Skip to content

Commit f877383

Browse files
author
Jeff Bornemann
committed
More test cases capturing results around load balancer spec
1 parent f648ea3 commit f877383

File tree

1 file changed

+325
-1
lines changed

1 file changed

+325
-1
lines changed

pkg/cloudprovider/providers/oci/load_balancer_spec_test.go

Lines changed: 325 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,9 @@
1515
package oci
1616

1717
import (
18+
"fmt"
19+
"github.com/pkg/errors"
20+
"k8s.io/apimachinery/pkg/util/sets"
1821
"reflect"
1922
"testing"
2023

@@ -24,13 +27,40 @@ import (
2427
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2528
)
2629

30+
var (
31+
backendSecret = "backendsecret"
32+
listenerSecret = "listenersecret"
33+
)
34+
35+
type mockSSLSecretReader struct {
36+
returnError bool
37+
38+
returnMap map[struct {
39+
namespaceArg string
40+
nameArg string
41+
}]*certificateData
42+
}
43+
44+
func (ssr mockSSLSecretReader) readSSLSecret(ns, name string) (sslSecret *certificateData, err error) {
45+
if ssr.returnError {
46+
return nil, errors.New("Oops, something went wrong")
47+
}
48+
for key, returnValue := range ssr.returnMap {
49+
if key.namespaceArg == ns && key.nameArg == name {
50+
return returnValue, nil
51+
}
52+
}
53+
return nil, nil
54+
}
55+
2756
func TestNewLBSpecSuccess(t *testing.T) {
2857
testCases := map[string]struct {
2958
defaultSubnetOne string
3059
defaultSubnetTwo string
3160
nodes []*v1.Node
3261
service *v1.Service
3362
expected *LBSpec
63+
sslConfig *SSLConfig
3464
}{
3565
"defaults": {
3666
defaultSubnetOne: "one",
@@ -481,6 +511,79 @@ func TestNewLBSpecSuccess(t *testing.T) {
481511
securityListManager: newSecurityListManagerNOOP(),
482512
},
483513
},
514+
"LBSpec returned with proper SSLConfiguration": {
515+
defaultSubnetOne: "one",
516+
defaultSubnetTwo: "two",
517+
service: &v1.Service{
518+
ObjectMeta: metav1.ObjectMeta{
519+
Namespace: "kube-system",
520+
Name: "testservice",
521+
UID: "test-uid",
522+
Annotations: map[string]string{},
523+
},
524+
Spec: v1.ServiceSpec{
525+
SessionAffinity: v1.ServiceAffinityNone,
526+
Ports: []v1.ServicePort{
527+
{
528+
Protocol: v1.ProtocolTCP,
529+
Port: int32(443),
530+
},
531+
},
532+
},
533+
},
534+
expected: &LBSpec{
535+
Name: "test-uid",
536+
Shape: "100Mbps",
537+
Internal: false,
538+
Subnets: []string{"one", "two"},
539+
Listeners: map[string]loadbalancer.ListenerDetails{
540+
fmt.Sprintf("TCP-443-%s", listenerSecret): {
541+
DefaultBackendSetName: common.String("TCP-443"),
542+
Port: common.Int(443),
543+
Protocol: common.String("TCP"),
544+
SslConfiguration: &loadbalancer.SslConfigurationDetails{
545+
CertificateName: &listenerSecret,
546+
VerifyDepth: common.Int(0),
547+
VerifyPeerCertificate: common.Bool(false),
548+
},
549+
},
550+
},
551+
BackendSets: map[string]loadbalancer.BackendSetDetails{
552+
"TCP-443": {
553+
Backends: []loadbalancer.BackendDetails{},
554+
HealthChecker: &loadbalancer.HealthCheckerDetails{
555+
Protocol: common.String("TCP"),
556+
Port: common.Int(10256),
557+
UrlPath: common.String("/healthz"),
558+
},
559+
Policy: common.String("ROUND_ROBIN"),
560+
SslConfiguration: &loadbalancer.SslConfigurationDetails{
561+
CertificateName: &backendSecret,
562+
VerifyDepth: common.Int(0),
563+
VerifyPeerCertificate: common.Bool(false),
564+
},
565+
},
566+
},
567+
SourceCIDRs: []string{"0.0.0.0/0"},
568+
Ports: map[string]portSpec{
569+
"TCP-443": {
570+
ListenerPort: 443,
571+
HealthCheckerPort: 10256,
572+
},
573+
},
574+
securityListManager: newSecurityListManagerNOOP(),
575+
SSLConfig: &SSLConfig{
576+
Ports: sets.NewInt(443),
577+
ListenerSSLSecretName: listenerSecret,
578+
BackendSetSSLSecretName: backendSecret,
579+
},
580+
},
581+
sslConfig: &SSLConfig{
582+
Ports: sets.NewInt(443),
583+
ListenerSSLSecretName: listenerSecret,
584+
BackendSetSSLSecretName: backendSecret,
585+
},
586+
},
484587
}
485588

