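/*
Copyright 2020 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package app

import (
	"testing"
	"time"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
)

// TestCertSpecified checks, for each of the four CSR signers, both the
// "are per-signer files specified" predicate and the cert/key path pair the
// matching getter resolves.
//
// The table pins three outcomes:
//   - a signer with its own cert/key pair resolves to that pair;
//   - when no per-signer pair is set anywhere, every signer resolves to the
//     cluster-wide signing pair;
//   - when at least one per-signer pair is set, a signer WITHOUT its own pair
//     resolves to empty paths, even though the cluster-wide pair is configured.
//
// The last outcome is the security-relevant one: a regression that fell back
// to the cluster-wide pair would let a signer issue certificates under a CA
// the operator did not assign to it.
// NOTE(review): presumably an empty pair means the signer is not started;
// confirm against the controller start-up code, which is not visible here.
func TestCertSpecified(t *testing.T) {
	const (
		clusterCert = "/cluster-signing-cert"
		clusterKey  = "/cluster-signing-key"
	)
	clusterDuration := metav1.Duration{Duration: 10 * time.Hour}

	// Per-signer fixtures, shared by the configurations below so that a path
	// cannot drift between the input and the expectation.
	kubeletServing := csrsigningconfig.CSRSigningConfiguration{
		CertFile: "/cluster-signing-kubelet-serving/cert-file",
		KeyFile:  "/cluster-signing-kubelet-serving/key-file",
	}
	kubeletClient := csrsigningconfig.CSRSigningConfiguration{
		CertFile: "/cluster-signing-kubelet-client/cert-file",
		KeyFile:  "/cluster-signing-kubelet-client/key-file",
	}
	kubeAPIServerClient := csrsigningconfig.CSRSigningConfiguration{
		CertFile: "/cluster-signing-kube-apiserver-client/cert-file",
		KeyFile:  "/cluster-signing-kube-apiserver-client/key-file",
	}
	legacyUnknown := csrsigningconfig.CSRSigningConfiguration{
		CertFile: "/cluster-signing-legacy-unknown/cert-file",
		KeyFile:  "/cluster-signing-legacy-unknown/key-file",
	}

	// Cluster-wide pair plus all four per-signer pairs.
	allConfig := csrsigningconfig.CSRSigningControllerConfiguration{
		ClusterSigningCertFile:                 clusterCert,
		ClusterSigningKeyFile:                  clusterKey,
		ClusterSigningDuration:                 clusterDuration,
		KubeletServingSignerConfiguration:      kubeletServing,
		KubeletClientSignerConfiguration:       kubeletClient,
		KubeAPIServerClientSignerConfiguration: kubeAPIServerClient,
		LegacyUnknownSignerConfiguration:       legacyUnknown,
	}
	// Cluster-wide pair only.
	defaultOnly := csrsigningconfig.CSRSigningControllerConfiguration{
		ClusterSigningCertFile: clusterCert,
		ClusterSigningKeyFile:  clusterKey,
		ClusterSigningDuration: clusterDuration,
	}
	// All four per-signer pairs, no cluster-wide pair.
	specifiedOnly := csrsigningconfig.CSRSigningControllerConfiguration{
		KubeletServingSignerConfiguration:      kubeletServing,
		KubeletClientSignerConfiguration:       kubeletClient,
		KubeAPIServerClientSignerConfiguration: kubeAPIServerClient,
		LegacyUnknownSignerConfiguration:       legacyUnknown,
	}
	// Cluster-wide pair plus the two kubelet signers only.
	halfASpecified := csrsigningconfig.CSRSigningControllerConfiguration{
		ClusterSigningCertFile:            clusterCert,
		ClusterSigningKeyFile:             clusterKey,
		ClusterSigningDuration:            clusterDuration,
		KubeletServingSignerConfiguration: kubeletServing,
		KubeletClientSignerConfiguration:  kubeletClient,
	}
	// Cluster-wide pair plus the kube-apiserver-client and legacy-unknown
	// signers only.
	halfBSpecified := csrsigningconfig.CSRSigningControllerConfiguration{
		ClusterSigningCertFile:                 clusterCert,
		ClusterSigningKeyFile:                  clusterKey,
		ClusterSigningDuration:                 clusterDuration,
		KubeAPIServerClientSignerConfiguration: kubeAPIServerClient,
		LegacyUnknownSignerConfiguration:       legacyUnknown,
	}

	tests := []struct {
		name              string
		config            csrsigningconfig.CSRSigningControllerConfiguration
		specifiedFn       func(config csrsigningconfig.CSRSigningControllerConfiguration) bool
		expectedSpecified bool
		filesFn           func(config csrsigningconfig.CSRSigningControllerConfiguration) (string, string)
		expectedCert      string
		expectedKey       string
	}{
		{
			name:              "allConfig-KubeletServingSignerFilesSpecified",
			config:            allConfig,
			specifiedFn:       areKubeletServingSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeletServingSignerFiles,
			expectedCert:      kubeletServing.CertFile,
			expectedKey:       kubeletServing.KeyFile,
		},
		{
			name:              "defaultOnly-KubeletServingSignerFilesSpecified",
			config:            defaultOnly,
			specifiedFn:       areKubeletServingSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getKubeletServingSignerFiles,
			expectedCert:      clusterCert,
			expectedKey:       clusterKey,
		},
		{
			name:              "specifiedOnly-KubeletServingSignerFilesSpecified",
			config:            specifiedOnly,
			specifiedFn:       areKubeletServingSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeletServingSignerFiles,
			expectedCert:      kubeletServing.CertFile,
			expectedKey:       kubeletServing.KeyFile,
		},
		{
			name:              "halfASpecified-KubeletServingSignerFilesSpecified",
			config:            halfASpecified,
			specifiedFn:       areKubeletServingSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeletServingSignerFiles,
			expectedCert:      kubeletServing.CertFile,
			expectedKey:       kubeletServing.KeyFile,
		},
		{
			// Other signers have explicit pairs, this one does not: no
			// fallback to the cluster-wide pair is expected.
			name:              "halfBSpecified-KubeletServingSignerFilesSpecified",
			config:            halfBSpecified,
			specifiedFn:       areKubeletServingSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getKubeletServingSignerFiles,
			expectedCert:      "",
			expectedKey:       "",
		},

		{
			name:              "allConfig-KubeletClientSignerFiles",
			config:            allConfig,
			specifiedFn:       areKubeletClientSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeletClientSignerFiles,
			expectedCert:      kubeletClient.CertFile,
			expectedKey:       kubeletClient.KeyFile,
		},
		{
			name:              "defaultOnly-KubeletClientSignerFiles",
			config:            defaultOnly,
			specifiedFn:       areKubeletClientSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getKubeletClientSignerFiles,
			expectedCert:      clusterCert,
			expectedKey:       clusterKey,
		},
		{
			name:              "specifiedOnly-KubeletClientSignerFiles",
			config:            specifiedOnly,
			specifiedFn:       areKubeletClientSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeletClientSignerFiles,
			expectedCert:      kubeletClient.CertFile,
			expectedKey:       kubeletClient.KeyFile,
		},
		{
			name:              "halfASpecified-KubeletClientSignerFiles",
			config:            halfASpecified,
			specifiedFn:       areKubeletClientSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeletClientSignerFiles,
			expectedCert:      kubeletClient.CertFile,
			expectedKey:       kubeletClient.KeyFile,
		},
		{
			name:              "halfBSpecified-KubeletClientSignerFiles",
			config:            halfBSpecified,
			specifiedFn:       areKubeletClientSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getKubeletClientSignerFiles,
			expectedCert:      "",
			expectedKey:       "",
		},

		// The five cases below previously reused the "-KubeletClientSignerFiles"
		// names, so a failure here was reported under a duplicate subtest name
		// that pointed at the wrong signer.
		{
			name:              "allConfig-KubeAPIServerClientSignerFiles",
			config:            allConfig,
			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeAPIServerClientSignerFiles,
			expectedCert:      kubeAPIServerClient.CertFile,
			expectedKey:       kubeAPIServerClient.KeyFile,
		},
		{
			name:              "defaultOnly-KubeAPIServerClientSignerFiles",
			config:            defaultOnly,
			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getKubeAPIServerClientSignerFiles,
			expectedCert:      clusterCert,
			expectedKey:       clusterKey,
		},
		{
			name:              "specifiedOnly-KubeAPIServerClientSignerFiles",
			config:            specifiedOnly,
			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeAPIServerClientSignerFiles,
			expectedCert:      kubeAPIServerClient.CertFile,
			expectedKey:       kubeAPIServerClient.KeyFile,
		},
		{
			name:              "halfASpecified-KubeAPIServerClientSignerFiles",
			config:            halfASpecified,
			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getKubeAPIServerClientSignerFiles,
			expectedCert:      "",
			expectedKey:       "",
		},
		{
			name:              "halfBSpecified-KubeAPIServerClientSignerFiles",
			config:            halfBSpecified,
			specifiedFn:       areKubeAPIServerClientSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getKubeAPIServerClientSignerFiles,
			expectedCert:      kubeAPIServerClient.CertFile,
			expectedKey:       kubeAPIServerClient.KeyFile,
		},

		{
			name:              "allConfig-LegacyUnknownSignerFiles",
			config:            allConfig,
			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getLegacyUnknownSignerFiles,
			expectedCert:      legacyUnknown.CertFile,
			expectedKey:       legacyUnknown.KeyFile,
		},
		{
			name:              "defaultOnly-LegacyUnknownSignerFiles",
			config:            defaultOnly,
			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getLegacyUnknownSignerFiles,
			expectedCert:      clusterCert,
			expectedKey:       clusterKey,
		},
		{
			name:              "specifiedOnly-LegacyUnknownSignerFiles",
			config:            specifiedOnly,
			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getLegacyUnknownSignerFiles,
			expectedCert:      legacyUnknown.CertFile,
			expectedKey:       legacyUnknown.KeyFile,
		},
		{
			name:              "halfASpecified-LegacyUnknownSignerFiles",
			config:            halfASpecified,
			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
			expectedSpecified: false,
			filesFn:           getLegacyUnknownSignerFiles,
			expectedCert:      "",
			expectedKey:       "",
		},
		{
			name:              "halfBSpecified-LegacyUnknownSignerFiles",
			config:            halfBSpecified,
			specifiedFn:       areLegacyUnknownSignerFilesSpecified,
			expectedSpecified: true,
			filesFn:           getLegacyUnknownSignerFiles,
			expectedCert:      legacyUnknown.CertFile,
			expectedKey:       legacyUnknown.KeyFile,
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			// Report got and want together; the bare value alone does not
			// say which of the three checks failed.
			if got := test.specifiedFn(test.config); got != test.expectedSpecified {
				t.Errorf("specified: got %t, want %t", got, test.expectedSpecified)
			}

			gotCert, gotKey := test.filesFn(test.config)
			if gotCert != test.expectedCert {
				t.Errorf("cert file: got %q, want %q", gotCert, test.expectedCert)
			}
			if gotKey != test.expectedKey {
				t.Errorf("key file: got %q, want %q", gotKey, test.expectedKey)
			}
		})
	}
}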