weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #7057 from inteon/startupapicheck

Browse Source 
Startupapicheck: validate that the validating and mutating webhooks are doing their job
This commit is contained in:
cert-manager-prow[bot] 2024-06-10 12:27:59 +00:00 committed by GitHub
commit 356f7411e0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 568 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/startupapicheck/LICENSES
View File

@ -1,3 +1,4 @@
github.com/Azure/go-ntlmssp,https://github.com/Azure/go-ntlmssp/blob/754e69321358/LICENSE,MIT
github.com/beorn7/perks/quantile,https://github.com/beorn7/perks/blob/v1.0.1/LICENSE,MIT
github.com/blang/semver/v4,https://github.com/blang/semver/blob/v4.0.0/v4/LICENSE,MIT
github.com/cert-manager/cert-manager,https://github.com/cert-manager/cert-manager/blob/HEAD/LICENSE,Apache-2.0
@ -8,7 +9,9 @@ github.com/emicklei/go-restful/v3,https://github.com/emicklei/go-restful/blob/v3
github.com/evanphx/json-patch,https://github.com/evanphx/json-patch/blob/v5.9.0/LICENSE,BSD-3-Clause
github.com/evanphx/json-patch/v5,https://github.com/evanphx/json-patch/blob/v5.9.0/v5/LICENSE,BSD-3-Clause
github.com/fsnotify/fsnotify,https://github.com/fsnotify/fsnotify/blob/v1.7.0/LICENSE,BSD-3-Clause
github.com/go-asn1-ber/asn1-ber,https://github.com/go-asn1-ber/asn1-ber/blob/v1.5.6/LICENSE,MIT
github.com/go-errors/errors,https://github.com/go-errors/errors/blob/v1.5.1/LICENSE.MIT,MIT
github.com/go-ldap/ldap/v3,https://github.com/go-ldap/ldap/blob/v3.4.8/v3/LICENSE,MIT
github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.4.1/LICENSE,Apache-2.0
github.com/go-logr/zapr,https://github.com/go-logr/zapr/blob/v1.3.0/LICENSE,Apache-2.0
github.com/go-openapi/jsonpointer,https://github.com/go-openapi/jsonpointer/blob/v0.21.0/LICENSE,Apache-2.0
@ -47,6 +50,7 @@ github.com/xlab/treeprint,https://github.com/xlab/treeprint/blob/v1.2.0/LICENSE,
go.starlark.net,https://github.com/google/starlark-go/blob/f457c4c2b267/LICENSE,BSD-3-Clause
go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.11.0/LICENSE.txt,MIT
go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.27.0/LICENSE,MIT
golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.23.0:LICENSE,BSD-3-Clause
golang.org/x/exp/maps,https://cs.opensource.google/go/x/exp/+/9bf2ced1:LICENSE,BSD-3-Clause
golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.25.0:LICENSE,BSD-3-Clause
golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/v0.20.0:LICENSE,BSD-3-Clause

7
cmd/startupapicheck/go.mod
View File

@ -15,6 +15,9 @@ replace github.com/prometheus/common => github.com/prometheus/common v0.46.0
replace github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.18.0
// Can be removed once github.com/go-ldap/ldap/v3 releases a version that requires this version.
replace github.com/go-asn1-ber/asn1-ber => github.com/go-asn1-ber/asn1-ber v1.5.6
replace github.com/cert-manager/cert-manager => ../../
require (
@ -30,6 +33,7 @@ require (
require (
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
@ -38,7 +42,9 @@ require (
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect
github.com/go-errors/errors v1.5.1 // indirect
github.com/go-ldap/ldap/v3 v3.4.8 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/zapr v1.3.0 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
@ -76,6 +82,7 @@ require (
go.starlark.net v0.0.0-20240510163022-f457c4c2b267 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.23.0 // indirect
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
golang.org/x/net v0.25.0 // indirect
golang.org/x/oauth2 v0.20.0 // indirect

69
cmd/startupapicheck/go.sum
View File

@ -1,5 +1,9 @@
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@ -21,8 +25,12 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0
github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM=
github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@ -58,12 +66,29 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@ -121,17 +146,23 @@ github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyh
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
go.starlark.net v0.0.0-20240510163022-f457c4c2b267 h1:nHGP5vKtg2WaXA/AozoZWx/DI9wvwxCeikONJbdKdFo=
go.starlark.net v0.0.0-20240510163022-f457c4c2b267/go.mod h1:YKMCv9b1WrfWmeqdV5MAuEHWsu5iC+fe6kYl2sQjdI8=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@ -143,14 +174,30 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
@ -158,18 +205,38 @@ golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
@ -178,6 +245,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

