Merge pull request #37 from munnerz/manager-testing

Add more exhaustive unit testing for manager

Author: jetstack-bot

manager/manager.go

@@ -189,6 +189,9 @@ func NewManager(opts Options) (*Manager, error) {
 		maxRequestsPerVolume: opts.MaxRequestsPerVolume,
 		nodeNameHash:         nodeNameHash,
 		backoffConfig:        *opts.RenewalBackoffConfig,
+		requestNameGenerator: func() string {
+			return string(uuid.NewUUID())
+		},
 	}
 
 	vols, err := opts.MetadataReader.ListVolumes()
@@ -287,6 +290,10 @@ type Manager struct {
 
 	// backoffConfig configures the exponential backoff applied to certificate renewal failures.
 	backoffConfig wait.Backoff
+
+	// requestNameGenerator generates a new random name for a certificaterequest object
+	// Defaults to uuid.NewUUID() from k8s.io/apimachinery/pkg/util/uuid.
+	requestNameGenerator func() string
 }
 
 // issue will step through the entire issuance flow for a volume.
@@ -334,7 +341,7 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 
 	// Poll every 1s for the CertificateRequest to be ready
 	lastFailureReason := ""
-	if err := wait.PollUntil(time.Second, func() (done bool, err error) {
+	if err := wait.PollUntilWithContext(ctx, time.Second, func(ctx context.Context) (done bool, err error) {
 		updatedReq, err := m.lister.CertificateRequests(req.Namespace).Get(req.Name)
 		if apierrors.IsNotFound(err) {
 			// A NotFound error implies something deleted the resource - fail
@@ -358,8 +365,9 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 			return false, fmt.Errorf("request %q has been denied by the approval plugin: %s", updatedReq.Name, cond.Message)
 		}
 
-		if !apiutil.CertificateRequestIsApproved(updatedReq) {
-			lastFailureReason = "request has not yet been approved by approval plugin"
+		isApproved := apiutil.CertificateRequestIsApproved(updatedReq)
+		if !isApproved {
+			lastFailureReason = fmt.Sprintf("request %q has not yet been approved by approval plugin", updatedReq.Name)
 			// we don't stop execution here, as some versions of cert-manager (and some external issuer plugins)
 			// may not be aware/utilise approval.
 			// If the certificate is still issued despite never being approved, the CSI driver should continue
@@ -368,11 +376,11 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 
 		readyCondition := apiutil.GetCertificateRequestCondition(updatedReq, cmapi.CertificateRequestConditionReady)
 		if readyCondition == nil {
-			if apiutil.CertificateRequestIsApproved(updatedReq) {
-				lastFailureReason = "request has no ready condition"
+			// only overwrite the approval failure message if the request is actually approved
+			// otherwise we may hide more useful information from the user by accident.
+			if isApproved {
+				lastFailureReason = fmt.Sprintf("request %q has no ready condition", updatedReq.Name)
 			}
-			log.V(2).Info("CertificateRequest is still pending")
-			// Issuance is still pending
 			return false, nil
 		}
 
@@ -382,11 +390,12 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 		case cmapi.CertificateRequestReasonFailed:
 			return false, fmt.Errorf("request %q has failed: %s", updatedReq.Name, readyCondition.Message)
 		case cmapi.CertificateRequestReasonPending:
-			lastFailureReason = fmt.Sprintf("request pending: %v", readyCondition.Message)
-			log.V(2).Info("CertificateRequest is still pending")
+			if isApproved {
+				lastFailureReason = fmt.Sprintf("request %q is pending: %v", updatedReq.Name, readyCondition.Message)
+			}
 			return false, nil
 		default:
-			lastFailureReason = fmt.Sprintf("unrecognised Ready condition state (%s): %s", readyCondition.Reason, readyCondition.Message)
+			lastFailureReason = fmt.Sprintf("request %q has unrecognised Ready condition state (%s): %s", updatedReq.Name, readyCondition.Reason, readyCondition.Message)
 			log.Info("unrecognised state for Ready condition", "request_namespace", updatedReq.Namespace, "request_name", updatedReq.Name, "condition", *readyCondition)
 			return false, nil
 		}
@@ -396,7 +405,7 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 		// writing out signed certificate
 		req = updatedReq
 		return true, nil
-	}, ctx.Done()); err != nil {
+	}); err != nil {
 		if errors.Is(err, wait.ErrWaitTimeout) {
 			// try and return a more helpful error message than "timed out waiting for the condition"
 			return fmt.Errorf("waiting for request: %s", lastFailureReason)
@@ -481,7 +490,7 @@ func (m *Manager) labelSelectorForVolume(volumeID string) (labels.Selector, erro
 func (m *Manager) submitRequest(ctx context.Context, meta metadata.Metadata, csrBundle *CertificateRequestBundle, csrPEM []byte) (*cmapi.CertificateRequest, error) {
 	req := &cmapi.CertificateRequest{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        string(uuid.NewUUID()),
+			Name:        m.requestNameGenerator(),
 			Namespace:   csrBundle.Namespace,
 			Annotations: csrBundle.Annotations,
 			Labels: map[string]string{

manager/manager_test.go

@@ -2,19 +2,283 @@ package manager
 
 import (
 	"context"
+	"fmt"
 	"testing"
+	"time"
 
