Documentation
¶
Overview ¶
Package certs contains certificate rotation and expiration tests.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CertAutoRotationSpec ¶
func CertAutoRotationSpec()
CertAutoRotationSpec registers tests that verify automatic certificate rotation when leaf certs are near expiry. These tests are Ordered because they form a lifecycle: record state -> inject expiring cert -> restart -> verify.
Must be called inside a Describe that has cluster.Use() for the vcluster and host cluster.
func CertTestsSpec ¶
func CertTestsSpec()
CertTestsSpec registers all cert rotation, expiration, and kubeconfig TLS tests in a single Ordered Describe. They MUST run sequentially because:
- All three operate on the same vCluster and do destructive cert rotations
- CertExpiration uses os.Setenv(VCLUSTER_CERTS_VALIDITYPERIOD) which is process-global - running in parallel would poison other cert operations
- Each section's reconnect establishes the proxy for the next section
Lifecycle: rotation (leaf -> CA with fingerprint verification) -> expiration (1s CA -> wait expire -> recover) -> kubeconfig TLS (baseline -> leaf rotate -> CA rotate -> verify old TLS fails)
func HACertRotationSpec ¶
func HACertRotationSpec()
HACertRotationSpec verifies that HA cert rotation is coordinated via a Lease so that replicas don't all restart simultaneously.
This test uses a 2-replica vcluster with short-lived certs (3m) and a short watcher check interval (15s). After pods are running, we write an expiring cert directly to disk inside each pod (bypassing the startup EnsureCerts check). The watcher detects the expiring cert on its next check and the first replica to acquire the rotation lease performs the rotation.
Must be called inside a Describe that has cluster.Use() for the vcluster and host cluster.
func ServingCertRotationSpec ¶
func ServingCertRotationSpec()
ServingCertRotationSpec verifies that the API server serving certificate syncer correctly regenerates the cert at runtime when it approaches expiry. This test requires a vcluster deployed with DEVELOPMENT=true and VCLUSTER_CERTS_VALIDITYPERIOD=3m so the serving cert has a short lifetime.
The syncer polls every 2 seconds and regenerates the cert when IsCertExpired returns true (<=90 days to expiry). With a 3-minute cert, this fires on every poll cycle. We verify regeneration by recording the cert serial via TLS handshake, waiting briefly, then verifying the serial changed — proving the syncer actually regenerated and applied a new serving cert.
Must be called inside a Describe that has cluster.Use() for the vcluster and host cluster.
func SingleReplicaWatcherSpec ¶
func SingleReplicaWatcherSpec()
SingleReplicaWatcherSpec verifies that the cert watcher works correctly in a single-replica deployment where no lease coordination is needed. This is the default deployment mode where coordination.k8s.io/leases RBAC may not be granted, so the watcher must skip lease acquisition and rotate directly.
Must be called inside a Describe that has cluster.Use() for the vcluster and host cluster.
Types ¶
This section is empty.
Source Files