implement more tests in secrets test, move validateca test to cert bundle, language feedback, comments

porthorian · porthorian · commit 070abeda5354 · 2025-02-18T21:20:57.000-05:00
diff --git a/internal/mode/static/state/dataplane/configuration.go b/internal/mode/static/state/dataplane/configuration.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"sort"
 
-	apiv1 "k8s.io/api/core/v1"
 	discoveryV1 "k8s.io/api/discovery/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -229,10 +228,10 @@ func buildSSLKeyPairs(
 			id := generateSSLKeyPairID(*l.ResolvedSecret)
 			secret := secrets[*l.ResolvedSecret]
 			// The Data map keys are guaranteed to exist by the graph package.
-			// the Source field is guaranteed to be non-nil by the graph package.
+			// the CertBundle field is guaranteed to be non-nil by the graph package.
 			keyPairs[id] = SSLKeyPair{
-				Cert: secret.Source.Data[apiv1.TLSCertKey],
-				Key:  secret.Source.Data[apiv1.TLSPrivateKeyKey],
+				Cert: secret.CertBundle.Cert.TLSCert,
+				Key:  secret.CertBundle.Cert.TLSPrivateKey,
 			}
 		}
 	}
diff --git a/internal/mode/static/state/graph/backend_tls_policy.go b/internal/mode/static/state/graph/backend_tls_policy.go
@@ -170,7 +170,7 @@ func validateBackendTLSCACertRef(
 			return field.Invalid(path, selectedCertRef, err.Error())
 		}
 	default:
-		return fmt.Errorf("invalid certificate reference supported %q", selectedCertRef.Kind)
+		return fmt.Errorf("invalid certificate reference kind %q", selectedCertRef.Kind)
 	}
 	return nil
 }
diff --git a/internal/mode/static/state/graph/certificate_bundle.go b/internal/mode/static/state/graph/certificate_bundle.go
@@ -11,21 +11,30 @@ import (
 	v1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
+// CAKey is the key that is stored in a secret or configmap to grab its data from.
+// This follows the convention setup by kubernetes service account root ca
+// key for optional root certificate authority
 const CAKey = "ca.crt"
 
+// CertificateBundle is used to submit certificate data to nginx that is kubernetes aware
 type CertificateBundle struct {
 	Cert *Certificate
 
 	Name types.NamespacedName
 	Kind v1.Kind
 }
 
+// Certificate houses the real certificate data that is sent to the configurator
 type Certificate struct {
-	TLSCert       []byte
+	// TLSCert is the SSL certificate used to send to CA
+	TLSCert []byte
+	// TLSPrivateKey is the cryptographic key for encrpyting traffic during secure TLS
 	TLSPrivateKey []byte
-	CACert        []byte
+	// CACert is the root certificate authority
+	CACert []byte
 }
 
+// NewCertificateBundle generates a kubernetes aware certificate that is used during the configurator for nginx
 func NewCertificateBundle(name types.NamespacedName, kind string, cert *Certificate) *CertificateBundle {
 	return &CertificateBundle{
 		Name: name,
@@ -34,6 +43,7 @@ func NewCertificateBundle(name types.NamespacedName, kind string, cert *Certific
 	}
 }
 
+// validateTLS ...
 func validateTLS(tlsCert, tlsPrivateKey []byte) error {
 	_, err := tls.X509KeyPair(tlsCert, tlsPrivateKey)
 	if err != nil {
diff --git a/internal/mode/static/state/graph/certificate_bundle_test.go b/internal/mode/static/state/graph/certificate_bundle_test.go
@@ -0,0 +1,55 @@
+package graph
+
+import (
+	"encoding/base64"
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestValidateCA(t *testing.T) {
+	t.Parallel()
+	base64Data := make([]byte, base64.StdEncoding.EncodedLen(len(caBlock)))
+	base64.StdEncoding.Encode(base64Data, []byte(caBlock))
+
+	tests := []struct {
+		name          string
+		data          []byte
+		errorExpected bool
+	}{
+		{
+			name:          "valid base64",
+			data:          base64Data,
+			errorExpected: false,
+		},
+		{
+			name:          "valid plain text",
+			data:          []byte(caBlock),
+			errorExpected: false,
+		},
+		{
+			name:          "invalid pem",
+			data:          []byte("invalid"),
+			errorExpected: true,
+		},
+		{
+			name:          "invalid type",
+			data:          []byte(caBlockInvalidType),
+			errorExpected: true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+
+			err := validateCA(test.data)
+			if test.errorExpected {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+		})
+	}
+}
diff --git a/internal/mode/static/state/graph/configmaps_test.go b/internal/mode/static/state/graph/configmaps_test.go
@@ -1,7 +1,6 @@
 package graph
 
