fix permissions in operator cert, add basic e2e test

xrstf · xrstf · commit 04b478af0c9d · 2025-09-03T14:28:59.000+02:00
On-behalf-of: @SAP christoph.mewes@sap.com
diff --git a/hack/ci/run-e2e-tests.sh b/hack/ci/run-e2e-tests.sh
@@ -109,6 +109,6 @@ WHAT="${WHAT:-./test/e2e/...}"
 TEST_ARGS="${TEST_ARGS:--timeout 2h -v}"
 E2E_PARALLELISM=${E2E_PARALLELISM:-2}
 
-(set -x; go test -tags e2e -p $E2E_PARALLELISM $TEST_ARGS "$WHAT")
+(set -x; go test -tags e2e -parallel $E2E_PARALLELISM $TEST_ARGS "$WHAT")
 
 echo "Done. :-)"
diff --git a/hack/run-e2e-tests.sh b/hack/run-e2e-tests.sh
@@ -19,8 +19,11 @@ set -euo pipefail
 KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-e2e}"
 DATA_DIR=".e2e-$KIND_CLUSTER_NAME"
 OPERATOR_PID=0
+PROTOKOL_PID=0
+NO_TEARDOWN=${NO_TEARDOWN:-false}
 
 mkdir -p "$DATA_DIR"
+rm -rf "$DATA_DIR/kind-logs"
 echo "Logs are stored in $DATA_DIR/."
 DATA_DIR="$(realpath "$DATA_DIR")"
 
@@ -32,14 +35,26 @@ kind create cluster --name "$KIND_CLUSTER_NAME"
 chmod 600 "$KUBECONFIG"
 
 teardown_kind() {
-  echo "Stopping kcp-operator…"
-  kill -TERM $OPERATOR_PID
-  wait $OPERATOR_PID
+  if [[ $OPERATOR_PID -gt 0 ]]; then
+    echo "Stopping kcp-operator…"
+    kill -TERM $OPERATOR_PID
+    wait $OPERATOR_PID
+  fi
+
+  if [[ $PROTOKOL_PID -gt 0 ]]; then
+    echo "Stopping protokol…"
+    kill -TERM $PROTOKOL_PID
+    # no wait because protokol ends quickly and wait would fail
+  fi
 
   kind delete cluster --name "$KIND_CLUSTER_NAME"
   rm "$KUBECONFIG"
 }
-trap teardown_kind EXIT
+
+if ! $NO_TEARDOWN; then
+  echo "Will tear down kind cluster once the script has finished."
+  trap teardown_kind EXIT
+fi
 
 echo "Kubeconfig is in $KUBECONFIG."
 
@@ -75,6 +90,14 @@ _build/manager \
 OPERATOR_PID=$!
 echo "Running as process $OPERATOR_PID."
 
+if command -v protokol &> /dev/null; then
+  protokol --namespace 'e2e-*' --output "$DATA_DIR/kind-logs" 2>/dev/null &
+  PROTOKOL_PID=$!
+else
+  echo "Install https://codeberg.org/xrstf/protokol to automatically"
+  echo "collect logs from the kind cluster."
+fi
+
 echo "Running e2e tests…"
 
 export HELM_BINARY="$(realpath _tools/helm)"
@@ -84,4 +107,4 @@ WHAT="${WHAT:-./test/e2e/...}"
 TEST_ARGS="${TEST_ARGS:--timeout 2h -v}"
 E2E_PARALLELISM=${E2E_PARALLELISM:-2}
 
-(set -x; go test -tags e2e -p $E2E_PARALLELISM $TEST_ARGS "$WHAT")
+(set -x; go test -tags e2e -parallel $E2E_PARALLELISM $TEST_ARGS "$WHAT")
diff --git a/internal/controller/rootshard/controller.go b/internal/controller/rootshard/controller.go
@@ -144,6 +144,7 @@ func (r *RootShardReconciler) reconcile(ctx context.Context, rootShard *operator
 		rootshard.VirtualWorkspacesCertificateReconciler(rootShard),
 		rootshard.LogicalClusterAdminCertificateReconciler(rootShard),
 		rootshard.ExternalLogicalClusterAdminCertificateReconciler(rootShard),
+		rootshard.OperatorClientCertificateReconciler(rootShard),
 	}
 
