test: add certificates to container

Author: Clockwork-Muse

api/internal/oci/pusher_test.go

@@ -5,15 +5,24 @@ package oci
 
 import (
 	"bufio"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
+	"math/big"
 	"net"
 	"os/exec"
 	"strconv"
 	"strings"
 	"syscall"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
+
+	loctest "sigs.k8s.io/kustomize/api/testutils/localizertest"
 )
 
 func skipIfNoDocker(t *testing.T) {
@@ -23,30 +32,56 @@ func skipIfNoDocker(t *testing.T) {
 	}
 }
 
+// run calls Cmd.Run and wraps the error to include the output to make debugging
+// easier. Not safe for real code, but fine for tests.
+func run(cmd *exec.Cmd) error {
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("%w\n--- COMMAND OUTPUT ---\n%s", err, string(out))
+	}
+	return nil
+}
+
 // Set up the registry.
-func registry(t *testing.T) (*exec.Cmd, int, error) {
+func registry(t *testing.T, certificate_path string, key_path string) (*exec.Cmd, int, error) {
 	skipIfNoDocker(t)
+	t.Helper()
+
+	const container_cert_path = "/certs/cert.pem"
+	const container_key_path = "/certs/key.pem"
 
-	container_name := fmt.Sprintf("%s_%d", t.Name(), 15)
+	container_name := t.Name()
 	internal_port := 5000
 
-	registry := exec.Command("docker", "run",
+	create := exec.Command("docker", "create",
 		"--rm",
-		"-p", fmt.Sprintf("0:%d", internal_port),
 		"--name", container_name,
+		"--publish", fmt.Sprintf("0:%d", internal_port),
+		"--env", "REGISTRY_HTTP_TLS_CERTIFICATE="+container_cert_path,
+		"--env", "REGISTRY_HTTP_TLS_KEY="+container_key_path,
 		"docker.io/library/registry:3.0.0",
 	)
+	require.NoError(t, run(create))
+
+	cert_upload := exec.Command("docker", "cp", certificate_path, container_name+":"+container_cert_path)
+	require.NoError(t, run(cert_upload))
+	key_upload := exec.Command("docker", "cp", key_path, container_name+":"+container_key_path)
+	require.NoError(t, run(key_upload))
 
-	stdout, err := registry.StderrPipe()
+	start := exec.Command("docker", "start",
+		"--attach", "--interactive",
+		container_name,
+	)
+
+	stdout, err := start.StderrPipe()
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if err := registry.Start(); err != nil {
+	if err := start.Start(); err != nil {
 		t.Fatal(err)
 	}
 
-	t.Cleanup(func() { registry.Process.Signal(syscall.SIGTERM) })
+	t.Cleanup(func() { start.Process.Signal(syscall.SIGTERM) })
 
 	scanner := bufio.NewScanner(stdout)
 	for scanner.Scan() {
@@ -75,16 +110,71 @@ func registry(t *testing.T) (*exec.Cmd, int, error) {
 		t.Fatal(err)
 	}
 
-	return registry, port, nil
+	return start, port, nil
+}
+
+func generateSelfSignedCert(t *testing.T) (certificate string, key string) {
+	t.Helper()
+
+	// Generate private key
+	privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		t.Fatalf("failed to generate private key: %v", err)
+	}
+
+	// Certificate template
+	tmpl := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: "localhost",
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(24 * time.Hour),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	// Self-sign the certificate
+	derBytes, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		t.Fatalf("failed to create certificate: %v", err)
+	}
+
+	return string(pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: derBytes,
+		})),
+		string(pem.EncodeToMemory(&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+		}))
 }
 
 func TestFnContainerTransformerWithConfig(t *testing.T) {
-	registry, port, err := registry(t)
+	certificate, key := generateSelfSignedCert(t)
+	cert_path := "certs/cert.pem"
+	key_path := "certs/key.pem"
+
+	kustomization := map[string]string{
+		"src/README.md": `# NO VALID FILE
+`,
+		cert_path: certificate,
+		key_path:  key,
+	}
+	// clock := NewFakePassiveClock(time.Date(int(2025), time.July, int(28), int(20), int(56), int(0), int(0), time.UTC))
+
+	_, _, target := loctest.PrepareFs(t, []string{"src", "certs"}, kustomization)
+	loctest.SetWorkingDir(t, target.Join("src"))
+
+	registry, port, err := registry(t, target.Join(cert_path), target.Join(key_path))
 	require.NoError(t, err)
+
 	// t.Cleanup(func() {registry.})
 	require.NotNil(t, registry)
 	t.Setenv("asdfsd", "asdfadsf")
 
-	require.Equal(t, port, 5)
+	require.Equal(t, port, 7)
 
 }

go.work.sum

@@ -1407,6 +1407,8 @@ github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRci
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.4.0/go.mod h1:mZd6rFysKEcUhUHXJk0C/08wAgyDBFuwEYL7vWWGaGo=
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=