diff --git a/Makefile b/Makefile index 979c03d..984e380 100644 --- a/Makefile +++ b/Makefile @@ -294,6 +294,7 @@ setup-gitea: ## Setup the 2 gitea platforms in the cluster .PHONY: cleanup-gitea cleanup-gitea: ## Cleanup the 2 gitea platforms from the cluster. + rm -rf /tmp/gitea-certs helm uninstall gitea -n jupyter kubectl delete ns jupyter helm uninstall gitea -n saturn diff --git a/internal/interceptor/git_pusher.go b/internal/interceptor/git_pusher.go index ba77d48..43a87b3 100644 --- a/internal/interceptor/git_pusher.go +++ b/internal/interceptor/git_pusher.go @@ -33,7 +33,7 @@ type GitPusher struct { gitToken string operation admissionv1.Operation insecureSkipTlsVerify bool - caBundle string + caBundle []byte } type GitPushResponse struct { @@ -58,8 +58,8 @@ func (gp *GitPusher) Push() (GitPushResponse, error) { InsecureSkipTLS: gp.insecureSkipTlsVerify, Progress: io.MultiWriter(&verboseOutput), } - if gp.caBundle != "" { - cloneOption.CABundle = []byte(gp.caBundle) + if gp.caBundle != nil { + cloneOption.CABundle = gp.caBundle } repo, err := git.Clone(memory.NewStorage(), memfs.New(), cloneOption) if err != nil { @@ -268,8 +268,8 @@ func (gp *GitPusher) pushChanges(repo *git.Repository) error { InsecureSkipTLS: gp.insecureSkipTlsVerify, Progress: io.MultiWriter(&verboseOutput), // Capture verbose output } - if gp.caBundle != "" { - pushOptions.CABundle = []byte(gp.caBundle) + if gp.caBundle != nil { + pushOptions.CABundle = gp.caBundle } err := repo.Push(pushOptions) if err != nil { diff --git a/internal/interceptor/webhook_request_checker.go b/internal/interceptor/webhook_request_checker.go index 61a3e8d..3e89bb4 100644 --- a/internal/interceptor/webhook_request_checker.go +++ b/internal/interceptor/webhook_request_checker.go @@ -47,7 +47,7 @@ type wrcDetails struct { commitHash string gitUser gitUser insecureSkipTlsVerify bool - caBundle string + caBundle []byte pushDetails string // Error @@ -419,18 +419,24 @@ func (wrc *WebhookRequestChecker) convertToYaml(details *wrcDetails) error { func (wrc *WebhookRequestChecker) tlsContructor(details *wrcDetails) error { // Step 1: Search for the global CA Bundle of the server located in the syngit namespace - caBundle, caErr := utils.FindGlobalCABundle(wrc.k8sClient, details.repoHost) + caBundle, caErr := utils.FindGlobalCABundle(wrc.k8sClient, strings.Split(details.repoHost, ":")[0]) if caErr != nil && strings.Contains(caErr.Error(), utils.CaSecretWrongTypeErrorMessage) { + details.messageAddition = caErr.Error() return caErr } // Step 2: Search for a specific CA Bundle located in the current namespace caBundleSecretRef := wrc.remoteSyncer.Spec.CABundleSecretRef - caBundleRsy, caErr := utils.FindCABundle(wrc.k8sClient, caBundleSecretRef.Namespace, caBundleSecretRef.Name) + ns := caBundleSecretRef.Namespace + if ns == "" { + ns = wrc.remoteSyncer.Namespace + } + caBundleRsy, caErr := utils.FindCABundle(wrc.k8sClient, ns, caBundleSecretRef.Name) if caErr != nil { + details.messageAddition = caErr.Error() return caErr } - if caBundleRsy != "" { + if caBundleRsy != nil { caBundle = caBundleRsy } diff --git a/pkg/utils/ca-finder.go b/pkg/utils/ca-finder.go index 99952a6..6d33e09 100644 --- a/pkg/utils/ca-finder.go +++ b/pkg/utils/ca-finder.go @@ -12,13 +12,13 @@ import ( const CaSecretWrongTypeErrorMessage = "the CA bundle secret must be of type \"kubernetes.io/ts\"" -func FindGlobalCABundle(client client.Client, host string) (string, error) { - return FindCABundle(client, os.Getenv("MANAGER_NAMESPACE"), host+"-ca-bundle") +func FindGlobalCABundle(client client.Client, host string) ([]byte, error) { + return FindCABundle(client, os.Getenv("MANAGER_NAMESPACE"), host+"-ca-cert") } -func FindCABundle(client client.Client, namespace string, name string) (string, error) { +func FindCABundle(client client.Client, namespace string, name string) ([]byte, error) { if name == "" { - return "", nil + return nil, nil } ctx := context.Background() @@ -27,10 +27,10 @@ func FindCABundle(client client.Client, namespace string, name string) (string, err := client.Get(ctx, globalNamespacedName, caBundleSecret) if err != nil { - return "", err + return nil, err } if caBundleSecret.Type != "kubernetes.io/tls" { - return "", errors.New(CaSecretWrongTypeErrorMessage) + return nil, errors.New(CaSecretWrongTypeErrorMessage) } - return caBundleSecret.StringData["tls.crt"], nil + return caBundleSecret.Data["tls.crt"], nil } diff --git a/test/e2e/syngit/02_commitonly_cm_test.go b/test/e2e/syngit/02_commitonly_cm_test.go index 2829888..0a14e79 100755 --- a/test/e2e/syngit/02_commitonly_cm_test.go +++ b/test/e2e/syngit/02_commitonly_cm_test.go @@ -68,7 +68,7 @@ var _ = Describe("02 CommitOnly