2
cmd/startupapicheck/pkg/check/api/api.go
View File

@ -24,7 +24,6 @@ import (
"time"
"github.com/spf13/cobra"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/wait"
cmcmdutil "github.com/cert-manager/cert-manager/internal/cmd/util"
@ -54,7 +53,6 @@ func (o *Options) Complete() error {
o.APIChecker, err = cmapichecker.New(
o.RESTConfig,
runtime.NewScheme(),
o.Namespace,
)
if err != nil {

2
cmd/webhook/go.mod
View File

@ -23,7 +23,6 @@ replace github.com/cert-manager/cert-manager => ../../
require (
github.com/cert-manager/cert-manager v0.0.0-00010101000000-000000000000
github.com/spf13/cobra v1.8.0
k8s.io/apimachinery v0.30.1
k8s.io/component-base v0.30.1
sigs.k8s.io/controller-runtime v0.18.2
)
@ -101,6 +100,7 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.30.1 // indirect
k8s.io/apiextensions-apiserver v0.30.1 // indirect
k8s.io/apimachinery v0.30.1 // indirect
k8s.io/apiserver v0.30.1 // indirect
k8s.io/client-go v0.30.1 // indirect
k8s.io/klog/v2 v2.120.1 // indirect

2
deploy/charts/cert-manager/templates/startupapicheck-rbac.yaml
View File

@ -18,7 +18,7 @@ metadata:
{{- end }}
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
resources: ["certificaterequests"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1

