diff --git a/pki/helm_test.go b/pki/helm_test.go
new file mode 100644
index 00000000..703e6cb8
--- /dev/null
+++ b/pki/helm_test.go
@@ -0,0 +1,104 @@
+package pki
+
+import (
+ "bytes"
+ "os"
+ "testing"
+
+ "github.com/google/go-cmp/cmp"
+ "github.com/stretchr/testify/assert"
+
+ "github.com/smallstep/certificates/cas/apiv1"
+)
+
+func TestPKI_WriteHelmTemplate(t *testing.T) {
+ type fields struct {
+ casOptions apiv1.Options
+ pkiOptions []Option
+ }
+ tests := []struct {
+ name string
+ fields fields
+ testFile string
+ wantErr bool
+ }{
+ {
+ name: "ok/simple",
+ fields: fields{
+ pkiOptions: []Option{
+ WithHelm(),
+ },
+ casOptions: apiv1.Options{
+ Type: "softcas",
+ IsCreator: true,
+ },
+ },
+ testFile: "testdata/helm/simple.yml",
+ wantErr: false,
+ },
+ {
+ name: "ok/with-acme",
+ fields: fields{
+ pkiOptions: []Option{
+ WithHelm(),
+ WithACME(),
+ },
+ casOptions: apiv1.Options{
+ Type: "softcas",
+ IsCreator: true,
+ },
+ },
+ testFile: "testdata/helm/with-acme.yml",
+ wantErr: false,
+ },
+ {
+ name: "ok/with-admin",
+ fields: fields{
+ pkiOptions: []Option{
+ WithHelm(),
+ WithAdmin(),
+ },
+ casOptions: apiv1.Options{
+ Type: "softcas",
+ IsCreator: true,
+ },
+ },
+ testFile: "testdata/helm/with-admin.yml",
+ wantErr: false,
+ },
+ {
+ name: "ok/with-ssh",
+ fields: fields{
+ pkiOptions: []Option{
+ WithHelm(),
+ WithSSH(),
+ },
+ casOptions: apiv1.Options{
+ Type: "softcas",
+ IsCreator: true,
+ },
+ },
+ testFile: "testdata/helm/with-ssh.yml",
+ wantErr: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ o := tt.fields.casOptions
+ opts := tt.fields.pkiOptions
+ p, err := New(o, opts...)
+ assert.NoError(t, err)
+ w := &bytes.Buffer{}
+ if err := p.WriteHelmTemplate(w); (err != nil) != tt.wantErr {
+ t.Errorf("PKI.WriteHelmTemplate() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ wantBytes, err := os.ReadFile(tt.testFile)
+ assert.NoError(t, err)
+ if diff := cmp.Diff(wantBytes, w.Bytes()); diff != "" {
+ t.Logf("Generated Helm template did not match reference %q\n", tt.testFile)
+ t.Errorf("Diff follows:\n%s\n", diff)
+ }
+ })
+ }
+}
diff --git a/pki/testdata/helm/simple.yml b/pki/testdata/helm/simple.yml
new file mode 100644
index 00000000..1c3049c3
--- /dev/null
+++ b/pki/testdata/helm/simple.yml
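Review bot: `assert.NoError(t, err)` after `New(o, opts...)` does not stop the subtest, so a constructor failure leaves `p` nil and the following `p.WriteHelmTemplate(w)` panics instead of reporting the error; the same applies to the `os.ReadFile` check, which would then diff the output against an empty golden file. Use `require.NoError(t, err)` (or `t.Fatalf`) for both, and add `if tt.wantErr { return }` after the error branch so an expected error is not followed by a golden-file comparison. Every fixture in this diff leaves the `certificates` and `secrets` values blank, so the golden test pins only the config layout and would not catch a regression that rendered key material into the wrong section or in the clear — presumably that needs a fixture produced from a deterministic CA, or separate assertions on those fields. Note also that the fixtures lock in `ca-url: https://127.0.0.1` without the `:9000` that `address` carries; if that is deliberate (chart service on 443) a comment on the test case would help, otherwise the golden file freezes the mismatch.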
@@ -0,0 +1,66 @@
+# Helm template
+inject:
+ enabled: true
+ # Config contains the configuration files ca.json and defaults.json
+ config:
+ files:
+ ca.json:
+ root: /home/step/certs/root_ca.crt
+ federateRoots: []
+ crt: /home/step/certs/intermediate_ca.crt
+ key: /home/step/secrets/intermediate_ca_key
+ address: 127.0.0.1:9000
+ dnsNames:
+ - 127.0.0.1
+ logger:
+ format: json
+ db:
+ type: badgerv2
+ dataSource: /home/step/db
+ authority:
+ enableAdmin: false
+ provisioners:
+ tls:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ minVersion: 1.2
+ maxVersion: 1.3
+ renegotiation: false
+
+ defaults.json:
+ ca-url: https://127.0.0.1
+ ca-config: /home/step/config/ca.json
+ fingerprint:
+ root: /home/step/certs/root_ca.crt
+
+ # Certificates contains the root and intermediate certificate and
+ # optionally the SSH host and user public keys
+ certificates:
+ # intermediate_ca contains the text of the intermediate CA Certificate
+ intermediate_ca: |
+
+
+ # root_ca contains the text of the root CA Certificate
+ root_ca: |
+
+
+ # Secrets contains the root and intermediate keys and optionally the SSH
+ # private keys
+ secrets:
+ # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+ # This value must be base64 encoded.
+ ca_password:
+ provisioner_password:
+
+ x509:
+ # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+ intermediate_ca_key: |
+
+
+ # root_ca_key contains the contents of your encrypted root CA key
+ # Note that this value can be omitted without impacting the functionality of step-certificates
+ # If supplied, this should be encrypted using a unique password that is not used for encrypting
+ # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+ root_ca_key: |
+
diff --git a/pki/testdata/helm/with-acme.yml b/pki/testdata/helm/with-acme.yml
new file mode 100644
index 00000000..17ff6f81
--- /dev/null
+++ b/pki/testdata/helm/with-acme.yml
@@ -0,0 +1,67 @@
+# Helm template
+inject:
+ enabled: true
+ # Config contains the configuration files ca.json and defaults.json
+ config:
+ files:
+ ca.json:
+ root: /home/step/certs/root_ca.crt
+ federateRoots: []
+ crt: /home/step/certs/intermediate_ca.crt
+ key: /home/step/secrets/intermediate_ca_key
+ address: 127.0.0.1:9000
+ dnsNames:
+ - 127.0.0.1
+ logger:
+ format: json
+ db:
+ type: badgerv2
+ dataSource: /home/step/db
+ authority:
+ enableAdmin: false
+ provisioners:
+ - {"type":"ACME","name":"acme"}
+ tls:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ minVersion: 1.2
+ maxVersion: 1.3
+ renegotiation: false
+
+ defaults.json:
+ ca-url: https://127.0.0.1
+ ca-config: /home/step/config/ca.json
+ fingerprint:
+ root: /home/step/certs/root_ca.crt
+
+ # Certificates contains the root and intermediate certificate and
+ # optionally the SSH host and user public keys
+ certificates:
+ # intermediate_ca contains the text of the intermediate CA Certificate
+ intermediate_ca: |
+
+
+ # root_ca contains the text of the root CA Certificate
+ root_ca: |
+
+
+ # Secrets contains the root and intermediate keys and optionally the SSH
+ # private keys
+ secrets:
+ # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+ # This value must be base64 encoded.
+ ca_password:
+ provisioner_password:
+
+ x509:
+ # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+ intermediate_ca_key: |
+
+
+ # root_ca_key contains the contents of your encrypted root CA key
+ # Note that this value can be omitted without impacting the functionality of step-certificates
+ # If supplied, this should be encrypted using a unique password that is not used for encrypting
+ # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+ root_ca_key: |
+
diff --git a/pki/testdata/helm/with-admin.yml b/pki/testdata/helm/with-admin.yml
new file mode 100644
index 00000000..75fd1999
--- /dev/null
+++ b/pki/testdata/helm/with-admin.yml
@@ -0,0 +1,66 @@
+# Helm template
+inject:
+ enabled: true
+ # Config contains the configuration files ca.json and defaults.json
+ config:
+ files:
+ ca.json:
+ root: /home/step/certs/root_ca.crt
+ federateRoots: []
+ crt: /home/step/certs/intermediate_ca.crt
+ key: /home/step/secrets/intermediate_ca_key
+ address: 127.0.0.1:9000
+ dnsNames:
+ - 127.0.0.1
+ logger:
+ format: json
+ db:
+ type: badgerv2
+ dataSource: /home/step/db
+ authority:
+ enableAdmin: true
+ provisioners:
+ tls:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ minVersion: 1.2
+ maxVersion: 1.3
+ renegotiation: false
+
+ defaults.json:
+ ca-url: https://127.0.0.1
+ ca-config: /home/step/config/ca.json
+ fingerprint:
+ root: /home/step/certs/root_ca.crt
+
+ # Certificates contains the root and intermediate certificate and
+ # optionally the SSH host and user public keys
+ certificates:
+ # intermediate_ca contains the text of the intermediate CA Certificate
+ intermediate_ca: |
+
+
+ # root_ca contains the text of the root CA Certificate
+ root_ca: |
+
+
+ # Secrets contains the root and intermediate keys and optionally the SSH
+ # private keys
+ secrets:
+ # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+ # This value must be base64 encoded.
+ ca_password:
+ provisioner_password:
+
+ x509:
+ # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+ intermediate_ca_key: |
+
+
+ # root_ca_key contains the contents of your encrypted root CA key
+ # Note that this value can be omitted without impacting the functionality of step-certificates
+ # If supplied, this should be encrypted using a unique password that is not used for encrypting
+ # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+ root_ca_key: |
+
diff --git a/pki/testdata/helm/with-ssh.yml b/pki/testdata/helm/with-ssh.yml
new file mode 100644
index 00000000..b2ba96f6
--- /dev/null
+++ b/pki/testdata/helm/with-ssh.yml
@@ -0,0 +1,82 @@
+# Helm template
+inject:
+ enabled: true
+ # Config contains the configuration files ca.json and defaults.json
+ config:
+ files:
+ ca.json:
+ root: /home/step/certs/root_ca.crt
+ federateRoots: []
+ crt: /home/step/certs/intermediate_ca.crt
+ key: /home/step/secrets/intermediate_ca_key
+ ssh:
+ hostKey: /home/step/secrets/ssh_host_ca_key
+ userKey: /home/step/secrets/ssh_user_ca_key
+ address: 127.0.0.1:9000
+ dnsNames:
+ - 127.0.0.1
+ logger:
+ format: json
+ db:
+ type: badgerv2
+ dataSource: /home/step/db
+ authority:
+ enableAdmin: false
+ provisioners:
+ tls:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ minVersion: 1.2
+ maxVersion: 1.3
+ renegotiation: false
+
+ defaults.json:
+ ca-url: https://127.0.0.1
+ ca-config: /home/step/config/ca.json
+ fingerprint:
+ root: /home/step/certs/root_ca.crt
+
+ # Certificates contains the root and intermediate certificate and
+ # optionally the SSH host and user public keys
+ certificates:
+ # intermediate_ca contains the text of the intermediate CA Certificate
+ intermediate_ca: |
+
+
+ # root_ca contains the text of the root CA Certificate
+ root_ca: |
+
+ # ssh_host_ca contains the text of the public ssh key for the SSH root CA
+ ssh_host_ca:
+
+ # ssh_user_ca contains the text of the public ssh key for the SSH root CA
+ ssh_user_ca:
+
+ # Secrets contains the root and intermediate keys and optionally the SSH
+ # private keys
+ secrets:
+ # ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
+ # This value must be base64 encoded.
+ ca_password:
+ provisioner_password:
+
+ x509:
+ # intermediate_ca_key contains the contents of your encrypted intermediate CA key
+ intermediate_ca_key: |
+
+
+ # root_ca_key contains the contents of your encrypted root CA key
+ # Note that this value can be omitted without impacting the functionality of step-certificates
+ # If supplied, this should be encrypted using a unique password that is not used for encrypting
+ # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
+ root_ca_key: |
+
+ ssh:
+ # ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
+ host_ca_key: |
+
+
+ # ssh_user_ca_key contains the contents of your encrypted SSH User CA key
+ user_ca_key: |
+
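Review bot: The comment above `ssh_user_ca` in this fixture is a copy of the host-CA one ("public ssh key for the SSH root CA"), so the rendered values file labels both SSH public keys identically and gives an operator no cue which key is which. Since this file is a golden copy of `WriteHelmTemplate` output, the wording presumably comes from the template source outside this diff; that is where it should read `# ssh_user_ca contains the text of the public ssh key for the SSH user CA` (and the host one `... for the SSH host CA`), with the fixture regenerated afterwards. The `ssh_host_ca`/`ssh_user_ca` entries are also the only certificate values rendered without the `|` block marker that the X.509 entries use; if that asymmetry is intentional a short comment in the template would save the next reader a diff of the two.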