diff --git a/BUILD.bazel b/BUILD.bazel index 4e0de38a6..6cc3d9324 100644 --- a/BUILD.bazel +++ b/BUILD.bazel @@ -60,6 +60,7 @@ filegroup( "//test/acme/dns:all-srcs", "//test/e2e:all-srcs", "//test/unit/gen:all-srcs", + "//test/unit/listers:all-srcs", "//test/util:all-srcs", "//third_party:all-srcs", "//vendor:all-srcs", diff --git a/pkg/controller/certificaterequests/BUILD.bazel b/pkg/controller/certificaterequests/BUILD.bazel index 1951279fb..ca47a54af 100644 --- a/pkg/controller/certificaterequests/BUILD.bazel +++ b/pkg/controller/certificaterequests/BUILD.bazel @@ -46,6 +46,7 @@ filegroup( ":package-srcs", "//pkg/controller/certificaterequests/ca:all-srcs", "//pkg/controller/certificaterequests/fake:all-srcs", + "//pkg/controller/certificaterequests/util:all-srcs", ], tags = ["automanaged"], visibility = ["//visibility:public"], diff --git a/pkg/controller/certificaterequests/ca/BUILD.bazel b/pkg/controller/certificaterequests/ca/BUILD.bazel index 8f2e5b36d..d28efd349 100644 --- a/pkg/controller/certificaterequests/ca/BUILD.bazel +++ b/pkg/controller/certificaterequests/ca/BUILD.bazel @@ -10,11 +10,12 @@ go_library( "//pkg/apis/certmanager/v1alpha1:go_default_library", "//pkg/controller:go_default_library", "//pkg/controller/certificaterequests:go_default_library", + "//pkg/controller/certificaterequests/util:go_default_library", "//pkg/issuer:go_default_library", "//pkg/logs:go_default_library", + "//pkg/util/errors:go_default_library", "//pkg/util/kube:go_default_library", "//pkg/util/pki:go_default_library", - "//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//vendor/k8s.io/client-go/listers/core/v1:go_default_library", "//vendor/k8s.io/client-go/tools/record:go_default_library", 
@@ -46,8 +47,10 @@ go_test( "//pkg/issuer:go_default_library", "//pkg/util/pki:go_default_library", "//test/unit/gen:go_default_library", + "//test/unit/listers:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", + "//vendor/k8s.io/client-go/listers/core/v1:go_default_library", ], ) diff --git a/pkg/controller/certificaterequests/ca/ca.go b/pkg/controller/certificaterequests/ca/ca.go index a7e904add..3bc922ae3 100644 --- a/pkg/controller/certificaterequests/ca/ca.go +++ b/pkg/controller/certificaterequests/ca/ca.go @@ -20,7 +20,6 @@ import ( "context" "fmt" - corev1 "k8s.io/api/core/v1" k8sErrors "k8s.io/apimachinery/pkg/api/errors" corelisters "k8s.io/client-go/listers/core/v1" "k8s.io/client-go/tools/record" @@ -29,8 +28,10 @@ import ( "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1" controllerpkg "github.com/jetstack/cert-manager/pkg/controller" "github.com/jetstack/cert-manager/pkg/controller/certificaterequests" + crutil "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/util" issuerpkg "github.com/jetstack/cert-manager/pkg/issuer" logf "github.com/jetstack/cert-manager/pkg/logs" + cmerrors "github.com/jetstack/cert-manager/pkg/util/errors" "github.com/jetstack/cert-manager/pkg/util/kube" "github.com/jetstack/cert-manager/pkg/util/pki" ) 
@@ -76,60 +77,55 @@ func NewCA(ctx *controllerpkg.Context) *CA { } } -func (c *CA) Sign(ctx context.Context, cr *v1alpha1.CertificateRequest) (*issuerpkg.IssueResponse, error) { +func (c *CA) Sign(ctx context.Context, cr *v1alpha1.CertificateRequest, issuerObj v1alpha1.GenericIssuer) (*issuerpkg.IssueResponse, error) { log := logf.FromContext(ctx, "sign") + reporter := crutil.NewReporter(cr, c.recorder) - issuer, err := c.helper.GetGenericIssuer(cr.Spec.IssuerRef, cr.Namespace) - if k8sErrors.IsNotFound(err) { - apiutil.SetCertificateRequestCondition(cr, v1alpha1.CertificateRequestConditionReady, - v1alpha1.ConditionFalse, v1alpha1.CertificateRequestReasonPending, - fmt.Sprintf("Referenced %s not found", apiutil.IssuerKind(cr.Spec.IssuerRef))) - - c.recorder.Event(cr, corev1.EventTypeWarning, v1alpha1.CertificateRequestReasonPending, err.Error()) - - log.WithValues( - logf.RelatedResourceNameKey, cr.Spec.IssuerRef.Name, - logf.RelatedResourceKindKey, cr.Spec.IssuerRef.Kind, - ).Error(err, "failed to find referenced issuer") - - return nil, nil - } - if err != nil { - return nil, err - } - - resourceNamespace := c.issuerOptions.ResourceNamespace(issuer) + secretName := issuerObj.GetSpec().CA.SecretName + resourceNamespace := c.issuerOptions.ResourceNamespace(issuerObj) // get a copy of the CA certificate named on the Issuer - caCerts, caKey, err := kube.SecretTLSKeyPair(ctx, c.secretsLister, resourceNamespace, issuer.GetSpec().CA.SecretName) - if k8sErrors.IsNotFound(err) { - log := logf.WithRelatedResourceName(log, issuer.GetSpec().CA.SecretName, resourceNamespace, "Secret") - log.Info("error getting signing CA for Issuer") - - c.recorder.Event(cr, corev1.EventTypeWarning, v1alpha1.CertificateRequestReasonPending, err.Error()) - - return nil, nil - } + caCerts, caKey, err := kube.SecretTLSKeyPair(ctx, c.secretsLister, resourceNamespace, issuerObj.GetSpec().CA.SecretName) if err != nil { + log := logf.WithRelatedResourceName(log, issuerObj.GetSpec().CA.SecretName, 
resourceNamespace, "Secret") + + if k8sErrors.IsNotFound(err) { + message := fmt.Sprintf("Referenced secret %s/%s not found", resourceNamespace, secretName) + + reporter.Pending(err, "MissingSecret", message) + log.Error(err, message) + + return nil, nil + } + + if cmerrors.IsInvalidData(err) { + message := fmt.Sprintf("Failed to parse signing CA keypair from secret %s/%s", resourceNamespace, secretName) + + reporter.Pending(err, "ErrorParsingSecret", message) + log.Error(err, message) + return nil, nil + } + + // We are probably in a network error here so we should backoff and retry + message := fmt.Sprintf("Failed to get certificate key pair from secret %s/%s", resourceNamespace, secretName) + reporter.Pending(err, "ErrorGettingSecret", message) + log.Error(err, message) return nil, err } template, err := pki.GenerateTemplateFromCertificateRequest(cr) if err != nil { - apiutil.SetCertificateRequestCondition(cr, v1alpha1.CertificateRequestConditionReady, - v1alpha1.ConditionFalse, v1alpha1.CertificateRequestReasonFailed, - fmt.Sprintf("Failed to generate certificate template: %s", err)) - - // TODO: add mechanism here to handle invalid input errors which should result in a permanent failure - log.Error(err, "error generating certificate template") - c.recorder.Eventf(cr, corev1.EventTypeWarning, "ErrorSigning", "Error generating certificate template: %v", err) + message := "Error generating certificate template" + reporter.Failed(err, "ErrorSigning", message) + log.Error(err, message) return nil, nil } certPEM, caPEM, err := pki.SignCSRTemplate(caCerts, caKey, template) if err != nil { - log.Error(err, "error signing certificate") - c.recorder.Eventf(cr, corev1.EventTypeWarning, "ErrorSigning", "Error signing certificate: %v", err) + message := "Error signing certificate" + reporter.Failed(err, "ErrorSigning", message) + log.Error(err, message) return nil, err } 
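Review bot: The rewritten block introduces `secretName := issuerObj.GetSpec().CA.SecretName` but the two later reads, in the `kube.SecretTLSKeyPair` call and the `logf.WithRelatedResourceName` call, still spell out `issuerObj.GetSpec().CA.SecretName`; use the local in both so the three places cannot drift. That expression also dereferences `CA` without a nil check, so an issuer handed in with a non-CA spec would panic rather than fail the request; now that the issuer is supplied by the caller instead of resolved here, a guard such as `if issuerObj.GetSpec().CA == nil { reporter.Failed(nil, "ErrorSigning", "Issuer has no CA configuration"); return nil, nil }` before the secret lookup is cheap insurance. The `MissingSecret` and `ErrorParsingSecret` branches return `nil, nil`, so a missing or unparseable CA secret is reported once and not requeued; if that is intended, a one-line comment saying the request is re-synced when the Secret or Issuer changes would help the next reader. The event messages embed `resourceNamespace/secretName` and the raw error text on an event in the requester's namespace, which for a ClusterIssuer names a secret in the cluster resource namespace; probably acceptable, but worth confirming. The Sign function continues past the end of the hunk.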
diff --git a/pkg/controller/certificaterequests/ca/ca_test.go b/pkg/controller/certificaterequests/ca/ca_test.go index f667663c3..f0a7ac2a6 100644 --- a/pkg/controller/certificaterequests/ca/ca_test.go +++ b/pkg/controller/certificaterequests/ca/ca_test.go @@ -26,6 +26,7 @@ import ( "crypto/x509/pkix" "encoding/asn1" "encoding/pem" + "errors" "reflect" "testing" "time" @@ -33,6 +34,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + clientcorev1 "k8s.io/client-go/listers/core/v1" "github.com/jetstack/cert-manager/pkg/apis/certmanager" "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1" @@ -40,6 +42,7 @@ import ( "github.com/jetstack/cert-manager/pkg/issuer" "github.com/jetstack/cert-manager/pkg/util/pki" "github.com/jetstack/cert-manager/test/unit/gen" + testlisters "github.com/jetstack/cert-manager/test/unit/listers" ) func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey { @@ -166,8 +169,13 @@ func TestSign(t *testing.T) { rootRSANoKeySecret := rootRSACASecret.DeepCopy() rootRSANoKeySecret.Data[corev1.TLSPrivateKeyKey] = make([]byte, 0) + basicIssuer := gen.Issuer("ca-issuer", + gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}), + ) + tests := map[string]testT{ "sign a CertificateRequest": { + issuer: basicIssuer, certificateRequest: gen.CertificateRequest("test-cr", gen.SetCertificateRequestIsCA(true), gen.SetCertificateRequestCSR(caCSR), 
@@ -178,17 +186,14 @@ func TestSign(t *testing.T) { }), ), builder: &testpkg.Builder{ - KubeObjects: []runtime.Object{rootRSACASecret}, - CertManagerObjects: []runtime.Object{ - gen.Issuer("ca-issuer", - gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}), - ), - }, + KubeObjects: []runtime.Object{rootRSACASecret}, + CertManagerObjects: []runtime.Object{}, // we are not expecting key on response CheckFn: noPrivateKeyFieldsSetCheck(rsaPEMCert), }, }, "fail to find CA tls key pair": { + issuer: basicIssuer, certificateRequest: gen.CertificateRequest("test-cr", gen.SetCertificateRequestIsCA(true), gen.SetCertificateRequestCSR(caCSR), @@ -199,17 +204,16 @@ func TestSign(t *testing.T) { }), ), builder: &testpkg.Builder{ - KubeObjects: []runtime.Object{}, - CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer", - gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}), - )}, + KubeObjects: []runtime.Object{}, + CertManagerObjects: []runtime.Object{}, ExpectedEvents: []string{ - `Warning Pending secret "root-ca-secret" not found`, + `Normal MissingSecret Referenced secret default-unit-test-ns/root-ca-secret not found: secret "root-ca-secret" not found`, }, CheckFn: mustNoResponse, }, }, "given bad CSR should fail Certificate generation": { + issuer: basicIssuer, certificateRequest: gen.CertificateRequest("test-cr", gen.SetCertificateRequestIsCA(true), gen.SetCertificateRequestCSR([]byte("bad-csr")), @@ -220,10 +224,8 @@ func TestSign(t *testing.T) { }), ), builder: &testpkg.Builder{ - KubeObjects: []runtime.Object{rootRSACASecret}, - CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer", - gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}), - )}, + KubeObjects: []runtime.Object{rootRSACASecret}, + CertManagerObjects: []runtime.Object{}, ExpectedEvents: []string{ `Warning ErrorSigning Error generating certificate template: failed to decode csr from certificate request resource default-unit-test-ns/test-cr`, }, 
@@ -231,6 +233,7 @@ func TestSign(t *testing.T) { }, }, "no CA certificate should fail a signing": { + issuer: basicIssuer, certificateRequest: gen.CertificateRequest("test-cr", gen.SetCertificateRequestIsCA(true), gen.SetCertificateRequestCSR(caCSR), @@ -241,22 +244,17 @@ func TestSign(t *testing.T) { }), ), builder: &testpkg.Builder{ - KubeObjects: []runtime.Object{rootRSANoCASecret}, - CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer", - gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}), - )}, - CheckFn: func(builder *testpkg.Builder, args ...interface{}) { - err := args[1].(error) - badCAError := `error decoding cert PEM block` - if err == nil || err.Error() != badCAError { - t.Errorf("unexpected error, exp='%s' got='%+v'", badCAError, err) - } - mustNoResponse(builder, args...) + KubeObjects: []runtime.Object{rootRSANoCASecret}, + CertManagerObjects: []runtime.Object{}, + ExpectedEvents: []string{ + `Normal ErrorParsingSecret Failed to parse signing CA keypair from secret default-unit-test-ns/root-ca-secret: error decoding cert PEM block`, }, + CheckFn: mustNoResponse, }, - expectedErr: true, + expectedErr: false, }, "no CA key should fail a signing": { + issuer: basicIssuer, certificateRequest: gen.CertificateRequest("test-cr", gen.SetCertificateRequestIsCA(true), gen.SetCertificateRequestCSR(caCSR), 
@@ -267,18 +265,41 @@ func TestSign(t *testing.T) { }), ), builder: &testpkg.Builder{ - KubeObjects: []runtime.Object{rootRSANoKeySecret}, - CertManagerObjects: []runtime.Object{gen.Issuer("ca-issuer", - gen.SetIssuerCA(v1alpha1.CAIssuer{SecretName: "root-ca-secret"}), - )}, - CheckFn: func(builder *testpkg.Builder, args ...interface{}) { - err := args[1].(error) - noKeyError := "error decoding private key PEM block" - if err == nil || err.Error() != noKeyError { - builder.T.Errorf("unexpected error, exp='%s' got='%+v'", noKeyError, err) + KubeObjects: []runtime.Object{rootRSANoKeySecret}, + CertManagerObjects: []runtime.Object{}, + ExpectedEvents: []string{ + `Normal ErrorParsingSecret Failed to parse signing CA keypair from secret default-unit-test-ns/root-ca-secret: error decoding private key PEM block`, + }, + CheckFn: mustNoResponse, + }, + expectedErr: false, + }, + "a CertificateRequest that transiently fails a secret lookup should backoff error to retry": { + issuer: basicIssuer, + certificateRequest: gen.CertificateRequest("test-cr", + gen.SetCertificateRequestIsCA(true), + gen.SetCertificateRequestCSR(caCSR), + gen.SetCertificateRequestIssuer(v1alpha1.ObjectReference{ + Name: "ca-issuer", + Group: certmanager.GroupName, + Kind: "Issuer", + }), + ), + builder: &testpkg.Builder{ + KubeObjects: []runtime.Object{rootRSACASecret}, + CertManagerObjects: []runtime.Object{}, + CheckFn: mustNoResponse, + ExpectedEvents: []string{ + `Normal ErrorGettingSecret Failed to get certificate key pair from secret default-unit-test-ns/root-ca-secret: this is a network error`, + }, + }, + fakeLister: &testlisters.FakeSecretLister{ + SecretsFn: func(namespace string) clientcorev1.SecretNamespaceLister { + return &testlisters.FakeSecretNamespaceLister{ + GetFn: func(name string) (ret *corev1.Secret, err error) { + return nil, errors.New("this is a network error") + }, } - - mustNoResponse(builder, args...) }, }, expectedErr: true, 
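Review bot: The new "transiently fails a secret lookup" case sets `expectedErr: true` but, unlike the two parse-failure cases this hunk rewrites, no longer pins which error comes back, so any error-returning path would satisfy it. Adding a check to the case keeps the retry contract explicit, e.g. `CheckFn: func(builder *testpkg.Builder, args ...interface{}) { if err, _ := args[1].(error); err == nil || err.Error() != "this is a network error" { builder.T.Errorf("unexpected error: %v", err) }; mustNoResponse(builder, args...) }`. The switch of the two parse-failure cases to `expectedErr: false` with only an `ExpectedEvents` assertion is consistent with Sign now returning `nil, nil` there, though it no longer verifies that the request's Ready condition was updated.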
@@ -295,9 +316,11 @@ func TestSign(t *testing.T) { type testT struct { builder *testpkg.Builder certificateRequest *v1alpha1.CertificateRequest + issuer v1alpha1.GenericIssuer - checkFn func(*testpkg.Builder, ...interface{}) expectedErr bool + + fakeLister *testlisters.FakeSecretLister } func runTest(t *testing.T, test testT) { @@ -306,9 +329,14 @@ func runTest(t *testing.T, test testT) { defer test.builder.Stop() c := NewCA(test.builder.Context) + + if test.fakeLister != nil { + c.secretsLister = test.fakeLister + } + test.builder.Sync() - resp, err := c.Sign(context.Background(), test.certificateRequest) + resp, err := c.Sign(context.Background(), test.certificateRequest, test.issuer) if err != nil && !test.expectedErr { t.Errorf("expected to not get an error, but got: %v", err) } diff --git a/pkg/controller/certificaterequests/controller.go b/pkg/controller/certificaterequests/controller.go index 45fa613e3..803dbb772 100644 --- a/pkg/controller/certificaterequests/controller.go +++ b/pkg/controller/certificaterequests/controller.go @@ -41,7 +41,7 @@ const ( var keyFunc = controllerpkg.KeyFunc type Issuer interface { - Sign(ctx context.Context, cr *v1alpha1.CertificateRequest) (*issuer.IssueResponse, error) + Sign(context.Context, *v1alpha1.CertificateRequest, v1alpha1.GenericIssuer) (*issuer.IssueResponse, error) } type Controller struct { diff --git a/pkg/controller/certificaterequests/fake/fake.go b/pkg/controller/certificaterequests/fake/fake.go index 5c8a38789..c48f32ea0 100644 --- a/pkg/controller/certificaterequests/fake/fake.go +++ b/pkg/controller/certificaterequests/fake/fake.go 
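Review bot: The `Issuer` interface in controller.go now declares `Sign` with unnamed parameters while the previous form and every implementation in this commit name them; `Sign(ctx context.Context, cr *v1alpha1.CertificateRequest, issuerObj v1alpha1.GenericIssuer) (*issuer.IssueResponse, error)` reads better and tells implementers which issuer is meant. A doc comment stating the contract would help, along the lines of `// Sign attempts to issue a certificate for cr using issuerObj, which appears to be resolved by Controller.Sync before the call; implementations may return (nil, nil) to leave the request pending without a requeue.` In ca_test.go the `issuer` field of `testT` is passed straight through to `Sign`, which dereferences it, so a case that forgets to set it fails with a nil-pointer panic rather than a test message; a `if test.issuer == nil { t.Fatal("test case must set issuer") }` at the top of runTest makes that explicit. runTest continues past the end of the hunk.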
@@ -24,11 +24,11 @@ import ( ) type Issuer struct { - FakeSign func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) + FakeSign func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) } // Sign attempts to issue a certificate as described by the CertificateRequest // resource given -func (i *Issuer) Sign(ctx context.Context, cr *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { - return i.FakeSign(ctx, cr) +func (i *Issuer) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuerObj cmapi.GenericIssuer) (*issuer.IssueResponse, error) { + return i.FakeSign(ctx, cr, issuerObj) } diff --git a/pkg/controller/certificaterequests/sync.go b/pkg/controller/certificaterequests/sync.go index 644c52e9b..5b6acdcb5 100644 --- a/pkg/controller/certificaterequests/sync.go +++ b/pkg/controller/certificaterequests/sync.go @@ -130,7 +130,7 @@ func (c *Controller) Sync(ctx context.Context, cr *v1alpha1.CertificateRequest) dbg.Info("invoking sign function as existing certificate does not exist") // Attempt to call the Sign function on our issuer - resp, err := c.issuer.Sign(ctx, crCopy) + resp, err := c.issuer.Sign(ctx, crCopy, issuerObj) if err != nil { log.Error(err, "error issuing certificate request") return err diff --git a/pkg/controller/certificaterequests/sync_test.go b/pkg/controller/certificaterequests/sync_test.go index 60fce6c2c..eb00d9c6b 100644 --- a/pkg/controller/certificaterequests/sync_test.go +++ b/pkg/controller/certificaterequests/sync_test.go 
@@ -242,7 +242,7 @@ func TestSync(t *testing.T) { }), ), issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { // By not returning a response, we trigger a 'no-op' action which // causes the certificate request controller to update the status of // the CertificateRequest with !Ready - CertPending. @@ -267,7 +267,7 @@ func TestSync(t *testing.T) { "should update the status with a freshly signed certificate only when one doesn't exist and group ref=''": { certificateRequest: exampleCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return &issuer.IssueResponse{ Certificate: certPEM, }, nil @@ -295,7 +295,7 @@ func TestSync(t *testing.T) { "should update the status with a freshly signed certificate only when one doesn't exist and issuer group ref='certmanager.k8s.io'": { certificateRequest: exampleCRCorrectIssuerRefGroup, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return &issuer.IssueResponse{ Certificate: certPEM, }, nil @@ -324,7 +324,7 @@ func TestSync(t *testing.T) { "should exit sync nil if issuerRef group does not match certmanager.k8s.io": { certificateRequest: exampleCRWrongIssuerRefGroup, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, 
@@ -344,7 +344,7 @@ func TestSync(t *testing.T) { "should not update certificate request if certificate exists, even if out of date": { certificateRequest: exampleSignedExpiredCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, @@ -364,7 +364,7 @@ func TestSync(t *testing.T) { "fail if bytes contains no certificate but len > 0": { certificateRequest: exampleGarbageCertCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, @@ -390,7 +390,7 @@ func TestSync(t *testing.T) { "return nil if generic issuer doesn't exist, will sync when on ready": { certificateRequest: exampleCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, @@ -409,7 +409,7 @@ func TestSync(t *testing.T) { "exit nil if we cannot determine the issuer type (probably not meant for us)": { certificateRequest: exampleCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, 
@@ -436,7 +436,7 @@ func TestSync(t *testing.T) { "exit nil if the issuer type is not meant for us": { certificateRequest: exampleCRWrongIssuerRefType, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, @@ -456,7 +456,7 @@ func TestSync(t *testing.T) { "exit if we fail validation during a sync": { certificateRequest: exampleEmptyCSRCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, @@ -483,7 +483,7 @@ func TestSync(t *testing.T) { "should exit sync nil if condition is failed": { certificateRequest: exampleFailedCR, issuerImpl: &fake.Issuer{ - FakeSign: func(context.Context, *cmapi.CertificateRequest) (*issuer.IssueResponse, error) { + FakeSign: func(context.Context, *cmapi.CertificateRequest, cmapi.GenericIssuer) (*issuer.IssueResponse, error) { return nil, errors.New("unexpected sign call") }, }, diff --git a/pkg/controller/certificaterequests/util/BUILD.bazel b/pkg/controller/certificaterequests/util/BUILD.bazel new file mode 100644 index 000000000..f6bdb0ee2 --- /dev/null +++ b/pkg/controller/certificaterequests/util/BUILD.bazel 
@@ -0,0 +1,28 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = ["reporter.go"],
+ importpath = "github.com/jetstack/cert-manager/pkg/controller/certificaterequests/util",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//pkg/api/util:go_default_library",
+ "//pkg/apis/certmanager/v1alpha1:go_default_library",
+ "//vendor/k8s.io/api/core/v1:go_default_library",
+ "//vendor/k8s.io/client-go/tools/record:go_default_library",
+ ],
+)
+
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
diff --git a/pkg/controller/certificaterequests/util/reporter.go b/pkg/controller/certificaterequests/util/reporter.go
new file mode 100644
index 000000000..211634e6f
--- /dev/null
+++ b/pkg/controller/certificaterequests/util/reporter.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+ "fmt"
+
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/client-go/tools/record"
+
+ apiutil "github.com/jetstack/cert-manager/pkg/api/util"
+ "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+)
+
+type Reporter struct {
+ cr *v1alpha1.CertificateRequest
+ recorder record.EventRecorder
+}
+
+func NewReporter(cr *v1alpha1.CertificateRequest, recorder record.EventRecorder) *Reporter {
+ return &Reporter{
+ cr: cr,
+ recorder: recorder,
+ }
+}
+
+func (r *Reporter) Failed(err error, reason, message string) {
+ r.recorder.Event(r.cr, corev1.EventTypeWarning, reason, fmt.Sprintf("%s: %v", message, err))
+ apiutil.SetCertificateRequestCondition(r.cr, v1alpha1.CertificateRequestReasonFailed, v1alpha1.ConditionFalse, reason, message)
+}
+
+func (r *Reporter) Pending(err error, reason, message string) {
+ r.recorder.Event(r.cr, corev1.EventTypeNormal, reason, fmt.Sprintf("%s: %v", message, err))
+ apiutil.SetCertificateRequestCondition(r.cr, v1alpha1.CertificateRequestReasonPending, v1alpha1.ConditionFalse, reason, message)
+}
diff --git a/test/unit/listers/BUILD.bazel b/test/unit/listers/BUILD.bazel
new file mode 100644
index 000000000..488b63503
--- /dev/null
+++ b/test/unit/listers/BUILD.bazel
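Review bot: `Failed` and `Pending` pass `v1alpha1.CertificateRequestReasonFailed` / `v1alpha1.CertificateRequestReasonPending` as the condition type argument of `apiutil.SetCertificateRequestCondition` and the event reason as the condition reason, whereas the call sites removed from ca.go in this same commit passed `v1alpha1.CertificateRequestConditionReady` as the type and those Reason constants as the reason. Unless the helper's parameter order changed in this commit (not visible here), the Ready condition is never set to False and a condition named after the reason appears instead; the sync test "should exit sync nil if condition is failed" suggests the controller keys its terminal-failure handling off that condition, so failed requests would keep being retried. The intended calls look like `apiutil.SetCertificateRequestCondition(r.cr, v1alpha1.CertificateRequestConditionReady, v1alpha1.ConditionFalse, v1alpha1.CertificateRequestReasonFailed, message)` and the `CertificateRequestReasonPending` counterpart in `Pending`. `Pending` also emits Normal events although the ca.go callers use it for a missing or unparseable CA secret, which previously surfaced as Warning; operators filtering on Warning events will no longer see those. The exported type and its three functions have no doc comments; `// Reporter records an Event against a CertificateRequest and mirrors the outcome onto its Ready condition.` on the type, with a one-liner each on Failed and Pending, would cover it.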
@@ -0,0 +1,27 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+ name = "go_default_library",
+ srcs = ["secret.go"],
+ importpath = "github.com/jetstack/cert-manager/test/unit/listers",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//vendor/k8s.io/api/core/v1:go_default_library",
+ "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
+ "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
+ ],
+)
+
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
diff --git a/test/unit/listers/secret.go b/test/unit/listers/secret.go
new file mode 100644
index 000000000..069d7a449
--- /dev/null
+++ b/test/unit/listers/secret.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lister
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/labels"
+ clientcorev1 "k8s.io/client-go/listers/core/v1"
+)
+
+var _ clientcorev1.SecretLister = &FakeSecretLister{}
+var _ clientcorev1.SecretNamespaceLister = &FakeSecretNamespaceLister{}
+
+type FakeSecretLister struct {
+ ListFn func(selector labels.Selector) (ret []*corev1.Secret, err error)
+ SecretsFn func(namespace string) clientcorev1.SecretNamespaceLister
+}
+
+type FakeSecretNamespaceLister struct {
+ ListFn func(selector labels.Selector) (ret []*corev1.Secret, err error)
+ GetFn func(name string) (ret *corev1.Secret, err error)
+}
+
+func NewFakeSecretLister() *FakeSecretLister {
+ return &FakeSecretLister{
+ ListFn: func(selector labels.Selector) (ret []*corev1.Secret, err error) {
+ return nil, nil
+ },
+
+ SecretsFn: func(namespace string) clientcorev1.SecretNamespaceLister {
+ return nil
+ },
+ }
+}
+
+func NewFakeSecretNamespaceLister() *FakeSecretNamespaceLister {
+ return &FakeSecretNamespaceLister{
+ ListFn: func(selector labels.Selector) (ret []*corev1.Secret, err error) {
+ return nil, nil
+ },
+ GetFn: func(name string) (ret *corev1.Secret, err error) {
+ return nil, nil
+ },
+ }
+}
+
+func (f *FakeSecretLister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
+ return f.ListFn(selector)
+}
+
+func (f *FakeSecretLister) Secrets(namespace string) clientcorev1.SecretNamespaceLister {
+ return f.SecretsFn(namespace)
+}
+
+func (f *FakeSecretNamespaceLister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
+ return f.ListFn(selector)
+}
+
+func (f *FakeSecretNamespaceLister) Get(name string) (*corev1.Secret, error) {
+ return f.GetFn(name)
+}
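Review bot: `NewFakeSecretLister` wires `SecretsFn` to return a nil `SecretNamespaceLister`, so code under test that calls `.Secrets(ns).Get(name)` on the default fake panics with a nil-pointer dereference instead of getting a controlled result; returning `NewFakeSecretNamespaceLister()` there gives a usable zero-behaviour default, and the same applies to a zero-value `FakeSecretLister` whose function fields are nil. The file declares `package lister` while its directory and the `testlisters` alias in ca_test.go are `listers`; naming the package after the directory avoids an alias at every import site. The exported types and constructors carry no doc comments; `// FakeSecretLister is a SecretLister whose List and Secrets behaviour is supplied by the ListFn and SecretsFn fields.` on the type, with a matching line on FakeSecretNamespaceLister, would be enough. `Get` on FakeSecretNamespaceLister also drops the named results that every other method here keeps, which is harmless but inconsistent.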