e2e: ensure registry addon CA exists and matches the root CA

Author: dkoshkin

test/e2e/quick_start_test.go

@@ -295,7 +295,6 @@ var _ = Describe("Quick start", func() {
 														),
 													},
 												)
-
 												WaitForCoreDNSToBeReadyInWorkloadCluster(
 													ctx,
 													WaitForCoreDNSToBeReadyInWorkloadClusterInput{
@@ -307,6 +306,15 @@ var _ = Describe("Quick start", func() {
 														),
 													},
 												)
+
+												EnsureClusterCAForRegistryAddon(
+													ctx,
+													EnsureClusterCAForRegistryAddonInput{
+														Registry:        addonsConfig.Registry,
+														WorkloadCluster: workloadCluster,
+														ClusterProxy:    proxy,
+													},
+												)
 											},
 										}
 									})

test/e2e/registry.go

@@ -8,12 +8,16 @@ package e2e
 import (
 	"context"
 
+	. "github.com/onsi/gomega"
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/test/framework"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	handlersutils "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/utils"
 )
 
 type WaitForRegistryAddonToBeReadyInWorkloadClusterInput struct {
@@ -56,3 +60,44 @@ func WaitForRegistryAddonToBeReadyInWorkloadCluster(
 		},
 	}, input.StatefulSetIntervals...)
 }
+
+type EnsureClusterCAForRegistryAddonInput struct {
+	Registry        *v1alpha1.RegistryAddon
+	WorkloadCluster *clusterv1.Cluster
+	ClusterProxy    framework.ClusterProxy
+}
+
+// EnsureClusterCAForRegistryAddon verifies that the cluster CA data exists and matches the root CA.
+func EnsureClusterCAForRegistryAddon(
+	ctx context.Context,
+	input EnsureClusterCAForRegistryAddonInput, //nolint:gocritic // This hugeParam is OK in tests.
+) {
+	if input.Registry == nil {
+		return
+	}
+
+	cl := input.ClusterProxy.GetClient()
+
+	rootCASecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      handlersutils.RegistryAddonRootCASecretName,
+			Namespace: corev1.NamespaceDefault,
+		},
+	}
+	err := cl.Get(ctx, ctrlclient.ObjectKeyFromObject(rootCASecret), rootCASecret)
+	Expect(err).NotTo(HaveOccurred())
+	Expect(rootCASecret.Data).ToNot(BeEmpty())
+
+	clusterCASecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      handlersutils.SecretNameForRegistryAddonCA(input.WorkloadCluster),
+			Namespace: input.WorkloadCluster.Namespace,
+		},
+	}
+	err = cl.Get(ctx, ctrlclient.ObjectKeyFromObject(clusterCASecret), clusterCASecret)
+	Expect(err).NotTo(HaveOccurred())
+	Expect(clusterCASecret.Data).ToNot(BeEmpty())
+
+	const caCrtKey = "ca.crt"
+	Expect(rootCASecret.Data[caCrtKey]).To(Equal(rootCASecret.Data[caCrtKey]))
+}

test/e2e/self_hosted_test.go

@@ -168,6 +168,15 @@ var _ = Describe("Self-hosted", Serial, func() {
 															),
 														},
 													)
+
+													EnsureClusterCAForRegistryAddon(
+														ctx,
+														EnsureClusterCAForRegistryAddonInput{
+															Registry:        addonsConfig.Registry,
+															WorkloadCluster: workloadCluster,
+															ClusterProxy:    proxy,
+														},
+													)
 												},
 											}
 										},