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	testpkg "github.com/cert-manager/cert-manager/pkg/controller/test"
 	"github.com/go-logr/logr/testr"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
 	coretesting "k8s.io/client-go/testing"
 
 	internalapi "github.com/cert-manager/csi-lib/internal/api"
 	internalapiutil "github.com/cert-manager/csi-lib/internal/api/util"
+	"github.com/cert-manager/csi-lib/metadata"
+	"github.com/cert-manager/csi-lib/storage"
+	testutil "github.com/cert-manager/csi-lib/test/util"
 )
 
+func TestManager_ManageVolumeImmediate_issueOnceAndSucceed(t *testing.T) {
+	ctx := context.Background()
+
+	opts := newDefaultTestOptions(t)
+	m, err := NewManager(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Setup a goroutine to issue one CertificateRequest
+	stopCh := make(chan struct{})
+	go testutil.IssueOneRequest(t, opts.Client, defaultTestNamespace, stopCh, selfSignedExampleCertificate, []byte("ca bytes"))
+	defer close(stopCh)
+
+	// Register a new volume with the metadata store
+	store := opts.MetadataReader.(storage.Interface)
+	meta := metadata.Metadata{
+		VolumeID:   "vol-id",
+		TargetPath: "/fake/path",
+	}
+	store.RegisterMetadata(meta)
+	// Ensure we stop managing the volume after the test
+	defer func() {
+		store.RemoveVolume(meta.VolumeID)
+		m.UnmanageVolume(meta.VolumeID)
+	}()
+
+	// Attempt to issue the certificate & put it under management
+	managed, err := m.ManageVolumeImmediate(ctx, meta.VolumeID)
+	if !managed {
+		t.Errorf("expected management to have started, but it did not")
+	}
+	if err != nil {
+		t.Errorf("expected no error from ManageVolumeImmediate but got: %v", err)
+	}
+
+	// Assert the certificate is under management
+	if !m.IsVolumeReady(meta.VolumeID) {
+		t.Errorf("expected volume to be marked as Ready but it is not")
+	}
+}
+
+func TestManager_PropagatesRequestConditionMessages(t *testing.T) {
+	tests := []struct {
+		approved      string
+		ready         string
+		expectedError string
+	}{
+		{
+			approved:      "",
+			ready:         "",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has not yet been approved by approval plugin",
+		},
+		{
+			approved:      "",
+			ready:         "pending",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has not yet been approved by approval plugin",
+		},
+		{
+			approved:      "",
+			ready:         "failed",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has failed: failed",
+		},
+		//"pending approval, ready == true": {}
+		{
+			approved:      "denied",
+			ready:         "",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has been denied by the approval plugin: denied",
+		},
+		{
+			approved:      "denied",
+			ready:         "pending",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has been denied by the approval plugin: denied",
+		},
+		{
+			approved:      "denied",
+			ready:         "failed",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has been denied by the approval plugin: denied",
+		},
+		//"denied, ready == true": {},
+		{
+			approved:      "approved",
+			ready:         "",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has no ready condition",
+		},
+		{
+			approved:      "approved",
+			ready:         "pending",
+			expectedError: "waiting for request: request \"certificaterequest-name\" is pending: pending",
+		},
+		{
+			approved:      "approved",
+			ready:         "failed",
+			expectedError: "waiting for request: request \"certificaterequest-name\" has failed: failed",
+		},
+		//"approved, ready == true": {},
+	}
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("approval=%q, readiness=%q", test.approved, test.ready), func(t *testing.T) {
+			ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
+			defer cancel()
+
+			opts := newDefaultTestOptions(t)
+			m, err := NewManager(opts)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer m.Stop()
+			m.requestNameGenerator = func() string { return "certificaterequest-name" }
+
+			// build conditions to set based on test configuration
+			var conditions []cmapi.CertificateRequestCondition
+			switch test.approved {
+			case "":
+			case "approved":
+				conditions = append(conditions, cmapi.CertificateRequestCondition{Type: cmapi.CertificateRequestConditionApproved, Status: cmmeta.ConditionTrue, Reason: "SetByTest", Message: "approved"})
+			case "denied":
+				conditions = append(conditions, cmapi.CertificateRequestCondition{Type: cmapi.CertificateRequestConditionDenied, Status: cmmeta.ConditionTrue, Reason: "SetByTest", Message: "denied"})
