Accidentally removed CA should trigger crt recreation (and rolling update) #2756
Conversation
…date) Signed-off-by: Stanislav Knot <sknot@redhat.com>
| @@ -234,14 +234,14 @@ public static Secret buildSecret(ClusterCa clusterCa, Secret secret, String name | |||
| reasons.add("certificate doesn't exist yet"); | |||
| shouldBeRegenerated = true; | |||
| } else { | |||
| if (clusterCa.certRenewed() || (clusterCa.isExpiring(secret, keyCertName + ".crt") && isMaintenanceTimeWindowsSatisfied)) { | |||
| if (clusterCa.keyCreated() || clusterCa.certRenewed() || (clusterCa.isExpiring(secret, keyCertName + ".crt") && isMaintenanceTimeWindowsSatisfied)) { | |||
There was a problem hiding this comment.
If I am reading the logic correctly, might it make sense to put isMaintenanceTimeWindowsSatisfied first, i.e
if (isMaintenanceTimeWindowsSatisfied && ...
As the prior three checks dont matter if this is false?
There was a problem hiding this comment.
isMaintenanceTimeWindowsSatisfied is tied just for this part of condition: (clusterCa.isExpiring(secret, keyCertName + ".crt") && isMaintenanceTimeWindowsSatisfied)
However it makes sense to move is as the first one in this scope. Good catch.
| @@ -737,6 +741,10 @@ public boolean keyReplaced() { | |||
| return renewalType == RenewalType.REPLACE_KEY; | |||
| } | |||
|
|
|||
| public boolean keyCreated() { | |||
| return renewalType == RenewalType.CREATE; | |||
There was a problem hiding this comment.
This is mostly stylistic but I believe .equals is generally preferred to == as we can choose to override how we compare objects and can avoid object hashes not matching https://stackoverflow.com/questions/7520432/what-is-the-difference-between-and-equals-in-java
99% of the time it doesn't matter but thought it was worth a mention.
| @@ -777,6 +778,41 @@ void testTriggerRollingUpdateAfterOverrideBootstrap() throws CertificateExceptio | |||
| // TODO: send and recv messages via this new bootstrap (after client builder) https://github.com/strimzi/strimzi-kafka-operator/pull/2520 | |||
| } | |||
|
|
|||
| @Test | |||
| void testAccidentallyRemovedCaTriggersRollingUpdate() { | |||
There was a problem hiding this comment.
Might be overly nit-picky, but the cause of why it is removed could be seen as not part of the 'test'
I would opt to have it be called something like
testClusterCaRemovedTriggersRollingUpdate
and then have a documented comment explaining the context of this test is it being accidentally removed.
| @@ -737,6 +741,10 @@ public boolean keyReplaced() { | |||
| return renewalType == RenewalType.REPLACE_KEY; | |||
| } | |||
|
|
|||
| public boolean keyCreated() { | |||
There was a problem hiding this comment.
isKeyCreated would be slightly more idiomatic, but given the other similar methods are not using is I can understand why you matched the convention
systemtest/src/test/java/io/strimzi/systemtest/RollingUpdateST.java
Outdated
Show resolved
Hide resolved
systemtest/src/test/java/io/strimzi/systemtest/RollingUpdateST.java
Outdated
Show resolved
Hide resolved
…date) (strimzi#2756) * Accidentally removed CA should trigger crt recreation (and rolling update) Signed-off-by: Stanislav Knot <sknot@redhat.com> * comments Signed-off-by: Stanislav Knot <sknot@redhat.com> Signed-off-by: Javier Criado <javier.criado@MAC00083.home>
…date) (strimzi#2756) * Accidentally removed CA should trigger crt recreation (and rolling update) Signed-off-by: Stanislav Knot <sknot@redhat.com> * comments Signed-off-by: Stanislav Knot <sknot@redhat.com>
Signed-off-by: Stanislav Knot sknot@redhat.com
Type of change
Description
Fixes #542
Checklist
./design