Merge pull request kubernetes#94535 from liggitt/kubeadm-unit-fix

Speed up slow Kubeadm unit tests, avoid mutating global variables

Author: k8s-ci-robot

cmd/kubeadm/app/cmd/alpha/certs_test.go

@@ -98,9 +98,9 @@ func TestRunRenewCommands(t *testing.T) {
 	CACerts := map[string]*x509.Certificate{}
 	CAKeys := map[string]crypto.Signer{}
 	for _, ca := range []*certsphase.KubeadmCert{
-		&certsphase.KubeadmCertRootCA,
-		&certsphase.KubeadmCertFrontProxyCA,
-		&certsphase.KubeadmCertEtcdCA,
+		certsphase.KubeadmCertRootCA(),
+		certsphase.KubeadmCertFrontProxyCA(),
+		certsphase.KubeadmCertEtcdCA(),
 	} {
 		caCert, caKey, err := ca.CreateAsCA(cfg)
 		if err != nil {
@@ -112,13 +112,13 @@ func TestRunRenewCommands(t *testing.T) {
 
 	// Generate all the signed certificates
 	for _, cert := range []*certsphase.KubeadmCert{
-		&certsphase.KubeadmCertAPIServer,
-		&certsphase.KubeadmCertKubeletClient,
-		&certsphase.KubeadmCertFrontProxyClient,
-		&certsphase.KubeadmCertEtcdAPIClient,
-		&certsphase.KubeadmCertEtcdServer,
-		&certsphase.KubeadmCertEtcdPeer,
-		&certsphase.KubeadmCertEtcdHealthcheck,
+		certsphase.KubeadmCertAPIServer(),
+		certsphase.KubeadmCertKubeletClient(),
+		certsphase.KubeadmCertFrontProxyClient(),
+		certsphase.KubeadmCertEtcdAPIClient(),
+		certsphase.KubeadmCertEtcdServer(),
+		certsphase.KubeadmCertEtcdPeer(),
+		certsphase.KubeadmCertEtcdHealthcheck(),
 	} {
 		caCert := CACerts[cert.CAName]
 		caKey := CAKeys[cert.CAName]
@@ -146,13 +146,13 @@ func TestRunRenewCommands(t *testing.T) {
 		{
 			command: "all",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertAPIServer,
-				&certsphase.KubeadmCertKubeletClient,
-				&certsphase.KubeadmCertFrontProxyClient,
-				&certsphase.KubeadmCertEtcdAPIClient,
-				&certsphase.KubeadmCertEtcdServer,
-				&certsphase.KubeadmCertEtcdPeer,
-				&certsphase.KubeadmCertEtcdHealthcheck,
+				certsphase.KubeadmCertAPIServer(),
+				certsphase.KubeadmCertKubeletClient(),
+				certsphase.KubeadmCertFrontProxyClient(),
+				certsphase.KubeadmCertEtcdAPIClient(),
+				certsphase.KubeadmCertEtcdServer(),
+				certsphase.KubeadmCertEtcdPeer(),
+				certsphase.KubeadmCertEtcdHealthcheck(),
 			},
 			KubeconfigFiles: []string{
 				kubeadmconstants.AdminKubeConfigFileName,
@@ -163,43 +163,43 @@ func TestRunRenewCommands(t *testing.T) {
 		{
 			command: "apiserver",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertAPIServer,
+				certsphase.KubeadmCertAPIServer(),
 			},
 		},
 		{
 			command: "apiserver-kubelet-client",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertKubeletClient,
+				certsphase.KubeadmCertKubeletClient(),
 			},
 		},
 		{
 			command: "apiserver-etcd-client",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertEtcdAPIClient,
+				certsphase.KubeadmCertEtcdAPIClient(),
 			},
 		},
 		{
 			command: "front-proxy-client",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertFrontProxyClient,
+				certsphase.KubeadmCertFrontProxyClient(),
 			},
 		},
 		{
 			command: "etcd-server",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertEtcdServer,
+				certsphase.KubeadmCertEtcdServer(),
 			},
 		},
 		{
 			command: "etcd-peer",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertEtcdPeer,
+				certsphase.KubeadmCertEtcdPeer(),
 			},
 		},
 		{
 			command: "etcd-healthcheck-client",
 			Certs: []*certsphase.KubeadmCert{
-				&certsphase.KubeadmCertEtcdHealthcheck,
+				certsphase.KubeadmCertEtcdHealthcheck(),
 			},
 		},
 		{
@@ -271,14 +271,14 @@ func TestRunRenewCommands(t *testing.T) {
 func TestRenewUsingCSR(t *testing.T) {
 	tmpDir := testutil.SetupTempDir(t)
 	defer os.RemoveAll(tmpDir)
-	cert := &certsphase.KubeadmCertEtcdServer
+	cert := certsphase.KubeadmCertEtcdServer()
 
