Add test for controller certificate change

The test does the following: 1. deploy first app with userdata to EVE 2. create new signing certificate for controller 3. update controller's certificate and resign old config 4. deploy second app with userdata 5. reboot EVE 6. deploy third app with userdata 7. make sure all apps are running correclty Signed-off-by: Paul Gaiduk <[email protected]>
lf-edge · Mar 4, 2024 · 9440875 · 9440875
1 parent 58c76f5
commit 9440875
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 4 deletions.
diff --git a/tests/eclient/testdata/ctrl_cert_change.txt b/tests/eclient/testdata/ctrl_cert_change.txt
@@ -0,0 +1,81 @@
+# Test of controller certificate change
+# This test validates the re-encryption of an application's user data
+# following a change in the controller's certificate, accompanied by an edge node reboot.
+# The test involves deploying three applications to make sure the config is (re)applied to all of them.
+
+{{$port := "2223"}}
+
+{{$userdata := "variable=value"}}
+{{define "eclient_image"}}docker://{{EdenConfig "eden.eclient.image"}}:{{EdenConfig "eden.eclient.tag"}}{{end}}
+
+[!exec:bash] stop
+[!exec:sleep] stop
+[!exec:chmod] stop
+
+exec chmod 600 {{EdenConfig "eden.tests"}}/eclient/image/cert/id_rsa
+
+eden network create 10.11.12.0/24 -n n1
+eden pod deploy -n eclient1 --memory=512MB --networks=n1 {{template "eclient_image"}} -p {{$port}}:22 --metadata={{$userdata}}
+
+test eden.app.test -test.v -timewait 20m RUNNING eclient1
+
+# generate new controller certificate
+eden utils gen-signing-cert -o /tmp/signing-new.pem
+
+# upload new certificate to controller, resign old config and reapply it
+eden adam change-signing-cert --cert-file /tmp/signing-new.pem
+
+# wait for changes to be applied
+test eden.lim.test -test.v -timewait 15m -test.run TestLog -out content 'content:Rebuilding.intended.global.config,.reasons:.reconnecting.app'
+
+eden pod deploy -n eclient2 --memory=512MB --networks=n1 {{template "eclient_image"}} --metadata={{$userdata}}
+
+test eden.app.test -test.v -timewait 20m RUNNING eclient2
+
+# check EVE got the new signing certificate
+exec -t 2m bash check_sign_cert.sh
+
+# send reboot command and wait in background
+test eden.reboot.test -test.v -timewait=20m -reboot=1 -count=1 &
+
+# wait for HALTED state which indicates that we are rebooting
+test eden.app.test -test.v -timewait 5m HALTED eclient1
+test eden.app.test -test.v -timewait 5m HALTED eclient2
+
+# wait for RUNNING state after reboot
+test eden.app.test -test.v -timewait 10m -check-new RUNNING eclient1
+test eden.app.test -test.v -timewait 10m -check-new RUNNING eclient2
+
+eden pod deploy -n eclient3 --memory=512MB --networks=n1 {{template "eclient_image"}} --metadata={{$userdata}}
+
+# check all apps are RUNNING
+
+test eden.app.test -test.v -timewait 20m RUNNING eclient1
+test eden.app.test -test.v -timewait 20m RUNNING eclient2
+test eden.app.test -test.v -timewait 20m RUNNING eclient3
+
+# cleanup
+eden pod delete eclient1
+eden pod delete eclient2
+eden pod delete eclient3
+eden network delete n1
+
+test eden.app.test -test.v -timewait 10m - eclient1
+test eden.app.test -test.v -timewait 10m - eclient2
+test eden.app.test -test.v -timewait 10m - eclient3
+test eden.network.test -test.v -timewait 10m - n1
+
+-- eden-config.yml --
+{{/* Test's config. file */}}
+test:
+    controller: adam://{{EdenConfig "adam.ip"}}:{{EdenConfig "adam.port"}}
+    eve:
+      {{EdenConfig "eve.name"}}:
+        onboard-cert: {{EdenConfigPath "eve.cert"}}
+        serial: "{{EdenConfig "eve.serial"}}"
+        model: {{EdenConfig "eve.devmodel"}}
+
+-- check_sign_cert.sh --
+EDEN={{EdenConfig "eden.root"}}/{{EdenConfig "eden.bin-dist"}}/{{EdenConfig "eden.eden-bin"}}
+$EDEN eve ssh cat /persist/certs/server-signing-cert.pem > /tmp/server-signing-cert.pem
+diff -Z /tmp/signing-new.pem /tmp/server-signing-cert.pem
diff --git a/tests/workflow/smoke.tests.txt b/tests/workflow/smoke.tests.txt
@@ -1,5 +1,5 @@
 # Number of tests
-{{$tests := 22}}
+{{$tests := 23}}
 # EDEN_TEST_SETUP env. var. -- "y"(default) performs the EDEN setup steps
 {{$setup := "y"}}
 {{$setup_env := EdenGetEnv "EDEN_TEST_SETUP"}}
@@ -70,12 +70,14 @@ eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/metad
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/userdata
 /bin/echo Eden app log test (19/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/app_logs
+/bin/echo Eden change controller certificate test (20/{{$tests}})
+eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/ctrl_cert_change
 
-/bin/echo Eden Shutdown test (20/{{$tests}})
+/bin/echo Eden Shutdown test (21/{{$tests}})
 eden.escript.test -testdata ../eclient/testdata/ -test.run TestEdenScripts/shutdown_test
 
-/bin/echo EVE reset (21/{{$tests}})
+/bin/echo EVE reset (22/{{$tests}})
 eden.escript.test -test.run TestEdenScripts/eden_reset
 
-/bin/echo EVE security tests (22/{{$tests}})
+/bin/echo EVE security tests (23/{{$tests}})
 eden.escript.test -test.run TestEdenScripts/sec_eden