From dd4f5f4e39740c97787843f3efb5aca8b53d9828 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 29 Apr 2024 19:51:17 +0200
Subject: [PATCH] fix unparam linter

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 .golangci.yaml | 1 -
 .../certificates/policies/gatherer_test.go | 66 +++----
 .../acmechallenges/scheduler/scheduler.go | 26 +-
 .../scheduler/scheduler_test.go | 9 +-
 pkg/controller/acmeorders/sync.go | 8 +-
 pkg/controller/certificate-shim/sync_test.go | 184 +++++++++---------
 .../certificaterequests/vault/vault_test.go | 5 +-
 .../certificaterequests/venafi/venafi.go | 5 +-
 .../certificaterequests/venafi/venafi_test.go | 16 +-
 .../issuing/internal/keystore_test.go | 32 ++-
 .../certificates/issuing/internal/secret.go | 4 +-
 .../issuing/internal/secret_test.go | 2 +-
 .../certificates/metrics/controller.go | 6 +-
 .../requestmanager_controller_test.go | 14 +-
 .../venafi/venafi.go | 15 +-
 .../venafi/venafi_test.go | 16 +-
 pkg/issuer/acme/dns/dns_test.go | 54 ++---
 pkg/issuer/acme/dns/route53/route53.go | 9 +-
 pkg/issuer/acme/dns/route53/route53_test.go | 7 +-
 pkg/issuer/venafi/client/fake/venafi.go | 14 +-
 pkg/issuer/venafi/client/request.go | 10 +-
 pkg/issuer/venafi/client/request_test.go | 8 +-
 pkg/issuer/venafi/client/venaficlient.go | 4 +-
 pkg/metrics/certificates.go | 20 +-
 pkg/metrics/certificates_test.go | 9 +-
 pkg/util/pki/certificatetemplate_test.go | 2 +-
 pkg/util/pki/csr_test.go | 2 +-
 pkg/util/pki/kube_test.go | 2 +-
 pkg/util/pki/match.go | 4 +-
 pkg/util/util_test.go | 6 +-
 test/e2e/framework/addon/vault/vault.go | 18 +-
 .../certificaterequests/approval/approval.go | 48 +++--
 .../certificates/vault/vault_approle.go | 12 +-
 .../vault/approle.go | 12 +-
 .../vault/kubernetes.go | 6 +-
 .../certificates/trigger_controller_test.go | 8 +-
 36 files changed, 312 insertions(+), 352 deletions(-)

diff --git a/.golangci.yaml b/.golangci.yaml
index d2e1d06ce..6c7842895 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml @@ -4,7 +4,6 @@ issues: - dogsled - errcheck - contextcheck - - unparam - promlinter - errname - tenv diff --git a/internal/controller/certificates/policies/gatherer_test.go b/internal/controller/certificates/policies/gatherer_test.go index e02c5bb72..021db02f0 100644 --- a/internal/controller/certificates/policies/gatherer_test.go +++ b/internal/controller/certificates/policies/gatherer_test.go @@ -38,6 +38,13 @@ import ( ) func TestDataForCertificate(t *testing.T) { + cr := func(crName, ownerCertUID string, annot map[string]string) *cmapi.CertificateRequest { + return gen.CertificateRequest(crName, gen.SetCertificateRequestNamespace("ns-1"), + gen.AddCertificateRequestOwnerReferences(gen.CertificateRef("some-cert-name-that-does-not-matter", ownerCertUID)), + gen.AddCertificateRequestAnnotations(annot), + ) + } + tests := map[string]struct { builder *testpkg.Builder givenCert *cmapi.Certificate @@ -68,8 +75,8 @@ func TestDataForCertificate(t *testing.T) { gen.SetCertificateRevision(1), ), builder: &testpkg.Builder{CertManagerObjects: []runtime.Object{ - cr("cr-unknown-rev1", "ns-1", "unknown-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-unknown-rev2", "ns-1", "unknown-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-unknown-rev1", "unknown-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-unknown-rev2", "unknown-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), }}, wantCurCR: nil, wantNextCR: nil, 
@@ -79,17 +86,17 @@ func TestDataForCertificate(t *testing.T) { gen.SetCertificateUID("cert-1-uid"), ), builder: &testpkg.Builder{CertManagerObjects: []runtime.Object{ - cr("cr-1-rev1", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-1-rev2", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-1-rev1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-1-rev2", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), // Edge cases. - cr("cr-1-norev", "ns-1", "cert-1-uid", nil), - cr("cr-1-empty", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": ""}), - cr("cr-unrelated-rev1", "ns-1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-unrelated-rev2", "ns-1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-1-norev", "cert-1-uid", nil), + cr("cr-1-empty", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": ""}), + cr("cr-unrelated-rev1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-unrelated-rev2", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), }}, wantCurCR: nil, - wantNextCR: cr("cr-1-rev1", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + wantNextCR: cr("cr-1-rev1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), }, "when cert revision=1, should return the current CR with revision=1 and the next CR with revision=2": { givenCert: gen.Certificate("cert-1", gen.SetCertificateNamespace("ns-1"), 
@@ -97,20 +104,20 @@ func TestDataForCertificate(t *testing.T) { gen.SetCertificateRevision(1), ), builder: &testpkg.Builder{CertManagerObjects: []runtime.Object{ - cr("cr-1-rev1", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-1-rev2", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), - cr("cr-1-rev3", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "3"}), + cr("cr-1-rev1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-1-rev2", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-1-rev3", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "3"}), // Edge cases. - cr("cr-1-no-revision", "ns-1", "cert-1-uid", nil), - cr("cr-1-empty", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": ""}), - cr("cr-2-rev1", "ns-1", "cert-2-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-unrelated-rev1", "ns-1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-unrelated-rev2", "ns-1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), - cr("cr-unrelated-rev3", "ns-1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "3"}), + cr("cr-1-no-revision", "cert-1-uid", nil), + cr("cr-1-empty", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": ""}), + cr("cr-2-rev1", "cert-2-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-unrelated-rev1", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-unrelated-rev2", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-unrelated-rev3", "cert-unrelated-uid", map[string]string{"cert-manager.io/certificate-revision": "3"}), }}, - 
wantCurCR: cr("cr-1-rev1", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - wantNextCR: cr("cr-1-rev2", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + wantCurCR: cr("cr-1-rev1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + wantNextCR: cr("cr-1-rev2", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), }, "should error when duplicate current CRs are found": { givenCert: gen.Certificate("cert-1", gen.SetCertificateNamespace("ns-1"), @@ -118,8 +125,8 @@ func TestDataForCertificate(t *testing.T) { gen.SetCertificateRevision(1), ), builder: &testpkg.Builder{CertManagerObjects: []runtime.Object{ - cr("cr-1-rev1a", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), - cr("cr-1-rev1b", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-1-rev1a", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), + cr("cr-1-rev1b", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "1"}), }}, wantErr: `multiple CertificateRequests were found for the 'current' revision 1, issuance is skipped until there are no more duplicates`, }, 
@@ -129,8 +136,8 @@ func TestDataForCertificate(t *testing.T) { gen.SetCertificateRevision(1), ), builder: &testpkg.Builder{CertManagerObjects: []runtime.Object{ - cr("cr-1-rev2a", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), - cr("cr-1-rev2b", "ns-1", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-1-rev2a", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), + cr("cr-1-rev2b", "cert-1-uid", map[string]string{"cert-manager.io/certificate-revision": "2"}), }}, wantErr: `multiple CertificateRequests were found for the 'next' revision 2, issuance is skipped until there are no more duplicates`, }, @@ -139,7 +146,7 @@ func TestDataForCertificate(t *testing.T) { t.Run(name, func(t *testing.T) { fakeClockStart, _ := time.Parse(time.RFC3339, "2021-01-02T15:04:05Z07:00") log := logtesting.NewTestLogger(t) - turnOnKlogIfVerboseTest(t) + turnOnKlogIfVerboseTest() test.builder.T = t test.builder.Clock = fakeclock.NewFakeClock(fakeClockStart) @@ -224,7 +231,7 @@ func TestDataForCertificate(t *testing.T) { // The logs are helpful for debugging client-go-related issues (informer // not starting...). This function passes the flag -v=4 to klog when the // tests are being run with -v. Otherwise, the default klog level is used. -func turnOnKlogIfVerboseTest(t *testing.T) { +func turnOnKlogIfVerboseTest() { hasVerboseFlag := flag.Lookup("test.v").Value.String() == "true" if !hasVerboseFlag { return @@ -234,10 +241,3 @@ func turnOnKlogIfVerboseTest(t *testing.T) { klog.InitFlags(klogFlags) _ = klogFlags.Set("v", "4") } - -func cr(crName, crNamespace, ownerCertUID string, annot map[string]string) *cmapi.CertificateRequest { - return gen.CertificateRequest(crName, gen.SetCertificateRequestNamespace(crNamespace), - gen.AddCertificateRequestOwnerReferences(gen.CertificateRef("some-cert-name-that-does-not-matter", ownerCertUID)), - gen.AddCertificateRequestAnnotations(annot), - ) -} 
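Review bot: With `t` dropped from `turnOnKlogIfVerboseTest`, the discarded error in `_ = klogFlags.Set("v", "4")` has no remaining way to surface, and the bare `_ =` now carries no justification for a reader. Since `klogFlags` is the flag set that `klog.InitFlags` populates on the line just above, the only way `Set` could fail is if the "v" flag were absent, so a comment is sufficient: `_ = klogFlags.Set("v", "4") // "v" is registered by klog.InitFlags above; Set cannot fail here`. The function's signature and the rest of its body sit in the preceding hunk. Separately, the `cr` closure added at the top of `TestDataForCertificate` hard-codes the namespace `ns-1` that every case's Certificate uses via `gen.SetCertificateNamespace("ns-1")`; a one-line comment such as `// all Certificates in these cases live in ns-1, so the CRs are created there too` would record why the namespace parameter was removed.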
diff --git a/pkg/controller/acmechallenges/scheduler/scheduler.go b/pkg/controller/acmechallenges/scheduler/scheduler.go index 945098444..73499bfcc 100644 --- a/pkg/controller/acmechallenges/scheduler/scheduler.go +++ b/pkg/controller/acmechallenges/scheduler/scheduler.go @@ -55,17 +55,14 @@ func (s *Scheduler) ScheduleN(n int) ([]*cmacme.Challenge, error) { return nil, err } - return s.scheduleN(n, allChallenges) + return s.scheduleN(n, allChallenges), nil } -func (s *Scheduler) scheduleN(n int, allChallenges []*cmacme.Challenge) ([]*cmacme.Challenge, error) { +func (s *Scheduler) scheduleN(n int, allChallenges []*cmacme.Challenge) []*cmacme.Challenge { // Determine the list of challenges that could feasibly be scheduled on // this pass of the scheduler. // This function returns a list of candidates sorted by creation timestamp. - candidates, inProgressChallengeCount, err := s.determineChallengeCandidates(allChallenges) - if err != nil { - return nil, err - } + candidates, inProgressChallengeCount := s.determineChallengeCandidates(allChallenges) numberToSelect := n remainingNumberAllowedChallenges := s.maxConcurrentChallenges - inProgressChallengeCount 
@@ -76,23 +73,18 @@ func (s *Scheduler) scheduleN(n int, allChallenges []*cmacme.Challenge) ([]*cmac numberToSelect = remainingNumberAllowedChallenges } - candidates, err = s.selectChallengesToSchedule(candidates, numberToSelect) - if err != nil { - return nil, err - } - - return candidates, nil + return s.selectChallengesToSchedule(candidates, numberToSelect) } // selectChallengesToSchedule will apply some sorting heuristic to the allowed // challenge candidates and return a maximum of N challenges that should be // scheduled for processing. -func (s *Scheduler) selectChallengesToSchedule(candidates []*cmacme.Challenge, n int) ([]*cmacme.Challenge, error) { +func (s *Scheduler) selectChallengesToSchedule(candidates []*cmacme.Challenge, n int) []*cmacme.Challenge { // Trim the candidates returned to 'n' if len(candidates) > n { candidates = candidates[:n] } - return candidates, nil + return candidates } // determineChallengeCandidates will determine which, if any, challenges can @@ -100,7 +92,7 @@ func (s *Scheduler) selectChallengesToSchedule(candidates []*cmacme.Challenge, n // processing. // The returned challenges will be sorted in ascending order based on timestamp // (i.e. the oldest challenge will be element zero). -func (s *Scheduler) determineChallengeCandidates(allChallenges []*cmacme.Challenge) ([]*cmacme.Challenge, int, error) { +func (s *Scheduler) determineChallengeCandidates(allChallenges []*cmacme.Challenge) ([]*cmacme.Challenge, int) { // consider the entire set of challenges for 'in progress', in case a challenge // has processing=true whilst still being in a 'final' state inProgress := processingChallenges(allChallenges) 
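Review bot: `selectChallengesToSchedule` still panics on a negative `n`: `len(candidates) > n` is true for any negative value and `candidates[:n]` then fails the bounds check at runtime, and with the error return removed in this hunk there is no longer a non-panicking way to report a bad count. A guard at the top of the function, `if n < 0 { n = 0 }`, keeps the new signature and makes the trim total; the doc comment could then say `// A negative n is treated as zero.`. As far as the visible lines show, `numberToSelect` in `scheduleN` (whose body starts in the previous hunk) can only go negative through the caller-supplied `n`, since the in-progress limit is handled before it is computed.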
@@ -111,7 +103,7 @@ func (s *Scheduler) determineChallengeCandidates(allChallenges []*cmacme.Challen // hit the maximum number of challenges. if inProgressChallengeCount >= s.maxConcurrentChallenges { s.log.V(logs.DebugLevel).Info("hit maximum concurrent challenge limit. refusing to schedule more challenges.", "in_progress", len(inProgress), "max_concurrent", s.maxConcurrentChallenges) - return []*cmacme.Challenge{}, inProgressChallengeCount, nil + return []*cmacme.Challenge{}, inProgressChallengeCount } // Calculate incomplete challenges @@ -139,7 +131,7 @@ func (s *Scheduler) determineChallengeCandidates(allChallenges []*cmacme.Challen // Finally, sorted the challenges by timestamp to ensure a stable output sortChallengesByTimestamp(candidates) - return candidates, inProgressChallengeCount, nil + return candidates, inProgressChallengeCount } func sortChallengesByTimestamp(chs []*cmacme.Challenge) { diff --git a/pkg/controller/acmechallenges/scheduler/scheduler_test.go b/pkg/controller/acmechallenges/scheduler/scheduler_test.go index b24ea13f7..ce7b6bda3 100644 --- a/pkg/controller/acmechallenges/scheduler/scheduler_test.go +++ b/pkg/controller/acmechallenges/scheduler/scheduler_test.go @@ -82,8 +82,7 @@ func BenchmarkScheduleAscending(b *testing.B) { s := &Scheduler{} b.ResetTimer() for n := 0; n < b.N; n++ { - _, err := s.scheduleN(30, chs) - require.NoError(b, err) + _ = s.scheduleN(30, chs) } }) } @@ -97,8 +96,7 @@ func BenchmarkScheduleRandom(b *testing.B) { s := &Scheduler{} b.ResetTimer() for n := 0; n < b.N; n++ { - _, err := s.scheduleN(30, chs) - require.NoError(b, err) + _ = s.scheduleN(30, chs) } }) } @@ -112,8 +110,7 @@ func BenchmarkScheduleDuplicates(b *testing.B) { s := &Scheduler{} b.ResetTimer() for n := 0; n < b.N; n++ { - _, err := s.scheduleN(30, chs) - require.NoError(b, err) + _ = s.scheduleN(30, chs) } }) } diff --git a/pkg/controller/acmeorders/sync.go b/pkg/controller/acmeorders/sync.go index 46dd2f031..8fb17683e 100644 
--- a/pkg/controller/acmeorders/sync.go +++ b/pkg/controller/acmeorders/sync.go @@ -202,7 +202,7 @@ func (c *controller) Sync(ctx context.Context, o *cmacme.Order) (err error) { // correctly. Do not change this unless there is a real need for // it. log.V(logf.DebugLevel).Info("Update Order status as at least one Challenge has failed") - _, err := c.updateOrderStatusFromACMEOrder(ctx, cl, o, acmeOrder) + _, err := c.updateOrderStatusFromACMEOrder(o, acmeOrder) if acmeErr, ok := err.(*acmeapi.Error); ok { if acmeErr.StatusCode >= 400 && acmeErr.StatusCode < 500 { log.Error(err, "failed to update Order status due to a 4xx error, marking Order as failed") @@ -242,7 +242,7 @@ func (c *controller) Sync(ctx context.Context, o *cmacme.Order) (err error) { case !anyChallengesFailed(challenges) && allChallengesFinal(challenges): log.V(logf.DebugLevel).Info("All challenges are in a final state, updating order state") - _, err := c.updateOrderStatusFromACMEOrder(ctx, cl, o, acmeOrder) + _, err := c.updateOrderStatusFromACMEOrder(o, acmeOrder) if acmeErr, ok := err.(*acmeapi.Error); ok { if acmeErr.StatusCode >= 400 && acmeErr.StatusCode < 500 { log.Error(err, "failed to update Order status due to a 4xx error, marking Order as failed") @@ -312,10 +312,10 @@ func (c *controller) updateOrderStatus(ctx context.Context, cl acmecl.Interface, return nil, err } - return c.updateOrderStatusFromACMEOrder(ctx, cl, o, acmeOrder) + return c.updateOrderStatusFromACMEOrder(o, acmeOrder) } -func (c *controller) updateOrderStatusFromACMEOrder(ctx context.Context, cl acmecl.Interface, o *cmacme.Order, acmeOrder *acmeapi.Order) (*acmeapi.Order, error) { +func (c *controller) updateOrderStatusFromACMEOrder(o *cmacme.Order, acmeOrder *acmeapi.Order) (*acmeapi.Order, error) { // Workaround bug in golang.org/x/crypto/acme implementation whereby the // order's URI field will be empty when calling GetOrder due to the // 'Location' header not being set on the response from the ACME server. 
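Review bot: Both call sites in `Sync` (the first two hunks of this file) inspect the result of `updateOrderStatusFromACMEOrder` with a bare type assertion, `err.(*acmeapi.Error)`, which only matches when the ACME error is returned unwrapped; the function's body continues outside the last hunk, so if it ever wraps with `%w` the 4xx "mark Order as failed" branch is silently skipped and the Order stays pending. `var acmeErr *acmeapi.Error` followed by `if errors.As(err, &acmeErr) {` preserves today's behaviour for bare errors and also handles wrapped ones. Dropping `ctx` and `cl` from the signature reads as the function making no ACME calls of its own; a one-line doc comment stating that it only maps `acmeOrder` onto `o.Status` would make that contract explicit for the next caller.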
diff --git a/pkg/controller/certificate-shim/sync_test.go b/pkg/controller/certificate-shim/sync_test.go index ca71eea32..e3e0d6378 100644 --- a/pkg/controller/certificate-shim/sync_test.go +++ b/pkg/controller/certificate-shim/sync_test.go @@ -35,7 +35,6 @@ import ( cmacme "github.com/cert-manager/cert-manager/pkg/apis/acme/v1" cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" - "github.com/cert-manager/cert-manager/pkg/controller" controllerpkg "github.com/cert-manager/cert-manager/pkg/controller" testpkg "github.com/cert-manager/cert-manager/pkg/controller/test" "github.com/cert-manager/cert-manager/test/unit/gen" @@ -129,7 +128,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -179,7 +178,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -230,7 +229,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, 
@@ -281,7 +280,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -336,7 +335,7 @@ func TestSync(t *testing.T) { cmacme.ACMECertificateHTTP01IngressNameOverride: "ingress-name", cmapi.IssueTemporaryCertificateAnnotation: "true", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -389,7 +388,7 @@ func TestSync(t *testing.T) { cmacme.ACMECertificateHTTP01IngressNameOverride: "ingress-name", cmapi.IssueTemporaryCertificateAnnotation: "true", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -431,7 +430,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -474,7 +473,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, 
@@ -518,7 +517,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), Annotations: map[string]string{ cmacme.ACMECertificateHTTP01IngressClassOverride: "cert-ing", }, @@ -564,7 +563,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -664,7 +663,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -706,7 +705,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -751,7 +750,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, 
@@ -800,7 +799,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -849,7 +848,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -905,7 +904,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -945,7 +944,7 @@ func TestSync(t *testing.T) { CertificateLister: []runtime.Object{ buildCertificate("existing-crt", gen.DefaultTestNamespace, - buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + buildIngressOwnerReferences("ingress-name"), ), }, DefaultIssuerKind: "Issuer", @@ -955,7 +954,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -1003,7 +1002,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "a-different-value": "should be removed", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1025,7 +1024,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1068,7 +1067,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1088,7 +1087,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1133,7 +1132,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -1156,7 +1155,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1204,7 +1203,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1227,7 +1226,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1276,7 +1275,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1299,7 +1298,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -1350,7 +1349,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1373,7 +1372,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "cert-secret-name", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1463,7 +1462,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("not-ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("not-ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1496,7 +1495,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1515,7 +1514,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -1557,7 +1556,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1578,7 +1577,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1692,7 +1691,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -1747,7 +1746,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildIngressOwnerReferences("ingress-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("ingress-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com"}, @@ -1824,7 +1823,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -1886,7 +1885,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -1950,7 +1949,7 @@ func TestSync(t *testing.T) { cmacme.ACMECertificateHTTP01IngressNameOverride: "gateway-name", cmapi.IssueTemporaryCertificateAnnotation: "true", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2013,7 +2012,7 @@ func TestSync(t *testing.T) { cmacme.ACMECertificateHTTP01IngressNameOverride: "gateway-name", cmapi.IssueTemporaryCertificateAnnotation: "true", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2065,7 +2064,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2118,7 +2117,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -2172,7 +2171,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), Annotations: map[string]string{ cmacme.ACMECertificateHTTP01IngressClassOverride: "cert-ing", }, @@ -2229,7 +2228,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2281,7 +2280,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2386,7 +2385,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2449,7 +2448,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"www.example.com"}, 
@@ -2515,7 +2514,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2565,7 +2564,7 @@ func TestSync(t *testing.T) { CertificateLister: []runtime.Object{ buildCertificate("existing-crt", gen.DefaultTestNamespace, - buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + buildGatewayOwnerReferences("gateway-name"), ), }, DefaultIssuerKind: "Issuer", @@ -2575,7 +2574,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2633,7 +2632,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "a-different-value": "should be removed", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2655,7 +2654,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -2759,7 +2758,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildIngressOwnerReferences("not-gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildIngressOwnerReferences("not-gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2792,7 +2791,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2811,7 +2810,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "existing-crt", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2863,7 +2862,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, @@ -2884,7 +2883,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -2969,7 +2968,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com", "www.example.com", "foo.example.com"}, @@ -3041,7 +3040,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "foo-example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"foo.example.com"}, @@ -3058,7 +3057,7 @@ func TestSync(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "bar-example-com-tls", Namespace: gen.DefaultTestNamespace, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"bar.example.com"}, @@ -3155,7 +3154,7 @@ func TestSync(t *testing.T) { Labels: map[string]string{ "my-test-label": "should be copied", }, - OwnerReferences: buildGatewayOwnerReferences("gateway-name", gen.DefaultTestNamespace), + OwnerReferences: buildGatewayOwnerReferences("gateway-name"), }, Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, 
@@ -3226,7 +3225,7 @@ func TestSync(t *testing.T) { } b.Init() defer b.Stop() - sync := SyncFnFor(b.Recorder, logr.Discard(), b.CMClient, b.SharedInformerFactory.Certmanager().V1().Certificates().Lister(), controller.IngressShimOptions{ + sync := SyncFnFor(b.Recorder, logr.Discard(), b.CMClient, b.SharedInformerFactory.Certmanager().V1().Certificates().Lister(), controllerpkg.IngressShimOptions{ DefaultIssuerName: test.DefaultIssuerName, DefaultIssuerKind: test.DefaultIssuerKind, DefaultIssuerGroup: test.DefaultIssuerGroup, @@ -3381,20 +3380,21 @@ func buildGateway(name, namespace string, annotations map[string]string) *gwapi. Name: name, Namespace: namespace, Annotations: annotations, + UID: types.UID(name), }, } } -func buildIngressOwnerReferences(name, namespace string) []metav1.OwnerReference { +func buildIngressOwnerReferences(name string) []metav1.OwnerReference { return []metav1.OwnerReference{ - *metav1.NewControllerRef(buildIngress(name, namespace, nil), ingressV1GVK), + *metav1.NewControllerRef(buildIngress(name, gen.DefaultTestNamespace, nil), ingressV1GVK), } } // The Gateway name and UID are set to the same. -func buildGatewayOwnerReferences(name, namespace string) []metav1.OwnerReference { +func buildGatewayOwnerReferences(name string) []metav1.OwnerReference { return []metav1.OwnerReference{ - *metav1.NewControllerRef(buildIngress(name, namespace, nil), gatewayGVK), + *metav1.NewControllerRef(buildGateway(name, gen.DefaultTestNamespace, nil), gatewayGVK), } } @@ -3419,7 +3419,7 @@ func Test_validateGatewayListenerBlock(t *testing.T) { ingLike: &gwapi.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "gateway", - Namespace: "default", + Namespace: gen.DefaultTestNamespace, }, }, listener: gwapi.Listener{ @@ -3434,7 +3434,7 @@ func Test_validateGatewayListenerBlock(t *testing.T) { ingLike: &gwapi.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "gateway", - Namespace: "default", + Namespace: gen.DefaultTestNamespace, }, }, listener: gwapi.Listener{ 
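Review bot: The rewrite of buildGatewayOwnerReferences swaps buildIngress for buildGateway, and buildGateway now sets `UID: types.UID(name)`, so the controller reference finally points at a Gateway object rather than an Ingress labelled with gatewayGVK; that is a behavioral correction of the test helpers beyond the unparam cleanup and deserves a sentence in the commit message. buildIngressOwnerReferences is left without a doc comment while its sibling has one; suggest `// buildIngressOwnerReferences returns a controller reference to the Ingress named name in gen.DefaultTestNamespace.` and, for the sibling, `// buildGatewayOwnerReferences returns a controller reference to the Gateway named name in gen.DefaultTestNamespace; buildGateway sets the UID equal to the name.` The body of buildGateway starts outside the hunk, so the rest of its ObjectMeta cannot be checked here.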
@@ -3459,7 +3459,7 @@ func Test_validateGatewayListenerBlock(t *testing.T) { ingLike: &gwapi.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "example", - Namespace: "default", + Namespace: gen.DefaultTestNamespace, }, }, listener: gwapi.Listener{ @@ -3523,7 +3523,7 @@ func Test_validateGatewayListenerBlock(t *testing.T) { ingLike: &gwapi.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: "example", - Namespace: "default", + Namespace: gen.DefaultTestNamespace, }, }, listener: gwapi.Listener{ @@ -3595,14 +3595,14 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { givenCerts: []*cmapi.Certificate{{ ObjectMeta: metav1.ObjectMeta{ Name: "cert-1", - Namespace: "default", - OwnerReferences: buildGatewayOwnerReferences("ingress-1", "default"), + Namespace: gen.DefaultTestNamespace, + OwnerReferences: buildGatewayOwnerReferences("ingress-1"), }, Spec: cmapi.CertificateSpec{ SecretName: "secret-name", }}, }, ingLike: &networkingv1.Ingress{ - ObjectMeta: metav1.ObjectMeta{Name: "ingress-2", Namespace: "default", UID: "ingress-2"}, + ObjectMeta: metav1.ObjectMeta{Name: "ingress-2", Namespace: gen.DefaultTestNamespace, UID: "ingress-2"}, Spec: networkingv1.IngressSpec{TLS: []networkingv1.IngressTLS{{SecretName: "secret-name"}}}, }, wantToBeRemoved: nil, 
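Review bot: The Ingress cases of Test_findCertificatesToBeRemoved in this hunk and the two on the following line still build the certificate's owner reference with `buildGatewayOwnerReferences("ingress-1")` although ingLike is a networkingv1.Ingress, so the reference's Kind is Gateway while the owning object is an Ingress. If findCertificatesToBeRemoved matches on UID alone these cases pass by accident; if it also compares Kind they exercise the mismatch path instead of the one the case names describe — either way the intent should be explicit. Suggest `OwnerReferences: buildIngressOwnerReferences("ingress-1"),` for the Ingress cases, or a comment stating that the Kind mismatch is deliberate.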
@@ -3612,14 +3612,14 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { givenCerts: []*cmapi.Certificate{{ ObjectMeta: metav1.ObjectMeta{ Name: "cert-1", - Namespace: "default", - OwnerReferences: buildGatewayOwnerReferences("ingress-1", "default"), + Namespace: gen.DefaultTestNamespace, + OwnerReferences: buildGatewayOwnerReferences("ingress-1"), }, Spec: cmapi.CertificateSpec{ SecretName: "secret-name", }}, }, ingLike: &networkingv1.Ingress{ - ObjectMeta: metav1.ObjectMeta{Name: "ingress-1", Namespace: "default", UID: "ingress-1"}, + ObjectMeta: metav1.ObjectMeta{Name: "ingress-1", Namespace: gen.DefaultTestNamespace, UID: "ingress-1"}, Spec: networkingv1.IngressSpec{TLS: []networkingv1.IngressTLS{{SecretName: "secret-name"}}}, }, wantToBeRemoved: nil, @@ -3629,14 +3629,14 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { givenCerts: []*cmapi.Certificate{{ ObjectMeta: metav1.ObjectMeta{ Name: "cert-1", - Namespace: "default", - OwnerReferences: buildGatewayOwnerReferences("ingress-1", "default"), + Namespace: gen.DefaultTestNamespace, + OwnerReferences: buildGatewayOwnerReferences("ingress-1"), }, Spec: cmapi.CertificateSpec{ SecretName: "secret-name", }}, }, ingLike: &networkingv1.Ingress{ - ObjectMeta: metav1.ObjectMeta{Name: "ingress-1", Namespace: "default", UID: "ingress-1"}, + ObjectMeta: metav1.ObjectMeta{Name: "ingress-1", Namespace: gen.DefaultTestNamespace, UID: "ingress-1"}, }, wantToBeRemoved: []string{"cert-1"}, }, 
@@ -3645,14 +3645,14 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { givenCerts: []*cmapi.Certificate{{ ObjectMeta: metav1.ObjectMeta{ Name: "cert-1", - Namespace: "default", - OwnerReferences: buildGatewayOwnerReferences("gw-1", "default"), + Namespace: gen.DefaultTestNamespace, + OwnerReferences: buildGatewayOwnerReferences("gw-1"), }, Spec: cmapi.CertificateSpec{ SecretName: "secret-name", }}, }, ingLike: &gwapi.Gateway{ - ObjectMeta: metav1.ObjectMeta{Name: "gw-2", Namespace: "default", UID: "gw-2"}, + ObjectMeta: metav1.ObjectMeta{Name: "gw-2", Namespace: gen.DefaultTestNamespace, UID: "gw-2"}, Spec: gwapi.GatewaySpec{Listeners: []gwapi.Listener{{ TLS: &gwapi.GatewayTLSConfig{CertificateRefs: []gwapi.SecretObjectReference{ { @@ -3668,14 +3668,14 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { givenCerts: []*cmapi.Certificate{{ ObjectMeta: metav1.ObjectMeta{ Name: "cert-1", - Namespace: "default", - OwnerReferences: buildGatewayOwnerReferences("gw-1", "default"), + Namespace: gen.DefaultTestNamespace, + OwnerReferences: buildGatewayOwnerReferences("gw-1"), }, Spec: cmapi.CertificateSpec{ SecretName: "secret-name", }}, }, ingLike: &gwapi.Gateway{ - ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: "default", UID: "gw-1"}, + ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: gen.DefaultTestNamespace, UID: "gw-1"}, Spec: gwapi.GatewaySpec{Listeners: []gwapi.Listener{ {TLS: &gwapi.GatewayTLSConfig{CertificateRefs: []gwapi.SecretObjectReference{{Name: "not-secret-name"}}}}, }}, 
@@ -3687,14 +3687,14 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { givenCerts: []*cmapi.Certificate{{ ObjectMeta: metav1.ObjectMeta{ Name: "cert-1", - Namespace: "default", - OwnerReferences: buildGatewayOwnerReferences("gw-1", "default"), + Namespace: gen.DefaultTestNamespace, + OwnerReferences: buildGatewayOwnerReferences("gw-1"), }, Spec: cmapi.CertificateSpec{ SecretName: "secret-name", }}, }, ingLike: &gwapi.Gateway{ - ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: "default", UID: "gw-1"}, + ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: gen.DefaultTestNamespace, UID: "gw-1"}, Spec: gwapi.GatewaySpec{Listeners: []gwapi.Listener{ {TLS: &gwapi.GatewayTLSConfig{CertificateRefs: []gwapi.SecretObjectReference{{Name: "secret-name"}}}}, }}, @@ -3712,7 +3712,7 @@ func Test_findCertificatesToBeRemoved(t *testing.T) { func Test_secretNameUsedIn_nilPointerGateway(t *testing.T) { got := secretNameUsedIn("secret-name", &gwapi.Gateway{ - ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: "default", UID: "gw-1"}, + ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: gen.DefaultTestNamespace, UID: "gw-1"}, Spec: gwapi.GatewaySpec{Listeners: []gwapi.Listener{ {TLS: nil}, {TLS: &gwapi.GatewayTLSConfig{CertificateRefs: nil}}, @@ -3722,7 +3722,7 @@ func Test_secretNameUsedIn_nilPointerGateway(t *testing.T) { assert.Equal(t, true, got) got = secretNameUsedIn("secret-name", &gwapi.Gateway{ - ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: "default", UID: "gw-1"}, + ObjectMeta: metav1.ObjectMeta{Name: "gw-1", Namespace: gen.DefaultTestNamespace, UID: "gw-1"}, Spec: gwapi.GatewaySpec{Listeners: []gwapi.Listener{ {TLS: nil}, {TLS: &gwapi.GatewayTLSConfig{CertificateRefs: nil}}, diff --git a/pkg/controller/certificaterequests/vault/vault_test.go b/pkg/controller/certificaterequests/vault/vault_test.go index 0cb69b5fc..2224eb912 100644 --- a/pkg/controller/certificaterequests/vault/vault_test.go 
+++ b/pkg/controller/certificaterequests/vault/vault_test.go @@ -64,8 +64,7 @@ func generateCSR(t *testing.T, secretKey crypto.Signer) []byte { return csr } -func generateSelfSignedCertFromCR(cr *cmapi.CertificateRequest, key crypto.Signer, - duration time.Duration) ([]byte, error) { +func generateSelfSignedCertFromCR(cr *cmapi.CertificateRequest, key crypto.Signer) ([]byte, error) { template, err := pki.CertificateTemplateFromCertificateRequest(cr) if err != nil { return nil, fmt.Errorf("error generating template: %v", err) @@ -134,7 +133,7 @@ func TestSign(t *testing.T) { }), ) - rsaPEMCert, err := generateSelfSignedCertFromCR(baseCR, rsaSK, time.Hour*24*60) + rsaPEMCert, err := generateSelfSignedCertFromCR(baseCR, rsaSK) if err != nil { t.Error(err) t.FailNow() diff --git a/pkg/controller/certificaterequests/venafi/venafi.go b/pkg/controller/certificaterequests/venafi/venafi.go index 77ee5334f..623d21713 100644 --- a/pkg/controller/certificaterequests/venafi/venafi.go +++ b/pkg/controller/certificaterequests/venafi/venafi.go @@ -115,12 +115,11 @@ func (v *Venafi) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuerO } } - duration := apiutil.DefaultCertDuration(cr.Spec.Duration) pickupID := cr.ObjectMeta.Annotations[cmapi.VenafiPickupIDAnnotationKey] // check if the pickup ID annotation is there, if not set it up. if pickupID == "" { - pickupID, err = client.RequestCertificate(cr.Spec.Request, duration, customFields) + pickupID, err = client.RequestCertificate(cr.Spec.Request, customFields) // Check some known error types if err != nil { switch err.(type) { 
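Review bot: After this hunk cr.Spec.Duration no longer influences the Venafi request path at all: the `duration := apiutil.DefaultCertDuration(cr.Spec.Duration)` line is gone and neither RequestCertificate nor RetrieveCertificate in the next hunk receives a duration. If the client never used the value, as the unparam finding implies, this is not a behavior change, but the fact that a requested lifetime is silently replaced by whatever the Venafi zone policy issues is now invisible in this controller. Suggest a comment at the RequestCertificate call: `// cr.Spec.Duration is not forwarded: the certificate lifetime is determined by the Venafi zone policy, not by the request.` Sign's body begins and ends outside the hunk.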
@@ -148,7 +147,7 @@ func (v *Venafi) Sign(ctx context.Context, cr *cmapi.CertificateRequest, issuerO return nil, nil } - certPem, err := client.RetrieveCertificate(pickupID, cr.Spec.Request, duration, customFields) + certPem, err := client.RetrieveCertificate(pickupID, cr.Spec.Request, customFields) if err != nil { switch err.(type) { case endpoint.ErrCertificatePending, endpoint.ErrRetrieveCertificateTimeout: diff --git a/pkg/controller/certificaterequests/venafi/venafi_test.go b/pkg/controller/certificaterequests/venafi/venafi_test.go index 644cdb3b1..dd8e84a2b 100644 --- a/pkg/controller/certificaterequests/venafi/venafi_test.go +++ b/pkg/controller/certificaterequests/venafi/venafi_test.go @@ -222,10 +222,10 @@ func TestSign(t *testing.T) { } clientReturnsPending := &internalvenafifake.Venafi{ - RequestCertificateFn: func(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) { + RequestCertificateFn: func(csrPEM []byte, customFields []api.CustomField) (string, error) { return "test", nil }, - RetrieveCertificateFn: func(string, []byte, time.Duration, []api.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(string, []byte, []api.CustomField) ([]byte, error) { return nil, endpoint.ErrCertificatePending{ CertificateID: "test-cert-id", Status: "test-status-pending", 
@@ -233,33 +233,33 @@ func TestSign(t *testing.T) { }, } clientReturnsGenericError := &internalvenafifake.Venafi{ - RequestCertificateFn: func(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) { + RequestCertificateFn: func(csrPEM []byte, customFields []api.CustomField) (string, error) { return "", errors.New("this is an error") }, } clientReturnsCert := &internalvenafifake.Venafi{ - RequestCertificateFn: func(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) { + RequestCertificateFn: func(csrPEM []byte, customFields []api.CustomField) (string, error) { return "test", nil }, - RetrieveCertificateFn: func(string, []byte, time.Duration, []api.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(string, []byte, []api.CustomField) ([]byte, error) { return append(certPEM, rootPEM...), nil }, } clientReturnsCertIfCustomField := &internalvenafifake.Venafi{ - RequestCertificateFn: func(csrPEM []byte, duration time.Duration, fields []api.CustomField) (string, error) { + RequestCertificateFn: func(csrPEM []byte, fields []api.CustomField) (string, error) { if len(fields) > 0 && fields[0].Name == "cert-manager-test" && fields[0].Value == "test ok" { return "test", nil } return "", errors.New("Custom field not set") }, - RetrieveCertificateFn: func(string, []byte, time.Duration, []api.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(string, []byte, []api.CustomField) ([]byte, error) { return append(certPEM, rootPEM...), nil }, } clientReturnsInvalidCustomFieldType := &internalvenafifake.Venafi{ - RequestCertificateFn: func(csrPEM []byte, duration time.Duration, fields []api.CustomField) (string, error) { + RequestCertificateFn: func(csrPEM []byte, fields []api.CustomField) (string, error) { return "", client.ErrCustomFieldsType{Type: fields[0].Type} }, } 
diff --git a/pkg/controller/certificates/issuing/internal/keystore_test.go b/pkg/controller/certificates/issuing/internal/keystore_test.go index 4f666580e..e0f6a6792 100644 --- a/pkg/controller/certificates/issuing/internal/keystore_test.go +++ b/pkg/controller/certificates/issuing/internal/keystore_test.go @@ -48,10 +48,8 @@ func mustGeneratePrivateKey(t *testing.T, encoding cmapi.PrivateKeyEncoding) []b return pkBytes } -func mustSelfSignCertificate(t *testing.T, pkBytes []byte) []byte { - if pkBytes == nil { - pkBytes = mustGeneratePrivateKey(t, cmapi.PKCS8) - } +func mustSelfSignCertificate(t *testing.T) []byte { + pkBytes := mustGeneratePrivateKey(t, cmapi.PKCS8) pk, err := pki.DecodePrivateKeyBytes(pkBytes) if err != nil { t.Fatal(err) @@ -74,7 +72,7 @@ func mustSelfSignCertificate(t *testing.T, pkBytes []byte) []byte { func mustSelfSignCertificates(t *testing.T, count int) []byte { var buf bytes.Buffer for i := 0; i < count; i++ { - buf.Write(mustSelfSignCertificate(t, nil)) + buf.Write(mustSelfSignCertificate(t)) } return buf.Bytes() } @@ -165,7 +163,7 @@ func TestEncodeJKSKeystore(t *testing.T) { password: "password", alias: "alias", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS1), - certPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), verify: func(t *testing.T, out []byte, err error) { if err != nil { t.Errorf("expected no error but got: %v", err) @@ -192,7 +190,7 @@ func TestEncodeJKSKeystore(t *testing.T) { password: "password", alias: "alias", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS8), - certPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), verify: func(t *testing.T, out []byte, err error) { if err != nil { t.Errorf("expected no error but got: %v", err) 
@@ -217,8 +215,8 @@ func TestEncodeJKSKeystore(t *testing.T) { password: "password", alias: "alias", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS8), - certPEM: mustSelfSignCertificate(t, nil), - caPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), + caPEM: mustSelfSignCertificate(t), verify: func(t *testing.T, out []byte, err error) { if err != nil { t.Errorf("expected no error but got: %v", err) @@ -242,7 +240,7 @@ func TestEncodeJKSKeystore(t *testing.T) { password: "password", alias: "alias", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS8), - certPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), caPEM: mustSelfSignCertificates(t, 3), verify: func(t *testing.T, out []byte, err error) { if err != nil { @@ -356,7 +354,7 @@ func TestEncodePKCS12Keystore(t *testing.T) { "encode a JKS bundle for a PKCS1 key and certificate only": { password: "password", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS1), - certPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), verify: func(t *testing.T, out []byte, err error) { if err != nil { t.Errorf("expected no error but got: %v", err) @@ -377,7 +375,7 @@ func TestEncodePKCS12Keystore(t *testing.T) { "encode a JKS bundle for a PKCS8 key and certificate only": { password: "password", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS8), - certPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), verify: func(t *testing.T, out []byte, err error) { if err != nil { t.Errorf("expected no error but got: %v", err) 
@@ -398,8 +396,8 @@ func TestEncodePKCS12Keystore(t *testing.T) { "encode a JKS bundle for a key, certificate and ca": { password: "password", rawKey: mustGeneratePrivateKey(t, cmapi.PKCS8), - certPEM: mustSelfSignCertificate(t, nil), - caPEM: mustSelfSignCertificate(t, nil), + certPEM: mustSelfSignCertificate(t), + caPEM: mustSelfSignCertificate(t), verify: func(t *testing.T, out []byte, err error) { if err != nil { t.Errorf("expected no error but got: %v", err) @@ -450,7 +448,7 @@ func TestEncodePKCS12Keystore(t *testing.T) { }) t.Run("encodePKCS12Keystore *prepends* non-leaf certificates to the supplied CA certificate chain", func(t *testing.T) { const password = "password" - caChainInPEM := mustSelfSignCertificate(t, nil) + caChainInPEM := mustSelfSignCertificate(t) caChainIn, err := pki.DecodeX509CertificateChainBytes(caChainInPEM) require.NoError(t, err) @@ -534,8 +532,8 @@ func TestEncodePKCS12Truststore(t *testing.T) { func TestManyPasswordLengths(t *testing.T) { rawKey := mustGeneratePrivateKey(t, cmapi.PKCS8) - certPEM := mustSelfSignCertificate(t, nil) - caPEM := mustSelfSignCertificate(t, nil) + certPEM := mustSelfSignCertificate(t) + caPEM := mustSelfSignCertificate(t) const testN = 10000 diff --git a/pkg/controller/certificates/issuing/internal/secret.go b/pkg/controller/certificates/issuing/internal/secret.go index c259f754e..475585e55 100644 --- a/pkg/controller/certificates/issuing/internal/secret.go +++ b/pkg/controller/certificates/issuing/internal/secret.go @@ -86,7 +86,7 @@ func NewSecretsManager( // If the Secret resource does not exist, it will be created on Apply. // UpdateData will also update deprecated annotations if they exist. func (s *SecretsManager) UpdateData(ctx context.Context, crt *cmapi.Certificate, data SecretData) error { - secret, err := s.getCertificateSecret(ctx, crt) + secret, err := s.getCertificateSecret(crt) if err != nil { return err } 
@@ -207,7 +207,7 @@ func (s *SecretsManager) setValues(crt *cmapi.Certificate, secret *corev1.Secret // getCertificateSecret will return a secret which is ready for fields to be // applied. Only the Secret Type will be persisted from the original Secret. -func (s *SecretsManager) getCertificateSecret(ctx context.Context, crt *cmapi.Certificate) (*corev1.Secret, error) { +func (s *SecretsManager) getCertificateSecret(crt *cmapi.Certificate) (*corev1.Secret, error) { // Get existing secret if it exists. existingSecret, err := s.secretLister.Secrets(crt.Namespace).Get(crt.Spec.SecretName) diff --git a/pkg/controller/certificates/issuing/internal/secret_test.go b/pkg/controller/certificates/issuing/internal/secret_test.go index 790200bc7..c6f42b9fa 100644 --- a/pkg/controller/certificates/issuing/internal/secret_test.go +++ b/pkg/controller/certificates/issuing/internal/secret_test.go @@ -865,7 +865,7 @@ func Test_getCertificateSecret(t *testing.T) { builder.Start() defer builder.Stop() - gotSecret, err := s.getCertificateSecret(context.Background(), crt) + gotSecret, err := s.getCertificateSecret(crt) assert.NoError(t, err) assert.Equal(t, test.expSecret, gotSecret, "unexpected returned secret") diff --git a/pkg/controller/certificates/metrics/controller.go b/pkg/controller/certificates/metrics/controller.go index 8e28af500..e24048e62 100644 --- a/pkg/controller/certificates/metrics/controller.go +++ b/pkg/controller/certificates/metrics/controller.go @@ -75,10 +75,6 @@ func NewController(ctx *controllerpkg.Context) (*controller, workqueue.RateLimit } func (c *controller) ProcessItem(ctx context.Context, key string) error { - // Set context deadline for full sync in 10 seconds - ctx, cancel := context.WithTimeout(ctx, time.Second*10) - defer cancel() - namespace, name, err := cache.SplitMetaNamespaceKey(key) if err != nil { return nil 
@@ -95,7 +91,7 @@ func (c *controller) ProcessItem(ctx context.Context, key string) error { } // Update that Certificates metrics - c.metrics.UpdateCertificate(ctx, crt) + c.metrics.UpdateCertificate(crt) return nil } diff --git a/pkg/controller/certificates/requestmanager/requestmanager_controller_test.go b/pkg/controller/certificates/requestmanager/requestmanager_controller_test.go index 1b512bac1..8a4383535 100644 --- a/pkg/controller/certificates/requestmanager/requestmanager_controller_test.go +++ b/pkg/controller/certificates/requestmanager/requestmanager_controller_test.go @@ -43,8 +43,8 @@ import ( "github.com/cert-manager/cert-manager/test/unit/gen" ) -func mustGenerateRSA(t *testing.T, keySize int) []byte { - pk, err := pki.GenerateRSAPrivateKey(keySize) +func mustGenerateRSA(t *testing.T) []byte { + pk, err := pki.GenerateRSAPrivateKey(2048) if err != nil { t.Fatal(err) } @@ -293,7 +293,7 @@ func TestProcessItem(t *testing.T) { secrets: []runtime.Object{ &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "exists"}, - Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t, 2048)}, + Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t)}, }, }, certificate: gen.CertificateFrom(bundle1.certificate, @@ -326,7 +326,7 @@ func TestProcessItem(t *testing.T) { secrets: []runtime.Object{ &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "exists"}, - Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t, 2048)}, + Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t)}, }, }, certificate: gen.CertificateFrom(bundle1.certificate, 
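Review bot: The key size in mustGenerateRSA is now a bare literal, `pk, err := pki.GenerateRSAPrivateKey(2048)`; a named constant such as `const testRSAKeySize = 2048` keeps the intent readable and gives the TestProcessItem fixtures one place to change. A one-line doc comment, `// mustGenerateRSA returns a PEM-encoded 2048-bit RSA private key, failing the test on error.`, would also make the helper self-explanatory now that its signature no longer says what it generates.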
@@ -414,7 +414,7 @@ func TestProcessItem(t *testing.T) { secrets: []runtime.Object{ &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "exists"}, - Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t, 2048)}, + Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t)}, }, }, certificate: gen.CertificateFrom(bundle1.certificate, @@ -453,7 +453,7 @@ func TestProcessItem(t *testing.T) { secrets: []runtime.Object{ &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "exists"}, - Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t, 2048)}, + Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t)}, }, }, certificate: gen.CertificateFrom(bundle1.certificate, @@ -538,7 +538,7 @@ func TestProcessItem(t *testing.T) { secrets: []runtime.Object{ &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{Namespace: "testns", Name: "exists"}, - Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t, 2048)}, + Data: map[string][]byte{corev1.TLSPrivateKeyKey: mustGenerateRSA(t)}, }, }, certificate: gen.CertificateFrom(bundle1.certificate, diff --git a/pkg/controller/certificatesigningrequests/venafi/venafi.go b/pkg/controller/certificatesigningrequests/venafi/venafi.go index 282399ffe..d3b55be2e 100644 --- a/pkg/controller/certificatesigningrequests/venafi/venafi.go +++ b/pkg/controller/certificatesigningrequests/venafi/venafi.go @@ -40,7 +40,6 @@ import ( venafiapi "github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/api" logf "github.com/cert-manager/cert-manager/pkg/logs" "github.com/cert-manager/cert-manager/pkg/metrics" - "github.com/cert-manager/cert-manager/pkg/util/pki" utilpki "github.com/cert-manager/cert-manager/pkg/util/pki" ) 
@@ -130,16 +129,6 @@ func (v *Venafi) Sign(ctx context.Context, csr *certificatesv1.CertificateSignin
 }
 }
- duration, err := pki.DurationFromCertificateSigningRequest(csr)
- if err != nil {
- message := fmt.Sprintf("Failed to parse requested duration: %s", err)
- log.Error(err, message)
- v.recorder.Event(csr, corev1.EventTypeWarning, "ErrorParseDuration", message)
- util.CertificateSigningRequestSetFailed(csr, "ErrorParseDuration", message)
- _, userr := util.UpdateOrApplyStatus(ctx, v.certClient, csr, certificatesv1.CertificateFailed, v.fieldManager)
- return userr
- }
-
 // The signing process with Venafi is slow. The "pickupID" allows us to track
 // the progress of the certificate signing. It is set as an annotation the
 // first time the Certificate is reconciled.
@@ -147,7 +136,7 @@ func (v *Venafi) Sign(ctx context.Context, csr *certificatesv1.CertificateSignin
 // check if the pickup ID annotation is there, if not set it up.
 if len(pickupID) == 0 {
- pickupID, err := client.RequestCertificate(csr.Spec.Request, duration, customFields)
+ pickupID, err := client.RequestCertificate(csr.Spec.Request, customFields)
 // Check some known error types
 if err != nil {
 switch err.(type) {
@@ -177,7 +166,7 @@ func (v *Venafi) Sign(ctx context.Context, csr *certificatesv1.CertificateSignin
 return uerr
 }
- certPem, err := client.RetrieveCertificate(pickupID, csr.Spec.Request, duration, customFields)
+ certPem, err := client.RetrieveCertificate(pickupID, csr.Spec.Request, customFields)
 if err != nil {
 switch err.(type) {
 case endpoint.ErrCertificatePending:
diff --git a/pkg/controller/certificatesigningrequests/venafi/venafi_test.go b/pkg/controller/certificatesigningrequests/venafi/venafi_test.go
index 3bed80976..be983abd9 100644
--- a/pkg/controller/certificatesigningrequests/venafi/venafi_test.go
+++ b/pkg/controller/certificatesigningrequests/venafi/venafi_test.go
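Review bot: With the `pki.DurationFromCertificateSigningRequest(csr)` block gone, a malformed requested duration on the CSR is no longer rejected with the `ErrorParseDuration` failure, and no duration reaches `client.RequestCertificate` or `client.RetrieveCertificate` at all, so a requester asking for a particular lifetime gets whatever the Venafi zone issues. If the client already ignored `duration` (which the unparam finding suggests, though `buildVReq`'s body is not in this diff) enforcement has not regressed, but validation has: the annotation is now accepted unchecked. Either keep the parse purely as a check — `if _, err := utilpki.DurationFromCertificateSigningRequest(csr); err != nil {` followed by the same failure handling — or state in `Sign`'s doc comment and on `Interface` in venaficlient.go that the Venafi signer does not honour a requested duration. Sign starts and ends outside this hunk.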
@@ -390,7 +390,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RequestCertificateFn: func(_ []byte, _ time.Duration, _ []venafiapi.CustomField) (string, error) { + RequestCertificateFn: func(_ []byte, _ []venafiapi.CustomField) (string, error) { return "", venaficlient.ErrCustomFieldsType{Type: "test-type"} }, }, nil @@ -461,7 +461,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RequestCertificateFn: func(_ []byte, _ time.Duration, _ []venafiapi.CustomField) (string, error) { + RequestCertificateFn: func(_ []byte, _ []venafiapi.CustomField) (string, error) { return "", errors.New("generic error") }, }, nil @@ -532,7 +532,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RequestCertificateFn: func(_ []byte, _ time.Duration, _ []venafiapi.CustomField) (string, error) { + RequestCertificateFn: func(_ []byte, _ []venafiapi.CustomField) (string, error) { return "test-pickup-id", nil }, }, nil 
@@ -594,7 +594,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RetrieveCertificateFn: func(_ string, _ []byte, _ time.Duration, _ []venafiapi.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(_ string, _ []byte, _ []venafiapi.CustomField) ([]byte, error) { return nil, endpoint.ErrCertificatePending{} }, }, nil @@ -645,7 +645,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RetrieveCertificateFn: func(_ string, _ []byte, _ time.Duration, _ []venafiapi.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(_ string, _ []byte, _ []venafiapi.CustomField) ([]byte, error) { return nil, endpoint.ErrRetrieveCertificateTimeout{} }, }, nil @@ -696,7 +696,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RetrieveCertificateFn: func(_ string, _ []byte, _ time.Duration, _ []venafiapi.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(_ string, _ []byte, _ []venafiapi.CustomField) ([]byte, error) { return nil, errors.New("generic error") }, }, nil 
@@ -747,7 +747,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RetrieveCertificateFn: func(_ string, _ []byte, _ time.Duration, _ []venafiapi.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(_ string, _ []byte, _ []venafiapi.CustomField) ([]byte, error) { return []byte("garbage"), nil }, }, nil @@ -820,7 +820,7 @@ func TestProcessItem(t *testing.T) { ), clientBuilder: func(_ string, _ internalinformers.SecretLister, _ cmapi.GenericIssuer, _ *metrics.Metrics, _ logr.Logger, _ string) (venaficlient.Interface, error) { return &fakevenaficlient.Venafi{ - RetrieveCertificateFn: func(_ string, _ []byte, _ time.Duration, _ []venafiapi.CustomField) ([]byte, error) { + RetrieveCertificateFn: func(_ string, _ []byte, _ []venafiapi.CustomField) ([]byte, error) { return []byte(fmt.Sprintf("%s%s", certBundle.ChainPEM, certBundle.CAPEM)), nil }, }, nil diff --git a/pkg/issuer/acme/dns/dns_test.go b/pkg/issuer/acme/dns/dns_test.go index 39ce2b665..48562e535 100644 --- a/pkg/issuer/acme/dns/dns_test.go +++ b/pkg/issuer/acme/dns/dns_test.go @@ -36,11 +36,11 @@ import ( "github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util" ) -func newIssuer(name, namespace string) *v1.Issuer { +func newIssuer() *v1.Issuer { return &v1.Issuer{ ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, + Name: "test", + Namespace: "default", }, Spec: v1.IssuerSpec{ IssuerConfig: v1.IssuerConfig{ @@ -50,11 +50,11 @@ func newIssuer(name, namespace string) *v1.Issuer { } } -func newSecret(name, namespace string, data map[string][]byte) *corev1.Secret { +func newSecret(name string, data map[string][]byte) *corev1.Secret { return &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: name, - Namespace: namespace, + Namespace: "default", }, Data: data, } 
@@ -71,12 +71,12 @@ func TestSolverFor(t *testing.T) { solverFixture: &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("cloudflare-key", "default", map[string][]byte{ + newSecret("cloudflare-key", map[string][]byte{ "api-key": []byte("a-cloudflare-api-key"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -102,12 +102,12 @@ func TestSolverFor(t *testing.T) { solverFixture: &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("cloudflare-token", "default", map[string][]byte{ + newSecret("cloudflare-token", map[string][]byte{ "api-token": []byte("a-cloudflare-api-token"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -131,7 +131,7 @@ func TestSolverFor(t *testing.T) { }, "fails to load a cloudflare provider with a missing secret": { solverFixture: &solverFixture{ - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), // don't include any secrets in the lister Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ @@ -156,7 +156,7 @@ func TestSolverFor(t *testing.T) { }, "fails to load a cloudflare provider when key and token are provided": { solverFixture: &solverFixture{ - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), // don't include any secrets in the lister Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ 
@@ -189,12 +189,12 @@ func TestSolverFor(t *testing.T) { solverFixture: &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("cloudflare-key", "default", map[string][]byte{ + newSecret("cloudflare-key", map[string][]byte{ "api-key-oops": []byte("a-cloudflare-api-key"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -220,12 +220,12 @@ func TestSolverFor(t *testing.T) { solverFixture: &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("cloudflare-token", "default", map[string][]byte{ + newSecret("cloudflare-token", map[string][]byte{ "api-key-oops": []byte("a-cloudflare-api-token"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -251,12 +251,12 @@ func TestSolverFor(t *testing.T) { solverFixture: &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("acmedns-key", "default", map[string][]byte{ + newSecret("acmedns-key", map[string][]byte{ "acmedns.json": []byte("{}"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -305,12 +305,12 @@ func TestSolveForDigitalOcean(t *testing.T) { f := &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("digitalocean", "default", map[string][]byte{ + newSecret("digitalocean", map[string][]byte{ "token": []byte("FAKE-TOKEN"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ 
@@ -356,12 +356,12 @@ func TestRoute53TrimCreds(t *testing.T) { f := &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("route53", "default", map[string][]byte{ + newSecret("route53", map[string][]byte{ "secret": []byte("AKIENDINNEWLINE \n"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -408,13 +408,13 @@ func TestRoute53SecretAccessKey(t *testing.T) { f := &solverFixture{ Builder: &test.Builder{ KubeObjects: []runtime.Object{ - newSecret("route53", "default", map[string][]byte{ + newSecret("route53", map[string][]byte{ "accessKeyID": []byte("AWSACCESSKEYID"), "secretAccessKey": []byte("AKIENDINNEWLINE \n"), }), }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ Solver: cmacme.ACMEChallengeSolver{ @@ -484,7 +484,7 @@ func TestRoute53AmbientCreds(t *testing.T) { }, }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), dnsProviders: newFakeDNSProviders(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ @@ -517,7 +517,7 @@ func TestRoute53AmbientCreds(t *testing.T) { }, }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), dnsProviders: newFakeDNSProviders(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ @@ -580,7 +580,7 @@ func TestRoute53AssumeRole(t *testing.T) { }, }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), dnsProviders: newFakeDNSProviders(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ @@ -614,7 +614,7 @@ func TestRoute53AssumeRole(t *testing.T) { }, }, }, - Issuer: newIssuer("test", "default"), + Issuer: newIssuer(), dnsProviders: newFakeDNSProviders(), Challenge: &cmacme.Challenge{ Spec: cmacme.ChallengeSpec{ diff --git a/pkg/issuer/acme/dns/route53/route53.go b/pkg/issuer/acme/dns/route53/route53.go index 34ca5e268..84b409567 100644 
--- a/pkg/issuer/acme/dns/route53/route53.go +++ b/pkg/issuer/acme/dns/route53/route53.go @@ -122,7 +122,7 @@ func (d *sessionProvider) GetSession() (aws.Config, error) { return cfg, nil } -func newSessionProvider(accessKeyID, secretAccessKey, region, role string, ambient bool, userAgent string) (*sessionProvider, error) { +func newSessionProvider(accessKeyID, secretAccessKey, region, role string, ambient bool, userAgent string) *sessionProvider { return &sessionProvider{ AccessKeyID: accessKeyID, SecretAccessKey: secretAccessKey, @@ -132,7 +132,7 @@ func newSessionProvider(accessKeyID, secretAccessKey, region, role string, ambie StsProvider: defaultSTSProvider, log: logf.Log.WithName("route53-session-provider"), userAgent: userAgent, - }, nil + } } func defaultSTSProvider(cfg aws.Config) StsClient { @@ -147,10 +147,7 @@ func NewDNSProvider(accessKeyID, secretAccessKey, hostedZoneID, region, role str dns01Nameservers []string, userAgent string, ) (*DNSProvider, error) { - provider, err := newSessionProvider(accessKeyID, secretAccessKey, region, role, ambient, userAgent) - if err != nil { - return nil, err - } + provider := newSessionProvider(accessKeyID, secretAccessKey, region, role, ambient, userAgent) cfg, err := provider.GetSession() if err != nil { diff --git a/pkg/issuer/acme/dns/route53/route53_test.go b/pkg/issuer/acme/dns/route53/route53_test.go index 389597629..94e0c5609 100644 --- a/pkg/issuer/acme/dns/route53/route53_test.go +++ b/pkg/issuer/acme/dns/route53/route53_test.go @@ -251,10 +251,9 @@ func TestAssumeRole(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { - provider, err := makeMockSessionProvider(func(aws.Config) StsClient { + provider := makeMockSessionProvider(func(aws.Config) StsClient { return c.mockSTS }, c.key, c.secret, c.region, c.role, c.ambient) - assert.NoError(t, err) cfg, err := provider.GetSession() if c.expErr { assert.NotNil(t, err) 
@@ -287,7 +286,7 @@ func makeMockSessionProvider( defaultSTSProvider func(aws.Config) StsClient, accessKeyID, secretAccessKey, region, role string, ambient bool, -) (*sessionProvider, error) { +) *sessionProvider { return &sessionProvider{ AccessKeyID: accessKeyID, SecretAccessKey: secretAccessKey, @@ -296,7 +295,7 @@ func makeMockSessionProvider( Role: role, StsProvider: defaultSTSProvider, log: logf.Log.WithName("route53-session"), - }, nil + } } func Test_removeReqID(t *testing.T) { diff --git a/pkg/issuer/venafi/client/fake/venafi.go b/pkg/issuer/venafi/client/fake/venafi.go index fb9e2688f..f5758b55e 100644 --- a/pkg/issuer/venafi/client/fake/venafi.go +++ b/pkg/issuer/venafi/client/fake/venafi.go @@ -17,8 +17,6 @@ limitations under the License. package fake import ( - "time" - "github.com/Venafi/vcert/v5/pkg/endpoint" "github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/api" @@ -26,8 +24,8 @@ import ( type Venafi struct { PingFn func() error - RequestCertificateFn func(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) - RetrieveCertificateFn func(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error) + RequestCertificateFn func(csrPEM []byte, customFields []api.CustomField) (string, error) + RetrieveCertificateFn func(pickupID string, csrPEM []byte, customFields []api.CustomField) ([]byte, error) ReadZoneConfigurationFn func() (*endpoint.ZoneConfiguration, error) VerifyCredentialsFn func() error } 
@@ -36,12 +34,12 @@ func (v *Venafi) Ping() error { return v.PingFn() } -func (v *Venafi) RequestCertificate(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) { - return v.RequestCertificateFn(csrPEM, duration, customFields) +func (v *Venafi) RequestCertificate(csrPEM []byte, customFields []api.CustomField) (string, error) { + return v.RequestCertificateFn(csrPEM, customFields) } -func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error) { - return v.RetrieveCertificateFn(pickupID, csrPEM, duration, customFields) +func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, customFields []api.CustomField) ([]byte, error) { + return v.RetrieveCertificateFn(pickupID, csrPEM, customFields) } func (v *Venafi) ReadZoneConfiguration() (*endpoint.ZoneConfiguration, error) { diff --git a/pkg/issuer/venafi/client/request.go b/pkg/issuer/venafi/client/request.go index 090cdfca9..b907b6746 100644 --- a/pkg/issuer/venafi/client/request.go +++ b/pkg/issuer/venafi/client/request.go @@ -45,8 +45,8 @@ var ErrorMissingSubject = errors.New("Certificate requests submitted to Venafi i // The CSR will be decoded to be validated against the zone configuration policy. // Upon the template being successfully defaulted and validated, the CSR will be sent, as is. // It will return a pickup ID which can be used with RetrieveCertificate to get the certificate -func (v *Venafi) RequestCertificate(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) { - vreq, err := v.buildVReq(csrPEM, duration, customFields) +func (v *Venafi) RequestCertificate(csrPEM []byte, customFields []api.CustomField) (string, error) { + vreq, err := v.buildVReq(csrPEM, customFields) if err != nil { return "", err } 
@@ -81,8 +81,8 @@ func (v *Venafi) RequestCertificate(csrPEM []byte, duration time.Duration, custo return v.vcertClient.RequestCertificate(vreq) } -func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error) { - vreq, err := v.buildVReq(csrPEM, duration, customFields) +func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, customFields []api.CustomField) ([]byte, error) { + vreq, err := v.buildVReq(csrPEM, customFields) if err != nil { return nil, err } @@ -103,7 +103,7 @@ func (v *Venafi) RetrieveCertificate(pickupID string, csrPEM []byte, duration ti return []byte(chain), nil } -func (v *Venafi) buildVReq(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (*certificate.Request, error) { +func (v *Venafi) buildVReq(csrPEM []byte, customFields []api.CustomField) (*certificate.Request, error) { // Retrieve a copy of the Venafi zone. // This contains default values and policy control info that we can apply // and check against locally. diff --git a/pkg/issuer/venafi/client/request_test.go b/pkg/issuer/venafi/client/request_test.go index 8f7278e62..9d6692a8f 100644 --- a/pkg/issuer/venafi/client/request_test.go +++ b/pkg/issuer/venafi/client/request_test.go @@ -20,7 +20,6 @@ import ( "crypto" "errors" "testing" - "time" "github.com/Venafi/vcert/v5/pkg/certificate" "github.com/Venafi/vcert/v5/pkg/endpoint" @@ -215,7 +214,7 @@ func TestVenafi_RequestCertificate(t *testing.T) { "foo.example.com", "bar.example.com"}) } - got, err := v.RequestCertificate(tt.args.csrPEM, time.Minute, tt.args.customFields) + got, err := v.RequestCertificate(tt.args.csrPEM, tt.args.customFields) if (err != nil) != tt.wantErr { t.Errorf("RequestCertificate() error = %v, wantErr %v", err, tt.wantErr) return 
@@ -236,7 +235,6 @@ func TestVenafi_RetrieveCertificate(t *testing.T) { type args struct { csrPEM []byte - duration time.Duration customFields []api.CustomField } tests := []struct { @@ -280,11 +278,11 @@ func TestVenafi_RetrieveCertificate(t *testing.T) { // this is needed to provide the fake venafi client with a "valid" pickup id // testing errors in this should be done in TestVenafi_RequestCertificate // any error returned in these tests is a hard fail - pickupID, err := v.RequestCertificate(tt.args.csrPEM, tt.args.duration, tt.args.customFields) + pickupID, err := v.RequestCertificate(tt.args.csrPEM, tt.args.customFields) if err != nil { t.Errorf("RequestCertificate() should but error but got error = %v", err) } - got, err := v.RetrieveCertificate(pickupID, tt.args.csrPEM, tt.args.duration, tt.args.customFields) + got, err := v.RetrieveCertificate(pickupID, tt.args.csrPEM, tt.args.customFields) if (err != nil) != tt.wantErr { t.Errorf("RetrieveCertificate() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/pkg/issuer/venafi/client/venaficlient.go b/pkg/issuer/venafi/client/venaficlient.go index be42f4a61..707a011be 100644 --- a/pkg/issuer/venafi/client/venaficlient.go +++ b/pkg/issuer/venafi/client/venaficlient.go @@ -52,8 +52,8 @@ type VenafiClientBuilder func(namespace string, secretsLister internalinformers. // Interface implements a Venafi client type Interface interface { - RequestCertificate(csrPEM []byte, duration time.Duration, customFields []api.CustomField) (string, error) - RetrieveCertificate(pickupID string, csrPEM []byte, duration time.Duration, customFields []api.CustomField) ([]byte, error) + RequestCertificate(csrPEM []byte, customFields []api.CustomField) (string, error) + RetrieveCertificate(pickupID string, csrPEM []byte, customFields []api.CustomField) ([]byte, error) Ping() error ReadZoneConfiguration() (*endpoint.ZoneConfiguration, error) SetClient(endpoint.Connector) 
diff --git a/pkg/metrics/certificates.go b/pkg/metrics/certificates.go
index 071e53897..4feeb28a4 100644
--- a/pkg/metrics/certificates.go
+++ b/pkg/metrics/certificates.go
@@ -17,33 +17,23 @@ limitations under the License.
 package metrics
 import (
- "context"
-
 "github.com/prometheus/client_golang/prometheus"
 "k8s.io/client-go/tools/cache"
 cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
- logf "github.com/cert-manager/cert-manager/pkg/logs"
 )
 // UpdateCertificate will update the given Certificate's metrics for its expiry, renewal, and status
 // condition.
-func (m *Metrics) UpdateCertificate(ctx context.Context, crt *cmapi.Certificate) {
- key, err := cache.MetaNamespaceKeyFunc(crt)
- if err != nil {
- log := logf.WithRelatedResource(m.log, crt)
- log.Error(err, "failed to get key from certificate object")
- return
- }
-
- m.updateCertificateStatus(key, crt)
- m.updateCertificateExpiry(ctx, key, crt)
+func (m *Metrics) UpdateCertificate(crt *cmapi.Certificate) {
+ m.updateCertificateStatus(crt)
+ m.updateCertificateExpiry(crt)
 m.updateCertificateRenewalTime(crt)
 }
 // updateCertificateExpiry updates the expiry time of a certificate
-func (m *Metrics) updateCertificateExpiry(ctx context.Context, key string, crt *cmapi.Certificate) {
+func (m *Metrics) updateCertificateExpiry(crt *cmapi.Certificate) {
 expiryTime := 0.0
 if crt.Status.NotAfter != nil {
@@ -76,7 +66,7 @@ func (m *Metrics) updateCertificateRenewalTime(crt *cmapi.Certificate) {
 }
 // updateCertificateStatus will update the metric for that Certificate
-func (m *Metrics) updateCertificateStatus(key string, crt *cmapi.Certificate) {
+func (m *Metrics) updateCertificateStatus(crt *cmapi.Certificate) {
 for _, c := range crt.Status.Conditions {
 if c.Type == cmapi.CertificateConditionReady {
 m.updateCertificateReadyStatus(crt, c.Status)
diff --git a/pkg/metrics/certificates_test.go b/pkg/metrics/certificates_test.go index e530a4395..835d36554 100644 --- a/pkg/metrics/certificates_test.go +++ b/pkg/metrics/certificates_test.go @@ -17,7 +17,6 @@ limitations under the License. package metrics import ( - "context" "strings" "testing" "time" @@ -195,7 +194,7 @@ func TestCertificateMetrics(t *testing.T) { for n, test := range tests { t.Run(n, func(t *testing.T) { m := New(logtesting.NewTestLogger(t), clock.RealClock{}) - m.UpdateCertificate(context.TODO(), test.crt) + m.UpdateCertificate(test.crt) if err := testutil.CollectAndCompare(m.certificateExpiryTimeSeconds, strings.NewReader(expiryMetadata+test.expectedExpiry), @@ -279,9 +278,9 @@ func TestCertificateCache(t *testing.T) { ) // Observe all three Certificate metrics - m.UpdateCertificate(context.TODO(), crt1) - m.UpdateCertificate(context.TODO(), crt2) - m.UpdateCertificate(context.TODO(), crt3) + m.UpdateCertificate(crt1) + m.UpdateCertificate(crt2) + m.UpdateCertificate(crt3) // Check all three metrics exist if err := testutil.CollectAndCompare(m.certificateReadyStatus, diff --git a/pkg/util/pki/certificatetemplate_test.go b/pkg/util/pki/certificatetemplate_test.go index ded264a9c..b97dfb057 100644 --- a/pkg/util/pki/certificatetemplate_test.go +++ b/pkg/util/pki/certificatetemplate_test.go @@ -36,7 +36,7 @@ func TestCertificateTemplateFromCSR(t *testing.T) { sansGenerator := func(t *testing.T, generalNames []asn1.RawValue, critical bool) pkix.Extension { val, err := asn1.Marshal(generalNames) if err != nil { - panic(err) + t.Fatal(err) } return pkix.Extension{ diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go index 033649629..9fb1078d6 100644 --- a/pkg/util/pki/csr_test.go +++ b/pkg/util/pki/csr_test.go 
@@ -379,7 +379,7 @@ func TestGenerateCSR(t *testing.T) { sansGenerator := func(t *testing.T, generalNames []asn1.RawValue, critical bool) pkix.Extension { val, err := asn1.Marshal(generalNames) if err != nil { - panic(err) + t.Fatal(err) } return pkix.Extension{ diff --git a/pkg/util/pki/kube_test.go b/pkg/util/pki/kube_test.go index 089bebeaa..c5d8ba88e 100644 --- a/pkg/util/pki/kube_test.go +++ b/pkg/util/pki/kube_test.go @@ -42,7 +42,7 @@ func TestCertificateTemplateFromCertificateSigningRequest(t *testing.T) { val, err := asn1.Marshal(generalNames) if err != nil { - panic(err) + t.Fatal(err) } return pkix.Extension{ diff --git a/pkg/util/pki/match.go b/pkg/util/pki/match.go index 0b4537ef2..9f07d0593 100644 --- a/pkg/util/pki/match.go +++ b/pkg/util/pki/match.go @@ -47,7 +47,7 @@ func PrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) ([] case "", cmapi.RSAKeyAlgorithm: return rsaPrivateKeyMatchesSpec(pk, spec) case cmapi.Ed25519KeyAlgorithm: - return ed25519PrivateKeyMatchesSpec(pk, spec) + return ed25519PrivateKeyMatchesSpec(pk) case cmapi.ECDSAKeyAlgorithm: return ecdsaPrivateKeyMatchesSpec(pk, spec) default: @@ -97,7 +97,7 @@ func ecdsaPrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec return violations, nil } -func ed25519PrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) ([]string, error) { +func ed25519PrivateKeyMatchesSpec(pk crypto.PrivateKey) ([]string, error) { _, ok := pk.(ed25519.PrivateKey) if !ok { return []string{"spec.privateKey.algorithm"}, nil diff --git a/pkg/util/util_test.go b/pkg/util/util_test.go index b73db617b..cbc708e35 100644 --- a/pkg/util/util_test.go +++ b/pkg/util/util_test.go @@ -129,8 +129,8 @@ func TestEqualIPsUnsorted(t *testing.T) { } for name, spec := range specs { - s1 := parseIPs(t, spec.s1) - s2 := parseIPs(t, spec.s2) + s1 := parseIPs(spec.s1) + s2 := parseIPs(spec.s2) t.Run(name, func(t *testing.T) { got := EqualIPsUnsorted(s1, s2) 
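Review bot: `ed25519PrivateKeyMatchesSpec` now differs in shape from its `rsaPrivateKeyMatchesSpec` and `ecdsaPrivateKeyMatchesSpec` siblings in the switch of the @@ -47 hunk, and nothing records why it alone needs no `spec`. A one-line comment on the function, e.g. `// ed25519PrivateKeyMatchesSpec only checks the key type: Ed25519 keys come in a single fixed size, so there is no key-size check to make against the spec.`, keeps the next reader from re-adding the parameter. The function body continues outside the hunk.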
@@ -244,7 +244,7 @@ func parseURLs(t *testing.T, urlStrs []string) []*url.URL {
 return urls
 }
-func parseIPs(t *testing.T, ipStrs []string) []net.IP {
+func parseIPs(ipStrs []string) []net.IP {
 var ips []net.IP
 for _, i := range ipStrs {
diff --git a/test/e2e/framework/addon/vault/vault.go b/test/e2e/framework/addon/vault/vault.go
index be07e5ccd..8dfd48588 100644
--- a/test/e2e/framework/addon/vault/vault.go
+++ b/test/e2e/framework/addon/vault/vault.go
@@ -287,15 +287,9 @@ func (v *Vault) Setup(cfg *config.Config, leaderData ...internal.AddonTransferab
 }
 v.details.VaultCA = vaultCA
- v.vaultCert, v.vaultCertPrivateKey, err = generateVaultServingCert(vaultCA, vaultCAPrivateKey, dnsName)
- if err != nil {
- return nil, err
- }
+ v.vaultCert, v.vaultCertPrivateKey = generateVaultServingCert(vaultCA, vaultCAPrivateKey, dnsName)
- vaultClientCertificate, vaultClientPrivateKey, err := generateVaultClientCert(vaultCA, vaultCAPrivateKey)
- if err != nil {
- return nil, err
- }
+ vaultClientCertificate, vaultClientPrivateKey := generateVaultClientCert(vaultCA, vaultCAPrivateKey)
 v.details.VaultClientCertificate = vaultClientCertificate
 v.details.VaultClientPrivateKey = vaultClientPrivateKey
 v.details.EnforceMtls = v.EnforceMtls
@@ -447,7 +441,7 @@ func (v *Vault) Logs() (map[string]string, error) {
 return v.chart.Logs()
 }
-func generateVaultServingCert(vaultCA []byte, vaultCAPrivateKey []byte, dnsName string) ([]byte, []byte, error) {
+func generateVaultServingCert(vaultCA []byte, vaultCAPrivateKey []byte, dnsName string) ([]byte, []byte) {
 catls, _ := tls.X509KeyPair(vaultCA, vaultCAPrivateKey)
 ca, _ := x509.ParseCertificate(catls.Certificate[0])
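Review bot: `parseIPs` drops `t` instead of using it, so the helper keeps no way to fail the test on a fixture string it cannot parse; the loop body is outside the hunk, but if it appends the result of `net.ParseIP` unchecked (which the linter treating `t` as unused suggests), a nil entry would flow silently into `EqualIPsUnsorted` and could hide a typo in a fixture. Keeping `t` and failing fast — `if ip == nil { t.Fatalf("invalid IP fixture %q", i) }` inside the loop — would satisfy the linter and make the helper trustworthy; the call sites in the @@ -129 hunk on the previous line would then keep passing `t`.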
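Review bot: Dropping the `error` return from `generateVaultServingCert` (and from `generateVaultClientCert` in the next line's hunks) fixes the linter finding from the wrong side: the functions never returned a non-nil error only because every failure — `tls.X509KeyPair`, `x509.ParseCertificate`, `rsa.GenerateKey`, `x509.CreateCertificate` — is discarded with `_`. A bad CA key pair now surfaces as an index panic on `catls.Certificate[0]` or a nil dereference at `&privateKey.PublicKey`, where `Setup` used to have a `return nil, err` path for it. Keeping the `([]byte, []byte, error)` signature and checking each call, with the two call sites in the `Setup` hunk restoring their removed `if err != nil { return nil, err }` lines, gives the framework a real failure path; the sketch below shows the serving-cert function, and the client-cert one is the same apart from its template. The certificate template code between ParseCertificate and GenerateKey is outside the hunk.
```go
func generateVaultServingCert(vaultCA []byte, vaultCAPrivateKey []byte, dnsName string) ([]byte, []byte, error) {
	catls, err := tls.X509KeyPair(vaultCA, vaultCAPrivateKey)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(catls.Certificate[0])
	if err != nil {
		return nil, nil, err
	}
	// … unchanged: serving certificate template for dnsName …
	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &privateKey.PublicKey, catls.PrivateKey)
	if err != nil {
		return nil, nil, err
	}
	return encodePublicKey(certBytes), encodePrivateKey(privateKey), nil
}
```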
@@ -470,10 +464,10 @@ func generateVaultServingCert(vaultCA []byte, vaultCAPrivateKey []byte, dnsName
 privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
 certBytes, _ := x509.CreateCertificate(rand.Reader, cert, ca, &privateKey.PublicKey, catls.PrivateKey)
- return encodePublicKey(certBytes), encodePrivateKey(privateKey), nil
+ return encodePublicKey(certBytes), encodePrivateKey(privateKey)
 }
-func generateVaultClientCert(vaultCA []byte, vaultCAPrivateKey []byte) ([]byte, []byte, error) {
+func generateVaultClientCert(vaultCA []byte, vaultCAPrivateKey []byte) ([]byte, []byte) {
 catls, _ := tls.X509KeyPair(vaultCA, vaultCAPrivateKey)
 ca, _ := x509.ParseCertificate(catls.Certificate[0])
@@ -494,7 +488,7 @@ func generateVaultClientCert(vaultCA []byte, vaultCAPrivateKey []byte) ([]byte,
 privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
 certBytes, _ := x509.CreateCertificate(rand.Reader, cert, ca, &privateKey.PublicKey, catls.PrivateKey)
- return encodePublicKey(certBytes), encodePrivateKey(privateKey), nil
+ return encodePublicKey(certBytes), encodePrivateKey(privateKey)
 }
 func GenerateCA() ([]byte, []byte, error) {
diff --git a/test/e2e/suite/certificaterequests/approval/approval.go b/test/e2e/suite/certificaterequests/approval/approval.go
index 173425256..70db251f9 100644
--- a/test/e2e/suite/certificaterequests/approval/approval.go
+++ b/test/e2e/suite/certificaterequests/approval/approval.go
@@ -28,6 +28,7 @@ import (
 crdapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 crdclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/rand"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/util/retry"
@@ -54,9 +55,10 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { saclient clientset.Interface request *cmapi.CertificateRequest - crd *crdapi.CustomResourceDefinition - crdclient crdclientset.Interface - group string + crd *crdapi.CustomResourceDefinition + crdclient crdclientset.Interface + issuerKind string + group string ) // isNotFoundError returns true if an error from the cert-manager admission @@ -107,6 +109,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { var err error crdclient, err = crdclientset.NewForConfig(f.KubeClientConfig) Expect(err).NotTo(HaveOccurred()) + issuerKind = fmt.Sprintf("Issuer%s", rand.String(5)) group = e2eutil.RandomSubdomain("example.io") sa, err = f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name).Create(context.TODO(), &corev1.ServiceAccount{ @@ -215,7 +218,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { gen.SetCertificateRequestCSR(csr), gen.SetCertificateRequestIssuer(cmmeta.ObjectReference{ Name: "test-issuer", - Kind: "Issuer", + Kind: issuerKind, Group: group, }), ) @@ -240,7 +243,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("attempting to approve a certificate request without the approve permission should error", func() { - createCRD(crdclient, group, "issuers", "Issuer", crdapi.NamespaceScoped) + createCRD(crdclient, group, "issuers", issuerKind, crdapi.NamespaceScoped) approvedCR := request.DeepCopy() apiutil.SetCertificateRequestCondition(approvedCR, cmapi.CertificateRequestConditionApproved, cmmeta.ConditionTrue, "cert-manager.io", "e2e") err := retry.OnError(retry.DefaultBackoff, retryOnNotFound(approvedCR.Spec.IssuerRef), func() error { 
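Review bot: `issuerKind` replaces the constant "Issuer" with `fmt.Sprintf("Issuer%s", rand.String(5))`, and nothing in the hunk records why a random Kind is wanted; presumably it keeps `createCRD`'s kind argument varying so the linter stops flagging it, but a reader will assume isolation between specs is the goal. A one-line comment at the assignment stating the intent, e.g. `// issuerKind is randomised per spec; it is used as the Kind of the CRD created by createCRD and as the issuerRef kind of the request.`, would remove the guesswork — or, if no isolation is needed, a constant with the parameter dropped from createCRD is the simpler fix. The createCRD call sites are in the following hunks on this line and the next two.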
@@ -251,7 +254,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("attempting to deny a certificate request without the approve permission should error", func() { - createCRD(crdclient, group, "issuers", "Issuer", crdapi.NamespaceScoped) + createCRD(crdclient, group, "issuers", issuerKind, crdapi.NamespaceScoped) deniedCR := request.DeepCopy() apiutil.SetCertificateRequestCondition(deniedCR, cmapi.CertificateRequestConditionDenied, cmmeta.ConditionTrue, "cert-manager.io", "e2e") err := retry.OnError(retry.DefaultBackoff, retryOnNotFound(deniedCR.Spec.IssuerRef), func() error { @@ -293,7 +296,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for cluster scoped issuers.example.io/* should be able to approve requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.ClusterScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.ClusterScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/*", group)) approvedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) @@ -306,7 +309,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for cluster scoped issuers.example.io/* should be able to deny requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.ClusterScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.ClusterScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/*", group)) deniedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) 
@@ -319,7 +322,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for cluster scoped issuers.example.io/test-issuer should be able to approve requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.ClusterScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.ClusterScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/test-issuer", group)) approvedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) 
@@ -331,8 +334,21 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { })).ToNot(HaveOccurred()) }) + It("a service account with the approve permissions for cluster scoped clusterissuers.example.io/test-issuer should be able to approve requests", func() { + crd = createCRD(crdclient, group, "clusterissuers", issuerKind, crdapi.ClusterScoped) + bindServiceAccountToApprove(f, sa, fmt.Sprintf("clusterissuers.%s/test-issuer", group)) + + approvedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + apiutil.SetCertificateRequestCondition(approvedCR, cmapi.CertificateRequestConditionApproved, cmmeta.ConditionTrue, "cert-manager.io", "e2e") + Expect(retry.OnError(retry.DefaultBackoff, retryOnNotFound(approvedCR.Spec.IssuerRef), func() error { + _, err = saclient.CertmanagerV1().CertificateRequests(f.Namespace.Name).UpdateStatus(context.TODO(), approvedCR, metav1.UpdateOptions{}) + return err + })).ToNot(HaveOccurred()) + }) + It("a service account with the approve permissions for cluster scoped issuers.example.io/.test-issuer should not be able to approve requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.ClusterScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.ClusterScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/%s.test-issuer", f.Namespace.Name, group)) approvedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) 
@@ -346,7 +362,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for namespaced scoped issuers.example.io/.test-issuer should be able to approve requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.NamespaceScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.NamespaceScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/%s.test-issuer", group, f.Namespace.Name)) approvedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) @@ -359,7 +375,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for namespaced scoped issuers.example.io/test-issuer should not be able to approve requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.NamespaceScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.NamespaceScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/test-issuer", group)) approvedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) @@ -375,7 +391,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { // It("a service account with the approve permissions for cluster scoped issuers.example.io/test-issuer should be able to deny requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.ClusterScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.ClusterScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/test-issuer", group)) deniedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) 
@@ -388,7 +404,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for cluster scoped issuers.example.io/.test-issuer should not be able to deny requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.ClusterScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.ClusterScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/%s.test-issuer", f.Namespace.Name, group)) deniedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) @@ -402,7 +418,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for namespaced scoped issuers.example.io/.test-issuer should be able to deny requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.NamespaceScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.NamespaceScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/%s.test-issuer", group, f.Namespace.Name)) deniedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) @@ -415,7 +431,7 @@ var _ = framework.CertManagerDescribe("Approval CertificateRequests", func() { }) It("a service account with the approve permissions for namespaced scoped issuers.example.io/test-issuer should not be able to denied requests", func() { - crd = createCRD(crdclient, group, "issuers", "Issuer", crdapi.NamespaceScoped) + crd = createCRD(crdclient, group, "issuers", issuerKind, crdapi.NamespaceScoped) bindServiceAccountToApprove(f, sa, fmt.Sprintf("issuers.%s/test-issuer", group)) deniedCR, err := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name).Get(context.TODO(), request.Name, metav1.GetOptions{}) 
diff --git a/test/e2e/suite/conformance/certificates/vault/vault_approle.go b/test/e2e/suite/conformance/certificates/vault/vault_approle.go index c6d64962f..a37525d1d 100644 --- a/test/e2e/suite/conformance/certificates/vault/vault_approle.go +++ b/test/e2e/suite/conformance/certificates/vault/vault_approle.go @@ -91,7 +91,7 @@ func (v *vaultAppRoleProvisioner) createIssuer(f *framework.Framework) cmmeta.Ob appRoleSecretGeneratorName := "vault-approle-secret-" By("Creating a VaultAppRole Issuer") - v.vaultSecrets = v.initVault(f) + v.vaultSecrets = v.initVault() sec, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(context.TODO(), vault.NewVaultAppRoleSecret(appRoleSecretGeneratorName, v.secretID), metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") @@ -103,7 +103,7 @@ func (v *vaultAppRoleProvisioner) createIssuer(f *framework.Framework) cmmeta.Ob ObjectMeta: metav1.ObjectMeta{ GenerateName: "vault-issuer-", }, - Spec: v.createIssuerSpec(f), + Spec: v.createIssuerSpec(), }, metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") @@ -123,7 +123,7 @@ func (v *vaultAppRoleProvisioner) createClusterIssuer(f *framework.Framework) cm appRoleSecretGeneratorName := "vault-approle-secret-" By("Creating a VaultAppRole ClusterIssuer") - v.vaultSecrets = v.initVault(f) + v.vaultSecrets = v.initVault() sec, err := f.KubeClientSet.CoreV1().Secrets(f.Config.Addons.CertManager.ClusterResourceNamespace).Create(context.TODO(), vault.NewVaultAppRoleSecret(appRoleSecretGeneratorName, v.secretID), metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") 
@@ -135,7 +135,7 @@ func (v *vaultAppRoleProvisioner) createClusterIssuer(f *framework.Framework) cm ObjectMeta: metav1.ObjectMeta{ GenerateName: "vault-cluster-issuer-", }, - Spec: v.createIssuerSpec(f), + Spec: v.createIssuerSpec(), }, metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") @@ -151,7 +151,7 @@ func (v *vaultAppRoleProvisioner) createClusterIssuer(f *framework.Framework) cm } } -func (v *vaultAppRoleProvisioner) initVault(f *framework.Framework) *vaultSecrets { +func (v *vaultAppRoleProvisioner) initVault() *vaultSecrets { By("Configuring the VaultAppRole server") v.setup = vault.NewVaultInitializerAppRole( addon.Base.Details().KubeClient, @@ -170,7 +170,7 @@ func (v *vaultAppRoleProvisioner) initVault(f *framework.Framework) *vaultSecret } } -func (v *vaultAppRoleProvisioner) createIssuerSpec(f *framework.Framework) cmapi.IssuerSpec { +func (v *vaultAppRoleProvisioner) createIssuerSpec() cmapi.IssuerSpec { return cmapi.IssuerSpec{ IssuerConfig: cmapi.IssuerConfig{ Vault: &cmapi.VaultIssuer{ diff --git a/test/e2e/suite/conformance/certificatesigningrequests/vault/approle.go b/test/e2e/suite/conformance/certificatesigningrequests/vault/approle.go index f4cd90b8f..fce7e554d 100644 --- a/test/e2e/suite/conformance/certificatesigningrequests/vault/approle.go +++ b/test/e2e/suite/conformance/certificatesigningrequests/vault/approle.go @@ -123,7 +123,7 @@ func (a *approle) createIssuer(f *framework.Framework) string { appRoleSecretGeneratorName := "vault-approle-secret-" By("Creating a VaultAppRole Issuer") - a.secrets = a.initVault(f) + a.secrets = a.initVault() sec, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(context.TODO(), vault.NewVaultAppRoleSecret(appRoleSecretGeneratorName, a.secretID), metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") 
@@ -135,7 +135,7 @@ func (a *approle) createIssuer(f *framework.Framework) string { ObjectMeta: metav1.ObjectMeta{ GenerateName: "vault-issuer-", }, - Spec: a.createIssuerSpec(f), + Spec: a.createIssuerSpec(), }, metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") @@ -151,7 +151,7 @@ func (a *approle) createClusterIssuer(f *framework.Framework) string { appRoleSecretGeneratorName := "vault-approle-secret-" By("Creating a VaultAppRole ClusterIssuer") - a.secrets = a.initVault(f) + a.secrets = a.initVault() sec, err := f.KubeClientSet.CoreV1().Secrets(f.Config.Addons.CertManager.ClusterResourceNamespace).Create(context.TODO(), vault.NewVaultAppRoleSecret(appRoleSecretGeneratorName, a.secretID), metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") @@ -163,7 +163,7 @@ func (a *approle) createClusterIssuer(f *framework.Framework) string { ObjectMeta: metav1.ObjectMeta{ GenerateName: "vault-cluster-issuer-", }, - Spec: a.createIssuerSpec(f), + Spec: a.createIssuerSpec(), }, metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") @@ -175,7 +175,7 @@ func (a *approle) createClusterIssuer(f *framework.Framework) string { return fmt.Sprintf("clusterissuers.cert-manager.io/%s", issuer.Name) } -func (a *approle) initVault(f *framework.Framework) *secrets { +func (a *approle) initVault() *secrets { By("Configuring the VaultAppRole server") a.setup = vault.NewVaultInitializerAppRole( addon.Base.Details().KubeClient, @@ -194,7 +194,7 @@ func (a *approle) initVault(f *framework.Framework) *secrets { } } -func (a *approle) createIssuerSpec(f *framework.Framework) cmapi.IssuerSpec { +func (a *approle) createIssuerSpec() cmapi.IssuerSpec { return cmapi.IssuerSpec{ IssuerConfig: cmapi.IssuerConfig{ Vault: &cmapi.VaultIssuer{ 
diff --git a/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go b/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go index d98437ca7..d0dab692b 100644 --- a/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go +++ b/test/e2e/suite/conformance/certificatesigningrequests/vault/kubernetes.go @@ -82,7 +82,7 @@ func (k *kubernetes) createIssuer(f *framework.Framework) string { GenerateName: "vault-issuer-", Namespace: f.Namespace.Name, }, - Spec: k.issuerSpec(f), + Spec: k.issuerSpec(), }, metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred()) @@ -102,7 +102,7 @@ func (k *kubernetes) createClusterIssuer(f *framework.Framework) string { ObjectMeta: metav1.ObjectMeta{ GenerateName: "vault-issuer-", }, - Spec: k.issuerSpec(f), + Spec: k.issuerSpec(), }, metav1.CreateOptions{}) Expect(err).NotTo(HaveOccurred()) @@ -150,7 +150,7 @@ func (k *kubernetes) initVault(f *framework.Framework, boundNS string) { Expect(err).NotTo(HaveOccurred()) } -func (k *kubernetes) issuerSpec(f *framework.Framework) cmapi.IssuerSpec { +func (k *kubernetes) issuerSpec() cmapi.IssuerSpec { return cmapi.IssuerSpec{ IssuerConfig: cmapi.IssuerConfig{ Vault: &cmapi.VaultIssuer{ diff --git a/test/integration/certificates/trigger_controller_test.go b/test/integration/certificates/trigger_controller_test.go index 10dc9c526..c7a80866f 100644 --- a/test/integration/certificates/trigger_controller_test.go +++ b/test/integration/certificates/trigger_controller_test.go @@ -60,7 +60,7 @@ func TestTriggerController(t *testing.T) { // Build, instantiate and run the trigger controller. kubeClient, factory, cmCl, cmFactory, scheme := framework.NewClients(t, config) - namespace := "testns" + namespace := "testns-trigger" // Create Namespace ns := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}} 
@@ -96,7 +96,7 @@ func TestTriggerController(t *testing.T) { // Create a Certificate resource and wait for it to have the 'Issuing' condition. cert, err := cmCl.CertmanagerV1().Certificates(namespace).Create(ctx, &cmapi.Certificate{ - ObjectMeta: metav1.ObjectMeta{Name: "testcrt", Namespace: "testns"}, + ObjectMeta: metav1.ObjectMeta{Name: "testcrt", Namespace: namespace}, Spec: cmapi.CertificateSpec{ SecretName: "example", CommonName: "example.com", @@ -125,7 +125,7 @@ func TestTriggerController_RenewNearExpiry(t *testing.T) { // Build, instantiate and run the trigger controller. kubeClient, factory, cmCl, cmFactory, scheme := framework.NewClients(t, config) - namespace := "testns" + namespace := "testns-renew-near-expiry" secretName := "example" certName := "testcrt" @@ -247,7 +247,7 @@ func TestTriggerController_ExpBackoff(t *testing.T) { // Build, instantiate and run the trigger controller. kubeClient, factory, cmCl, cmFactory, scheme := framework.NewClients(t, config) - namespace := "testns" + namespace := "testns-expbackoff" secretName := "example" certName := "testcrt"