Adding e2e test for cert renewal with given private key pem file (#931)

Signed-off-by: Pravin Pushkar <[email protected]>

Author: pravinpushkar

pkg/kubernetes/renew_certificate.go

@@ -18,6 +18,7 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -154,7 +155,11 @@ func GenerateNewCertificates(validUntil time.Duration, privateKeyFile string) ([
 		if err != nil {
 			return nil, nil, nil, err
 		}
-		rootKey, err = x509.ParseECPrivateKey(privateKeyBytes)
+		privateKeyPemBlock, _ := pem.Decode(privateKeyBytes)
+		if privateKeyPemBlock == nil {
+			return nil, nil, nil, errors.New("provided private key file is not pem encoded")
+		}
+		rootKey, err = x509.ParseECPrivateKey(privateKeyPemBlock.Bytes)
 		if err != nil {
 			return nil, nil, nil, err
 		}

tests/e2e/common/common.go

@@ -424,6 +424,34 @@ func GenerateNewCertAndRenew(details VersionDetails, opts TestOptions) func(t *t
 	}
 }
 
+func UseProvidedPrivateKeyAndRenewCerts(details VersionDetails, opts TestOptions) func(t *testing.T) {
+	return func(t *testing.T) {
+		daprPath := getDaprPath()
+		args := []string{
+			"mtls", "renew-certificate", "-k",
+			"--private-key", "../testdata/example-root.key",
+			"--valid-until", "20",
+		}
+		output, err := spawn.Command(daprPath, args...)
+		t.Log(output)
+		require.NoError(t, err, "expected no error on certificate renewal")
+
+		done := make(chan struct{})
+		podsRunning := make(chan struct{})
+
+		go waitAllPodsRunning(t, DaprTestNamespace, opts.HAEnabled, done, podsRunning)
+		select {
+		case <-podsRunning:
+			t.Logf("verified all pods running in namespace %s are running after certficate change", DaprTestNamespace)
+		case <-time.After(2 * time.Minute):
+			done <- struct{}{}
+			t.Logf("timeout verifying all pods running in namespace %s", DaprTestNamespace)
+			t.FailNow()
+		}
+		assert.Contains(t, output, "Certificate rotation is successful!")
+	}
+}
+
 func UseProvidedNewCertAndRenew(details VersionDetails, opts TestOptions) func(t *testing.T) {
 	return func(t *testing.T) {
 		daprPath := getDaprPath()

tests/e2e/kubernetes/kubernetes_test.go

@@ -265,3 +265,44 @@ func TestRenewCertificateMTLSDisabled(t *testing.T) {
 		t.Run(tc.Name, tc.Callable)
 	}
 }
+
+func TestRenewCertWithPrivateKey(t *testing.T) {
+	common.EnsureUninstall(true)
+
+	tests := []common.TestCase{}
+	var installOpts = common.TestOptions{
+		HAEnabled:             false,
+		MTLSEnabled:           true,
+		ApplyComponentChanges: true,
+		CheckResourceExists: map[common.Resource]bool{
+			common.CustomResourceDefs:  true,
+			common.ClusterRoles:        true,
+			common.ClusterRoleBindings: true,
+		},
+	}
+
+	tests = append(tests, common.GetTestsOnInstall(currentVersionDetails, installOpts)...)
+
+	// tests for certifcate renewal with newly generated certificates when pem encoded private root.key file is provided
+	tests = append(tests, []common.TestCase{
+		{"Renew certificate which expires in less than 30 days", common.UseProvidedPrivateKeyAndRenewCerts(currentVersionDetails, installOpts)},
+	}...)
+
+	tests = append(tests, common.GetTestsPostCertificateRenewal(currentVersionDetails, installOpts)...)
+	tests = append(tests, []common.TestCase{
+		{"Cert Expiry warning message check " + currentVersionDetails.RuntimeVersion, common.CheckMTLSStatus(currentVersionDetails, installOpts, true)},
+	}...)
+
+	// teardown everything
+	tests = append(tests, common.GetTestsOnUninstall(currentVersionDetails, common.TestOptions{
+		CheckResourceExists: map[common.Resource]bool{
+			common.CustomResourceDefs:  true,
+			common.ClusterRoles:        false,
+			common.ClusterRoleBindings: false,
+		},
+	})...)
+
+	for _, tc := range tests {
+		t.Run(tc.Name, tc.Callable)
+	}
+}

tests/e2e/testdata/example-root.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHAXJW1CiSkXb4T1+Hx9Kefsd+CF+s4KzJl+P95Y4FnaoAoGCCqGSM49
+AwEHoUQDQgAE4c8Fq5Ol7n4FkDnaEp9VjklE2fBNybcq5vwZOdFTjCsNE9HivnPd
+qXIeSTyYAZ87E3BP5tvlcwCmxiM/p8FIpQ==
+-----END EC PRIVATE KEY-----