test: Verify registry server certificate rotation

mesosphere · Nov 11, 2024 · c035cf5 · c035cf5
1 parent 8687f4e
commit c035cf5
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/test/e2e/helmbundle/helpers/helpers.go b/test/e2e/helmbundle/helpers/helpers.go
@@ -176,6 +176,7 @@ func GenerateCertificateAndKeyWithIPSAN(
 
 func ValidateChartIsAvailable(
 	t ginkgo.GinkgoTInterface,
+	g gomega.Gomega,
 	addr string,
 	port int,
 	chartName, chartVersion string,
@@ -196,9 +197,9 @@ func ValidateChartIsAvailable(
 		chartVersion,
 		pullOpts...,
 	)
-	gomega.ExpectWithOffset(1, err).NotTo(gomega.HaveOccurred())
+	g.ExpectWithOffset(1, err).NotTo(gomega.HaveOccurred())
 	chrt, err := helm.LoadChart(d)
-	gomega.ExpectWithOffset(1, err).NotTo(gomega.HaveOccurred())
-	gomega.ExpectWithOffset(1, chrt.Metadata.Name).To(gomega.Equal(chartName))
-	gomega.ExpectWithOffset(1, chrt.Metadata.Version).To(gomega.Equal(chartVersion))
+	g.ExpectWithOffset(1, err).NotTo(gomega.HaveOccurred())
+	g.ExpectWithOffset(1, chrt.Metadata.Name).To(gomega.Equal(chartName))
+	g.ExpectWithOffset(1, chrt.Metadata.Version).To(gomega.Equal(chartVersion))
 }
diff --git a/test/e2e/helmbundle/push_bundle_test.go b/test/e2e/helmbundle/push_bundle_test.go
@@ -76,6 +76,7 @@ var _ = Describe("Push Bundle", func() {
 
 		helpers.ValidateChartIsAvailable(
 			GinkgoT(),
+			Default,
 			"127.0.0.1",
 			port,
 			"podinfo",
@@ -85,6 +86,7 @@ var _ = Describe("Push Bundle", func() {
 
 		helpers.ValidateChartIsAvailable(
 			GinkgoT(),
+			Default,
 			"127.0.0.1",
 			port,
 			"node-feature-discovery",

diff --git a/test/e2e/helmbundle/serve_bundle_test.go b/test/e2e/helmbundle/serve_bundle_test.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"strconv"
+	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -68,6 +69,7 @@ var _ = Describe("Serve Helm Bundle", func() {
 
 		helpers.ValidateChartIsAvailable(
 			GinkgoT(),
+			Default,
 			"127.0.0.1",
 			port,
 			"podinfo",
@@ -77,6 +79,7 @@ var _ = Describe("Serve Helm Bundle", func() {
 
 		helpers.ValidateChartIsAvailable(
 			GinkgoT(),
+			Default,
 			"127.0.0.1",
 			port,
 			"node-feature-discovery",
@@ -126,9 +129,26 @@ var _ = Describe("Serve Helm Bundle", func() {
 
 		helpers.WaitForTCPPort(GinkgoT(), ipAddr.String(), port)
 
-		helpers.ValidateChartIsAvailable(GinkgoT(), ipAddr.String(), port, "podinfo", "6.2.0", helm.CAFileOpt(caCertFile))
+		// First check mindthegap is // First check that the helm chart is accessible with the old certificate.
+		helpers.ValidateChartIsAvailable(GinkgoT(), Default, ipAddr.String(), port, "podinfo", "6.2.0", helm.CAFileOpt(caCertFile))
 
-		helpers.ValidateChartIsAvailable(GinkgoT(), ipAddr.String(), port, "node-feature-discovery", "0.15.2", helm.CAFileOpt(caCertFile))
+		helpers.ValidateChartIsAvailable(GinkgoT(), Default, ipAddr.String(), port, "node-feature-discovery", "0.15.2", helm.CAFileOpt(caCertFile))
+
+		// Create a new certificate. This can happen at any time the server is running,
+		// and the server is expected to eventually use the new certificate.
+		// This also generates a new CA file which is even better because we can check
+		// that the server is using the certificate issued by the new CA.
+		caCertFile, _, _, _ = helpers.GenerateCertificateAndKeyWithIPSAN(
+			GinkgoT(),
+			tempCertDir,
+			ipAddr,
+		)
+
+		Eventually(func(g Gomega) {
+			helpers.ValidateChartIsAvailable(GinkgoT(), g, ipAddr.String(), port, "podinfo", "6.2.0", helm.CAFileOpt(caCertFile))
+
+			helpers.ValidateChartIsAvailable(GinkgoT(), g, ipAddr.String(), port, "node-feature-discovery", "0.15.2", helm.CAFileOpt(caCertFile))
+		}).WithTimeout(time.Second * 5).WithPolling(time.Second * 1).Should(Succeed())
 
 		close(stopCh)