Merge pull request #248 from PillaiManish/master

CM-423: Improves e2e test for istio-csr controller to read from resource status

Author: openshift-merge-bot[bot]

test/e2e/config_template.go

@@ -6,6 +6,8 @@ package e2e
 import (
 	"bytes"
 	"text/template"
+
+	"github.com/openshift/cert-manager-operator/api/operator/v1alpha1"
 )
 
 // IssuerConfig customizes fields in the issuer spec
@@ -19,6 +21,12 @@ type CertificateConfig struct {
 	DNSName string
 }
 
+// IstioCSRConfig customizes the fields in a job spec
+type IstioCSRGRPCurlJobConfig struct {
+	CertificateSigningRequest string
+	IstioCSRStatus            v1alpha1.IstioCSRStatus
+}
+
 // replaceWithTemplate puts field values from a template struct
 func replaceWithTemplate(sourceFileContents string, templatedValues any) ([]byte, error) {
 	tmpl, err := template.New("template").Parse(sourceFileContents)

test/e2e/istio_csr_test.go

@@ -13,12 +13,10 @@ import (
 	"net/url"
 	"path/filepath"
 
-	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/utils/ptr"
 
 	"github.com/openshift/cert-manager-operator/test/library"
 
@@ -74,7 +72,7 @@ var _ = Describe("Istio-CSR", Ordered, Label("TechPreview", "Feature:IstioCSR"),
 	Context("grpc call istio.v1.auth.IstioCertificateService/CreateCertificate to istio-csr agent", func() {
 		It("should return cert-chain as response", func() {
 			serviceAccountName := "cert-manager-istio-csr"
-			grpcAppName := "grpcurl"
+			grpcAppName := "grpcurl-istio-csr"
 
 			By("creating cluster issuer")
 			loader.CreateFromFile(testassets.ReadFile, filepath.Join("testdata", "self_signed", "cluster_issuer.yaml"), ns.Name)
@@ -115,7 +113,7 @@ var _ = Describe("Istio-CSR", Ordered, Label("TechPreview", "Feature:IstioCSR"),
 			err = pollTillDeploymentAvailable(ctx, clientset, ns.Name, "cert-manager-istio-csr")
 			Expect(err).Should(BeNil())
 
-			istioCSRGRPCEndpoint, err := pollTillIstioCSRAvailable(ctx, dynamicClient, ns.Name, "default")
+			istioCSRStatus, err := pollTillIstioCSRAvailable(ctx, dynamicClient, ns.Name, "default")
 			Expect(err).Should(BeNil())
 
 			By("poll till the service account is available")
@@ -142,109 +140,16 @@ var _ = Describe("Istio-CSR", Ordered, Label("TechPreview", "Feature:IstioCSR"),
 			Expect(err).Should(BeNil())
 
