projectcontour · sunjayBhatia · Jan 23, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 23, 2024
@@ -16,6 +16,9 @@
 // kubernetes helpers
 
 import (
+	"github.com/projectcontour/contour/internal/dag"
+	"github.com/projectcontour/contour/internal/fixture"
+	"github.com/tsaarni/certyaml"
 	v1 "k8s.io/api/core/v1"
 	networking_v1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -32,77 +35,74 @@
 	}
 }
 
-// nolint:revive,gosec
-const (
-	// CERTIFICATE generated by
-	// openssl genrsa -out example-key.pem 2048
-	// openssl req -new -x509 -days 18250 -key example-key.pem -sha256 -subj "/CN=www.example.com" -out example.pem
-	CERTIFICATE = `-----BEGIN CERTIFICATE-----
-MIIDFzCCAf+gAwIBAgIUZULFakfIJl0qaJXAVPCz2nzvB38wDQYJKoZIhvcNAQEL
-BQAwGjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMCAXDTIyMDgxOTExMDkxNVoY
-DzIwNzIwODA2MTEwOTE1WjAaMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDS9S4d/ea6wqiib8UeyHMptoks
-w+q2DNuF75NQHLh5Z2rUnE/N8/KVhpIx81QdId1maWS0b3392hCRRFY3sDlMpRk/
-1uoQgzLdk8pjw1JiqoDpvTiKZsADmVuUcCdHLNEzYtcLWBv0VyyNyE5pdrnVnMbx
-w1aiQ8w2lcBCJQ8Y4DAc5oKlvBu49aUsvfFZwjL6Cr1qafQiYylqQcz7zqGBYjXc
-iMzN+4fE1XQlw1iy6XmVZiHQr8Sb7EBI+g0iJapgNv7tBunzywSvAYK8N42QQOll
-1sKEVf7thoNEmJTIUFo6m57Fys7LQ/B8in5JwBU+1FjqNWLJ1Gj+zIc93oc3AgMB
-AAGjUzBRMB0GA1UdDgQWBBS/BZ2Uu1Y0//Um8bOqyyWz9LnPvzAfBgNVHSMEGDAW
-gBS/BZ2Uu1Y0//Um8bOqyyWz9LnPvzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4IBAQCTZ6ZDi7aU7NjZdGWNLrRCBEt+FcD+mdvtRcaSp2K7m+WObnWl
-rDM7V/s8ziu8ffwfwEbaBKYVLO7Mww8ke0WclBp1sq6A5AWy1sBCQYJuPCdOJNY0
-fLaZObhUSQvNGw1wAXkgczrsOa/5QII356UsLiqhninXWYTMvNehab4+QW6Dldqo
-EyxKgX2Ls984ZN5CDvvXfRnkeQW1/K705ReZq8qmtmCwU5wHYy0IoJGNapeX45VY
-6s2n5I5CpH4L9Ua4NLgqphjC/QYK4q71GHTZD89mfTsmE+0flgFDS+wrv5SusK8u
-CY2iW9j8VptZU8LVs9FrhgecEtfXbTA3MeSo
------END CERTIFICATE-----`
-
-	CERTIFICATE_WITH_TEXT = CERTIFICATE + "\t\r\n"
-
-	RSA_PRIVATE_KEY = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0vUuHf3musKoom/FHshzKbaJLMPqtgzbhe+TUBy4eWdq1JxP
-zfPylYaSMfNUHSHdZmlktG99/doQkURWN7A5TKUZP9bqEIMy3ZPKY8NSYqqA6b04
-imbAA5lblHAnRyzRM2LXC1gb9FcsjchOaXa51ZzG8cNWokPMNpXAQiUPGOAwHOaC
-pbwbuPWlLL3xWcIy+gq9amn0ImMpakHM+86hgWI13IjMzfuHxNV0JcNYsul5lWYh