 	cfg := testutil.GetDefaultInternalConfig(t)
 	cfg.CertificatesDir = tmpDir
 
-	caCert, caKey, err := certsphase.KubeadmCertEtcdCA.CreateAsCA(cfg)
+	caCert, caKey, err := certsphase.KubeadmCertEtcdCA().CreateAsCA(cfg)
 	if err != nil {
-		t.Fatalf("couldn't write out CA %s: %v", certsphase.KubeadmCertEtcdCA.Name, err)
+		t.Fatalf("couldn't write out CA %s: %v", certsphase.KubeadmCertEtcdCA().Name, err)
 	}
 
 	if err := cert.CreateFromCA(cfg, caCert, caKey); err != nil {

cmd/kubeadm/app/cmd/phases/init/certs_test.go

@@ -44,7 +44,7 @@ func TestCertsWithCSRs(t *testing.T) {
 	defer os.RemoveAll(csrDir)
 	certDir := testutil.SetupTempDir(t)
 	defer os.RemoveAll(certDir)
-	cert := &certs.KubeadmCertAPIServer
+	cert := certs.KubeadmCertAPIServer()
 
 	certsData := &testCertsData{
 		cfg: testutil.GetDefaultInternalConfig(t),

cmd/kubeadm/app/phases/certs/certlist.go

@@ -212,36 +212,36 @@ func (c Certificates) AsMap() CertificateMap {
 // GetDefaultCertList returns  all of the certificates kubeadm requires to function.
 func GetDefaultCertList() Certificates {
 	return Certificates{
-		&KubeadmCertRootCA,
-		&KubeadmCertAPIServer,
-		&KubeadmCertKubeletClient,
+		KubeadmCertRootCA(),
+		KubeadmCertAPIServer(),
+		KubeadmCertKubeletClient(),
 		// Front Proxy certs
-		&KubeadmCertFrontProxyCA,
-		&KubeadmCertFrontProxyClient,
+		KubeadmCertFrontProxyCA(),
+		KubeadmCertFrontProxyClient(),
 		// etcd certs
-		&KubeadmCertEtcdCA,
-		&KubeadmCertEtcdServer,
-		&KubeadmCertEtcdPeer,
-		&KubeadmCertEtcdHealthcheck,
-		&KubeadmCertEtcdAPIClient,
+		KubeadmCertEtcdCA(),
+		KubeadmCertEtcdServer(),
+		KubeadmCertEtcdPeer(),
+		KubeadmCertEtcdHealthcheck(),
+		KubeadmCertEtcdAPIClient(),
 	}
 }
 
 // GetCertsWithoutEtcd returns all of the certificates kubeadm needs when etcd is hosted externally.
 func GetCertsWithoutEtcd() Certificates {
 	return Certificates{
-		&KubeadmCertRootCA,
-		&KubeadmCertAPIServer,
-		&KubeadmCertKubeletClient,
+		KubeadmCertRootCA(),
+		KubeadmCertAPIServer(),
+		KubeadmCertKubeletClient(),
 		// Front Proxy certs
-		&KubeadmCertFrontProxyCA,
-		&KubeadmCertFrontProxyClient,
+		KubeadmCertFrontProxyCA(),
+		KubeadmCertFrontProxyClient(),
 	}
 }
 
