Merge pull request #866 from oracle/develop-REST-cert-chain-tests

Develop rest cert chain tests

Author: rjeberhard

integration-tests/src/test/java/oracle/kubernetes/operator/ITOperator.java

@@ -11,6 +11,7 @@
 import oracle.kubernetes.operator.utils.ExecCommand;
 import oracle.kubernetes.operator.utils.ExecResult;
 import oracle.kubernetes.operator.utils.Operator;
+import oracle.kubernetes.operator.utils.Operator.RESTCertType;
 import oracle.kubernetes.operator.utils.TestUtils;
 import org.junit.AfterClass;
 import org.junit.Assume;
@@ -34,6 +35,7 @@ public class ITOperator extends BaseTest {
   private static final String opForDelYamlFile1 = "operator_del1.yaml";
   private static final String opForDelYamlFile2 = "operator_del2.yaml";
   private static final String opForBackwardCompatibility = "operator_bc.yaml";
+  private static final String opForRESTCertChain = "operator_chain.yaml";
 
   // property file used to customize domain properties for domain inputs yaml
   private static String domain1YamlFile = "domain1.yaml";
@@ -61,6 +63,7 @@ public class ITOperator extends BaseTest {
   private static Operator operatorForDel2;
 
   private static Operator operatorForBackwardCompatibility;
+  private static Operator operatorForRESTCertChain;
 
   private static boolean QUICKTEST;
   private static boolean SMOKETEST;
@@ -403,7 +406,7 @@ public void test8CreateDomainOnExistingDir() throws Exception {
    *
    * @throws Exception
    */
-  // @Test
+  // //@DisabledTest
   public void testACreateDomainApacheLB() throws Exception {
     Assume.assumeFalse(QUICKTEST);
 
@@ -598,13 +601,35 @@ public void testRESTIdentityBackwardCompatibility() throws Exception {
     logTestBegin("testRESTIdentityBackwardCompatibility");
     logger.info("Checking if operatorForBackwardCompatibility is running, if not creating");
     if (operatorForBackwardCompatibility == null) {
-      operatorForBackwardCompatibility = TestUtils.createOperator(opForBackwardCompatibility, true);
+      operatorForBackwardCompatibility =
+          TestUtils.createOperator(opForBackwardCompatibility, RESTCertType.LEGACY);
     }
+    operatorForBackwardCompatibility.verifyOperatorExternalRESTEndpoint();
     logger.info("Operator using legacy REST identity created successfully");
     operatorForBackwardCompatibility.destroy();
     logger.info("SUCCESS - testRESTIdentityBackwardCompatibility");
   }
 
+  /**
+   * Create operator and enable external rest endpoint using a certificate chain. This test uses the
+   * operator backward compatibility operator because that operator is destroyed.
+   *
+   * @throws Exception
+   */
+  @Test
+  public void testOperatorRESTUsingCertificateChain() throws Exception {
+    Assume.assumeFalse(QUICKTEST);
+
+    logTestBegin("testOperatorRESTUsingCertificateChain");
+    logger.info("Checking if operatorForBackwardCompatibility is running, if not creating");
+    if (operatorForRESTCertChain == null) {
+      operatorForRESTCertChain = TestUtils.createOperator(opForRESTCertChain, RESTCertType.CHAIN);
+    }
+    operatorForRESTCertChain.verifyOperatorExternalRESTEndpoint();
+    logger.info("Operator using legacy REST identity created successfully");
+    logger.info("SUCCESS - testOperatorRESTUsingCertificateChain");
+  }
+
   /**
    * Create Operator and create domain with some junk value for t3 channel public address and using
    * custom situational config override replace with valid public address using secret Verify the

integration-tests/src/test/java/oracle/kubernetes/operator/utils/Operator.java

@@ -17,6 +17,16 @@
 /** Operator class with all the utility methods for Operator. */
 public class Operator {
 
+  public static enum RESTCertType {
+    /*self-signed certificate and public key stored in a kubernetes tls secret*/
+    SELF_SIGNED,
+    /*Certificate signed by an auto-created CA signed by an auto-created root certificate,
+     * both and stored in a kubernetes tls secret*/
+    CHAIN,
+    /*Certificate and public key, and stored in a kubernetes tls secret*/
+    LEGACY
+  };
+
   public static final String CREATE_OPERATOR_SCRIPT_MESSAGE =
       "The Oracle WebLogic Server Kubernetes Operator is deployed";
 
@@ -36,6 +46,7 @@ public class Operator {
 
   private static int maxIterationsOp = BaseTest.getMaxIterationsPod(); // 50 * 5 = 250 seconds
   private static int waitTimeOp = BaseTest.getWaitTimePod();
+  private static RESTCertType restCertType = RESTCertType.SELF_SIGNED;
 
   /**
    * Takes operator input properties which needs to be customized and generates a operator input
@@ -44,9 +55,10 @@ public class Operator {
    * @param inputYaml
    * @throws Exception
    */
-  public Operator(String inputYaml, boolean useLegacyRESTIdentity) throws Exception {
+  public Operator(String inputYaml, RESTCertType restCertType) throws Exception {
+    this.restCertType = restCertType;
     initialize(inputYaml);
-    generateInputYaml(useLegacyRESTIdentity);
+    generateInputYaml();
     callHelmInstall();
   }
 