a ConfigMap", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -76,6 +76,7 @@ var _ = Describe("02 CommitOnly a ConfigMap", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBlockAppliedMessage: defaultDeniedMessage, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, diff --git a/test/e2e/syngit/03_commitapply_cm_test.go b/test/e2e/syngit/03_commitapply_cm_test.go index f370097..f769695 100755 --- a/test/e2e/syngit/03_commitapply_cm_test.go +++ b/test/e2e/syngit/03_commitapply_cm_test.go @@ -67,7 +67,7 @@ var _ = Describe("03 CommitApply a ConfigMap", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -75,6 +75,7 @@ var _ = Describe("03 CommitApply a ConfigMap", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, diff --git a/test/e2e/syngit/04_excludedfields_test.go b/test/e2e/syngit/04_excludedfields_test.go index d80f05a..654f1ad 100755 --- a/test/e2e/syngit/04_excludedfields_test.go +++ b/test/e2e/syngit/04_excludedfields_test.go @@ -18,7 +18,6 @@ package e2e_syngit import ( "context" - "fmt" "strings" . "github.com/onsi/ginkgo/v2" @@ -70,7 +69,7 @@ var _ = Describe("04 Create RemoteSyncer with excluded fields", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -78,6 +77,7 @@ var _ = Describe("04 Create RemoteSyncer with excluded fields", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBlockAppliedMessage: defaultDeniedMessage, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, @@ -134,7 +134,6 @@ var _ = Describe("04 Create RemoteSyncer with excluded fields", func() { cm, metav1.CreateOptions{}, ) - fmt.Println(err) return err != nil && strings.Contains(err.Error(), defaultDeniedMessage) }, timeout, interval).Should(BeTrue()) @@ -215,7 +214,7 @@ var _ = Describe("04 Create RemoteSyncer with excluded fields", func() { ) Expect(err).ToNot(HaveOccurred()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -223,6 +222,7 @@ var _ = Describe("04 Create RemoteSyncer with excluded fields", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBlockAppliedMessage: defaultDeniedMessage, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, diff --git a/test/e2e/syngit/05_defaultuser_test.go b/test/e2e/syngit/05_defaultuser_test.go index f1306db..6b4f731 100644 --- a/test/e2e/syngit/05_defaultuser_test.go +++ b/test/e2e/syngit/05_defaultuser_test.go @@ -87,7 +87,7 @@ var _ = Describe("05 Use a default user", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/green.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/green.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -95,6 +95,7 @@ var _ = Describe("05 Use a default user", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.UseDefaultUser, ExcludedFields: []string{".metadata.uid"}, diff --git a/test/e2e/syngit/06_objects_lifecycle_test.go b/test/e2e/syngit/06_objects_lifecycle_test.go index 48190fc..0f0441d 100644 --- a/test/e2e/syngit/06_objects_lifecycle_test.go +++ b/test/e2e/syngit/06_objects_lifecycle_test.go @@ -33,11 +33,10 @@ import ( var _ = Describe("06 Test objects lifecycle", func() { const ( - remoteUserLuffyName = "remoteuser-luffy" - remoteUserLuffyJupyterName = "remoteuser-luffy" - remoteUserLuffySaturnName = "remoteuser-luffy-saturn" - remotesyncerValidationWebhookName = "remotesyncer.syngit.io" - remoteSyncerName = "remotesyncer-test6" + remoteUserLuffyName = "remoteuser-luffy" + remoteUserLuffyJupyterName = "remoteuser-luffy" + remoteUserLuffySaturnName = "remoteuser-luffy-saturn" + remoteSyncerName = "remotesyncer-test6" ) It("should properly manage the RemoteUserBinding associated webhooks", func() { @@ -185,7 +184,7 @@ var _ = Describe("06 Test objects lifecycle", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -193,6 +192,7 @@ var _ = Describe("06 Test objects lifecycle", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, @@ -222,7 +222,7 @@ var _ = Describe("06 Test objects lifecycle", func() { By("checking that the ValidationWebhhok scopes sts") Wait3() nnValidation := types.NamespacedName{ - Name: remotesyncerValidationWebhookName, + Name: dynamicWebhookName, } getValidation := &admissionv1.ValidatingWebhookConfiguration{} diff --git a/test/e2e/syngit/07_bypass_subject_test.go b/test/e2e/syngit/07_bypass_subject_test.go index 434ded9..b22c26f 100644 --- a/test/e2e/syngit/07_bypass_subject_test.go +++ b/test/e2e/syngit/07_bypass_subject_test.go @@ -71,7 +71,7 @@ var _ = Describe("07 Subject bypasses interception", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -79,6 +79,7 @@ var _ = Describe("07 Subject bypasses interception", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, BypassInterceptionSubjects: []v1.Subject{{ @@ -184,7 +185,7 @@ var _ = Describe("07 Subject bypasses