diff --git a/test/extended/builds/cluster_config.go b/test/extended/builds/cluster_config.go index dc6a5bb808c9..378d5ac81f95 100644 --- a/test/extended/builds/cluster_config.go +++ b/test/extended/builds/cluster_config.go @@ -3,6 +3,7 @@ package builds import ( "context" "fmt" + "io/ioutil" "time" v1 "k8s.io/api/core/v1" @@ -21,6 +22,12 @@ import ( exutil "github.com/openshift/origin/test/extended/util" ) +const dummyCA = ` +-----BEGIN CERTIFICATE----- +GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m +-----END CERTIFICATE----- +` + // e2e tests of the build controller configuration. // These are tagged [Serial] because each test modifies the cluster-wide build controller config. var _ = g.Describe("[sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration", func() { @@ -32,6 +39,7 @@ var _ = g.Describe("[sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter blacklistConfigFixture = exutil.FixturePath("testdata", "builds", "cluster-config", "registry-blacklist.yaml") whitelistConfigFixture = exutil.FixturePath("testdata", "builds", "cluster-config", "registry-whitelist.yaml") invalidproxyConfigFixture = exutil.FixturePath("testdata", "builds", "cluster-config", "invalid-build-cluster-config.yaml") + caBuildFixture = exutil.FixturePath("testdata", "builds", "cluster-config", "ca-build.yaml") oc = exutil.NewCLI("build-cluster-config") checkPodProxyEnvs = func(containers []v1.Container, proxySpec *configv1.ProxySpec) { o.Expect(containers).NotTo(o.BeNil()) @@ -179,9 +187,7 @@ var _ = g.Describe("[sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter } }) - g.Context("registries config context", func() { - - // Altering registries config does not force an OCM rollout + g.Context("without ocm rollout", func() { g.AfterEach(func() { oc.AsAdmin().Run("apply").Args("-f", defaultConfigFixture).Execute() }) 
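Review bot: The new `dummyCA` constant is not a parseable certificate — it is a single base64 line taken from the middle of a real cert wrapped in BEGIN/END CERTIFICATE markers — so anything that decodes the bundle it gets appended to (`x509.ParseCertificate`, openssl, and, if it validates, the operator that merges the cluster trust bundle) will reject that block rather than skip it, and the test only proves the bytes are copied through verbatim. If that is the intent, say so on the constant: `// dummyCA is deliberately not a valid certificate; the test only checks that the bytes reach the build pod untouched.` Otherwise generate a real self-signed cert at test start with `crypto/x509` + `encoding/pem` and assert on its base64 body. Either way, the marker string asserted in the `ContainSubstring` call later in the file should reference this constant (or a shared substring) instead of duplicating the literal.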
@@ -238,6 +244,69 @@ var _ = g.Describe("[sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter o.Expect(buildLog).To(o.ContainSubstring("Source image rejected")) }) + g.It("should apply a custom PKI from the cluster to the build pod", func() { + ctx := context.Background() + g.By("creating BuildConfig to verify dummy CA") + err := oc.Run("create").Args("-f", caBuildFixture).Execute() + o.Expect(err).NotTo(o.HaveOccurred()) + // Check that the cluster doesn't have a custom PKI already defined + g.By("checking the PKI available on the cluster") + proxyConfig, err := oc.AsAdmin().AdminConfigClient().ConfigV1().Proxies().Get(ctx, "cluster", metav1.GetOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + o.Expect(proxyConfig).NotTo(o.BeNil()) + caConfigMapName := proxyConfig.Spec.TrustedCA.Name + defer func() { + g.By("restoring proxy config to previous state") + proxy, err := oc.AsAdmin().AdminConfigClient().ConfigV1().Proxies().Get(ctx, "cluster", metav1.GetOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + o.Expect(proxy).NotTo(o.BeNil()) + proxy.Spec.TrustedCA.Name = caConfigMapName + _, err = oc.AsAdmin().AdminConfigClient().ConfigV1().Proxies().Update(ctx, proxy, metav1.UpdateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + }() + var caData string + + if len(proxyConfig.Spec.TrustedCA.Name) > 0 { + caConfigMap, err := oc.AsAdmin().AdminKubeClient().CoreV1().ConfigMaps("openshift-config").Get(ctx, proxyConfig.Spec.TrustedCA.Name, metav1.GetOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + o.Expect(caConfigMap).NotTo(o.BeNil()) + caData = caConfigMap.Data["ca-bundle.crt"] + } + if len(caData) == 0 { + // Fall back to reading the local PKI + // Othwerise things which rely on public CAs will break (ex: image registry on AWS) + g.By("reading the local PKI trust bundle") + pki, err := ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem") + o.Expect(err).NotTo(o.HaveOccurred()) + caData = string(pki) + } + // Append the dummy CA and update 
the cluster PKI + g.By("appending a dummy CA certificate to the cluster PKI") + caData = caData + "\n" + dummyCA + testCAConfigMap := &v1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-user-ca-bundle-build", + Namespace: "openshift-config", + }, + Data: map[string]string{ + "ca-bundle.crt": caData, + }, + } + _, err = oc.AsAdmin().AdminKubeClient().CoreV1().ConfigMaps("openshift-config").Create(ctx, testCAConfigMap, metav1.CreateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + defer oc.AsAdmin().AdminKubeClient().CoreV1().ConfigMaps("openshift-config").Delete(ctx, "test-user-ca-bundle-build", metav1.DeleteOptions{}) + proxyConfig.Spec.TrustedCA.Name = "test-user-ca-bundle-build" + _, err = oc.AsAdmin().AdminConfigClient().ConfigV1().Proxies().Update(ctx, proxyConfig, metav1.UpdateOptions{}) + o.Expect(err).NotTo(o.HaveOccurred()) + g.By("starting build which prints the CA bundle") + br, err := exutil.StartBuildAndWait(oc, "ca-test") + o.Expect(err).NotTo(o.HaveOccurred()) + br.AssertSuccess() + log, err := br.LogsNoTimestamp() + o.Expect(err).NotTo(o.HaveOccurred()) + o.Expect(log).To(o.ContainSubstring("GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m")) + }) + }) g.Context("build config no ocm rollout", func() { diff --git a/test/extended/testdata/bindata.go b/test/extended/testdata/bindata.go index 2ea6e4fb523d..f4ec99284a06 100644 --- a/test/extended/testdata/bindata.go +++ b/test/extended/testdata/bindata.go @@ -84,6 +84,7 @@ // test/extended/testdata/builds/build-timing/test-docker-build.json // test/extended/testdata/builds/build-timing/test-is.json // test/extended/testdata/builds/build-timing/test-s2i-build.json +// test/extended/testdata/builds/cluster-config/ca-build.yaml // test/extended/testdata/builds/cluster-config/invalid-build-cluster-config.yaml // test/extended/testdata/builds/cluster-config/registry-blacklist.yaml // test/extended/testdata/builds/cluster-config/registry-whitelist.yaml 
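Review bot: Cleanup in the new `g.It` runs in the wrong order: defers are LIFO, so the ConfigMap `test-user-ca-bundle-build` is deleted first and the proxy is restored afterwards, leaving `spec.trustedCA` pointing at a missing ConfigMap in between, and the Delete error is dropped. Move the delete into the restore closure after the proxy `Update`, e.g. `o.Expect(oc.AsAdmin().AdminKubeClient().CoreV1().ConfigMaps("openshift-config").Delete(ctx, "test-user-ca-bundle-build", metav1.DeleteOptions{})).To(o.Succeed())`, and either tolerate AlreadyExists on the `Create` or delete up front, since a leftover ConfigMap from an aborted run currently fails the test. The fallback `ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")` reads the test runner's trust store, not the cluster's: it hard-codes a RHEL path (fails on other runners) and installs whatever CAs the CI host trusts cluster-wide for the duration of the test, so if the operator already merges the system bundle with the user CA the fallback can go — worth confirming before keeping it. `ioutil` is deprecated since Go 1.16; `os.ReadFile` does the same without the extra import.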
@@ -20254,6 +20255,34 @@ func testExtendedTestdataBuildsBuildTimingTestS2iBuildJson() (*asset, error) { return a, nil } +var _testExtendedTestdataBuildsClusterConfigCaBuildYaml = []byte(`kind: BuildConfig +apiVersion: build.openshift.io/v1 +metadata: + name: ca-test +spec: + source: + dockerfile: | + FROM registry.redhat.io/ubi8/ubi:latest + RUN cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + strategy: + dockerStrategy: {} +`) + +func testExtendedTestdataBuildsClusterConfigCaBuildYamlBytes() ([]byte, error) { + return _testExtendedTestdataBuildsClusterConfigCaBuildYaml, nil +} + +func testExtendedTestdataBuildsClusterConfigCaBuildYaml() (*asset, error) { + bytes, err := testExtendedTestdataBuildsClusterConfigCaBuildYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "test/extended/testdata/builds/cluster-config/ca-build.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _testExtendedTestdataBuildsClusterConfigInvalidBuildClusterConfigYaml = []byte(`kind: Build apiVersion: config.openshift.io/v1 metadata: 
@@ -59401,6 +59430,7 @@ var _bindata = map[string]func() (*asset, error){ "test/extended/testdata/builds/build-timing/test-docker-build.json": testExtendedTestdataBuildsBuildTimingTestDockerBuildJson, "test/extended/testdata/builds/build-timing/test-is.json": testExtendedTestdataBuildsBuildTimingTestIsJson, "test/extended/testdata/builds/build-timing/test-s2i-build.json": testExtendedTestdataBuildsBuildTimingTestS2iBuildJson, + "test/extended/testdata/builds/cluster-config/ca-build.yaml": testExtendedTestdataBuildsClusterConfigCaBuildYaml, "test/extended/testdata/builds/cluster-config/invalid-build-cluster-config.yaml": testExtendedTestdataBuildsClusterConfigInvalidBuildClusterConfigYaml, "test/extended/testdata/builds/cluster-config/registry-blacklist.yaml": testExtendedTestdataBuildsClusterConfigRegistryBlacklistYaml, "test/extended/testdata/builds/cluster-config/registry-whitelist.yaml": testExtendedTestdataBuildsClusterConfigRegistryWhitelistYaml, @@ -59970,6 +60000,7 @@ var _bintree = &bintree{nil, map[string]*bintree{ "test-s2i-build.json": {testExtendedTestdataBuildsBuildTimingTestS2iBuildJson, map[string]*bintree{}}, }}, "cluster-config": {nil, map[string]*bintree{ + "ca-build.yaml": {testExtendedTestdataBuildsClusterConfigCaBuildYaml, map[string]*bintree{}}, "invalid-build-cluster-config.yaml": {testExtendedTestdataBuildsClusterConfigInvalidBuildClusterConfigYaml, map[string]*bintree{}}, "registry-blacklist.yaml": {testExtendedTestdataBuildsClusterConfigRegistryBlacklistYaml, map[string]*bintree{}}, "registry-whitelist.yaml": {testExtendedTestdataBuildsClusterConfigRegistryWhitelistYaml, map[string]*bintree{}}, diff --git a/test/extended/testdata/builds/cluster-config/ca-build.yaml b/test/extended/testdata/builds/cluster-config/ca-build.yaml new file mode 100644 index 000000000000..248b519551ff --- /dev/null +++ b/test/extended/testdata/builds/cluster-config/ca-build.yaml 
@@ -0,0 +1,11 @@ +kind: BuildConfig +apiVersion: build.openshift.io/v1 +metadata: + name: ca-test +spec: + source: + dockerfile: | + FROM registry.redhat.io/ubi8/ubi:latest + RUN cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + strategy: + dockerStrategy: {} diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go index fc8df98432b5..3486999a3d16 100644 --- a/test/extended/util/annotate/generated/zz_generated.annotations.go +++ b/test/extended/util/annotate/generated/zz_generated.annotations.go 
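Review bot: The Dockerfile only `cat`s the trust bundle, so the build succeeds whether or not the custom CA was injected and the entire check lives in log scraping on the Go side; making the build itself assert presence turns a missing CA into a hard failure and stops dumping the whole cluster bundle into build logs: `RUN grep -q 'GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m' /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`. The Go test would then rely on `br.AssertSuccess()` and the log assertion becomes optional. The generated copy in bindata.go must be regenerated to match. Pulling `registry.redhat.io/ubi8/ubi:latest` also depends on the cluster pull secret and a floating tag; a pinned tag or an image the suite already uses would make the test more reproducible — confirm what the other cluster-config fixtures use.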
@@ -1127,11 +1127,13 @@ var annotations = map[string]string{ "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration build config with ocm rollout Apply toleration override configuration to build pod": "Apply toleration override configuration to build pod [Suite:openshift]", - "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration registries config context should allow registries to be blacklisted": "should allow registries to be blacklisted [Suite:openshift]", + "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration without ocm rollout should allow registries to be blacklisted": "should allow registries to be blacklisted [Suite:openshift]", - "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration registries config context should allow registries to be whitelisted": "should allow registries to be whitelisted [Suite:openshift]", + "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration without ocm rollout should allow registries to be whitelisted": "should allow registries to be whitelisted [Suite:openshift]", - "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration registries config context should default registry search to docker.io for image pulls": "should default registry search to docker.io for image pulls [Suite:openshift]", + "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration without ocm rollout should apply a custom PKI from the cluster to the build pod": "should apply a custom PKI from the cluster to the build pod [Suite:openshift]", + + "[Top Level] [sig-builds][Feature:Builds][Serial][Slow][Disruptive] alter builds via cluster configuration without ocm rollout should default registry search to 
docker.io for image pulls": "should default registry search to docker.io for image pulls [Suite:openshift]", "[Top Level] [sig-builds][Feature:Builds][Slow] Capabilities should be dropped for s2i builders s2i build with a rootable builder should not be able to switch to root with an assemble script": "should not be able to switch to root with an assemble script [Suite:openshift]",