Merge pull request #2960 from neolit123/1.29-add-test-job-super-admin…
….conf

kinder: add tests for /etc/kubernetes/pki/apiserver-kubelet-client.crt
k8s-ci-robot authored Nov 13, 2023
2 parents d8525d5 + 5ee3ff5 commit 7405997
Showing 2 changed files with 48 additions and 10 deletions.
@@ -62,18 +62,24 @@ tasks:
${CMD} kubeadm init phase certs ca || exit 1
${CMD} kubeadm init phase kubeconfig admin || exit 1
${CMD} kubeadm init phase kubeconfig super-admin || exit 1
${CMD} kubeadm init phase certs apiserver-kubelet-client || exit 1
# Both admin.conf and super-admin.conf must exist
# Both admin.conf and super-admin.conf must exist, also apiserver-kubelet-client.crt
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1
${CMD} test -f /etc/kubernetes/pki/apiserver-kubelet-client.crt || exit 1
# Check certificate subjects
# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Make sure that the check-expiration and renew commands do not return errors
${CMD} kubeadm certs renew admin.conf || exit 1
${CMD} kubeadm certs renew super-admin.conf || exit 1
${CMD} kubeadm certs renew apiserver-kubelet-client || exit 1
${CMD} kubeadm certs check-expiration || exit 1
# Delete super-admin.conf and make sure check-expiration and renew do not return errors
@@ -83,6 +89,7 @@ tasks:
# Cleanup
${CMD} rm -f /etc/kubernetes/pki/ca.*
${CMD} rm -f /etc/kubernetes/pki/apiserver-kubelet-client.crt
${CMD} rm -f /etc/kubernetes/*.conf
# Ensure exit status of 0
@@ -115,10 +122,13 @@ tasks:
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1
# Check certificate subjects
# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Delete super-admin.conf to make sure this version of kubeadm creates it on upgrade
${CMD} rm -f /etc/kubernetes/super-admin.conf
@@ -153,9 +163,12 @@ tasks:
# super-admin.conf must not exist
${CMD} test -f /etc/kubernetes/super-admin.conf && exit 1
# Check certificate subject
# Check certificate subject for admin.conf
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Check if 'kubeadm init' created the RBAC permissions for the admin.conf user
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1
@@ -188,10 +201,13 @@ tasks:
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1
# Check certificate subjects
# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Check if the admin.conf user still has RBAC permissions
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1
@@ -217,6 +233,9 @@ tasks:
# Check certificate subject
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Check if the admin.conf user still has the RBAC permissions
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1
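Review bot: The cleanup line added in the `@@ -83,6 +89,7 @@` hunk removes only `/etc/kubernetes/pki/apiserver-kubelet-client.crt`, but the `kubeadm init phase certs apiserver-kubelet-client` call added at the top of this section normally writes a matching private key next to the certificate. That key stays on the node after the task as stray credential material, and a later certs phase on the same node may stop on the half-present pair instead of regenerating it. An explicit second line avoids relying on where the glob is expanded: `${CMD} rm -f /etc/kubernetes/pki/apiserver-kubelet-client.key`. The same cleanup appears in `kinder/ci/workflows/super-admin-tasks.yaml` further down this commit.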
29 changes: 24 additions & 5 deletions kinder/ci/workflows/super-admin-tasks.yaml
@@ -63,18 +63,24 @@ tasks:
${CMD} kubeadm init phase certs ca || exit 1
${CMD} kubeadm init phase kubeconfig admin || exit 1
${CMD} kubeadm init phase kubeconfig super-admin || exit 1
${CMD} kubeadm init phase certs apiserver-kubelet-client || exit 1
# Both admin.conf and super-admin.conf must exist
# Both admin.conf and super-admin.conf must exist, also apiserver-kubelet-client.crt
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1
${CMD} test -f /etc/kubernetes/pki/apiserver-kubelet-client.crt || exit 1
# Check certificate subjects
# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Make sure that the check-expiration and renew commands do not return errors
${CMD} kubeadm certs renew admin.conf || exit 1
${CMD} kubeadm certs renew super-admin.conf || exit 1
${CMD} kubeadm certs renew apiserver-kubelet-client || exit 1
${CMD} kubeadm certs check-expiration || exit 1
# Delete super-admin.conf and make sure check-expiration and renew do not return errors
@@ -84,6 +90,7 @@ tasks:
# Cleanup
${CMD} rm -f /etc/kubernetes/pki/ca.*
${CMD} rm -f /etc/kubernetes/pki/apiserver-kubelet-client.crt
${CMD} rm -f /etc/kubernetes/*.conf
# Ensure exit status of 0
@@ -116,10 +123,13 @@ tasks:
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1
# Check certificate subjects
# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Delete super-admin.conf to make sure this version of kubeadm creates it on upgrade
${CMD} rm -f /etc/kubernetes/super-admin.conf
@@ -154,9 +164,12 @@ tasks:
# super-admin.conf must not exist
${CMD} test -f /etc/kubernetes/super-admin.conf && exit 1
# Check certificate subject
# Check certificate subject for admin.conf
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Check if 'kubeadm init' created the RBAC permissions for the admin.conf user
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1
@@ -189,10 +202,13 @@ tasks:
${CMD} test -f /etc/kubernetes/admin.conf || exit 1
${CMD} test -f /etc/kubernetes/super-admin.conf || exit 1
# Check certificate subjects
# Check certificate subject for .conf files
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
${CMD} grep 'client-certificate-data' /etc/kubernetes/super-admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = system:masters, CN = kubernetes-super-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Check if the admin.conf user still has RBAC permissions
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1
@@ -218,6 +234,9 @@ tasks:
# Check certificate subject
${CMD} grep 'client-certificate-data' /etc/kubernetes/admin.conf | awk '{print $2}' | base64 -d | openssl x509 -subject -noout | grep "subject=O = kubeadm:cluster-admins, CN = kubernetes-admin" || exit 1
# Check certificate subject for apiserver-kubelet-client.crt
${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1
# Check if the admin.conf user still has the RBAC permissions
${CMD} kubectl -n kube-system --kubeconfig /etc/kubernetes/admin.conf get cm kubeadm-config || exit 1
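Review bot: In the first hunk of this file the subject of `apiserver-kubelet-client.crt` is asserted before `kubeadm certs renew apiserver-kubelet-client` runs, and the visible lines never read the certificate again. A renewal that reissued it under a different organization (for example `system:masters`, which this page expects only on super-admin.conf) would therefore still pass. Repeating the check after the renew lines closes that gap: `${CMD} openssl x509 -subject -noout -in /etc/kubernetes/pki/apiserver-kubelet-client.crt | grep -x "subject=O = kubeadm:cluster-admins, CN = kube-apiserver-kubelet-client" || exit 1`, where `-x` makes the match whole-line so a longer CN that only starts with the expected text is rejected. The task body continues past the end of the hunk, so a later re-check may already exist outside the view. The first file section of this commit carries the same lines.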
