Update e2e tests to use custom certs and image signature verification

Signed-off-by: Prem Kumar Kalle <pkalle@vmware.com>

Makefile

@@ -178,8 +178,14 @@ test: fmt ## Run Tests
 .PHONY: e2e-cli-core ## Execute all CLI Core E2E Tests
 e2e-cli-core: start-test-central-repo e2e-cli-core-all ## Execute all CLI Core E2E Tests
 
+.PHONY: setup-custom-cert-for-test-central-repo
+setup-custom-cert-for-test-central-repo: build ## Setup up the custom ca cert for test-central-repo in the config file
+	echo "Adding docker test central repo cert to the config file"
+	TANZU_CLI_CEIP_OPT_IN_PROMPT_ANSWER="No" $(ROOT_DIR)/bin/tanzu config cert delete localhost:9876 || true
+	$(ROOT_DIR)/bin/tanzu config cert add --hostname localhost:9876 --ca-certificate $(ROOT_DIR)/hack/central-repo/certs/localhost.crt
+
 .PHONY: start-test-central-repo
-start-test-central-repo: stop-test-central-repo ## Starts up a test central repository locally with docker
+start-test-central-repo: stop-test-central-repo setup-custom-cert-for-test-central-repo ## Starts up a test central repository locally with docker
 	@if [ ! -d $(ROOT_DIR)/hack/central-repo/registry-content ]; then \
 		(cd $(ROOT_DIR)/hack/central-repo && tar xjf registry-content.bz2 || true;) \
 	fi

test/e2e/Makefile

@@ -18,10 +18,23 @@ ifndef TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL
 TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL = gcr.io/eminent-nation-87317/tanzu-cli/test/v1/plugins/plugin-inventory:latest
 endif
 
+ifndef TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_HOSTNAME
+TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_HOSTNAME = localhost:9876
+endif
+
+ifndef TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_CA_CERT_PATH
+TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_CA_CERT_PATH =  ${ROOT_DIR}/hack/central-repo/certs/localhost.crt
+endif
+
 ifndef TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL
-TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL = localhost:9876/tanzu-cli/plugins/central:small
+TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL = ${TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_HOSTNAME}/tanzu-cli/plugins/central:small
 endif
 
+ifndef TANZU_CLI_E2E_TEST_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH
+TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH = ${ROOT_DIR}/hack/central-repo/cosign-key-pair/cosign.pub
+endif
+
+
 
 .PHONY: e2e-cli-core-all ## Execute all CLI Core E2E Tests
 e2e-cli-core-all: e2e-cli-lifecycle e2e-cli-config e2e-cli-plugin-compatibility-test e2e-context-k8s-tests e2e-context-tmc-test e2e-cli-plugin-lifecycle-sync-test
@@ -44,7 +57,7 @@ e2e-cli-plugin-compatibility-test:
 	else \
 		export TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL=$(TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL) ; \
 		export TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_VERIFICATION_SKIP_LIST=$(TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL) ; \
-		export TANZU_CLI_CEIP_OPT_IN_PROMPT_ANSWER="Yes" ; \
+		export TANZU_CLI_CEIP_OPT_IN_PROMPT_ANSWER="No" ; \
 		${GO} test ${ROOT_DIR}/test/e2e/plugins_compatibility -timeout ${E2E_TEST_TIMEOUT} -race -coverprofile ${E2E_TEST_OUTPUT} ${GOTEST_VERBOSE} ; \
 	fi 
 
@@ -54,8 +67,10 @@ e2e-cli-plugin-lifecycle-sync-test:
 		echo "***Skipping Plugin life cycle test cases because environment variables TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL is not set***" ; \
 	else \
 		export TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL=$(TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL) ; \
-		export TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_VERIFICATION_SKIP_LIST=$(TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL) ; \
-		export TANZU_CLI_CEIP_OPT_IN_PROMPT_ANSWER="Yes" ; \
+		export TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH=$(TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH) ; \
+		export TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_HOSTNAME=${TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_HOSTNAME} ; \
+		export TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_CA_CERT_PATH=${TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_CA_CERT_PATH} ; \
+		export TANZU_CLI_CEIP_OPT_IN_PROMPT_ANSWER="No" ; \
 		${GO} test ${ROOT_DIR}/test/e2e/plugin_lifecycle -timeout ${E2E_TEST_TIMEOUT} -race -coverprofile ${E2E_TEST_OUTPUT} ${GOTEST_VERBOSE} ; \
 		${GO} test ${ROOT_DIR}/test/e2e/plugin_sync -timeout ${E2E_TEST_TIMEOUT} -race -coverprofile ${E2E_TEST_OUTPUT} ${GOTEST_VERBOSE} ; \
 	fi

test/e2e/framework/config_lifecycle_operations.go

@@ -45,17 +45,39 @@ type ConfigLifecycleOps interface {
 	IsCLIConfigurationFilesExists() bool
 }
 
