diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go index a246bbca..bc7e4975 100644 --- a/internal/controller/impersonatorconfig/impersonator_config_test.go +++ b/internal/controller/impersonatorconfig/impersonator_config_test.go @@ -261,9 +261,10 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) { const installedInNamespace = "some-namespace" const configMapResourceName = "some-configmap-resource-name" - const generatedLoadBalancerServiceName = "some-service-resource-name" + const loadBalancerServiceName = "some-service-resource-name" const tlsSecretName = "some-secret-name" const localhostIP = "127.0.0.1" + const httpsPort = ":443" var labels = map[string]string{"app": "app-name", "other-key": "other-value"} var r *require.Assertions @@ -290,11 +291,15 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { return nil, startTLSListenerFuncError } var err error - startedTLSListener, err = tls.Listen(network, "127.0.0.1:0", config) // automatically choose the port for unit tests + startedTLSListener, err = tls.Listen(network, localhostIP+":0", config) // automatically choose the port for unit tests r.NoError(err) return &tlsListenerWrapper{listener: startedTLSListener, closeError: startTLSListenerUponCloseError}, nil } + var testServerAddr = func() string { + return startedTLSListener.Addr().String() + } + var closeTLSListener = func() { if startedTLSListener != nil { err := startedTLSListener.Close() @@ -352,13 +357,11 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { var requireTLSServerIsRunningWithoutCerts = func() { r.Greater(startTLSListenerFuncWasCalled, 0) - tr := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec } - client := &http.Client{Transport: tr} - url := "https://" + startedTLSListener.Addr().String() + url := "https://" + testServerAddr() req, err := http.NewRequestWithContext(context.Background(), "GET", url, nil) r.NoError(err) _, err = client.Do(req) //nolint:bodyclose @@ -370,7 +373,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { r.Greater(startTLSListenerFuncWasCalled, 0) _, err := tls.Dial( startedTLSListener.Addr().Network(), - startedTLSListener.Addr().String(), + testServerAddr(), &tls.Config{InsecureSkipVerify: true}, //nolint:gosec ) r.Error(err) @@ -414,7 +417,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { kubeInformers.Core().V1().Secrets(), controllerlib.WithInformer, controllerlib.WithInitialEvent, - generatedLoadBalancerServiceName, + loadBalancerServiceName, tlsSecretName, labels, startTLSListenerFunc, @@ -459,26 +462,25 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { } var updateImpersonatorConfigMapInTracker = func(resourceName, configYAML string, client *kubernetesfake.Clientset, newResourceVersion string) { - impersonatorConfigMap := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourceName, - Namespace: installedInNamespace, - // Different resource version compared to the initial version when this resource was created - // so we can tell when the informer cache has cached this newly updated version. - ResourceVersion: newResourceVersion, - }, - Data: map[string]string{ - "config.yaml": configYAML, - }, + configMapObj, err := client.Tracker().Get( + schema.GroupVersionResource{Version: "v1", Resource: "configmaps"}, + installedInNamespace, + resourceName, + ) + r.NoError(err) + configMap := configMapObj.(*corev1.ConfigMap) + configMap.ResourceVersion = newResourceVersion + configMap.Data = map[string]string{ + "config.yaml": configYAML, } r.NoError(client.Tracker().Update( schema.GroupVersionResource{Version: "v1", Resource: "configmaps"}, - impersonatorConfigMap, + configMap, installedInNamespace, )) } - var secretWithData = func(resourceName string, data map[string][]byte) *corev1.Secret { + var newSecretWithData = func(resourceName string, data map[string][]byte) *corev1.Secret { return &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: resourceName, @@ -492,102 +494,94 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { } } - var createStubTLSSecret = func(resourceName string) *corev1.Secret { - return secretWithData(resourceName, map[string][]byte{}) + var newStubTLSSecret = func(resourceName string) *corev1.Secret { + return newSecretWithData(resourceName, map[string][]byte{}) } - var createActualTLSSecret = func(resourceName string, ip string) *corev1.Secret { + var createCertSecretData = func(dnsNames []string, ip string) map[string][]byte { impersonationCA, err := certauthority.New(pkix.Name{CommonName: "test CA"}, 24*time.Hour) r.NoError(err) - impersonationCert, err := impersonationCA.Issue(pkix.Name{}, nil, []net.IP{net.ParseIP(ip)}, 24*time.Hour) + impersonationCert, err := impersonationCA.Issue(pkix.Name{}, dnsNames, []net.IP{net.ParseIP(ip)}, 24*time.Hour) r.NoError(err) certPEM, keyPEM, err := certauthority.ToPEM(impersonationCert) r.NoError(err) - return secretWithData(resourceName, map[string][]byte{ + return map[string][]byte{ "ca.crt": impersonationCA.Bundle(), corev1.TLSPrivateKeyKey: keyPEM, corev1.TLSCertKey: certPEM, - }) + } } - var createTLSSecretWithMultipleHostnames = func(resourceName string, ip string) *corev1.Secret { - impersonationCA, err := certauthority.New(pkix.Name{CommonName: "test CA"}, 24*time.Hour) - r.NoError(err) - impersonationCert, err := impersonationCA.Issue(pkix.Name{}, []string{"foo", "bar"}, []net.IP{net.ParseIP(ip)}, 24*time.Hour) - r.NoError(err) - certPEM, keyPEM, err := certauthority.ToPEM(impersonationCert) - r.NoError(err) - return secretWithData(resourceName, map[string][]byte{ - "ca.crt": impersonationCA.Bundle(), - corev1.TLSPrivateKeyKey: keyPEM, - corev1.TLSCertKey: certPEM, - }) + var newActualTLSSecret = func(resourceName string, ip string) *corev1.Secret { + return newSecretWithData(resourceName, createCertSecretData(nil, ip)) + } + + var newActualTLSSecretWithMultipleHostnames = func(resourceName string, ip string) *corev1.Secret { + return newSecretWithData(resourceName, createCertSecretData([]string{"foo", "bar"}, ip)) + } + + var addSecretFromCreateActionToTracker = func(action coretesting.Action, client *kubernetesfake.Clientset, resourceVersion string) { + createdSecret := action.(coretesting.CreateAction).GetObject().(*corev1.Secret) + createdSecret.ResourceVersion = resourceVersion + r.NoError(client.Tracker().Add(createdSecret)) + } + + var addServiceFromCreateActionToTracker = func(action coretesting.Action, client *kubernetesfake.Clientset, resourceVersion string) { + createdService := action.