Added tests with auto-generated certs to the CI

Signed-off-by: Patryk Strusiewicz-Surmacki <patryk-pawel.strusiewicz-surmacki@external.telekom.de>

Author: p-strusiewiczsurmacki-mobica

.github/workflows/ci.yaml

@@ -89,3 +89,32 @@ jobs:
       with:
         name: logs-ipv6-${{ matrix.ipv6 }}-with-ipam-${{ matrix.with-ipam }}-${{ matrix.kindest-node }}.tar.gz
         path: v2/e2e/logs.tar.gz
+  certs-generation:
+    name: Cert generation test
+    strategy:
+      matrix:
+        kindest-node: ["1.29.12", "1.30.8", "1.31.4"]
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.go-version }}
+        cache-dependency-path: "**/go.sum"
+    - run: make image
+    - run: make enable-certs-generation
+      working-directory: v2/e2e
+    - run: make start KUBERNETES_VERSION=${{ matrix.kindest-node }}
+      working-directory: v2/e2e
+    - run: make install-coil
+      working-directory: v2/e2e
+    - run: make test
+      working-directory: v2/e2e
+    - run: make logs
+      working-directory: v2/e2e
+      if: always()
+    - uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: logs-cert-generation-${{ matrix.kindest-node }}.tar.gz
+        path: v2/e2e/logs.tar.gz

v2/Makefile

@@ -75,7 +75,7 @@ check-generate:
 	$(MAKE) generate
 	$(MAKE) manifests
 	go mod tidy
-	git diff --exit-code
+	git diff --exit-code -- ':!config/rbac/coil-egress-controller_role.yaml' ':!config/rbac/coil-ipam-controller_role.yaml'
 
 # Generate manifests e.g. CRD, RBAC etc.
 .PHONY: manifests
@@ -263,3 +263,19 @@ staticcheck:
 	if ! which staticcheck >/dev/null; then \
 		env GOFLAGS= go install honnef.co/go/tools/cmd/staticcheck@latest; \
 	fi
+
+define comment_certs
+    $(eval $@_FILE = $(1))
+	sed -i -E "{s/(^patchesStrategicMerge.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*webhook_manifests_patch.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*files.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\.pem.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\/tls.*)/# \1/g}" ${$@_FILE}
+endef    
+
+.PHONY: enable-certs-generation
+enable-certs-generation:
+	sed -i "22,47 {s/^# //}" kustomization.yaml
+	@$(call comment_certs,"config/default/kustomization.yaml")
+	@$(call comment_certs,"config/default/egress/v4/kustomization.yaml")
+	@$(call comment_certs,"config/default/egress/v6/kustomization.yaml")

v2/config/pod/coil-egress-controller.yaml

@@ -46,8 +46,6 @@ spec:
         command: ["coil-egress-controller"]
         args:
           - --zap-stacktrace-level=panic
-          # [CERTS] Following line should be uncommented if automatic cert generation is used.
-          # - --enable-cert-rotation=true
         env:
         - name: "COIL_POD_NAMESPACE"
           valueFrom:

v2/config/pod/coil-ipam-controller.yaml

@@ -46,8 +46,6 @@ spec:
         command: ["coil-ipam-controller"]
         args:
           - --zap-stacktrace-level=panic
-          # [CERTS] Following line should be uncommented if automatic cert generation is used.
-          # - --enable-cert-rotation=true
         env:
         - name: "COIL_POD_NAMESPACE"
           valueFrom:

v2/config/pod/generate_certs.yaml

@@ -0,0 +1,3 @@
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: --enable-cert-rotation=true

v2/config/rbac/coil-egress-controller_role.yaml

@@ -12,15 +12,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -33,16 +24,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - apps
   resources:

v2/config/rbac/coil-ipam-controller_role.yaml

@@ -11,25 +11,6 @@ rules:
   verbs:
   - get
   - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - update
-  - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - coil.cybozu.com
   resources:

v2/config/rbac/generate_certs.yaml

@@ -0,0 +1,26 @@
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - list
+      - update
+      - watch

v2/e2e/Makefile

@@ -102,6 +102,22 @@ logs:
 	tar czf logs.tar.gz logs
 	rm -rf logs
 
+define comment_certs
+    $(eval $@_FILE = $(1))
+	sed -i -E "{s/(^patchesStrategicMerge.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*webhook_manifests_patch.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*files.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\.pem.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\/tls.*)/# \1/g}" ${$@_FILE}
+endef
+
+.PHONY: enable-certs-generation
+enable-certs-generation:
+	sed -i "9,33 {s/^# //}" kustomization.yaml
+	@$(call comment_certs,"../config/default/kustomization.yaml")
+	@$(call comment_certs,"../config/default/egress/v4/kustomization.yaml")
+	@$(call comment_certs,"../config/default/egress/v6/kustomization.yaml")
+
 $(KIND):
 	mkdir -p $(dir $@)
 	curl -sfL -o $@ https://github.com/kubernetes-sigs/kind/releases/download/v$(KIND_VERSION)/kind-linux-amd64

v2/e2e/coil-ipam-controller_patch.yaml

@@ -10,5 +10,3 @@ spec:
       - name: coil-ipam-controller
         args: 
         - "--gc-interval=10s"
-        # [CERTS] Following line should be uncommented if automatic cert generation is used.
-        # - "--enable-cert-rotation=true"