From 73e5d3a2693d0469fdad925c398b6c464803c4b3 Mon Sep 17 00:00:00 2001
From: Tiger <twatson@gitlab.com>
Date: Thu, 7 Feb 2019 15:56:08 +1100
Subject: [PATCH] Validate kubernetes cluster CA certificate

No certificate is still accepted, but if one is provided it must
be valid. Only run validation if the certificate has changed to
avoid making existing records invalid.
---
 app/models/clusters/platforms/kubernetes.rb   |  1 +
 .../unreleased/55447-validate-k8s-ca-cert.yml |  5 +++
 spec/fixtures/clusters/sample_cert.pem        |  2 +-
 .../clusters/kubernetes_namespace_spec.rb     |  2 +-
 .../clusters/platforms/kubernetes_spec.rb     | 32 ++++++++++++++++++-
 5 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/55447-validate-k8s-ca-cert.yml

diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 8f3424db295..ed6bbfb4c64 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -43,6 +43,7 @@ module Clusters
       # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
       validates :api_url, url: true, presence: true
       validates :token, presence: true
+      validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?
 
       validate :prevent_modification, on: :update
 
diff --git a/changelogs/unreleased/55447-validate-k8s-ca-cert.yml b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml
new file mode 100644
index 00000000000..e0448d403da
--- /dev/null
+++ b/changelogs/unreleased/55447-validate-k8s-ca-cert.yml
@@ -0,0 +1,5 @@
+---
+title: Validate kubernetes cluster CA certificate
+merge_request: 24990
+author:
+type: changed
diff --git a/spec/fixtures/clusters/sample_cert.pem b/spec/fixtures/clusters/sample_cert.pem
index e39a2b34416..00e6ce44d87 100644
--- a/spec/fixtures/clusters/sample_cert.pem
+++ b/spec/fixtures/clusters/sample_cert.pem
@@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ
 Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A
 6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u
 texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag==
------END CERTIFICATE-----
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/spec/models/clusters/kubernetes_namespace_spec.rb b/spec/models/clusters/kubernetes_namespace_spec.rb
index 235e2ee4e69..b865909c7fd 100644
--- a/spec/models/clusters/kubernetes_namespace_spec.rb
+++ b/spec/models/clusters/kubernetes_namespace_spec.rb
@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
     let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }
 
     let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
     let(:token) { 'token' }
 
     let(:kubeconfig) do
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index 6c8a223092e..ce8269d8024 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
       end
     end
 
+    context 'ca_cert' do
+      let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
+
+      context 'with a valid certificate' do
+        let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'with an invalid certificate' do
+        let(:ca_pem) { "invalid" }
+
+        it { is_expected.to be_falsey }
+
+        context 'but the certificate is not being updated' do
+          before do
+            allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
+          end
+
+          it { is_expected.to be_truthy }
+        end
+      end
+
+      context 'with no certificate' do
+        let(:ca_pem) { "" }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+
     describe 'when using reserved namespaces' do
       subject { build(:cluster_platform_kubernetes, namespace: namespace) }
 
@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
     let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
     let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
     let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
 
     subject { kubernetes.predefined_variables(project: cluster.project) }