Make go-getter use CABundles

Whether defined in secrets from Rancher or in a GitRepo resource,
go-getter (`helm.chart` field of `fleet.yaml`) is supposed to use the
certificates specified. First the certificate specified in the GitRepo
resource, then the ones from Rancher. It also should honor
`GitRepo.Spec.insecureSkipTLSVerify` (even when using the Rancher
certificates).

Refers to #3646

Author: p-se

e2e/assets/gitrepo/gitrepo.yaml

@@ -6,8 +6,18 @@ spec:
   repo: {{.Repo}}
   branch: {{.Branch}}
   pollingInterval: {{.PollingInterval}}
+  {{- if .InsecureSkipTLSVerify}}
+  insecureSkipTLSVerify: {{.InsecureSkipTLSVerify}}
+  {{- end }}
   {{- if .TargetNamespace }}
   targetNamespace: {{.TargetNamespace}}
   {{- end }}
   paths:
+  {{- if .Path }}
+  - {{.Path}}
+  {{- else }}
   - examples
+  {{- end }}
+  {{- if .CABundle}}
+  caBundle: {{.CABundle}}
+  {{- end}}

e2e/single-cluster/gitrepo_test.go

@@ -31,6 +31,17 @@ const (
 	HTTPSPort = 4343
 )
 
+type gitRepoTestValues struct {
+	Name                  string
+	Repo                  string
+	Branch                string
+	PollingInterval       string
+	TargetNamespace       string
+	Path                  string
+	InsecureSkipTLSVerify bool
+	CABundle              string
+}
+
 var _ = Describe("Monitoring Git repos via HTTP for change", Label("infra-setup"), func() {
 	var (
 		tmpDir           string
@@ -100,18 +111,12 @@ var _ = Describe("Monitoring Git repos via HTTP for change", Label("infra-setup"
 		})
 
 		JustBeforeEach(func() {
-			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), struct {
-				Name            string
-				Repo            string
-				Branch          string
-				PollingInterval string
-				TargetNamespace string
-			}{
-				gitrepoName,
-				inClusterRepoURL,
-				gh.Branch,
-				"15s",           // default
-				targetNamespace, // to avoid conflicts with other tests
+			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:            gitrepoName,
+				Repo:            inClusterRepoURL,
+				Branch:          gh.Branch,
+				PollingInterval: "15s",           // default
+				TargetNamespace: targetNamespace, // to avoid conflicts with other tests
 			})
 			Expect(err).ToNot(HaveOccurred())
 
@@ -157,18 +162,12 @@ var _ = Describe("Monitoring Git repos via HTTP for change", Label("infra-setup"
 		})
 
 		JustBeforeEach(func() {
-			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), struct {
-				Name            string
-				Repo            string
-				Branch          string
-				PollingInterval string
-				TargetNamespace string
-			}{
-				gitrepoName,
-				inClusterRepoURL,
-				gh.Branch,
-				"15s",           // default
-				targetNamespace, // to avoid conflicts with other tests
+			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:            gitrepoName,
+				Repo:            inClusterRepoURL,
+				Branch:          gh.Branch,
+				PollingInterval: "15s",           // default
+				TargetNamespace: targetNamespace, // to avoid conflicts with other tests
 			})
 			Expect(err).ToNot(HaveOccurred())
 
@@ -270,18 +269,12 @@ var _ = Describe("Monitoring Git repos via HTTP for change", Label("infra-setup"
 			clone, err = gh.Create(clonedir, testenv.AssetPath("gitrepo/sleeper-chart"), "examples")
 			Expect(err).ToNot(HaveOccurred())
 
-			err = testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), struct {
-				Name            string
-				Repo            string
-				Branch          string
-				PollingInterval string
-				TargetNamespace string
-			}{
-				gitrepoName,
-				inClusterRepoURL,
-				gh.Branch,
-				"24h",           // prevent polling
-				targetNamespace, // to avoid conflicts with other tests
+			err = testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:            gitrepoName,
+				Repo:            inClusterRepoURL,
+				Branch:          gh.Branch,
+				PollingInterval: "24h",           // prevent polling
+				TargetNamespace: targetNamespace, // to avoid conflicts with other tests
 			})
 			Expect(err).ToNot(HaveOccurred())
 		})

