TLS kuttl tests

tests/kuttl/common/assert_tls_certs.yaml

@@ -0,0 +1,29 @@
+#
+# Check for:
+#
+# - 2 tls cert secrets
+# - 1 tls ca bundle secrets
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-ovsdbserver-nb-svc
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-ovsdbserver-sb-svc
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-ovnnorthd-svc
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-ovncontroller-svc
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: combined-ca-bundle

tests/kuttl/common/tls_ca_bundle.yaml

@@ -0,0 +1,68 @@
+#
+# Internal CA created with:
+#
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+#   name: rootca-kuttl-internal
+#   namespace: openstack
+# spec:
+#   ca:
+#     secretName: rootca-kuttl-internal
+# ---
+# apiVersion: cert-manager.io/v1
+# kind: Certificate
+# metadata:
+#   name: rootca-kuttl-internal
+#   namespace: openstack
+# spec:
+#   commonName: rootca-kuttl-internal
+#   duration: 87600h0m0s
+#   isCA: true
+#   issuerRef:
+#     name: selfsigned-issuer
+#   privateKey:
+#     algorithm: ECDSA
+#     size: 256
+#   secretName: rootca-kuttl-internal
+#
+# External CA created with:
+#
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+#   name: rootca-kuttl-public
+#   namespace: openstack
+# spec:
+#   ca:
+#     secretName: rootca-kuttl-public
+# ---
+# apiVersion: cert-manager.io/v1
+# kind: Certificate
+# metadata:
+#   name: rootca-kuttl-public
+#   namespace: openstack
+# spec:
+#   commonName: rootca-kuttl-public
+#   duration: 87600h0m0s
+#   isCA: true
+#   issuerRef:
+#     name: selfsigned-issuer
+#   privateKey:
+#     algorithm: ECDSA
+#     size: 256
+#   secretName: rootca-kuttl-public
+#
+# Then extracted both CAs and created added them as the bundle:
+# oc get secret rootca-kuttl-internal -o jsonpath='{.data.ca\.crt}' | base64 -d >> tls_ca_bundle.pem
+# oc get secret rootca-kuttl-public -o jsonpath='{.data.ca\.crt}' | base64 -d >> tls_ca_bundle.pem
+# cat tls_ca_bundle.pem | base64 -w0
+apiVersion: v1
+data:
+  tls-ca-bundle.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnVENDQVNlZ0F3SUJBZ0lSQU5TYWxJeHdEclZ5TVBLS3RHK0lLbzB3Q2dZSUtvWkl6ajBFQXdJd0lERWUKTUJ3R0ExVUVBeE1WY205dmRHTmhMV3QxZEhSc0xXbHVkR1Z5Ym1Gc01CNFhEVEkwTURJeU1qRTBNRGcwTTFvWApEVE0wTURJeE9URTBNRGcwTTFvd0lERWVNQndHQTFVRUF4TVZjbTl2ZEdOaExXdDFkSFJzTFdsdWRHVnlibUZzCk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTQzd2xOK05BQzhYZnkzSk43S1VaSVMvMjE2OTIKNXpWdHVyYnlpNllmZ3hXbFFONGV4ZU5IcVpGT3ZRcUVoZUVVSFR5K2lpWEVpWDVGcytCeit1eUZWYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdLa01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZDRHJnYkhICjh4WmlKbnBKY2gzaEZyZEJLL3lKTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUNTY3A2QlE3eldQdnlobW9uK00KcTlvbk1PNlRYSVArczdtZjJGaXkvWkVsQWlFQXRxbkF3VE40UXRKQzIrMUZGVUNNd3dpSTZJTmM5blBDVHc1dgo5M1ZWR2ZNPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlCZlRDQ0FTT2dBd0lCQWdJUkFLUHZDdEJJblVocmhkQVVId25tb1BVd0NnWUlLb1pJemowRUF3SXdIakVjCk1Cb0dBMVVFQXhNVGNtOXZkR05oTFd0MWRIUnNMWEIxWW14cFl6QWVGdzB5TkRBeU1qSXhOREE0TkRsYUZ3MHoKTkRBeU1Ua3hOREE0TkRsYU1CNHhIREFhQmdOVkJBTVRFM0p2YjNSallTMXJkWFIwYkMxd2RXSnNhV013V1RBVApCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFUZEVDQVQ5dlMyOUtCVmxTWUpEQldOQWowcmhOOTBPL3czCkw4blZXUmxMWDQ1V0hQSjkwcm5heXkwdUFGSXV2SElJS2R6VUIvMEttak4rd3RhUml2SnlvMEl3UURBT0JnTlYKSFE4QkFmOEVCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWxVVGFnYWRuV00xawo2UjcwbjU0dlExV3ZMNjR3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQU56K2JvUExHMmJ6U09xa2M4UmI1ak9qCjZhZGUzZGJQL3RvVlY2MzBaZDh6QWlBcit3SkQyajVzY0E2cEJlOS8rbzhocTRpYVN0Ymx3NEU1U3B3TDUvYzQKWkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+kind: Secret
+metadata:
+  labels:
+    combined-ca-bundle: ""
+  name: combined-ca-bundle
+type: Opaque