+			}
+			switch test.ready {
+			case "":
+			case "pending":
+				conditions = append(conditions, cmapi.CertificateRequestCondition{Type: cmapi.CertificateRequestConditionReady, Status: cmmeta.ConditionFalse, Reason: cmapi.CertificateRequestReasonPending, Message: "pending"})
+			case "failed":
+				conditions = append(conditions, cmapi.CertificateRequestCondition{Type: cmapi.CertificateRequestConditionReady, Status: cmmeta.ConditionFalse, Reason: cmapi.CertificateRequestReasonFailed, Message: "failed"})
+			}
+			// Automatically set the request to be approved & pending once created
+			go testutil.SetCertificateRequestConditions(ctx, t, opts.Client, defaultTestNamespace, conditions...)
+
+			// Register a new volume with the metadata store
+			store := opts.MetadataReader.(storage.Interface)
+			meta := metadata.Metadata{
+				VolumeID:   "vol-id",
+				TargetPath: "/fake/path",
+			}
+			store.RegisterMetadata(meta)
+			// Ensure we stop managing the volume after the test
+			defer func() {
+				store.RemoveVolume(meta.VolumeID)
+				m.UnmanageVolume(meta.VolumeID)
+			}()
+
+			// Attempt to issue the certificate & put it under management
+			managed, err := m.ManageVolumeImmediate(ctx, meta.VolumeID)
+			if !managed {
+				t.Errorf("expected volume to still be managed after failure")
+			}
+			if err == nil {
+				t.Errorf("expected to get an error from ManageVolumeImmediate")
+			}
+			if err.Error() != test.expectedError {
+				t.Errorf("expected '%s' but got: %s", test.expectedError, err.Error())
+			}
+		})
+	}
+}
+
+func TestManager_ResumesManagementOfExistingVolumes(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
+	defer cancel()
+
+	store := storage.NewMemoryFS()
+	opts := defaultTestOptions(t, Options{MetadataReader: store})
+
+	m, err := NewManager(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	m.requestNameGenerator = func() string { return "certificaterequest-name" }
+	// Automatically issue the request once created
+	go testutil.IssueOneRequest(t, opts.Client, defaultTestNamespace, ctx.Done(), selfSignedExampleCertificate, []byte("ca bytes"))
+
+	// Register a new volume with the metadata store
+	meta := metadata.Metadata{
+		VolumeID:   "vol-id",
+		TargetPath: "/fake/path",
+	}
+	_, err = store.RegisterMetadata(meta)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Attempt to issue the certificate & put it under management
+	managed, err := m.ManageVolumeImmediate(ctx, meta.VolumeID)
+	if !managed {
+		t.Fatalf("expected volume to be managed")
+	}
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Shutdown the manager
+	m.Stop()
+
+	m, err = NewManager(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer m.Stop()
+
+	if !m.IsVolumeReady(meta.VolumeID) {
+		t.Errorf("expected volume to be monitored & ready but it is not")
+	}
+}
+
+func TestManager_ManageVolume_beginsManagingAndProceedsIfNotReady(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	opts := newDefaultTestOptions(t)
+	m, err := NewManager(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Register a new volume with the metadata store
+	store := opts.MetadataReader.(storage.Interface)
+	meta := metadata.Metadata{
+		VolumeID:   "vol-id",
+		TargetPath: "/fake/path",
+	}
+	store.RegisterMetadata(meta)
+	// Ensure we stop managing the volume after the test
+	defer func() {
+		store.RemoveVolume(meta.VolumeID)
+		m.UnmanageVolume(meta.VolumeID)
+	}()
+
+	// Put the certificate under management
+	managed := m.ManageVolume(meta.VolumeID)
+	if !managed {
+		t.Errorf("expected management to have started, but it did not")
+	}
+
+	if err := wait.PollUntilWithContext(ctx, time.Millisecond*500, func(ctx context.Context) (done bool, err error) {
+		reqs, err := opts.Client.CertmanagerV1().CertificateRequests("").List(ctx, metav1.ListOptions{})
+		if err != nil {
+			return false, err
+		}
+		if len(reqs.Items) == 1 {
+			return true, nil
+		}
+		return false, nil
+	}); err != nil {
+		t.Errorf("failed waiting for CertificateRequest to exist: %v", err)
+	}
+
+	// Assert the certificate is under management - it won't be ready as no issuer has issued the certificate
+	if m.IsVolumeReady(meta.VolumeID) {
+		t.Errorf("expected volume to not be Ready but it is")
+	}
+	if _, ok := m.managedVolumes[meta.VolumeID]; !ok {
+		t.Errorf("expected volume to be part of managedVolumes map but it is not")
+	}
+}
+
 func TestManager_cleanupStaleRequests(t *testing.T) {
 
 	ctx := context.TODO()