interception", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -192,6 +193,7 @@ var _ = Describe("07 Subject bypasses interception", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, BypassInterceptionSubjects: []v1.Subject{{ diff --git a/test/e2e/syngit/08_webhook_rbac_test.go b/test/e2e/syngit/08_webhook_rbac_test.go index 7bc9ff4..8cebc3c 100644 --- a/test/e2e/syngit/08_webhook_rbac_test.go +++ b/test/e2e/syngit/08_webhook_rbac_test.go @@ -71,7 +71,7 @@ var _ = Describe("08 Webhook rbac checker", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer for ConfigMaps") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -79,6 +79,7 @@ var _ = Describe("08 Webhook rbac checker", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, @@ -177,7 +178,7 @@ var _ = Describe("08 Webhook rbac checker", func() { return err == nil }, timeout, interval).Should(BeTrue()) - repoUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + repoUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating a wrong RemoteSyncer for Secrets") remotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -185,6 +186,7 @@ var _ = Describe("08 Webhook rbac checker", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, @@ -219,6 +221,7 @@ var _ = Describe("08 Webhook rbac checker", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, diff --git a/test/e2e/syngit/09_multi_remotesyncer_test.go b/test/e2e/syngit/09_multi_remotesyncer_test.go index e9570dd..ed678d3 100644 --- a/test/e2e/syngit/09_multi_remotesyncer_test.go +++ b/test/e2e/syngit/09_multi_remotesyncer_test.go @@ -71,7 +71,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { return err == nil }, timeout, interval).Should(BeTrue()) - blueUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + blueUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer for the blue repo") blueRemotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -79,6 +79,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, @@ -103,7 +104,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { err = sClient.As(Luffy).CreateOrUpdate(blueRemotesyncer) Expect(err).ToNot(HaveOccurred()) - greenUrl := "http://" + gitP1Fqdn + "/syngituser/green.git" + greenUrl := "https://" + gitP1Fqdn + "/syngituser/green.git" By("creating the RemoteSyncer for the green repo") greenRemotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -111,6 +112,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, @@ -217,7 +219,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { return err == nil }, timeout, interval).Should(BeTrue()) - blueUrl := "http://" + gitP1Fqdn + "/syngituser/blue.git" + blueUrl := "https://" + gitP1Fqdn + "/syngituser/blue.git" By("creating the RemoteSyncer for the blue repo") blueRemotesyncer := &syngit.RemoteSyncer{ ObjectMeta: metav1.ObjectMeta{ @@ -225,6 +227,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, @@ -256,6 +259,7 @@ var _ = Describe("09 Multi RemoteSyncer test", func() { Namespace: namespace, }, Spec: syngit.RemoteSyncerSpec{ + InsecureSkipTlsVerify: true, DefaultBranch: "main", DefaultUnauthorizedUserMode: syngit.Block, ExcludedFields: []string{".metadata.uid"}, diff --git a/test/e2e/syngit/13_tls_test.go b/test/e2e/syngit/13_tls_test.go new file mode 100644 index 0000000..8b32489 --- /dev/null +++ b/test/e2e/syngit/13_tls_test.go @@ -0,0 +1,529 @@ +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package e2e_syngit + +import ( + "context" + "os" + "strings" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + syngit "github.com/syngit-org/syngit/pkg/api/v1beta2" + . "github.com/syngit-org/syngit/test/utils" + admissionv1 "k8s.io/api/admissionregistration/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/kubernetes/scheme" +) + +var _ = Describe("13 TLS insecure & custom CA bundle test", func() { + ctx := context.TODO() + + const ( + cmName1 = "test-cm13.1" + cmName2 = "test-cm13.2" + cmName3 = "test-cm13.3" + cmName4 = "test-cm13.4" + cmName5 = "test-cm13.5" + remoteUserLuffyName = "remoteuser-luffy" + remoteSyncerName1 = "remotesyncer-test13.1" + remoteSyncerName2 = "remotesyncer-test13.2" + remoteSyncerName3 = "remotesyncer-test13.3" + remoteSyncerName4 = "remotesyncer-test13.4" + remoteSyncerName5 = "remotesyncer-test13.5" + secretCa1 = "custom-cabundle1" + secretCa2 = "custom-cabundle2" + ) + + It("should interact with gitea using the user CA bundle", func() { + By("adding syngit to scheme") + err := syngit.