163
pkg/util/cmapichecker/cmapichecker.go
View File

@ -17,17 +17,22 @@ limitations under the License.
package cmapichecker
import (
"bytes"
"context"
"encoding/pem"
"fmt"
"net/http"
"regexp"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/rest"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/client"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
)
var (
@ -35,19 +40,26 @@ var (
ErrWebhookServiceFailure = fmt.Errorf("the cert-manager webhook service is not created yet")
ErrWebhookDeploymentFailure = fmt.Errorf("the cert-manager webhook deployment is not ready yet")
ErrWebhookCertificateFailure = fmt.Errorf("the cert-manager webhook CA bundle is not injected yet")
)
ErrMutationWebhookMissing = fmt.Errorf("the cert-manager mutation webhook did not mutate the dry-run CertificateRequest object")
ErrValidatingWebhookMissing = fmt.Errorf("the cert-manager validating webhook did not validate the dry-run CertificateRequest object")
ErrMutationWebhookIncorrect = fmt.Errorf("the cert-manager validating webhook failed because the dry-run CertificateRequest object was mutated incorrectly")
const (
crdsMapping1Error = `error finding the scope of the object: failed to get restmapping: failed to find API group "cert-manager.io"`
crdsMapping2Error = `error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"`
crdsNotFoundError = `the server could not find the requested resource (post certificates.cert-manager.io)`
ErrFailedToCheckAPI = fmt.Errorf("failed to check the cert-manager API")
)
var (
regexErrCertManagerCRDsNotFound = regexp.MustCompile(`^(` + regexp.QuoteMeta(crdsMapping1Error) + `|` + regexp.QuoteMeta(crdsMapping2Error) + `|` + regexp.QuoteMeta(crdsNotFoundError) + `)$`)
regexErrCertManagerCRDsNotFound1 = regexp.MustCompile(`the server could not find the requested resource`)
regexErrCertManagerCRDsNotFound2 = regexp.MustCompile(`failed to find API group "cert-manager\.io"`)
regexErrCertManagerCRDsNotFound3 = regexp.MustCompile(`no resources found for group "cert-manager\.io/v1"`)
regexErrCertManagerCRDsNotFound4 = regexp.MustCompile(`no matches for kind "CertificateRequest" in group "cert-manager\.io"`)
regexErrCertManagerCRDsNotFound5 = regexp.MustCompile(`no matches for kind "CertificateRequest" in version "cert-manager\.io/v1"`)
regexErrWebhookServiceFailure = regexp.MustCompile(`Post "(.*)": service "(.*)-webhook" not found`)
regexErrWebhookDeploymentFailure = regexp.MustCompile(`Post "(.*)": (.*): connect: connection refused`)
regexErrWebhookCertificateFailure = regexp.MustCompile(`Post "(.*)": x509: certificate signed by unknown authority`)
regexErrCertmanagerDeniedRequest = regexp.MustCompile(`admission webhook "webhook\.cert-manager\.io" denied the request: (.*)`)
regexErrForbidden = regexp.MustCompile(`certificaterequests\.cert-manager\.io is forbidden`)
regexErrDenied = regexp.MustCompile(`admission webhook "(.*)" denied the request: (.*)`)
)
// Interface is used to check that the cert-manager CRDs have been installed and are usable.
@ -57,23 +69,94 @@ type Interface interface {
type cmapiChecker struct {
client client.Client
testValidCR *cmapi.CertificateRequest
testInvalidCR *cmapi.CertificateRequest
}
// New returns a cert-manager API checker
func New(restcfg *rest.Config, scheme *runtime.Scheme, namespace string) (Interface, error) {
func New(restcfg *rest.Config, namespace string) (Interface, error) {
httpClient, err := rest.HTTPClientFor(restcfg)
if err != nil {
return nil, fmt.Errorf("while creating HTTP client: %w", err)
}
return NewForConfigAndClient(restcfg, httpClient, namespace)
}
func NewForConfigAndClient(restcfg *rest.Config, httpClient *http.Client, namespace string) (Interface, error) {
scheme := runtime.NewScheme()
if err := cmapi.AddToScheme(scheme); err != nil {
return nil, fmt.Errorf("while configuring scheme: %w", err)
}
cl, err := client.New(restcfg, client.Options{
Scheme: scheme,
HTTPClient: httpClient,
Scheme: scheme,
DryRun: ptr.To(true),
})
if err != nil {
return nil, fmt.Errorf("while creating client: %w", err)
}
cl = client.NewNamespacedClient(cl, namespace)
x509CertReq, err := pki.GenerateCSR(
&cmapi.Certificate{
Spec: cmapi.CertificateSpec{
DNSNames: []string{"example.com"},
PrivateKey: &cmapi.CertificatePrivateKey{
