diff --git a/internal/controllers/reconciler_test.go b/internal/controllers/reconciler_test.go
index 612c69f4e..40a71f33f 100644
--- a/internal/controllers/reconciler_test.go
+++ b/internal/controllers/reconciler_test.go
@@ -1795,6 +1795,66 @@ func (c *controllerTest) commonTests() {
 t.expectCertificates()
 })
 })
+ Context("with modified certificates", func() {
+ var oldCerts []*certv1.Certificate
+ BeforeEach(func() {
+ t.objs = append(t.objs, t.NewCryostat().Object, t.OtherCAIssuer())
+ oldCerts = []*certv1.Certificate{
+ t.OtherCACert(),
+ t.OtherAgentProxyCert(),
+ t.OtherCryostatCert(),
+ t.OtherReportsCert(),
+ }
+ // Add an annotation for each cert, the test will assert that
+ // the annotation is gone.
+ for i, cert := range oldCerts {
+ metav1.SetMetaDataAnnotation(&oldCerts[i].ObjectMeta, "bad", "cert")
+ t.objs = append(t.objs, cert)
+ }
+ })
+ JustBeforeEach(func() {
+ cr := t.getCryostatInstance()
+ for _, cert := range oldCerts {
+ // Make the old certs owned by the Cryostat CR
+ err := controllerutil.SetControllerReference(cr.Object, cert, t.Client.Scheme())
+ Expect(err).ToNot(HaveOccurred())
+ err = t.Client.Update(context.Background(), cert)
+ Expect(err).ToNot(HaveOccurred())
+ }
+ t.reconcileCryostatFully()
+ })
+ It("should recreate certificates", func() {
+ t.expectCertificates()
+ })
+ })
+ Context("with a modified certificate TLS CommonName", func() {
+ var oldCerts []*certv1.Certificate
+ BeforeEach(func() {
+ oldCerts = []*certv1.Certificate{
+ t.NewCryostatCert(),
+ t.NewReportsCert(),
+ t.NewAgentProxyCert(),
+ }
+ t.objs = append(t.objs, t.NewCryostat().Object, t.OtherCAIssuer())
+ for _, cert := range oldCerts {
+ t.objs = append(t.objs, cert)
+ }
+ })
+ JustBeforeEach(func() {
+ cr := t.getCryostatInstance()
+ for _, cert := range oldCerts {
+ // Make the old certs owned by the Cryostat CR
+ err := controllerutil.SetControllerReference(cr.Object, cert, t.Client.Scheme())
+ Expect(err).ToNot(HaveOccurred())
+ err = t.Client.Update(context.Background(), cert)
+ Expect(err).ToNot(HaveOccurred())
+ }
+ t.reconcileCryostatFully()
+ })
+ It("should recreate certificates", func() {
+ t.expectCertificates()
+ })
+ })
 Context("reconciling a multi-namespace 
request", func() {
 targetNamespaces := []string{"multi-test-one", "multi-test-two"}
diff --git a/internal/test/resources.go b/internal/test/resources.go
index bcad9166c..b5e89a0d0 100644
--- a/internal/test/resources.go
+++ b/internal/test/resources.go
@@ -1058,6 +1058,12 @@ func (r *TestResources) NewCryostatCert() *certv1.Certificate {
 }
 }
+func (r *TestResources) OtherCryostatCert() *certv1.Certificate {
+ cert := r.NewCryostatCert()
+ cert.Spec.CommonName = fmt.Sprintf("%s.%s.svc", r.Name, r.Namespace)
+ return cert
+}
+
 func (r *TestResources) NewReportsCert() *certv1.Certificate {
 return &certv1.Certificate{
 ObjectMeta: metav1.ObjectMeta{
@@ -1084,6 +1090,12 @@ func (r *TestResources) NewReportsCert() *certv1.Certificate {
 }
 }
+func (r *TestResources) OtherReportsCert() *certv1.Certificate {
+ cert := r.NewReportsCert()
+ cert.Spec.CommonName = fmt.Sprintf("%s-reports.%s.svc", r.Name, r.Namespace)
+ return cert
+}
+
 func (r *TestResources) NewAgentProxyCert() *certv1.Certificate {
 return &certv1.Certificate{
 ObjectMeta: metav1.ObjectMeta{
@@ -1110,6 +1122,12 @@ func (r *TestResources) NewAgentProxyCert() *certv1.Certificate {
 }
 }
+func (r *TestResources) OtherAgentProxyCert() *certv1.Certificate {
+ cert := r.NewAgentProxyCert()
+ cert.Spec.CommonName = fmt.Sprintf("%s-agent.%s.svc", r.Name, r.Namespace)
+ return cert
+}
+
 func (r *TestResources) NewCACert() *certv1.Certificate {
 return &certv1.Certificate{
 ObjectMeta: metav1.ObjectMeta{
@@ -1127,6 +1145,13 @@ func (r *TestResources) NewCACert() *certv1.Certificate {
 }
 }
+func (r *TestResources) OtherCACert() *certv1.Certificate {
+ cert := r.NewCACert()
+ cert.Spec.CommonName = fmt.Sprintf("ca.%s.cert-manager", r.Name)
+ cert.Spec.SecretName = r.Name + "-ca"
+ return cert
+}
+
 func (r *TestResources) NewAgentCert(namespace string) *certv1.Certificate {
 name := r.getClusterUniqueNameForAgent(namespace)
 return &certv1.Certificate{
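Review bot: In reconciler_test.go, the `with a modified certificate TLS CommonName` context seeds `t.NewCryostatCert()`, `t.NewReportsCert()` and `t.NewAgentProxyCert()` rather than the `Other*Cert` fixtures whose CommonName is overridden, so as far as the hunk shows nothing in that context carries a stale CommonName and the case may pass without the recreate path being exercised. If the `New*` fixtures are meant to differ from what the reconciler generates here, a one-line comment naming the stale field would make that clear; otherwise seed the `Other*Cert` variants. In the first context the comment promises that the `bad` annotation is gone, but the `It` only calls `t.expectCertificates()`, whose body is outside the hunk; if that helper does not compare annotations, add `Expect(cert.Annotations).ToNot(HaveKey("bad"))` on each fetched certificate so a certificate left in place with an outdated identity cannot pass. `commonTests` itself starts and ends outside the hunk.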
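Review bot: The new exported helper `OtherCryostatCert` in resources.go has no doc comment, and the same applies to `OtherReportsCert`, `OtherAgentProxyCert` and `OtherCACert` in the following hunks; "Other" does not say which field differs from the `New*` fixture or why. A line such as `// OtherCryostatCert returns NewCryostatCert with its CommonName overridden, for tests that expect the operator to replace a certificate whose CommonName is out of date.` on each would tell a reader what the fixture stands for. Whether the overridden value actually differs from the one in `NewCryostatCert` is not visible in these hunks, so the comment should name the expected value as well.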
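Review bot: `OtherCACert` overrides `Spec.SecretName` to `r.Name + "-ca"` as well as the CommonName, so when the reconciler replaces this Certificate the Secret under that name would still hold the previous CA key pair, and nothing visible in this commit's tests asserts what happens to it. cert-manager does not delete a Certificate's Secret unless it runs with `--enable-certificate-owner-ref`, so the `with modified certificates` case could seed that Secret and assert it is removed, or a comment could state that it is intentionally left behind. Whether `NewCACert` uses a different SecretName is not visible in the hunk, so confirm the two actually differ.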