Better wording and wrap long comment lines.
Co-authored-by: Maël Valais <mael@vls.dev> Signed-off-by: irbekrm <irbekrm@gmail.com>
This commit is contained in:
parent
245d0f5c27
commit
a89133b637
@ -194,15 +194,17 @@ func currentSecretValidForSpec(input Input) (string, string, bool) {
|
||||
return "", "", false
|
||||
}
|
||||
|
||||
// CurrentCertificateNearingExpiry returns a policy function that can be used to check whether
|
||||
// an x509 cert currently issued for a Certificate should be renewed
|
||||
// CurrentCertificateNearingExpiry returns a policy function that can be used to
|
||||
// check whether an X.509 cert currently issued for a Certificate should be
|
||||
// renewed.
|
||||
func CurrentCertificateNearingExpiry(c clock.Clock, defaultRenewBeforeExpiryDuration time.Duration) Func {
|
||||
|
||||
return func(input Input) (string, string, bool) {
|
||||
|
||||
// Determine if certificate is nearing expiry solely by looking at the actual cert if it exists
|
||||
// We assume that at this point we have called policy functions that check that
|
||||
// input.Secret and input.Secret.Data exists (SecretDoesNotExist and SecretHasData)
|
||||
// Determine if the certificate is nearing expiry solely by looking at
|
||||
// the actual cert if it exists. We assume that at this point we have
|
||||
// called policy functions that check that input.Secret and
|
||||
// input.Secret.Data exists (SecretDoesNotExist and SecretHasData).
|
||||
x509cert, err := pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])
|
||||
if err != nil {
|
||||
// This case should never happen as it should always be caught by the
|
||||
|
||||
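Review bot: The rewritten comment only records the assumption that SecretDoesNotExist and SecretHasData ran earlier in the chain, but the `pki.DecodeX509CertificateBytes(input.Secret.Data[corev1.TLSCertKey])` call beneath it dereferences `input.Secret` unguarded, so composing this policy without those predecessors would panic the controller instead of producing a reason. A one-line guard makes the invariant explicit and cheap, assuming `input.Secret` is a pointer as the comment implies: `if input.Secret == nil { return "", "", false }` (declining here rather than reporting is deliberate, since a missing secret is SecretDoesNotExist's finding, not an expiry one). While touching the wording, "input.Secret and input.Secret.Data exists" should read "exist". The body of `CurrentCertificateNearingExpiry` continues past the hunk, so the decode-error return and the expiry computation are not visible here.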
@ -124,8 +124,9 @@ func TestTriggerController_RenewNearExpiry(t *testing.T) {
|
||||
defaultRenewBefore := time.Hour * 24
|
||||
|
||||
fakeClock := &fakeclock.FakeClock{}
|
||||
// only use the 'current certificate nearing expiry' policy chain during the test
|
||||
// as we want to test the very specific cases of triggering/not triggering depending on whether a renewal is required
|
||||
// Only use the 'current certificate nearing expiry' policy chain during the
|
||||
// test as we want to test the very specific cases of triggering/not
|
||||
// triggering depending on whether a renewal is required.
|
||||
policyChain := policies.Chain{policies.CurrentCertificateNearingExpiry(fakeClock, defaultRenewBefore)}
|
||||
// Build, instantiate and run the trigger controller.
|
||||
kubeClient, factory, cmCl, cmFactory := framework.NewClients(t, config)
|
||||
@ -157,15 +158,15 @@ func TestTriggerController_RenewNearExpiry(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
// Create a private key for x509 cert
|
||||
// Create a private key for X.509 cert
|
||||
sk, err := utilpki.GenerateRSAPrivateKey(2048)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
skBytes := utilpki.EncodePKCS1PrivateKey(sk)
|
||||
// Create an x509 cert
|
||||
// Create an X.509 cert
|
||||
x509CertBytes := selfSignCertificateWithNotBeforeAfter(t, skBytes, cert, notBefore.Time, notAfter.Time)
|
||||
// Create a Secret with the x509 cert
|
||||
// Create a Secret with the X.509 cert
|
||||
_, err = kubeClient.CoreV1().Secrets(namespace).Create(ctx, &corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: secretName,
|
||||
@ -200,21 +201,24 @@ func TestTriggerController_RenewNearExpiry(t *testing.T) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// 1. Test that Certificate's Issuing condition is not set to True when the x509 cert is not approaching expiry
|
||||
// 1. Test that the Certificate's Issuing condition is not set to True when the
|
||||
// X.509 cert is not approaching expiry.
|
||||
// Wait for 2s, polling every 200ms to ensure that the controller does not set
|
||||
// the condition.
|
||||
t.Log("Ensuring Certificate does not have Issuing condition for 2s...")
|
||||
ensureCertificateDoesNotHaveIssuingCondition(ctx, t, cmCl, namespace, certName)
|
||||
|
||||
// 2. Test that a Certificate does get the Issuing status condition set to True when the x509 cert is nearing expiry
|
||||
// 2. Test that a Certificate does get the Issuing status condition set to
|
||||
// True when the X.509 cert is nearing expiry.
|
||||
t.Log("Advancing the clock forward to renewal time")
|
||||
// advance the clock to a millisecond after renewal time
|
||||
// Advance the clock to a millisecond after renewal time.
|
||||
// fakeclock implementation uses .After when checking whether to trigger timers.
|
||||
// renewalTime = notAfter - renewBefore
|
||||
renewalTime := notAfter.Add(renewBefore.Duration * -1)
|
||||
fakeClock.SetTime(renewalTime.Add(time.Millisecond * 2))
|
||||
|
||||
// Certificate's status.RenewalTime does not determine renewal, but we need to update some field to trigger a reconcile
|
||||
// Certificate's status.RenewalTime does not determine renewal, but we need to
|
||||
// update some field to trigger a reconcile.
|
||||
someRenewalTime := metav1.NewTime(now)
|
||||
cert.Status.RenewalTime = &someRenewalTime
|
||||
cert, err = cmCl.CertmanagerV1().Certificates(namespace).UpdateStatus(ctx, cert, metav1.UpdateOptions{})
|
||||
|
||||
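Review bot: In the last hunk the revised comment `// Advance the clock to a millisecond after renewal time.` disagrees with the code two lines down, which does `fakeClock.SetTime(renewalTime.Add(time.Millisecond * 2))`, i.e. two milliseconds; since this commit is specifically rewording comments, make it match and merge the reason from the following line: `// Advance the clock to 2ms past renewal time: fakeclock uses .After when` / `// deciding whether to fire timers, so the clock must be strictly later.` The `UpdateStatus` result on the hunk's last line is assigned to `err`, but its check falls outside the hunk so I cannot confirm the error is handled. `TestTriggerController_RenewNearExpiry` begins and ends outside these hunks.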