Skip to content
This repository has been archived by the owner on Dec 16, 2024. It is now read-only.

validate the presence of specified issuer or clusterisssuer in tlspolicy #594

Merged
merged 1 commit into from
Sep 22, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
annotations:
alm-examples: '[]'
capabilities: Basic Install
createdAt: "2023-09-14T13:57:32Z"
createdAt: "2023-09-21T16:23:26Z"
operators.operatorframework.io/builder: operator-sdk-v1.28.0
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
name: multicluster-gateway-controller.v0.0.0
Expand Down Expand Up @@ -206,6 +206,20 @@ spec:
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- list
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- apiGroups:
- cluster.open-cluster-management.io
resources:
Expand Down
14 changes: 14 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,20 @@ rules:
- patch
- update
- watch
- apiGroups:
- cert-manager.io
resources:
- clusterissuers
verbs:
- get
- list
- apiGroups:
- cert-manager.io
resources:
- issuers
verbs:
- get
- list
- apiGroups:
- cluster.open-cluster-management.io
resources:
Expand Down
20 changes: 20 additions & 0 deletions pkg/controllers/tlspolicy/certmanager_helper.go
Original file line number Diff line number Diff line change
@@ -1,10 +1,14 @@
package tlspolicy

import (
"context"
"fmt"

certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
"sigs.k8s.io/controller-runtime/pkg/client"
gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"

"github.com/Kuadrant/multicluster-gateway-controller/pkg/apis/v1alpha1"
Expand Down Expand Up @@ -113,3 +117,19 @@ func translatePolicy(crt *certmanv1.Certificate, tlsPolicy v1alpha1.TLSPolicySpe
}

}

// validateIssuer validates that the issuer specified exists
func validateIssuer(ctx context.Context, k8sClient client.Client, policy *v1alpha1.TLSPolicy) error {
var issuer client.Object
issuerNamespace := ""
switch policy.Spec.IssuerRef.Kind {
case "", certmanv1.IssuerKind:
issuer = &certmanv1.Issuer{}
issuerNamespace = policy.Namespace
case certmanv1.ClusterIssuerKind:
issuer = &certmanv1.ClusterIssuer{}
default:
return fmt.Errorf(`invalid value %q for issuerRef.kind. Must be empty, %q or %q`, policy.Spec.IssuerRef.Kind, certmanv1.IssuerKind, certmanv1.ClusterIssuerKind)
}
return k8sClient.Get(ctx, client.ObjectKey{Name: policy.Spec.IssuerRef.Name, Namespace: issuerNamespace}, issuer)
}
7 changes: 7 additions & 0 deletions pkg/controllers/tlspolicy/tlspolicy_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,8 @@ type TLSPolicyReconciler struct {
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/status,verbs=get;update;patch
//+kubebuilder:rbac:groups=kuadrant.io,resources=tlspolicies/finalizers,verbs=update
//+kubebuilder:rbac:groups="cert-manager.io",resources=issuers,verbs=get;list;
//+kubebuilder:rbac:groups="cert-manager.io",resources=clusterissuers,verbs=get;list;

func (r *TLSPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
log := r.Logger().WithValues("TLSPolicy", req.NamespacedName)
Expand Down Expand Up @@ -151,6 +153,11 @@ func (r *TLSPolicyReconciler) reconcileResources(ctx context.Context, tlsPolicy
return err
}

err = validateIssuer(ctx, r.Client(), tlsPolicy)
if err != nil {
return err
}
mikenairn marked this conversation as resolved.
Show resolved Hide resolved

// reconcile based on gateway diffs
gatewayDiffObj, err := r.ComputeGatewayDiffs(ctx, tlsPolicy, targetNetworkObject, &TLSPolicyRefsConfig{})
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion test/e2e/gateway_single_spoke_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ var _ = Describe("Gateway single target cluster", func() {
err = tconfig.HubClient().Create(ctx, gw)
Expect(err).ToNot(HaveOccurred())

By("setting up TLSPolicy in the hub")
By("setting up TLSPolicy in the hub")
tlsPolicy = &mgcv1alpha1.TLSPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: testID,
Expand Down
62 changes: 57 additions & 5 deletions test/integration/tlspolicy_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {

var testNamespace string
var gatewayClass *gatewayv1beta1.GatewayClass
var issuer *certmanv1.Issuer

BeforeAll(func() {
logger = zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))
Expand All @@ -42,6 +43,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {

BeforeEach(func() {
CreateNamespace(&testNamespace)
issuer = NewTestIssuer("testissuer", testNamespace)
Expect(k8sClient.Create(ctx, issuer)).To(BeNil())
Eventually(func() error { //issuer exists
return k8sClient.Get(ctx, client.ObjectKey{Name: issuer.Name, Namespace: issuer.Namespace}, issuer)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
laurafitzgerald marked this conversation as resolved.
Show resolved Hide resolved
})

