Add tests for writing the Helm template

pki/helm_test.go

@@ -0,0 +1,104 @@
+package pki
+
+import (
+	"bytes"
+	"os"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/smallstep/certificates/cas/apiv1"
+)
+
+func TestPKI_WriteHelmTemplate(t *testing.T) {
+	type fields struct {
+		casOptions apiv1.Options
+		pkiOptions []Option
+	}
+	tests := []struct {
+		name     string
+		fields   fields
+		testFile string
+		wantErr  bool
+	}{
+		{
+			name: "ok/simple",
+			fields: fields{
+				pkiOptions: []Option{
+					WithHelm(),
+				},
+				casOptions: apiv1.Options{
+					Type:      "softcas",
+					IsCreator: true,
+				},
+			},
+			testFile: "testdata/helm/simple.yml",
+			wantErr:  false,
+		},
+		{
+			name: "ok/with-acme",
+			fields: fields{
+				pkiOptions: []Option{
+					WithHelm(),
+					WithACME(),
+				},
+				casOptions: apiv1.Options{
+					Type:      "softcas",
+					IsCreator: true,
+				},
+			},
+			testFile: "testdata/helm/with-acme.yml",
+			wantErr:  false,
+		},
+		{
+			name: "ok/with-admin",
+			fields: fields{
+				pkiOptions: []Option{
+					WithHelm(),
+					WithAdmin(),
+				},
+				casOptions: apiv1.Options{
+					Type:      "softcas",
+					IsCreator: true,
+				},
+			},
+			testFile: "testdata/helm/with-admin.yml",
+			wantErr:  false,
+		},
+		{
+			name: "ok/with-ssh",
+			fields: fields{
+				pkiOptions: []Option{
+					WithHelm(),
+					WithSSH(),
+				},
+				casOptions: apiv1.Options{
+					Type:      "softcas",
+					IsCreator: true,
+				},
+			},
+			testFile: "testdata/helm/with-ssh.yml",
+			wantErr:  false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := tt.fields.casOptions
+			opts := tt.fields.pkiOptions
+			p, err := New(o, opts...)
+			assert.NoError(t, err)
+			w := &bytes.Buffer{}
+			if err := p.WriteHelmTemplate(w); (err != nil) != tt.wantErr {
+				t.Errorf("PKI.WriteHelmTemplate() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			wantBytes, err := os.ReadFile(tt.testFile)
+			assert.NoError(t, err)
+			if diff := cmp.Diff(wantBytes, w.Bytes()); diff != "" {
+				t.Logf("Generated Helm template did not match reference %q\n", tt.testFile)
+				t.Errorf("Diff follows:\n%s\n", diff)
+			}
+		})
+	}
+}

pki/testdata/helm/simple.yml

@@ -0,0 +1,66 @@
+# Helm template
+inject:
+  enabled: true
+  # Config contains the configuration files ca.json and defaults.json
+  config:
+    files:
+      ca.json:
+        root: /home/step/certs/root_ca.crt
+        federateRoots: []
+        crt: /home/step/certs/intermediate_ca.crt
+        key: /home/step/secrets/intermediate_ca_key
+        address: 127.0.0.1:9000
+        dnsNames:
+          - 127.0.0.1
+        logger:
+          format: json
+        db:
+          type: badgerv2
+          dataSource: /home/step/db
+        authority:
+          enableAdmin: false
+          provisioners:
+        tls:
+          cipherSuites:
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          minVersion: 1.2
+          maxVersion: 1.3
+          renegotiation: false
+
+      defaults.json:
+        ca-url: https://127.0.0.1
+        ca-config: /home/step/config/ca.json
+        fingerprint: 
+        root: /home/step/certs/root_ca.crt
+
+  # Certificates contains the root and intermediate certificate and 
+  # optionally the SSH host and user public keys
+  certificates:
+    # intermediate_ca contains the text of the intermediate CA Certificate
+    intermediate_ca: |
+      
+      
+    # root_ca contains the text of the root CA Certificate
+    root_ca: |
+      
+
+  # Secrets contains the root and intermediate keys and optionally the SSH
+  # private keys
+  secrets:
+    # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+    # This value must be base64 encoded.
+    ca_password: 
+    provisioner_password: 
+
+    x509:
+      # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+      intermediate_ca_key: |
+        
+
+      # root_ca_key contains the contents of your encrypted root CA key
+      # Note that this value can be omitted without impacting the functionality of step-certificates
+      # If supplied, this should be encrypted using a unique password that is not used for encrypting
+      # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+      root_ca_key: |
+        

