Skip to content
This repository has been archived by the owner on Dec 16, 2024. It is now read-only.

Commit

Permalink
Merge pull request #594 from laurafitzgerald/gh-581-tlspolicy-status
Browse files Browse the repository at this point in the history
validate the presence of specified issuer or clusterisssuer in tlspolicy
  • Loading branch information
maleck13 authored Sep 22, 2023
2 parents 37d2951 + b024117 commit 7bd2464
Show file tree
Hide file tree
Showing 8 changed files with 137 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
alm-examples: '[]'
capabilities: Basic Install
createdAt: "2023-09-14T13:57:32Z"
createdAt: "2023-09-21T16:23:26Z"
operators.operatorframework.io/builder: operator-sdk-v1.28.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
name: multicluster-gateway-controller.v0.0.0
Expand Down Expand Up @@ -206,6 +206,20 @@ spec:
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- list
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- apiGroups:
- cluster.open-cluster-management.io
resources:
Expand Down
14 changes: 14 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,20 @@ rules:
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- list
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- apiGroups:
- cluster.open-cluster-management.io
resources:
Expand Down
20 changes: 20 additions & 0 deletions pkg/controllers/tlspolicy/certmanager_helper.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
package tlspolicy

import (
"context"
"fmt"

certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"sigs.k8s.io/controller-runtime/pkg/client"
gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"

"github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1"
Expand Down Expand Up @@ -113,3 +117,19 @@ func translatePolicy(crt *certmanv1.Certificate, tlsPolicy v1alpha1.TLSPolicySpe
}

}

// validateIssuer validates that the issuer specified exists
func validateIssuer(ctx context.Context, k8sClient client.Client, policy *v1alpha1.TLSPolicy) error {
var issuer client.Object
issuerNamespace := ""
switch policy.Spec.IssuerRef.Kind {
case "", certmanv1.IssuerKind:
issuer = &certmanv1.Issuer{}
issuerNamespace = policy.Namespace
case certmanv1.ClusterIssuerKind:
issuer = &certmanv1.ClusterIssuer{}
default:
return fmt.Errorf(`invalid value %q for issuerRef.kind. Must be empty, %q or %q`, policy.Spec.IssuerRef.Kind, certmanv1.IssuerKind, certmanv1.ClusterIssuerKind)
}
return k8sClient.Get(ctx, client.ObjectKey{Name: policy.Spec.IssuerRef.Name, Namespace: issuerNamespace}, issuer)
}
7 changes: 7 additions & 0 deletions pkg/controllers/tlspolicy/tlspolicy_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,8 @@ type TLSPolicyReconciler struct {
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/finalizers,verbs=update
//+kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;
//+kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;

func (r *TLSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := r.Logger().WithValues("TLSPolicy", req.NamespacedName)
Expand Down Expand Up @@ -156,6 +158,11 @@ func (r *TLSPolicyReconciler) reconcileResources(ctx context.Context, tlsPolicy
return err
}

err = validateIssuer(ctx, r.Client(), tlsPolicy)
if err != nil {
return err
}

// reconcile based on gateway diffs
gatewayDiffObj, err := r.ComputeGatewayDiffs(ctx, tlsPolicy, targetNetworkObject, &TLSPolicyRefsConfig{})
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion test/e2e/gateway_single_spoke_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ var _ = Describe("Gateway single target cluster", func() {
err = tconfig.HubClient().Create(ctx, gw)
Expect(err).ToNot(HaveOccurred())

By("setting up TLSPolicy in the hub")
By("setting up TLSPolicy in the hub")
tlsPolicy = &mgcv1alpha1.TLSPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: testID,
Expand Down
62 changes: 57 additions & 5 deletions test/integration/tlspolicy_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {

var testNamespace string
var gatewayClass *gatewayv1beta1.GatewayClass
var issuer *certmanv1.Issuer

BeforeAll(func() {
logger = zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))
Expand All @@ -42,6 +43,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {

