Skip to content

test:Add unit tests for certificate and webhook CA bundle handling #634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
adity1raut wants to merge 5 commits into
base: main
Choose a base branch
from
+640 −0
Open

test:Add unit tests for certificate and webhook CA bundle handling #634

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
406eec6
test:add unit tests for certificate management functions in secret_te…
adity1raut Jan 8, 2026
a720e9b
test:add unit tests for certificate management functions in secret_te…
adity1raut Jan 8, 2026
4a5cb00
test: enhance unit tests for certificate management in secret_test.go
adity1raut Jan 12, 2026
2899d12
test: enhance unit tests for certificate management in secret_test.go
adity1raut Jan 12, 2026
2c5647d
test: enhance unit tests for certificate management in secret_test.go
adity1raut Jan 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 169 additions & 0 deletions pkg/webhook/cert/secret_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,169 @@
/*
Copyright The Volcano Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package cert

import (
"context"
"testing"

admissionv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes/fake"
)

func TestEnsureCertificate_CreateSecret(t *testing.T) {
client := fake.NewSimpleClientset()
ctx := context.Background()

ca, err := EnsureCertificate(
ctx,
client,
"default",
"test-secret",
[]string{"webhook.default.svc"},
)

if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(ca) == 0 {
t.Fatalf("expected CA bundle, got empty")
}
}

func TestEnsureCertificate_ReuseExistingSecret(t *testing.T) {
client := fake.NewSimpleClientset()
ctx := context.Background()

secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "existing-secret",
Namespace: "default",
},
Data: map[string][]byte{
CAKey: []byte("test-ca"),
},
}

_, _ = client.CoreV1().Secrets("default").Create(ctx, secret, metav1.CreateOptions{})

ca, err := EnsureCertificate(
ctx,
client,
"default",
"existing-secret",
[]string{"webhook.default.svc"},
)

if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if string(ca) != "test-ca" {
t.Fatalf("expected existing CA bundle")
}
}

func TestUpdateValidatingWebhookCABundle(t *testing.T) {
client := fake.NewSimpleClientset()
ctx := context.Background()

vwc := &admissionv1.ValidatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: "test-validating",
},
Webhooks: []admissionv1.ValidatingWebhook{
{
Name: "vhook.test",
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: nil,
},
},
},
}

_, _ = client.AdmissionregistrationV1().
ValidatingWebhookConfigurations().
Create(ctx, vwc, metav1.CreateOptions{})

err := UpdateValidatingWebhookCABundle(ctx, client, "test-validating", []byte("ca"))
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
Copy link

Copilot AI Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test doesn't verify that the CA bundle was actually set on the webhook configuration after the update. Consider adding an assertion to get the updated webhook configuration and verify that the CABundle field is correctly set to the expected value.

Copilot uses AI. Check for mistakes.
}

func TestUpdateMutatingWebhookCABundle(t *testing.T) {
client := fake.NewSimpleClientset()
ctx := context.Background()

mwc := &admissionv1.MutatingWebhookConfiguration{
ObjectMeta: metav1.ObjectMeta{
Name: "test-mutating",
Copy link

Copilot AI Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Error from webhook configuration creation is being ignored. While this may succeed in the test, it's better to check the error to ensure the test setup is correct and to catch any unexpected issues during test execution.

Copilot uses AI. Check for mistakes.
},
Webhooks: []admissionv1.MutatingWebhook{
{
Name: "mhook.test",
ClientConfig: admissionv1.WebhookClientConfig{
CABundle: nil,
},
},
},
}

_, _ = client.AdmissionregistrationV1().
MutatingWebhookConfigurations().
Create(ctx, mwc, metav1.CreateOptions{})

err := UpdateMutatingWebhookCABundle(ctx, client, "test-mutating", []byte("ca"))
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}

func TestLoadCertBundleFromSecret(t *testing.T) {
client := fake.NewSimpleClientset()
ctx := context.Background()

secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "bundle-secret",
Namespace: "default",
},
Data: map[string][]byte{
TLSCertKey: []byte("cert"),
TLSKeyKey: []byte("key"),
CAKey: []byte("ca"),
},
}

_, _ = client.CoreV1().Secrets("default").Create(ctx, secret, metav1.CreateOptions{})

bundle, err := LoadCertBundleFromSecret(ctx, client, "default", "bundle-secret")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}

if string(bundle.CertPEM) != "cert" {
t.Fatalf("cert mismatch")
}
if string(bundle.KeyPEM) != "key" {
t.Fatalf("key mismatch")
}
if string(bundle.CAPEM) != "ca" {
t.Fatalf("ca mismatch")
}
}