 			By("creating an grpcurl job")
-			job := &batchv1.Job{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: "grpcurl-job",
-				},
-				Spec: batchv1.JobSpec{
-					Completions:  ptr.To(int32(1)),
-					BackoffLimit: ptr.To(backOffLimit),
-					Template: corev1.PodTemplateSpec{
-						ObjectMeta: metav1.ObjectMeta{
-							Name: grpcAppName,
-							Labels: map[string]string{
-								"app": grpcAppName,
-							},
-						},
-						Spec: corev1.PodSpec{
-							ServiceAccountName:           serviceAccountName,
-							AutomountServiceAccountToken: ptr.To(false),
-							RestartPolicy:                corev1.RestartPolicyOnFailure,
-							Containers: []corev1.Container{
-								{
-									Name:  grpcAppName,
-									Image: "registry.redhat.io/rhel9/go-toolset",
-									Command: []string{
-										"/bin/sh",
-										"-c",
-									},
-									Env: []corev1.EnvVar{
-										{
-											Name:  "GOCACHE",
-											Value: "/tmp/go-cache",
-										},
-										{
-											Name:  "GOPATH",
-											Value: "/tmp/go",
-										},
-									},
-									Args: []string{
-										"go install github.com/fullstorydev/grpcurl/cmd/[email protected] >/dev/null 2>&1 && " +
-											"TOKEN=$(cat /var/run/secrets/istio-ca/token) && " +
-											"/tmp/go/bin/grpcurl " +
-											"-import-path /proto " +
-											"-proto /proto/ca.proto " +
-											"-H \"Authorization: Bearer $TOKEN\" " +
-											fmt.Sprintf("-d '{\"csr\": \"%s\", \"validity_duration\": 3600}' ", csr) +
-											"-cacert /etc/root-secret/ca.crt " +
-											"-key /etc/root-secret/tls.key " +
-											"-cert /etc/root-secret/tls.crt " +
-											fmt.Sprintf("%s istio.v1.auth.IstioCertificateService/CreateCertificate", istioCSRGRPCEndpoint),
-									},
-									VolumeMounts: []corev1.VolumeMount{
-										{Name: "root-secret", MountPath: "/etc/root-secret"},
-										{Name: "proto", MountPath: "/proto"},
-										{Name: "sa-token", MountPath: "/var/run/secrets/istio-ca"},
-									},
-								},
-							},
-							Volumes: []corev1.Volume{
-								{
-									Name: "sa-token",
-									VolumeSource: corev1.VolumeSource{
-										Projected: &corev1.ProjectedVolumeSource{
-											DefaultMode: ptr.To(int32(420)),
-											Sources: []corev1.VolumeProjection{
-												{
-													ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
-														Audience:          "istio-ca",
-														ExpirationSeconds: ptr.To(int64(3600)),
-														Path:              "token",
-													},
-												},
-											},
-										},
-									},
-								},
-								{
-									Name: "root-secret",
-									VolumeSource: corev1.VolumeSource{
-										Secret: &corev1.SecretVolumeSource{
-											SecretName: "istiod-tls",
-										},
-									},
-								},
-								{
-									Name: "proto",
-									VolumeSource: corev1.VolumeSource{
-										ConfigMap: &corev1.ConfigMapVolumeSource{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: "proto-cm",
-											},
-										},
-									},
-								},
-							},
-						},
-					},
+			loader.CreateFromFile(AssetFunc(testassets.ReadFile).WithTemplateValues(
+				IstioCSRGRPCurlJobConfig{
+					CertificateSigningRequest: csr,
+					IstioCSRStatus:            istioCSRStatus,
 				},
-			}
-			_, err = clientset.BatchV1().Jobs(ns.Name).Create(context.TODO(), job, metav1.CreateOptions{})
-			Expect(err).Should(BeNil())
-			defer clientset.BatchV1().Jobs(ns.Name).Delete(ctx, job.Name, metav1.DeleteOptions{})
+			), filepath.Join("testdata", "istio", "grpcurl_job.yaml"), ns.Name)
+			defer loader.DeleteFromFile(testassets.ReadFile, filepath.Join("testdata", "istio", "grpcurl_job.yaml"), ns.Name)
 
 			By("waiting for the job to be completed")
-			err = pollTillJobCompleted(ctx, clientset, ns.Name, "grpcurl-job")
+			err = pollTillJobCompleted(ctx, clientset, ns.Name, grpcAppName)
 			Expect(err).Should(BeNil())
 
 			By("fetching logs of the grpcurl job")

test/e2e/testdata/istio/grpcurl_job.yaml

@@ -0,0 +1,62 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: grpcurl-istio-csr
+spec:
+  backoffLimit: 10
+  completions: 1
+  template:
+    metadata:
+      labels:
+        app: grpcurl-istio-csr
+      name: grpcurl-istio-csr
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - args:
+            - |
+              go install github.com/fullstorydev/grpcurl/cmd/[email protected] >/dev/null 2>&1 && \
+              TOKEN=$(cat /var/run/secrets/istio-ca/token) && \
+              /tmp/go/bin/grpcurl \
+                -import-path /proto \
+                -proto /proto/ca.proto \
+                -H "Authorization: Bearer $TOKEN" \
+                -d '{"csr": "{{.CertificateSigningRequest}}", "validity_duration": 3600}' \
+                -cacert /etc/root-secret/ca.crt \
+                -key /etc/root-secret/tls.key \
+                -cert /etc/root-secret/tls.crt \
+                {{.IstioCSRStatus.IstioCSRGRPCEndpoint}} istio.v1.auth.IstioCertificateService/CreateCertificate
+          command:
+            - /bin/sh
+            - -c
+          env:
+            - name: GOCACHE
+              value: /tmp/go-cache
+            - name: GOPATH
+              value: /tmp/go
+          image: registry.redhat.io/rhel9/go-toolset
+          name: grpcurl
+          volumeMounts:
+            - mountPath: /etc/root-secret
+              name: root-secret
+            - mountPath: /proto
+              name: proto
+            - mountPath: /var/run/secrets/istio-ca
+              name: sa-token
+      restartPolicy: OnFailure
+      serviceAccountName: '{{.IstioCSRStatus.ServiceAccount}}'
+      volumes:
+        - name: sa-token
+          projected:
+            defaultMode: 420
+            sources:
+              - serviceAccountToken:
+                  audience: istio-ca
+                  expirationSeconds: 3600
+                  path: token
+        - name: root-secret
+          secret:
+            secretName: istiod-tls
+        - configMap:
+            name: proto-cm
+          name: proto