Algorithm: "ECDSA",
Size: 521,
},
},
},
pki.WithEncodeBasicConstraintsInRequest(true),
)
if err != nil {
return nil, fmt.Errorf("while generating CSR: %w", err)
}
pk, err := pki.GenerateECPrivateKey(521)
if err != nil {
return nil, fmt.Errorf("while generating private key: %w", err)
}
csrDER, err := pki.EncodeCSR(x509CertReq, pk)
if err != nil {
return nil, fmt.Errorf("while encoding CSR: %w", err)
}
csrPEM := bytes.NewBuffer([]byte{})
err = pem.Encode(csrPEM, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
if err != nil {
return nil, fmt.Errorf("while encoding CSR to PEM: %w", err)
}
return &cmapiChecker{
client: client.NewNamespacedClient(client.NewDryRunClient(cl), namespace),
client: cl,
testValidCR: &cmapi.CertificateRequest{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "cmapichecker-valid-",
},
Spec: cmapi.CertificateRequestSpec{
Request: csrPEM.Bytes(),
IssuerRef: cmmeta.ObjectReference{
Name: "cmapichecker",
},
},
},
testInvalidCR: &cmapi.CertificateRequest{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "cmapichecker-invalid-",
},
Spec: cmapi.CertificateRequestSpec{
Request: []byte("invalid-csr"),
IssuerRef: cmmeta.ObjectReference{
Name: "cmapichecker",
},
},
},
}, nil
}
@ -85,22 +168,37 @@ func New(restcfg *rest.Config, scheme *runtime.Scheme, namespace string) (Interf
// we have disabled the serving of non-v1 CRD versions, so it is no longer
// possible to test the reachability of the conversion webhook.
func (o *cmapiChecker) Check(ctx context.Context) error {
cert := &cmapi.Certificate{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "cmapichecker-",
},
Spec: cmapi.CertificateSpec{
DNSNames: []string{"cmapichecker.example"},
SecretName: "cmapichecker",
IssuerRef: cmmeta.ObjectReference{
Name: "cmapichecker",
},
},
}
// Test the mutating webhook, which should add the username, UID, and groups
if err := func() error {
certReq := o.testValidCR.DeepCopy()
if err := o.client.Create(ctx, certReq); err != nil {
return err
}
if err := o.client.Create(ctx, cert); err != nil {
if certReq.Spec.Username == "" &&
certReq.Spec.UID == "" {
return ErrMutationWebhookMissing
}
return nil
}(); err != nil {
return err
}
// Test the validating webhook, which should reject the request
if err := func() error {
certReq := o.testInvalidCR.DeepCopy()
if err := o.client.Create(ctx, certReq); err == nil {
return ErrValidatingWebhookMissing
} else if !regexErrCertmanagerDeniedRequest.MatchString(err.Error()) {
return err
}
return nil
}(); err != nil {
return err
}
return nil
}
@ -115,11 +213,23 @@ func (o *cmapiChecker) Check(ctx context.Context) error {
// - Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.38.90:443: connect: connection refused
// ErrWebhookCertificateFailure:
// - Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca")
// ErrMutationWebhookIncorrect:
// - admission webhook "webhook.cert-manager.io" denied the request: [spec.username: Forbidden: username identity must be that of the requester, spec.groups: Forbidden: groups identity must be that of the requester]
// ErrFailedToCheckAPI:
// - certificaterequests.cert-manager.io is forbidden: User "test" cannot create resource "certificaterequests" in API group "cert-manager.io" in the namespace "default"
// - admission webhook "validate.kyverno.svc-fail" denied the request: ...
func TranslateToSimpleError(err error) error {
s := err.Error()
if err == nil {
return nil
}
s := err.Error()
switch {
case regexErrCertManagerCRDsNotFound.MatchString(s):
case regexErrCertManagerCRDsNotFound1.MatchString(s) ||
regexErrCertManagerCRDsNotFound2.MatchString(s) ||
regexErrCertManagerCRDsNotFound3.MatchString(s) ||
regexErrCertManagerCRDsNotFound4.MatchString(s) ||
regexErrCertManagerCRDsNotFound5.MatchString(s):
return ErrCertManagerCRDsNotFound
case regexErrWebhookServiceFailure.MatchString(s):
return ErrWebhookServiceFailure
@ -127,6 +237,11 @@ func TranslateToSimpleError(err error) error {
return ErrWebhookDeploymentFailure
case regexErrWebhookCertificateFailure.MatchString(s):
return ErrWebhookCertificateFailure
case regexErrCertmanagerDeniedRequest.MatchString(s):
return ErrMutationWebhookIncorrect
case regexErrForbidden.MatchString(s) ||
regexErrDenied.MatchString(s):
return ErrFailedToCheckAPI
default:
return nil
}

