...

Source file src/k8s.io/kubernetes/test/e2e/lifecycle/bootstrap/bootstrap_signer.go

Documentation: k8s.io/kubernetes/test/e2e/lifecycle/bootstrap

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package bootstrap
    18  
    19  import (
    20  	"context"
    21  
    22  	"github.com/onsi/ginkgo/v2"
    23  
    24  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    25  	clientset "k8s.io/client-go/kubernetes"
    26  	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
    27  	"k8s.io/kubernetes/test/e2e/feature"
    28  	"k8s.io/kubernetes/test/e2e/framework"
    29  	"k8s.io/kubernetes/test/e2e/lifecycle"
    30  	admissionapi "k8s.io/pod-security-admission/api"
    31  )
    32  
// TokenIDBytes is the size, in bytes, of the array from which a tokenID is
// generated.
// NOTE(review): presumably hex-encoded into the 6-character bootstrap token
// ID; confirm against GenerateTokenID.
const TokenIDBytes = 3

// TokenSecretBytes is the size, in bytes, of the array from which a
// tokenSecret is generated.
// NOTE(review): the specs in this file pass the literal "tokenSecret" to
// newTokenSecret instead of a generated value; confirm where this constant is
// actually consumed.
const TokenSecretBytes = 8
    40  
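// Bootstrap-signer e2e specs. Each spec creates a bootstrap token Secret in
// metav1.NamespaceSystem and then waits, through the WaitFor* helpers defined
// elsewhere in this package, for the cluster-info ConfigMap in
// metav1.NamespacePublic to reflect it.
//
// Every spec records the Secret it created in secretNeedClean so that the
// AfterEach hook deletes it even when an assertion fails part-way. A bootstrap
// token Secret that outlives the run is a leftover credential object in the
// system namespace, so no spec should exit without either deleting it or
// registering it for cleanup.
var _ = lifecycle.SIGDescribe(feature.BootstrapTokens, func() {

	var c clientset.Interface

	f := framework.NewDefaultFramework("bootstrap-signer")
	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged

	// Delete whichever token Secret the finished spec registered, then reset the
	// marker so the next spec starts clean.
	ginkgo.AfterEach(func(ctx context.Context) {
		if len(secretNeedClean) > 0 {
			ginkgo.By("delete the bootstrap token secret")
			err := c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(ctx, secretNeedClean, metav1.DeleteOptions{})
			framework.ExpectNoError(err)
			secretNeedClean = ""
		}
	})
	ginkgo.BeforeEach(func() {
		c = f.ClientSet
	})

	ginkgo.It("should sign the new added bootstrap tokens", func(ctx context.Context) {
		ginkgo.By("create a new bootstrap token secret")
		tokenID, err := GenerateTokenID()
		framework.ExpectNoError(err)
		secret := newTokenSecret(tokenID, "tokenSecret")
		_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(ctx, secret, metav1.CreateOptions{})
		// Recorded before the Create error is checked, so AfterEach attempts the
		// delete even when Create returned an error.
		secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenID

		framework.ExpectNoError(err)

		ginkgo.By("wait for the bootstrap token secret be signed")
		err = WaitforSignedClusterInfoByBootStrapToken(c, tokenID)
		framework.ExpectNoError(err)
	})

	f.It("should resign the bootstrap tokens when the clusterInfo ConfigMap updated", f.WithSerial(), f.WithDisruptive(), func(ctx context.Context) {
		ginkgo.By("create a new bootstrap token secret")
		tokenID, err := GenerateTokenID()
		framework.ExpectNoError(err)
		secret := newTokenSecret(tokenID, "tokenSecret")
		_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(ctx, secret, metav1.CreateOptions{})
		framework.ExpectNoError(err)
		secretNeedClean = bootstrapapi.BootstrapTokenSecretPrefix + tokenID

		ginkgo.By("wait for the bootstrap token secret be signed")
		err = WaitforSignedClusterInfoByBootStrapToken(c, tokenID)
		framework.ExpectNoError(err)

		// Capture the current signature so the wait below can detect that it was
		// replaced after the kubeconfig payload changes.
		cfgMap, err := f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(ctx, bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
		framework.ExpectNoError(err)
		signedToken, ok := cfgMap.Data[bootstrapapi.JWSSignatureKeyPrefix+tokenID]
		if !ok {
			framework.Failf("expected signed token with key %q not found in %+v", bootstrapapi.JWSSignatureKeyPrefix+tokenID, cfgMap.Data)
		}

		ginkgo.By("update the cluster-info ConfigMap")
		// This overwrites the shared kubeconfig entry of the cluster-info ConfigMap
		// with random data, which is why the spec is marked serial and disruptive;
		// the deferred block below puts the saved value back.
		originalData := cfgMap.Data[bootstrapapi.KubeConfigKey]
		updatedKubeConfig, err := randBytes(20)
		framework.ExpectNoError(err)
		cfgMap.Data[bootstrapapi.KubeConfigKey] = updatedKubeConfig
		_, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Update(ctx, cfgMap, metav1.UpdateOptions{})
		framework.ExpectNoError(err)
		defer func() {
			// NOTE(review): the restore reuses the spec's ctx. If that context has
			// already been cancelled (spec timeout or interrupt), the Get below
			// fails and the ConfigMap keeps the random payload; confirm whether
			// a cleanup-scoped context is needed here.
			// NOTE(review): neither Update in this spec retries on a write
			// conflict; verify that nothing else writes this ConfigMap between
			// the Get and the Update.
			ginkgo.By("update back the cluster-info ConfigMap")
			cfgMap, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Get(ctx, bootstrapapi.ConfigMapClusterInfo, metav1.GetOptions{})
			framework.ExpectNoError(err)
			cfgMap.Data[bootstrapapi.KubeConfigKey] = originalData
			_, err = f.ClientSet.CoreV1().ConfigMaps(metav1.NamespacePublic).Update(ctx, cfgMap, metav1.UpdateOptions{})
			framework.ExpectNoError(err)
		}()

		ginkgo.By("wait for signed bootstrap token updated")
		err = WaitForSignedClusterInfoGetUpdatedByBootstrapToken(c, tokenID, signedToken)
		framework.ExpectNoError(err)
	})

	ginkgo.It("should delete the signed bootstrap tokens from clusterInfo ConfigMap when bootstrap token is deleted", func(ctx context.Context) {
		ginkgo.By("create a new bootstrap token secret")
		tokenID, err := GenerateTokenID()
		framework.ExpectNoError(err)
		secret := newTokenSecret(tokenID, "tokenSecret")
		_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Create(ctx, secret, metav1.CreateOptions{})
		framework.ExpectNoError(err)
		// Register the Secret for AfterEach, as the other specs do, so a failure
		// while waiting for the signature does not leave the token Secret behind.
		secretName := bootstrapapi.BootstrapTokenSecretPrefix + tokenID
		secretNeedClean = secretName

		ginkgo.By("wait for the bootstrap secret be signed")
		err = WaitforSignedClusterInfoByBootStrapToken(c, tokenID)
		framework.ExpectNoError(err)

		ginkgo.By("delete the bootstrap token secret")
		err = c.CoreV1().Secrets(metav1.NamespaceSystem).Delete(ctx, secretName, metav1.DeleteOptions{})
		framework.ExpectNoError(err)
		// The Secret is gone; clear the marker so AfterEach does not issue a
		// second Delete that would fail because the object no longer exists.
		secretNeedClean = ""

		ginkgo.By("wait for the bootstrap token removed from cluster-info ConfigMap")
		err = WaitForSignedClusterInfoByBootstrapTokenToDisappear(c, tokenID)
		framework.ExpectNoError(err)
	})
})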
   136  
