Add tests for TLS mounts and volumes

Signed-off-by: Brendan Shephard <bshephar@redhat.com>
bshephar · Feb 7, 2025 · fa0ce3c · fa0ce3c
1 parent d0ed14a
commit fa0ce3c
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -115,7 +115,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ginkgo ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" $(GINKGO) --trace --cover --coverpkg=../../pkg/horizon,../../controllers,../../api/v1beta1 --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) ./tests/...
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" $(GINKGO) --trace --cover --coverpkg=../../pkg/horizon,../../controllers,../../api/v1beta1 --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) ./tests/... ./pkg/horizon/...
 
 ##@ Build
 

diff --git a/go.mod b/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250128130522-53b65fcdadca
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20250128130522-53b65fcdadca
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20250128130522-53b65fcdadca
+	github.com/stretchr/testify v1.9.0
 	k8s.io/api v0.29.13
 	k8s.io/apimachinery v0.29.13
 	k8s.io/client-go v0.29.13
@@ -53,6 +54,7 @@ require (
 	github.com/openshift/api v3.9.0+incompatible // indirect
 	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20250128130522-53b65fcdadca // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.19.0 // indirect
 	github.com/prometheus/client_model v0.6.0 // indirect
 	github.com/prometheus/common v0.51.1 // indirect

diff --git a/pkg/horizon/deployment.go b/pkg/horizon/deployment.go
@@ -72,12 +72,6 @@ func Deployment(
 	volumes := getVolumes(instance.Name, instance.Spec.ExtraMounts, HorizonPropagation)
 	volumeMounts := getVolumeMounts(instance.Spec.ExtraMounts, HorizonPropagation)
 
-	// add CA cert if defined
-	if instance.Spec.TLS.CaBundleSecretName != "" {
-		volumes = append(volumes, instance.Spec.TLS.CreateVolume())
-		volumeMounts = append(volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
-	}
-
 	if instance.Spec.TLS.Enabled() {
 		tlsRequireOptions := TLSRequiredOptions{
 			&containerPort,
@@ -222,6 +216,12 @@ func (t *TLSRequiredOptions) formatTLSOptions(instance *horizonv1.Horizon) ([]co
 		return t.volumes, t.volumeMounts, err
 	}
 
+	// add CA cert if defined
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		t.volumes = append(t.volumes, instance.Spec.TLS.CreateVolume())
+		t.volumeMounts = append(t.volumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
+	}
+
 	t.containerPort.ContainerPort = HorizonPortTLS
 	t.livenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
 	t.readinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS

diff --git a/pkg/horizon/deployment_test.go b/pkg/horizon/deployment_test.go
@@ -0,0 +1,122 @@
+package horizon
+
+import (
+	"testing"
+
+	horizonv1 "github.com/openstack-k8s-operators/horizon-operator/api/v1beta1"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+)
+
+type testCase struct {
+	name            string
+	instance        *horizonv1.Horizon
+	expectedVolumes []corev1.Volume
+	expectedMounts  []corev1.VolumeMount
+	expectedError   bool
+	errorContains   string
+}
+
+func TestFormatTLSOptions(t *testing.T) {
+
+	var tlsSecretName string = "generic-tls-secret"
+	var defaultMode int32 = 256
+	testCases := []testCase{
+		{
+			name: "Valid TLS Configuration",
+			instance: &horizonv1.Horizon{
+				Spec: horizonv1.HorizonSpec{
+					HorizonSpecCore: horizonv1.HorizonSpecCore{
+						TLS: tls.SimpleService{
+							GenericService: tls.GenericService{
+								SecretName: &tlsSecretName,
+							},
+						},
+					},
+				},
+			},
+			expectedVolumes: []corev1.Volume{
+				{
+					Name: "horizon-tls-certs",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName:  "generic-tls-secret",
+							DefaultMode: &defaultMode,
+						},
+					},
+				},
+				{Name: "combined-ca-bundle",
+					VolumeSource: corev1.VolumeSource{
+						Secret: &corev1.SecretVolumeSource{
+							SecretName:  "combined-ca-bundle",
+							DefaultMode: &defaultMode,
+						},
+					},
+				},
+			},
+
+			expectedMounts: []corev1.VolumeMount{
+				{
+					Name:             "horizon-tls-certs",
+					MountPath:        "/var/lib/config-data/tls/certs/horizon.crt",
+					ReadOnly:         true,
+					SubPath:          "tls.crt",
+					MountPropagation: nil,
+					SubPathExpr:      "",
+				},
+				{
+					Name:             "combined-ca-bundle",
+					ReadOnly:         true,
+					SubPath:          "tls-ca-bundle.pem",
+					MountPath:        "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+					MountPropagation: nil,
+					SubPathExpr:      "",
+				},
+				{
+					Name:             "horizon-tls-certs",
+					ReadOnly:         true,
+					SubPath:          "tls.key",
+					MountPath:        "/var/lib/config-data/tls/private/horizon.key",
+					MountPropagation: nil,
+					SubPathExpr:      "",
+				},
+			},
+			expectedError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			options := &TLSRequiredOptions{
+				containerPort:  &corev1.ContainerPort{},
+				livenessProbe:  &corev1.Probe{ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{}}},
+				readinessProbe: &corev1.Probe{ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{}}},
+				startupProbe:   &corev1.Probe{ProbeHandler: corev1.ProbeHandler{HTTPGet: &corev1.HTTPGetAction{}}},
+			}
+
+			volumes, mounts, err := options.formatTLSOptions(tc.instance)
+
+			if tc.expectedError {
+				assert.Error(t, err)
+				if tc.errorContains != "" {
+					assert.Contains(t, err.Error(), tc.errorContains)
+				}
+			} else {
+				assert.NoError(t, err)
+				for _, elem := range volumes {
+					assert.Contains(t, tc.expectedVolumes, elem)
+				}
+				for _, elem := range mounts {
+					assert.Contains(t, tc.expectedMounts, elem)
+				}
+
+				assert.Equal(t, corev1.URISchemeHTTPS, options.livenessProbe.HTTPGet.Scheme)
+				assert.Equal(t, corev1.URISchemeHTTPS, options.readinessProbe.HTTPGet.Scheme)
+				assert.Equal(t, corev1.URISchemeHTTPS, options.startupProbe.HTTPGet.Scheme)
+				assert.Equal(t, int32(HorizonPortTLS), options.containerPort.ContainerPort)
+
+			}
+		})
+	}
+}