Tests for agent certs

cryostatio · Sep 9, 2024 · fc1918a · fc1918a
1 parent 237b0c6
commit fc1918a
Show file tree

Hide file tree

Showing 3 changed files with 162 additions and 47 deletions.
diff --git a/internal/controllers/certmanager.go b/internal/controllers/certmanager.go
@@ -135,7 +135,7 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 				return nil, err
 			}
 		}
-		certificates = append(certificates, agentCert) // TODO test
+		certificates = append(certificates, agentCert)
 	}
 
 	if len(agentCertsNotReady) > 0 {
@@ -168,22 +168,26 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
 
 		// Delete any agent certificates removed target namespaces
 		agentCert := resources.NewAgentCert(cr, ns, r.gvk)
+
 		// Delete namespace copy
-		namespaceAgentSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      agentCert.Spec.SecretName,
-				Namespace: ns,
-			},
-		}
-		err = r.deleteSecret(ctx, namespaceAgentSecret)
-		if err != nil {
-			return nil, err
+		if ns != cr.InstallNamespace {
+			namespaceAgentSecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      agentCert.Spec.SecretName,
+					Namespace: ns,
+				},
+			}
+			err = r.deleteSecret(ctx, namespaceAgentSecret)
+			if err != nil {
+				return nil, err
+			}
 		}
+
 		// Delete certificate with original secret
 		err := r.deleteCertWithSecret(ctx, agentCert)
 		if err != nil {
 			return nil, err
-		} // TODO test
+		}
 	}
 
 	return tlsConfig, nil
@@ -203,20 +207,20 @@ func (r *Reconciler) finalizeTLS(ctx context.Context, cr *model.CryostatInstance
 			if err != nil {
 				return err
 			}
-		}
 
-		// Delete any agent certificate secrets in target namespaces
-		agentCert := resources.NewAgentCert(cr, ns, r.gvk)
-		namespaceAgentSecret := &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      agentCert.Spec.SecretName,
-				Namespace: ns,
-			},
+			// Delete any agent certificate secrets in target namespaces
+			agentCert := resources.NewAgentCert(cr, ns, r.gvk)
+			namespaceAgentSecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      agentCert.Spec.SecretName,
+					Namespace: ns,
+				},
+			}
+			err = r.deleteSecret(ctx, namespaceAgentSecret)
+			if err != nil {
+				return err
+			}
 		}
-		err := r.deleteSecret(ctx, namespaceAgentSecret)
-		if err != nil {
-			return err
-		} // TODO test
 	}
 
 	return nil
@@ -339,11 +343,11 @@ func (r *Reconciler) deleteCertWithSecret(ctx context.Context, cert *certv1.Cert
 			Namespace: cert.Namespace,
 		},
 	}
-
 	err := r.deleteSecret(ctx, secret)
 	if err != nil {
 		return err
 	}
+
 	// Delete the certificate
 	err = r.deleteCertificate(ctx, cert)
 	if err != nil {
@@ -359,22 +363,28 @@ func (r *Reconciler) reconcileAgentCertificate(ctx context.Context, cert *certv1
 		return err
 	}
 
-	// Fetch the certificate secret and create a copy in the target namespace
-	secret, err := r.GetCertificateSecret(ctx, cert)
-	if err != nil {
-		return err
-	}
+	// Fetch the certificate secret and create a copy in the target namespace (if not the install namespace)
+	if namespace != cr.InstallNamespace {
+		secret, err := r.GetCertificateSecret(ctx, cert)
+		if err != nil {
+			return err
+		}
 