(coretesting.CreateAction).GetObject().(*corev1.Service) + createdService.ResourceVersion = resourceVersion + r.NoError(client.Tracker().Add(createdService)) + } + + var newLoadBalancerService = func(resourceName string, status corev1.ServiceStatus) *corev1.Service { + return &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: resourceName, + Namespace: installedInNamespace, + // Note that this seems to be ignored by the informer during initial creation, so actually + // the informer will see this as resource version "". Leaving it here to express the intent + // that the initial version is version 0. + ResourceVersion: "0", + }, + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeLoadBalancer, + }, + Status: status, + } } var addLoadBalancerServiceToTracker = func(resourceName string, client *kubernetesfake.Clientset) { - loadBalancerService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourceName, - Namespace: installedInNamespace, - // Note that this seems to be ignored by the informer during initial creation, so actually - // the informer will see this as resource version "". Leaving it here to express the intent - // that the initial version is version 0. - ResourceVersion: "0", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - } + loadBalancerService := newLoadBalancerService(resourceName, corev1.ServiceStatus{}) r.NoError(client.Tracker().Add(loadBalancerService)) } - var updateLoadBalancerServiceInTracker = func(resourceName, lbIngressIP string, client *kubernetesfake.Clientset, newResourceVersion string) { - loadBalancerService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourceName, - Namespace: installedInNamespace, - ResourceVersion: newResourceVersion, - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - Status: corev1.ServiceStatus{ - LoadBalancer: corev1.LoadBalancerStatus{ - Ingress: []corev1.LoadBalancerIngress{ - {IP: lbIngressIP}, - }, - }, - }, - } - r.NoError(client.Tracker().Update( - schema.GroupVersionResource{Version: "v1", Resource: "services"}, - loadBalancerService, - installedInNamespace, - )) - } - var addLoadBalancerServiceWithIngressToTracker = func(resourceName string, ingress []corev1.LoadBalancerIngress, client *kubernetesfake.Clientset) { - loadBalancerService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourceName, - Namespace: installedInNamespace, - // Note that this seems to be ignored by the informer during initial creation, so actually - // the informer will see this as resource version "". Leaving it here to express the intent - // that the initial version is version 0. - ResourceVersion: "0", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - Status: corev1.ServiceStatus{ - LoadBalancer: corev1.LoadBalancerStatus{ - Ingress: ingress, - }, - }, - } + loadBalancerService := newLoadBalancerService(resourceName, corev1.ServiceStatus{ + LoadBalancer: corev1.LoadBalancerStatus{Ingress: ingress}, + }) r.NoError(client.Tracker().Add(loadBalancerService)) } + var addSecretToTracker = func(secret *corev1.Secret, client *kubernetesfake.Clientset) { + r.NoError(client.Tracker().Add(secret)) + } + + var updateLoadBalancerServiceInTracker = func(resourceName string, ingresses []corev1.LoadBalancerIngress, client *kubernetesfake.Clientset, newResourceVersion string) { + serviceObj, err := client.Tracker().Get( + schema.GroupVersionResource{Version: "v1", Resource: "services"}, + installedInNamespace, + resourceName, + ) + r.NoError(err) + service := serviceObj.(*corev1.Service) + service.ResourceVersion = newResourceVersion + service.Status = corev1.ServiceStatus{LoadBalancer: corev1.LoadBalancerStatus{Ingress: ingresses}} + r.NoError(client.Tracker().Update( + schema.GroupVersionResource{Version: "v1", Resource: "services"}, + service, + installedInNamespace, + )) + } + var deleteLoadBalancerServiceFromTracker = func(resourceName string, client *kubernetesfake.Clientset) { r.NoError(client.Tracker().Delete( schema.GroupVersionResource{Version: "v1", Resource: "services"}, @@ -604,14 +598,8 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { )) } - var addSecretFromCreateActionToTracker = func(action coretesting.Action, client *kubernetesfake.Clientset, resourceVersion string) { - createdSecret := action.(coretesting.CreateAction).GetObject().(*corev1.Secret) - createdSecret.ResourceVersion = resourceVersion - r.NoError(client.Tracker().Add(createdSecret)) - } - - var addNodeWithRoleToTracker = func(role string) { - r.NoError(kubeAPIClient.Tracker().Add( + var addNodeWithRoleToTracker = func(role string, client *kubernetesfake.Clientset) { + r.NoError(client.Tracker().Add( &corev1.Node{ ObjectMeta: metav1.ObjectMeta{ Name: "node", @@ -636,7 +624,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { createAction := action.(coretesting.CreateAction) r.Equal("create", createAction.GetVerb()) createdLoadBalancerService := createAction.GetObject().(*corev1.Service) - r.Equal(generatedLoadBalancerServiceName, createdLoadBalancerService.Name) + r.Equal(loadBalancerServiceName, createdLoadBalancerService.Name) r.Equal(installedInNamespace, createdLoadBalancerService.Namespace) r.Equal(corev1.ServiceTypeLoadBalancer, createdLoadBalancerService.Spec.Type) r.Equal("app-name", createdLoadBalancerService.Spec.Selector["app"]) @@ -646,7 +634,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { var requireLoadBalancerDeleted = func(action coretesting.Action) { deleteAction := action.(coretesting.DeleteAction) r.Equal("delete", deleteAction.GetVerb()) - r.Equal(generatedLoadBalancerServiceName, deleteAction.GetName()) + r.Equal(loadBalancerServiceName, deleteAction.GetName()) r.Equal("services", deleteAction.GetResource().Resource) } @@ -683,11 +671,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { return createdSecret.Data["ca.crt"] } + var runControllerSync = func() error { + return controllerlib.TestSync(t, subject, *syncContext) + } + it.Before(func() { r = require.New(t) - timeoutContext, timeoutContextCancel = context.WithTimeout(context.Background(), time.Second*3) - kubeInformerClient = kubernetesfake.NewSimpleClientset() kubeInformers = kubeinformers.NewSharedInformerFactoryWithOptions(kubeInformerClient, 0, kubeinformers.WithNamespace(installedInNamespace), @@ -702,17 +692,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the ConfigMap does not yet exist in the installation namespace or it was deleted (defaults to auto