fix dependencies

Author: wangke19

test/extended/ckao.go

@@ -0,0 +1,146 @@
+package extended
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+	"github.com/openshift/cluster-kube-apiserver-operator/test/extended/util"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
+)
+
+var _ = g.Describe("[Jira:kube-apiserver][sig-api-machinery] sanity test", func() {
+	g.It("should always pass [Suite:openshift/cluster-kube-apiserver-operator/conformance/parallel]", func() {
+		o.Expect(true).To(o.BeTrue())
+	})
+})
+
+// Helper: scale a Deployment
+func scaleDeployment(oc *util.CLI, ns, name string, replicas int32) {
+	_, err := oc.AdminKubeClient().AppsV1().Deployments(ns).
+		Patch(context.Background(), name,
+			types.MergePatchType,
+			[]byte(fmt.Sprintf(`{"spec":{"replicas":%d}}`, replicas)),
+			metav1.PatchOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+}
+
+// Helper: patch annotations on a Secret/ConfigMap
+func patchAnnotationsOnSecret(oc *util.CLI, ns, name string, anns map[string]*string) {
+	patch := `{"metadata":{"annotations":{`
+	first := true
+	for k, v := range anns {
+		if !first {
+			patch += ","
+		}
+		if v == nil {
+			patch += fmt.Sprintf("%q:null", k)
+		} else {
+			patch += fmt.Sprintf("%q:%q", k, *v)
+		}
+		first = false
+	}
+	patch += "}}}"
+	_, err := oc.AdminKubeClient().CoreV1().Secrets(ns).
+		Patch(context.Background(), name,
+			types.MergePatchType, []byte(patch), metav1.PatchOptions{})
+	o.Expect(err).NotTo(o.HaveOccurred())
+}
+
+var _ = g.Describe("[sig-api-machinery][cert-rotation][sidecar-refresh-only-when-expired] merged scenarios", func() {
+	defer g.GinkgoRecover()
+	oc := util.NewCLI("cert-rotation", "")
+
+	ns := "openshift-kube-apiserver"
+	secretName := "kubelet-client"
+
+	var kc *kubernetes.Clientset
+	g.BeforeEach(func() {
+		kc = oc.AdminKubeClient().(*kubernetes.Clientset)
+	})
+
+	g.It("pauses CVO, tests sidecar/operator behavior, then resumes CVO", func() {
+		ctx := context.Background()
+
+		// --- Pause CVO
+		g.By("Pausing CVO reconciliation")
+		scaleDeployment(oc, "openshift-cluster-version", "cluster-version-operator", 0)
+		_, err := oc.AdminConfigClient().ConfigV1().ClusterVersions().
+			Patch(ctx, "version", types.MergePatchType,
+				[]byte(`{"spec":{"overrides":[{"kind":"Deployment","group":"apps","namespace":"openshift-cluster-version","name":"cluster-version-operator","unmanaged":true}]}}`),
+				metav1.PatchOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+
+		defer func() {
+			// --- Resume CVO
+			g.By("Resuming CVO reconciliation")
+			scaleDeployment(oc, "openshift-cluster-version", "cluster-version-operator", 1)
+			_, _ = oc.AdminConfigClient().ConfigV1().ClusterVersions().
+				Patch(ctx, "version", types.MergePatchType,
+					[]byte(`{"spec":{"overrides":[]}}`), metav1.PatchOptions{})
+		}()
+
+		// --- Scenario A
+		g.By("Scenario A: operator down, removing metadata should not be re-added by sidecar")
+		scaleDeployment(oc, "openshift-kube-apiserver-operator", "openshift-kube-apiserver-operator", 0)
+
+		sec, err := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred())
+		dataBefore := base64.StdEncoding.EncodeToString(sec.Data["tls.crt"])
+
+		patchAnnotationsOnSecret(oc, ns, secretName, map[string]*string{
+			"auth.openshift.io/component":   nil,
+			"auth.openshift.io/description": nil,
+		})
+
+		o.Consistently(func() bool {
+			s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+			ann := s.Annotations
+			_, comp := ann["auth.openshift.io/component"]
+			_, desc := ann["auth.openshift.io/description"]
+			dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
+			return !comp && !desc && dataNow == dataBefore
+		}, 2*time.Minute, 10*time.Second).Should(o.BeTrue())
+
+		// --- Scenario B
+		g.By("Scenario B: operator up, metadata restored without cert rotation")
+		scaleDeployment(oc, "openshift-kube-apiserver-operator", "openshift-kube-apiserver-operator", 1)
+
+		o.Eventually(func() bool {
+			s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+			ann := s.Annotations
+			comp := ann["auth.openshift.io/component"] != ""
+			desc := ann["auth.openshift.io/description"] != ""
+			dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
+			return comp && desc && dataNow == dataBefore
+		}, 3*time.Minute, 10*time.Second).Should(o.BeTrue())
+
+		// --- Scenario C
+		g.By("Scenario C: operator down, expired not-after triggers sidecar rotation")
+		scaleDeployment(oc, "openshift-kube-apiserver-operator", "openshift-kube-apiserver-operator", 0)
+		past := "2000-01-01T00:00:00Z"
+		patchAnnotationsOnSecret(oc, ns, secretName, map[string]*string{
+			"auth.openshift.io/not-after": &past,
+		})
+
+		o.Eventually(func() bool {
+			s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+			dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
+			ann := s.Annotations
+			na := ann["auth.openshift.io/not-after"]
+			if na == "" {
+				return false
+			}
+			// content rotated
+			return dataNow != dataBefore
+		}, 3*time.Minute, 10*time.Second).Should(o.BeTrue())
+
+		// scale operator back up for cleanup
+		scaleDeployment(oc, "openshift-kube-apiserver-operator", "openshift-kube-apiserver-operator", 1)
+	})
+})

test/extended/main.go

@@ -0,0 +1,50 @@
+package util
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	g "github.com/onsi/ginkgo/v2"
+	o "github.com/onsi/gomega"
+)
+
+// e is return value of Wait.Poll
+// msg is the reason why time out
+// the function assert return value of Wait.Poll, and expect NO error
+// if e is Nil, just pass and nothing happen.
+// if e is not Nil, will not print the default error message "timed out waiting for the condition" because it causes RP AA not to analysis result exactly.
+// if e is "timed out waiting for the condition" or "context deadline exceeded", it is replaced by msg.
+// if e is not "timed out waiting for the condition", it print e and then case fails.
+
+func AssertWaitPollNoErr(e error, msg string) {
+	if e == nil {
+		return
+	}
+	var err error
+	if errors.Is(e, context.DeadlineExceeded) ||
+		strings.Compare(e.Error(), "timed out waiting for the condition") == 0 ||
+		strings.Compare(e.Error(), "context deadline exceeded") == 0 {
+		err = fmt.Errorf("case: %v\nerror: %s", g.CurrentSpecReport().FullText(), msg)
+	} else {
+		err = fmt.Errorf("case: %v\nerror: %s", g.CurrentSpecReport().FullText(), e.Error())
+	}
+	o.Expect(err).NotTo(o.HaveOccurred())
+}
+
+// OrFail function will process another function's return values and fail if any of those returned values is ane error != nil and returns the first value
+// example: if we have: func getValued() (string, error)
+//
+//	we can do:  value := OrFail[string](getValue())
+func OrFail[T any](vals ...any) T {
+
+	for _, val := range vals {
+		err, ok := val.(error)
+		if ok {
+			o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred())
+		}
+	}
+
+	return vals[0].(T)
+}