Skip to content
Permalink
Browse files

test(*): add tests for new tls support

Adds a testdata directory to hold tls certs at the root
of the project. The tests cover pkg/tlsutil, cmd/helm,
and cmd/helm/installer.

Closes #2289
  • Loading branch information...
fibonacci1729 committed Apr 18, 2017
1 parent bba0214 commit 73e63992945029e7dca05b1b60aa9021a73cc457
Showing with 448 additions and 2 deletions.
  1. +85 −0 cmd/helm/init_test.go
  2. +161 −1 cmd/helm/installer/install_test.go
  3. +4 −1 pkg/tlsutil/cfg.go
  4. +83 −0 pkg/tlsutil/tlsutil_test.go
  5. +35 −0 testdata/ca.pem
  6. +29 −0 testdata/crt.pem
  7. +51 −0 testdata/key.pem
@@ -20,6 +20,8 @@ import (
"bytes"
"io/ioutil"
"os"
"path/filepath"
"reflect"
"strings"
"testing"

@@ -33,6 +35,7 @@ import (
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/fake"

"k8s.io/helm/cmd/helm/installer"
"k8s.io/helm/pkg/helm/helmpath"
)

@@ -217,3 +220,85 @@ func TestEnsureHome(t *testing.T) {
t.Errorf("%s should not be a directory", fi)
}
}

func TestInitCmd_tlsOptions(t *testing.T) {
const testDir = "../../testdata"

// tls certificates in testDir
var (
testCaCertFile = filepath.Join(testDir, "ca.pem")
testCertFile = filepath.Join(testDir, "crt.pem")
testKeyFile = filepath.Join(testDir, "key.pem")
)

// these tests verify the effects of permuting the "--tls" and "--tls-verify" flags
// and the install options yieled as a result of (*initCmd).tlsOptions()
// during helm init.
var tests = []struct {
certFile string
keyFile string
caFile string
enable bool
verify bool
describe string
}{
{ // --tls and --tls-verify specified (--tls=true,--tls-verify=true)
certFile: testCertFile,
keyFile: testKeyFile,
caFile: testCaCertFile,
enable: true,
verify: true,
describe: "--tls and --tls-verify specified (--tls=true,--tls-verify=true)",
},
{ // --tls-verify implies --tls (--tls=false,--tls-verify=true)
certFile: testCertFile,
keyFile: testKeyFile,
caFile: testCaCertFile,
enable: false,
verify: true,
describe: "--tls-verify implies --tls (--tls=false,--tls-verify=true)",
},
{ // no --tls-verify (--tls=true,--tls-verify=false)
certFile: testCertFile,
keyFile: testKeyFile,
caFile: "",
enable: true,
verify: false,
describe: "no --tls-verify (--tls=true,--tls-verify=false)",
},
{ // tls is disabled (--tls=false,--tls-verify=false)
certFile: "",
keyFile: "",
caFile: "",
enable: false,
verify: false,
describe: "tls is disabled (--tls=false,--tls-verify=false)",
},
}

for _, tt := range tests {
// emulate tls file specific flags
tlsCaCertFile, tlsCertFile, tlsKeyFile = tt.caFile, tt.certFile, tt.keyFile

// emulate tls enable/verify flags
tlsEnable, tlsVerify = tt.enable, tt.verify

cmd := &initCmd{}
if err := cmd.tlsOptions(); err != nil {
t.Fatalf("unexpected error: %v", err)
}

// expected result options
expect := installer.Options{
TLSCaCertFile: tt.caFile,
TLSCertFile: tt.certFile,
TLSKeyFile: tt.keyFile,
VerifyTLS: tt.verify,
EnableTLS: tt.enable || tt.verify,
}

if !reflect.DeepEqual(cmd.opts, expect) {
t.Errorf("%s: got %#+v, want %#+v", tt.describe, cmd.opts, expect)
}
}
}
@@ -17,6 +17,8 @@ limitations under the License.
package installer // import "k8s.io/helm/cmd/helm/installer"

import (
"os"
"path/filepath"
"reflect"
"testing"