-0K/Em+xASPoNIiWqYDb+7Qbp88sErwGCvDeNkEDpZdbChFX+7YaDRJiUyFBaOpue
-xcrOy0PwfIp+ScAVPtRY6jViydRo/syHPd6HNwIDAQABAoIBAEf36RHGSu6v9gPk
-iaUk0VULtuSUuf/9hu68es873Rtd0q5R3U/vx3SHglyUHMALi5Kipf6AgsUVnc1R
-OPCqqAGj2WdUFGopuDKrdsJuIi8S6APVz/I3d45CxWFwmZXIjl4vfBmcp3zGOKbu
-DQIhxOhBIgXclDOrWYHNuNdX+TyMr9cBe9bPtsWmN6Wl8V26kLzboQ3bIsM9taL+
-sizVNrLL4U7oqbsKVhmI1m78+VaucQeK+XuyvuT6toOxY/Mgidcp4Mwq06aOTFug
-N/u+VyXNen3Vk6/kMTxbaM9aQ05cnOrKqrgJAhiFGb+lcqvvGlwGxNqGcBABYkqf
-ejhNdEECgYEA/3shOSl4GmEGZZXTARo0bDnelSpSJgmlStBeAGraq+lm/4IrTCCB
-2tmJkEs6uiCEH7vkbbI/lLlhNjM2gKDovP3UwTQHGfiHlcIYYICMIpbp7+Ar9+ex
-4KPXmgqqhTKC4xQYGoUE6INlpZcQ4blA4AtQbhgcC4Cp8FD/QbXp0xECgYEA02Ll
-EAxzHZBNoK/5oPL0LiDUW/zPdOWCQCW8oGW5gDUvCLQ/lntegL8Qzubt7PZ4xgeg
-m2ENTDcp1Zfn9s0T1V2T9Sba8gShUCvm9nLVCj4OQ3lwDufwHFuhKFpj1BVnHD5y
-9yhXfyrFgvhamepEjq6LZUCrL1HxZqgOezv6JccCgYBqM1oFNArcFFcfZV+YRrdi
-AdBX+4a4jyvp5KIe1ExgSB7rucWb2KuCOQmpNMyN0LR7qJR1UTKC9WjGqhVO9RSq
-c228fo8xKZHbHBscCnO2cTt/3pUIcYUM167pNuPZiLzF/nVimMcIjI51fk2jN2oT
-eECP82+9DFgYMONbAm7XsQKBgH/Y3ztenDz0Ks8Vv3/FkUNY3bco5vwHV0ieyj+k
-ZpYRFHpKMe88fEKXzH2mk53uz8rNkCiJgTZoYqfpcQUGsYkpSLRLpL4daMcJVm4V
-s523PH84sjqBsuojzQuP57K8oxkk9/ld79VctAprVLikRISbMnmxrBc5kywIVoHY
-G4m/AoGBAPV0wuytURR3CbPHz28wrKRh/xnHrW+Fp3ooRfj8Pr/4zDVsqqNz2gA3
-yVb6kAEpg2ON9NOWSfoUfC+THitOnRm8pKL1QL7oiq/2+s3IiK+jSevEU7TUfjio
-1LwtUqv1MbKdv7TgkU0YQ99iLocWF4F4oWF6AX86/BL9y7gcbE0y
------END RSA PRIVATE KEY-----`
-
-	CRL = `-----BEGIN X509 CRL-----
-MIHlMIGMAgEBMAoGCCqGSM49BAMCMBsxGTAXBgNVBAMTEGNsaWVudC1yb290LWNh
-LTEXDTIyMDYyMTA5NDQ0NVoXDTIyMDYyODA5NDQ0NVowGzAZAggW+pmWu/XnExcN
-MjIwNjIxMDk0NDQ1WqAjMCEwHwYDVR0jBBgwFoAULRlmjBtfjbzwV2WeO9Vj5pWO
-h5gwCgYIKoZIzj0EAwIDSAAwRQIhANVFCqByuASAcbz6ovyvi5KCtPfNjHjxVaNT
-x69LFPN1AiA5pF5rqHy1FBctZBTW+3LTEEX35j3p1++zcNu8oHMO/w==
------END X509 CRL-----`
-)
+var CACertificate = certyaml.Certificate{
+	Subject: "CN=ca",
+}
+
+var ServerCertificate = certyaml.Certificate{
+	Issuer:          &CACertificate,
+	Subject:         "CN=www.example.com",
+	SubjectAltNames: []string{"DNS:www.example.com"},
+}
+
+var ClientCertificate = certyaml.Certificate{
+	Issuer:  &CACertificate,
+	Subject: "CN=client",
+}
 