mode)", func() { it.Before(func() { - addImpersonatorConfigMapToTracker("some-other-ConfigMap", "foo: bar", kubeInformerClient) + addImpersonatorConfigMapToTracker("some-other-configmap", "foo: bar", kubeInformerClient) }) when("there are visible control plane nodes", func() { it.Before(func() { - addNodeWithRoleToTracker("control-plane") + addNodeWithRoleToTracker("control-plane", kubeAPIClient) }) it("does not start the impersonator or load balancer", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerWasNeverStarted() r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) @@ -721,17 +711,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are visible control plane nodes and a loadbalancer and a tls Secret", func() { it.Before(func() { - addNodeWithRoleToTracker("control-plane") - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeAPIClient) - tlsSecret := createStubTLSSecret(tlsSecretName) - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) + addNodeWithRoleToTracker("control-plane", kubeAPIClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeInformerClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeAPIClient) + tlsSecret := newStubTLSSecret(tlsSecretName) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) }) it("does not start the impersonator, deletes the loadbalancer, deletes the Secret", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerWasNeverStarted() r.Len(kubeAPIClient.Actions(), 3) requireNodesListed(kubeAPIClient.Actions()[0]) @@ -742,16 +732,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) - }) - - it("starts the impersonator without tls certs", func() { - requireTLSServerIsRunningWithoutCerts() + r.NoError(runControllerSync()) }) it("starts the load balancer automatically", func() { + requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) @@ -760,18 +747,15 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes and a load balancer already exists without an IP", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeInformerClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeAPIClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) - }) - - it("starts the impersonator without tls certs", func() { - requireTLSServerIsRunningWithoutCerts() + r.NoError(runControllerSync()) }) it("does not start the load balancer automatically", func() { + requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) }) @@ -779,18 +763,15 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes and a load balancer already exists with empty ingress", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "", Hostname: ""}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "", Hostname: ""}}, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "", Hostname: ""}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "", Hostname: ""}}, kubeAPIClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) - }) - - it("starts the impersonator without tls certs", func() { - requireTLSServerIsRunningWithoutCerts() + r.NoError(runControllerSync()) }) it("does not start the load balancer automatically", func() { + requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) }) @@ -798,18 +779,15 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes and a load balancer already exists with invalid ip", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "not-an-ip"}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "not-an-ip"}}, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "not-an-ip"}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "not-an-ip"}}, kubeAPIClient) startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "could not find valid IP addresses or hostnames from load balancer some-namespace/some-service-resource-name") - }) - - it("starts the impersonator without tls certs", func() { - requireTLSServerIsRunningWithoutCerts() + r.EqualError(runControllerSync(), "could not find valid IP addresses or hostnames from load balancer some-namespace/some-service-resource-name") }) it("does not start the load balancer automatically", func() { + requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) }) @@ -817,24 +795,24 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes and a load balancer already exists with multiple ips", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.123"}, {IP: "127.0.0.456"}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.123"}, {IP: "127.0.0.456"}}, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.123"}, {IP: "127.0.0.456"}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.123"}, {IP: "127.0.0.456"}}, kubeAPIClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) }) it("starts the impersonator with certs that match the first IP address", func() { r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) - requireTLSServerIsRunning(ca, "127.0.0.123", map[string]string{"127.0.0.123:443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, "127.0.0.123", map[string]string{"127.0.0.123:443": testServerAddr()}) }) it("keeps the secret around after resync", func() { addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "0") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "0") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) // nothing changed }) }) @@ -842,24 +820,24 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes and a load balancer already exists with multiple hostnames", func() { firstHostname := "fake-1.example.com" it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{Hostname: firstHostname}, {Hostname: "fake-2.example.com"}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{Hostname: firstHostname}, {Hostname: "fake-2.example.com"}}, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{Hostname: firstHostname}, {Hostname: "fake-2.example.com"}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{Hostname: firstHostname}, {Hostname: "fake-2.example.com"}}, kubeAPIClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) }) it("starts the impersonator with certs that match the first hostname", func() { r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) - requireTLSServerIsRunning(ca, firstHostname, map[string]string{firstHostname + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, firstHostname, map[string]string{firstHostname + httpsPort: testServerAddr()}) }) it("keeps the secret around after resync", func() { addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "0") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "0") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) // nothing