Merge pull request Kuadrant#325 from martinhesko/letsencrypt-test

extend MGC tests to Let's Encrypt certificates

testsuite/gateway/gateway_api/gateway.py

@@ -125,7 +125,7 @@ def get_tls_cert(self) -> Optional[Certificate]:
         tls_cert = Certificate(
             key=tls_cert_secret["tls.key"],
             certificate=tls_cert_secret["tls.crt"],
-            chain=tls_cert_secret["ca.crt"],
+            chain=tls_cert_secret["ca.crt"] if "ca.crt" in tls_cert_secret else None,
         )
         return tls_cert
 

testsuite/gateway/gateway_api/hostname.py

@@ -68,4 +68,6 @@ def __init__(self, base_domain, tls_cert: Certificate = None):
         self.tls_cert = tls_cert
 
     def expose_hostname(self, name, gateway: Gateway) -> Hostname:
-        return StaticHostname(f"{name}.{self.base_domain}", gateway.get_tls_cert())
+        return StaticHostname(
+            f"{name}.{self.base_domain}", gateway.get_tls_cert() if self.tls_cert is None else self.tls_cert
+        )

testsuite/resources/letsencrypt-stg-root-x1.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE
+BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc
+ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg
+jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4
+wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD
+oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt
+TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO
+fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6
+rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ
+FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8
+mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/
+GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru
+mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG
+9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y
+nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j
+qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x
+qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/
+sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q
+CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/
+5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/
+fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof
+gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M
+7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+-----END CERTIFICATE-----

testsuite/tests/mgc/conftest.py

@@ -51,7 +51,7 @@ def hub_gateway(request, hub_openshift, blame, base_domain, module_label) -> MGC
 
 
 @pytest.fixture(scope="session")
-def self_signed_cluster_issuer():
+def cluster_issuer():
     """Reference to cluster self-signed certificate issuer"""
     return CustomReference(
         group="cert-manager.io",
@@ -111,13 +111,13 @@ def dns_policy(blame, hub_gateway, module_label):
 
 
 @pytest.fixture(scope="module")
-def tls_policy(blame, hub_gateway, module_label, self_signed_cluster_issuer):
+def tls_policy(blame, hub_gateway, module_label, cluster_issuer):
     """TLSPolicy fixture"""
     policy = TLSPolicy.create_instance(
         hub_gateway.openshift,
         blame("tls"),
         parent=hub_gateway,
-        issuer=self_signed_cluster_issuer,
+        issuer=cluster_issuer,
         labels={"app": module_label},
     )
     return policy

testsuite/tests/mgc/test_external_ca.py

@@ -0,0 +1,79 @@
+"""
+This module contains the most basic happy path test for both DNSPolicy and TLSPolicy
+for a cluster with Let's Encrypt ClusterIssuer
+
+Prerequisites:
+* multi-cluster-gateways ns is created and set as openshift["project"]
+* managedclustersetbinding is created in openshift["project"]
+* gateway class "kuadrant-multi-cluster-gateway-instance-per-cluster" is created
+* cert-manager Operator installed
+* Let's Encrypt ClusterIssuer object configured on the cluster matching the template:
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: <email_address>
+    preferredChain: ISRG Root X1
+    privateKeySecretRef:
+      name: letsencrypt-private-key
+    server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+    solvers:
+      - dns01:
+          route53:
+            accessKeyID: <aws_key_id>
+            hostedZoneID: <hosted_zone_id>
+            region: <region_name>
+            secretAccessKeySecretRef:
+              key: awsSecretAccessKey
+              name: aws-secret
+"""
+
+import dataclasses
+from importlib import resources
+
+import pytest
+from openshift_client import selector
+from openshift_client.model import OpenShiftPythonException
+
+from testsuite.gateway import Exposer, CustomReference
+from testsuite.gateway.gateway_api.hostname import DNSPolicyExposer
+
+pytestmark = [pytest.mark.mgc]
+
+
+@pytest.fixture(scope="module")
+def cluster_issuer(hub_openshift):
+    """Reference to cluster Let's Encrypt certificate issuer"""
+    try:
+        selector("clusterissuer/letsencrypt-staging", static_context=hub_openshift.context).object()
+    except OpenShiftPythonException as exc:
+        pytest.skip(f"letsencrypt-staging ClusterIssuer is not present on the cluster: {exc}")
+    return CustomReference(
+        group="cert-manager.io",
+        kind="ClusterIssuer",
+        name="letsencrypt-staging",
+    )
+
+
+@pytest.fixture(scope="module")
+def exposer(base_domain, hub_gateway) -> Exposer:
+    """DNSPolicyExposer setup with expected TLS certificate"""
+    root_cert = resources.files("testsuite.resources").joinpath("letsencrypt-stg-root-x1.pem").read_text()
+    old_cert = hub_gateway.get_tls_cert()
+    return DNSPolicyExposer(base_domain, tls_cert=dataclasses.replace(old_cert, chain=old_cert.certificate + root_cert))
+
+
+# Reduce scope of the base_domain fixture so the test only runs on aws-mz ManagedZone
+@pytest.mark.parametrize("base_domain", ["aws-mz"], indirect=True)
+def test_smoke_letsencrypt(client):
+    """
+    Tests whether the backend, exposed using the HTTPRoute and Gateway, was exposed correctly,
+    having a tls secured endpoint with a hostname managed by MGC
+    """
+
+    result = client.get("/get")
+    assert not result.has_dns_error()
+    assert not result.has_cert_verify_error()
+    assert result.status_code == 200