 	// Intermediate CAs that we need to generate a certificate and an issuer for.
diff --git a/internal/resources/resources.go b/internal/resources/resources.go
@@ -39,6 +39,12 @@ const (
 	ShardLabel      = "operator.kcp.io/shard"
 	FrontProxyLabel = "operator.kcp.io/front-proxy"
 	KubeconfigLabel = "operator.kcp.io/kubeconfig"
+
+	// OperatorUsername is the common name embedded in the operator's admin certificate
+	// that is created for each RootShard. This name alone has no special meaning, as
+	// the certificate also has system:masters as an organization, which is what ultimately
+	// grants the operator its permissions.
+	OperatorUsername = "system:kcp-operator"
 )
 
 func GetImageSettings(imageSpec *operatorv1alpha1.ImageSpec) (string, []corev1.LocalObjectReference) {
diff --git a/internal/resources/rootshard/certificates.go b/internal/resources/rootshard/certificates.go
@@ -231,3 +231,43 @@ func ExternalLogicalClusterAdminCertificateReconciler(rootShard *operatorv1alpha
 		}
 	}
 }
+
+func OperatorClientCertificateReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.NamedCertificateReconcilerFactory {
+	const certKind = operatorv1alpha1.OperatorCertificate
+
+	name := resources.GetRootShardCertificateName(rootShard, certKind)
+	template := rootShard.Spec.CertificateTemplates.CertificateTemplate(certKind)
+
+	return func() (string, reconciling.CertificateReconciler) {
+		return name, func(cert *certmanagerv1.Certificate) (*certmanagerv1.Certificate, error) {
+			cert.SetLabels(resources.GetRootShardResourceLabels(rootShard))
+			cert.Spec = certmanagerv1.CertificateSpec{
+				CommonName:  resources.OperatorUsername,
+				SecretName:  name,
+				Duration:    &operatorv1alpha1.DefaultCertificateDuration,
+				RenewBefore: &operatorv1alpha1.DefaultCertificateRenewal,
+
+				PrivateKey: &certmanagerv1.CertificatePrivateKey{
+					Algorithm: certmanagerv1.RSAKeyAlgorithm,
+					Size:      4096,
+				},
+
+				Subject: &certmanagerv1.X509Subject{
+					Organizations: []string{"system:kcp:admin"},
+				},
+
+				Usages: []certmanagerv1.KeyUsage{
+					certmanagerv1.UsageClientAuth,
+				},
+
+				IssuerRef: certmanagermetav1.ObjectReference{
+					Name:  resources.GetRootShardCAName(rootShard, operatorv1alpha1.FrontProxyClientCA),
+					Kind:  "Issuer",
+					Group: "cert-manager.io",
+				},
+			}
+
+			return utils.ApplyCertificateTemplate(cert, &template), nil
+		}
+	}
+}
diff --git a/sdk/apis/operator/v1alpha1/common.go b/sdk/apis/operator/v1alpha1/common.go
@@ -85,6 +85,10 @@ const (
 	AdminKubeconfigClientCertificate       Certificate = "admin-kubeconfig"
 	LogicalClusterAdminCertificate         Certificate = "logical-cluster-admin"
 	ExternalLogicalClusterAdminCertificate Certificate = "external-logical-cluster-admin"
+
+	// OperatorCertificate is created for a RootShard and used by the operator to
+	// connect
+	OperatorCertificate Certificate = "kcp-operator"
 )
 
