Skip to content

Commit

Permalink
[v4.y] Test VERIFY_PEER / VERIFY_NONE work against real cluster
Browse files Browse the repository at this point in the history
Followup to #540,
tests that it really fixes #525.
  • Loading branch information
cben committed Feb 27, 2022
1 parent 22ae420 commit 71a5ab8
Show file tree
Hide file tree
Showing 4 changed files with 98 additions and 5 deletions.
9 changes: 8 additions & 1 deletion test/config/update_certs_k0s.rb
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,13 @@ def sh!(*cmd)
sh! "#{DOCKER} exec #{CONTAINER} cat /var/lib/k0s/pki/admin.crt > test/config/external-cert.pem"
sh! "#{DOCKER} exec #{CONTAINER} cat /var/lib/k0s/pki/admin.key > test/config/external-key.rsa"

sh! 'bundle exec rake test'
sh? 'curl -v --cacert test/config/external-ca.pem https://127.0.0.1:6443/'
p $CHILD_STATUS
sh? 'curl -v --cacert test/config/external-ca.pem https://127.0.0.2:6443/'
p $CHILD_STATUS

sh! 'env KUBECLIENT_TEST_REAL_CLUSTER=true bundle exec rake test'

sh! "#{DOCKER} rm -f #{CONTAINER}"

puts 'If you run this only for tests, cleanup by running: git restore test/config/'
4 changes: 0 additions & 4 deletions test/test_config.rb
Original file line number Diff line number Diff line change
Expand Up @@ -193,10 +193,6 @@ def check_context(context, ssl: true)
end
end

def config_file(name)
File.join(File.dirname(__FILE__), 'config', name)
end

def stub_exec(command_regexp, creds)
st = Minitest::Mock.new
st.expect(:success?, true)
Expand Down
8 changes: 8 additions & 0 deletions test/test_helper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,14 @@ def open_test_file(name)
File.new(File.join(File.dirname(__FILE__), name.split('.').last, name))
end

# kubeconfig files deviate from above convention.
# They link to relaved certs etc. with various extensions, all in same dir.
def config_file(name)
File.join(File.dirname(__FILE__), 'config', name)
end

WebMock.disable_net_connect!

def stub_core_api_list
stub_request(:get, %r{/api/v1$})
.to_return(body: open_test_file('core_api_resource_list.json'), status: 200)
Expand Down
82 changes: 82 additions & 0 deletions test/test_real_cluster.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
require_relative 'test_helper'

class KubeclientRealClusterTest < MiniTest::Test
# Tests here actually connect to a cluster!
# For simplicity, these tests use same config/*.kubeconfig files as test_config.rb,
# so are intended to run from config/update_certs_k0s.rb script.
def setup
if ENV['KUBECLIENT_TEST_REAL_CLUSTER'] == 'true'
WebMock.enable_net_connect!
else
skip('Requires real cluster, see test/config/update_certs_k0s.rb.')
end
end

def teardown
WebMock.disable_net_connect! # Don't allow any connections in other tests.
end

def test_real_cluster_verify_peer
config = Kubeclient::Config.read(config_file('external.kubeconfig'))
context = config.context
# localhost and 127.0.0.1 are among names on the certificate
client1 = Kubeclient::Client.new(
'https://127.0.0.1:6443', 'v1',
ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_PEER),
auth_options: context.auth_options
)
client1.discover
client1.get_nodes
exercise_watcher_with_timeout(client1.watch_nodes)
# 127.0.0.2 also means localhost but is not included in the certificate.
client2 = Kubeclient::Client.new(
'https://127.0.0.2:6443', 'v1',
ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_PEER),
auth_options: context.auth_options
)
# TODO: all OpenSSL exceptions should be wrapped with Kubeclient error.
assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
client2.discover
end
# Since discovery fails, methods like .get_nodes, .watch_nodes would all fail
# on method_missing -> discover. Call lower-level methods to test actual connection.
assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
client2.get_entities('Node', 'nodes', {})
end
assert_raises(Kubeclient::HttpError, OpenSSL::SSL::SSLError) do
exercise_watcher_with_timeout(client2.watch_entities('nodes'))
end
end

def test_real_cluster_verify_none
config = Kubeclient::Config.read(config_file('external.kubeconfig'))
context = config.context
# localhost and 127.0.0.1 are among names on the certificate
client1 = Kubeclient::Client.new(
'https://127.0.0.1:6443', 'v1',
ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_NONE),
auth_options: context.auth_options
)
client1.get_nodes
# 127.0.0.2 also means localhost but is not included in the certificate.
client2 = Kubeclient::Client.new(
'https://127.0.0.2:6443', 'v1',
ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_NONE),
auth_options: context.auth_options
)
client2.get_nodes
end

private

def exercise_watcher_with_timeout(watcher)
thread = Thread.new do
sleep(1)
watcher.finish
end
watcher.each do |_notice|
break
end
thread.join
end
end

0 comments on commit 71a5ab8

Please sign in to comment.