486589
for name, tc := range testCases {
@@ -491,7 +594,7 @@ func TestNewLBSpecSuccess(t *testing.T) {
491594
slManagerFactory := func(mode string) securityListManager {
492595
return newSecurityListManagerNOOP()
493596
}
494-
result, err := NewLBSpec(tc.service, tc.nodes, subnets, nil, slManagerFactory)
597+
result, err := NewLBSpec(tc.service, tc.nodes, subnets, tc.sslConfig, slManagerFactory)
495598
if err != nil {
496599
t.Error(err)
497600
}
@@ -684,3 +787,224 @@ func TestNewLBSpecFailure(t *testing.T) {
684787
})
685788
}
686789
}
790+
791+
func TestNewSSLConfig(t *testing.T) {
792+
testCases := map[string]struct {
793+
listenerSecretName string
794+
backendSetSecretName string
795+
ports []int
796+
ssr sslSecretReader
797+
798+
expectedResult *SSLConfig
799+
}{
800+
"noopSSLSecretReader if ssr is nil": {
801+
listenerSecretName: "listenerSecretName",
802+
backendSetSecretName: "backendSetSecretName",
803+
ports: []int{8080},
804+
ssr: nil,
805+
806+
expectedResult: &SSLConfig{
807+
Ports: sets.NewInt(8080),
808+
ListenerSSLSecretName: "listenerSecretName",
809+
BackendSetSSLSecretName: "backendSetSecretName",
810+
sslSecretReader: noopSSLSecretReader{},
811+
},
812+
},
813+
"ssr is assigned if provided": {
814+
listenerSecretName: "listenerSecretName",
815+
backendSetSecretName: "backendSetSecretName",
816+
ports: []int{8080},
817+
ssr: &mockSSLSecretReader{},
818+
819+
expectedResult: &SSLConfig{
820+
Ports: sets.NewInt(8080),
821+
ListenerSSLSecretName: "listenerSecretName",
822+
BackendSetSSLSecretName: "backendSetSecretName",
823+
sslSecretReader: &mockSSLSecretReader{},
824+
},
825+
},
826+
}
827+
828+
for name, tc := range testCases {
829+
t.Run(name, func(t *testing.T) {
830+
result := NewSSLConfig(tc.listenerSecretName, tc.backendSetSecretName, tc.ports, tc.ssr)
831+
if !reflect.DeepEqual(result, tc.expectedResult) {
832+
t.Errorf("Expected SSlConfig \n%+v\nbut got\n%+v", tc.expectedResult, result)
833+
}
834+
})
835+
}
836+
}
837+
838+
func TestCertificates(t *testing.T) {
839+
840+
backendSecretCaCert := "cacert1"
841+
backendSecretPublicCert := "publiccert1"
842+
backendSecretPrivateKey := "privatekey1"
843+
backendSecretPassphrase := "passphrase1"
844+
845+
listenerSecretCaCert := "cacert2"
846+
listenerSecretPublicCert := "publiccert2"
847+
listenerSecretPrivateKey := "privatekey2"
848+
listenerSecretPassphrase := "passphrase2"
849+
850+
testCases := map[string]struct {
851+
lbSpec *LBSpec
852+
expectedResult map[string]loadbalancer.CertificateDetails
853+
expectError bool
854+
}{
855+
"No SSLConfig results in empty certificate details array": {
856+
expectError: false,
857+
lbSpec: &LBSpec{},
858+
expectedResult: make(map[string]loadbalancer.CertificateDetails),
859+
},
860+
"Return backend SSL secret": {
861+
expectError: false,
862+
lbSpec: &LBSpec{
863+
service: &v1.Service{
864+
ObjectMeta: metav1.ObjectMeta{
865+
Namespace: "testnamespace",
866+
},
867+
},
868+
SSLConfig: &SSLConfig{
869+
BackendSetSSLSecretName: backendSecret,
870+
sslSecretReader: &mockSSLSecretReader{
871+
returnError: false,
872+
returnMap: map[struct {
873+
namespaceArg string
874+
nameArg string
875+
}]*certificateData{
876+
{namespaceArg: "testnamespace", nameArg: backendSecret}: {
877+
Name: "certificatename",
878+
CACert: []byte(backendSecretCaCert),
879+
PublicCert: []byte(backendSecretPublicCert),
880+
PrivateKey: []byte(backendSecretPrivateKey),
881+
Passphrase: []byte(backendSecretPassphrase),
882+
},
883+
},
884+
},
885+
},
886+
},
887+
expectedResult: map[string]loadbalancer.CertificateDetails{
888+
backendSecret: {
889+
CertificateName: &backendSecret,
890+