AfterEach(func() {
Expand All @@ -55,6 +61,11 @@ var _ = Describe("TLSPolicy", Ordered, func() {
for _, policy := range policyList.Items {
k8sClient.Delete(ctx, &policy)
}
issuerList := certmanv1.IssuerList{}
Expect(k8sClient.List(ctx, &issuerList)).To(BeNil())
for _, issuer := range issuerList.Items {
k8sClient.Delete(ctx, &issuer)
}
})

AfterAll(func() {
Expand All @@ -74,7 +85,7 @@ var _ = Describe("TLSPolicy", Ordered, func() {
Expect(err).ToNot(HaveOccurred())
})

Context("valid target and policy", func() {
Context("valid target, issuer and policy", func() {

BeforeEach(func() {
gateway = NewTestGateway("test-gateway", gwClassName, testNamespace).
Expand All @@ -84,7 +95,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -144,6 +156,43 @@ var _ = Describe("TLSPolicy", Ordered, func() {

})

Context("valid target, clusterissuer and policy", func() {
var clusterIssuer *certmanv1.ClusterIssuer

BeforeEach(func() {
gateway = NewTestGateway("test-gateway", gwClassName, testNamespace).
WithHTTPListener("test.example.com").Gateway
Expect(k8sClient.Create(ctx, gateway)).To(BeNil())
Eventually(func() error { //gateway exists
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).
WithIssuer("testclusterissuer", certmanv1.ClusterIssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
clusterIssuer = NewTestClusterIssuer("testclusterissuer")
Expect(k8sClient.Create(ctx, clusterIssuer)).To(BeNil())
Eventually(func() error { //clusterIssuer exists
return k8sClient.Get(ctx, client.ObjectKey{Name: clusterIssuer.Name}, clusterIssuer)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
})

It("should have ready status", func() {
Eventually(func() error {
if err := k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy); err != nil {
return err
}
if !meta.IsStatusConditionTrue(tlsPolicy.Status.Conditions, string(conditions.ConditionTypeReady)) {
return fmt.Errorf("expected tlsPolicy status condition to be %s", string(conditions.ConditionTypeReady))
}
return nil
}, time.Second*15, time.Second).Should(BeNil())
})
})

Context("with http listener", func() {

BeforeEach(func() {
Expand All @@ -154,7 +203,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -182,7 +232,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down Expand Up @@ -218,7 +269,8 @@ var _ = Describe("TLSPolicy", Ordered, func() {
return k8sClient.Get(ctx, client.ObjectKey{Name: gateway.Name, Namespace: gateway.Namespace}, gateway)
}, TestTimeoutMedium, TestRetryIntervalMedium).ShouldNot(HaveOccurred())
tlsPolicy = NewTestTLSPolicy("test-tls-policy", testNamespace).
WithTargetGateway(gateway.Name).TLSPolicy
WithTargetGateway(gateway.Name).
WithIssuer("testissuer", certmanv1.IssuerKind, "cert-manager.io").TLSPolicy
Expect(k8sClient.Create(ctx, tlsPolicy)).To(BeNil())
Eventually(func() error { //tls policy exists
return k8sClient.Get(ctx, client.ObjectKey{Name: tlsPolicy.Name, Namespace: tlsPolicy.Namespace}, tlsPolicy)
Expand Down
5 changes: 5 additions & 0 deletions test/util/suite_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"strconv"

"github.com/goombaio/namegenerator"
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
ocm_cluster_v1 "open-cluster-management.io/api/cluster/v1"
ocm_cluster_v1beta1 "open-cluster-management.io/api/cluster/v1beta1"
ocm_cluster_v1beta2 "open-cluster-management.io/api/cluster/v1beta2"
Expand Down Expand Up @@ -110,6 +111,10 @@ func (cfg *SuiteConfig) Build() error {
if err != nil {
return err
}
err = certmanv1.AddToScheme(scheme.Scheme)
if err != nil {
return err
}

cfg.cpClient, err = client.New(restcfg, client.Options{Scheme: scheme.Scheme})
if err != nil {
Expand Down
18 changes: 18 additions & 0 deletions test/util/test_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
package testutil

import (
certmanv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -34,6 +35,23 @@ func NewTestGateway(gwName, gwClassName, ns string) *TestGateway {
}
}

func NewTestIssuer(name, ns string) *certmanv1.Issuer {
return &certmanv1.Issuer{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: ns,
},
}
}

func NewTestClusterIssuer(name string) *certmanv1.ClusterIssuer {
return &certmanv1.ClusterIssuer{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
}
}

func (t *TestGateway) WithListener(listener gatewayv1beta1.Listener) *TestGateway {
t.Spec.Listeners = append(t.Spec.Listeners, listener)
return t
Expand Down