498
pkg/util/cmapichecker/cmapichecker_test.go
View File

@ -18,175 +18,371 @@ package cmapichecker
import (
"context"
"errors"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"k8s.io/apimachinery/pkg/runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/rest"
)
type fakeErrorClient struct {
client.Client
createError error
}
func (cl *fakeErrorClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
if cl.createError != nil {
return cl.createError
}
return cl.Client.Create(ctx, obj, opts...)
}
func newFakeCmapiChecker() (*fakeErrorClient, Interface, error) {
scheme := runtime.NewScheme()
if err := cmapi.AddToScheme(scheme); err != nil {
return nil, nil, err
}
cl := fake.NewClientBuilder().WithScheme(scheme).Build()
errorClient := &fakeErrorClient{
Client: cl,
createError: nil,
}
return errorClient, &cmapiChecker{
client: errorClient,
}, nil
}
const (
errCertManagerCRDsMapping = `error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"`
errCertManagerCRDsNotFound = `the server could not find the requested resource (post certificates.cert-manager.io)`
errMutatingWebhookServiceFailure = `Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": service "cert-manager-webhook" not found`
errMutatingWebhookDeploymentFailure = `Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.38.90:443: connect: connection refused`
errMutatingWebhookCertificateFailure = `Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca"`
// These /convert error examples test that we can correctly parse errors
// while connecting to the conversion webhook,
// but as of cert-manager 1.6 the conversion webhook will no-longer be used
// because legacy CRD versions will no longer be "served"
// and in 1.7 the conversion webhook may be removed at which point these can
// be removed too.
// TODO: Add tests for errors when connecting to the /validate
// ValidatingWebhook endpoint.
errConversionWebhookServiceFailure = `conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post "https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s": service "cert-manager-webhook" not found`
errConversionWebhookDeploymentFailure = `conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post "https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s": dial tcp 10.96.38.90:443: connect: connection refused`
errConversionWebhookCertificateFailure = `conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post "https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s": x509: certificate signed by unknown authority`
crNoMutation = `{
"kind":"CertificateRequest",
"apiVersion":"cert-manager.io/v1",
"metadata":{
"name":"cmapichecker-0001",
"namespace":"test-namespace"
},
"spec":{
"issuerRef":{"name":"cmapichecker"},
"request":"PENTUi1WQUxVRT4="
}
}`
crAfterMutation = `{
"kind":"CertificateRequest",
"apiVersion":"cert-manager.io/v1",
"metadata":{
"name":"cmapichecker-0001",
"namespace":"test-namespace"
},
"spec":{
"issuerRef":{"name":"cmapichecker"},
"request":"PENTUi1WQUxVRT4=",
"username":"test-user",
"uid":"test-uid"
},
"status":{}
}`
)
func TestCmapiChecker(t *testing.T) {
func TestCheck(t *testing.T) {
type testT struct {
apisResponse func(t *testing.T, r *http.Request) (int, []byte)
discoveryResponse func(t *testing.T, r *http.Request) (int, []byte)
createValidResponse func(t *testing.T, r *http.Request) (int, []byte)
createInvalidResponse func(t *testing.T, r *http.Request) (int, []byte)
expectedError string
expectedSimpleError string
}
tests := map[string]testT{
"check API without errors": {
createError: nil,
expectedSimpleError: "",
expectedVerboseError: "",
"no errors": {},
"without any cert-manager CRDs installed (missing from /apis)": {
apisResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusOK, []byte(`{
"kind": "APIGroupList",
"apiVersion": "v1",
"groups": []
}`)
},
expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`,
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
},
"check API without CRDs installed 1": {
createError: errors.New(errCertManagerCRDsMapping),
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
expectedVerboseError: errCertManagerCRDsMapping,
"without any cert-manager CRDs installed (404)": {
discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusNotFound, nil
},
expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`,
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
},
"check API without CRDs installed 2": {
createError: errors.New(errCertManagerCRDsNotFound),
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
expectedVerboseError: errCertManagerCRDsNotFound,
"without any cert-manager CRDs installed (empty list)": {
discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusOK, []byte(`{
"kind":"APIResourceList",
"apiVersion":"v1",
"groupVersion":"cert-manager.io/v1",
"resources":[]
}`)
},
expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`,
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
},
"check API with mutating webhook service not ready": {
createError: errors.New(errMutatingWebhookServiceFailure),
expectedSimpleError: ErrWebhookServiceFailure.Error(),
expectedVerboseError: errMutatingWebhookServiceFailure,
