Protect against arbitrary *-Degraded conditions as true

* deliberatly fail the e2e if we encounter any unexpected Degraded in Status.Conditions

Signed-off-by: Swarup Ghosh <[email protected]>

Author: swghosh

test/e2e/certificates_test.go

@@ -67,11 +67,7 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 
 	BeforeEach(func() {
 		By("waiting for operator status to become available")
-		err := verifyOperatorStatusCondition(certmanageroperatorclient,
-			[]string{certManagerControllerDeploymentControllerName,
-				certManagerWebhookDeploymentControllerName,
-				certManagerCAInjectorDeploymentControllerName},
-			validOperatorStatusConditions)
+		err := VerifyHealthyOperatorConditions(certmanageroperatorclient.OperatorV1alpha1())
 		Expect(err).NotTo(HaveOccurred(), "Operator is expected to be available")
 
 		By("creating a test namespace")
@@ -195,7 +191,7 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 			loader.CreateFromFile(testassets.ReadFile, filepath.Join("testdata", "credentials", "credentialsrequest_aws.yaml"), "")
 
 			By("waiting for cloud secret to be available")
-			err := wait.PollUntilContextTimeout(context.TODO(), PollInterval, TestTimeout, true, func(context.Context) (bool, error) {
+			err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
 				_, err := loader.KubeClient.CoreV1().Secrets("cert-manager").Get(ctx, "aws-creds", metav1.GetOptions{})
 				if err != nil {
 					return false, nil
@@ -288,7 +284,7 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 			loader.CreateFromFile(testassets.ReadFile, filepath.Join("testdata", "credentials", "credentialsrequest_aws.yaml"), "")
 
 			By("waiting for cloud secret to be available")
-			err := wait.PollUntilContextTimeout(context.TODO(), PollInterval, TestTimeout, true, func(context.Context) (bool, error) {
+			err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
 				_, err := loader.KubeClient.CoreV1().Secrets("cert-manager").Get(ctx, "aws-creds", metav1.GetOptions{})
 				if err != nil {
 					return false, nil
@@ -488,7 +484,7 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 			By("Waiting for cloud secret to be available")
 			// The name is defined cloud credential by the testdata YAML file.
 			credentialSecret := "gcp-credentials"
-			err := wait.PollUntilContextTimeout(context.TODO(), PollInterval, TestTimeout, true, func(context.Context) (bool, error) {
+			err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
 				_, err := loader.KubeClient.CoreV1().Secrets("cert-manager").Get(ctx, credentialSecret, metav1.GetOptions{})
 				if err != nil {
 					return false, nil
@@ -645,7 +641,7 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 			defer loader.KubeClient.NetworkingV1().Ingresses(ingress.Namespace).Delete(ctx, ingress.Name, metav1.DeleteOptions{})
 
 			By("checking TLS certificate contents")
-			err = wait.PollUntilContextTimeout(context.TODO(), PollInterval, TestTimeout, true, func(context.Context) (bool, error) {
+			err = wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
 				secret, err := loader.KubeClient.CoreV1().Secrets(ingress.Namespace).Get(ctx, secretName, metav1.GetOptions{})
 				tlsConfig, isvalid := library.GetTLSConfig(secret)
 				if !isvalid {
@@ -686,11 +682,7 @@ var _ = Describe("Self-signed Certificate", Ordered, func() {
 
 	BeforeEach(func() {
 		By("waiting for operator status to become available")
-		err := verifyOperatorStatusCondition(certmanageroperatorclient,
-			[]string{certManagerControllerDeploymentControllerName,
-				certManagerWebhookDeploymentControllerName,
-				certManagerCAInjectorDeploymentControllerName},
-			validOperatorStatusConditions)
+		err := VerifyHealthyOperatorConditions(certmanageroperatorclient.OperatorV1alpha1())
 		Expect(err).NotTo(HaveOccurred(), "Operator is expected to be available")
 	})
 
@@ -768,7 +760,7 @@ var _ = Describe("Self-signed Certificate", Ordered, func() {
 			Expect(err).NotTo(HaveOccurred())
 