-var (
-	// KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.
-	KubeadmCertRootCA = KubeadmCert{
+// KubeadmCertRootCA is the definition of the Kubernetes Root CA for the API Server and kubelet.
+func KubeadmCertRootCA() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "ca",
 		LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
 		BaseName: kubeadmconstants.CACertAndKeyBaseName,
@@ -251,8 +251,11 @@ var (
 			},
 		},
 	}
-	// KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
-	KubeadmCertAPIServer = KubeadmCert{
+}
+
+// KubeadmCertAPIServer is the definition of the cert used to serve the Kubernetes API.
+func KubeadmCertAPIServer() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "apiserver",
 		LongName: "certificate for serving the Kubernetes API",
 		BaseName: kubeadmconstants.APIServerCertAndKeyBaseName,
@@ -267,8 +270,11 @@ var (
 			makeAltNamesMutator(pkiutil.GetAPIServerAltNames),
 		},
 	}
-	// KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
-	KubeadmCertKubeletClient = KubeadmCert{
+}
+
+// KubeadmCertKubeletClient is the definition of the cert used by the API server to access the kubelet.
+func KubeadmCertKubeletClient() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "apiserver-kubelet-client",
 		LongName: "certificate for the API server to connect to kubelet",
 		BaseName: kubeadmconstants.APIServerKubeletClientCertAndKeyBaseName,
@@ -281,9 +287,11 @@ var (
 			},
 		},
 	}
+}
 
-	// KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
-	KubeadmCertFrontProxyCA = KubeadmCert{
+// KubeadmCertFrontProxyCA is the definition of the CA used for the front end proxy.
+func KubeadmCertFrontProxyCA() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "front-proxy-ca",
 		LongName: "self-signed CA to provision identities for front proxy",
 		BaseName: kubeadmconstants.FrontProxyCACertAndKeyBaseName,
@@ -293,9 +301,11 @@ var (
 			},
 		},
 	}
+}
 
-	// KubeadmCertFrontProxyClient is the definition of the cert used by the API server to access the front proxy.
-	KubeadmCertFrontProxyClient = KubeadmCert{
+// KubeadmCertFrontProxyClient is the definition of the cert used by the API server to access the front proxy.
+func KubeadmCertFrontProxyClient() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "front-proxy-client",
 		BaseName: kubeadmconstants.FrontProxyClientCertAndKeyBaseName,
 		LongName: "certificate for the front proxy client",
@@ -307,9 +317,11 @@ var (
 			},
 		},
 	}
+}
 
