test

internal/controllers/reconciler_test.go

@@ -1795,6 +1795,66 @@ func (c *controllerTest) commonTests() {
 				t.expectCertificates()
 			})
 		})
+		Context("with modified certificates", func() {
+			var oldCerts []*certv1.Certificate
+			BeforeEach(func() {
+				t.objs = append(t.objs, t.NewCryostat().Object, t.OtherCAIssuer())
+				oldCerts = []*certv1.Certificate{
+					t.OtherCACert(),
+					t.OtherAgentProxyCert(),
+					t.OtherCryostatCert(),
+					t.OtherReportsCert(),
+				}
+				// Add an annotation for each cert, the test will assert that
+				// the annotation is gone.
+				for i, cert := range oldCerts {
+					metav1.SetMetaDataAnnotation(&oldCerts[i].ObjectMeta, "bad", "cert")
+					t.objs = append(t.objs, cert)
+				}
+			})
+			JustBeforeEach(func() {
+				cr := t.getCryostatInstance()
+				for _, cert := range oldCerts {
+					// Make the old certs owned by the Cryostat CR
+					err := controllerutil.SetControllerReference(cr.Object, cert, t.Client.Scheme())
+					Expect(err).ToNot(HaveOccurred())
+					err = t.Client.Update(context.Background(), cert)
+					Expect(err).ToNot(HaveOccurred())
+				}
+				t.reconcileCryostatFully()
+			})
+			It("should recreate certificates", func() {
+				t.expectCertificates()
+			})
+		})
+		Context("with a modified certificate TLS CommonName", func() {
+			var oldCerts []*certv1.Certificate
+			BeforeEach(func() {
+				oldCerts = []*certv1.Certificate{
+					t.NewCryostatCert(),
+					t.NewReportsCert(),
+					t.NewAgentProxyCert(),
+				}
+				t.objs = append(t.objs, t.NewCryostat().Object, t.OtherCAIssuer())
+				for _, cert := range oldCerts {
+					t.objs = append(t.objs, cert)
+				}
+			})
+			JustBeforeEach(func() {
+				cr := t.getCryostatInstance()
+				for _, cert := range oldCerts {
+					// Make the old certs owned by the Cryostat CR
+					err := controllerutil.SetControllerReference(cr.Object, cert, t.Client.Scheme())
+					Expect(err).ToNot(HaveOccurred())
+					err = t.Client.Update(context.Background(), cert)
+					Expect(err).ToNot(HaveOccurred())
+				}
+				t.reconcileCryostatFully()
+			})
+			It("should recreate certificates", func() {
+				t.expectCertificates()
+			})
+		})
 
 		Context("reconciling a multi-namespace request", func() {
 			targetNamespaces := []string{"multi-test-one", "multi-test-two"}

internal/test/resources.go

@@ -1058,6 +1058,12 @@ func (r *TestResources) NewCryostatCert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherCryostatCert() *certv1.Certificate {
+	cert := r.NewCryostatCert()
+	cert.Spec.CommonName = fmt.Sprintf("%s.%s.svc", r.Name, r.Namespace)
+	return cert
+}
+
 func (r *TestResources) NewReportsCert() *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1084,6 +1090,12 @@ func (r *TestResources) NewReportsCert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherReportsCert() *certv1.Certificate {
+	cert := r.NewReportsCert()
+	cert.Spec.CommonName = fmt.Sprintf("%s-reports.%s.svc", r.Name, r.Namespace)
+	return cert
+}
+
 func (r *TestResources) NewAgentProxyCert() *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1110,6 +1122,12 @@ func (r *TestResources) NewAgentProxyCert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherAgentProxyCert() *certv1.Certificate {
+	cert := r.NewAgentProxyCert()
+	cert.Spec.CommonName = fmt.Sprintf("%s-agent.%s.svc", r.Name, r.Namespace)
+	return cert
+}
+
 func (r *TestResources) NewCACert() *certv1.Certificate {
 	return &certv1.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
@@ -1127,6 +1145,13 @@ func (r *TestResources) NewCACert() *certv1.Certificate {
 	}
 }
 
+func (r *TestResources) OtherCACert() *certv1.Certificate {
+	cert := r.NewCACert()
+	cert.Spec.CommonName = fmt.Sprintf("ca.%s.cert-manager", r.Name)
+	cert.Spec.SecretName = r.Name + "-ca"
+	return cert
+}
+
 func (r *TestResources) NewAgentCert(namespace string) *certv1.Certificate {
 	name := r.getClusterUniqueNameForAgent(namespace)
 	return &certv1.Certificate{