Commit 73e5d3a2 authored by Tiger's avatar Tiger

Validate kubernetes cluster CA certificate

No certificate is still accepted, but if one is provided it must
be valid. Only run validation if the certificate has changed to
avoid making existing records invalid.
parent 2cea4fd0
...@@ -43,6 +43,7 @@ module Clusters ...@@ -43,6 +43,7 @@ module Clusters
# We expect to be `active?` only when enabled and cluster is created (the api_url is assigned) # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
validates :api_url, url: true, presence: true validates :api_url, url: true, presence: true
validates :token, presence: true validates :token, presence: true
validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?
validate :prevent_modification, on: :update validate :prevent_modification, on: :update
......
---
title: Validate kubernetes cluster CA certificate
merge_request: 24990
author:
type: changed
...@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do ...@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) } let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }
let(:api_url) { 'https://kube.domain.com' } let(:api_url) { 'https://kube.domain.com' }
let(:ca_pem) { 'CA PEM DATA' } let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
let(:token) { 'token' } let(:token) { 'token' }
let(:kubeconfig) do let(:kubeconfig) do
......
...@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching ...@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
end end
end end
context 'ca_cert' do
let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
context 'with a valid certificate' do
let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
it { is_expected.to be_truthy }
end
context 'with an invalid certificate' do
let(:ca_pem) { "invalid" }
it { is_expected.to be_falsey }
context 'but the certificate is not being updated' do
before do
allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
end
it { is_expected.to be_truthy }
end
end
context 'with no certificate' do
let(:ca_pem) { "" }
it { is_expected.to be_truthy }
end
end
describe 'when using reserved namespaces' do describe 'when using reserved namespaces' do
subject { build(:cluster_platform_kubernetes, namespace: namespace) } subject { build(:cluster_platform_kubernetes, namespace: namespace) }
...@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching ...@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) } let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) } let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
let(:api_url) { 'https://kube.domain.com' } let(:api_url) { 'https://kube.domain.com' }
let(:ca_pem) { 'CA PEM DATA' } let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
subject { kubernetes.predefined_variables(project: cluster.project) } subject { kubernetes.predefined_variables(project: cluster.project) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment