Merge pull request #704 from mattmoyer/deflake-serving-certificate-rotation-test

Make TestAPIServingCertificateAutoCreationAndRotation less flaky.
This commit is contained in:
Ryan Richard 2021-07-13 14:58:54 -07:00 committed by GitHub
commit 7ef3d42e01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -107,24 +107,26 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
require.NoError(t, test.forceRotation(ctx, kubeClient, env.ConciergeNamespace)) require.NoError(t, test.forceRotation(ctx, kubeClient, env.ConciergeNamespace))
// Expect that the Secret comes back right away with newly minted certs. // Expect that the Secret comes back right away with newly minted certs.
var regeneratedCACert []byte
testlib.RequireEventually(t, func(requireEventually *require.Assertions) { testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
var err error var err error
secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{}) secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
requireEventually.NoError(err) requireEventually.NoError(err)
regeneratedCACert = secret.Data["caCertificate"]
regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
regeneratedCertChain := secret.Data["tlsCertificateChain"]
requireEventually.NotEmpty(regeneratedCACert)
requireEventually.NotEmpty(regeneratedPrivateKey)
requireEventually.NotEmpty(regeneratedCertChain)
requireEventually.NotEqual(initialCACert, regeneratedCACert)
requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)
requireEventually.NotEqual(initialCertChain, regeneratedCertChain)
for k, v := range env.ConciergeCustomLabels {
requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
}
requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"])
}, time.Minute, 250*time.Millisecond) }, time.Minute, 250*time.Millisecond)
regeneratedCACert := secret.Data["caCertificate"]
regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
regeneratedCertChain := secret.Data["tlsCertificateChain"]
require.NotEmpty(t, regeneratedCACert)
require.NotEmpty(t, regeneratedPrivateKey)
require.NotEmpty(t, regeneratedCertChain)
require.NotEqual(t, initialCACert, regeneratedCACert)
require.NotEqual(t, initialPrivateKey, regeneratedPrivateKey)
require.NotEqual(t, initialCertChain, regeneratedCertChain)
for k, v := range env.ConciergeCustomLabels {
require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
}
require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
// Expect that the APIService was also updated with the new CA. // Expect that the APIService was also updated with the new CA.
testlib.RequireEventually(t, func(requireEventually *require.Assertions) { testlib.RequireEventually(t, func(requireEventually *require.Assertions) {