
Commit 0443a5f

gkechhors
andauthored
K8SPSMDB-1413 skip setting controller owner on secrets owned by Certificates created by cert-manager (#2135)
* K8SPSMDB-1413 skip setting controller owner on secrets owned by Certificates created by cert-manager * improve unit test with more scenarios * fix imports * handle error from SetControllerReference as AlreadyOwnedError * fix broken CertificateCA(cr) * fix test more * cr: use ptr.to * remove fix, it is already done since the test is passing --------- Co-authored-by: Viacheslav Sarzhan <slava.sarzhan@percona.com>
1 parent ac99eeb commit 0443a5f

1 file changed

+134
-0
lines changed


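--- a/pkg/psmdb/tls/certmanager_test.go
+++ b/pkg/psmdb/tls/certmanager_test.go
@@ -6,13 +6,17 @@ import (
 
 cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+"github.com/stretchr/testify/assert"
+corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/kubernetes/scheme"
+"k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/client/fake" // nolint
 
 api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
+"github.com/percona/percona-server-mongodb-operator/pkg/version"
 )
 
 func TestCreateIssuer(t *testing.T) {
@@ -132,12 +136,142 @@ func TestCreateCertificate(t *testing.T) {
 })
 }
 
+func TestWaitForCerts(t *testing.T) {
+ctx := context.Background()
+
+cr := &api.PerconaServerMongoDB{
+ObjectMeta: metav1.ObjectMeta{
+Name: "test-cluster",
+Namespace: "default",
+UID: "test-uid-123",
+},
+Spec: api.PerconaServerMongoDBSpec{
+CRVersion: version.Version(),
+},
+}
+
+certName := CertificateCA(cr).SecretName()
+
+tests := map[string]struct {
+certificate *cm.Certificate
+secret *corev1.Secret
+}{
+"with cert-manager managed secret": {
+certificate: &cm.Certificate{
+ObjectMeta: metav1.ObjectMeta{
+Name: certName,
+Namespace: cr.Namespace,
+UID: "cert-uid-456",
+},
+Spec: cm.CertificateSpec{
+SecretName: certName,
+},
+},
+secret: &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: certName,
+Namespace: cr.Namespace,
+Annotations: map[string]string{
+cm.CertificateNameKey: certName,
+},
+OwnerReferences: []metav1.OwnerReference{
+{
+APIVersion: cm.SchemeGroupVersion.String(),
+Kind: cm.CertificateKind,
+Name: certName,
+UID: "cert-uid-456",
+Controller: ptr.To(true),
+},
+},
+},
+Data: map[string][]byte{
+"ca.crt": []byte("fake-ca-cert"),
+"tls.crt": []byte("fake-tls-cert"),
+"tls.key": []byte("fake-tls-key"),
+},
+},
+},
+"with cert-manager managed secret but without OwnerReferences": {
+certificate: &cm.Certificate{
+ObjectMeta: metav1.ObjectMeta{
+Name: certName,
+Namespace: cr.Namespace,
+UID: "cert-uid-456",
+},
+Spec: cm.CertificateSpec{
+SecretName: certName,
+},
+},
+secret: &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: certName,
+Namespace: cr.Namespace,
+Annotations: map[string]string{
+cm.CertificateNameKey: certName,
+},
+},
+Data: map[string][]byte{
+"ca.crt": []byte("fake-ca-cert"),
+"tls.crt": []byte("fake-tls-cert"),
+"tls.key": []byte("fake-tls-key"),
+},
+},
+},
+"without cert-manager": {
+certificate: nil,
+secret: &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: certName,
+Namespace: cr.Namespace,
+},
+Data: map[string][]byte{
+"ca.crt": []byte("fake-ca-cert"),
+"tls.crt": []byte("fake-tls-cert"),
+"tls.key": []byte("fake-tls-key"),
+},
+},
+},
+}
+
+for name, tc := range tests {
+t.Run(name, func(t *testing.T) {
+s := scheme.Scheme
+s.AddKnownTypes(api.SchemeGroupVersion, new(api.PerconaServerMongoDB))
+s.AddKnownTypes(cm.SchemeGroupVersion, new(cm.Certificate))
+s.AddKnownTypes(corev1.SchemeGroupVersion, new(corev1.Secret))
+
+objects := []client.Object{cr, tc.secret}
+if tc.certificate != nil {
+objects = append(objects, tc.certificate)
+}
+
+cl := fake.NewClientBuilder().
+WithScheme(s).
+WithObjects(objects...).
+WithStatusSubresource(cr).
+Build()
+
+controller := &certManagerController{
+cl: cl,
+scheme: s,
+dryRun: false,
+}
+
+err := controller.WaitForCerts(ctx, cr, CertificateCA(cr))
+assert.NoError(t, err)
+})
+}
+}
+
 // creates a fake client to mock API calls with the mock objects
 func buildFakeClient(objs ...client.Object) CertManagerController {
 s := scheme.Scheme
 
 s.AddKnownTypes(api.SchemeGroupVersion,
 new(api.PerconaServerMongoDB),
+)
+
+s.AddKnownTypes(cm.SchemeGroupVersion,
 new(cm.Issuer),
 new(cm.Certificate),
 )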