-	// KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
-	KubeadmCertEtcdCA = KubeadmCert{
+// KubeadmCertEtcdCA is the definition of the root CA used by the hosted etcd server.
+func KubeadmCertEtcdCA() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "etcd-ca",
 		LongName: "self-signed CA to provision identities for etcd",
 		BaseName: kubeadmconstants.EtcdCACertAndKeyBaseName,
@@ -319,8 +331,11 @@ var (
 			},
 		},
 	}
-	// KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
-	KubeadmCertEtcdServer = KubeadmCert{
+}
+
+// KubeadmCertEtcdServer is the definition of the cert used to serve etcd to clients.
+func KubeadmCertEtcdServer() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "etcd-server",
 		LongName: "certificate for serving etcd",
 		BaseName: kubeadmconstants.EtcdServerCertAndKeyBaseName,
@@ -339,8 +354,11 @@ var (
 			setCommonNameToNodeName(),
 		},
 	}
-	// KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
-	KubeadmCertEtcdPeer = KubeadmCert{
+}
+
+// KubeadmCertEtcdPeer is the definition of the cert used by etcd peers to access each other.
+func KubeadmCertEtcdPeer() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "etcd-peer",
 		LongName: "certificate for etcd nodes to communicate with each other",
 		BaseName: kubeadmconstants.EtcdPeerCertAndKeyBaseName,
@@ -355,8 +373,11 @@ var (
 			setCommonNameToNodeName(),
 		},
 	}
-	// KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
-	KubeadmCertEtcdHealthcheck = KubeadmCert{
+}
+
+// KubeadmCertEtcdHealthcheck is the definition of the cert used by Kubernetes to check the health of the etcd server.
+func KubeadmCertEtcdHealthcheck() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "etcd-healthcheck-client",
 		LongName: "certificate for liveness probes to healthcheck etcd",
 		BaseName: kubeadmconstants.EtcdHealthcheckClientCertAndKeyBaseName,
@@ -369,8 +390,11 @@ var (
 			},
 		},
 	}
-	// KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
-	KubeadmCertEtcdAPIClient = KubeadmCert{
+}
+
+// KubeadmCertEtcdAPIClient is the definition of the cert used by the API server to access etcd.
+func KubeadmCertEtcdAPIClient() *KubeadmCert {
+	return &KubeadmCert{
 		Name:     "apiserver-etcd-client",
 		LongName: "certificate the apiserver uses to access etcd",
 		BaseName: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
@@ -383,7 +407,7 @@ var (
 			},
 		},
 	}
-)
+}
 
 func makeAltNamesMutator(f func(*kubeadmapi.InitConfiguration) (*certutil.AltNames, error)) configMutatorsFunc {
 	return func(mc *kubeadmapi.InitConfiguration, cc *pkiutil.CertConfig) error {

cmd/kubeadm/app/phases/certs/certs_test.go

@@ -685,15 +685,15 @@ func TestValidateMethods(t *testing.T) {
 }
 
 func TestNewCSR(t *testing.T) {
-	kubeadmCert := KubeadmCertAPIServer
+	kubeadmCert := KubeadmCertAPIServer()
 	cfg := testutil.GetDefaultInternalConfig(t)
 
 	certConfig, err := kubeadmCert.GetConfig(cfg)
 	if err != nil {
 		t.Fatalf("couldn't get cert config: %v", err)
 	}
 
-	csr, _, err := NewCSR(&kubeadmCert, cfg)
+	csr, _, err := NewCSR(kubeadmCert, cfg)
 
 	if err != nil {
 		t.Errorf("invalid signature on CSR: %v", err)

cmd/kubeadm/app/phases/upgrade/staticpods.go

@@ -554,9 +554,9 @@ func renewCertsByComponent(cfg *kubeadmapi.InitConfiguration, component string,
 	if component == constants.Etcd {
 		if cfg.Etcd.Local != nil {
 			certificates = []string{
-				certsphase.KubeadmCertEtcdServer.Name,
-				certsphase.KubeadmCertEtcdPeer.Name,
-				certsphase.KubeadmCertEtcdHealthcheck.Name,
+				certsphase.KubeadmCertEtcdServer().Name,
+				certsphase.KubeadmCertEtcdPeer().Name,
+				certsphase.KubeadmCertEtcdHealthcheck().Name,
 			}
 		}
 	}
@@ -565,12 +565,12 @@ func renewCertsByComponent(cfg *kubeadmapi.InitConfiguration, component string,
 	//if local etcd, renew also the etcd client certificate
 	if component == constants.KubeAPIServer {
 		certificates = []string{
-			certsphase.KubeadmCertAPIServer.Name,
-			certsphase.KubeadmCertKubeletClient.Name,
-			certsphase.KubeadmCertFrontProxyClient.Name,
+			certsphase.KubeadmCertAPIServer().Name,
+			certsphase.KubeadmCertKubeletClient().Name,
+			certsphase.KubeadmCertFrontProxyClient().Name,
 		}
 		if cfg.Etcd.Local != nil {
-			certificates = append(certificates, certsphase.KubeadmCertEtcdAPIClient.Name)
+			certificates = append(certificates, certsphase.KubeadmCertEtcdAPIClient().Name)
 		}
 	}