 			By("certificate was renewed atleast once")
-			err = verifyCertificateRenewed(ctx, cert.Spec.SecretName, ns.Name, time.Minute+5*time.Second) // using wait period of (1min+jitter)=65s
+			err = verifyCertificateRenewed(ctx, cert.Spec.SecretName, ns.Name, time.Minute+slowPollInterval) // using wait period of (1min+jitter)=65s
 			Expect(err).NotTo(HaveOccurred())
 		})
 	})

test/e2e/condition_matcher_test.go

@@ -0,0 +1,148 @@
+//go:build e2e
+// +build e2e
+
+package e2e
+
+import (
+	"regexp"
+
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	opv1 "github.com/openshift/api/operator/v1"
+	v1alpha1client "github.com/openshift/cert-manager-operator/pkg/operator/clientset/versioned/typed/operator/v1alpha1"
+)
+
+// ConditionMatcher tracks a regex pattern cond.Type with an expected cond.Status
+type ConditionMatcher struct {
+	TypePattern    *regexp.Regexp       `json:"condition.Type"`
+	ExpectedStatus opv1.ConditionStatus `json:"condition.Status"`
+
+	// Any when true will expect matcher to succeed
+	// when atleast one conditions match, default is false when
+	// matcher will succeed only on matching all pattern conditions.
+	Any bool `json:"matcher.shouldMatchAny"`
+}
+
+// MatchesType returns true if the provided Condition.Type satisfies regex pattern
+func (m *ConditionMatcher) MatchesType(cond *opv1.OperatorCondition) bool {
+	return m.TypePattern.MatchString(cond.Type)
+}
+
+// MatchesStatus returns true if the provided Condition.Status is same as ExpectedStatus
+func (m *ConditionMatcher) MatchesStatus(cond *opv1.OperatorCondition) bool {
+	return cond.Status == m.ExpectedStatus
+}
+
+func (m *ConditionMatcher) Matches(conditions []opv1.OperatorCondition) bool {
+	matchCount := 0
+	for _, cond := range conditions {
+		if m.MatchesType(&cond) && m.MatchesStatus(&cond) {
+
+			if m.Any {
+				return true
+			}
+
+			matchCount += 1
+		}
+
+		if m.MatchesType(&cond) && !m.MatchesStatus(&cond) {
+			return false
+		}
+	}
+
+	return matchCount > 0
+}
+
+const (
+	MatchAnyCondition  bool = true
+	MatchAllConditions bool = false
+)
+
+// PrefixAndMatchTypeTuple is a tuple containing
+// controller name (i.e. the condition prefix)
+// and the condition matcher type be ANY or ALL.
+type PrefixAndMatchTypeTuple struct {
+	Prefix         string
+	ShouldMatchAny bool
+}
+
+func GenerateConditionMatchers(tuples []PrefixAndMatchTypeTuple, expectedConditions map[string]opv1.ConditionStatus) []ConditionMatcher {
+	matchers := make([]ConditionMatcher, len(tuples)*len(expectedConditions))
+
+	idx := 0
+	for _, t := range tuples {
+		for suffix, state := range expectedConditions {
+			matchers[idx] = ConditionMatcher{
+				TypePattern:    regexp.MustCompile("^" + t.Prefix + ".*" + suffix + "$"),
+				ExpectedStatus: state,
+				Any:            t.ShouldMatchAny,
+			}
+			idx += 1
+		}
+	}
+	return matchers
+}
+
+// verifyOperatorStatusCondition polls every few second to check if the status of each of the controllers
+// match with the expected conditions. It returns an error if a timeout (few mins) occurs or an error was
+// encountered which polls the status.
+func verifyOperatorStatusCondition(client v1alpha1client.OperatorV1alpha1Interface, conditionMatchers []ConditionMatcher) error {
+	var lastFetchedConditions []opv1.OperatorCondition
+
+	err := wait.PollUntilContextTimeout(context.TODO(), fastPollInterval, lowTimeout, true, func(context.Context) (bool, error) {
+		operator, err := client.CertManagers().Get(context.TODO(), "cluster", metav1.GetOptions{})
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				return false, nil
+			}
+			return false, err
+		}
+
+		if operator.DeletionTimestamp != nil {
+			return false, nil
+		}
+
+		lastFetchedConditions = operator.Status.DeepCopy().Conditions
+		for _, matcher := range conditionMatchers {
+			if !matcher.Matches(lastFetchedConditions) {
+
+				// [retry] false:   NOT match as desired
+				return false, nil
+			}
+		}
+
+		// [no-retry] true: when ALL match as desired
+		return true, nil
+	})
+
+	if err != nil {
+		prettyConds, _ := json.Marshal(lastFetchedConditions)
+		log.Printf("found status.conditions: %s", prettyConds)
+		prettyMatchers, _ := json.Marshal(conditionMatchers)
+		log.Printf("expected status.conditions to adhere with %s", prettyMatchers)
+
+		return fmt.Errorf("could not verify all status conditions as expected : %v", err)
+	}
+
+	return nil
+}
+
+func VerifyHealthyOperatorConditions(client v1alpha1client.OperatorV1alpha1Interface) error {
+	return verifyOperatorStatusCondition(client,
+		GenerateConditionMatchers(
+			[]PrefixAndMatchTypeTuple{
+				{certManagerController, MatchAllConditions},
+				{certManagerWebhook, MatchAllConditions},
+				{certManagerCAInjector, MatchAllConditions},
+			},
+			validOperatorStatusConditions,
+		),
+	)
+}

