dd

test/e2e/v4/plugin_cluster_test.go

@@ -69,10 +69,16 @@ var _ = Describe("kubebuilder", func() {
 		It("should generate a runnable project", func() {
 			GenerateV4(kbc)
 			Run(kbc, true, false, false, true, false)
+			It("should validate the metrics endpoint using cert-manager generated certificates", func() {
+				checkMetricsWithCert(kbc)
+			})
 		})
 		It("should generate a runnable project with the Installer", func() {
 			GenerateV4(kbc)
 			Run(kbc, true, true, false, true, false)
+			It("should validate the metrics endpoint using cert-manager generated certificates", func() {
+				checkMetricsWithCert(kbc)
+			})
 		})
 		It("should generate a runnable project using webhooks and installed with the HelmChart", func() {
 			GenerateV4(kbc)
@@ -95,6 +101,10 @@ var _ = Describe("kubebuilder", func() {
 		It("should generate a runnable project with webhooks and metrics protected by network policies", func() {
 			GenerateV4WithNetworkPolicies(kbc)
 			Run(kbc, true, false, false, true, true)
+
+			It("should validate the metrics endpoint using cert-manager generated certificates", func() {
+				checkMetricsWithCert(kbc)
+			})
 		})
 		It("should generate a runnable project with the manager running "+
 			"as restricted and without webhooks", func() {
@@ -535,6 +545,97 @@ func getMetricsOutput(kbc *utils.TestContext) string {
 	return metricsOutput
 }
 
+// checkMetricsWithCert validates the metrics endpoint using cert-manager generated certificates.
+func checkMetricsWithCert(kbc *utils.TestContext) {
+	By("validating that the controller-manager service is available")
+	_, err := kbc.Kubectl.Get(
+		true,
+		"service", fmt.Sprintf("e2e-%s-controller-manager-metrics-service", kbc.TestSuffix),
+	)
+	ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Controller-manager service should exist")
+
+	By("ensuring the service endpoint is ready")
+	eventuallyCheckServiceEndpoint := func() error {
+		output, err := kbc.Kubectl.Get(
+			true,
+			"endpoints", fmt.Sprintf("e2e-%s-controller-manager-metrics-service", kbc.TestSuffix),
+			"-o", "jsonpath={.subsets[*].addresses[*].ip}",
+		)
+		if err != nil {
+			return err
+		}
+		if output == "" {
+			return fmt.Errorf("no endpoints found")
+		}
+		return nil
+	}
+	EventuallyWithOffset(1, eventuallyCheckServiceEndpoint, 2*time.Minute, time.Second).Should(Succeed(),
+		"Service endpoint should be ready")
+
+	By("creating a curl pod to access the metrics endpoint using cert-manager certificates")
+	// Define the curl pod YAML
+	curlPodYAML := `
+apiVersion: v1
+kind: Pod
+metadata:
+  name: curl
+  namespace: system
+spec:
+  containers:
+  - name: curl
+    image: curlimages/curl:7.85.0
+    command:
+    - sh
+    - -c
+    - sleep infinity
+    volumeMounts:
+    - mountPath: /tmp/cert
+      name: cert-volume
+      readOnly: true
+  volumes:
+  - name: cert-volume
+    secret:
+      secretName: metrics-server-cert
+  restartPolicy: Never
+`
+	// Write the YAML to a temporary file
+	curlPodFile := filepath.Join(kbc.Dir, "curl-pod.yaml")
+	err = os.WriteFile(curlPodFile, []byte(curlPodYAML), 0644)
+	ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to write curl pod YAML to file")
+
+	// Apply the curl pod YAML
+	_, err = kbc.Kubectl.Apply(true, "-f", curlPodFile)
+	ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to create curl pod")
+
+	By("validating that the curl pod is running as expected")
+	verifyCurlPodUp := func() error {
+		status, err := kbc.Kubectl.Get(
+			true,
+			"pods", "curl", "-o", "jsonpath={.status.phase}",
+		)
+		ExpectWithOffset(2, err).NotTo(HaveOccurred())
+		if status != "Running" {
+			return fmt.Errorf("curl pod in %s status", status)
+		}
+		return nil
+	}
+	EventuallyWithOffset(1, verifyCurlPodUp, 2*time.Minute, time.Second).Should(Succeed())
+
+	By("validating that the metrics endpoint is serving as expected using the certificate")
+	cmd := `curl -v -k --cert /tmp/cert/tls.crt --key /tmp/cert/tls.key https://e2e-%s-controller-manager-metrics-service.system.svc.cluster.local:8443/metrics`
+	cmd = fmt.Sprintf(cmd, kbc.TestSuffix)
+	curlOutput, err := kbc.Kubectl.Command("exec", "curl", "--", "sh", "-c", cmd)
+	ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to curl the metrics endpoint with certificate")
+	ExpectWithOffset(1, curlOutput).To(ContainSubstring("< HTTP/1.1 200 OK"))
+
+	By("cleaning up the curl pod")
+	removeCurlPod(kbc)
+
+	// Remove the temporary YAML file
+	err = os.Remove(curlPodFile)
+	ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to delete temporary curl pod YAML file")
+}
+
 func metricsShouldBeUnavailable(kbc *utils.TestContext) {
 	_, err := kbc.Kubectl.Command(
 		"create", "clusterrolebinding", fmt.Sprintf("metrics-%s", kbc.TestSuffix),