changed }) }) @@ -867,38 +845,38 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes and a load balancer already exists with hostnames and ips", func() { firstHostname := "fake-1.example.com" it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.254"}, {Hostname: firstHostname}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.254"}, {Hostname: firstHostname}}, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.254"}, {Hostname: firstHostname}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.254"}, {Hostname: firstHostname}}, kubeAPIClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) }) it("starts the impersonator with certs that match the first hostname", func() { r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) - requireTLSServerIsRunning(ca, firstHostname, map[string]string{firstHostname + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, firstHostname, map[string]string{firstHostname + httpsPort: testServerAddr()}) }) it("keeps the secret around after resync", func() { addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "0") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "0") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) // nothing changed }) }) when("there are not visible control plane nodes, a secret exists with multiple hostnames and an IP", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) - tlsSecret := createTLSSecretWithMultipleHostnames(tlsSecretName, localhostIP) - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) + tlsSecret := newActualTLSSecretWithMultipleHostnames(tlsSecretName, localhostIP) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) }) it("deletes and recreates the secret to match the IP in the load balancer without the extra hostnames", func() { @@ -906,18 +884,18 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { requireNodesListed(kubeAPIClient.Actions()[0]) requireTLSSecretDeleted(kubeAPIClient.Actions()[1]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[2]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) }) when("the cert's name needs to change but there is an error while deleting the tls Secret", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.42"}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.42"}}, kubeAPIClient) - tlsSecret := createActualTLSSecret(tlsSecretName, localhostIP) - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.42"}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "127.0.0.42"}}, kubeAPIClient) + tlsSecret := newActualTLSSecret(tlsSecretName, localhostIP) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) kubeAPIClient.PrependReactor("delete", "secrets", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on delete") }) @@ -925,7 +903,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("returns an error and runs the proxy without certs", func() { startInformersAndController() - r.Error(controllerlib.TestSync(t, subject, *syncContext), "error on delete") + r.Error(runControllerSync(), "error on delete") r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireTLSSecretDeleted(kubeAPIClient.Actions()[1]) @@ -936,51 +914,51 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the cert's name might need to change but there is an error while determining the new name", func() { var ca []byte it.Before(func() { - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) - tlsSecret := createActualTLSSecret(tlsSecretName, localhostIP) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) + tlsSecret := newActualTLSSecret(tlsSecretName, localhostIP) ca = tlsSecret.Data["ca.crt"] - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) }) it("returns an error and keeps running the proxy with the old cert", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) - updateLoadBalancerServiceInTracker(generatedLoadBalancerServiceName, "not-an-ip", kubeInformerClient, "1") + updateLoadBalancerServiceInTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: "not-an-ip"}}, kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), + r.EqualError(runControllerSync(), "could not find valid IP addresses or hostnames from load balancer some-namespace/some-service-resource-name") r.Len(kubeAPIClient.Actions(), 1) // no new actions - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) }) }) when("sync is called more than once", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("only starts the impersonator once and only lists the cluster's nodes once", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) requireTLSServerIsRunningWithoutCerts() - // update manually because the kubeAPIClient isn't connected to the informer in the tests - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "0") + // Simulate the informer cache's background update from its watch. + addServiceFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "1") + waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a second time requireTLSServerIsRunningWithoutCerts() // still running r.Len(kubeAPIClient.Actions(), 2) // no new API calls @@ -988,79 +966,85 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("creates certs from the ip address listed on the load balancer", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) requireTLSServerIsRunningWithoutCerts() - // update manually because the kubeAPIClient isn't connected to the informer in the tests - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) + // Simulate the informer cache's background update from its watch. + addServiceFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "0") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "0") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + updateLoadBalancerServiceInTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient, "1") + waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") + + r.NoError(runControllerSync()) r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a second time r.Len(kubeAPIClient.Actions(), 3) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[2]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) // running with certs now + requireTLSServerIsRunning(ca, testServerAddr(), nil) // running with certs now - // update manually because the kubeAPIClient isn't connected to the informer in the tests + // Simulate the informer cache's background update from its