test/e2e/condition_matcher_unit_test.go

@@ -0,0 +1,151 @@
+//go:build e2e
+// +build e2e
+
+package e2e
+
+import (
+	"strings"
+	"testing"
+
+	opv1 "github.com/openshift/api/operator/v1"
+	operatorv1alpha1 "github.com/openshift/cert-manager-operator/api/operator/v1alpha1"
+	fakecertmanclient "github.com/openshift/cert-manager-operator/pkg/operator/clientset/versioned/fake"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// TestVerifyOperatorStatusCondition unit test for verifyOperatorStatusCondition func
+func TestVerifyOperatorStatusCondition(t *testing.T) {
+	controllerPrefix := "foo-controller"
+
+	newCertManagerObjectWithConditions := func(conditions ...opv1.OperatorCondition) *operatorv1alpha1.CertManager {
+		return &operatorv1alpha1.CertManager{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "cluster",
+			},
+			Status: operatorv1alpha1.CertManagerStatus{
+				OperatorStatus: opv1.OperatorStatus{
+					Conditions: conditions,
+				},
+			},
+		}
+	}
+
+	tests := []struct {
+		name               string
+		initialObjects     []runtime.Object
+		expectedConditions map[string]opv1.ConditionStatus
+		matchAny           bool
+		expectError        bool
+		errorContains      string
+	}{
+		{
+			name: "One degraded is true but another is false using Any",
+			expectedConditions: map[string]opv1.ConditionStatus{
+				"Available":   opv1.ConditionTrue,
+				"Degraded":    opv1.ConditionFalse,
+				"Progressing": opv1.ConditionFalse,
+			},
+			initialObjects: []runtime.Object{
+				newCertManagerObjectWithConditions(
+					opv1.OperatorCondition{Type: controllerPrefix + "Available", Status: opv1.ConditionTrue},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Degraded", Status: opv1.ConditionFalse},
+					opv1.OperatorCondition{Type: controllerPrefix + "-rand-Degraded", Status: opv1.ConditionTrue},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Progressing", Status: opv1.ConditionFalse},
+				),
+			},
+			matchAny:      true,
+			expectError:   false,
+			errorContains: "context deadline exceeded",
+		},
+		{
+			name: "Both degraded is false",
+			expectedConditions: map[string]opv1.ConditionStatus{
+				"Available":   opv1.ConditionTrue,
+				"Degraded":    opv1.ConditionFalse,
+				"Progressing": opv1.ConditionFalse,
+			},
+			initialObjects: []runtime.Object{
+				newCertManagerObjectWithConditions(
+					opv1.OperatorCondition{Type: controllerPrefix + "Available", Status: opv1.ConditionTrue},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Degraded", Status: opv1.ConditionFalse},
+					opv1.OperatorCondition{Type: controllerPrefix + "-bar-Degraded", Status: opv1.ConditionFalse},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Progressing", Status: opv1.ConditionFalse},
+				),
+			},
+			expectError: false,
+		},
+		{
+			name: "One available is true but another is false using All",
+			expectedConditions: map[string]opv1.ConditionStatus{
+				"Available":   opv1.ConditionTrue,
+				"Degraded":    opv1.ConditionFalse,