-func Secretdata(cert, key string) map[string][]byte {
-	return map[string][]byte{
-		v1.TLSCertKey:       []byte(cert),
-		v1.TLSPrivateKeyKey: []byte(key),
+var CRL = certyaml.CRL{
+	Issuer: &CACertificate,
+}
+
+func TLSSecret(name string, credential *certyaml.Certificate) *v1.Secret {
+	cert, key, err := credential.PEM()
+	if err != nil {
+		panic(err)
+	}
+	return &v1.Secret{
+		ObjectMeta: fixture.ObjectMeta(name),
+		Type:       v1.SecretTypeTLS,
+		Data: map[string][]byte{
+			v1.TLSCertKey:       cert,
+			v1.TLSPrivateKeyKey: key,
+		},
 	}
 }
 
+func CASecret(name string, credential *certyaml.Certificate) *v1.Secret {
+	cert, _, err := credential.PEM()
+	if err != nil {
+		panic(err)
+	}
+	return &v1.Secret{
+		ObjectMeta: fixture.ObjectMeta(name),
+		Type:       v1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			dag.CACertificateKey: cert,
+		},
+	}
+}
+
+func CRLSecret(name string, credential *certyaml.CRL) *v1.Secret {
+	crl, err := credential.PEM()
+	if err != nil {
+		panic(err)
+	}
+
+	return &v1.Secret{
+		ObjectMeta: fixture.ObjectMeta(name),
+		Type:       v1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			dag.CRLKey: crl,
+		},
+	}
+}
+
+func PEMBytes(cert *certyaml.Certificate) []byte {
+	c, _, _ := cert.PEM()
+	return c
+}
+
 func Endpoints(ns, name string, subsets ...v1.EndpointSubset) *v1.Endpoints {
 	return &v1.Endpoints{
 		ObjectMeta: metav1.ObjectMeta{

@@ -86,12 +86,7 @@ func authzResponseTimeout(t *testing.T, rh ResourceEventHandlerWrapper, c *Conto
 					envoy_v3.TLSInspector(),
 				),
 				FilterChains: []*envoy_listener_v3.FilterChain{
-					filterchaintls(fqdn,
-						&corev1.Secret{
-							ObjectMeta: fixture.ObjectMeta("certificate"),
-							Type:       "kubernetes.io/tls",
-							Data:       featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
-						},
+					filterchaintls(fqdn, featuretests.TLSSecret("certificate", &featuretests.ServerCertificate),
 						authzFilterFor(
 							fqdn,
 							&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -172,12 +167,7 @@ func authzFailOpen(t *testing.T, rh ResourceEventHandlerWrapper, c *Contour) {
 					envoy_v3.TLSInspector(),
 				),
 				FilterChains: []*envoy_listener_v3.FilterChain{
-					filterchaintls(fqdn,
-						&corev1.Secret{
-							ObjectMeta: fixture.ObjectMeta("certificate"),
-							Type:       "kubernetes.io/tls",
-							Data:       featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
-						},
+					filterchaintls(fqdn, featuretests.TLSSecret("certificate", &featuretests.ServerCertificate),
 						authzFilterFor(
 							fqdn,
 							&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -487,12 +477,7 @@ func authzInvalidReference(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 					envoy_v3.TLSInspector(),
 				),
 				FilterChains: []*envoy_listener_v3.FilterChain{
-					filterchaintls(fqdn,
-						&corev1.Secret{
-							ObjectMeta: fixture.ObjectMeta("certificate"),
-							Type:       "kubernetes.io/tls",
-							Data:       featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
-						},
+					filterchaintls(fqdn, featuretests.TLSSecret("certificate", &featuretests.ServerCertificate),
 						authzFilterFor(
 							fqdn,
 							&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -551,12 +536,7 @@ func authzWithRequestBodyBufferSettings(t *testing.T, rh ResourceEventHandlerWra
 					envoy_v3.TLSInspector(),
 				),
 				FilterChains: []*envoy_listener_v3.FilterChain{
-					filterchaintls(fqdn,
-						&corev1.Secret{
-							ObjectMeta: fixture.ObjectMeta("certificate"),
-							Type:       "kubernetes.io/tls",
-							Data:       featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
-						},
+					filterchaintls(fqdn, featuretests.TLSSecret("certificate", &featuretests.ServerCertificate),
 						authzFilterFor(
 							fqdn,
 							&envoy_config_filter_http_ext_authz_v3.ExtAuthz{
@@ -631,12 +611,7 @@ func TestAuthorization(t *testing.T) {
 				Ports:     featuretests.Ports(featuretests.Port("", 80)),
 			}))
 