BeforeEach(func() {
CreateNamespace(&testNamespace)
issuer = NewTestIssuer("testissuer", testNamespace)
Expect(k8sClient.Create(ctx, issuer)).To(BeNil())
Eventually(func() error { //issuer exists
return k8sClient.Get(ctx, client.ObjectKey{Name: issuer.Name, Namespace: issuer.Namespace}, issuer)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
})

AfterEach(func() {
Expand All @@ -55,6 +61,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {
for _, policy := range policyList.Items {
k8sClient.Delete(ctx, &policy)
}
issuerList := certmanv1.IssuerList{}
Expect(k8sClient.List(ctx, &issuerList)).To(BeNil())
for _, issuer := range issuerList.Items {
k8sClient.Delete(ctx, &issuer)
}
})

AfterAll(func() {
Expand All @@ -74,7 +85,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
Expect(err).ToNot(HaveOccurred())
})

Context("valid target and policy", func() {
Context("valid target, issuer and policy", func() {

BeforeEach(func() {
gateway = NewTestGateway("test-gateway", gwClassName, testNamespace).
Expand All @@ -84,7 +95,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -165,6 +177,43 @@ var _ = Describe("TLSPolicy", Ordered, func() {

})

Context("valid target, clusterissuer and policy", func() {
var clusterIssuer *certmanv1.ClusterIssuer

BeforeEach(func() {
gateway = NewTestGateway("test-gateway", gwClassName, testNamespace).
WithHTTPListener("test.example.com").Gateway
Expect(k8sClient.Create(ctx, gateway)).To(BeNil())
Eventually(func() error { //gateway exists
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).
WithIssuer("testclusterissuer", certmanv1.ClusterIssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
clusterIssuer = NewTestClusterIssuer("testclusterissuer")
Expect(k8sClient.Create(ctx, clusterIssuer)).To(BeNil())
Eventually(func() error { //clusterIssuer exists
return k8sClient.Get(ctx, client.ObjectKey{Name: clusterIssuer.Name}, clusterIssuer)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
})

It("should have ready status", func() {
Eventually(func() error {
if err := k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy); err != nil {
return err
}
if !meta.IsStatusConditionTrue(tlsPolicy.Status.Conditions, string(conditions.ConditionTypeReady)) {
return fmt.Errorf("expected tlsPolicy status condition to be %s", string(conditions.ConditionTypeReady))
}
return nil
}, time.Second*15, time.Second).Should(BeNil())
})
})

Context("with http listener", func() {

BeforeEach(func() {
Expand All @@ -175,7 +224,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -222,7 +272,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -258,7 +309,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down
5 changes: 5 additions & 0 deletions test/util/suite_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"strconv"

"github.com/goombaio/namegenerator"
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
ocm_cluster_v1 "open-cluster-management.io/api/cluster/v1"
ocm_cluster_v1beta1 "open-cluster-management.io/api/cluster/v1beta1"
ocm_cluster_v1beta2 "open-cluster-management.io/api/cluster/v1beta2"
Expand Down Expand Up @@ -110,6 +111,10 @@ func (cfg *SuiteConfig) Build() error {
if err != nil {
return err
}
err = certmanv1.AddToScheme(scheme.Scheme)
if err != nil {
return err
}

cfg.cpClient, err = client.New(restcfg, client.Options{Scheme: scheme.Scheme})
if err != nil {
Expand Down
18 changes: 18 additions & 0 deletions test/util/test_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
package testutil

import (
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -34,6 +35,23 @@ func NewTestGateway(gwName, gwClassName, ns string) *TestGateway {
}
}

func NewTestIssuer(name, ns string) *certmanv1.Issuer {
return &certmanv1.Issuer{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
},
}
}

func NewTestClusterIssuer(name string) *certmanv1.ClusterIssuer {
return &certmanv1.ClusterIssuer{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
}
}

func (t *TestGateway) WithListener(listener gatewayv1beta1.Listener) *TestGateway {
t.Spec.Listeners = append(t.Spec.Listeners, listener)
return t
Expand Down

0 comments on commit 7bd2464

Please sign in to comment.