test/e2e/utils_test.go

@@ -8,7 +8,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"math/rand"
 	"regexp"
 	"strings"
@@ -32,7 +31,10 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/errors"
@@ -611,10 +613,10 @@ func pollTillServiceAccountAvailable(ctx context.Context, clientset *kubernetes.
 	return err
 }
 
-// pollTillIstioCSRAvailable poll the istioCSR object and returns non-nil error and istio-grpc-endpoint
+// pollTillIstioCSRAvailable poll the istioCSR object and returns non-nil error and istioCSRStatus
 // once the istiocsr is available, otherwise should return a time-out error
-func pollTillIstioCSRAvailable(ctx context.Context, dynamicClient *dynamic.DynamicClient, namespace, istioCsrName string) (string, error) {
-	var istioCSRGRPCEndpoint string
+func pollTillIstioCSRAvailable(ctx context.Context, dynamicClient *dynamic.DynamicClient, namespace, istioCsrName string) (v1alpha1.IstioCSRStatus, error) {
+	var istioCSRStatus v1alpha1.IstioCSRStatus
 	err := wait.PollUntilContextTimeout(ctx, PollInterval, TestTimeout, true, func(ctx context.Context) (bool, error) {
 		gvr := schema.GroupVersionResource{
 			Group:    "operator.openshift.io",
@@ -636,44 +638,24 @@ func pollTillIstioCSRAvailable(ctx context.Context, dynamicClient *dynamic.Dynam
 			return false, nil
 		}
 
-		conditions, found, err := unstructured.NestedSlice(customResource.Object, "status", "conditions")
+		err = runtime.DefaultUnstructuredConverter.FromUnstructured(status, &istioCSRStatus)
 		if err != nil {
 			return false, nil
 		}
 
-		if !found {
-			return false, nil
-		}
-
-		for _, condition := range conditions {
-			condMap, ok := condition.(map[string]interface{})
-			if !ok {
-				continue
-			}
-
-			condType, _ := condMap["type"].(string)
-			condStatus, _ := condMap["status"].(string)
-
-			if condType != "Ready" {
-				continue
-			}
-
-			if condStatus == string(metav1.ConditionTrue) {
-				break
-			} else {
-				return false, nil
-			}
+		readyCondition := meta.FindStatusCondition(istioCSRStatus.Conditions, v1alpha1.Ready)
 
+		if readyCondition == nil || readyCondition.Status != metav1.ConditionTrue {
+			return false, nil
 		}
 
-		if !library.IsEmptyString(status["istioCSRGRPCEndpoint"]) && !library.IsEmptyString(status["clusterRoleBinding"]) && !library.IsEmptyString(status["istioCSRImage"]) && !library.IsEmptyString(status["serviceAccount"]) {
-			istioCSRGRPCEndpoint = status["istioCSRGRPCEndpoint"].(string)
+		if !library.IsEmptyString(istioCSRStatus.IstioCSRGRPCEndpoint) && !library.IsEmptyString(istioCSRStatus.ClusterRoleBinding) && !library.IsEmptyString(istioCSRStatus.IstioCSRImage) && !library.IsEmptyString(istioCSRStatus.ServiceAccount) {
 			return true, nil
 		}
 		return false, nil
 	})
 
-	return istioCSRGRPCEndpoint, err
+	return istioCSRStatus, err
 }
 
 func pollTillDeploymentAvailable(ctx context.Context, clientSet *kubernetes.Clientset, namespace, deploymentName string) error {