 import (
-	"encoding/base64"
 	"testing"
 
 	. "github.com/onsi/gomega"
@@ -87,53 +86,6 @@ UdxohGqleWFMQ3UNLOvc9Fk+q72ryg==
 `
 )
 
-func TestValidateCA(t *testing.T) {
-	t.Parallel()
-	base64Data := make([]byte, base64.StdEncoding.EncodedLen(len(caBlock)))
-	base64.StdEncoding.Encode(base64Data, []byte(caBlock))
-
-	tests := []struct {
-		name          string
-		data          []byte
-		errorExpected bool
-	}{
-		{
-			name:          "valid base64",
-			data:          base64Data,
-			errorExpected: false,
-		},
-		{
-			name:          "valid plain text",
-			data:          []byte(caBlock),
-			errorExpected: false,
-		},
-		{
-			name:          "invalid pem",
-			data:          []byte("invalid"),
-			errorExpected: true,
-		},
-		{
-			name:          "invalid type",
-			data:          []byte(caBlockInvalidType),
-			errorExpected: true,
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			t.Parallel()
-			g := NewWithT(t)
-
-			err := validateCA(test.data)
-			if test.errorExpected {
-				g.Expect(err).To(HaveOccurred())
-			} else {
-				g.Expect(err).ToNot(HaveOccurred())
-			}
-		})
-	}
-}
-
 func TestResolve(t *testing.T) {
 	configMaps := map[types.NamespacedName]*v1.ConfigMap{
 		{Namespace: "test", Name: "configmap1"}: {
diff --git a/internal/mode/static/state/graph/secret.go b/internal/mode/static/state/graph/secret.go
@@ -63,6 +63,9 @@ func (r *secretResolver) resolve(nsname types.NamespacedName) error {
 		validationErr = validateTLS(cert.TLSCert, cert.TLSPrivateKey)
 
 		// Not always guaranteed to have a ca certificate in the secret.
+		// Cert-Manager puts this at ca.crt and thus this is statically placed like so.
+		// To follow the convention setup by kubernetes for a service account root ca
+		// for optional root certificate authority
 		if _, exists := secret.Data[CAKey]; exists {
 			cert.CACert = secret.Data[CAKey]
 			validationErr = validateCA(cert.CACert)
diff --git a/internal/mode/static/state/graph/secret_test.go b/internal/mode/static/state/graph/secret_test.go
@@ -93,6 +93,19 @@ func TestSecretResolver(t *testing.T) {
 			Type: apiv1.SecretTypeTLS,
 		}
 
+		validSecret3 = &apiv1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "test",
+				Name:      "secret-3",
+			},
+			Data: map[string][]byte{
+				apiv1.TLSCertKey:       cert,
+				apiv1.TLSPrivateKeyKey: key,
+				CAKey:                  []byte(caBlock),
+			},
+			Type: apiv1.SecretTypeTLS,
+		}
+
 		invalidSecretType = &apiv1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: "test",
@@ -129,6 +142,19 @@ func TestSecretResolver(t *testing.T) {
 			Type: apiv1.SecretTypeTLS,
 		}
 