-	targetSecret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      secret.Name,
-			Namespace: namespace,
-		},
+		targetSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secret.Name,
+				Namespace: namespace,
+			},
+		}
+		err = r.createOrUpdateSecret(ctx, targetSecret, nil, func() error {
+			targetSecret.Data = secret.Data
+			return nil
+		})
+		if err != nil {
+			return err
+		}
 	}
-	return r.createOrUpdateSecret(ctx, targetSecret, nil, func() error {
-		targetSecret.Data = secret.Data
-		return nil
-	})
+	return nil
 }
 
 func (r *Reconciler) createOrUpdateCertificate(ctx context.Context, cert *certv1.Certificate, owner metav1.Object) error {

diff --git a/internal/controllers/reconciler_test.go b/internal/controllers/reconciler_test.go
@@ -1804,21 +1804,40 @@ func (c *controllerTest) commonTests() {
 							t.expectNoCryostat()
 						})
 					})
+					Context("with cert-manager enabled", func() {
+						JustBeforeEach(func() {
+							err := t.Client.Delete(context.Background(), t.NewRoleBinding(targetNamespaces[0]))
+							Expect(err).ToNot(HaveOccurred())
+							t.reconcileDeletedCryostat()
+						})
+						It("should delete CA cert secrets from each namespace", func() {
+							t.checkCASecretsDeleted()
+						})
+						It("should delete agent cert secrets from each namespace", func() {
+							t.checkAgentCertSecretsDeleted()
+						})
+						It("should delete Cryostat", func() {
+							t.expectNoCryostat()
+						})
+					})
 				})
 			})
 
 			Context("with removed target namespaces", func() {
 				BeforeEach(func() {
+					t.TargetNamespaces = targetNamespaces
+					t.objs = append(t.objs, t.NewCryostat().Object)
+				})
+				JustBeforeEach(func() {
 					// Begin with RBAC set up for two namespaces,
 					// and remove the second namespace from the spec
 					t.TargetNamespaces = targetNamespaces[:1]
-					cr := t.NewCryostat()
-					*cr.TargetNamespaceStatus = targetNamespaces
-					t.objs = append(t.objs, cr.Object,
-						t.NewRoleBinding(targetNamespaces[0]),
-						t.NewRoleBinding(targetNamespaces[1]),
-						t.NewCACertSecret(targetNamespaces[0]),
-						t.NewCACertSecret(targetNamespaces[1]))
+					cr := t.getCryostatInstance()
+					cr.Spec.TargetNamespaces = t.TargetNamespaces
+					t.updateCryostatInstance(cr)
+
+					// Reconcile again
+					t.reconcileCryostatFully()
 				})
 				It("should create the expected main deployment", func() {
 					t.expectMainDeployment()
@@ -1832,15 +1851,33 @@ func (c *controllerTest) commonTests() {
 					Expect(err).ToNot(BeNil())
 					Expect(kerrors.IsNotFound(err)).To(BeTrue())
 				})
-				It("leave CA Cert secret for the first namespace", func() {
+				It("leave certficate secrets for the first namespace", func() {
 					t.expectCertificates()
 				})
-				It("should remove CA Cert secret from the second namespace", func() {
+				It("should remove CA cert secret from the second namespace", func() {
 					secret := t.NewCACertSecret(targetNamespaces[1])
 					err := t.Client.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, secret)
 					Expect(err).ToNot(BeNil())
 					Expect(kerrors.IsNotFound(err)).To(BeTrue())
 				})
+				It("should remove agent certificate for the second namespace", func() {
+					cert := t.NewAgentCert(targetNamespaces[1])
+					err := t.Client.Get(context.Background(), types.NamespacedName{Name: cert.Name, Namespace: cert.Namespace}, cert)
+					Expect(err).ToNot(BeNil())
+					Expect(kerrors.IsNotFound(err)).To(BeTrue())
+				})
+				It("should remove agent cert secret for the second namespace", func() {
+					secret := t.NewAgentCertSecret(targetNamespaces[1])
+					err := t.Client.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, secret)
+					Expect(err).ToNot(BeNil())
+					Expect(kerrors.IsNotFound(err)).To(BeTrue())
+				})
+				It("should remove agent cert secret copy from the second namespace", func() {
+					secret := t.NewAgentCertSecretCopy(targetNamespaces[1])
+					err := t.Client.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, secret)
+					Expect(err).ToNot(BeNil())
+					Expect(kerrors.IsNotFound(err)).To(BeTrue())
+				})
 				It("should update the target namespaces in Status", func() {
 					t.expectTargetNamespaces()
 				})
@@ -2281,6 +2318,36 @@ func (t *cryostatTestInput) expectCertificates() {
 			Expect(secret.Type).To(Equal(expectedSecret.Type))
 		}
 	}
+
+	// Check agent certificates and secrets
+	for _, ns := range t.TargetNamespaces {
+		// Check certificate object
+		expectedCert := t.NewAgentCert(ns)
+		cert := &certv1.Certificate{}
+		err := t.Client.Get(context.Background(), types.NamespacedName{Name: expectedCert.Name, Namespace: expectedCert.Namespace}, cert)
+		Expect(err).ToNot(HaveOccurred())
+		t.checkMetadata(cert, expectedCert)
+		Expect(cert.Spec).To(Equal(expectedCert.Spec))
+
+		// Check certificate secret is created and owned by CR
+		expectedSecret := t.NewAgentCertSecret(ns)
+		secret := &corev1.Secret{}
+		err = t.Client.Get(context.Background(), types.NamespacedName{Name: expectedSecret.Name, Namespace: expectedSecret.Namespace}, secret)
+		Expect(err).ToNot(HaveOccurred())
+		t.checkMetadata(secret, expectedSecret)
+		Expect(secret.Data).To(Equal(expectedSecret.Data))
+
+		if ns != t.Namespace {
+			// Ensure secret is copied into the target namespace
+			expectedSecret = t.NewAgentCertSecretCopy(ns)
+			secret = &corev1.Secret{}
+			err = t.Client.Get(context.Background(), types.NamespacedName{Name: expectedSecret.Name, Namespace: expectedSecret.Namespace}, secret)
+			Expect(err).ToNot(HaveOccurred())
+			t.checkMetadataNoOwner(secret, expectedSecret)
+			Expect(secret.GetOwnerReferences()).To(BeEmpty())
+			Expect(secret.Data).To(Equal(expectedSecret.Data))
+		}
+	}
 }
 
