Testing tool for cert-manager in Kubernetes.
The vision for this project is to be the standard open-source testing tool for cert-manager deployments adopted by the Kubernetes community.
Please go to Chaos Issuer Wiki for further information.
You’ll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster.
Note: Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster kubectl cluster-info
shows).
You will need the following command line tools installed on your PATH:
- Git
- Golang v1.17+
- Docker v17.03+
- Kind v0.9.0+
- Kubectl v1.11.3+
- Kubebuilder v2.3.1+
- Kustomize v3.8.1+
- lolcat
You may also want to read: the Kubebuilder Book and the cert-manager Concepts Documentation for further background information.
- Install Instances of Custom Resources:
kubectl apply -f config/samples/
- Build and push your image to the location specified by
IMG
:
make docker-build docker-push IMG=<some-registry>/venafi-test-wizard:tag
- Deploy the controller to the cluster with the image specified by
IMG
:
make deploy IMG=<some-registry>/venafi-test-wizard:tag
To delete the CRDs from the cluster:
make uninstall
UnDeploy the controller to the cluster:
make undeploy
This project aims to follow the Kubernetes Operator pattern
It uses Controllers which provides a reconcile function responsible for synchronizing resources untile the desired state is reached on the cluster
Note: We hold no intellectual property of cert-manager resources and are merely using a modified local version for manual testing of our testing wizard. Resources: Building cert-manager, Developing with Kind
- create a folder outside this github directory
mkdir cert-manager-local
cd cert-manager-local
- git clone cert-manager
git clone https://github.com/cert-manager/cert-manager.git
-
Make sure you have all dependencies installed which are git, curl, GNU make, jq, docker and go.
-
go inside cert-manager git repository you cloned.
cd cert-manager
- For modifying the certificate duration and renew before time:
- go inside cert-manager/internal/apis/certmanager/validation/certificate.go
- import "time" module in certificate.go
- replace the ValidateDuration function to the one given below.
- the function below changes the minimum cert duration of cert-manager to 4 minutes and mininum certificate renewal time to 2 minutes.
func ValidateDuration(crt *internalcmapi.CertificateSpec, fldPath *field.Path) field.ErrorList {
el := field.ErrorList{}
duration := util.DefaultCertDuration(crt.Duration)
MinimumCertificateDuration := time.Minute * 4
MinimumRenewBefore := time.Minute * 2
if duration < MinimumCertificateDuration { //was cmapi.MinimumCertificateDuration
el = append(el, field.Invalid(fldPath.Child("duration"), duration, fmt.Sprintf("certificate duration must be greater than %s", MinimumCertificateDuration))) // was cmapi.MinimumCertificateDuration
}
// If spec.renewBefore is set, check that it is not less than the minimum.
if crt.RenewBefore != nil && crt.RenewBefore.Duration < MinimumRenewBefore { //was cmapi.MinimumRenewBefore
el = append(el, field.Invalid(fldPath.Child("renewBefore"), crt.RenewBefore.Duration, fmt.Sprintf("certificate renewBefore must be greater than %s", MinimumRenewBefore))) // was cmapi.MinimumRenewBefore
}
// If spec.renewBefore is set, it must be less than the duration.
if crt.RenewBefore != nil && crt.RenewBefore.Duration >= duration {
el = append(el, field.Invalid(fldPath.Child("renewBefore"), crt.RenewBefore.Duration, fmt.Sprintf("certificate duration %s must be greater than renewBefore %s", duration, crt.RenewBefore.Duration)))
}
return el
}
- Run cert-manager using this command (our Chaos Issuer runs on K8S_VERSION=1.25). This command will deploy a kind cluster nameed kind and deploy cert-manager resources in it:
make K8S_VERSION=1.25 e2e-setup-kind e2e-setup-certmanager
Note: Running cert-manager locally takes 3-5 minutes to successfully deploy.
After configuring cert-manager, the environment folder containing cert-manager and our venafi-chaos-issuer repo should look like:
├── _Your Main Folder
│ ├── cert-manager repository
│ └── venafi-chaos-issuer repository
NOTE: Make sure you enable kubectl to port forward for ports 80 & 443 by (For more info: stackoverflow):
sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/kubectl (or /usr/local/bin/kubectl. Depends on where it is installed)
Incase of line ending problems if using on Mac or WSL2:
sed -i -e 's/\r$//' chaos_script.sh
- Run the script
.\chaos_script.sh
- Create the environment with the dependencies for chaos-testing:
chaos setup
- Deploy the chaos issuer:
chaos deploy issuer
- Deploy the certificate:
chaos deploy cert
- To see available certificates:
chaos show cert
- To delete the resources allocated:
chaos terminate
- Open a Terminal, and make sure your CRDs are compiled properly before installing them:
make generate manifests
go mod tidy
- Create a Cluster using Kind (our cluster name is sample-test):
kind create cluster --name sample-test
- Install Cert-Manager into the cluster:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
- Open a new Terminal, Install the CRDs into the cluster:
make deploy
- In this new Terminal, Run your controller (this will run in the foreground, so switch to the old terminal where you created the cluster if you want to leave it running):
make run
- In your older Terminal, create a namespace for our issuer and certificate (the name of our namespace is chaos here):
kubectl create namespace chaos
- Install Chaos Issuer using the yaml file provided in the /config/samples:
kubectl apply -f config/samples/self-signed-issuer_v1alpha1_chaosissuer.yaml
- Deploy a certificate to be signed by our self-signed Chaos Issuer using the yaml file provided in the /config/samples:
kubectl apply -f config/samples/certificate_chaosissuer.yaml
NOTE: You can also run this in one step by running: make install run
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
make manifests
NOTE: Run make --help
for more information on all potential make
targets
More information can be found via the Kubebuilder Documentation
check out EXTERNAL PULL REQUEST on how to submit a pull request to this project.
Copyright 2022 CMU-SV.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.