+		invalidSecretCaCert = &apiv1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: "test",
+				Name:      "invalid-ca-key",
+			},
+			Data: map[string][]byte{
+				apiv1.TLSCertKey:       cert,
+				apiv1.TLSPrivateKeyKey: key,
+				CAKey:                  invalidCert,
+			},
+			Type: apiv1.SecretTypeTLS,
+		}
+
 		secretNotExistNsName = types.NamespacedName{
 			Namespace: "test",
 			Name:      "not-exist",
@@ -137,11 +163,13 @@ func TestSecretResolver(t *testing.T) {
 
 	resolver := newSecretResolver(
 		map[types.NamespacedName]*apiv1.Secret{
-			client.ObjectKeyFromObject(validSecret1):      validSecret1,
-			client.ObjectKeyFromObject(validSecret2):      validSecret2, // we're not going to resolve it
-			client.ObjectKeyFromObject(invalidSecretType): invalidSecretType,
-			client.ObjectKeyFromObject(invalidSecretCert): invalidSecretCert,
-			client.ObjectKeyFromObject(invalidSecretKey):  invalidSecretKey,
+			client.ObjectKeyFromObject(validSecret1):        validSecret1,
+			client.ObjectKeyFromObject(validSecret2):        validSecret2, // we're not going to resolve it
+			client.ObjectKeyFromObject(validSecret3):        validSecret3,
+			client.ObjectKeyFromObject(invalidSecretType):   invalidSecretType,
+			client.ObjectKeyFromObject(invalidSecretCert):   invalidSecretCert,
+			client.ObjectKeyFromObject(invalidSecretKey):    invalidSecretKey,
+			client.ObjectKeyFromObject(invalidSecretCaCert): invalidSecretCaCert,
 		})
 
 	tests := []struct {
@@ -157,6 +185,10 @@ func TestSecretResolver(t *testing.T) {
 			name:   "valid secret, again",
 			nsname: client.ObjectKeyFromObject(validSecret1),
 		},
+		{
+			name:   "valid secret, with ca certificate",
+			nsname: client.ObjectKeyFromObject(validSecret3),
+		},
 		{
 			name:           "doesn't exist",
 			nsname:         secretNotExistNsName,
@@ -182,6 +214,11 @@ func TestSecretResolver(t *testing.T) {
 			nsname:         client.ObjectKeyFromObject(invalidSecretKey),
 			expectedErrMsg: "TLS secret is invalid: tls: failed to parse private key",
 		},
+		{
+			name:           "invalid secret ca cert",
+			nsname:         client.ObjectKeyFromObject(invalidSecretCaCert),
+			expectedErrMsg: "failed to validate certificate: x509: malformed certificate",
+		},
 	}
 
 	// Not running tests with t.Run(...) because the last one (getResolvedSecrets) depends on the execution of
@@ -206,6 +243,14 @@ func TestSecretResolver(t *testing.T) {
 				TLSPrivateKey: key,
 			}),
 		},
+		client.ObjectKeyFromObject(validSecret3): {
+			Source: validSecret3,
+			CertBundle: NewCertificateBundle(client.ObjectKeyFromObject(validSecret3), "Secret", &Certificate{
+				TLSCert:       cert,
+				TLSPrivateKey: key,
+				CACert:        []byte(caBlock),
+			}),
+		},
 		client.ObjectKeyFromObject(invalidSecretType): {
 			Source: invalidSecretType,
 		},
@@ -223,6 +268,14 @@ func TestSecretResolver(t *testing.T) {
 				TLSPrivateKey: invalidKey,
 			}),
 		},
+		client.ObjectKeyFromObject(invalidSecretCaCert): {
+			Source: invalidSecretCaCert,
+			CertBundle: NewCertificateBundle(client.ObjectKeyFromObject(invalidSecretCaCert), "Secret", &Certificate{
+				TLSCert:       cert,
+				TLSPrivateKey: key,
+				CACert:        invalidCert,
+			}),
+		},
 		secretNotExistNsName: {
 			Source: nil,
 		},

Original file line number	Diff line number	Diff line change
`@@ -170,7 +170,7 @@ func validateBackendTLSCACertRef(`
`170`	`170`	`return field.Invalid(path, selectedCertRef, err.Error())`
`171`	`171`	`}`
`172`	`172`	`default:`
`173`		`- return fmt.Errorf("invalid certificate reference supported %q", selectedCertRef.Kind)`
	`173`	`+ return fmt.Errorf("invalid certificate reference kind %q", selectedCertRef.Kind)`
`174`	`174`	`}`
`175`	`175`	`return nil`
`176`	`176`	`}`