Get mutual SSL working with helm tiller

author: Dylan Griffith <dyl.griffith@gmail.com> 2018-07-24 14:02:35 +0300
committer: Dylan Griffith <dyl.griffith@gmail.com> 2018-07-30 16:08:30 +0300
commit: 11edbcccef37f08b089386c41d3914df7f48a677 (patch)
tree: 3017e5e2904d11023075c5e84ddba5320e2b623f /spec/models
parent: ce897f11a0650b0d6938cb506a030ef00160ab7a (diff)
5 files changed, 118 insertions, 17 deletions
diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb
index 0eb1e3876e2..535e9f15919 100644
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -6,13 +6,24 @@ describe Clusters::Applications::Helm do
   describe '.installed' do
     subject { described_class.installed }
 
-    let!(:cluster) { create(:clusters_applications_helm, :installed) }
+    let!(:installed_cluster) { create(:clusters_applications_helm, :installed) }
 
     before do
       create(:clusters_applications_helm, :errored)
     end
 
-    it { is_expected.to contain_exactly(cluster) }
+    it { is_expected.to contain_exactly(installed_cluster) }
+  end
+
+  describe '#issue_cert' do
+    let(:application) { create(:clusters_applications_helm) }
+    subject { application.issue_cert }
+
+    it 'returns a new cert' do
+      is_expected.to be_kind_of(Gitlab::Kubernetes::Helm::Certificate)
+      expect(subject.cert_string).not_to eq(application.ca_cert)
+      expect(subject.key_string).not_to eq(application.ca_key)
+    end
   end
 
   describe '#install_command' do
@@ -25,5 +36,13 @@ describe Clusters::Applications::Helm do
     it 'should be initialized with 1 arguments' do
       expect(subject.name).to eq('helm')
     end
+
+    it 'should have cert files' do
+      expect(subject.files[:'ca.pem']).to be_present
+      expect(subject.files[:'ca.pem']).to eq(helm.ca_cert)
+
+      expect(subject.files[:'cert.pem']).to be_present
+      expect(subject.files[:'key.pem']).to be_present
+    end
   end
 end
diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb
index fbb3c18319f..6426818d349 100644
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -79,7 +79,9 @@ describe Clusters::Applications::Ingress do
   end
 
   describe '#files' do
-    let(:values) { ingress.files[:'values.yaml'] }
+    let(:application) { ingress }
+    subject { application.files }
+    let(:values) { subject[:'values.yaml'] }
 
     it 'should include ingress valid keys in values' do
       expect(values).to include('image')
@@ -87,5 +89,25 @@ describe Clusters::Applications::Ingress do
       expect(values).to include('stats')
       expect(values).to include('podAnnotations')
     end
+
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
+
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
   end
 end
diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb
index 0e2847592fc..4a470bbea74 100644
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -43,9 +43,29 @@ describe Clusters::Applications::Jupyter do
   end
 
   describe '#files' do
-    let(:jupyter) { create(:clusters_applications_jupyter) }
+    let(:application) { create(:clusters_applications_jupyter) }
+    subject { application.files }
+    let(:values) { subject[:'values.yaml'] }
 
-    let(:values) { jupyter.files[:'values.yaml'] }
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
+
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
 
     it 'should include valid values' do
       expect(values).to include('ingress')
@@ -53,8 +73,8 @@ describe Clusters::Applications::Jupyter do
       expect(values).to include('rbac')
       expect(values).to include('proxy')
       expect(values).to include('auth')
-      expect(values).to match(/clientId: '?#{jupyter.oauth_application.uid}/)
-      expect(values).to match(/callbackUrl: '?#{jupyter.callback_url}/)
+      expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
+      expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
     end
   end
 end
diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb
index 013cb8da22b..c506d3a69e2 100644
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -158,9 +158,29 @@ describe Clusters::Applications::Prometheus do
   end
 
   describe '#files' do
-    let(:prometheus) { create(:clusters_applications_prometheus) }
+    let(:application) { create(:clusters_applications_prometheus) }
+    subject { application.files }
+    let(:values) { subject[:'values.yaml'] }
+
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
 
-    let(:values) { prometheus.files[:'values.yaml'] }
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
+
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
 
     it 'should include prometheus valid values' do
       expect(values).to include('alertmanager')
diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb
index 4ac136a6274..ab37603e4ec 100644
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -38,11 +38,31 @@ describe Clusters::Applications::Runner do
   end
 
   describe '#files' do
-    let(:gitlab_runner) { create(:clusters_applications_runner, runner: ci_runner) }
+    let(:application) { create(:clusters_applications_runner, runner: ci_runner) }
 
-    subject { gitlab_runner.files }
+    subject { application.files }
     let(:values) { subject[:'values.yaml'] }
 
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
+
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
+
     it 'should include runner valid values' do
       expect(values).to include('concurrent')
       expect(values).to include('checkInterval')
@@ -57,8 +77,8 @@ describe Clusters::Applications::Runner do
 
     context 'without a runner' do
       let(:project) { create(:project) }
-      let(:cluster) { create(:cluster, projects: [project]) }
-      let(:gitlab_runner) { create(:clusters_applications_runner, cluster: cluster) }
+      let(:cluster) { create(:cluster, :with_installed_helm, projects: [project]) }
+      let(:application) { create(:clusters_applications_runner, cluster: cluster) }
 
       it 'creates a runner' do
         expect do
@@ -67,13 +87,13 @@ describe Clusters::Applications::Runner do
       end
 
       it 'uses the new runner token' do
-        expect(values).to match(/runnerToken: '?#{gitlab_runner.reload.runner.token}/)
+        expect(values).to match(/runnerToken: '?#{application.reload.runner.token}/)
       end
 
       it 'assigns the new runner to runner' do
         subject
 
-        expect(gitlab_runner.reload.runner).to be_project_type
+        expect(application.reload.runner).to be_project_type
       end
     end
 
@@ -97,11 +117,11 @@ describe Clusters::Applications::Runner do
       end
 
       before do
-        allow(gitlab_runner).to receive(:chart_values).and_return(stub_values)
+        allow(application).to receive(:chart_values).and_return(stub_values)
       end
 
       it 'should overwrite values.yaml' do
-        expect(values).to match(/privileged: '?#{gitlab_runner.privileged}/)
+        expect(values).to match(/privileged: '?#{application.privileged}/)
       end
     end
   end
author	Dylan Griffith <dyl.griffith@gmail.com>	2018-07-24 14:02:35 +0300
committer	Dylan Griffith <dyl.griffith@gmail.com>	2018-07-30 16:08:30 +0300
commit	11edbcccef37f08b089386c41d3914df7f48a677 (patch)
tree	3017e5e2904d11023075c5e84ddba5320e2b623f /spec/models
parent	ce897f11a0650b0d6938cb506a030ef00160ab7a (diff)