Skip to content
This repository has been archived by the owner on Dec 16, 2024. It is now read-only.

Commit

Permalink
validate the presence of specified cluster or clusterisssuer in tlspo…
Browse files Browse the repository at this point in the history
…licy
  • Loading branch information
laurafitzgerald committed Sep 21, 2023
1 parent 59f52d3 commit 0f193e3
Show file tree
Hide file tree
Showing 8 changed files with 90 additions and 6 deletions.
12 changes: 12 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- apiGroups:
- cluster.open-cluster-management.io
resources:
Expand Down
2 changes: 2 additions & 0 deletions pkg/controllers/gateway/gateway_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,8 @@ type GatewayPlacer interface {
// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;delete
// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;
// +kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;

// GatewayReconciler reconciles a Gateway object
type GatewayReconciler struct {
Expand Down
20 changes: 20 additions & 0 deletions pkg/controllers/tlspolicy/certmanager_helper.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
package tlspolicy

import (
"context"
"fmt"

certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"sigs.k8s.io/controller-runtime/pkg/client"
gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"

"github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1"
Expand Down Expand Up @@ -113,3 +117,19 @@ func translatePolicy(crt *certmanv1.Certificate, tlsPolicy v1alpha1.TLSPolicySpe
}

}

// validateIssuer validates that the issuer specified exists
func validateIssuer(ctx context.Context, k8sClient client.Client, policy *v1alpha1.TLSPolicy) error {
var issuer client.Object
issuerNamespace := ""
switch policy.Spec.IssuerRef.Kind {
case "", certmanv1.IssuerKind:
issuer = &certmanv1.Issuer{}
issuerNamespace = policy.Namespace
case certmanv1.ClusterIssuerKind:
issuer = &certmanv1.ClusterIssuer{}
default:
return fmt.Errorf(`invalid value %q for issuerRef.kind. Must be empty, %q or %q`, policy.Spec.IssuerRef.Kind, certmanv1.IssuerKind, certmanv1.ClusterIssuerKind)
}
return k8sClient.Get(ctx, client.ObjectKey{Name: policy.Spec.IssuerRef.Name, Namespace: issuerNamespace}, issuer)
}
5 changes: 5 additions & 0 deletions pkg/controllers/tlspolicy/tlspolicy_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,11 @@ func (r *TLSPolicyReconciler) reconcileResources(ctx context.Context, tlsPolicy
return err
}

err = validateIssuer(ctx, r.Client(), tlsPolicy)
if err != nil {
return err
}

// reconcile based on gateway diffs
gatewayDiffObj, err := r.ComputeGatewayDiffs(ctx, tlsPolicy, targetNetworkObject, &TLSPolicyRefsConfig{})
if err != nil {
Expand Down
17 changes: 16 additions & 1 deletion test/e2e/gateway_single_spoke_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (
"strings"
"time"

v1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmetav1 "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
Expand Down Expand Up @@ -39,6 +40,7 @@ var _ = Describe("Gateway single target cluster", func() {
var gw *gatewayapi.Gateway
var placement *ocm_cluster_v1beta1.Placement
var tlsPolicy *v1alpha1.TLSPolicy
var issuer *v1.Issuer

BeforeEach(func(ctx SpecContext) {
testID = "t-e2e-" + tconfig.GenerateName()
Expand Down Expand Up @@ -87,7 +89,20 @@ var _ = Describe("Gateway single target cluster", func() {
err = tconfig.HubClient().Create(ctx, gw)
Expect(err).ToNot(HaveOccurred())

By("setting up TLSPolicy in the hub")
By("setting up Issuer in the hub")
issuer = &v1.Issuer{
ObjectMeta: metav1.ObjectMeta{
Name: testID,
Namespace: tconfig.HubNamespace(),
},
Spec: v1.IssuerSpec{
IssuerConfig: v1.IssuerConfig{},
},
}
err = tconfig.HubClient().Create(ctx, issuer)
Expect(err).ToNot(HaveOccurred())

By("setting up TLSPolicy in the hub")
tlsPolicy = &mgcv1alpha1.TLSPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: testID,
Expand Down
25 changes: 20 additions & 5 deletions test/integration/tlspolicy_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {

var testNamespace string
var gatewayClass *gatewayv1beta1.GatewayClass
var issuer *certmanv1.Issuer

BeforeAll(func() {
logger = zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))
Expand All @@ -42,6 +43,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {

BeforeEach(func() {
CreateNamespace(&testNamespace)
issuer = NewTestIssuer("testissuer", testNamespace)
Expect(k8sClient.Create(ctx, issuer)).To(BeNil())
Eventually(func() error { //issuer exists
return k8sClient.Get(ctx, client.ObjectKey{Name: issuer.Name, Namespace: issuer.Namespace}, issuer)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
})

AfterEach(func() {
Expand All @@ -55,6 +61,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {
for _, policy := range policyList.Items {
k8sClient.Delete(ctx, &policy)
}
issuerList := certmanv1.IssuerList{}
Expect(k8sClient.List(ctx, &issuerList)).To(BeNil())
for _, issuer := range issuerList.Items {
k8sClient.Delete(ctx, &issuer)
}
})

AfterAll(func() {
Expand All @@ -74,7 +85,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
Expect(err).ToNot(HaveOccurred())
})

Context("valid target and policy", func() {
Context("valid target, issuer and policy", func() {

BeforeEach(func() {
gateway = NewTestGateway("test-gateway", gwClassName, testNamespace).
Expand All @@ -84,7 +95,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -154,7 +166,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -182,7 +195,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -218,7 +232,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down
5 changes: 5 additions & 0 deletions test/util/suite_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"strconv"

"github.com/goombaio/namegenerator"
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
ocm_cluster_v1 "open-cluster-management.io/api/cluster/v1"
ocm_cluster_v1beta1 "open-cluster-management.io/api/cluster/v1beta1"
ocm_cluster_v1beta2 "open-cluster-management.io/api/cluster/v1beta2"
Expand Down Expand Up @@ -110,6 +111,10 @@ func (cfg *SuiteConfig) Build() error {
if err != nil {
return err
}
err = certmanv1.AddToScheme(scheme.Scheme)
if err != nil {
return err
}

cfg.cpClient, err = client.New(restcfg, client.Options{Scheme: scheme.Scheme})
if err != nil {
Expand Down
10 changes: 10 additions & 0 deletions test/util/test_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
package testutil

import (
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -34,6 +35,15 @@ func NewTestGateway(gwName, gwClassName, ns string) *TestGateway {
}
}

func NewTestIssuer(name, ns string) *certmanv1.Issuer {
return &certmanv1.Issuer{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
},
}
}

func (t *TestGateway) WithListener(listener gatewayv1beta1.Listener) *TestGateway {
t.Spec.Listeners = append(t.Spec.Listeners, listener)
return t
Expand Down

0 comments on commit 0f193e3

Please sign in to comment.