add k8s-cacert to hybrid overlay cmd

jrvaldes · openshift-cherrypick-robot · commit 5af9ef3e2644 · 2025-08-21T13:51:02.000Z
The hybrid-overlay service now includes the --k8s-cacert flag pointing to the
trusted CA bundle path to ensure proper certificate validation.

Additionally, comprehensive unit tests have been added for the
hybridOverlayConfiguration function covering all parameter combinations,
edge cases, command structure validation, and service property consistency.

Fixes OCPBUGS-59637
diff --git a/pkg/services/services.go b/pkg/services/services.go
@@ -108,6 +108,10 @@ func hybridOverlayConfiguration(vxlanPort string, debug bool) servicescm.Service
 	hybridOverlayServiceCmd := fmt.Sprintf("%s --node NODE_NAME --bootstrap-kubeconfig=%s --cert-dir=%s --cert-duration=24h "+
 		"--windows-service --logfile "+"%s\\hybrid-overlay.log", windows.HybridOverlayPath, windows.KubeconfigPath, windows.CniConfDir,
 		windows.HybridOverlayLogDir)
+
+	// append cacert option pointing to the trusted CA bundle path
+	hybridOverlayServiceCmd = fmt.Sprintf("%s --k8s-cacert %s", hybridOverlayServiceCmd, windows.TrustedCABundlePath)
+
 	if len(vxlanPort) > 0 {
 		hybridOverlayServiceCmd = fmt.Sprintf("%s --hybrid-overlay-vxlan-port %s", hybridOverlayServiceCmd, vxlanPort)
 	}
diff --git a/pkg/services/services_test.go b/pkg/services/services_test.go
@@ -5,6 +5,9 @@ import (
 
 	config "github.com/openshift/api/config/v1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/openshift/windows-machine-config-operator/pkg/windows"
 )
 
 func TestGetHostnameCmd(t *testing.T) {
@@ -41,3 +44,109 @@ func TestGetHostnameCmd(t *testing.T) {
 		})
 	}
 }
+
+func TestHybridOverlayConfiguration(t *testing.T) {
+	tests := []struct {
+		name                   string
+		vxlanPort              string
+		debug                  bool
+		expectedCmdContains    []string
+		expectedCmdNotContains []string
+	}{
+		{
+			name:      "Basic configuration with no optional flags",
+			vxlanPort: "",
+			debug:     false,
+			expectedCmdContains: []string{
+				windows.HybridOverlayPath,
+				"--node NODE_NAME",
+				"--bootstrap-kubeconfig=" + windows.KubeconfigPath,
+				"--cert-dir=" + windows.CniConfDir,
+				"--cert-duration=24h",
+				"--windows-service",
+				"--logfile",
+				windows.HybridOverlayLogDir + "\\hybrid-overlay.log",
+				"--k8s-cacert " + windows.TrustedCABundlePath,
+			},
+			expectedCmdNotContains: []string{
+				"--hybrid-overlay-vxlan-port",
+				"--loglevel 5",
+			},
+		},
+		{
+			name:      "Configuration with debug logging enabled",
+			vxlanPort: "",
+			debug:     true,
+			expectedCmdContains: []string{
+				windows.HybridOverlayPath,
+				"--node NODE_NAME",
+				"--bootstrap-kubeconfig=" + windows.KubeconfigPath,
+				"--cert-dir=" + windows.CniConfDir,
+				"--cert-duration=24h",
+				"--windows-service",
+				"--logfile",
+				windows.HybridOverlayLogDir + "\\hybrid-overlay.log",
+				"--k8s-cacert " + windows.TrustedCABundlePath,
+				"--loglevel 5",
+			},
+			expectedCmdNotContains: []string{
+				"--hybrid-overlay-vxlan-port",
+			},
+		},
+		{
+			name:      "Configuration with all optional flags enabled",
+			vxlanPort: "4789",
+			debug:     true,
+			expectedCmdContains: []string{
+				windows.HybridOverlayPath,
+				"--node NODE_NAME",
+				"--bootstrap-kubeconfig=" + windows.KubeconfigPath,
+				"--cert-dir=" + windows.CniConfDir,
+				"--cert-duration=24h",
+				"--windows-service",
+				"--logfile",
+				windows.HybridOverlayLogDir + "\\hybrid-overlay.log",
+				"--k8s-cacert " + windows.TrustedCABundlePath,
+				"--hybrid-overlay-vxlan-port 4789",
+				"--loglevel 5",
+			},
+			expectedCmdNotContains: []string{},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result := hybridOverlayConfiguration(test.vxlanPort, test.debug)
+
+			assert.Equal(t, windows.HybridOverlayServiceName, result.Name,
+				"Service name should match expected value")
+			assert.False(t, result.Bootstrap,
+				"Service should not be a bootstrap service")
+			assert.Equal(t, uint(2), result.Priority,
+				"Service priority should be 2")
+			assert.Equal(t, []string{windows.KubeletServiceName}, result.Dependencies,
+				"Service should depend on kubelet service")
+			assert.Nil(t, result.PowershellPreScripts,
+				"Service should not have PowerShell pre-scripts")
+
+			require.Len(t, result.NodeVariablesInCommand, 1,
+				"Service should have exactly one node variable")
+			assert.Equal(t, "NODE_NAME", result.NodeVariablesInCommand[0].Name,
+				"Node variable name should be NODE_NAME")
+			assert.Equal(t, "{.metadata.name}", result.NodeVariablesInCommand[0].NodeObjectJsonPath,
+				"Node variable JSON path should match expected format")
+
+			for _, expectedStr := range test.expectedCmdContains {
+				assert.Contains(t, result.Command, expectedStr,
+					"Command should contain: %s\nActual command: %s",
+					expectedStr, result.Command)
+			}
+
+			for _, unexpectedStr := range test.expectedCmdNotContains {
+				assert.NotContains(t, result.Command, unexpectedStr,
+					"Command should not contain: %s\nActual command: %s",
+					unexpectedStr, result.Command)
+			}
+		})
+	}
+}