"without certificate request CRD installed": {
discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusOK, []byte(`{
"kind":"APIResourceList",
"apiVersion":"v1",
"groupVersion":"cert-manager.io/v1",
"resources":[
{
"name":"test",
"singularName":"",
"namespaced":true,
"kind":"Test",
"verbs":["get","patch","update"]
}
]
}`)
},
expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`,
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
},
"check API with conversion webhook service not ready": {
createError: errors.New(errConversionWebhookServiceFailure),
expectedSimpleError: ErrWebhookServiceFailure.Error(),
expectedVerboseError: errConversionWebhookServiceFailure,
"with missing certificate request endpoint": {
discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusNotFound, nil
},
expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`,
expectedSimpleError: ErrCertManagerCRDsNotFound.Error(),
},
"check API with mutating webhook pod not accepting connections": {
createError: errors.New(errMutatingWebhookDeploymentFailure),
expectedSimpleError: ErrWebhookDeploymentFailure.Error(),
expectedVerboseError: errMutatingWebhookDeploymentFailure,
"dry-run certificate request was not mutated": {
createValidResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusOK, []byte(crNoMutation)
},
expectedError: ErrMutationWebhookMissing.Error(),
},
"check API with conversion webhook pod not accepting connections": {
createError: errors.New(errConversionWebhookDeploymentFailure),
expectedSimpleError: ErrWebhookDeploymentFailure.Error(),
expectedVerboseError: errConversionWebhookDeploymentFailure,
"cr was denied by 3rd party webhook": {
createInvalidResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusNotAcceptable, []byte(`{
"kind":"Status",
"apiVersion":"v1",
"metadata":{},
"status":"Failure",
"message":"admission webhook \"other-webhook.io\" denied the request: [ERROR MESSAGE]",
"reason":"NotAcceptable",
"code":406
}`)
},
expectedError: "admission webhook \"other-webhook.io\" denied the request: [ERROR MESSAGE]",
expectedSimpleError: ErrFailedToCheckAPI.Error(),
},
"check API with webhook certificate not updated in mutation webhook resource definitions": {
createError: errors.New(errMutatingWebhookCertificateFailure),
expectedSimpleError: ErrWebhookCertificateFailure.Error(),
expectedVerboseError: errMutatingWebhookCertificateFailure,
},
"check API with webhook certificate not updated in conversion webhook resource definitions": {
createError: errors.New(errConversionWebhookCertificateFailure),
expectedSimpleError: ErrWebhookCertificateFailure.Error(),
expectedVerboseError: errConversionWebhookCertificateFailure,
},
"unexpected error": {
createError: errors.New("unexpected error"),
expectedSimpleError: "",
expectedVerboseError: "unexpected error",
"missing validation error": {
createInvalidResponse: func(t *testing.T, r *http.Request) (int, []byte) {
return http.StatusOK, []byte(crAfterMutation)
},
expectedError: ErrValidatingWebhookMissing.Error(),
},
}
for n, test := range tests {
t.Run(n, func(t *testing.T) {
runTest(t, test)
type testFailure struct {
message string
reason string
code int
simpleError string
}
for name, test := range map[string]testFailure{
"no permission": {
message: `certificaterequests.cert-manager.io is forbidden: User "test" cannot create resource "certificaterequests" in API group "cert-manager.io" in the namespace "test-namespace"`,
reason: "Forbidden",
code: http.StatusForbidden,
simpleError: ErrFailedToCheckAPI.Error(),
},
"service not found": {
message: `failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": service "cert-manager-webhook" not found`,
reason: "InternalError",
code: 500,
simpleError: ErrWebhookServiceFailure.Error(),
},
"connection refused": {
message: `failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": dial tcp 10.96.19.42:443: connect: connection refused`,
reason: "InternalError",
code: 500,
simpleError: ErrWebhookDeploymentFailure.Error(),
},
"certificate signed by unknown authority": {
message: `failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": x509: certificate signed by unknown authority`,
reason: "NotAcceptable",
code: 406,
simpleError: ErrWebhookCertificateFailure.Error(),
},
"certificate signed by unknown authority (ECDSA verification failure)": {
message: `failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca"`,
reason: "NotAcceptable",
code: 406,
simpleError: ErrWebhookCertificateFailure.Error(),
},
"validating webhook error (3rd party)": {
message: `admission webhook "other-webhook.io" denied the request: [ERROR MESSAGE]`,
reason: "NotAcceptable",
code: 406,
simpleError: ErrFailedToCheckAPI.Error(),
},
"missing mutating webhook": {
message: `admission webhook "webhook.cert-manager.io" denied the request: [spec.username: Forbidden: username identity must be that of the requester, spec.groups: Forbidden: groups identity must be that of the requester]`,
reason: "NotAcceptable",
code: 406,
simpleError: ErrMutationWebhookIncorrect.Error(),
},
"validating webhook error": {
