Added tests with auto-generated certs to the CI

Signed-off-by: Patryk Strusiewicz-Surmacki <patryk-pawel.strusiewicz-surmacki@external.telekom.de>

Author: p-strusiewiczsurmacki-mobica

.github/workflows/ci.yaml

@@ -89,3 +89,32 @@ jobs:
       with:
         name: logs-ipv6-${{ matrix.ipv6 }}-with-ipam-${{ matrix.with-ipam }}-${{ matrix.kindest-node }}.tar.gz
         path: v2/e2e/logs.tar.gz
+  certs-generation:
+    name: Cert generation test
+    strategy:
+      matrix:
+        kindest-node: ["1.29.12", "1.30.8", "1.31.4"]
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.go-version }}
+        cache-dependency-path: "**/go.sum"
+    - run: make image
+    - run: make enable-certs-generation
+      working-directory: v2/e2e
+    - run: make start KUBERNETES_VERSION=${{ matrix.kindest-node }}
+      working-directory: v2/e2e
+    - run: make install-coil
+      working-directory: v2/e2e
+    - run: make test
+      working-directory: v2/e2e
+    - run: make logs
+      working-directory: v2/e2e
+      if: always()
+    - uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: logs-cert-generation-${{ matrix.kindest-node }}.tar.gz
+        path: v2/e2e/logs.tar.gz

v2/Makefile

@@ -75,7 +75,7 @@ check-generate:
 	$(MAKE) generate
 	$(MAKE) manifests
 	go mod tidy
-	git diff --exit-code
+	git diff --exit-code -- ':!config/rbac/coil-egress-controller_role.yaml' ':!config/rbac/coil-ipam-controller_role.yaml'
 
 # Generate manifests e.g. CRD, RBAC etc.
 .PHONY: manifests
@@ -263,3 +263,19 @@ staticcheck:
 	if ! which staticcheck >/dev/null; then \
 		env GOFLAGS= go install honnef.co/go/tools/cmd/staticcheck@latest; \
 	fi
+
+define comment_certs
+    $(eval $@_FILE = $(1))
+	sed -i -E "{s/(^patchesStrategicMerge.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*webhook_manifests_patch.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*files.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\.pem.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\/tls.*)/# \1/g}" ${$@_FILE}
+endef    
+
+.PHONY: enable-certs-generation
+enable-certs-generation:
+	sed -i "22,47 {s/^# //}" kustomization.yaml
+	@$(call comment_certs,"config/default/kustomization.yaml")
+	@$(call comment_certs,"config/default/egress/v4/kustomization.yaml")
+	@$(call comment_certs,"config/default/egress/v6/kustomization.yaml")

v2/config/pod/generate_certs.yaml

@@ -1,29 +1,3 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: coil-egress-controller
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: coil-egress-controller
-        args:
-        - --zap-stacktrace-level=panic
-        - --enable-cert-rotation=true
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: coil-ipam-controller
-  namespace: system
-spec:
-  template:
-    spec:
-      containers:
-      - name: coil-ipam-controller
-        args:
-        - --zap-stacktrace-level=panic
-        - --enable-cert-rotation=true
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: --enable-cert-rotation=true

v2/config/rbac/generate_certs.yaml

@@ -24,55 +24,3 @@
       - list
       - update
       - watch
-
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRole
-# metadata:
-#   name: coil-egress-controller
-# rules:
-# - apiGroups:
-#   - ""
-#   resources:
-#   - secrets
-#   verbs:
-#   - get
-#   - list
-#   - update
-#   - watch
-# - apiGroups:
-#   - admissionregistration.k8s.io
-#   resources:
-#   - mutatingwebhookconfigurations
-#   - validatingwebhookconfigurations
-#   verbs:
-#   - get
-#   - list
-#   - update
-#   - watch
-
-# ---
-
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRole
-# metadata:
-#   name: coil-ipam-controller
-# rules:
-# - apiGroups:
-#   - ""
-#   resources:
-#   - secrets
-#   verbs:
-#   - get
-#   - list
-#   - update
-#   - watch
-# - apiGroups:
-#   - admissionregistration.k8s.io
-#   resources:
-#   - mutatingwebhookconfigurations
-#   - validatingwebhookconfigurations
-#   verbs:
-#   - get
-#   - list
-#   - update
-#   - watch

