diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index c8969351ed9..46d0898014e 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -43,6 +43,7 @@ module Clusters # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned) validates :api_url, url: true, presence: true validates :token, presence: true + validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed? validate :prevent_modification, on: :update diff --git a/changelogs/unreleased/55447-validate-k8s-ca-cert.yml b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml new file mode 100644 index 00000000000..e0448d403da --- /dev/null +++ b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml @@ -0,0 +1,5 @@ +--- +title: Validate kubernetes cluster CA certificate +merge_request: 24990 +author: +type: changed diff --git a/spec/fixtures/clusters/sample_cert.pem b/spec/fixtures/clusters/sample_cert.pem index e39a2b34416..00e6ce44d87 100644 --- a/spec/fixtures/clusters/sample_cert.pem +++ b/spec/fixtures/clusters/sample_cert.pem @@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A 6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag== ------END CERTIFICATE----- +-----END CERTIFICATE----- \ No newline at end of file diff --git a/spec/models/clusters/kubernetes_namespace_spec.rb b/spec/models/clusters/kubernetes_namespace_spec.rb index 235e2ee4e69..b865909c7fd 100644 --- a/spec/models/clusters/kubernetes_namespace_spec.rb +++ b/spec/models/clusters/kubernetes_namespace_spec.rb @@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) } let(:api_url) { 'https://kube.domain.com' } - let(:ca_pem) { 'CA PEM DATA' } + let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) } let(:token) { 'token' } let(:kubeconfig) do diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb index c273fa7e164..4068d98d8f7 100644 --- a/spec/models/clusters/platforms/kubernetes_spec.rb +++ b/spec/models/clusters/platforms/kubernetes_spec.rb @@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching end end + context 'ca_cert' do + let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) } + + context 'with a valid certificate' do + let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) } + + it { is_expected.to be_truthy } + end + + context 'with an invalid certificate' do + let(:ca_pem) { "invalid" } + + it { is_expected.to be_falsey } + + context 'but the certificate is not being updated' do + before do + allow(kubernetes).to receive(:ca_cert_changed?).and_return(false) + end + + it { is_expected.to be_truthy } + end + end + + context 'with no certificate' do + let(:ca_pem) { "" } + + it { is_expected.to be_truthy } + end + end + describe 'when using reserved namespaces' do subject { build(:cluster_platform_kubernetes, namespace: namespace) } @@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) } let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) } let(:api_url) { 'https://kube.domain.com' } - let(:ca_pem) { 'CA PEM DATA' } + let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) } subject { kubernetes.predefined_variables(project: cluster.project) }