@@ -32,7 +34,6 @@ import (
)

func TestDeploymentManifest(t *testing.T) {

tests := []struct {
name string
image string
@@ -69,6 +70,52 @@ func TestDeploymentManifest(t *testing.T) {
}
}

func TestDeploymentManifest_WithTLS(t *testing.T) {
tests := []struct {
opts Options
name string
enable string
verify string
}{
{
Options{Namespace: api.NamespaceDefault, EnableTLS: true, VerifyTLS: true},
"tls enable (true), tls verify (true)",
"1",
"1",
},
{
Options{Namespace: api.NamespaceDefault, EnableTLS: true, VerifyTLS: false},
"tls enable (true), tls verify (false)",
"1",
"",
},
{
Options{Namespace: api.NamespaceDefault, EnableTLS: false, VerifyTLS: true},
"tls enable (false), tls verify (true)",
"1",
"1",
},
}
for _, tt := range tests {
o, err := DeploymentManifest(&tt.opts)
if err != nil {
t.Fatalf("%s: error %q", tt.name, err)
}

var d extensions.Deployment
if err := yaml.Unmarshal([]byte(o), &d); err != nil {
t.Fatalf("%s: error %q", tt.name, err)
}
// verify environment variable in deployment reflect the use of tls being enabled.
if got := d.Spec.Template.Spec.Containers[0].Env[1].Value; got != tt.verify {
t.Errorf("%s: expected tls verify env value %q, got %q", tt.name, tt.verify, got)
}
if got := d.Spec.Template.Spec.Containers[0].Env[2].Value; got != tt.enable {
t.Errorf("%s: expected tls enable env value %q, got %q", tt.name, tt.enable, got)
}
}
}

func TestServiceManifest(t *testing.T) {
o, err := ServiceManifest(api.NamespaceDefault)
if err != nil {
@@ -84,6 +131,39 @@ func TestServiceManifest(t *testing.T) {
}
}

func TestSecretManifest(t *testing.T) {
o, err := SecretManifest(&Options{
VerifyTLS: true,
EnableTLS: true,
Namespace: api.NamespaceDefault,
TLSKeyFile: tlsTestFile(t, "key.pem"),
TLSCertFile: tlsTestFile(t, "crt.pem"),
TLSCaCertFile: tlsTestFile(t, "ca.pem"),
})

if err != nil {
t.Fatalf("error %q", err)
}

var obj api.Secret
if err := yaml.Unmarshal([]byte(o), &obj); err != nil {
t.Fatalf("error %q", err)
}

if got := obj.ObjectMeta.Namespace; got != api.NamespaceDefault {
t.Errorf("expected namespace %s, got %s", api.NamespaceDefault, got)
}
if _, ok := obj.Data["tls.key"]; !ok {
t.Errorf("missing 'tls.key' in generated secret object")
}
if _, ok := obj.Data["tls.crt"]; !ok {
t.Errorf("missing 'tls.crt' in generated secret object")
}
if _, ok := obj.Data["ca.crt"]; !ok {
t.Errorf("missing 'ca.crt' in generated secret object")
}
}

func TestInstall(t *testing.T) {
image := "gcr.io/kubernetes-helm/tiller:v2.0.0"

@@ -123,6 +203,77 @@ func TestInstall(t *testing.T) {
}
}

func TestInstall_WithTLS(t *testing.T) {
image := "gcr.io/kubernetes-helm/tiller:v2.0.0"
name := "tiller-secret"

fc := &fake.Clientset{}
fc.AddReactor("create", "deployments", func(action testcore.Action) (bool, runtime.Object, error) {
obj := action.(testcore.CreateAction).GetObject().(*extensions.Deployment)
l := obj.GetLabels()
if reflect.DeepEqual(l, map[string]string{"app": "helm"}) {
t.Errorf("expected labels = '', got '%s'", l)
}
i := obj.Spec.Template.Spec.Containers[0].Image
if i != image {
t.Errorf("expected image = '%s', got '%s'", image, i)
}
return true, obj, nil
})
fc.AddReactor("create", "services", func(action testcore.Action) (bool, runtime.Object, error) {
obj := action.(testcore.CreateAction).GetObject().(*api.Service)
l := obj.GetLabels()
if reflect.DeepEqual(l, map[string]string{"app": "helm"}) {
t.Errorf("expected labels = '', got '%s'", l)
}
n := obj.ObjectMeta.Namespace
if n != api.NamespaceDefault {
t.Errorf("expected namespace = '%s', got '%s'", api.NamespaceDefault, n)
}
return true, obj, nil
})
fc.AddReactor("create", "secrets", func(action testcore.Action) (bool, runtime.Object, error) {
obj := action.(testcore.CreateAction).GetObject().(*api.Secret)
if l := obj.GetLabels(); reflect.DeepEqual(l, map[string]string{"app": "helm"}) {
t.Errorf("expected labels = '', got '%s'", l)
}
if n := obj.ObjectMeta.Namespace; n != api.NamespaceDefault {
t.Errorf("expected namespace = '%s', got '%s'", api.NamespaceDefault, n)
}
if s := obj.ObjectMeta.Name; s != name {
t.Errorf("expected name = '%s', got '%s'", name, s)
}
if _, ok := obj.Data["tls.key"]; !ok {
t.Errorf("missing 'tls.key' in generated secret object")
}
if _, ok := obj.Data["tls.crt"]; !ok {
t.Errorf("missing 'tls.crt' in generated secret object")
}
if _, ok := obj.Data["ca.crt"]; !ok {
t.Errorf("missing 'ca.crt' in generated secret object")
}
return true, obj, nil
})

