feat: Add e2e testcases for 'auth-tls-secret' and 'ssl-cipher' (#354)

test/ingress/conformance/utils/kubernetes/cert.go

@@ -20,7 +20,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/pem"
 	"fmt"
 	"io"
 	"math/big"
@@ -35,11 +34,8 @@ import (
 
 	// ensure auth plugins are loaded
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
-)
 
-const (
-	rsaBits  = 2048
-	validFor = 365 * 24 * time.Hour
+	"github.com/alibaba/higress/test/ingress/conformance/utils/cert"
 )
 
 // MustCreateSelfSignedCertSecret creates a self-signed SSL certificate and stores it in a secret
@@ -47,49 +43,56 @@ func MustCreateSelfSignedCertSecret(t *testing.T, namespace, secretName string,
 	require.Greater(t, len(hosts), 0, "require a non-empty hosts for Subject Alternate Name values")
 
 	var serverKey, serverCert bytes.Buffer
-
 	host := strings.Join(hosts, ",")
-
 	require.NoError(t, generateRSACert(host, &serverKey, &serverCert), "failed to generate RSA certificate")
 
-	data := map[string][]byte{
-		corev1.TLSCertKey:       serverCert.Bytes(),
-		corev1.TLSPrivateKeyKey: serverKey.Bytes(),
-	}
+	return ConstructTLSSecret(namespace, secretName, serverCert.Bytes(), serverKey.Bytes())
+}
 
-	newSecret := &corev1.Secret{
+// ConstructTLSSecret constructs a secret of type "kubernetes.io/tls"
+func ConstructTLSSecret(namespace, secretName string, cert, key []byte) *corev1.Secret {
+	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 			Name:      secretName,
 		},
 		Type: corev1.SecretTypeTLS,
-		Data: data,
+		Data: map[string][]byte{
+			corev1.TLSCertKey:       cert,
+			corev1.TLSPrivateKeyKey: key,
+		},
 	}
-
-	return newSecret
 }
 
-// generateRSACert generates a basic self signed certificate valir for a year
-func generateRSACert(host string, keyOut, certOut io.Writer) error {
-	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
-	if err != nil {
-		return fmt.Errorf("failed to generate key: %w", err)
+// ConstructCASecret construct a CA secret of type "Opaque"
+func ConstructCASecret(namespace, secretName string, cert []byte) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      secretName,
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			corev1.ServiceAccountRootCAKey: cert,
+		},
 	}
-	notBefore := time.Now()
-	notAfter := notBefore.Add(validFor)
+}
 
+// generateRSACert generates a basic self signed certificate valid for a year
+func generateRSACert(host string, keyOut, certOut io.Writer) error {
+	notBefore := time.Now()
+	notAfter := notBefore.Add(cert.ValidFor)
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-
 	if err != nil {
 		return fmt.Errorf("failed to generate serial number: %w", err)
 	}
 
-	template := x509.Certificate{
+	template := &x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			CommonName:   "default",
-			Organization: []string{"Acme Co"},
+			Organization: []string{"Higress E2E Test"},
 		},
 		NotBefore: notBefore,
 		NotAfter:  notAfter,
@@ -108,18 +111,13 @@ func generateRSACert(host string, keyOut, certOut io.Writer) error {
 		}
 	}
 
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
-
+	priv, err := rsa.GenerateKey(rand.Reader, cert.RSABits)
 	if err != nil {
-		return fmt.Errorf("failed to create certificate: %w", err)
+		return fmt.Errorf("failed to generate key: %w", err)
 	}
-
-	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
-		return fmt.Errorf("failed creating cert: %w", err)
-	}
-
-	if err := pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
-		return fmt.Errorf("failed creating key: %w", err)
+	certOut, keyOut, err = cert.GenerateCert(template, priv, template, nil)
+	if err != nil {
+		return fmt.Errorf("failed to generate rsa certificate: %w", err)
 	}
 
 	return nil