-			rh.OnAdd(&corev1.Secret{
-				ObjectMeta: fixture.ObjectMeta("certificate"),
-				Type:       "kubernetes.io/tls",
-				Data:       featuretests.Secretdata(featuretests.CERTIFICATE, featuretests.RSA_PRIVATE_KEY),
-			})
-
+			rh.OnAdd(featuretests.TLSSecret("certificate", &featuretests.ServerCertificate))
 			f(t, rh, c)
 		})
 	}

@@ -18,28 +18,17 @@ import (
 
 	envoy_discovery_v3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
 	contour_api_v1 "github.com/projectcontour/contour/apis/projectcontour/v1"
-	"github.com/projectcontour/contour/internal/dag"
 	"github.com/projectcontour/contour/internal/featuretests"
 	"github.com/projectcontour/contour/internal/fixture"
 	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
 func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 	rh, c, done := setup(t)
 	defer done()
 
-	secret := &v1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "foo",
-			Namespace: "default",
-		},
-		Type: v1.SecretTypeOpaque,
-		Data: map[string][]byte{
-			dag.CACertificateKey: []byte(featuretests.CERTIFICATE),
-		},
-	}
+	caSecret := featuretests.CASecret("foo", &featuretests.CACertificate)
 
 	svc := fixture.NewService("default/kuard").
 		Annotate("projectcontour.io/upstream-protocol.tls", "securebackend,443").
@@ -60,7 +49,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 			}},
 		},
 	}
-	rh.OnAdd(secret)
+	rh.OnAdd(caSecret)
 	rh.OnAdd(svc)
 	rh.OnAdd(p1)
 
@@ -93,7 +82,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 					Name: svc.Name,
 					Port: 443,
 					UpstreamValidation: &contour_api_v1.UpstreamValidation{
-						CACertificate: secret.Name,
+						CACertificate: caSecret.Name,
 						SubjectName:   "subjname",
 					},
 				}},
@@ -114,7 +103,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 	// assert that the cluster now has a certificate and subject name.
 	c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 		Resources: resources(t,
-			tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
+			tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret, "subjname", "", nil, nil),
 		),
 		TypeUrl: clusterType,
 	})
@@ -140,7 +129,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 					Name: svc.Name,
 					Port: 443,
 					UpstreamValidation: &contour_api_v1.UpstreamValidation{
-						CACertificate: secret.Name,
+						CACertificate: caSecret.Name,
 						SubjectName:   "subjname",
 					},
 				}},
@@ -161,7 +150,7 @@ func TestClusterServiceTLSBackendCAValidation(t *testing.T) {
 	// assert that the cluster now has a certificate and subject name.
 	c.Request(clusterType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 		Resources: resources(t,
-			tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), []byte(featuretests.CERTIFICATE), "subjname", "", nil, nil),
+			tlsCluster(cluster("default/kuard/443/c6ccd34de5", "default/kuard/securebackend", "default_kuard_443"), caSecret, "subjname", "", nil, nil),
 		),
 		TypeUrl: clusterType,
 	})