+// ConfigCertOps performs "tanzu config cert" command operations
+type ConfigCertOps interface {
+	// ConfigCertAdd adds cert config for a host, and returns stdOut and error info
+	ConfigCertAdd(certAddOpts *CertAddOptions, opts ...E2EOption) (string, error)
+
+	// ConfigCertDelete deletes cert config for a host, and returns error info
+	ConfigCertDelete(hostname string, opts ...E2EOption) error
+}
+
+type ConfigCmdOps interface {
+	ConfigLifecycleOps
+	ConfigCertOps
+}
+
 // configOps is the implementation of ConfOps interface
 type configOps struct {
 	cmdExe CmdOps
+	ConfigCmdOps
 }
 
-func NewConfOps() ConfigLifecycleOps {
+func NewConfOps() ConfigCmdOps {
 	return &configOps{
 		cmdExe: NewCmdOps(),
 	}
 }
 
+type CertAddOptions struct {
+	HostName          string
+	CACertificatePath string
+	SkipCertVerify    string
+	Insecure          string
+}
+
 // GetConfig gets the tanzu config
 func (co *configOps) GetConfig(opts ...E2EOption) (*configapi.ClientConfig, error) {
 	out, _, err := co.cmdExe.TanzuCmdExec(ConfigGet, opts...)
@@ -154,3 +176,15 @@ func (co *configOps) IsCLIConfigurationFilesExists() bool {
 	}
 	return false
 }
+
+func (co *configOps) ConfigCertAdd(certAddOpts *CertAddOptions, opts ...E2EOption) (string, error) {
+	certAddCmd := fmt.Sprintf(ConfigCertAdd, "%s", certAddOpts.HostName, certAddOpts.CACertificatePath, certAddOpts.SkipCertVerify, certAddOpts.Insecure)
+	out, _, err := co.cmdExe.TanzuCmdExec(certAddCmd, opts...)
+	return out.String(), err
+}
+
+func (co *configOps) ConfigCertDelete(hostname string, opts ...E2EOption) error {
+	certDeleteCmd := fmt.Sprintf(ConfigCertDelete, "%s", hostname)
+	_, _, err := co.cmdExe.TanzuCmdExec(certDeleteCmd, opts...)
+	return err
+}

test/e2e/framework/framework.go

@@ -26,6 +26,8 @@ const (
 	ConfigInit         = "%s config init"
 	ConfigServerList   = "%s config server list"
 	ConfigServerDelete = "%s config server delete %s -y"
+	ConfigCertAdd      = "%s config cert add --hostname %s --ca-certificate %s --skip-cert-verify %s --insecure %s"
+	ConfigCertDelete   = "%s config cert delete %s"
 
 	// Plugin commands
 	UpdatePluginSource                  = "%s plugin source update %s --uri %s"
@@ -48,9 +50,11 @@ const (
 	PluginKey                           = "%s_%s_%s" // Plugins - Name_Target_Versions
 
 	// Central repository
-	TanzuCliE2ETestCentralRepositoryURL      = "TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL"
-	TanzuCliE2ETestLocalCentralRepositoryURL = "TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL"
-
+	TanzuCliE2ETestCentralRepositoryURL                                             = "TANZU_CLI_E2E_TEST_CENTRAL_REPO_URL"
+	TanzuCliE2ETestLocalCentralRepositoryURL                                        = "TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_URL"
+	TanzuCliE2ETestLocalCentralRepositoryPluginDiscoveryImageSignaturePublicKeyPath = "TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH"
+	TanzuCliE2ETestLocalCentralRepositoryHostName                                   = "TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_HOSTNAME"
+	TanzuCliE2ETestLocalCentralRepositoryCACertPath                                 = "TANZU_CLI_E2E_TEST_LOCAL_CENTRAL_REPO_CA_CERT_PATH"
 	// General constants
 	True         = "true"
 	Installed    = "installed"
@@ -165,7 +169,7 @@ func CLICoreDescribe(text string, body func()) bool {
 // Framework has all helper functions to write CLI e2e test cases
 type Framework struct {
 	CliOps
-	Config       ConfigLifecycleOps
+	Config       ConfigCmdOps
 	KindCluster  ClusterOps
 	PluginCmd    PluginCmdOps    // performs plugin command operations
 	PluginHelper PluginHelperOps // helper (pre-setup) for plugin cmd operations

test/e2e/plugin_lifecycle/plugin_lifecycle_suite_test.go

@@ -35,10 +35,26 @@ var _ = BeforeSuite(func() {
 	e2eTestLocalCentralRepoURL = os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryURL)
 	Expect(e2eTestLocalCentralRepoURL).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository URL", framework.TanzuCliE2ETestLocalCentralRepositoryURL))
 