tests/kuttl/tests/ovn_tls/00-assert.yaml

@@ -0,0 +1 @@
+../../common/assert_tls_certs.yaml

tests/kuttl/tests/ovn_tls/00-tls_ca_bundle.yaml

@@ -0,0 +1 @@
+../../common/tls_ca_bundle.yaml

tests/kuttl/tests/ovn_tls/00-tls_certs.yaml

@@ -0,0 +1 @@
+../../common/tls_certs.yaml

tests/kuttl/tests/ovn_tls/01-assert.yaml

@@ -0,0 +1,92 @@
+apiVersion: ovn.openstack.org/v1beta1
+kind: OVNNorthd
+metadata:
+  name: ovnnorthd-sample
+spec:
+  tls:
+    caBundleSecretName: combined-ca-bundle
+    secretName: cert-ovnnorthd-svc
+status:
+  readyCount: 1
+---
+apiVersion: ovn.openstack.org/v1beta1
+kind: OVNDBCluster
+metadata:
+  name: ovndbcluster-nb-sample
+spec:
+  tls:
+    caBundleSecretName: combined-ca-bundle
+    secretName: cert-ovsdbserver-nb-svc
+status:
+  readyCount: 1
+---
+apiVersion: ovn.openstack.org/v1beta1
+kind: OVNDBCluster
+metadata:
+  name: ovndbcluster-sb-sample
+spec:
+  tls:
+    caBundleSecretName: combined-ca-bundle
+    secretName: cert-ovsdbserver-sb-svc
+status:
+  readyCount: 1
+---
+apiVersion: ovn.openstack.org/v1beta1
+kind: OVNController
+metadata:
+  name: ovncontroller-sample
+spec:
+  tls:
+    caBundleSecretName: combined-ca-bundle
+    secretName: cert-ovncontroller-svc
+status:
+  conditions:
+  - message: Setup complete
+    reason: Ready
+    status: "True"
+    type: Ready
+  - message: Deployment completed
+    reason: Ready
+    status: "True"
+    type: DeploymentReady
+  - message: Input data complete
+    reason: Ready
+    status: "True"
+    type: InputReady
+  - message: NetworkAttachments completed
+    reason: Ready
+    status: "True"
+    type: NetworkAttachmentsReady
+  - message: RoleBinding created
+    reason: Ready
+    status: "True"
+    type: RoleBindingReady
+  - message: Role created
+    reason: Ready
+    status: "True"
+    type: RoleReady
+  - message: ServiceAccount created
+    reason: Ready
+    status: "True"
+    type: ServiceAccountReady
+  - message: Service config create completed
+    reason: Ready
+    status: "True"
+    type: ServiceConfigReady
+  - message: Input data complete
+    reason: Ready
+    status: "True"
+    type: TLSInputReady
+---
+# check the DB uri scheme is ssl
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: |
+      template='{{.status.internalDbAddress}}{{"\n"}}'
+      regex="ssl:.*"
+      dbUri=$(oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb-sample -o go-template="$template")
+      matches=$(echo "$dbUri" | sed -e "s?$regex??")
+      if [[ -n "$matches" ]]; then
+        exit 1
+      fi

tests/kuttl/tests/ovn_tls/01-deploy-ovn.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      cp ../../../../config/samples/ovn_* deploy/
+      oc kustomize deploy | oc apply -n $NAMESPACE -f -

tests/kuttl/tests/ovn_tls/02-cleanup.yaml

@@ -0,0 +1 @@
+../../common/cleanup-ovn.yaml

tests/kuttl/tests/ovn_tls/02-errors.yaml

@@ -0,0 +1 @@
+../../common/errors_cleanup_ovn.yaml

tests/kuttl/tests/ovn_tls/deploy/kustomization.yaml

@@ -0,0 +1,41 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ovn_v1beta1_ovnnorthd.yaml
+- ovn_v1beta1_ovndbcluster.yaml
+- ovn_v1beta1_ovncontroller.yaml
+patches:
+- patch: |-
+    - op: add
+      path: /spec/tls
+      value:
+        caBundleSecretName: combined-ca-bundle
+        secretName: cert-ovsdbserver-nb-svc
+  target:
+    kind: OVNDBCluster
+    name: ovndbcluster-nb-sample
+- patch: |-
+    - op: add
+      path: /spec/tls
+      value:
+        caBundleSecretName: combined-ca-bundle
+        secretName: cert-ovsdbserver-sb-svc
+  target:
+    kind: OVNDBCluster
+    name: ovndbcluster-sb-sample
+- patch: |-
+    - op: add
+      path: /spec/tls
+      value:
+        caBundleSecretName: combined-ca-bundle
+        secretName: cert-ovnnorthd-svc
+  target:
+    kind: OVNNorthd
+- patch: |-
+    - op: add
+      path: /spec/tls
+      value:
+        caBundleSecretName: combined-ca-bundle
+        secretName: cert-ovncontroller-svc
+  target:
+    kind: OVNController