// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package apicerts
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"errors"
"testing"
"time"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
kubeinformers "k8s.io/client-go/informers"
kubernetesfake "k8s.io/client-go/kubernetes/fake"
kubetesting "k8s.io/client-go/testing"
"github.com/vmware-tanzu/pinniped/internal/controllerlib"
"github.com/vmware-tanzu/pinniped/internal/testutil"
)
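// TestExpirerControllerFilters verifies the informer filter that
// NewCertsExpirerController installs: only a Secret named "api-serving-cert"
// that lives in the controller's own namespace is admitted by the Add, Update
// and Delete filters; every other secret is ignored.
func TestExpirerControllerFilters(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name      string
		namespace string // namespace the controller is constructed with
		secret    corev1.Secret
		want      bool
	}{
		{
			name:      "good name, good namespace",
			namespace: "good-namespace",
			secret: corev1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "api-serving-cert",
					Namespace: "good-namespace",
				},
			},
			want: true,
		},
		{
			// The controller namespace must equal the secret's namespace here;
			// otherwise this case would be rejected on the namespace and never
			// exercise the name check in isolation.
			name:      "bad name, good namespace",
			namespace: "good-namespace",
			secret: corev1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "bad-name",
					Namespace: "good-namespace",
				},
			},
			want: false,
		},
		{
			name:      "good name, bad namespace",
			namespace: "good-namespacee",
			secret: corev1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "api-serving-cert",
					Namespace: "bad-namespace",
				},
			},
			want: false,
		},
		{
			name:      "bad name, bad namespace",
			namespace: "good-namespacee",
			secret: corev1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "bad-name",
					Namespace: "bad-namespace",
				},
			},
			want: false,
		},
	}
	for _, test := range tests {
		test := test
		t.Run(test.name+"-"+test.namespace, func(t *testing.T) {
			t.Parallel()

			secretsInformer := kubeinformers.NewSharedInformerFactory(
				kubernetesfake.NewSimpleClientset(),
				0,
			).Core().V1().Secrets()
			// The observable option records the filter the controller registers
			// for the informer so it can be exercised directly below.
			withInformer := testutil.NewObservableWithInformerOption()
			_ = NewCertsExpirerController(
				test.namespace,
				nil, // k8sClient, not needed
				secretsInformer,
				withInformer.WithInformer,
				0, // renewBefore, not needed
			)

			// An empty, unrelated secret is the "other side" of Update; the
			// same verdict is expected whichever side test.secret is on.
			unrelated := corev1.Secret{}
			filter := withInformer.GetFilterForInformer(secretsInformer)
			require.Equal(t, test.want, filter.Add(&test.secret))
			require.Equal(t, test.want, filter.Update(&unrelated, &test.secret))
			require.Equal(t, test.want, filter.Update(&test.secret, &unrelated))
			require.Equal(t, test.want, filter.Delete(&test.secret))
		})
	}
}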
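// TestExpirerControllerSync drives one Sync() of the certs expirer controller
// against fake clients and checks whether it deletes the serving-cert Secret.
//
// Each case optionally seeds the "api-serving-cert" Secret in "some-namespace"
// (in both the API client and the informer client), optionally installs a fake
// reactor, runs Sync, and then compares the exact list of actions recorded by
// the API client against the single expected delete (or none at all).
func TestExpirerControllerSync(t *testing.T) {
	t.Parallel()

	const (
		secretName      = "api-serving-cert" // See certs_manager.go.
		secretNamespace = "some-namespace"
		// Key under which the serving cert PEM is stored. See certs_manager.go
		// for this constant.
		certChainKey = "tlsCertificateChain"
	)

	// certFiller returns a fillSecretData func that generates a certificate
	// valid from now+notBeforeOffset until now+notAfterOffset and stores its
	// PEM under certChainKey.
	certFiller := func(notBeforeOffset, notAfterOffset time.Duration) func(*testing.T, map[string][]byte) {
		return func(t *testing.T, m map[string][]byte) {
			certPEM, err := testutil.CreateCertificate(
				time.Now().Add(notBeforeOffset),
				time.Now().Add(notAfterOffset),
			)
			require.NoError(t, err)
			m[certChainKey] = certPEM
		}
	}

	tests := []struct {
		name                string
		renewBefore         time.Duration
		fillSecretData      func(*testing.T, map[string][]byte) // nil means no Secret is seeded
		configKubeAPIClient func(*kubernetesfake.Clientset)    // optional reactor setup
		wantDelete          bool
		wantError           string
	}{
		{
			name:       "secret does not exist",
			wantDelete: false,
		},
		{
			name:           "secret missing key",
			fillSecretData: func(t *testing.T, m map[string][]byte) {},
			wantDelete:     false,
		},
		{
			// The cert has been valid for 5h, under the 7h renewBefore, so it
			// is left alone. Together with the next case this pins that a larger
			// renewBefore makes deletion less likely for the same cert, i.e. the
			// threshold is applied to the cert's age (time since NotBefore)
			// rather than to its remaining lifetime.
			name:           "lifetime below threshold",
			renewBefore:    7 * time.Hour,
			fillSecretData: certFiller(-5*time.Hour, 5*time.Hour),
			wantDelete:     false,
		},
		{
			// Same cert, but renewBefore is now 3h, so the secret is deleted to
			// force rotation.
			name:           "lifetime above threshold",
			renewBefore:    3 * time.Hour,
			fillSecretData: certFiller(-5*time.Hour, 5*time.Hour),
			wantDelete:     true,
		},
		{
			// The cert is only 2h old (under the 3h renewBefore) but already
			// past NotAfter, so it must be deleted regardless of the threshold.
			name:           "cert expired",
			renewBefore:    3 * time.Hour,
			fillSecretData: certFiller(-2*time.Hour, -1*time.Hour),
			wantDelete:     true,
		},
		{
			name:           "delete failure",
			renewBefore:    3 * time.Hour,
			fillSecretData: certFiller(-5*time.Hour, 5*time.Hour),
			configKubeAPIClient: func(c *kubernetesfake.Clientset) {
				c.PrependReactor("delete", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
					return true, nil, errors.New("delete failed: some delete error")
				})
			},
			// Sync is expected to surface the API error message unchanged.
			wantError: "delete failed: some delete error",
		},
		{
			// The key holds a DER-encoded private key rather than a cert PEM.
			// This pins the current behavior: an unparseable secret is neither
			// deleted nor reported as an error from Sync.
			name: "parse cert failure",
			fillSecretData: func(t *testing.T, m map[string][]byte) {
				privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
				require.NoError(t, err)
				m[certChainKey], err = x509.MarshalPKCS8PrivateKey(privateKey)
				require.NoError(t, err)
			},
			wantDelete: false,
		},
	}
	for _, test := range tests {
		test := test
		t.Run(test.name, func(t *testing.T) {
			t.Parallel()

			ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
			defer cancel()

			kubeAPIClient := kubernetesfake.NewSimpleClientset()
			if test.configKubeAPIClient != nil {
				test.configKubeAPIClient(kubeAPIClient)
			}

			// A separate fake backs the informer; the API client is the one
			// whose recorded actions are asserted at the end.
			kubeInformerClient := kubernetesfake.NewSimpleClientset()
			if test.fillSecretData != nil {
				secret := &corev1.Secret{
					ObjectMeta: metav1.ObjectMeta{
						Name:      secretName,
						Namespace: secretNamespace,
					},
					Data: map[string][]byte{},
				}
				test.fillSecretData(t, secret.Data)

				// Seeded through the tracker rather than the client API; the
				// action assertion below relies on this seed not showing up in
				// kubeAPIClient.Actions().
				require.NoError(t, kubeAPIClient.Tracker().Add(secret))
				require.NoError(t, kubeInformerClient.Tracker().Add(secret))
			}

			kubeInformers := kubeinformers.NewSharedInformerFactory(
				kubeInformerClient,
				0,
			)

			c := NewCertsExpirerController(
				secretNamespace,
				kubeAPIClient,
				kubeInformers.Core().V1().Secrets(),
				controllerlib.WithInformer,
				test.renewBefore,
			)

			// Must start informers before calling TestRunSynchronously().
			kubeInformers.Start(ctx.Done())
			controllerlib.TestRunSynchronously(t, c)

			err := controllerlib.TestSync(t, c, controllerlib.Context{
				Context: ctx,
			})
			if test.wantError != "" {
				require.EqualError(t, err, test.wantError)
				return
			}
			require.NoError(t, err)

			// Kept non-nil on purpose (not `var exActions`): require.Equal
			// distinguishes a nil slice from an empty one.
			exActions := []kubetesting.Action{}
			if test.wantDelete {
				exActions = append(
					exActions,
					kubetesting.NewDeleteAction(
						schema.GroupVersionResource{
							Group:    "",
							Version:  "v1",
							Resource: "secrets",
						},
						secretNamespace,
						secretName,
					),
				)
			}
			acActions := kubeAPIClient.Actions()
			require.Equal(t, exActions, acActions)
		})
	}
}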