Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault CertificateRequest controller #1934

Merged
merged 22 commits into from Aug 14, 2019
Merged

Vault CertificateRequest controller #1934

merged 22 commits into from Aug 14, 2019

Conversation

JoshVanL
Copy link
Collaborator

@JoshVanL JoshVanL commented Jul 28, 2019
edited

What this PR does / why we need it:
Adds the vault CertificateRequest controller to resolve CertificateRequests that have vault issuer references.

TODO:

  • Add suite unit tests
  • Add e2e tests
Adds Vault CertificateRequest support.

/assign

@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 28, 2019
@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 28, 2019
@jetstack-bot jetstack-bot added area/testing Issues relating to testing size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 28, 2019
@jetstack-bot jetstack-bot added the area/vault Indicates a PR directly modifies the Vault Issuer code label Jul 29, 2019
@JoshVanL JoshVanL added this to the v0.10 milestone Jul 29, 2019
@JoshVanL
Copy link
Collaborator Author

/retest

@JoshVanL JoshVanL changed the title WIP: Vault CertificateRequest controller Vault CertificateRequest controller Jul 29, 2019
@jetstack-bot jetstack-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 29, 2019
@JoshVanL
Copy link
Collaborator Author

/retest

@jetstack-bot jetstack-bot added the area/api Indicates a PR directly modifies the 'pkg/apis' directory label Jul 30, 2019
@JoshVanL
Copy link
Collaborator Author

/retest

@JoshVanL
Copy link
Collaborator Author

💚 😎

munnerz
munnerz reviewed Aug 2, 2019
View reviewed changes
pkg/apis/certmanager/validation/certificate.go Outdated Show resolved Hide resolved
pkg/controller/certificaterequests/test/util.go Outdated
return pk
}

func GenerateCSR(t *testing.T, secretKey crypto.Signer) []byte {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

t is not used here and this function smells a lot like functions in pkg/util/pki - can the callsites be refactored to pass in something that allows greater configuration? We are statically setting the CommonName to test here, which is awkward behaviour to integrate in other packages

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

	if err != nil {
		t.Error(err)
		t.FailNow()
	}

t does get used here. How would you suggest the function look/be moved to?

pkg/controller/certificaterequests/test/util.go Outdated Show resolved Hide resolved
pkg/controller/certificaterequests/test/util.go Outdated Show resolved Hide resolved
pkg/controller/certificaterequests/test/util.go Outdated Show resolved Hide resolved
pkg/controller/certificaterequests/vault/vault_test.go Outdated

tests := map[string]testT{
"a badly formed CSR should report failure": {
issuer: gen.Issuer("vault-issuer"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: pre-define this as baseIssuer so that the gen.SetCertificateRequestIssuer can reference the name as baseIssuer.Name

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, because the Sign implementation never deep copies the CR resource (due to the way the certificaterequests controller works), you'll need to DeepCopy here too.. 😬

pkg/controller/certificaterequests/vault/vault_test.go Outdated
CheckFn: testcr.MustNoResponse,
},
expectedErr: false,
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any ExpectedActions here that ensure it was marked as failed?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In order to use ExpectedActions, you're going to need to test the actual CertificateRequests controller itself with this issuer loaded. I think we discussed this before, but doing so will save you implementing/having to use additional logic in the CheckFn (and thus make our tests more consistent/easier to write IMO).

Whilst I see your point about testing at a lower level, given the nature of this code relies upon being run as a controller anyway (we absorb errors and return nil due to the controller-like design), given we actually use the same testing strategy as we do when testing controllers (yet can't test the full surface), I feel like so far we've only lost granularity in our tests with this.

pkg/controller/test/fake/lister.go Outdated Show resolved Hide resolved
pkg/internal/internal.go Outdated
Sys() *vault.Sys
}

type VaultClient interface {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How come this is under pkg/internal and not pkg/internal/vault?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its so we can fake the struct and keep the name the same. Happy to move it change the naming?

test/unit/gen/lister.go Outdated
type FakeSecretListerModifier func(*fake.FakeSecretLister)
type FakeSecretNamespaceListerModifier func(*fake.FakeSecretNamespaceLister)

func FakeSecretLister(mods ...FakeSecretListerModifier) *fake.FakeSecretLister {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this necessary? If so, I think it'd be better to move it out of this package.. whilst maybe poorly named, test/unit/gen is meant to be for generating API types and this pulls in a dependency on client-go to this package 😅

@jetstack-bot jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 13, 2019
@JoshVanL
Adds initial vault CR controller
60b349e 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Update CA CR controller to use a shared reporter util
6b13415 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds status reports to vault sign method
356953c 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Fixes CR sync api reporting
312a050 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds initial cr vault unit tests
ad5e109 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds new internal vault client pkg
5923c0b 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Both CR controller and legacy issuer use new vault client for signing
bf13366 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds unit tests to vault CR controller
a8e7584 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Fix circular dependency
779c07b 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds CR vault e2e tests
f5df357 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Fix vault duration panic + util.CertDuration to default
635aae6 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds issuer to CR sign function
179fc03 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Use RSA keys for e2e vault CR tests
40f9153 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Get CR before checking duration on cert
1cf8150 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Rebase vault CR controller to use new reporter
cefd45b 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Move DefaultCertDuration to pkg/util/api
1bbdd03 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Code organisation and cleaning up code
ea84dfd 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Move pkg/internal/internal.go into ./pkg/internal/vault
f607503 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Fix pkg/internal/vault/fake
25f374d 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Cleans up some code and clearer naming
5f70998 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Improve code flow and remove unused issuer helper in vault cr controller
d588d5f 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Update reporter in vault CR controller to use new signature
b11d69a 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 13, 2019
@munnerz
Copy link
Member

munnerz commented Aug 14, 2019

/lgtm
/hold cancel

@jetstack-bot jetstack-bot added lgtm Indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Aug 14, 2019
@jetstack-bot jetstack-bot merged commit a51e66a into cert-manager:master Aug 14, 2019
@munnerz munnerz added this to Done in v0.10 Aug 19, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

Assignees

@munnerz munnerz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/testing Issues relating to testing area/vault Indicates a PR directly modifies the Vault Issuer code dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
No open projects
v0.10
  
Done
Milestone
v0.10
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@JoshVanL @jetstack-bot @munnerz