CaCertificate: &backendSecretCaCert,
891+
Passphrase: &backendSecretPassphrase,
892+
PrivateKey: &backendSecretPrivateKey,
893+
PublicCertificate: &backendSecretPublicCert,
894+
},
895+
},
896+
},
897+
"Return both backend and listener SSL secret": {
898+
expectError: false,
899+
lbSpec: &LBSpec{
900+
service: &v1.Service{
901+
ObjectMeta: metav1.ObjectMeta{
902+
Namespace: "testnamespace",
903+
},
904+
},
905+
SSLConfig: &SSLConfig{
906+
BackendSetSSLSecretName: backendSecret,
907+
ListenerSSLSecretName: listenerSecret,
908+
sslSecretReader: &mockSSLSecretReader{
909+
returnError: false,
910+
returnMap: map[struct {
911+
namespaceArg string
912+
nameArg string
913+
}]*certificateData{
914+
{namespaceArg: "testnamespace", nameArg: backendSecret}: {
915+
Name: "backendcertificatename",
916+
CACert: []byte(backendSecretCaCert),
917+
PublicCert: []byte(backendSecretPublicCert),
918+
PrivateKey: []byte(backendSecretPrivateKey),
919+
Passphrase: []byte(backendSecretPassphrase),
920+
},
921+
{namespaceArg: "testnamespace", nameArg: listenerSecret}: {
922+
Name: "listenercertificatename",
923+
CACert: []byte(listenerSecretCaCert),
924+
PublicCert: []byte(listenerSecretPublicCert),
925+
PrivateKey: []byte(listenerSecretPrivateKey),
926+
Passphrase: []byte(listenerSecretPassphrase),
927+
},
928+
},
929+
},
930+
},
931+
},
932+
expectedResult: map[string]loadbalancer.CertificateDetails{
933+
backendSecret: {
934+
CertificateName: &backendSecret,
935+
CaCertificate: &backendSecretCaCert,
936+
Passphrase: &backendSecretPassphrase,
937+
PrivateKey: &backendSecretPrivateKey,
938+
PublicCertificate: &backendSecretPublicCert,
939+
},
940+
listenerSecret: {
941+
CertificateName: &listenerSecret,
942+
CaCertificate: &listenerSecretCaCert,
943+
Passphrase: &listenerSecretPassphrase,
944+
PrivateKey: &listenerSecretPrivateKey,
945+
PublicCertificate: &listenerSecretPublicCert,
946+
},
947+
},
948+
},
949+
"Error returned from SSL secret reader is handled gracefully": {
950+
expectError: true,
951+
lbSpec: &LBSpec{
952+
service: &v1.Service{
953+
ObjectMeta: metav1.ObjectMeta{
954+
Namespace: "testnamespace",
955+
},
956+
},
957+
SSLConfig: &SSLConfig{
958+
BackendSetSSLSecretName: backendSecret,
959+
sslSecretReader: &mockSSLSecretReader{
960+
returnError: true,
961+
},
962+
},
963+
},
964+
expectedResult: nil,
965+
},
966+
}
967+
968+
for name, tc := range testCases {
969+
t.Run(name, func(t *testing.T) {
970+
certDetails, err := tc.lbSpec.Certificates()
971+
if err != nil && !tc.expectError {
972+
t.Errorf("Was not expected an error to be returned, but got one:\n%+v", err)
973+
}
974+
if !reflect.DeepEqual(certDetails, tc.expectedResult) {
975+
t.Errorf("Expected certificate details \n%+v\nbut got\n%+v", tc.expectedResult, certDetails)
976+
}
977+
})
978+
}
979+
}
980+
981+
func TestRequiresCertificate(t *testing.T) {
982+
testCases := map[string]struct {
983+
expected bool
984+
annotations map[string]string
985+
}{
986+
"Contains the Load Balancer SSL Ports Annotation": {
987+
expected: true,
988+
annotations: map[string]string{
989+
ServiceAnnotationLoadBalancerSSLPorts: "443",
990+
},
991+
},
992+
"Does not container the Load Balancer SSL Ports Annotation": {
993+
expected: false,
994+
annotations: make(map[string]string, 0),
995+
},
996+
}
997+
998+
for name, tc := range testCases {
999+
t.Run(name, func(t *testing.T) {
1000+
result := requiresCertificate(&v1.Service{
1001+
ObjectMeta: metav1.ObjectMeta{
1002+
Annotations: tc.annotations,
1003+
},
1004+
})
1005+
if result != tc.expected {
1006+
t.Error("Did not get the correct result")
1007+
}
1008+
})
1009+
}
1010+
}

0 commit comments

Comments
 (0)