scality · bert-e · Aug 22, 2025 · Jul 3, 2025
diff --git a/.github/scripts/end2end/configs/zenko.yaml b/.github/scripts/end2end/configs/zenko.yaml
@@ -130,6 +130,10 @@ spec:
     controlPlaneClass: 'nginx-control-plane'
     ${ZENKO_INGRESS_ANNOTATIONS}
     ${ZENKO_INGRESS_CERTIFICATES}
+  egress:
+    extraCACerts:
+      - secretName: zenko-root-ca 
+        secretAttributeName: ca.crt
   registry:
     imagePullSecretNames:
     - zenko-operator-image-pull

diff --git a/.github/scripts/end2end/install-kind-dependencies.sh b/.github/scripts/end2end/install-kind-dependencies.sh
@@ -67,19 +67,55 @@ kubectl rollout status -n ingress-nginx deployment/ingress-nginx-controller --ti
 kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml --wait
 kubectl rollout status -n cert-manager deployment/cert-manager-webhook --timeout=10m
 
-retries=20
-until kubectl apply -f - <<EOF
+# === CERTIFICATE AUTHORITY SETUP ===
+# We need a self-signed root CA certificate for signing certificates for mock services
+# (Azure mock, AWS mock). This enables HTTPS testing with proper certificate validation.
+
+echo "Waiting for cert-manager webhook to be ready..."
+kubectl wait --for=condition=Available --timeout=60s deployment/cert-manager-webhook -n cert-manager
+
+cat <<'EOF' | kubectl apply -f -
+---
+# Bootstrap self-signed ClusterIssuer for creating the root CA
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: artesca-root-ca-issuer
+  name: bootstrap-selfsigned
 spec:
   selfSigned: {}
+---
+# Root CA certificate that will act as our custom CA
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: root-ca
+  namespace: cert-manager
+spec:
+  secretName: root-ca
+  isCA: true
+  commonName: root-ca
+  issuerRef:
+    name: bootstrap-selfsigned
+    kind: ClusterIssuer
+---
+# Production ClusterIssuer that uses our root CA for signing service certificates
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: artesca-root-ca-issuer
+spec:
+  ca:
+    secretName: root-ca
 EOF
-do
-    ((--retries)) || { echo "Failed to create ClusterIssuer"; exit 1; }
-    sleep 1
-done
+
+kubectl wait --for=condition=Ready --timeout=240s certificate/root-ca -n cert-manager
+kubectl wait --for=condition=Ready --timeout=240s clusterissuer/artesca-root-ca-issuer
+
+# Copy root CA secret to default namespace for applications to use
+echo "Copying root CA certificate to default namespace..."
+kubectl get secret root-ca -n cert-manager -o json | 
+  jq '.metadata.namespace="default" | .metadata.name="zenko-root-ca"' | 
+  kubectl apply -f -
 
 # prometheus
 # last-applied-configuration can end up larger than 256kB  which is too large for an annotation

diff --git a/.github/scripts/end2end/run-e2e-test.sh b/.github/scripts/end2end/run-e2e-test.sh
@@ -135,10 +135,21 @@ run_e2e_test() {
     "containers": [
       {
         "name": "'$POD_NAME'",
+        "env": [
+          {
+            "name": "NODE_EXTRA_CA_CERTS",
+            "value": "/etc/ssl/certs/ca-cert.pem"
+          }
+        ],
         "volumeMounts": [
           {
             "name": "reports",
             "mountPath": "/reports"
+          },
+          {
+            "name": "ca-cert",
+            "mountPath": "/etc/ssl/certs",
+            "readOnly": true
           }
         ]
       }
@@ -150,6 +161,18 @@ run_e2e_test() {
           "path": "/data/reports",
           "type": "DirectoryOrCreate"
         }
+      },
+      {
+        "name": "ca-cert",
+        "secret": {
+          "secretName": "zenko-root-ca",
+          "items": [
+            {
+              "key": "ca.crt",
+              "path": "ca-cert.pem"
+            }
+          ]
+        }
       }
     ]
   }