-	// setup the test central repo
+	// set up the test central repo
 	_, err := tf.PluginCmd.UpdatePluginDiscoverySource(&framework.DiscoveryOptions{Name: "default", SourceType: framework.SourceType, URI: e2eTestLocalCentralRepoURL})
 	Expect(err).To(BeNil(), "should not get any error for plugin source update")
 
+	e2eTestLocalCentralRepoPluginHostname := os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryHostName)
+	Expect(e2eTestLocalCentralRepoPluginHostname).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository hostname", framework.TanzuCliE2ETestLocalCentralRepositoryHostName))
+
+	e2eTestLocalCentralRepoCACertPath := os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryCACertPath)
+	Expect(e2eTestLocalCentralRepoCACertPath).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository CA cert path", framework.TanzuCliE2ETestLocalCentralRepositoryCACertPath))
+
+	// set up the CA cert fort local central repository
+	_ = tf.Config.ConfigCertDelete(e2eTestLocalCentralRepoPluginHostname)
+	_, err = tf.Config.ConfigCertAdd(&framework.CertAddOptions{HostName: e2eTestLocalCentralRepoPluginHostname, CACertificatePath: e2eTestLocalCentralRepoCACertPath, SkipCertVerify: "false", Insecure: "false"})
+	Expect(err).To(BeNil())
+
+	// set up the local central repository discovery image public key path
+	e2eTestLocalCentralRepoPluginDiscoveryImageSignaturePublicKeyPath := os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryPluginDiscoveryImageSignaturePublicKeyPath)
+	Expect(e2eTestLocalCentralRepoPluginDiscoveryImageSignaturePublicKeyPath).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository discovery image signature public key path", framework.TanzuCliE2ETestLocalCentralRepositoryPluginDiscoveryImageSignaturePublicKeyPath))
+	os.Setenv("TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH", e2eTestLocalCentralRepoPluginDiscoveryImageSignaturePublicKeyPath)
+
 	// search plugin groups and make sure there plugin groups available
 	pluginGroups = SearchAllPluginGroups(tf)
 

test/e2e/plugin_sync/plugin_sync_lifecycle_suite_test.go

@@ -41,10 +41,26 @@ var _ = BeforeSuite(func() {
 	e2eTestLocalCentralRepoURL = os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryURL)
 	Expect(e2eTestLocalCentralRepoURL).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository URL", framework.TanzuCliE2ETestLocalCentralRepositoryURL))
 
-	// setup the test central repo
+	// set up the test central repo
 	_, err := tf.PluginCmd.UpdatePluginDiscoverySource(&framework.DiscoveryOptions{Name: "default", SourceType: framework.SourceType, URI: e2eTestLocalCentralRepoURL})
 	Expect(err).To(BeNil(), "should not get any error for plugin source update")
 
+	e2eTestLocalCentralRepoPluginHostname := os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryHostName)
+	Expect(e2eTestLocalCentralRepoPluginHostname).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository hostname", framework.TanzuCliE2ETestLocalCentralRepositoryHostName))
+
+	e2eTestLocalCentralRepoCACertPath := os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryCACertPath)
+	Expect(e2eTestLocalCentralRepoCACertPath).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository CA cert path", framework.TanzuCliE2ETestLocalCentralRepositoryCACertPath))
+
+	// set up the CA cert fort local central repository
+	_ = tf.Config.ConfigCertDelete(e2eTestLocalCentralRepoPluginHostname)
+	_, err = tf.Config.ConfigCertAdd(&framework.CertAddOptions{HostName: e2eTestLocalCentralRepoPluginHostname, CACertificatePath: e2eTestLocalCentralRepoCACertPath, SkipCertVerify: "false", Insecure: "false"})
+	Expect(err).To(BeNil())
+
+	// set up the local central repository discovery image public key path
+	e2eTestLocalCentralRepoPluginDiscoveryImageSignaturePublicKeyPath := os.Getenv(framework.TanzuCliE2ETestLocalCentralRepositoryPluginDiscoveryImageSignaturePublicKeyPath)
+	Expect(e2eTestLocalCentralRepoPluginDiscoveryImageSignaturePublicKeyPath).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s should set with local central repository discovery image signature public key path", framework.TanzuCliE2ETestLocalCentralRepositoryPluginDiscoveryImageSignaturePublicKeyPath))
+	os.Setenv("TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_PUBLIC_KEY_PATH", e2eTestLocalCentralRepoPluginDiscoveryImageSignaturePublicKeyPath)
+
 	// search plugin groups and make sure there plugin groups available
 	pluginGroups = helper.SearchAllPluginGroups(tf)