diff --git a/test/config/another-ca1.pem b/test/config/another-ca1.pem
new file mode 100644
index 00000000..50825d47
--- /dev/null
+++ b/test/config/another-ca1.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUQZjM/5qoAF78qIDyc+rKi4qBdOIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAxMNa3ViZXJuZXRlcy1jYTAeFw0yMjAzMjIxNDQzMDBaFw0z
+MjAzMTkxNDQzMDBaMBgxFjAUBgNVBAMTDWt1YmVybmV0ZXMtY2EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGkG7g+UjpDhZ7A4Pm7Hme+RWs5IHz4I2X
+IclvtO3LuJ26yzz2S8VaXFFeUqzEPb2G1RxFGvoAVN7qrTw0n5MQJCFLAA4dI7oY
+8XLRJ7KgTBBIw1jYpgKb2zyHPIJE6VmslliKUiX+QDovdRU/dsbdup2EucrnGw4+
+QNNAc3XMbXgm6lubA6znYZlSpcQ8BKer3tq75q4KUZicIjS6gKQyZjk9a6fcOuCS
+ybtlAKp9lYzcwxZkNrx+V1PJMQ1qaJWPnMAVi7Oj5Dm3Jmf1WHBcNEh52Q/0vYlt
+4WSaeM5t/Py/m/7c4Ve97f5m2X6EhYyUbzov4qeZOnIJI3MnU1FxAgMBAAGjQjBA
+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSl1qyt
+jd96WstRE8h9x5qkCvZUvjANBgkqhkiG9w0BAQsFAAOCAQEAJt55qYvBaniAwvgO
+tbO79g1FcQGrxpMX45TuoCE/K+MWDjrr6bp+FbLOqT8MwOsbGwwJIRTHGvkEkVso
+5AWI5aSNs3hWnltOdz27ZSHeX77WB4daK1tLK6ggZrp3v9iIpbBwWBFdmAqsPvEs
+H17K2BgAzdh6xRKPQd0BGTUpJBfk50R2gDMj7FKyIzBN69IOGytBfAXBhHzEGy4+
+MvtTEIMUjR//KgCrpNeyDuaWHttR5FdnuRxFO7O3BAfyNSaNmd/IEHQf7DIGgzOy
++xWLyH/HRHj5C70qAqjbnrgBODI99BsA9U7oXTuyPLdIboAcFt2zD5DIYgZET52X
+53w4jA==
+-----END CERTIFICATE-----
diff --git a/test/config/another-ca2.pem b/test/config/another-ca2.pem
new file mode 100644
index 00000000..53be72e8
--- /dev/null
+++ b/test/config/another-ca2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUHW3OPnmuTquJ0YgbGpmm/blsY2QwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAxMNa3ViZXJuZXRlcy1jYTAeFw0yMjAzMjIxNDQ0MDBaFw0z
+MjAzMTkxNDQ0MDBaMBgxFjAUBgNVBAMTDWt1YmVybmV0ZXMtY2EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLMEJs5agS0hNQBxPTtsI6dIhIi/pY8liI
+sNukbi5KwKf80FYNyRXqE8ufDVyTFzOc+MG96jnHjDaBWjrVN9On0PgUBo4nPyd4
+DtyvYx2jMzwToSEIo/Z1aroMx1oGywCgdS4/3FWAbhlSbyXKJmhfh6gX0TxWz+dV
+zqNuqQq9EWuRhOMg9vgzjfp3mjiPE10lW8pT0j5JT3PI/eGO+C2Z7z33LJXb6GM2
+nXvhGFMGY+7XG65pqJ3L8g1mk+LjPiwyIItw8wPtrnrZ2VXMklMd5Mn+jgCTNe1B
+om0nPpPIiTblCr6gcNcVjy5WGN37OKlqrT0JTuSPHcxSUp05LFjDAgMBAAGjQjBA
+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQvV/sB
+wbR3UwjkLAMN+6P3fZ/3OjANBgkqhkiG9w0BAQsFAAOCAQEACAk4EQwCkw2EBsSR
+2SKoa1SjYFkZzIr/0/TB2YcMUvHF+RpvlD5vQ8/RJjeAl1kc6/niZ9TWCemjBLqI
+hPoFe49zr49DyQjC2ZfsXVJvFCr6g7o4q4DtQ6ltyBuTJbkn1hI+aB8zgvpofG44
+mKj18Y7tPvgXtRua4SaeBq777+22AOvKxPied9p4PTrMN4RKTP6+yIbLflej7dBD
+zQDjfmmYsH0T2ZRtBpE1dYrUbU3tkizcMZRJBgreoxoff+r5coibMIm/7gh+YoSb
+BCItCaeuGSKQ8CJb8DElcPUd6nKUjmeiQL68ztsG/+CXLiL/TZb914VaaCXvPInw
+49jJ7w==
+-----END CERTIFICATE-----
diff --git a/test/config/concatenated-ca.kubeconfig b/test/config/concatenated-ca.kubeconfig
new file mode 100644
index 00000000..ed20e4dd
--- /dev/null
+++ b/test/config/concatenated-ca.kubeconfig
@@ -0,0 +1,20 @@
+apiVersion: v1
+clusters:
+- cluster:
+ certificate-authority: concatenated-ca.pem
+ server: https://localhost:6443
+ name: local
+contexts:
+- context:
+ cluster: local
+ namespace: default
+ user: user
+ name: Default
+current-context: Default
+kind: Config
+preferences: {}
+users:
+- name: user
+ user:
+ client-certificate: external-cert.pem
+ client-key: external-key.rsa
diff --git a/test/config/concatenated-ca.pem b/test/config/concatenated-ca.pem
new file mode 100644
index 00000000..330f04ae
--- /dev/null
+++ b/test/config/concatenated-ca.pem
@@ -0,0 +1,57 @@
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUQZjM/5qoAF78qIDyc+rKi4qBdOIwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAxMNa3ViZXJuZXRlcy1jYTAeFw0yMjAzMjIxNDQzMDBaFw0z
+MjAzMTkxNDQzMDBaMBgxFjAUBgNVBAMTDWt1YmVybmV0ZXMtY2EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGkG7g+UjpDhZ7A4Pm7Hme+RWs5IHz4I2X
+IclvtO3LuJ26yzz2S8VaXFFeUqzEPb2G1RxFGvoAVN7qrTw0n5MQJCFLAA4dI7oY
+8XLRJ7KgTBBIw1jYpgKb2zyHPIJE6VmslliKUiX+QDovdRU/dsbdup2EucrnGw4+
+QNNAc3XMbXgm6lubA6znYZlSpcQ8BKer3tq75q4KUZicIjS6gKQyZjk9a6fcOuCS
+ybtlAKp9lYzcwxZkNrx+V1PJMQ1qaJWPnMAVi7Oj5Dm3Jmf1WHBcNEh52Q/0vYlt
+4WSaeM5t/Py/m/7c4Ve97f5m2X6EhYyUbzov4qeZOnIJI3MnU1FxAgMBAAGjQjBA
+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSl1qyt
+jd96WstRE8h9x5qkCvZUvjANBgkqhkiG9w0BAQsFAAOCAQEAJt55qYvBaniAwvgO
+tbO79g1FcQGrxpMX45TuoCE/K+MWDjrr6bp+FbLOqT8MwOsbGwwJIRTHGvkEkVso
+5AWI5aSNs3hWnltOdz27ZSHeX77WB4daK1tLK6ggZrp3v9iIpbBwWBFdmAqsPvEs
+H17K2BgAzdh6xRKPQd0BGTUpJBfk50R2gDMj7FKyIzBN69IOGytBfAXBhHzEGy4+
+MvtTEIMUjR//KgCrpNeyDuaWHttR5FdnuRxFO7O3BAfyNSaNmd/IEHQf7DIGgzOy
++xWLyH/HRHj5C70qAqjbnrgBODI99BsA9U7oXTuyPLdIboAcFt2zD5DIYgZET52X
+53w4jA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUVL5Bj6YYpqFeUclFcIGSH37AIqkwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAxMNa3ViZXJuZXRlcy1jYTAeFw0yMjAzMjIxNDQ3MDBaFw0z
+MjAzMTkxNDQ3MDBaMBgxFjAUBgNVBAMTDWt1YmVybmV0ZXMtY2EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQXnD7p7ah6sM/2zRPTnnljBM9iGS63xXi
+i7pD4NTHTljQ2lRIM0+M7SBXJn7WtaOLlDMQcLOr9gtRIJwEfiyWfyMag448x45W
+Oq+k7ebzJNBwKHDT4fa6xbs+zw7wxgXPwFBtkOr7MBkuXnCqc8W9Ak8RQxcZsMq4
+yI48ZOEcuTBTFCQELqd+UWpvLEY7xde16/XZLtn+qYEb5ZEO/E1JfYhDiY5AUgjq
+DvKQXwpKbZd4mxnBUG/EY7hleIOClwh6NGY+Rhhwim5J25qWtyeBOIbhqNoSdN/o
+YsO6uf/56mlPsNJ6cWcvTKb9ZXVy2wWaERXesf9C3jMOh4IreRgxAgMBAAGjQjBA
+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSbQUCs
+0sOCZ2QbE/g4FWo/7mtyIjANBgkqhkiG9w0BAQsFAAOCAQEAU2Tq1GuOHks8ccYV
+7HrXQYvEoPsGRouD25J5pc0I2o4d3aReUritNg167zw1AssmhqDICWUFKUAbTMVy
+vsE2MiRHhMccBTFiSP8OWcVdML7XEB4R2am5UjGP82DpzBHoPmqhWPqU+/sZ+O2P
+Uf3R68ywidVp/dxhr70eBYiV8nkzuSYktIa31zOiwwbTHuNDd811NmLYr9sWnUrY
+VdMEkMlPtlYkpcOUkpNoZUL1/ZPJEdsG3RzLFLvNya6pD4Xs6HKYvMwGMcIaEZRA
+Xbd06RNtHi4DdlDmdi4U31sUW37voylA2alDqfr9IyjoUwWh6kEFjY7RgUwQpBt7
+HRPemg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDADCCAeigAwIBAgIUHW3OPnmuTquJ0YgbGpmm/blsY2QwDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAxMNa3ViZXJuZXRlcy1jYTAeFw0yMjAzMjIxNDQ0MDBaFw0z
+MjAzMTkxNDQ0MDBaMBgxFjAUBgNVBAMTDWt1YmVybmV0ZXMtY2EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLMEJs5agS0hNQBxPTtsI6dIhIi/pY8liI
+sNukbi5KwKf80FYNyRXqE8ufDVyTFzOc+MG96jnHjDaBWjrVN9On0PgUBo4nPyd4
+DtyvYx2jMzwToSEIo/Z1aroMx1oGywCgdS4/3FWAbhlSbyXKJmhfh6gX0TxWz+dV
+zqNuqQq9EWuRhOMg9vgzjfp3mjiPE10lW8pT0j5JT3PI/eGO+C2Z7z33LJXb6GM2
+nXvhGFMGY+7XG65pqJ3L8g1mk+LjPiwyIItw8wPtrnrZ2VXMklMd5Mn+jgCTNe1B
+om0nPpPIiTblCr6gcNcVjy5WGN37OKlqrT0JTuSPHcxSUp05LFjDAgMBAAGjQjBA
+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQvV/sB
+wbR3UwjkLAMN+6P3fZ/3OjANBgkqhkiG9w0BAQsFAAOCAQEACAk4EQwCkw2EBsSR
+2SKoa1SjYFkZzIr/0/TB2YcMUvHF+RpvlD5vQ8/RJjeAl1kc6/niZ9TWCemjBLqI
+hPoFe49zr49DyQjC2ZfsXVJvFCr6g7o4q4DtQ6ltyBuTJbkn1hI+aB8zgvpofG44
+mKj18Y7tPvgXtRua4SaeBq777+22AOvKxPied9p4PTrMN4RKTP6+yIbLflej7dBD
+zQDjfmmYsH0T2ZRtBpE1dYrUbU3tkizcMZRJBgreoxoff+r5coibMIm/7gh+YoSb
+BCItCaeuGSKQ8CJb8DElcPUd6nKUjmeiQL68ztsG/+CXLiL/TZb914VaaCXvPInw
+49jJ7w==
+-----END CERTIFICATE-----
diff --git a/test/config/update_certs_k0s.rb b/test/config/update_certs_k0s.rb
index 84059bf4..2632d726 100755
--- a/test/config/update_certs_k0s.rb
+++ b/test/config/update_certs_k0s.rb
@@ -33,6 +33,8 @@ def sh!(*cmd)
 # The rest could easily be extracted from allinone.kubeconfig, but the test is more robust
 # if we don't reuse YAML and/or Kubeclient::Config parsing to construct test data.
 sh! "#{DOCKER} exec #{CONTAINER} cat /var/lib/k0s/pki/ca.crt > test/config/external-ca.pem"
+sh! 'cat test/config/another-ca1.pem test/config/external-ca.pem '\
+ ' test/config/another-ca2.pem > test/config/concatenated-ca.pem'
 sh! "#{DOCKER} exec #{CONTAINER} cat /var/lib/k0s/pki/admin.crt > test/config/external-cert.pem"
 sh! "#{DOCKER} exec #{CONTAINER} cat /var/lib/k0s/pki/admin.key > test/config/external-key.rsa"
diff --git a/test/test_config.rb b/test/test_config.rb
index 98d2114f..d246624c 100644
--- a/test/test_config.rb
+++ b/test/test_config.rb
@@ -44,6 +44,12 @@ def test_external_nopath_absolute
 end
 end
+ def test_concatenated_ca
+ config = Kubeclient::Config.read(config_file('concatenated-ca.kubeconfig'))
+ assert_equal(['Default'], config.contexts)
+ check_context(config.context, ssl: true)
+ end
+
 def test_nouser
 config = Kubeclient::Config.read(config_file('nouser.kubeconfig'))
 assert_equal(['default/localhost:6443/nouser'], config.contexts)
diff --git a/test/test_real_cluster.rb b/test/test_real_cluster.rb
index 568c9374..5c1f4cf9 100644
--- a/test/test_real_cluster.rb
+++ b/test/test_real_cluster.rb
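Review bot: In test/config/update_certs_k0s.rb the added `sh! 'cat …'` line carries no comment explaining why the cluster CA is placed between two unrelated certificates, and that ordering is what gives the fixture its value: a loader that keeps only the first or only the last certificate of the bundle would fail verification against the cluster. The three certificates in the committed concatenated-ca.pem also appear to share the subject CN `kubernetes-ca`, so the bundle exercises issuer lookup among same-named CAs as well. I would add above the line `# Real CA sits between two unrelated CAs with the same subject: loading only the first or last cert of the bundle must fail verification.` and note there that another-ca1.pem and another-ca2.pem are static fixtures this script does not regenerate.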
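Review bot: In test/test_config.rb, `test_concatenated_ca` asserts only the context name plus whatever `check_context(config.context, ssl: true)` checks, and `check_context` is defined outside this hunk; unless it inspects the loaded trust anchors, this unit test passes just as well for a loader that keeps a single certificate from concatenated-ca.pem. The check that the middle CA is actually trusted lives in `test_real_cluster_concatenated_ca`, which presumably needs a live cluster and so may not run everywhere. I would state that in the test, e.g. `# Parse-only check; that the middle CA of the bundle is trusted is verified in test_real_cluster_concatenated_ca.`, or assert on the number of certificates loaded if the context exposes them.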
@@ -57,6 +57,23 @@ def test_real_cluster_verify_none
 check_cert_accepted(client2)
 end
+ def test_real_cluster_concatenated_ca
+ config = Kubeclient::Config.read(config_file('concatenated-ca.kubeconfig'))
+ context = config.context
+ client1 = Kubeclient::Client.new(
+ HOSTNAME_COVERED_BY_CERT, 'v1',
+ ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_PEER),
+ auth_options: context.auth_options
+ )
+ check_cert_accepted(client1)
+ client2 = Kubeclient::Client.new(
+ HOSTNAME_NOT_ON_CERT, 'v1',
+ ssl_options: context.ssl_options.merge(verify_ssl: OpenSSL::SSL::VERIFY_PEER),
+ auth_options: context.auth_options
+ )
+ check_cert_rejected(client2)
+ end
+
 private
 # Test cert checking on discovery, CRUD, and watch code paths.
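Review bot: Both clients in `test_real_cluster_concatenated_ca` overwrite `verify_ssl` with `VERIFY_PEER` through `merge`, so the test never observes the verification mode that `Kubeclient::Config` itself produced for a kubeconfig with `certificate-authority` set; a parsed context that left verification off would still pass here. If the config is expected to enable peer verification whenever a CA is configured, assert it before building the clients: `assert_equal(OpenSSL::SSL::VERIFY_PEER, context.ssl_options[:verify_ssl])`. The rejection half covers only a hostname mismatch; a companion case where a bundle of another-ca1.pem and another-ca2.pem alone is rejected would show that acceptance comes from the middle certificate rather than from some other trust source. The two `Kubeclient::Client.new` calls differ only in the hostname and could share a small private helper.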