Accidentally removed CA should trigger crt recreation (and rolling update) #2756
…date) Signed-off-by: Stanislav Knot <sknot@redhat.com>
Just left some thoughts, hope they are useful. :)
@@ -234,14 +234,14 @@ public static Secret buildSecret(ClusterCa clusterCa, Secret secret, String name | |||
reasons.add("certificate doesn't exist yet"); | |||
shouldBeRegenerated = true; | |||
} else { | |||
if (clusterCa.certRenewed() || (clusterCa.isExpiring(secret, keyCertName + ".crt") && isMaintenanceTimeWindowsSatisfied)) { | |||
if (clusterCa.keyCreated() || clusterCa.certRenewed() || (clusterCa.isExpiring(secret, keyCertName + ".crt") && isMaintenanceTimeWindowsSatisfied)) { |
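Review bot: on the new condition line, `clusterCa.keyCreated()` sits outside the `(clusterCa.isExpiring(...) && isMaintenanceTimeWindowsSatisfied)` group, so a newly created CA key regenerates the certificate regardless of the maintenance window, the same as `certRenewed()`. If that is intended, state it in a short comment above the `if`, and make sure this case records its own entry in `reasons` (as the branch above does with "certificate doesn't exist yet") so the log shows why the regeneration was triggered.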
If I am reading the logic correctly, might it make sense to put `isMaintenanceTimeWindowsSatisfied` first, i.e. `if (isMaintenanceTimeWindowsSatisfied && ...`, as the prior three checks don't matter if this is false?
`isMaintenanceTimeWindowsSatisfied` is tied just to this part of the condition: `(clusterCa.isExpiring(secret, keyCertName + ".crt") && isMaintenanceTimeWindowsSatisfied)`.
However, it makes sense to move it to be the first one in this scope. Good catch.
@@ -737,6 +741,10 @@ public boolean keyReplaced() { | |||
return renewalType == RenewalType.REPLACE_KEY; | |||
} | |||
|
|||
public boolean keyCreated() { | |||
return renewalType == RenewalType.CREATE; |
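Review bot: the new public `keyCreated()` has no Javadoc. A one-line comment saying what `RenewalType.CREATE` means here, and how it differs from the `REPLACE_KEY` case checked by `keyReplaced()` just above, would help callers pick the right predicate.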
This is mostly stylistic but I believe `.equals` is generally preferred to `==` as we can choose to override how we compare objects and can avoid object hashes not matching: https://stackoverflow.com/questions/7520432/what-is-the-difference-between-and-equals-in-java
99% of the time it doesn't matter but thought it was worth a mention.
@@ -777,6 +778,41 @@ void testTriggerRollingUpdateAfterOverrideBootstrap() throws CertificateExceptio | |||
// TODO: send and recv messages via this new bootstrap (after client builder) https://github.com/strimzi/strimzi-kafka-operator/pull/2520 | |||
} | |||
|
|||
@Test | |||
void testAccidentallyRemovedCaTriggersRollingUpdate() { |
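Review bot: the name `testAccidentallyRemovedCaTriggersRollingUpdate` covers only the rolling update, while the PR title also promises certificate recreation. Consider asserting in this test that the certificate was regenerated after the CA was removed, not only that the pods rolled, and note that expectation in a comment above `@Test`.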
Might be overly nit-picky, but the cause of why it is removed could be seen as not part of the 'test'.
I would opt to have it be called something like `testClusterCaRemovedTriggersRollingUpdate` and then have a documented comment explaining the context of this test is it being accidentally removed.
@@ -737,6 +741,10 @@ public boolean keyReplaced() { | |||
return renewalType == RenewalType.REPLACE_KEY; | |||
} | |||
|
|||
public boolean keyCreated() { |
`isKeyCreated` would be slightly more idiomatic, but given the other similar methods are not using `is`, I can understand why you matched the convention.
Anyway looks good, and thanks for creating the ST :)))
LGTM. Nothing to add other than the comments already left.
…date) (strimzi#2756) * Accidentally removed CA should trigger crt recreation (and rolling update) Signed-off-by: Stanislav Knot <sknot@redhat.com> * comments Signed-off-by: Stanislav Knot <sknot@redhat.com> Signed-off-by: Javier Criado <javier.criado@MAC00083.home>
…date) (strimzi#2756) * Accidentally removed CA should trigger crt recreation (and rolling update) Signed-off-by: Stanislav Knot <sknot@redhat.com> * comments Signed-off-by: Stanislav Knot <sknot@redhat.com>
Signed-off-by: Stanislav Knot sknot@redhat.com
Type of change
Description
Fixes #542
Checklist
./design