test purposes.
+	federationDomainCABundlePath := filepath.Join(t.TempDir(), "test-ca.pem")
+	federationDomainCABundlePEM := federationDomainSelfSignedCA.Bundle()
+	require.NoError(t, os.WriteFile(federationDomainCABundlePath, federationDomainCABundlePEM, 0600))
 
 	// Create the downstream FederationDomain.
+	// This helper function will nil out spec.TLS if spec.Issuer is an IP address.
 	federationDomain := testlib.CreateTestFederationDomain(topSetupCtx, t,
 		supervisorconfigv1alpha1.FederationDomainSpec{
 			Issuer: supervisorIssuer.Issuer(),
-			TLS:    tlsSpecForFederationDomain,
+			TLS:    &supervisorconfigv1alpha1.FederationDomainTLSSpec{SecretName: tlsServingCertForSupervisorSecretName},
 		},
 		supervisorconfigv1alpha1.FederationDomainPhaseError, // in phase error until there is an IDP created
 	)
@@ -552,6 +531,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 		if runtime.GOOS != "darwin" {
 			// For some unknown reason this breaks the pty library on some macOS machines.
 			// The problem doesn't reproduce for everyone, so this is just a workaround.
+			var err error
 			kubectlStdoutPipe, err = kubectlCmd.StdoutPipe()
 			require.NoError(t, err)
 		}

diff --git a/test/integration/securetls_test.go b/test/integration/securetls_test.go
@@ -118,7 +118,15 @@ func TestSecureTLSSupervisor(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	t.Cleanup(cancel)
 
-	startKubectlPortForward(ctx, t, "10448", "443", env.SupervisorAppName+"-nodeport", env.SupervisorNamespace)
+	supervisorIssuer := testlib.NewSupervisorIssuer(t, env.SupervisorHTTPSAddress)
+
+	serviceSuffix := "-nodeport"
+	if supervisorIssuer.IsIPAddress() {
+		// Then there's no nodeport service to connect to, it's a load balancer service!
+		serviceSuffix = "-loadbalancer"
+	}
+
+	startKubectlPortForward(ctx, t, "10448", "443", env.SupervisorAppName+serviceSuffix, env.SupervisorNamespace)
 
 	stdout, stderr := testlib.RunNmapSSLEnum(t, "127.0.0.1", 10448)