diff --git a/.github/scripts/mocks/aws-mock.yaml b/.github/scripts/mocks/aws-mock.yaml
@@ -19,7 +19,13 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-body-size: 0m
     nginx.ingress.kubernetes.io/proxy-buffering: "off"
     nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+    cert-manager.io/cluster-issuer: "artesca-root-ca-issuer"
 spec:
+  tls:
+    - secretName: aws-mock-tls
+      hosts:
+        - "aws-mock.zenko.local"
+        - "*.aws-mock.zenko.local"
   rules:
   - host: 'aws-mock.zenko.local'
     http:

diff --git a/.github/scripts/mocks/azure-mock.yaml b/.github/scripts/mocks/azure-mock.yaml
@@ -26,7 +26,14 @@ spec:
   subdomain: azure-mock
   containers:
   - image: mcr.microsoft.com/azure-storage/azurite:3.31.0
-    command: ["azurite", "-l", "/data", "--blobHost", "0.0.0.0", "--blobPort", "80", "--queueHost", "0.0.0.0","--queuePort", "81"]
+    command: [
+      "azurite",
+      "-l", "/data",
+      "--blobHost", "0.0.0.0",
+      "--blobPort", "80",
+      "--queueHost", "0.0.0.0",
+      "--queuePort", "81",
+    ]
     name: azurite
     ports:
       - name: blob
@@ -46,7 +53,16 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: azure-mock
+  annotations:
+    cert-manager.io/cluster-issuer: "artesca-root-ca-issuer"
 spec:
+  tls:
+    - secretName: zenko-tls-azure
+      hosts:
+        - "azure-mock.zenko.local" 
+        - "*.azure-mock.zenko.local"
+        - "*.blob.azure-mock.zenko.local"
+        - "*.queue.azure-mock.zenko.local"
   rules:
   - host: '*.azure-mock.zenko.local'
     http:
@@ -108,3 +124,23 @@ spec:
               name: queue
         path: /
         pathType: Prefix
+  - host: 'devstoreaccount1.blob.azure-mock.zenko.local'
+    http:
+      paths:
+      - backend:
+          service:
+            name: azure-mock
+            port:
+              name: blob
+        path: /
+        pathType: Prefix
+  - host: 'devstoreaccount1.queue.azure-mock.zenko.local'
+    http:
+      paths:
+      - backend:
+          service:
+            name: azure-mock
+            port:
+              name: queue
+        path: /
+        pathType: Prefix
diff --git a/.github/workflows/end2end.yaml b/.github/workflows/end2end.yaml
@@ -46,10 +46,10 @@ env:
   PROMETHEUS_NAME: "prometheus"
   # mock-env
   AZURE_ACCOUNT_NAME: devstoreaccount1
-  AZURE_BACKEND_ENDPOINT: http://devstoreaccount1.blob.azure-mock.zenko.local
-  AZURE_BACKEND_QUEUE_ENDPOINT: http://devstoreaccount1.queue.azure-mock.zenko.local
+  AZURE_BACKEND_ENDPOINT: https://devstoreaccount1.blob.azure-mock.zenko.local
+  AZURE_BACKEND_QUEUE_ENDPOINT: https://devstoreaccount1.queue.azure-mock.zenko.local
   AZURE_SECRET_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
-  AWS_ENDPOINT: http://aws-mock.zenko.local
+  AWS_ENDPOINT: https://aws-mock.zenko.local
   AWS_ACCESS_KEY: accessKey1
   AWS_SECRET_KEY: verySecretKey1
   VERIFY_CERTIFICATES: "false"

diff --git a/solution/deps.yaml b/solution/deps.yaml
@@ -136,7 +136,7 @@ vault:
 zenko-operator:
   sourceRegistry: ghcr.io/scality
   image: zenko-operator
-  tag: v1.7.5
+  tag: v1.7.7
   envsubst: ZENKO_OPERATOR_TAG
 zenko-ui:
   sourceRegistry: ghcr.io/scality