opts := &Options{
Namespace: api.NamespaceDefault,
ImageSpec: image,
EnableTLS: true,
VerifyTLS: true,
TLSKeyFile: tlsTestFile(t, "key.pem"),
TLSCertFile: tlsTestFile(t, "crt.pem"),
TLSCaCertFile: tlsTestFile(t, "ca.pem"),
}

if err := Install(fc, opts); err != nil {
t.Errorf("unexpected error: %#+v", err)
}

if actions := fc.Actions(); len(actions) != 3 {
t.Errorf("unexpected actions: %v, expected 3 actions got %d", actions, len(actions))
}
}

func TestInstall_canary(t *testing.T) {
fc := &fake.Clientset{}
fc.AddReactor("create", "deployments", func(action testcore.Action) (bool, runtime.Object, error) {
@@ -226,3 +377,12 @@ func TestUpgrade_serviceNotFound(t *testing.T) {
t.Errorf("unexpected actions: %v, expected 4 actions got %d", actions, len(actions))
}
}

func tlsTestFile(t *testing.T, path string) string {
const tlsTestDir = "../../../testdata"
path = filepath.Join(tlsTestDir, path)
if _, err := os.Stat(path); os.IsNotExist(err) {
t.Fatalf("tls test file %s does not exist", path)
}
return path
}
@@ -44,7 +44,10 @@ func ClientConfig(opts Options) (cfg *tls.Config, err error) {

if opts.CertFile != "" || opts.KeyFile != "" {
if cert, err = CertFromFilePair(opts.CertFile, opts.KeyFile); err != nil {
return nil, fmt.Errorf("could not load x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
if os.IsNotExist(err) {
return nil, fmt.Errorf("could not load x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
}
return nil, fmt.Errorf("could not read x509 key pair (cert: %q, key: %q): %v", opts.CertFile, opts.KeyFile, err)
}
}
if !opts.InsecureSkipVerify && opts.CaCertFile != "" {
@@ -0,0 +1,83 @@
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package tlsutil

import (
"crypto/tls"
"path/filepath"
"testing"
)

const tlsTestDir = "../../testdata"

const (
testCaCertFile = "ca.pem"
testCertFile = "crt.pem"
testKeyFile = "key.pem"
)

func TestClientConfig(t *testing.T) {
opts := Options{
CaCertFile: testfile(t, testCaCertFile),
CertFile: testfile(t, testCertFile),
KeyFile: testfile(t, testKeyFile),
InsecureSkipVerify: false,
}

cfg, err := ClientConfig(opts)
if err != nil {
t.Fatalf("error building tls client config: %v", err)
}

if got := len(cfg.Certificates); got != 1 {
t.Fatalf("expecting 1 client certificates, got %d", got)
}
if cfg.InsecureSkipVerify {
t.Fatalf("insecure skip verify mistmatch, expecting false")
}
if cfg.RootCAs == nil {
t.Fatalf("mismatch tls RootCAs, expecting non-nil")
}
}

func TestServerConfig(t *testing.T) {
opts := Options{
CaCertFile: testfile(t, testCaCertFile),
CertFile: testfile(t, testCertFile),
KeyFile: testfile(t, testKeyFile),
ClientAuth: tls.RequireAndVerifyClientCert,
}

cfg, err := ServerConfig(opts)
if err != nil {
t.Fatalf("error building tls server config: %v", err)
}
if got := cfg.MinVersion; got != tls.VersionTLS12 {
t.Errorf("expecting TLS version 1.2, got %d", got)
}
if got := cfg.ClientCAs; got == nil {
t.Errorf("expecting non-nil CA pool")
}
}

func testfile(t *testing.T, file string) (path string) {
var err error
if path, err = filepath.Abs(filepath.Join(tlsTestDir, file)); err != nil {
t.Fatalf("error getting absolute path to test file %q: %v", file, err)
}
return path
}
Oops, something went wrong.

0 comments on commit 73e6399

Please sign in to comment.
You can’t perform that action at this time.