Commit 7dd46d3

Merge pull request #6268 from pacevedom/OCPBUGS-77079
USHIFT-6635: Add service account token CA bundle test
2 parents 6bc3e73 + e9474b0 commit 7dd46d3

1 file changed

Lines changed: 45 additions & 0 deletions

@@ -0,0 +1,45 @@
1+
*** Settings ***
2+
Documentation Tests validating the service account CA bundle contents
3+
... by checking the kube-root-ca.crt ConfigMap that gets
4+
... automatically created in every namespace.
5+
6+
Resource ../../resources/common.resource
7+
Resource ../../resources/oc.resource
8+
Resource ../../resources/kubeconfig.resource
9+
10+
Suite Setup Setup Suite With Namespace
11+
Suite Teardown Teardown Suite With Namespace
12+
13+
Test Tags certificates
14+
15+
16+
*** Variables ***
17+
${USHIFT_HOST} ${EMPTY}
18+
${USHIFT_USER} ${EMPTY}
19+
${ROOT_CA_CONFIGMAP_NAME} kube-root-ca.crt
20+
21+
22+
*** Test Cases ***
23+
Root CA ConfigMap Contains All Signers
24+
[Documentation] Verify that the kube-root-ca.crt ConfigMap contains certificates
25+
... from all required signers: kube-apiserver-localhost-signer,
26+
... kube-apiserver-service-network-signer, and kube-apiserver-external-signer
27+
${configmap}= Oc Get configmap ${NAMESPACE} ${ROOT_CA_CONFIGMAP_NAME}
28+
VAR ${ca_bundle}= ${configmap.data['ca.crt']}
29+
Should Not Be Empty ${ca_bundle}
30+
31+
${subjects}= Get Certificate Subjects From Bundle ${ca_bundle}
32+
Should Contain ${subjects} kube-apiserver-localhost-signer
33+
Should Contain ${subjects} kube-apiserver-service-network-signer
34+
Should Contain ${subjects} kube-apiserver-external-signer
35+
36+
37+
*** Keywords ***
38+
Get Certificate Subjects From Bundle
39+
[Documentation] Extract all certificate subjects from a PEM-encoded CA bundle string.
40+
... For CA certificates, the Subject field contains the signer name.
41+
[Arguments] ${ca_bundle}
42+
${subjects}= Run With Kubeconfig
43+
... echo "${ca_bundle}" | openssl crl2pkcs7 -nocrl -certfile /dev/stdin 2>/dev/null | openssl pkcs7 -print_certs -text -noout 2>/dev/null | grep "Subject:"
44+
Log CA Bundle Subjects: ${subjects}
45+
RETURN ${subjects}
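Review bot: In `Get Certificate Subjects From Bundle` (new line 43), `${ca_bundle}` is expanded by Robot Framework into a double-quoted `echo "..."` inside the command string, so the ConfigMap's `ca.crt` value becomes part of the shell command, and any `"`, `$` or backtick in it would be interpreted by the shell rather than passed as data. Consider writing the bundle to a temporary file and passing that path to `-certfile`, which also removes the `echo` pipe. Both `2>/dev/null` redirections on the same line discard openssl's parse errors, so a malformed bundle only shows up as a missing signer in the `Should Contain` checks; keeping stderr in the log would make that failure diagnosable. The three `Should Contain` assertions (new lines 32-34) are substring matches against the whole grep output, so a subject that merely contains one of the signer names would also satisfy them; comparing against the CN of each `Subject:` line would be stricter.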
