NO-JIRA: certrotation: Fix using a wrong annotation value #2061
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@tchap: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tchap The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tchap
force-pushed
the
certrotation
branch
2 times, most recently
from
84b8a5b to
247b85e
Compare
|
|
||
| func TestEnsureSigningCertKeyPair(t *testing.T) { | ||
| verifyActionFunc := func(check func(t *testing.T, action clienttesting.Action)) func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) { | ||
| return func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) { |
There was a problem hiding this comment.
This code is just copied and refactored so that it can be used for both create and update.
| "auth.openshift.io/certificate-issuer", | ||
| "certificates.openshift.io/refresh-period", | ||
| "openshift.io/owning-component", | ||
| ) |
There was a problem hiding this comment.
Added checking for annotation keys. Getting the precise values would require mocking time and what not, which is not currently possible. But it could be done if we changed some public functions.
| RefreshOnlyWhenExpired: false, | ||
| verifyActions: verifyActionsOnUpdated, | ||
| expectedEvents: []*corev1.Event{ | ||
| {Reason: "SignerUpdateRequired", Message: `"signer" in "ns" requires a new signing cert/key pair: missing notBefore`}, |
There was a problem hiding this comment.
This actually ensures the reason as fixed in this PR works now.
There was a problem hiding this comment.
ic, normally i would prefer to create a valid secret and then remove the notBefore annotation but i understand that would require more work.
|
|
||
| verifyActions func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) | ||
| expectedError string | ||
| verifyActions func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) |
There was a problem hiding this comment.
would it make sense to change the signature to []func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) ?
and then the usage would be:
[verifyFn1, verifyFn2]
There was a problem hiding this comment.
I will rather rename it to verifyAction, because there is at most one.
There was a problem hiding this comment.
Not sure I am making it better or worse now, but I updated it to use verifyAction. Not specifying any function means that no action is expected.
tchap
force-pushed
the
certrotation
branch
2 times, most recently
from
919786a to
dff2a0e
Compare
This is actually not affecting the logic, but a wrong error is returned. Improved the unit test to check events and annotation keys.
|
@tchap: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| ) | ||
|
|
||
| func TestEnsureSigningCertKeyPair(t *testing.T) { | ||
| newVerifyActionFunc := func(check func(t *testing.T, action clienttesting.Action)) func(t *testing.T, action clienttesting.Action) { |
There was a problem hiding this comment.
could we change the signature of this method to accept the required object ?
in that case this function would be responsible for validating that object.
| t.Helper() | ||
| if !action.Matches("create", "secrets") { | ||
| t.Fatalf("Expected a Create action, got %s", spew.Sdump(action)) | ||
| } |
There was a problem hiding this comment.
then in this function we would validate the action, extract the object and call newVerifyActionFunc (we could rename the function to newVerifyObjectFunc`)
| t.Helper() | ||
| if !action.Matches("update", "secrets") { | ||
| t.Fatalf("Expected an Update action, got %s", spew.Sdump(action)) | ||
| } |
| test.verifyActions(t, client, updated) | ||
| actions := client.Actions() | ||
| if test.verifyAction == nil { | ||
| if len(actions) > 0 { |
There was a problem hiding this comment.
could we change this code to the previous version where we used the verifyEmptyAction function that was used on the test cases
| } | ||
| } | ||
|
|
||
| if events := pruneEventFieldsForComparison(recorder.Events()); !cmp.Equal(events, test.expectedEvents) { |
There was a problem hiding this comment.
we usually don't verify the events.
is this the only way to verify the new test cases ?
UPDATE: I just saw #2061 (comment)
not ideal but changing it would require more work.
There was a problem hiding this comment.
why have you decided to remove the validation of the updated var?
| if certType, _ := CertificateTypeFromObject(actual); certType != CertificateTypeSigner { | ||
| t.Errorf("expected certificate type 'signer', got: %v", certType) | ||
| } | ||
| if len(actual.Data["tls.crt"]) == 0 || len(actual.Data["tls.key"]) == 0 { |
There was a problem hiding this comment.
I know this is pre-existing (we don't have to change it now) but I would expect the tests to at least check if the cert and the key are valid.
| } | ||
| } | ||
|
|
||
| if events := pruneEventFieldsForComparison(recorder.Events()); !cmp.Equal(events, test.expectedEvents) { |
There was a problem hiding this comment.
why have you decided to remove the validation of the updated var?
| RefreshOnlyWhenExpired: false, | ||
| verifyActions: verifyActionsOnUpdated, | ||
| expectedEvents: []*corev1.Event{ | ||
| {Reason: "SignerUpdateRequired", Message: `"signer" in "ns" requires a new signing cert/key pair: missing notBefore`}, |
There was a problem hiding this comment.
ic, normally i would prefer to create a valid secret and then remove the notBefore annotation but i understand that would require more work.
|
In the end I opened #2062 to refactor tests first. Once merged, I will rebase and fix the issue with event messages. But this will still require checking events, I think. |
|
^^^ /hold |
openshift-ci
bot
added
the
do-not-merge/hold
3 participants
This is actually not affecting the logic, but a wrong error is returned.
Improved the unit test to check events and annotation keys.