Vault CertificateRequest controller #1934
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoshVanL The full list of commands accepted by this bot can be found here. The pull request process is described here
return pk
}

func GenerateCSR(t *testing.T, secretKey crypto.Signer) []byte {
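Review bot: the signature `func GenerateCSR(t *testing.T, secretKey crypto.Signer) []byte` has no error return, so the only way the helper can report a failure is by calling into `t` (e.g. `t.FailNow()`), which ties CSR generation to the test runtime and stops it from living next to the similar functions in pkg/util/pki. Returning `([]byte, error)` and letting each call site decide how to fail would make the helper reusable outside tests.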
`t` is not used here and this function smells a lot like functions in pkg/util/pki - can the callsites be refactored to pass in something that allows greater configuration? We are statically setting the CommonName to `test` here, which is awkward behaviour to integrate in other packages
if err != nil {
t.Error(err)
t.FailNow()
}
`t` does get used here. How would you suggest the function look/be moved to?

tests := map[string]testT{
"a badly formed CSR should report failure": {
issuer: gen.Issuer("vault-issuer"),
nit: pre-define this as `baseIssuer` so that the `gen.SetCertificateRequestIssuer` can reference the name as `baseIssuer.Name`
Ah, because the Sign implementation never deep copies the CR resource (due to the way the certificaterequests controller works), you'll need to DeepCopy here too.. 😬
CheckFn: testcr.MustNoResponse,
},
expectedErr: false,
},
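Review bot: `expectedErr: false` together with a `CheckFn` of `testcr.MustNoResponse` only proves that no certificate came back; it does not assert that the request was actually marked as failed, so a regression where the controller swallows the error and does nothing at all would still pass this case. Add an expectation on the failure condition or recorded action alongside `MustNoResponse`.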
I don't see any ExpectedActions here that ensure it was marked as failed?
In order to use ExpectedActions, you're going to need to test the actual CertificateRequests controller itself with this issuer loaded. I think we discussed this before, but doing so will save you implementing/having to use additional logic in the CheckFn (and thus make our tests more consistent/easier to write IMO).
Whilst I see your point about testing at a lower level, given the nature of this code relies upon being run as a controller anyway (we absorb errors and return nil due to the controller-like design), given we actually use the same testing strategy as we do when testing controllers (yet can't test the full surface), I feel like so far we've only lost granularity in our tests with this.
pkg/internal/internal.go (outdated)
Sys() *vault.Sys
}

type VaultClient interface {
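Review bot: `Sys() *vault.Sys` exposes the concrete Vault API type rather than an interface, so a fake `VaultClient` still has to hand back a real `*vault.Sys` (or nil) and any controller code path that calls methods on it cannot be exercised without a live Vault. Narrowing the interface to the operations the controller actually invokes would let the fakes cover those paths.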
How come this is under `pkg/internal` and not `pkg/internal/vault`?
It's so we can fake the struct and keep the name the same. Happy to move it or change the naming?
test/unit/gen/lister.go (outdated)
type FakeSecretListerModifier func(*fake.FakeSecretLister)
type FakeSecretNamespaceListerModifier func(*fake.FakeSecretNamespaceLister)

func FakeSecretLister(mods ...FakeSecretListerModifier) *fake.FakeSecretLister {
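Review bot: the constructor `FakeSecretLister` shares its name with the type it returns, `fake.FakeSecretLister`, which reads ambiguously at call sites (`gen.FakeSecretLister(...)` versus the `fake.FakeSecretLister` struct). A name such as `NewFakeSecretLister`, or placing the variadic-modifier constructor next to the fake type itself, would avoid the collision.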
Is this necessary? If so, I think it'd be better to move it out of this package.. whilst maybe poorly named, `test/unit/gen` is meant to be for generating API types and this pulls in a dependency on `client-go` to this package 😅
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
/lgtm
What this PR does / why we need it:
Adds the vault CertificateRequest controller to resolve CertificateRequests that have vault issuer references.
TODO:
/assign