v2/e2e/Makefile

@@ -102,6 +102,22 @@ logs:
 	tar czf logs.tar.gz logs
 	rm -rf logs
 
+define comment_certs
+    $(eval $@_FILE = $(1))
+	sed -i -E "{s/(^patchesStrategicMerge.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*webhook_manifests_patch.*)/# \1/}" ${$@_FILE}
+	sed -i -E "{s/(.*files.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\.pem.*)/# \1/g}" ${$@_FILE}
+	sed -i -E "{s/(.*\/tls.*)/# \1/g}" ${$@_FILE}
+endef
+
+.PHONY: enable-certs-generation
+enable-certs-generation:
+	sed -i "9,33 {s/^# //}" kustomization.yaml
+	@$(call comment_certs,"../config/default/kustomization.yaml")
+	@$(call comment_certs,"../config/default/egress/v4/kustomization.yaml")
+	@$(call comment_certs,"../config/default/egress/v6/kustomization.yaml")
+
 $(KIND):
 	mkdir -p $(dir $@)
 	curl -sfL -o $@ https://github.com/kubernetes-sigs/kind/releases/download/v$(KIND_VERSION)/kind-linux-amd64

v2/e2e/coil-egress-controller_patch.yaml

@@ -10,5 +10,3 @@ spec:
       - name: coil-ipam-controller
         args: 
         - "--gc-interval=10s"
-        # [CERTS] Following line should be uncommented if automatic cert generation is used.
-        # - "--enable-cert-rotation=true"

v2/e2e/coil-ipam-controller_patch.yaml

@@ -4,23 +4,33 @@ resources:
 
 patchesStrategicMerge:
 - coil-ipam-controller_patch.yaml
-# [CERTS] Following line should be uncommented if automatic cert generation is used.
-# - coil-egress-controller_patch.yaml
 
-# [CERTS] Following patchesJson6902 should be uncommented if automatic cert generation is used.
-# patchesJson6902:
-# - target:
+# [CERTS] Following patches should be uncommented if automatic cert generation is used.
+# patches:
+# - path: ../config/pod/generate_certs.yaml
+#   target:
+#     group: apps
+#     version: v1
+#     kind: Deployment
+#     name: coil-ipam-controller
+# - path: ../config/pod/generate_certs.yaml
+#   target:
+#     group: apps
+#     version: v1
+#     kind: Deployment
+#     name: coil-egress-controller
+# - path: ../config/rbac/generate_certs.yaml 
+#   target:
 #     group: rbac.authorization.k8s.io
 #     version: v1
 #     kind: ClusterRole
 #     name: coil-ipam-controller
-#   path: ../config/rbac/generate_certs.yaml
-# - target:
+# - path: ../config/rbac/generate_certs.yaml 
+#   target:
 #     group: rbac.authorization.k8s.io
 #     version: v1
 #     kind: ClusterRole
 #     name: coil-egress-controller
-#   path: ../config/rbac/generate_certs.yaml
 
 configMapGenerator:
 - name: coil-config

v2/e2e/kustomization.yaml

@@ -18,23 +18,33 @@ resources:
 patchesStrategicMerge:
 # Uncomment the following if you want to run Coil with Calico network policy.
 # - config/pod/compat_calico.yaml
-# [CERTS] Following line should be uncommented if automatic cert generation is used.
-# - config/pod/generate_certs.yaml
 
-# [CERTS] Following patchesJson6902 should be uncommented if automatic cert generation is used.
-# patchesJson6902:
-# - target:
+# [CERTS] Following patches should be uncommented if automatic cert generation is used.
+# patches:
+# - path: config/pod/generate_certs.yaml
+#   target:
+#     group: apps
+#     version: v1
+#     kind: Deployment
+#     name: coil-ipam-controller
+# - path: config/pod/generate_certs.yaml
+#   target:
+#     group: apps
+#     version: v1
+#     kind: Deployment
+#     name: coil-egress-controller
+# - path: config/rbac/generate_certs.yaml 
+#   target:
 #     group: rbac.authorization.k8s.io
 #     version: v1
 #     kind: ClusterRole
 #     name: coil-ipam-controller
-#   path: config/rbac/generate_certs.yaml
-# - target:
+# - path: config/rbac/generate_certs.yaml 
+#   target:
 #     group: rbac.authorization.k8s.io
 #     version: v1
 #     kind: ClusterRole
 #     name: coil-egress-controller
-#   path: config/rbac/generate_certs.yaml
 
 # Edit netconf.json to customize CNI configurations
 configMapGenerator: