diff options
| author | Tiger <twatson@gitlab.com> | 2019-02-07 15:56:08 +1100 |
|---|---|---|
| committer | Tiger <twatson@gitlab.com> | 2019-02-08 10:05:05 +1100 |
| commit | 73e5d3a2693d0469fdad925c398b6c464803c4b3 (patch) | |
| tree | 16c20ef1d87b437e5a62ef041cb02772e489942b | |
| parent | 2cea4fd067e2b78600b93202e0e71b58bccbe3d1 (diff) | |
| download | gitlab-ce-55447-validate-k8s-ca-cert.tar.gz | |
Validate kubernetes cluster CA certificate55447-validate-k8s-ca-cert
No certificate is still accepted, but if one is provided it must
be valid. Only run validation if the certificate has changed to
avoid making existing records invalid.
| -rw-r--r-- | app/models/clusters/platforms/kubernetes.rb | 1 | ||||
| -rw-r--r-- | changelogs/unreleased/55447-validate-k8s-ca-cert.yml | 5 | ||||
| -rw-r--r-- | spec/fixtures/clusters/sample_cert.pem | 2 | ||||
| -rw-r--r-- | spec/models/clusters/kubernetes_namespace_spec.rb | 2 | ||||
| -rw-r--r-- | spec/models/clusters/platforms/kubernetes_spec.rb | 32 |
5 files changed, 39 insertions, 3 deletions
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index 8f3424db295..ed6bbfb4c64 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -43,6 +43,7 @@ module Clusters # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned) validates :api_url, url: true, presence: true validates :token, presence: true + validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed? validate :prevent_modification, on: :update diff --git a/changelogs/unreleased/55447-validate-k8s-ca-cert.yml b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml new file mode 100644 index 00000000000..e0448d403da --- /dev/null +++ b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml @@ -0,0 +1,5 @@ +--- +title: Validate kubernetes cluster CA certificate +merge_request: 24990 +author: +type: changed diff --git a/spec/fixtures/clusters/sample_cert.pem b/spec/fixtures/clusters/sample_cert.pem index e39a2b34416..00e6ce44d87 100644 --- a/spec/fixtures/clusters/sample_cert.pem +++ b/spec/fixtures/clusters/sample_cert.pem @@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A 6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag== ------END CERTIFICATE----- +-----END CERTIFICATE-----
\ No newline at end of file diff --git a/spec/models/clusters/kubernetes_namespace_spec.rb b/spec/models/clusters/kubernetes_namespace_spec.rb index 235e2ee4e69..b865909c7fd 100644 --- a/spec/models/clusters/kubernetes_namespace_spec.rb +++ b/spec/models/clusters/kubernetes_namespace_spec.rb @@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) } let(:api_url) { 'https://kube.domain.com' } - let(:ca_pem) { 'CA PEM DATA' } + let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) } let(:token) { 'token' } let(:kubeconfig) do diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb index 6c8a223092e..ce8269d8024 100644 --- a/spec/models/clusters/platforms/kubernetes_spec.rb +++ b/spec/models/clusters/platforms/kubernetes_spec.rb @@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching end end + context 'ca_cert' do + let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) } + + context 'with a valid certificate' do + let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) } + + it { is_expected.to be_truthy } + end + + context 'with an invalid certificate' do + let(:ca_pem) { "invalid" } + + it { is_expected.to be_falsey } + + context 'but the certificate is not being updated' do + before do + allow(kubernetes).to receive(:ca_cert_changed?).and_return(false) + end + + it { is_expected.to be_truthy } + end + end + + context 'with no certificate' do + let(:ca_pem) { "" } + + it { is_expected.to be_truthy } + end + end + describe 'when using reserved namespaces' do subject { build(:cluster_platform_kubernetes, namespace: namespace) } @@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) } let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) } let(:api_url) { 'https://kube.domain.com' } - let(:ca_pem) { 'CA PEM DATA' } + let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) } subject { kubernetes.predefined_variables(project: cluster.project) } |