e2e/single-cluster/go_getter_custom_ca_test.go

@@ -0,0 +1,196 @@
+package singlecluster_test
+
+// These test cases rely on a local git server, so that they can be run locally and against PRs.
+// For tests monitoring external git hosting providers, see `e2e/require-secrets`.
+
+import (
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+	"os"
+	"path"
+	"strings"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/rancher/fleet/e2e/testenv"
+	"github.com/rancher/fleet/e2e/testenv/githelper"
+	"github.com/rancher/fleet/e2e/testenv/kubectl"
+)
+
+var _ = Describe("Testing go-getter CA bundles", Label("infra-setup"), func() {
+	const (
+		sleeper    = "sleeper"
+		entrypoint = "entrypoint"
+	)
+
+	var (
+		tmpDir          string
+		cloneDir        string
+		k               kubectl.Command
+		gh              *githelper.Git
+		gitrepoName     string
+		r               = rand.New(rand.NewSource(GinkgoRandomSeed()))
+		targetNamespace string
+		// Build git repo URL reachable _within_ the cluster, for the GitRepo
+		host = githelper.BuildGitHostname()
+	)
+
+	getExternalRepoURL := func(repoName string) string {
+		GinkgoHelper()
+		addr, err := githelper.GetExternalRepoAddr(env, HTTPSPort, repoName)
+		Expect(err).ToNot(HaveOccurred())
+		addr = strings.Replace(addr, "http://", fmt.Sprintf("%s://", "https"), 1)
+		return addr
+	}
+
+	BeforeEach(func() {
+		k = env.Kubectl.Namespace(env.Namespace)
+	})
+
+	JustBeforeEach(func() {
+		// Create the first repository
+		addr := getExternalRepoURL("repo")
+		gh = githelper.NewHTTP(addr)
+		tmpDir, err := os.MkdirTemp("", "fleet-")
+		Expect(err).ToNot(HaveOccurred())
+		cloneDir = path.Join(tmpDir, "repo") // Fixed and built into the container image.
+		gitrepoName = testenv.RandomFilename("gitjob-test", r)
+		// Creates the content in the sleeperClusterName directory
+		_, err = gh.Create(cloneDir, testenv.AssetPath("gitrepo/sleeper-chart"), sleeper)
+		Expect(err).ToNot(HaveOccurred())
+
+		// Create the second repository
+		Expect(err).ToNot(HaveOccurred())
+		tmpAssetDir := path.Join(tmpDir, "entryPoint")
+		err = os.Mkdir(tmpAssetDir, 0755)
+		Expect(err).ToNot(HaveOccurred())
+		url := "git::" + gh.GetInClusterURL(host, HTTPSPort, "repo?ref="+sleeper)
+		err = os.WriteFile(
+			path.Join(tmpAssetDir, "fleet.yaml"),
+			fmt.Appendf([]byte{}, "helm:\n  chart: %s\n", url),
+			0755,
+		)
+		Expect(err).NotTo(HaveOccurred())
+
+		_, err = gh.Add(cloneDir, tmpAssetDir, entrypoint)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		_ = os.RemoveAll(tmpDir)
+		_, _ = k.Delete("gitrepo", gitrepoName)
+
+		// Check that the bundle deployment resource has been deleted
+		Eventually(func(g Gomega) {
+			out, _ := k.Get(
+				"bundledeployments",
+				"-A",
+				"-l",
+				fmt.Sprintf("fleet.cattle.io/repo-name=%s", gitrepoName),
+			)
+			g.Expect(out).To(ContainSubstring("No resources found"))
+		}).Should(Succeed())
+
+		_, _ = k.Delete("ns", targetNamespace)
+	})
+
+	When("testing InsecureSkipTLSVerify", func() {
+		BeforeEach(func() {
+			targetNamespace = testenv.NewNamespaceName("target", r)
+		})
+
+		It("should fail if InsecureSkipTLSVerify is false and an invalid certificate was provided", func() {
+			// Create and apply GitRepo
+			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:                  gitrepoName,
+				Repo:                  gh.GetInClusterURL(host, HTTPSPort, "repo"),
+				Branch:                gh.Branch,
+				PollingInterval:       "15s",           // default
+				TargetNamespace:       targetNamespace, // to avoid conflicts with other tests
+				Path:                  entrypoint,
+				InsecureSkipTLSVerify: false,
+				CABundle:              base64.StdEncoding.EncodeToString([]byte("invalid-ca-bundle")), // prevents Rancher CA bundles from being used
+			})
+			Expect(err).ToNot(HaveOccurred())
+
+			Eventually(func(g Gomega) {
+				out, err := k.Get("gitrepo", gitrepoName, `-o=jsonpath={.status.conditions[?(@.type=="GitPolling")].message}`)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(out).To(ContainSubstring("certificate signed by unknown authority"))
+			}).Should(Succeed())
+		})
+
+		It("should succeed if InsecureSkipTLSVerify is true and an invalid certificate was provided", func() {
+			// Create and apply GitRepo
+			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:                  gitrepoName,
+				Repo:                  gh.GetInClusterURL(host, HTTPSPort, "repo"),
+				Branch:                gh.Branch,
+				PollingInterval:       "15s",           // default
+				TargetNamespace:       targetNamespace, // to avoid conflicts with other tests
+				Path:                  entrypoint,
+				InsecureSkipTLSVerify: true,
+				CABundle:              base64.StdEncoding.EncodeToString([]byte("invalid-ca-bundle")), // prevents Rancher CA bundles from being used
+			})
+			Expect(err).ToNot(HaveOccurred())
+
+			Eventually(func(g Gomega) {
+				out, err := k.Get("gitrepo", gitrepoName, `-o=jsonpath={.status.display.readyBundleDeployments}`)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(out).To(ContainSubstring("1/1"))
+			}).Should(Succeed())
+		})
+	})
+
+	When("testing custom CA bundles", func() {
+		It("should succeed when using the Rancher CA bundles provided in ConfigMaps", func() {
+			// Create and apply GitRepo
+			err := testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:                  gitrepoName,
+				Repo:                  gh.GetInClusterURL(host, HTTPSPort, "repo"),
+				Branch:                gh.Branch,
+				PollingInterval:       "15s",           // default
+				TargetNamespace:       targetNamespace, // to avoid conflicts with other tests
+				Path:                  entrypoint,
+				InsecureSkipTLSVerify: false,
+				CABundle:              "", // use Rancher CA bundles
+			})
+			Expect(err).ToNot(HaveOccurred())
+
+			Eventually(func(g Gomega) {
+				out, err := k.Get("gitrepo", gitrepoName, `-o=jsonpath={.status.display.readyBundleDeployments}`)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(out).To(ContainSubstring("1/1"))
+			}).Should(Succeed())
+		})
+
+		It("should succeed when using the correct CA bundle provided in GitRepo", func() {
+			certsDir := os.Getenv("CI_OCI_CERTS_DIR")
+			Expect(certsDir).ToNot(BeEmpty())
+			helmCrtFile := path.Join(certsDir, "helm.crt")
+			crt, err := os.ReadFile(helmCrtFile)
+			Expect(err).ToNot(HaveOccurred(), "failed to open helm.crt file")
+			encodedCert := base64.StdEncoding.EncodeToString(crt)
+			// Create and apply GitRepo
+			err = testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+				Name:                  gitrepoName,
+				Repo:                  gh.GetInClusterURL(host, HTTPSPort, "repo"),
+				Branch:                gh.Branch,
+				PollingInterval:       "15s",           // default
+				TargetNamespace:       targetNamespace, // to avoid conflicts with other tests
+				Path:                  entrypoint,
+				InsecureSkipTLSVerify: false,
+				CABundle:              encodedCert,
+			})
+			Expect(err).ToNot(HaveOccurred())
+
+			Eventually(func(g Gomega) {
+				out, err := k.Get("gitrepo", gitrepoName, `-o=jsonpath={.status.display.readyBundleDeployments}`)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(out).To(ContainSubstring("1/1"))
+			}).Should(Succeed())
+		})
+	})
+})

