Implement TLS API Support

* Added flags to point to TLS PEM files to use for exposing and connecting to an encrypted remote API socket with server and client authentication. * Added TLS fields for system connection ls templates. * Added special "tls" format for system connection ls to list TLS fields in human-readable table format. * Updated remote integration and system tests to allow specifying a "transport" to run the full suite against a unix, tcp, tls, or mtls system service. * Added system tests to verify basic operation of unix, tcp, tls, and mtls services, clients, and connections. Signed-off-by: Andrew Melnick <meln5674.5674@gmail.com>
2025-11-28 17:18:58 +08:00 · 2025-07-31 18:51:37 -06:00
parent a118fdf4e2
commit feb36e4fe6
116 changed files with 1848 additions and 616 deletions
--- a/test/e2e/libpod_suite_remote_test.go
+++ b/test/e2e/libpod_suite_remote_test.go
@@ -18,6 +18,8 @@ import (
 	. "github.com/onsi/gomega"
 )

+var RemoteTestingTarget = PodmanTestCreateUtilTarget(os.Getenv("REMOTEINTEGRATION_TRANSPORT"))
+
 func IsRemote() bool {
 	return true
 }
@@ -53,11 +55,6 @@ func (p *PodmanTestIntegration) setRegistriesConfigEnv(b []byte) {
 func resetRegistriesConfigEnv() {
 	os.Setenv("CONTAINERS_REGISTRIES_CONF", "")
 }
-func PodmanTestCreate(tempDir string) *PodmanTestIntegration {
-	pti := PodmanTestCreateUtil(tempDir, true)
-	pti.StartRemoteService()
-	return pti
-}

 func (p *PodmanTestIntegration) StartRemoteService() {
 	if !isRootless() {
@@ -70,10 +67,26 @@ func (p *PodmanTestIntegration) StartRemoteService() {
 		args = append(args, "--log-level", "trace")
 	}
 	remoteSocket := p.RemoteSocket
-	args = append(args, "system", "service", "--time", "0", remoteSocket)
+	args = append(args, "system", "service", "--time", "0")
+
+	if p.RemoteTLSClientCAFile != "" {
+		args = append(args, "--tls-client-ca", p.RemoteTLSClientCAFile)
+	}
+	if p.RemoteTLSServerCertFile != "" {
+		args = append(args, "--tls-cert", p.RemoteTLSServerCertFile)
+	}
+	if p.RemoteTLSServerKeyFile != "" {
+		args = append(args, "--tls-key", p.RemoteTLSServerKeyFile)
+	}
+
+	args = append(args, remoteSocket)
+
 	podmanOptions := getRemoteOptions(p, args)
-	cacheOptions := []string{"--storage-opt",
-		fmt.Sprintf("%s.imagestore=%s", p.PodmanTest.ImageCacheFS, p.PodmanTest.ImageCacheDir)}
+	cacheOptions := []string{
+		"--storage-opt",
+		fmt.Sprintf("%s.imagestore=%s", p.PodmanTest.ImageCacheFS, p.PodmanTest.ImageCacheDir),
+	}
+
 	podmanOptions = append(cacheOptions, podmanOptions...)
 	command := exec.Command(p.PodmanBinary, podmanOptions...)
 	command.Stdout = GinkgoWriter
@@ -111,11 +124,18 @@ func getRemoteOptions(p *PodmanTestIntegration, args []string) []string {
 	networkDir := p.NetworkConfigDir
 	podmanOptions := strings.Split(fmt.Sprintf("--root %s --runroot %s --runtime %s --conmon %s --network-config-dir %s --network-backend %s --cgroup-manager %s --tmpdir %s --events-backend %s --db-backend %s",
 		p.Root, p.RunRoot, p.OCIRuntime, p.ConmonBinary, networkDir, p.NetworkBackend.ToString(), p.CgroupManager, p.TmpDir, "file", p.DatabaseBackend), " ")
+
 	podmanOptions = append(podmanOptions, strings.Split(p.StorageOptions, " ")...)
 	podmanOptions = append(podmanOptions, args...)
 	return podmanOptions
 }

+func PodmanTestCreate(tempDir string) *PodmanTestIntegration {
+	pti := PodmanTestCreateUtil(tempDir, RemoteTestingTarget)
+	pti.StartRemoteService()
+	return pti
+}
+
 // RestoreArtifact puts the cached image into our test store
 func (p *PodmanTestIntegration) RestoreArtifact(image string) error {
 	tarball := imageTarPath(image)
@@ -139,7 +159,7 @@ func (p *PodmanTestIntegration) DelayForService() error {
 	var err error
 	var conn net.Conn
 	for i := 0; i < 100; i++ {
-		conn, err = net.Dial("unix", strings.TrimPrefix(p.RemoteSocket, "unix:"))
+		conn, err = net.Dial(p.RemoteSocketScheme, strings.TrimPrefix(p.RemoteSocket, p.RemoteSocketScheme+"://"))
 		if err == nil {
 			conn.Close()
 			return nil