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + caBundleFile, err := os.ReadFile(os.Getenv("GITEA_TEMP_CERT_DIR") + "/ca.crt") + By("creating the ca bundle secret in the same namespace") + secretCreds := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secretCa1, + Namespace: namespace, + }, + Data: map[string][]byte{ + "tls.crt": caBundleFile, + "tls.key": {}, + }, + Type: "kubernetes.io/tls", + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().Secrets(namespace).Create(ctx, + secretCreds, + metav1.CreateOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating the RemoteUser & RemoteUserBinding for Luffy") + luffySecretName := string(Luffy) + "-creds" + remoteUserLuffy := &syngit.RemoteUser{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteUserLuffyName, + Namespace: namespace, + Annotations: map[string]string{ + syngit.RubAnnotation: "true", + }, + }, + Spec: syngit.RemoteUserSpec{ + Email: "sample@email.com", + GitBaseDomainFQDN: gitP1Fqdn, + SecretRef: corev1.SecretReference{ + Name: luffySecretName, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Luffy).CreateOrUpdate(remoteUserLuffy) + return err == nil + }, timeout, interval).Should(BeTrue()) + + repoUrl := "https://" + gitP1Fqdn + "/syngituser/green.git" + By("creating the RemoteSyncer") + remotesyncer := &syngit.RemoteSyncer{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteSyncerName2, + Namespace: namespace, + }, + Spec: syngit.RemoteSyncerSpec{ + CABundleSecretRef: corev1.SecretReference{ + Name: secretCa1, + }, + DefaultBranch: "main", + DefaultUnauthorizedUserMode: syngit.Block, + ExcludedFields: []string{".metadata.uid"}, + ProcessMode: syngit.CommitApply, + PushMode: syngit.SameBranch, + RemoteRepository: repoUrl, + ScopedResources: syngit.ScopedResources{ + Rules: []admissionv1.RuleWithOperations{{ + Operations: []admissionv1.OperationType{ + admissionv1.Create, + }, + Rule: admissionv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"configmaps"}, + }, + }, + }, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Sanji).CreateOrUpdate(remotesyncer) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating a test configmap") + Wait3() + cm := &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + Kind: "ConfigMap", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{Name: cmName2, Namespace: namespace}, + Data: map[string]string{"test": "oui"}, + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().ConfigMaps(namespace).Create(ctx, + cm, + metav1.CreateOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("checking if the configmap is present on the repo") + Wait3() + repo := &Repo{ + Fqdn: gitP1Fqdn, + Owner: "syngituser", + Name: "green", + } + exists, err := IsObjectInRepo(*repo, cm) + Expect(err).ToNot(HaveOccurred()) + Expect(exists).To(BeTrue()) + + By("checking that the configmap is present on the cluster") + nnCm := types.NamespacedName{ + Name: cmName2, + Namespace: namespace, + } + getCm := &corev1.ConfigMap{} + + Eventually(func() bool { + err := sClient.As(Luffy).Get(nnCm, getCm) + return err == nil + }, timeout, interval).Should(BeTrue()) + + }) + + It("should interact with gitea using the user CA bundle in the same namespace", func() { + By("adding syngit to scheme") + err := syngit.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + caBundleFile, err := os.ReadFile(os.Getenv("GITEA_TEMP_CERT_DIR") + "/ca.crt") + By("creating the ca bundle secret in the same namespace") + secretCreds := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: secretCa2, + Namespace: namespace, + }, + Data: map[string][]byte{ + "tls.crt": caBundleFile, + "tls.key": {}, + }, + Type: "kubernetes.io/tls", + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().Secrets(namespace).Create(ctx, + secretCreds, + metav1.CreateOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating the RemoteUser & RemoteUserBinding for Luffy") + luffySecretName := string(Luffy) + "-creds" + remoteUserLuffy := &syngit.RemoteUser{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteUserLuffyName, + Namespace: namespace, + Annotations: map[string]string{ + syngit.RubAnnotation: "true", + }, + }, + Spec: syngit.RemoteUserSpec{ + Email: "sample@email.com", + GitBaseDomainFQDN: gitP1Fqdn, + SecretRef: corev1.SecretReference{ + Name: luffySecretName, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Luffy).CreateOrUpdate(remoteUserLuffy) + return err == nil + }, timeout, interval).Should(BeTrue()) + + repoUrl := "https://" + gitP1Fqdn + "/syngituser/green.git" + By("creating the RemoteSyncer") + remotesyncer := &syngit.RemoteSyncer{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteSyncerName3, + Namespace: namespace, + }, + Spec: syngit.RemoteSyncerSpec{ + CABundleSecretRef: corev1.SecretReference{ + Name: secretCa2, + Namespace: namespace, + }, + DefaultBranch: "main", + DefaultUnauthorizedUserMode: syngit.Block, + ExcludedFields: []string{".metadata.uid"}, + ProcessMode: syngit.CommitApply, + PushMode: