e2e: add TestOnlyCAExist in tls_util_test.go

Author: fanminshi

pkg/tlsutil/tls.go

@@ -170,7 +170,7 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 	} else if hasAppSecret && !hasCASecretAndConfigMap {
 		return nil, nil, nil, ErrCANotFound
 	} else if !hasAppSecret && hasCASecretAndConfigMap {
-		caKey, err := parsePEMEncodedPrivateKey(caSecret.Data[TLSCACertKey])
+		caKey, err := parsePEMEncodedPrivateKey(caSecret.Data[TLSPrivateCAKeyKey])
 		if err != nil {
 			return nil, nil, nil, err
 		}
@@ -192,7 +192,7 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 		}
 		return appSecret, caConfigMap, caSecret, nil
 	} else {
-		// TODO
+
 	}
 	return nil, nil, nil, nil
 }

test/e2e/tls_util_test.go

@@ -15,6 +15,7 @@
 package e2e
 
 import (
+	"io/ioutil"
 	"reflect"
 	"testing"
 
@@ -27,32 +28,53 @@ import (
 
 var (
 	// TLS test variables.
-	crKind   = "Pod"
-	crName   = "example-pod"
-	certName = "app-cert"
-
+	crKind                   = "Pod"
+	crName                   = "example-pod"
+	certName                 = "app-cert"
 	caConfigMapAndSecretName = tlsutil.ToCASecretAndConfigMapName(crKind, crName)
-	caConfigMap              = &v1.ConfigMap{
+	appSecretName            = tlsutil.ToAppSecretName(crKind, crName, certName)
+
+	caConfigMap *v1.ConfigMap
+	caSecret    *v1.Secret
+	appSecret   *v1.Secret
+
+	ccfg *tlsutil.CertConfig
+)
+
+// setup test variables.
+func init() {
+	caCertBytes, err := ioutil.ReadFile("./testdata/ca.crt")
+	if err != nil {
+		panic(err)
+	}
+	caConfigMap = &v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: caConfigMapAndSecretName,
 		},
+		Data: map[string]string{tlsutil.TLSCACertKey: string(caCertBytes)},
+	}
+
+	caKeyBytes, err := ioutil.ReadFile("./testdata/ca.key")
+	if err != nil {
+		panic(err)
 	}
 	caSecret = &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: caConfigMapAndSecretName,
 		},
+		Data: map[string][]byte{tlsutil.TLSPrivateCAKeyKey: caKeyBytes},
 	}
 
 	appSecret = &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: tlsutil.ToAppSecretName(crKind, crName, certName),
+			Name: appSecretName,
 		},
 	}
 
 	ccfg = &tlsutil.CertConfig{
 		CertName: certName,
 	}
-)
+}
 
 // TestBothAppAndCATLSAssetsExist ensures that when both application
 // and CA TLS assets exist in the k8s cluster for a given cr,
@@ -142,3 +164,73 @@ func TestOnlyAppSecretExist(t *testing.T) {
 		t.Fatalf("expect %v, but got %v", tlsutil.ErrCANotFound.Error(), err.Error())
 	}
 }
+
+// TestOnlyCAExist ensures that at the case where only the CA exists in the cluster;
+// GenerateCert can retrieve the CA and uses it to create a new application secret.
+func TestOnlyCAExist(t *testing.T) {
+	f := framework.Global
+	ctx := f.NewTestCtx(t)
+	defer ctx.Cleanup(t)
+	namespace, err := ctx.GetNamespace()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = f.KubeClient.CoreV1().ConfigMaps(namespace).Create(caConfigMap)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = f.KubeClient.CoreV1().Secrets(namespace).Create(caSecret)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cg := tlsutil.NewSDKCertGenerator(f.KubeClient)
+	// Use Pod as a dummy runtime object for the CR input of GenerateCert().
+	mCR := &v1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			Kind: crKind,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      crName,
+			Namespace: namespace,
+		},
+	}
+	appSvc := &v1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "app-service",
+			Namespace: namespace,
+		},
+	}
+	appSecret, _, _, err := cg.GenerateCert(mCR, appSvc, ccfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// check if appSecret has the correct fields.
+	if appSecretName != appSecret.Name {
+		t.Fatalf("expect the secret name %v, but got %v", appSecretName, appSecret.Name)
+	}
+	if namespace != appSecret.Namespace {
+		t.Fatalf("expect the secret namespace %v, but got %v", namespace, appSecret.Namespace)
+	}
+	if v1.SecretTypeTLS != appSecret.Type {
+		t.Fatalf("expect the secret type %v, but got %v", v1.SecretTypeTLS, appSecret.Type)
+	}
+	if _, ok := appSecret.Data[v1.TLSCertKey]; !ok {
+		t.Fatalf("expect the secret to have the data field %v, but got none", v1.TLSCertKey)
+	}
+	if _, ok := appSecret.Data[v1.TLSPrivateKeyKey]; !ok {
+		t.Fatalf("expect the secret to have the data field %v, but got none", v1.TLSPrivateKeyKey)
+	}
+
+	// check if appSecret exists in k8s cluster.
+	appSecretFromCluster, err := f.KubeClient.CoreV1().Secrets(namespace).Get(appSecretName, metav1.GetOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	// check if appSecret returned from GenerateCert is the same as the one that exists in the k8s.
+	if !reflect.DeepEqual(appSecret, appSecretFromCluster) {
+		t.Fatalf("expect %+v, but got %+v", appSecret, appSecretFromCluster)
+	}
+}