watch. addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[2], kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) - r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a third time - r.Len(kubeAPIClient.Actions(), 3) // no more actions - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) // still running + r.NoError(runControllerSync()) + r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a third time + r.Len(kubeAPIClient.Actions(), 3) // no more actions + requireTLSServerIsRunning(ca, testServerAddr(), nil) // still running }) it("creates certs from the hostname listed on the load balancer", func() { hostname := "fake.example.com" startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) requireTLSServerIsRunningWithoutCerts() - // update manually because the kubeAPIClient isn't connected to the informer in the tests - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP, Hostname: hostname}}, kubeInformerClient) + // Simulate the informer cache's background update from its watch. + addServiceFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "0") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "0") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + updateLoadBalancerServiceInTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP, Hostname: hostname}}, kubeInformerClient, "1") + waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") + + r.NoError(runControllerSync()) r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a second time r.Len(kubeAPIClient.Actions(), 3) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[2]) - requireTLSServerIsRunning(ca, hostname, map[string]string{hostname + ":443": startedTLSListener.Addr().String()}) // running with certs now + requireTLSServerIsRunning(ca, hostname, map[string]string{hostname + httpsPort: testServerAddr()}) // running with certs now - // update manually because the kubeAPIClient isn't connected to the informer in the tests + // Simulate the informer cache's background update from its watch. addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[2], kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) - r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a third time - r.Len(kubeAPIClient.Actions(), 3) // no more actions - requireTLSServerIsRunning(ca, hostname, map[string]string{hostname + ":443": startedTLSListener.Addr().String()}) // still running + r.NoError(runControllerSync()) + r.Equal(1, startTLSListenerFuncWasCalled) // wasn't started a third time + r.Len(kubeAPIClient.Actions(), 3) // no more actions + requireTLSServerIsRunning(ca, hostname, map[string]string{hostname + httpsPort: testServerAddr()}) // still running }) }) when("getting the control plane nodes returns an error, e.g. when there are no nodes", func() { it("returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "no nodes found") + r.EqualError(runControllerSync(), "no nodes found") requireTLSServerWasNeverStarted() }) }) when("the http handler factory function returns an error", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) httpHanderFactoryFuncError = errors.New("some factory error") }) it("returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "some factory error") + r.EqualError(runControllerSync(), "some factory error") requireTLSServerWasNeverStarted() }) }) @@ -1072,7 +1056,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "invalid impersonator configuration: decode yaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type impersonator.Config") + r.EqualError(runControllerSync(), "invalid impersonator configuration: decode yaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type impersonator.Config") requireTLSServerWasNeverStarted() }) }) @@ -1080,17 +1064,18 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the ConfigMap is already in the installation namespace", func() { when("the configuration is auto mode with an endpoint", func() { it.Before(func() { - addImpersonatorConfigMapToTracker(configMapResourceName, "{mode: auto, endpoint: 127.0.0.1}", kubeInformerClient) + configMapYAML := fmt.Sprintf("{mode: auto, endpoint: %s}", localhostIP) + addImpersonatorConfigMapToTracker(configMapResourceName, configMapYAML, kubeInformerClient) }) when("there are visible control plane nodes", func() { it.Before(func() { - addNodeWithRoleToTracker("control-plane") + addNodeWithRoleToTracker("control-plane", kubeAPIClient) }) it("does not start the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerWasNeverStarted() requireNodesListed(kubeAPIClient.Actions()[0]) r.Len(kubeAPIClient.Actions(), 1) @@ -1099,16 +1084,16 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there are not visible control plane nodes", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("starts the impersonator according to the settings in the ConfigMap", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) }) }) @@ -1116,12 +1101,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the configuration is disabled mode", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: disabled", kubeInformerClient) - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("does not start the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerWasNeverStarted() requireNodesListed(kubeAPIClient.Actions()[0]) r.Len(kubeAPIClient.Actions(), 1) @@ -1132,24 +1117,24 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("no load balancer", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: enabled", kubeInformerClient) - addNodeWithRoleToTracker("control-plane") + addNodeWithRoleToTracker("control-plane", kubeAPIClient) }) it("starts the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerIsRunningWithoutCerts() }) it("returns an error when the tls listener fails to start", func() { startTLSListenerFuncError = errors.New("tls error") startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "tls error") + r.EqualError(runControllerSync(), "tls error") }) it("starts the load balancer", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) @@ -1159,26 +1144,26 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("a loadbalancer already exists", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: enabled", kubeInformerClient) - addNodeWithRoleToTracker("worker") - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeInformerClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeAPIClient) }) it("starts the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerIsRunningWithoutCerts() }) it("returns an error when the tls listener fails