as raised in#3634 - RFC 5280 states that the issuer field cannot be
empty, but this could easily happen with selfsigned certs which had
an empty subject (as the issuer matches the subject when the cert is
self signed)
this commit detects when a cert would be issued selfsigned with an
empty subject DN and emits a warning event, allowing cluster operators
to detect the warning and potentially either re-issue to generate a
compliant cert, or else accept the risk.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Truncating the time to the second did not seem to be enough. Some CI
builds would fail due to the truncation yielding different times.
Instead of truncating, I propose to use a delta of 1 second.
Signed-off-by: Maël Valais <mael@vls.dev>
The stack frames displayed using assert.Fail was not very informative.
That is due to t.Cleanup being called "outside" of the test case
context. There was no mention of the test file itself, gatherer_test.go
in the following example:
certificaterequest.go:205:
Error Trace: certificaterequest.go:205
testing.go:872
testing.go:866
testing.go:873
testing.go:949
testing.go:1121
Error: lister.CertificateRequests was expected to be called but was not called
Test: TestDataForCertificate/should_return_error_when_the_list_func_returns_an_error
With this patch that vendors a simple version of assert.Fail, we get the
correct stack frames that the user needs in order to locate where this
failure happened:
certificaterequest.go:254:
Error Trace: gatherer_test.go:230
gatherer_test.go:240
Error: lister.CertificateRequests was expected to be called but was not called
Test: TestDataForCertificate/should_return_error_when_the_list_func_returns_an_error
Signed-off-by: Maël Valais <mael@vls.dev>
At first, I tried to follow the "generator" pattern that had already
been implemented for the order and secret objects. These generators look
like:
import (
"github.com/jetstack/cert-manager/test/unit/listers"
)
fake := listers.FakeSecretListerFrom(listers.NewFakeSecretLister(),
listers.SetFakeSecretNamespaceListerGet(nil, errors.New("not found")),
)
The major issue I was finding with this approach is that you cannot
enforce any behavior with these fakes: no way to check (or prevent)
unwanted called, no way to check that the correct namespace was used for
the call:
fake.Secrets("default").Get("secret-1")
which is annoying; I want to be able to check every input, output and
call numbers made to the mocked function.
So I propose a gomock-like approach. I could not use mockgen due to the
fact that (again) client-go is overly nested, which means I would have
to use quite a lot of glue code in order to use mockgen-generated mocks.
Signed-off-by: Maël Valais <mael@vls.dev>
I initially thought about using the fake clientset like anywhere else,
but this time I thought: what about trying out the hard way, i.e.,
writing all the mocking code myself?
Result: not that hard, but requires more time than just using the fake
clientset.
Signed-off-by: Maël Valais <mael@vls.dev>
