enable more conformance tests

Signed-off-by: Tim Ramlot <[email protected]>

Author: inteon

conformance/framework/helper/validation/certificates/certificates.go

@@ -114,6 +114,23 @@ func ExpectCertificateOrganizationToMatch(certificate *cmapi.Certificate, secret
 	}
 
 	expectedOrganization := pki.OrganizationForCertificate(certificate)
+	if certificate.Spec.LiteralSubject != "" {
+		sequence, err := pki.UnmarshalSubjectStringToRDNSequence(certificate.Spec.LiteralSubject)
+		if err != nil {
+			return err
+		}
+
+		for _, rdns := range sequence {
+			for _, atv := range rdns {
+				if atv.Type.Equal(pki.OIDConstants.Organization) {
+					if str, ok := atv.Value.(string); ok {
+						expectedOrganization = append(expectedOrganization, str)
+					}
+				}
+			}
+		}
+	}
+
 	if !util.EqualUnsorted(cert.Subject.Organization, expectedOrganization) {
 		return fmt.Errorf("Expected certificate valid for O %v, but got a certificate valid for O %v", expectedOrganization, cert.Subject.Organization)
 	}

conformance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go

@@ -323,21 +323,13 @@ func ExpectValidBasicConstraints(csr *certificatesv1.CertificateSigningRequest,
 		return err
 	}
 
-	markedIsCA := false
-	if csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true" {
-		markedIsCA = true
-	}
+	markedIsCA := csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true"
 
 	if cert.IsCA != markedIsCA {
 		return fmt.Errorf("requested certificate does not match expected IsCA, exp=%t got=%t",
 			markedIsCA, cert.IsCA)
 	}
 
-	hasCertSign := (cert.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign
-	if hasCertSign != markedIsCA {
-		return fmt.Errorf("Expected certificate to have KeyUsageCertSign=%t, but got=%t", markedIsCA, hasCertSign)
-	}
-
 	return nil
 }
 

go.mod

@@ -15,11 +15,12 @@ require (
 	k8s.io/apiextensions-apiserver v0.27.3
 	k8s.io/apimachinery v0.27.3
 	k8s.io/client-go v0.27.3
+	k8s.io/component-base v0.27.3
 	k8s.io/klog/v2 v2.100.1
-	k8s.io/kube-aggregator v0.27.1
+	k8s.io/kube-aggregator v0.27.2
 	k8s.io/utils v0.0.0-20230505201702-9f6742963106
 	sigs.k8s.io/controller-runtime v0.15.0
-	sigs.k8s.io/gateway-api v0.6.2
+	sigs.k8s.io/gateway-api v0.7.0
 )
 
 require (
@@ -82,10 +83,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.27.3 // indirect
-	k8s.io/kube-aggregator v0.27.2 // indirect
 	k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 // indirect
-	sigs.k8s.io/gateway-api v0.7.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect

internal/testsetups/simple/controller/signer.go

@@ -82,8 +82,7 @@ func (Signer) Sign(ctx context.Context, cr signer.CertificateRequestObject, issu
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
 
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 	}
 

internal/testsetups/simple/e2e/conformance/conformance.go

@@ -26,12 +26,7 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
 	kubeClients := testresource.KubeClients(t, ctx)
 
 	unsupportedFeatures := featureset.NewFeatureSet(
-		featureset.DurationFeature,
-		featureset.KeyUsagesFeature,
 		featureset.SaveCAToSecret,
-		featureset.Ed25519FeatureSet,
-		featureset.IssueCAFeature,
-		featureset.LiteralSubjectFeature,
 	)
 
 	issuerBuilder := newIssuerBuilder("SimpleIssuer")
@@ -59,12 +54,7 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
 	kubeClients := testresource.KubeClients(t, ctx)
 
 	unsupportedFeatures := featureset.NewFeatureSet(
-		featureset.DurationFeature,
-		featureset.KeyUsagesFeature,
 		featureset.SaveCAToSecret,
-		featureset.Ed25519FeatureSet,
-		featureset.IssueCAFeature,
-		featureset.LiteralSubjectFeature,
 	)
 
 	clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
@@ -87,35 +77,18 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
 	}).Define()
 })
 
+/*
 var _ = framework.ConformanceDescribe("RBAC", func() {
 	t := &mockTest{}
 	ctx := testresource.EnsureTestDependencies(t, context.TODO(), testresource.EndToEndTest)
 	kubeClients := testresource.KubeClients(t, ctx)
 
-	unsupportedFeatures := featureset.NewFeatureSet(
-		featureset.DurationFeature,
-		featureset.KeyUsagesFeature,
-		featureset.SaveCAToSecret,
-		featureset.Ed25519FeatureSet,
-		featureset.IssueCAFeature,
-		featureset.LiteralSubjectFeature,
-	)
+	kubeConfig := rest.CopyConfig(kubeClients.Rest)
+	kubeConfig.Impersonate.UserName = "system:serviceaccount:my-namespace:simple-issuer-controller-manager"
+	kubeConfig.Impersonate.Groups = []string{"system:authenticated"}
 
-	issuerBuilder := newIssuerBuilder("SimpleIssuer")
-	(&certificates.Suite{
-		KubeClientConfig:    kubeClients.Rest,
-		Name:                "External Issuer",
-		CreateIssuerFunc:    issuerBuilder.create,
-		DeleteIssuerFunc:    issuerBuilder.delete,
-		UnsupportedFeatures: unsupportedFeatures,
-	}).Define()
-
-	clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
-	(&certificates.Suite{
-		KubeClientConfig:    kubeClients.Rest,
-		Name:                "External ClusterIssuer",
-		CreateIssuerFunc:    clusterIssuerBuilder.create,
-		DeleteIssuerFunc:    clusterIssuerBuilder.delete,
-		UnsupportedFeatures: unsupportedFeatures,
+	(&rbac.Suite{
+		KubeClientConfig: kubeConfig,
 	}).Define()
 })
+*/

make/e2e-setup.mk

@@ -78,7 +78,8 @@ e2e-setup-cert-manager: | kind-cluster images $(NEEDS_HELM) $(NEEDS_KUBECTL)
 		--namespace cert-manager \
 		--repo https://charts.jetstack.io \
 		--set installCRDs=true \
-		--set featureGates=ServerSideApply=true \
+		--set featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
+		--set webhook.featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
 		--set image.repository=$(quay.io/jetstack/cert-manager-controller.REPO) \
 		--set image.tag=$(quay.io/jetstack/cert-manager-controller.TAG) \
 		--set image.pullPolicy=Never \