pki/testdata/helm/with-acme.yml

@@ -0,0 +1,67 @@
+# Helm template
+inject:
+  enabled: true
+  # Config contains the configuration files ca.json and defaults.json
+  config:
+    files:
+      ca.json:
+        root: /home/step/certs/root_ca.crt
+        federateRoots: []
+        crt: /home/step/certs/intermediate_ca.crt
+        key: /home/step/secrets/intermediate_ca_key
+        address: 127.0.0.1:9000
+        dnsNames:
+          - 127.0.0.1
+        logger:
+          format: json
+        db:
+          type: badgerv2
+          dataSource: /home/step/db
+        authority:
+          enableAdmin: false
+          provisioners:
+            - {"type":"ACME","name":"acme"}
+        tls:
+          cipherSuites:
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          minVersion: 1.2
+          maxVersion: 1.3
+          renegotiation: false
+
+      defaults.json:
+        ca-url: https://127.0.0.1
+        ca-config: /home/step/config/ca.json
+        fingerprint: 
+        root: /home/step/certs/root_ca.crt
+
+  # Certificates contains the root and intermediate certificate and 
+  # optionally the SSH host and user public keys
+  certificates:
+    # intermediate_ca contains the text of the intermediate CA Certificate
+    intermediate_ca: |
+      
+      
+    # root_ca contains the text of the root CA Certificate
+    root_ca: |
+      
+
+  # Secrets contains the root and intermediate keys and optionally the SSH
+  # private keys
+  secrets:
+    # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+    # This value must be base64 encoded.
+    ca_password: 
+    provisioner_password: 
+
+    x509:
+      # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+      intermediate_ca_key: |
+        
+
+      # root_ca_key contains the contents of your encrypted root CA key
+      # Note that this value can be omitted without impacting the functionality of step-certificates
+      # If supplied, this should be encrypted using a unique password that is not used for encrypting
+      # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+      root_ca_key: |
+        

pki/testdata/helm/with-admin.yml

@@ -0,0 +1,66 @@
+# Helm template
+inject:
+  enabled: true
+  # Config contains the configuration files ca.json and defaults.json
+  config:
+    files:
+      ca.json:
+        root: /home/step/certs/root_ca.crt
+        federateRoots: []
+        crt: /home/step/certs/intermediate_ca.crt
+        key: /home/step/secrets/intermediate_ca_key
+        address: 127.0.0.1:9000
+        dnsNames:
+          - 127.0.0.1
+        logger:
+          format: json
+        db:
+          type: badgerv2
+          dataSource: /home/step/db
+        authority:
+          enableAdmin: true
+          provisioners:
+        tls:
+          cipherSuites:
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          minVersion: 1.2
+          maxVersion: 1.3
+          renegotiation: false
+
+      defaults.json:
+        ca-url: https://127.0.0.1
+        ca-config: /home/step/config/ca.json
+        fingerprint: 
+        root: /home/step/certs/root_ca.crt
+
+  # Certificates contains the root and intermediate certificate and 
+  # optionally the SSH host and user public keys
+  certificates:
+    # intermediate_ca contains the text of the intermediate CA Certificate
+    intermediate_ca: |
+      
+      
+    # root_ca contains the text of the root CA Certificate
+    root_ca: |
+      
+
+  # Secrets contains the root and intermediate keys and optionally the SSH
+  # private keys
+  secrets:
+    # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+    # This value must be base64 encoded.
+    ca_password: 
+    provisioner_password: 
+
+    x509:
+      # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+      intermediate_ca_key: |
+        
+
+      # root_ca_key contains the contents of your encrypted root CA key
+      # Note that this value can be omitted without impacting the functionality of step-certificates
+      # If supplied, this should be encrypted using a unique password that is not used for encrypting
+      # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+      root_ca_key: |
+        

pki/testdata/helm/with-ssh.yml

@@ -0,0 +1,82 @@
+# Helm template
+inject:
+  enabled: true
+  # Config contains the configuration files ca.json and defaults.json
+  config:
+    files:
+      ca.json:
+        root: /home/step/certs/root_ca.crt
+        federateRoots: []
+        crt: /home/step/certs/intermediate_ca.crt
+        key: /home/step/secrets/intermediate_ca_key
+        ssh:
+          hostKey: /home/step/secrets/ssh_host_ca_key
+          userKey: /home/step/secrets/ssh_user_ca_key
+        address: 127.0.0.1:9000
+        dnsNames:
+          - 127.0.0.1
+        logger:
+          format: json
+        db:
+          type: badgerv2
+          dataSource: /home/step/db
+        authority:
+          enableAdmin: false
+          provisioners:
+        tls:
+          cipherSuites:
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          minVersion: 1.2
+          maxVersion: 1.3
+          renegotiation: false
+
+      defaults.json:
+        ca-url: https://127.0.0.1
+        ca-config: /home/step/config/ca.json
+        fingerprint: 
+        root: /home/step/certs/root_ca.crt
+
+  # Certificates contains the root and intermediate certificate and 
+  # optionally the SSH host and user public keys
+  certificates:
+    # intermediate_ca contains the text of the intermediate CA Certificate
+    intermediate_ca: |
+      
+      
+    # root_ca contains the text of the root CA Certificate
+    root_ca: |
+      
+    # ssh_host_ca contains the text of the public ssh key for the SSH root CA
+    ssh_host_ca: 
+
+    # ssh_user_ca contains the text of the public ssh key for the SSH root CA
+    ssh_user_ca: 
+
+  # Secrets contains the root and intermediate keys and optionally the SSH
+  # private keys
+  secrets:
+    # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+    # This value must be base64 encoded.
+    ca_password: 
+    provisioner_password: 
+
+    x509:
+      # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+      intermediate_ca_key: |
+        
+
+      # root_ca_key contains the contents of your encrypted root CA key
+      # Note that this value can be omitted without impacting the functionality of step-certificates
+      # If supplied, this should be encrypted using a unique password that is not used for encrypting
+      # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+      root_ca_key: |
+        
+    ssh:
+      # ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
+      host_ca_key: |
+        
+
+      # ssh_user_ca_key contains the contents of your encrypted SSH User CA key
+      user_ca_key: |
+