syngit.SameBranch, + RemoteRepository: repoUrl, + ScopedResources: syngit.ScopedResources{ + Rules: []admissionv1.RuleWithOperations{{ + Operations: []admissionv1.OperationType{ + admissionv1.Create, + }, + Rule: admissionv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"configmaps"}, + }, + }, + }, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Sanji).CreateOrUpdate(remotesyncer) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating a test configmap") + Wait3() + cm := &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + Kind: "ConfigMap", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{Name: cmName3, Namespace: namespace}, + Data: map[string]string{"test": "oui"}, + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().ConfigMaps(namespace).Create(ctx, + cm, + metav1.CreateOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("checking if the configmap is present on the repo") + Wait3() + repo := &Repo{ + Fqdn: gitP1Fqdn, + Owner: "syngituser", + Name: "green", + } + exists, err := IsObjectInRepo(*repo, cm) + Expect(err).ToNot(HaveOccurred()) + Expect(exists).To(BeTrue()) + + By("checking that the configmap is present on the cluster") + nnCm := types.NamespacedName{ + Name: cmName3, + Namespace: namespace, + } + getCm := &corev1.ConfigMap{} + + Eventually(func() bool { + err := sClient.As(Luffy).Get(nnCm, getCm) + return err == nil + }, timeout, interval).Should(BeTrue()) + + }) + + It("should interact with gitea using the user CA bundle of the operator namespace", func() { + By("adding syngit to scheme") + err := syngit.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + caBundleFile, err := os.ReadFile(os.Getenv("GITEA_TEMP_CERT_DIR") + "/ca.crt") + By("creating the ca bundle secret in the same namespace using the host as name") + caBundleName := strings.Split(gitP1Fqdn, ":")[0] + "-ca-cert" + secretCreds := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: caBundleName, + Namespace: operatorNamespace, + }, + Data: map[string][]byte{ + "tls.crt": caBundleFile, + "tls.key": {}, + }, + Type: "kubernetes.io/tls", + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().Secrets(operatorNamespace).Create(ctx, + secretCreds, + metav1.CreateOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating the RemoteUser & RemoteUserBinding for Luffy") + luffySecretName := string(Luffy) + "-creds" + remoteUserLuffy := &syngit.RemoteUser{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteUserLuffyName, + Namespace: namespace, + Annotations: map[string]string{ + syngit.RubAnnotation: "true", + }, + }, + Spec: syngit.RemoteUserSpec{ + Email: "sample@email.com", + GitBaseDomainFQDN: gitP1Fqdn, + SecretRef: corev1.SecretReference{ + Name: luffySecretName, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Luffy).CreateOrUpdate(remoteUserLuffy) + return err == nil + }, timeout, interval).Should(BeTrue()) + + repoUrl := "https://" + gitP1Fqdn + "/syngituser/green.git" + By("creating the RemoteSyncer") + remotesyncer := &syngit.RemoteSyncer{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteSyncerName4, + Namespace: namespace, + }, + Spec: syngit.RemoteSyncerSpec{ + DefaultBranch: "main", + DefaultUnauthorizedUserMode: syngit.Block, + ExcludedFields: []string{".metadata.uid"}, + ProcessMode: syngit.CommitApply, + PushMode: syngit.SameBranch, + RemoteRepository: repoUrl, + ScopedResources: syngit.ScopedResources{ + Rules: []admissionv1.RuleWithOperations{{ + Operations: []admissionv1.OperationType{ + admissionv1.Create, + }, + Rule: admissionv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"configmaps"}, + }, + }, + }, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Sanji).CreateOrUpdate(remotesyncer) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating a test configmap") + Wait3() + cm := &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + Kind: "ConfigMap", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{Name: cmName4, Namespace: namespace}, + Data: map[string]string{"test": "oui"}, + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().ConfigMaps(namespace).Create(ctx, + cm, + metav1.CreateOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("checking if the configmap is present on the repo") + Wait3() + repo := &Repo{ + Fqdn: gitP1Fqdn, + Owner: "syngituser", + Name: "green", + } + exists, err := IsObjectInRepo(*repo, cm) + Expect(err).ToNot(HaveOccurred()) + Expect(exists).To(BeTrue()) + + By("checking that the configmap is present on the cluster") + nnCm := types.NamespacedName{ + Name: cmName4, + Namespace: namespace, + } + getCm := &corev1.ConfigMap{} + + Eventually(func() bool { + err := sClient.As(Luffy).Get(nnCm, getCm) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("deleting the ca bundle secret in the same namespace using the host as name") + Eventually(func() bool { + err = sClient.KAs(Luffy).CoreV1().Secrets(operatorNamespace).Delete(ctx, + caBundleName, + metav1.DeleteOptions{}, + ) + return err == nil + }, timeout, interval).Should(BeTrue()) + }) + + It("should get a x509 error ", func() { + By("adding syngit to scheme") + err := syngit.