+				"Progressing": opv1.ConditionFalse,
+			},
+			initialObjects: []runtime.Object{
+				newCertManagerObjectWithConditions(
+					opv1.OperatorCondition{Type: controllerPrefix + "Available", Status: opv1.ConditionTrue},
+					opv1.OperatorCondition{Type: controllerPrefix + "-bar-Available", Status: opv1.ConditionFalse},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Degraded", Status: opv1.ConditionFalse},
+					opv1.OperatorCondition{Type: controllerPrefix + "-bar-Degraded", Status: opv1.ConditionFalse},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Progressing", Status: opv1.ConditionFalse},
+				),
+			},
+			expectError:   true,
+			errorContains: "context deadline exceeded",
+		},
+		{
+			name: "A missing condition for Progressing",
+			expectedConditions: map[string]opv1.ConditionStatus{
+				"Available":   opv1.ConditionTrue,
+				"Degraded":    opv1.ConditionFalse,
+				"Progressing": opv1.ConditionFalse,
+			},
+			initialObjects: []runtime.Object{
+				newCertManagerObjectWithConditions(
+					opv1.OperatorCondition{Type: controllerPrefix + "Available", Status: opv1.ConditionTrue},
+					opv1.OperatorCondition{Type: controllerPrefix + "-bar-Available", Status: opv1.ConditionFalse},
+
+					opv1.OperatorCondition{Type: controllerPrefix + "Degraded", Status: opv1.ConditionFalse},
+					opv1.OperatorCondition{Type: controllerPrefix + "-bar-Degraded", Status: opv1.ConditionFalse},
+				),
+			},
+			expectError:   true,
+			errorContains: "could not verify all status conditions as expected",
+		},
+	}
+
+	t.Parallel()
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fakeClient := fakecertmanclient.NewSimpleClientset(tt.initialObjects...)
+
+			matchers := GenerateConditionMatchers([]PrefixAndMatchTypeTuple{
+				{controllerPrefix, tt.matchAny},
+			}, tt.expectedConditions)
+
+			err := verifyOperatorStatusCondition(fakeClient.OperatorV1alpha1(), matchers)
+
+			if tt.expectError && err == nil {
+				t.Errorf("Expected an error, but got nil")
+			}
+
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error, but got: %v", err)
+			}
+
+			if tt.expectError && err != nil {
+				if tt.errorContains != "" && !strings.Contains(err.Error(), tt.errorContains) {
+					t.Errorf("Expected error to contain '%s', but got: %v", tt.errorContains, err)
+				}
+			}
+		})
+	}
+}

test/e2e/istio_csr_test.go

@@ -58,11 +58,7 @@ var _ = Describe("Istio-CSR", Ordered, Label("TechPreview", "Feature:IstioCSR"),
 
 	BeforeEach(func() {
 		By("waiting for operator status to become available")
-		err := verifyOperatorStatusCondition(certmanageroperatorclient, []string{
-			certManagerControllerDeploymentControllerName,
-			certManagerWebhookDeploymentControllerName,
-			certManagerCAInjectorDeploymentControllerName,
-		}, validOperatorStatusConditions)
+		err := VerifyHealthyOperatorConditions(certmanageroperatorclient.OperatorV1alpha1())
 		Expect(err).NotTo(HaveOccurred(), "Operator is expected to be available")
 
 		By("creating a test namespace")