 func (t *cryostatTestInput) expectRBAC() {
@@ -2333,6 +2400,24 @@ func (t *cryostatTestInput) checkRoleBindingsDeleted() {
 	}
 }
 
+func (t *cryostatTestInput) checkCASecretsDeleted() {
+	for _, ns := range t.TargetNamespaces {
+		expected := t.NewCACertSecret(ns)
+		secret := &corev1.Secret{}
+		err := t.Client.Get(context.Background(), types.NamespacedName{Name: expected.Name, Namespace: expected.Namespace}, secret)
+		Expect(kerrors.IsNotFound(err)).To(BeTrue())
+	}
+}
+
+func (t *cryostatTestInput) checkAgentCertSecretsDeleted() {
+	for _, ns := range t.TargetNamespaces {
+		expected := t.NewAgentCertSecretCopy(ns)
+		secret := &corev1.Secret{}
+		err := t.Client.Get(context.Background(), types.NamespacedName{Name: expected.Name, Namespace: expected.Namespace}, secret)
+		Expect(kerrors.IsNotFound(err)).To(BeTrue())
+	}
+}
+
 func (t *cryostatTestInput) expectNoRoutes() {
 	svc := &openshiftv1.Route{}
 	err := t.Client.Get(context.Background(), types.NamespacedName{Name: t.Name, Namespace: t.Namespace}, svc)

diff --git a/internal/test/resources.go b/internal/test/resources.go
@@ -852,6 +852,26 @@ func (r *TestResources) NewCACertSecret(ns string) *corev1.Secret {
 	}
 }
 
+func (r *TestResources) NewAgentCertSecret(ns string) *corev1.Secret {
+	name := r.getClusterUniqueNameForAgent(ns)
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: r.Namespace,
+		},
+		Data: map[string][]byte{
+			corev1.TLSPrivateKeyKey: []byte(name + "-key"),
+			corev1.TLSCertKey:       []byte(name + "-bytes"),
+		},
+	}
+}
+
+func (r *TestResources) NewAgentCertSecretCopy(ns string) *corev1.Secret {
+	secret := r.NewAgentCertSecret(ns)
+	secret.Namespace = ns
+	return secret
+}
+
 func (r *TestResources) NewDatabaseSecret() *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{