Validate kubernetes cluster CA certificate

No certificate is still accepted, but if one is provided it must be valid. Only run validation if the certificate has changed to avoid making existing records invalid.
author: Tiger <twatson@gitlab.com> 2019-02-07 07:56:08 +0300
committer: Tiger <twatson@gitlab.com> 2019-02-08 02:05:05 +0300
commit: 73e5d3a2693d0469fdad925c398b6c464803c4b3 (patch)
tree: 16c20ef1d87b437e5a62ef041cb02772e489942b
parent: 2cea4fd067e2b78600b93202e0e71b58bccbe3d1 (diff)
5 files changed, 39 insertions, 3 deletions
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 8f3424db295..ed6bbfb4c64 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -43,6 +43,7 @@ module Clusters
       # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
       validates :api_url, url: true, presence: true
       validates :token, presence: true
+      validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?
 
       validate :prevent_modification, on: :update
 
diff --git a/changelogs/unreleased/55447-validate-k8s-ca-cert.yml b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml
new file mode 100644
index 00000000000..e0448d403da
--- /dev/null
+++ b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml
@@ -0,0 +1,5 @@
+---
+title: Validate kubernetes cluster CA certificate
+merge_request: 24990
+author:
+type: changed
diff --git a/spec/fixtures/clusters/sample_cert.pem b/spec/fixtures/clusters/sample_cert.pem
index e39a2b34416..00e6ce44d87 100644
--- a/spec/fixtures/clusters/sample_cert.pem
+++ b/spec/fixtures/clusters/sample_cert.pem
@@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ
 Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A
 6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u
 texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag==
------END CERTIFICATE-----
+-----END CERTIFICATE-----
+\ No newline at end of file
diff --git a/spec/models/clusters/kubernetes_namespace_spec.rb b/spec/models/clusters/kubernetes_namespace_spec.rb
index 235e2ee4e69..b865909c7fd 100644
--- a/spec/models/clusters/kubernetes_namespace_spec.rb
+++ b/spec/models/clusters/kubernetes_namespace_spec.rb
@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
     let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }
 
     let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
     let(:token) { 'token' }
 
     let(:kubeconfig) do
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index 6c8a223092e..ce8269d8024 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
       end
     end
 
+    context 'ca_cert' do
+      let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
+
+      context 'with a valid certificate' do
+        let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'with an invalid certificate' do
+        let(:ca_pem) { "invalid" }
+
+        it { is_expected.to be_falsey }
+
+        context 'but the certificate is not being updated' do
+          before do
+            allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
+          end
+
+          it { is_expected.to be_truthy }
+        end
+      end
+
+      context 'with no certificate' do
+        let(:ca_pem) { "" }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+
     describe 'when using reserved namespaces' do
       subject { build(:cluster_platform_kubernetes, namespace: namespace) }
 
@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
     let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
     let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
     let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
 
     subject { kubernetes.predefined_variables(project: cluster.project) }
author	Tiger <twatson@gitlab.com>	2019-02-07 07:56:08 +0300
committer	Tiger <twatson@gitlab.com>	2019-02-08 02:05:05 +0300
commit	73e5d3a2693d0469fdad925c398b6c464803c4b3 (patch)
tree	16c20ef1d87b437e5a62ef041cb02772e489942b
parent	2cea4fd067e2b78600b93202e0e71b58bccbe3d1 (diff)