From f8fd68c04b4be1f31e44616b83d534f164c12eb8 Mon Sep 17 00:00:00 2001
From: lei-tang <32078630+lei-tang@users.noreply.github.com>
Date: Tue, 21 Apr 2020 22:32:39 +0800
Subject: [PATCH] User guide tests for DNS certificate management (#7103)
* User guide tests for DNS certificate management
- Add user guide tests for DNS certificate management
- Remove user guide's dependency on jq
* Use _verify_contains function
---
 .../en/docs/tasks/security/dns-cert/index.md | 23 ++++---
 .../en/docs/tasks/security/dns-cert/snips.sh | 64 +++++++++++++++++++
 tests/security/dns_cert/dns_cert_test.go | 44 +++++++++++++
 tests/security/dns_cert/main_test.go | 51 +++++++++++++++
 tests/security/dns_cert/scripts/dns_cert.txt | 33 ++++++++++
 5 files changed, 207 insertions(+), 8 deletions(-)
 create mode 100644 content/en/docs/tasks/security/dns-cert/snips.sh
 create mode 100644 tests/security/dns_cert/dns_cert_test.go
 create mode 100644 tests/security/dns_cert/main_test.go
 create mode 100644 tests/security/dns_cert/scripts/dns_cert.txt
diff --git a/content/en/docs/tasks/security/dns-cert/index.md b/content/en/docs/tasks/security/dns-cert/index.md
index 18859c2f89..be9d491f1f 100644
--- a/content/en/docs/tasks/security/dns-cert/index.md
+++ b/content/en/docs/tasks/security/dns-cert/index.md
@@ -3,6 +3,7 @@ title: Istio DNS Certificate Management
 description: Shows how to provision and manage DNS certificates in Istio.
 weight: 90
 keywords: [security,certificate]
+test: true
 ---
 This task shows how to provision and manage DNS certificates
@@ -35,8 +36,6 @@ EOF
 $ istioctl manifest apply -f ./istio.yaml
 {{< /text >}}
-* Install [`jq`](https://stedolan.github.io/jq/) for validating the results from running the task.
-
 ## DNS certificate provisioning and management
 Istio provisions the DNS names and secret names for the DNS certificates based on configuration you provide.
@@ -60,14 +59,14 @@ and that the certificate contains the configured DNS names, you need to get the
 decode it, and view its text output with the following command:
 {{< text bash >}}
-$ kubectl get secret dns.example1-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in /dev/stdin -text -noout
+$ kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
 {{< /text >}}
 The text output should include:
 {{< text plain >}}
-X509v3 Subject Alternative Name:
- DNS:example1.istio-system.svc, DNS:example1.istio-system
+ X509v3 Subject Alternative Name:
+ DNS:example1.istio-system.svc, DNS:example1.istio-system
 {{< /text >}}
 ## Regenerating a DNS certificate
@@ -86,12 +85,20 @@ contains the configured DNS names, you need to get the secret from Kubernetes, p
 and view its text output with the following command:
 {{< text bash >}}
- $ kubectl get secret dns.example1-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in /dev/stdin -text -noout
+ $ sleep 10; kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
 {{< /text >}}
 The output should include:
 {{< text plain >}}
-X509v3 Subject Alternative Name:
- DNS:example1.istio-system.svc, DNS:example1.istio-system
+ X509v3 Subject Alternative Name:
+ DNS:example1.istio-system.svc, DNS:example1.istio-system
 {{< /text >}}
+
+## Cleanup
+
+* To remove the `istio-system` namespace:
+
+ {{< text bash >}}
+ $ kubectl delete ns istio-system
+ {{< /text >}}
\ No newline at end of file
diff --git a/content/en/docs/tasks/security/dns-cert/snips.sh b/content/en/docs/tasks/security/dns-cert/snips.sh
new file mode 100644
index 0000000000..51f1bf3dfc
--- /dev/null
+++ b/content/en/docs/tasks/security/dns-cert/snips.sh
@@ -0,0 +1,64 @@ +#!/bin/bash + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/tasks/security/dns-cert/index.md +#################################################################################################### + +snip_before_you_begin_1() { +cat < ./istio.yaml +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + values: + global: + certificates: + - secretName: dns.example1-service-account + dnsNames: [example1.istio-system.svc, example1.istio-system] + - secretName: dns.example2-service-account + dnsNames: [example2.istio-system.svc, example2.istio-system] +EOF +istioctl manifest apply -f ./istio.yaml +} + +snip_check_the_provisioning_of_dns_certificates_1() { +kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout +} + +# shellcheck disable=SC2034 +! 
read -r -d '' snip_check_the_provisioning_of_dns_certificates_2 <&1) +# Remove trailing spaces +out=$(echo "$out" | sed 's/[ ]*$//') +_verify_contains "$out" "$snip_check_the_provisioning_of_dns_certificates_2" "snip_check_the_provisioning_of_dns_certificates_1" + +snip_regenerating_a_dns_certificate_1 + +out=$(snip_regenerating_a_dns_certificate_2 2>&1) +# Remove trailing spaces +out=$(echo "$out" | sed 's/[ ]*$//') +_verify_contains "$out" "$snip_regenerating_a_dns_certificate_3" "snip_regenerating_a_dns_certificate_2"