@@ -195,8 +207,7 @@ public void scale(String domainUid, String clusterName, int numOfMS) throws Exce
             .append(clusterName)
             .append("/scale");
 
-    TestUtils.makeOperatorPostRestCall(
-        operatorNS, myOpRestApiUrl.toString(), myJsonObjStr, userProjectsDir);
+    TestUtils.makeOperatorPostRestCall(this, myOpRestApiUrl.toString(), myJsonObjStr);
     // give sometime to complete
     logger.info("Wait 30 sec for scaling to complete...");
     Thread.sleep(30 * 1000);
@@ -217,7 +228,23 @@ public void verifyDomainExists(String domainUid) throws Exception {
             .append(externalRestHttpsPort)
             .append("/operator/latest/domains/")
             .append(domainUid);
-    TestUtils.makeOperatorGetRestCall(operatorNS, myOpRestApiUrl.toString(), userProjectsDir);
+    TestUtils.makeOperatorGetRestCall(this, myOpRestApiUrl.toString());
+  }
+
+  /**
+   * Verify the Operator's REST Api is working fine over TLS
+   *
+   * @throws Exception
+   */
+  public void verifyOperatorExternalRESTEndpoint() throws Exception {
+    // Operator REST external API URL to scale
+    StringBuffer myOpRestApiUrl =
+        new StringBuffer("https://")
+            .append(TestUtils.getHostName())
+            .append(":")
+            .append(externalRestHttpsPort)
+            .append("/operator/");
+    TestUtils.makeOperatorGetRestCall(this, myOpRestApiUrl.toString());
   }
 
   public Map<String, Object> getOperatorMap() {
@@ -258,23 +285,28 @@ private String getExecFailure(String cmd, ExecResult result) throws Exception {
   }
 
   private void generateInputYaml() throws Exception {
-    generateInputYaml(false);
-  }
-
-  private void generateInputYaml(boolean useLegacyRESTIdentity) throws Exception {
     Path parentDir =
         Files.createDirectories(Paths.get(userProjectsDir + "/weblogic-operators/" + operatorNS));
     generatedInputYamlFile = parentDir + "/weblogic-operator-values.yaml";
     TestUtils.createInputFile(operatorMap, generatedInputYamlFile);
     StringBuilder sb = new StringBuilder(200);
     sb.append(BaseTest.getProjectRoot());
-    if (useLegacyRESTIdentity) {
-      sb.append(
-          "/integration-tests/src/test/resources/scripts/legacy-generate-external-rest-identity.sh ");
-    } else {
-      sb.append("/kubernetes/samples/scripts/rest/generate-external-rest-identity.sh ");
-      sb.append(" -n ");
-      sb.append(operatorNS);
+    switch (restCertType) {
+      case LEGACY:
+        sb.append(
+            "/integration-tests/src/test/resources/scripts/legacy-generate-external-rest-identity.sh ");
+        break;
+      case CHAIN:
+        sb.append(
+            "/integration-tests/src/test/resources/scripts/generate-external-rest-identity-chain.sh ");
+        sb.append(" -n ");
+        sb.append(operatorNS);
+        break;
+      case SELF_SIGNED:
+        sb.append("/kubernetes/samples/scripts/rest/generate-external-rest-identity.sh ");
+        sb.append(" -n ");
+        sb.append(operatorNS);
+        break;
     }
     sb.append(" DNS:");
     sb.append(TestUtils.getHostName());
@@ -395,4 +427,16 @@ private void initialize(String yamlFile) throws Exception {
           operatorNS);
     }
   }
+
+  public String getOperatorNamespace() {
+    return operatorNS;
+  }
+
+  public String getUserProjectsDir() {
+    return userProjectsDir;
+  }
+
+  public RESTCertType getRestCertType() {
+    return restCertType;
+  }
 }

integration-tests/src/test/java/oracle/kubernetes/operator/utils/PEMImporter.java

@@ -14,6 +14,7 @@
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
+import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -34,12 +35,11 @@ public class PEMImporter {
    * @param certificatePem the certificate(s) PEM file
    * @param the password to set to protect the private key
    */
-  public static KeyStore createKeyStore(
-      File privateKeyPem, File certificatePem, final String password)
+  public static KeyStore createKeyStore(File certificatePem, final String password)
       throws Exception, KeyStoreException, IOException, NoSuchAlgorithmException,
           CertificateException {
     // Import certificate pem file
-    final X509Certificate[] cert = createCertificates(certificatePem);
+    final X509Certificate[] certChain = createCertificates(certificatePem);
 
     // Create a Keystore obj if the type "JKS"
     final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
@@ -48,10 +48,13 @@ public static KeyStore createKeyStore(
     keystore.load(null);
 
     // Import private key
-    final PrivateKey key = createPrivateKey(privateKeyPem);
+    //    final PrivateKey key = createPrivateKey(privateKeyPem);
 
     // Load cert and key files into the Keystore obj and create it
-    keystore.setKeyEntry(privateKeyPem.getName(), key, password.toCharArray(), cert);
+    //    keystore.setKeyEntry(privateKeyPem.getName(), key, password.toCharArray(), cert);
+    for (Certificate cert : certChain) {
+      keystore.setCertificateEntry("operator", cert);
+    }
 
     return keystore;
   }