to start", func() { startTLSListenerFuncError = errors.New("tls error") startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "tls error") + r.EqualError(runControllerSync(), "tls error") }) it("does not start the load balancer", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) }) @@ -1188,21 +1173,21 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { var ca []byte it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: enabled", kubeInformerClient) - addNodeWithRoleToTracker("worker") - tlsSecret := createActualTLSSecret(tlsSecretName, localhostIP) + addNodeWithRoleToTracker("worker", kubeAPIClient) + tlsSecret := newActualTLSSecret(tlsSecretName, localhostIP) ca = tlsSecret.Data["ca.crt"] - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) }) it("starts the impersonator with the existing tls certs, does not start loadbalancer or make tls secret", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 1) requireNodesListed(kubeAPIClient.Actions()[0]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) }) @@ -1211,17 +1196,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it.Before(func() { configMapYAML := fmt.Sprintf("{mode: enabled, endpoint: %s}", fakeHostname) addImpersonatorConfigMapToTracker(configMapResourceName, configMapYAML, kubeInformerClient) - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("starts the impersonator, generates a valid cert for the hostname", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) // Check that the server is running and that TLS certs that are being served are are for fakeHostname. - requireTLSServerIsRunning(ca, fakeHostname, map[string]string{fakeHostname + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, fakeHostname, map[string]string{fakeHostname + httpsPort: testServerAddr()}) }) }) @@ -1232,19 +1217,19 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { var ipAddressYAML = fmt.Sprintf("{mode: enabled, endpoint: %s}", fakeIP) it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, ipAddressYAML, kubeInformerClient) - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("regenerates the cert for the hostname, then regenerates it for the IP again", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) // Check that the server is running and that TLS certs that are being served are are for fakeIP. - requireTLSServerIsRunning(ca, fakeIP, map[string]string{fakeIP + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, fakeIP, map[string]string{fakeIP + httpsPort: testServerAddr()}) - // update manually because the kubeAPIClient isn't connected to the informer in the tests + // Simulate the informer cache's background update from its watch. addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "1") @@ -1252,14 +1237,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { updateImpersonatorConfigMapInTracker(configMapResourceName, hostnameYAML, kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 4) requireTLSSecretDeleted(kubeAPIClient.Actions()[2]) ca = requireTLSSecretWasCreated(kubeAPIClient.Actions()[3]) // Check that the server is running and that TLS certs that are being served are are for fakeHostname. - requireTLSServerIsRunning(ca, fakeHostname, map[string]string{fakeHostname + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, fakeHostname, map[string]string{fakeHostname + httpsPort: testServerAddr()}) - // update manually because the kubeAPIClient isn't connected to the informer in the tests + // Simulate the informer cache's background update from its watch. deleteTLSCertSecretFromTracker(tlsSecretName, kubeInformerClient) addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[3], kubeInformerClient, "2") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "2") @@ -1268,12 +1253,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { updateImpersonatorConfigMapInTracker(configMapResourceName, ipAddressYAML, kubeInformerClient, "2") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "2") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 6) requireTLSSecretDeleted(kubeAPIClient.Actions()[4]) ca = requireTLSSecretWasCreated(kubeAPIClient.Actions()[5]) // Check that the server is running and that TLS certs that are being served are are for fakeIP. - requireTLSServerIsRunning(ca, fakeIP, map[string]string{fakeIP + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, fakeIP, map[string]string{fakeIP + httpsPort: testServerAddr()}) }) }) }) @@ -1281,37 +1266,37 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the configuration switches from enabled to disabled mode", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: enabled", kubeInformerClient) - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("starts the impersonator and loadbalancer, then shuts it down, then starts it again", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[1]) - // update manually because the kubeAPIClient isn't connected to the informer in the tests - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "0") + // Simulate the informer cache's background update from its watch. + addServiceFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "1") + waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") updateImpersonatorConfigMapInTracker(configMapResourceName, "mode: disabled", kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerIsNoLongerRunning() r.Len(kubeAPIClient.Actions(), 3) requireLoadBalancerDeleted(kubeAPIClient.Actions()[2]) - deleteLoadBalancerServiceFromTracker(generatedLoadBalancerServiceName, kubeInformerClient) - waitForLoadBalancerToBeDeleted(kubeInformers.Core().V1().Services(), generatedLoadBalancerServiceName) + deleteLoadBalancerServiceFromTracker(loadBalancerServiceName, kubeInformerClient) + waitForLoadBalancerToBeDeleted(kubeInformers.Core().V1().Services(), loadBalancerServiceName) updateImpersonatorConfigMapInTracker(configMapResourceName, "mode: enabled", kubeInformerClient, "2") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "2") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 4) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[3]) @@ -1324,13 +1309,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("returns the error from the sync function", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) requireTLSServerIsRunningWithoutCerts() updateImpersonatorConfigMapInTracker(configMapResourceName, "mode: disabled", kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "1") - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "fake server close error") + r.EqualError(runControllerSync(), "fake server close error") requireTLSServerIsNoLongerRunning() }) }) @@ -1338,21 +1323,22 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the endpoint switches from specified, to not specified, to specified again", func() { it.Before(func() { - addImpersonatorConfigMapToTracker(configMapResourceName, "{mode: enabled, endpoint: 127.0.0.1}", kubeInformerClient) - addNodeWithRoleToTracker("worker") + configMapYAML := fmt.Sprintf("{mode: enabled, endpoint: %s}", localhostIP) + addImpersonatorConfigMapToTracker(configMapResourceName, configMapYAML, kubeInformerClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) }) it("doesn't create, then creates, then deletes the load balancer", func() { startInformersAndController() // Should have started in "enabled" mode with an "endpoint", so no load balancer is needed. - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1]) // created immediately because "endpoint" was specified - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) - // update manually because the kubeAPIClient isn't connected to the informer in the tests + // Simulate the informer cache's background update from its watch. addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[1], kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "1") @@ -1360,42 +1346,43 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { updateImpersonatorConfigMapInTracker(configMapResourceName, "mode: enabled", kubeInformerClient, "1") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 4) requireLoadBalancerWasCreated(kubeAPIClient.Actions()[2]) requireTLSSecretDeleted(kubeAPIClient.Actions()[3]) // the Secret was deleted because it contained a cert with the wrong IP requireTLSServerIsRunningWithoutCerts() - // update manually because the kubeAPIClient isn't connected to the informer in the tests - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "0") + // Simulate the informer cache's background update from its watch. + addServiceFromCreateActionToTracker(kubeAPIClient.Actions()[2], kubeInformerClient, "1") + waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") deleteTLSCertSecretFromTracker(tlsSecretName, kubeInformerClient) waitForTLSCertSecretToBeDeleted(kubeInformers.Core().V1().Secrets(), tlsSecretName) // The controller should be waiting for the load balancer's ingress to become available. - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 4) // no new actions while it is waiting for the load balancer's ingress requireTLSServerIsRunningWithoutCerts() // Update the ingress of the LB in the informer's client and run Sync again. fakeIP := "127.0.0.123" - updateLoadBalancerServiceInTracker(generatedLoadBalancerServiceName, fakeIP, kubeInformerClient, "1") - waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "1") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + updateLoadBalancerServiceInTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: fakeIP}}, kubeInformerClient, "2") + waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Services().Informer(), "2") + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 5) ca = requireTLSSecretWasCreated(kubeAPIClient.Actions()[4]) // created because the LB ingress became available // Check that the server is running and that TLS certs that are being served are are for fakeIP. - requireTLSServerIsRunning(ca, fakeIP, map[string]string{fakeIP + ":443": startedTLSListener.Addr().String()}) + requireTLSServerIsRunning(ca, fakeIP, map[string]string{fakeIP + httpsPort: testServerAddr()}) - // update manually because the kubeAPIClient isn't connected to the informer in the tests + // Simulate the informer cache's background update from its watch. addSecretFromCreateActionToTracker(kubeAPIClient.Actions()[4], kubeInformerClient, "2") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().Secrets().Informer(), "2") // Now switch back to having the "endpoint" specified, so the load balancer is not needed anymore. - updateImpersonatorConfigMapInTracker(configMapResourceName, "{mode: enabled, endpoint: 127.0.0.1}", kubeInformerClient, "2") + configMapYAML := fmt.Sprintf("{mode: enabled, endpoint: %s}", localhostIP) + updateImpersonatorConfigMapInTracker(configMapResourceName, configMapYAML, kubeInformerClient, "2") waitForInformerCacheToSeeResourceVersion(kubeInformers.Core().V1().ConfigMaps().Informer(), "2") - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 8) requireLoadBalancerDeleted(kubeAPIClient.Actions()[5]) requireTLSSecretDeleted(kubeAPIClient.Actions()[6]) @@ -1406,7 +1393,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there is an error creating the load balancer", func() { it.Before(func() { - addNodeWithRoleToTracker("worker") + addNodeWithRoleToTracker("worker", kubeAPIClient) startInformersAndController() kubeAPIClient.PrependReactor("create", "services", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on create") @@ -1414,14 +1401,14 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { }) it("exits with an error", func() { - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "could not create load balancer: error on create") + r.EqualError(runControllerSync(), "could not create load balancer: error on create") }) }) when("there is an error creating the tls secret", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "{mode: enabled, endpoint: example.com}", kubeInformerClient) - addNodeWithRoleToTracker("control-plane") + addNodeWithRoleToTracker("control-plane", kubeAPIClient) kubeAPIClient.PrependReactor("create", "secrets", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on create") }) @@ -1429,7 +1416,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("starts the impersonator without certs and returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "error on create") + r.EqualError(runControllerSync(), "error on create") requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) @@ -1439,12 +1426,12 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("there is an error deleting the tls secret", func() { it.Before(func() { - addNodeWithRoleToTracker("control-plane") - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeInformerClient) - addLoadBalancerServiceToTracker(generatedLoadBalancerServiceName, kubeAPIClient) - tlsSecret := createStubTLSSecret(tlsSecretName) - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) + addNodeWithRoleToTracker("control-plane", kubeAPIClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeInformerClient) + addLoadBalancerServiceToTracker(loadBalancerServiceName, kubeAPIClient) + tlsSecret := newStubTLSSecret(tlsSecretName) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) startInformersAndController() kubeAPIClient.PrependReactor("delete", "secrets", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) { return true, nil, fmt.Errorf("error on delete") @@ -1452,7 +1439,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { }) it("does not start the impersonator, deletes the loadbalancer, returns an error", func() { - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "error on delete") + r.EqualError(runControllerSync(), "error on delete") requireTLSServerWasNeverStarted() r.Len(kubeAPIClient.Actions(), 3) requireNodesListed(kubeAPIClient.Actions()[0]) @@ -1463,8 +1450,9 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("the PEM formatted data in the Secret is not a valid cert", func() { it.Before(func() { - addImpersonatorConfigMapToTracker(configMapResourceName, "{mode: enabled, endpoint: 127.0.0.1}", kubeInformerClient) - addNodeWithRoleToTracker("worker") + configMapYAML := fmt.Sprintf("{mode: enabled, endpoint: %s}", localhostIP) + addImpersonatorConfigMapToTracker(configMapResourceName, configMapYAML, kubeInformerClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) tlsSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: tlsSecretName, @@ -1475,18 +1463,18 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { corev1.TLSCertKey: []byte("-----BEGIN CERTIFICATE-----\naGVsbG8gd29ybGQK\n-----END CERTIFICATE-----\n"), }, } - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) }) it("deletes the invalid certs, creates new certs, and starts the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 3) requireNodesListed(kubeAPIClient.Actions()[0]) requireTLSSecretDeleted(kubeAPIClient.Actions()[1]) // deleted the bad cert ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[2]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) when("there is an error while the invalid cert is being deleted", func() { @@ -1498,7 +1486,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("tries to delete the invalid cert, starts the impersonator without certs, and returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "PEM data represented an invalid cert, but got error while deleting it: error on delete") + r.EqualError(runControllerSync(), "PEM data represented an invalid cert, but got error while deleting it: error on delete") requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) @@ -1511,22 +1499,22 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("a tls secret already exists but it is not valid", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: enabled", kubeInformerClient) - addNodeWithRoleToTracker("worker") - tlsSecret := createStubTLSSecret(tlsSecretName) // secret exists but lacks certs - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) + addNodeWithRoleToTracker("worker", kubeAPIClient) + tlsSecret := newStubTLSSecret(tlsSecretName) // secret exists but lacks certs + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) }) it("deletes the invalid certs, creates new certs, and starts the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 3) requireNodesListed(kubeAPIClient.Actions()[0]) requireTLSSecretDeleted(kubeAPIClient.Actions()[1]) // deleted the bad cert ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[2]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) when("there is an error while the invalid cert is being deleted", func() { @@ -1538,7 +1526,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("tries to delete the invalid cert, starts the impersonator without certs, and returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "found missing or not PEM-encoded data in TLS Secret, but got error while deleting it: error on delete") + r.EqualError(runControllerSync(), "found missing or not PEM-encoded data in TLS Secret, but got error while deleting it: error on delete") requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0]) @@ -1551,23 +1539,23 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { when("a tls secret already exists but the private key is not valid", func() { it.Before(func() { addImpersonatorConfigMapToTracker(configMapResourceName, "mode: enabled", kubeInformerClient) - addNodeWithRoleToTracker("worker") - tlsSecret := createActualTLSSecret(tlsSecretName, localhostIP) + addNodeWithRoleToTracker("worker", kubeAPIClient) + tlsSecret := newActualTLSSecret(tlsSecretName, localhostIP) tlsSecret.Data["tls.key"] = nil - r.NoError(kubeAPIClient.Tracker().Add(tlsSecret)) - r.NoError(kubeInformerClient.Tracker().Add(tlsSecret)) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) - addLoadBalancerServiceWithIngressToTracker(generatedLoadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeAPIClient) + addSecretToTracker(tlsSecret, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeInformerClient) + addLoadBalancerServiceWithIngressToTracker(loadBalancerServiceName, []corev1.LoadBalancerIngress{{IP: localhostIP}}, kubeAPIClient) }) it("deletes the invalid certs, creates new certs, and starts the impersonator", func() { startInformersAndController() - r.NoError(controllerlib.TestSync(t, subject, *syncContext)) + r.NoError(runControllerSync()) r.Len(kubeAPIClient.Actions(), 3) requireNodesListed(kubeAPIClient.Actions()[0]) requireTLSSecretDeleted(kubeAPIClient.Actions()[1]) // deleted the bad cert ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[2]) - requireTLSServerIsRunning(ca, startedTLSListener.Addr().String(), nil) + requireTLSServerIsRunning(ca, testServerAddr(), nil) }) when("there is an error while the invalid cert is being deleted", func() { @@ -1579,7 +1567,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { it("tries to delete the invalid cert, starts the impersonator without certs, and returns an error", func() { startInformersAndController() - r.EqualError(controllerlib.TestSync(t, subject, *syncContext), "cert had an invalid private key, but got error while deleting it: error on delete") + r.EqualError(runControllerSync(), "cert had an invalid private key, but got error while deleting it: error on delete") requireTLSServerIsRunningWithoutCerts() r.Len(kubeAPIClient.Actions(), 2) requireNodesListed(kubeAPIClient.Actions()[0])