 type CA string
diff --git a/test/e2e/rootshards/proxy_test.go b/test/e2e/rootshards/proxy_test.go
@@ -0,0 +1,144 @@
+//go:build e2e
+
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rootshards
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/go-logr/logr"
+	kcpcorev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
+	kcptenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+	"github.com/kcp-dev/logicalcluster/v3"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	ctrlruntime "sigs.k8s.io/controller-runtime"
+	ctrlruntimeclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+	"github.com/kcp-dev/kcp-operator/test/utils"
+)
+
+func TestRootShardProxy(t *testing.T) {
+	ctrlruntime.SetLogger(logr.Discard())
+
+	client := utils.GetKubeClient(t)
+	ctx := context.Background()
+	namespaceSuffix := "rootshard-proxy"
+
+	namespace := utils.CreateSelfDestructingNamespace(t, ctx, client, namespaceSuffix)
+	externalHostname := fmt.Sprintf("front-proxy-front-proxy.e2e-%s.svc.cluster.local", namespaceSuffix)
+
+	// deploy a root shard incl. etcd
+	rootShard := utils.DeployRootShard(ctx, t, client, namespace.Name, externalHostname)
+
+	// deploy a 2nd shard incl. etcd
+	shardName := "aadvark"
+	utils.DeployShard(ctx, t, client, namespace.Name, shardName, rootShard.Name)
+
+	// deploy front-proxy
+	utils.DeployFrontProxy(ctx, t, client, namespace.Name, rootShard.Name, externalHostname)
+
+	configSecretName := "kubeconfig"
+
+	rsConfig := operatorv1alpha1.Kubeconfig{}
+	rsConfig.Name = "test"
+	rsConfig.Namespace = namespace.Name
+
+	rsConfig.Spec = operatorv1alpha1.KubeconfigSpec{
+		Target: operatorv1alpha1.KubeconfigTarget{
+			RootShardRef: &corev1.LocalObjectReference{
+				Name: rootShard.Name,
+			},
+		},
+		Username: "e2e",
+		Validity: metav1.Duration{Duration: 2 * time.Hour},
+		SecretRef: corev1.LocalObjectReference{
+			Name: configSecretName,
+		},
+		Groups: []string{"system:kcp:admin"},
+	}
+
+	t.Log("Creating kubeconfig for RootShard…")
+	if err := client.Create(ctx, &rsConfig); err != nil {
+		t.Fatal(err)
+	}
+	utils.WaitForObject(t, ctx, client, &corev1.Secret{}, types.NamespacedName{Namespace: rsConfig.Namespace, Name: rsConfig.Spec.SecretRef.Name})
+
+	t.Log("Connecting to RootShard…")
+	rootShardClient := utils.ConnectWithKubeconfig(t, ctx, client, namespace.Name, rsConfig.Name)
+
+	// wait until the 2nd shard has registered itself successfully at the root shard
+	shardKey := types.NamespacedName{Name: shardName}
+	t.Log("Waiting for Shard to register itself on the RootShard…")
+	utils.WaitForObject(t, ctx, rootShardClient, &kcpcorev1alpha1.Shard{}, shardKey)
+
+	// create workspace that we want to have scheduled onto the 2nd shard
+	t.Log("Creating workspace with its logicalcluster on the 2nd Shard…")
+	workspace := &kcptenancyv1alpha1.Workspace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test",
+		},
+		Spec: kcptenancyv1alpha1.WorkspaceSpec{
+			Type: kcptenancyv1alpha1.WorkspaceTypeReference{
+				Name: "universal",
+			},
+			Location: &kcptenancyv1alpha1.WorkspaceLocation{
+				Selector: &metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"name": shardName,
+					},
+				},
+			},
+		},
+	}
+	if err := rootShardClient.Create(ctx, workspace); err != nil {
+		t.Fatalf("Failed to create workspace: %v", err)
+	}
+
+	err := wait.PollUntilContextTimeout(ctx, 500*time.Millisecond, 30*time.Second, false, func(ctx context.Context) (done bool, err error) {
+		err = rootShardClient.Get(ctx, ctrlruntimeclient.ObjectKeyFromObject(workspace), workspace)
+		if err != nil {
+			return false, err
+		}
+
+		return workspace.Status.Phase == kcpcorev1alpha1.LogicalClusterPhaseReady, nil
+	})
+	if err != nil {
+		t.Fatalf("Failed to wait for workspace to become ready: %v", err)
+	}
+
+	// build a client through the proxy to the new workspace
+	proxyClient := utils.ConnectWithRootShardProxy(t, ctx, client, &rootShard, logicalcluster.NewPath("root").Join(workspace.Name))
+	if err != nil {
+		t.Fatalf("Failed to create root shard proxy client: %v", err)
+	}
+
+	// proof of life: list something every logicalcluster in kcp has
+	t.Log("Should be able to list Secrets in the new workspace.")
+	secrets := &corev1.SecretList{}
+	if err := proxyClient.List(ctx, secrets); err != nil {
+		t.Fatalf("Failed to list secrets in workspace: %v", err)
+	}
+}
diff --git a/test/utils/deploy.go b/test/utils/deploy.go
@@ -159,6 +159,21 @@ func DeployRootShard(ctx context.Context, t *testing.T, client ctrlruntimeclient
 				},
 			},
 		}),
+		Proxy: &operatorv1alpha1.RootShardProxySpec{
+			CertificateTemplates: operatorv1alpha1.CertificateTemplateMap{
+				string(operatorv1alpha1.ServerCertificate): operatorv1alpha1.CertificateTemplate{
+					Spec: &operatorv1alpha1.CertificateSpecTemplate{
+						DNSNames: []string{"localhost"},
+					},
+				},
+			},
+		},
+	}
+
+	if tag := getKcpTag(); tag != "" {
+		rootShard.Spec.Proxy.Image = &operatorv1alpha1.ImageSpec{
+			Tag: tag,
+		}
 	}
 
 	for _, patch := range patches {
diff --git a/test/utils/utils.go b/test/utils/utils.go

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,7 @@ func (r RootShardReconciler) reconcile(ctx context.Context, rootShard operator`
`144`	`144`	`rootshard.VirtualWorkspacesCertificateReconciler(rootShard),`
`145`	`145`	`rootshard.LogicalClusterAdminCertificateReconciler(rootShard),`
`146`	`146`	`rootshard.ExternalLogicalClusterAdminCertificateReconciler(rootShard),`
	`147`	`+ rootshard.OperatorClientCertificateReconciler(rootShard),`
`147`	`148`	`}`
`148`	`149`
`149`	`150`	`// Intermediate CAs that we need to generate a certificate and an issuer for.`