e2e/single-cluster/schedule_test.go

@@ -1,8 +1,6 @@
-package singlecluster
+package singlecluster_test
 
 import (
-	"bytes"
-	"encoding/json"
 	"fmt"
 	"math/rand"
 	"os"
@@ -113,18 +111,12 @@ var _ = Describe("Schedules", Label("infra-setup"), func() {
 		}).Should(BeTrue())
 
 		// Apply a GitRepo
-		err = testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), struct {
-			Name            string
-			Repo            string
-			Branch          string
-			PollingInterval string
-			TargetNamespace string
-		}{
-			gitrepoName,
-			inClusterRepoURL,
-			gh.Branch,
-			"15s",           // default
-			targetNamespace, // to avoid conflicts with other tests
+		err = testenv.ApplyTemplate(k, testenv.AssetPath("gitrepo/gitrepo.yaml"), gitRepoTestValues{
+			Name:            gitrepoName,
+			Repo:            inClusterRepoURL,
+			Branch:          gh.Branch,
+			PollingInterval: "15s",           // default
+			TargetNamespace: targetNamespace, // to avoid conflicts with other tests
 		})
 		Expect(err).ToNot(HaveOccurred())
 
@@ -249,29 +241,6 @@ var _ = Describe("Schedules", Label("infra-setup"), func() {
 	})
 })
 
-// replace replaces string s with r in the file located at path. That file must exist and be writable.
-func replace(path string, s string, r string) {
-	b, err := os.ReadFile(path)
-	Expect(err).ToNot(HaveOccurred())
-
-	b = bytes.ReplaceAll(b, []byte(s), []byte(r))
-
-	err = os.WriteFile(path, b, 0644)
-	Expect(err).ToNot(HaveOccurred())
-}
-
-// getGitRepoStatus retrieves the status of the gitrepo with the provided name.
-func getGitRepoStatus(g Gomega, k kubectl.Command, name string) fleet.GitRepoStatus {
-	gr, err := k.Get("gitrepo", name, "-o=json")
-
-	g.Expect(err).ToNot(HaveOccurred())
-
-	var gitrepo fleet.GitRepo
-	_ = json.Unmarshal([]byte(gr), &gitrepo)
-
-	return gitrepo.Status
-}
-
 func waitForBeginningOfNextMinute() {
 	for {
 		now := time.Now()