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + By("creating the RemoteUser & RemoteUserBinding for Luffy") + luffySecretName := string(Luffy) + "-creds" + remoteUserLuffy := &syngit.RemoteUser{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteUserLuffyName, + Namespace: namespace, + Annotations: map[string]string{ + syngit.RubAnnotation: "true", + }, + }, + Spec: syngit.RemoteUserSpec{ + Email: "sample@email.com", + GitBaseDomainFQDN: gitP1Fqdn, + SecretRef: corev1.SecretReference{ + Name: luffySecretName, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Luffy).CreateOrUpdate(remoteUserLuffy) + return err == nil + }, timeout, interval).Should(BeTrue()) + + repoUrl := "https://" + gitP1Fqdn + "/syngituser/green.git" + By("creating the RemoteSyncer") + remotesyncer := &syngit.RemoteSyncer{ + ObjectMeta: metav1.ObjectMeta{ + Name: remoteSyncerName5, + Namespace: namespace, + }, + Spec: syngit.RemoteSyncerSpec{ + DefaultBranch: "main", + DefaultUnauthorizedUserMode: syngit.Block, + ExcludedFields: []string{".metadata.uid"}, + ProcessMode: syngit.CommitApply, + PushMode: syngit.SameBranch, + RemoteRepository: repoUrl, + ScopedResources: syngit.ScopedResources{ + Rules: []admissionv1.RuleWithOperations{{ + Operations: []admissionv1.OperationType{ + admissionv1.Create, + }, + Rule: admissionv1.Rule{ + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + Resources: []string{"configmaps"}, + }, + }, + }, + }, + }, + } + Eventually(func() bool { + err := sClient.As(Sanji).CreateOrUpdate(remotesyncer) + return err == nil + }, timeout, interval).Should(BeTrue()) + + By("creating a test configmap") + Wait3() + cm := &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + Kind: "ConfigMap", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{Name: cmName5, Namespace: namespace}, + Data: map[string]string{"test": "oui"}, + } + Eventually(func() bool { + _, err = sClient.KAs(Luffy).CoreV1().ConfigMaps(namespace).Create(ctx, + cm, + metav1.CreateOptions{}, + ) + return err != nil && strings.Contains(err.Error(), x509ErrorMessage) + }, timeout, interval).Should(BeTrue()) + + }) +}) diff --git a/test/e2e/syngit/e2e_suite_test.go b/test/e2e/syngit/e2e_suite_test.go index 2806926..324cdee 100644 --- a/test/e2e/syngit/e2e_suite_test.go +++ b/test/e2e/syngit/e2e_suite_test.go @@ -66,6 +66,7 @@ const ( rsPermissionsDeniedMessage = "is not allowed to scope" ruPermissionsDeniedMessage = "is not allowed to get the secret" rubPermissionsDeniedMessage = "is not allowed to get the referenced remoteuser" + x509ErrorMessage = "x509: certificate signed by unknown authority" ) // CMD & CLIENT @@ -82,6 +83,9 @@ var clusterAlreadyExistsBefore = false // RBAC const reducedPermissionsCRName = "secret-rs-ru-cluster-role" +// Dynamic webhook name +const dynamicWebhookName = "syngit-dynamic-remotesyncer-webhook" + // MANAGER var k8sManager ctrl.Manager var cfg *rest.Config @@ -131,8 +135,9 @@ func setupGitea() { // setupManager creates the manager and the webhooks for the tests. func setupManager() { - os.Setenv("MANAGER_NAMESPACE", "syngit") - os.Setenv("DYNAMIC_WEBHOOK_NAME", "remotesyncer.syngit.io") + os.Setenv("MANAGER_NAMESPACE", operatorNamespace) + os.Setenv("DYNAMIC_WEBHOOK_NAME", dynamicWebhookName) + os.Setenv("GITEA_TEMP_CERT_DIR", "/tmp/gitea-certs") By("bootstrapping test environment") testEnv = &envtest.Environment{ @@ -353,8 +358,15 @@ func rbacSetup(ctx context.Context) { // namespaceSetup creates the test namespace and the secrets for the users to connect to the gitea platforms. func namespaceSetup(ctx context.Context) { - By("creating the test namespace") + By("creating the syngit namespace") _, err := sClient.KAs(Admin).CoreV1().Namespaces().Create(ctx, + &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: operatorNamespace}}, + metav1.CreateOptions{}, + ) + Expect(err).NotTo(HaveOccurred()) + + By("creating the test namespace") + _, err = sClient.KAs(Admin).CoreV1().Namespaces().Create(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}}, metav1.CreateOptions{}, ) @@ -470,6 +482,7 @@ var _ = AfterSuite(func() { if setupType == "full" { uninstallSetup() } + }) var _ = AfterEach(func() { diff --git a/test/utils/.env b/test/utils/.env index fb37ff1..eef4cee 100644 --- a/test/utils/.env +++ b/test/utils/.env @@ -15,4 +15,6 @@ BROOK_USERNAME="brook-jbg-sb" PLATFORM1="jupyter" PLATFORM2="saturn" REPO1="blue" -REPO2="green" \ No newline at end of file +REPO2="green" + +GITEA_TEMP_CERT_DIR="/tmp/gitea-certs" \ No newline at end of file diff --git a/test/utils/gitea.go b/test/utils/gitea.go index 9a3b500..dd677ae 100644 --- a/test/utils/gitea.go +++ b/test/utils/gitea.go @@ -18,6 +18,7 @@ package utils import ( "bytes" + "crypto/tls" "encoding/base64" "encoding/json" "errors" @@ -70,7 +71,7 @@ func getAdminToken(baseFqdn string) (string, error) { username = "syngituser" password = "syngit_password" ) - url := fmt.Sprintf("http://%s/api/v1/users/%s/tokens", baseFqdn, username) + url := fmt.Sprintf("https://%s/api/v1/users/%s/tokens", baseFqdn, username) // Prepare the request payload tokenName := "admin-e2e-token" @@ -93,8 +94,15 @@ func getAdminToken(baseFqdn string) (string, error) { req.SetBasicAuth(username, password) req.Header.Set("Content-Type", "application/json") + // Skip Tls verify + tr := &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, // Skip TLS verification + }, + } + // Send the request - client := &http.Client{} + client := &http.Client{Transport: tr} resp, err := client.Do(req) if err != nil { return "", err @@ -124,7 +132,7 @@ func getAdminToken(baseFqdn string) (string, error) { // GetRepoTree fetches the full tree of the specified repository. func getTree(repoFqdn string, repoOwner string, repoName string, sha string) ([]Tree, error) { - url := fmt.Sprintf("http://%s/api/v1/repos/%s/%s/git/trees/%s", repoFqdn, repoOwner, repoName, sha) + url := fmt.Sprintf("https://%s/api/v1/repos/%s/%s/git/trees/%s", repoFqdn, repoOwner, repoName, sha) req, err := http.NewRequest("GET", url, nil) if err != nil { return nil, fmt.Errorf("failed to create HTTP request: %w", err) @@ -137,7 +145,14 @@ func getTree(repoFqdn string, repoOwner string, repoName string, sha string) ([] } req.Header.Add("Authorization", "token "+token) - client := &http.Client{} + // Skip Tls verify + tr := &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, // Skip TLS verification + }, + } + + client := &http.Client{Transport: tr} resp, err := client.Do(req) if err != nil { return nil, fmt.Errorf("HTTP GET failed: %w", err) @@ -274,8 +289,15 @@ type responseStruct struct { // fetchFileContent fetches the content of a file from the given URL. func fetchFileContent(url string) ([]byte, error) { + // Skip Tls verify + tr := &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, // Skip TLS verification + }, + } + // Create an HTTP client - client := &http.Client{} + client := &http.Client{Transport: tr} // Create a new HTTP GET request req, err := http.NewRequest("GET", url, nil) diff --git a/test/utils/gitea/add-collaborator.sh b/test/utils/gitea/add-collaborator.sh index 87fc41a..c8a403d 100755 --- a/test/utils/gitea/add-collaborator.sh +++ b/test/utils/gitea/add-collaborator.sh @@ -21,7 +21,7 @@ EOF ) # API request to add the user as a collaborator -response=$(curl -s -o /dev/null -w "%{http_code}" -X PUT \ +response=$(curl -s -o /dev/null -w "%{http_code}" -X PUT -k \ -H "Content-Type: application/json" \ -H "Authorization: token $ADMIN_TOKEN" \ -d "$JSON_PAYLOAD" \ diff --git a/test/utils/gitea/gitea-gen-cert.sh b/test/utils/gitea/gitea-gen-cert.sh new file mode 100755 index 0000000..c98700c --- /dev/null +++ b/test/utils/gitea/gitea-gen-cert.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +mkdir -p $GITEA_TEMP_CERT_DIR + +openssl genrsa -out $GITEA_TEMP_CERT_DIR/ca.key 2048 +openssl req -x509 -new -nodes -key $GITEA_TEMP_CERT_DIR/ca.key -sha256 -days 365 \ + -out $GITEA_TEMP_CERT_DIR/ca.crt -subj "/CN=Gitea Root CA" + +openssl genrsa -out $GITEA_TEMP_CERT_DIR/tls.key 2048 +openssl req -new -key $GITEA_TEMP_CERT_DIR/tls.key -out $GITEA_TEMP_CERT_DIR/gitea.csr -subj "/CN=$1" +openssl x509 -req -in $GITEA_TEMP_CERT_DIR/gitea.csr \ + -CA $GITEA_TEMP_CERT_DIR/ca.crt -CAkey $GITEA_TEMP_CERT_DIR/ca.key -CAcreateserial \ + -out $GITEA_TEMP_CERT_DIR/tls.crt -days 365 -sha256 -extfile <(printf "subjectAltName=IP:$1") + +kubectl create secret tls gitea-tls-secret --cert=$GITEA_TEMP_CERT_DIR/tls.crt --key=$GITEA_TEMP_CERT_DIR/tls.key -n $PLATFORM1 +kubectl create secret tls gitea-tls-secret --cert=$GITEA_TEMP_CERT_DIR/tls.crt --key=$GITEA_TEMP_CERT_DIR/tls.key -n $PLATFORM2 diff --git a/test/utils/gitea/helm-values-jupyter.yaml b/test/utils/gitea/helm-values-jupyter.yaml index 2836e82..3926699 100755 --- a/test/utils/gitea/helm-values-jupyter.yaml +++ b/test/utils/gitea/helm-values-jupyter.yaml @@ -13,6 +13,10 @@ persistence: # Set Gitea to use SQLite (already default in Gitea, but you can explicitly specify it) gitea: config: + server: + PROTOCOL: https + CERT_FILE: /data/tls/tls.crt + KEY_FILE: /data/tls/tls.key database: DB_TYPE: sqlite3 session: @@ -22,6 +26,16 @@ gitea: queue: TYPE: level +extraVolumes: + - name: gitea-tls + secret: + secretName: gitea-tls-secret + +extraVolumeMounts: + - name: gitea-tls + mountPath: /data/tls + readOnly: true + # Set service type to NodePort (optional, as per your previous script) service: http: diff --git a/test/utils/gitea/helm-values-saturn.yaml b/test/utils/gitea/helm-values-saturn.yaml index aac48a4..61c542a 100755 --- a/test/utils/gitea/helm-values-saturn.yaml +++ b/test/utils/gitea/helm-values-saturn.yaml @@ -13,6 +13,10 @@ persistence: # Set Gitea to use SQLite (already default in Gitea, but you can explicitly specify it) gitea: config: + server: + PROTOCOL: https + CERT_FILE: /data/tls/tls.crt + KEY_FILE: /data/tls/tls.key database: DB_TYPE: sqlite3 session: @@ -22,6 +26,16 @@ gitea: queue: TYPE: level +extraVolumes: + - name: gitea-tls + secret: + secretName: gitea-tls-secret + +extraVolumeMounts: + - name: gitea-tls + mountPath: /data/tls + readOnly: true + # Set service type to NodePort (optional, as per your previous script) service: http: diff --git a/test/utils/gitea/launch-gitea-setup.sh b/test/utils/gitea/launch-gitea-setup.sh index 10de9d0..91fbadd 100755 --- a/test/utils/gitea/launch-gitea-setup.sh +++ b/test/utils/gitea/launch-gitea-setup.sh @@ -10,6 +10,13 @@ export PREFIXED_PATH=./test/utils/gitea helm repo add gitea-charts https://dl.gitea.io/charts/ > /dev/null helm repo update > /dev/null +kubectl create ns $PLATFORM1 +kubectl create ns $PLATFORM2 + +# Generate certs +NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}') +$PREFIXED_PATH/gitea-gen-cert.sh $NODE_IP + export NAMESPACE="$PLATFORM1" export VALUES_FILE="$PREFIXED_PATH/helm-values-$PLATFORM1.yaml" $PREFIXED_PATH/setup-gitea-install.sh diff --git a/test/utils/gitea/setup-gitea-bind-platform1.sh b/test/utils/gitea/setup-gitea-bind-platform1.sh index 5ed068d..2be288b 100755 --- a/test/utils/gitea/setup-gitea-bind-platform1.sh +++ b/test/utils/gitea/setup-gitea-bind-platform1.sh @@ -4,7 +4,7 @@ SERVICE_PORT=$(kubectl get svc $SERVICE_NAME -n $NAMESPACE -o jsonpath="{.spec.p NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[?(@.type=='InternalIP')].address}") # Formulate the Gitea URL for API access -GITEA_URL="http://$NODE_IP:$SERVICE_PORT" +GITEA_URL="https://$NODE_IP:$SERVICE_PORT" POD_NAME=$(kubectl get pods -n $NAMESPACE -l app.kubernetes.io/name=gitea -o jsonpath="{.items[0].metadata.name}") TOKEN_RESPONSE=$(kubectl exec -i $POD_NAME -n $NAMESPACE -- gitea admin user generate-access-token \ diff --git a/test/utils/gitea/setup-gitea-bind-platform2.sh b/test/utils/gitea/setup-gitea-bind-platform2.sh index e4885b2..20ce46f 100755 --- a/test/utils/gitea/setup-gitea-bind-platform2.sh +++ b/test/utils/gitea/setup-gitea-bind-platform2.sh @@ -5,7 +5,7 @@ SERVICE_PORT=$(kubectl get svc $SERVICE_NAME -n $NAMESPACE -o jsonpath="{.spec.p NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[?(@.type=='InternalIP')].address}") # Formulate the Gitea URL for API access -GITEA_URL="http://$NODE_IP:$SERVICE_PORT" +GITEA_URL="https://$NODE_IP:$SERVICE_PORT" POD_NAME=$(kubectl get pods -n $NAMESPACE -l app.kubernetes.io/name=gitea -o jsonpath="{.items[0].metadata.name}") TOKEN_RESPONSE=$(kubectl exec -i $POD_NAME -n $NAMESPACE -- gitea admin user generate-access-token \ diff --git a/test/utils/gitea/setup-gitea-repos.sh b/test/utils/gitea/setup-gitea-repos.sh index 29c57f6..7b03561 100755 --- a/test/utils/gitea/setup-gitea-repos.sh +++ b/test/utils/gitea/setup-gitea-repos.sh @@ -5,7 +5,7 @@ SERVICE_PORT=$(kubectl get svc $SERVICE_NAME -n $NAMESPACE -o jsonpath="{.spec.p NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[?(@.type=='InternalIP')].address}") # Formulate the Gitea URL for API access -GITEA_URL="http://$NODE_IP:$SERVICE_PORT" +GITEA_URL="https://$NODE_IP:$SERVICE_PORT" # Create an admin user using Gitea CLI inside the Gitea pod POD_NAME=$(kubectl get pods -n $NAMESPACE -l app.kubernetes.io/name=gitea -o jsonpath="{.items[0].metadata.name}") @@ -48,7 +48,7 @@ EOF ) # Make the API call to create the repository -response=$(curl -s -o /dev/null -w "%{http_code}" -X POST \ +response=$(curl -s -o /dev/null -w "%{http_code}" -X POST -k \ -H "Content-Type: application/json" \ -d "$JSON_PAYLOAD" \ "$CREATE_REPO_ENDPOINT?access_token=$GIT_TOKEN") @@ -76,7 +76,7 @@ EOF ) # Make the API call to create the repository -response=$(curl -s -o /dev/null -w "%{http_code}" -X POST \ +response=$(curl -s -o /dev/null -w "%{http_code}" -X POST -k \ -H "Content-Type: application/json" \ -d "$JSON_PAYLOAD" \ "$CREATE_REPO_ENDPOINT?access_token=$GIT_TOKEN")