message: `admission webhook "webhook.cert-manager.io" denied the request: spec.request: Invalid value: []byte{0x00}: error decoding certificate request PEM block`,
reason: "NotAcceptable",
code: 406,
simpleError: ErrMutationWebhookIncorrect.Error(),
},
"unknown error": {
message: `UNKNOWN ERROR`,
reason: "InternalError",
code: 500,
},
} {
tests["valid_failure_"+name] = testT{
createValidResponse: func(t *testing.T, r *http.Request) (int, []byte) {
byteResponse, err := json.Marshal(map[string]interface{}{
"kind": "Status",
"apiVersion": "v1",
"metadata": map[string]interface{}{},
"status": "Failure",
"message": test.message,
"reason": test.reason,
"code": test.code,
})
if err != nil {
t.Error(err)
}
return test.code, byteResponse
},
expectedError: test.message,
expectedSimpleError: test.simpleError,
}
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
// fake https server to simulate the Kubernetes API server responses
mockKubernetesAPI := func(t *testing.T, r *http.Request) (int, []byte) {
switch r.URL.Path {
case "/api":
return http.StatusOK, []byte(`{"kind":"APIVersions","versions":["v1"]}`)
case "/apis":
if test.apisResponse != nil {
return test.apisResponse(t, r)
}
return http.StatusOK, []byte(`{
"kind": "APIGroupList",
"apiVersion": "v1",
"groups": [{
"name": "cert-manager.io",
"versions": [{
"groupVersion": "cert-manager.io/v1",
"version": "v1"
}],
"preferredVersion": {
"groupVersion": "cert-manager.io/v1",
"version": "v1"
}
}]
}`)
case "/apis/cert-manager.io/v1":
if test.discoveryResponse != nil {
return test.discoveryResponse(t, r)
}
return http.StatusOK, []byte(`{
"kind":"APIResourceList",
"apiVersion":"v1",
"groupVersion":"cert-manager.io/v1",
"resources":[
{
"name":"certificaterequests",
"singularName":"certificaterequest",
"namespaced":true,
"kind":"CertificateRequest",
"verbs":["delete","deletecollection","get","list","patch","create","update","watch"],
"shortNames":["cr","crs"],
"categories":["cert-manager"],
"storageVersionHash":"tuxiikMaACg="
},
{
"name":"certificaterequests/status",
"singularName":"",
"namespaced":true,
"kind":"CertificateRequest",
"verbs":["get","patch","update"]
}
]
}`)
case "/apis/cert-manager.io/v1/namespaces/test-namespace/certificaterequests":
obj := metav1.PartialObjectMetadata{}
if err := json.NewDecoder(r.Body).Decode(&obj); err != nil {
t.Errorf("failed to decode request body: %v", err)
}
switch obj.GenerateName {
case "cmapichecker-valid-":
if test.createValidResponse != nil {
return test.createValidResponse(t, r)
}
return http.StatusOK, []byte(crAfterMutation)
case "cmapichecker-invalid-":
if test.createInvalidResponse != nil {
return test.createInvalidResponse(t, r)
}
return http.StatusNotAcceptable, []byte(`{
"kind":"Status",
"apiVersion":"v1",
"metadata":{},
"status":"Failure",
"message":"admission webhook \"webhook.cert-manager.io\" denied the request: [ERROR MESSAGE]",
"reason":"NotAcceptable",
"code":406
}`)
}
default:
}
return http.StatusNotFound, nil
}
testServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
statusCode, content := mockKubernetesAPI(t, r)
w.WriteHeader(statusCode)
if content == nil {
return
}
if _, err := w.Write(content); err != nil {
t.Errorf("failed to write response: %v", err)
}
}))
t.Cleanup(testServer.Close)
restConfig := &rest.Config{
Host: testServer.URL,
}
checker, err := NewForConfigAndClient(restConfig, testServer.Client(), "test-namespace")
if err != nil {
t.Fatalf("failed to create checker: %v", err)
}
for i := 0; i < 10; i++ {
t.Logf("# check %d", i)
err = checker.Check(context.Background())
switch {
case err == nil && test.expectedError == "":
case err == nil && test.expectedError != "":
t.Errorf("expected error %q, got nil", test.expectedError)
case err.Error() != test.expectedError:
t.Errorf("expected error %q, got %q", test.expectedError, err.Error())
}
simpleErr := TranslateToSimpleError(err)
switch {
case simpleErr == nil && test.expectedSimpleError == "":
case simpleErr == nil && test.expectedSimpleError != "":
t.Errorf("expected error %q, got nil", test.expectedSimpleError)
case simpleErr.Error() != test.expectedSimpleError:
t.Errorf("expected error %q, got %q", test.expectedSimpleError, simpleErr.Error())
}
}
})
}
}
type testT struct {
createError error
expectedSimpleError string
expectedVerboseError string
}
func runTest(t *testing.T, test testT) {
errorClient, checker, err := newFakeCmapiChecker()
if err != nil {
t.Error(err)
}
errorClient.createError = test.createError
var simpleError error
err = checker.Check(context.TODO())
if err != nil {
if err.Error() != test.expectedVerboseError {
t.Errorf("error differs from expected error:\n%s\n vs \n%s", err.Error(), test.expectedVerboseError)
}
simpleError = TranslateToSimpleError(err)
} else if test.expectedVerboseError != "" {
t.Errorf("expected error did not occure:\n%s", test.expectedVerboseError)
}
if simpleError != nil {
if simpleError.Error() != test.expectedSimpleError {
t.Errorf("simple error differs from expected error:\n%s\n vs \n%s", simpleError.Error(), test.expectedSimpleError)
}
} else {
if test.expectedSimpleError != "" {
t.Errorf("expected simple error did not occure:\n%s", test.expectedSimpleError)
}
}
}