Validate kubernetes cluster CA certificate

No certificate is still accepted, but if one is provided it must
be valid. Only run validation if the certificate has changed to
avoid making existing records invalid.

app/models/clusters/platforms/kubernetes.rb

@@ -43,6 +43,7 @@ module Clusters
       # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned)
       validates :api_url, url: true, presence: true
       validates :token, presence: true
+      validates :ca_cert, certificate: true, allow_blank: true, if: :ca_cert_changed?
 
       validate :prevent_modification, on: :update
 

changelogs/unreleased/55447-validate-k8s-ca-cert.yml

@@ -0,0 +1,5 @@
+---
+title: Validate kubernetes cluster CA certificate
+merge_request: 24990
+author:
+type: changed

spec/fixtures/clusters/sample_cert.pem

@@ -30,4 +30,4 @@ TkIdFE47ZisEDhIdF6wC1izEMLeMEsPAO7/Y6MY4nRxsinSe95lRaw+yQpzx+mvJ
 Q7n1kiHI9Pd5M3+CiQda0d/GO1o5ORJnUGJRvr9HKuNmE7Lif0As/N0AlywjzE7A
 6Z8AEiWyRV1ffshu1k2UKmzvZuZeGGKRtrIjbJIRAtpRVtVZZGzhq5/sojCLoJ+u
 texqFBUo/4mFRZa4pDItUdyOlDy2/LO/ag==
------END CERTIFICATE-----
+-----END CERTIFICATE-----

spec/models/clusters/kubernetes_namespace_spec.rb

@@ -97,7 +97,7 @@ RSpec.describe Clusters::KubernetesNamespace, type: :model do
     let(:platform) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem, token: token) }
 
     let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
     let(:token) { 'token' }
 
     let(:kubeconfig) do

spec/models/clusters/platforms/kubernetes_spec.rb

@@ -114,6 +114,36 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
       end
     end
 
+    context 'ca_cert' do
+      let(:kubernetes) { build(:cluster_platform_kubernetes, ca_pem: ca_pem) }
+
+      context 'with a valid certificate' do
+        let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'with an invalid certificate' do
+        let(:ca_pem) { "invalid" }
+
+        it { is_expected.to be_falsey }
+
+        context 'but the certificate is not being updated' do
+          before do
+            allow(kubernetes).to receive(:ca_cert_changed?).and_return(false)
+          end
+
+          it { is_expected.to be_truthy }
+        end
+      end
+
+      context 'with no certificate' do
+        let(:ca_pem) { "" }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+
     describe 'when using reserved namespaces' do
       subject { build(:cluster_platform_kubernetes, namespace: namespace) }
 
@@ -202,7 +232,7 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
     let!(:cluster) { create(:cluster, :project, platform_kubernetes: kubernetes) }
     let(:kubernetes) { create(:cluster_platform_kubernetes, api_url: api_url, ca_cert: ca_pem) }
     let(:api_url) { 'https://kube.domain.com' }
-    let(:ca_pem) { 'CA PEM DATA' }
+    let(:ca_pem) { File.read(Rails.root.join('spec/fixtures/clusters/sample_cert.pem')) }
 
     subject { kubernetes.predefined_variables(project: cluster.project) }