Fix to Rotate CA e2e test (#7101)

* Include note on service keys

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Fix rotate cert ca test

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Remove periods

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Add new test to nightly script

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>

contrib/util/generate-custom-ca-certs.sh

@@ -12,13 +12,14 @@
 # 
 # This script will also auto-generate certificates and keys for both root and intermediate
 # certificate authorities if none are found.
+# If you have existing certs, you must place then in `DATA_DIR/server/tls`.
 # If you have only an existing root CA, provide:
 #   root-ca.pem
-#   root-ca.key.
+#   root-ca.key
 # If you have an existing root and intermediate CA, provide:
 #   root-ca.pem
 #   intermediate-ca.pem
-#   intermediate-ca.key.
+#   intermediate-ca.key
 
 set -e
 umask 027

tests/e2e/rotateca/Vagrantfile

@@ -1,6 +1,6 @@
 ENV['VAGRANT_NO_PARALLEL'] = 'no'
 NODE_ROLES = (ENV['E2E_NODE_ROLES'] ||
-  ["server-0", "server-1", "server-2", "agent-1"])
+  ["server-0", "server-1", "server-2", "agent-0"])
 NODE_BOXES = (ENV['E2E_NODE_BOXES'] ||
   ['generic/ubuntu2204', 'generic/ubuntu2204', 'generic/ubuntu2204', 'generic/ubuntu2204'])
 GITHUB_BRANCH = (ENV['E2E_GITHUB_BRANCH'] || "master")
@@ -26,8 +26,12 @@ def provision(vm, role, role_num, node_num)
   vm.provision "shell", inline: "ping -c 2 k3s.io"
   
   if role.include?("server") && role_num == 0
+    vm.provision 'file' do |scp| 
+      scp.source = '../../../contrib/util/generate-custom-ca-certs.sh'
+      scp.destination = '/tmp/generate-custom-ca-certs.sh'
+    end
     vm.provision 'custom-ca', type: 'shell', run: 'once' do |script|
-      script.path = '../../../contrib/util/certs.sh'
+      script.inline = 'bash /tmp/generate-custom-ca-certs.sh'
       script.env = {'PRODUCT' => 'vagrant-e2e-test', 'DATA_DIR' => '/var/lib/rancher/k3s'}
     end
     vm.provision 'k3s-install', type: 'k3s', run: 'once' do |k3s|

tests/e2e/rotateca/rotateca_test.go

@@ -25,7 +25,7 @@ func Test_E2ECustomCARotation(t *testing.T) {
 	RegisterFailHandler(Fail)
 	flag.Parse()
 	suiteConfig, reporterConfig := GinkgoConfiguration()
-	RunSpecs(t, "Secrets Encryption Test Suite", suiteConfig, reporterConfig)
+	RunSpecs(t, "Custom Certificate Rotation Test Suite", suiteConfig, reporterConfig)
 }
 
 var (
@@ -80,7 +80,7 @@ var _ = Describe("Verify Custom CA Rotation", Ordered, func() {
 			cmds := []string{
 				"sudo mkdir -p /opt/rancher/k3s/server",
 				"sudo cp -r /var/lib/rancher/k3s/server/tls /opt/rancher/k3s/server",
-				"curl -ksL https://raw.githubusercontent.com/brandond/k3s/custom-cert-gen/contrib/util/certs.sh | sudo DATA_DIR=/opt/rancher/k3s bash -s -",
+				"sudo DATA_DIR=/opt/rancher/k3s /tmp/generate-custom-ca-certs.sh",
 			}
 			for _, cmd := range cmds {
 				_, err := e2e.RunCmdOnNode(cmd, serverNodeNames[0])
@@ -89,7 +89,7 @@ var _ = Describe("Verify Custom CA Rotation", Ordered, func() {
 		})
 
 		It("Rotates CA Certificates", func() {
-			cmd := "sudo k3s certificate rotate-ca --path=/opt/rancher/k3s"
+			cmd := "sudo k3s certificate rotate-ca --path=/opt/rancher/k3s/server"
 			_, err := e2e.RunCmdOnNode(cmd, serverNodeNames[0])
 			Expect(err).NotTo(HaveOccurred())
 		})

tests/e2e/scripts/run_tests.sh

@@ -41,6 +41,9 @@ echo 'RUNNING EXTERNAL IP TEST'
 echo 'RUNNING SNAPSHOT AND RESTORE TEST'
 /usr/local/go/bin/go test -v snapshotrestore/snapshotrestore_test.go -nodeOS="$nodeOS" -serverCount=1 -agentCount=1 -timeout=30m -json -ci | tee -a k3s_"$OS".log
 
+echo 'RUNNING ROTATE CUSTOM CA TEST'
+/usr/local/go/bin/go test -v rotateca/rotateca_test.go -nodeOS="$nodeOS" -serverCount=1 -agentCount=1 -timeout=30m -json -ci | tee -a k3s_"$OS".log
+
 E2E_RELEASE_CHANNEL="latest" && export E2E_RELEASE_CHANNEL
 echo 'RUNNING CLUSTER UPGRADE TEST'
 E2E_REGISTRY=true /usr/local/go/bin/go test -v upgradecluster/upgradecluster_test.go -nodeOS="$nodeOS" -serverCount=$((servercount)) -agentCount=$((agentcount)) -timeout=1h -json -ci | tee -a k3s_"$OS".log