Add test for existing Etcd cert

Signed-off-by: Chuck Ha <[email protected]>

Author: chuckha

Dockerfile.dev

@@ -33,7 +33,6 @@ COPY api/ api/
 COPY controllers/ controllers/
 COPY kubeadm/ kubeadm/
 COPY cloudinit/ cloudinit/
-COPY certs/ certs/
 COPY internal/ internal/
 
 # Allow containerd to restart pods by calling /restart.sh (mostly for tilt + fast dev cycles)

cloudinit/cloudinit_test.go

@@ -21,7 +21,8 @@ import (
 	"testing"
 
 	infrav1 "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/api/v1alpha2"
-	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal"
+	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal/cluster"
+	"sigs.k8s.io/cluster-api/util/certs"
 )
 
 func TestNewInitControlPlaneAdditionalFileEncodings(t *testing.T) {
@@ -45,14 +46,16 @@ func TestNewInitControlPlaneAdditionalFileEncodings(t *testing.T) {
 			Users:      nil,
 			NTP:        nil,
 		},
-		Certificates:         internal.NewCertificates(),
+		Certificates:         cluster.NewCertificates(),
 		ClusterConfiguration: "my-cluster-config",
 		InitConfiguration:    "my-init-config",
 	}
 
 	for _, certificate := range cpinput.Certificates {
-		certificate.KeyPair.Cert = []byte("some certificate")
-		certificate.KeyPair.Key = []byte("some key")
+		certificate.KeyPair = &certs.KeyPair{
+			Cert: []byte("some certificate"),
+			Key:  []byte("some key"),
+		}
 	}
 
 	out, err := NewInitControlPlane(cpinput)

cloudinit/controlplane_init.go

@@ -17,7 +17,7 @@ limitations under the License.
 package cloudinit
 
 import (
-	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal"
+	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal/cluster"
 )
 
 const (
@@ -43,7 +43,7 @@ runcmd:
 // ControlPlaneInput defines the context to generate a controlplane instance user data.
 type ControlPlaneInput struct {
 	BaseUserData
-	internal.Certificates
+	cluster.Certificates
 
 	ClusterConfiguration string
 	InitConfiguration    string
@@ -52,7 +52,7 @@ type ControlPlaneInput struct {
 // NewInitControlPlane returns the user data string to be used on a controlplane instance.
 func NewInitControlPlane(input *ControlPlaneInput) ([]byte, error) {
 	input.Header = cloudConfigHeader
-	if err := input.Certificates.Validate(); err != nil {
+	if err := input.Certificates.EnsureAllExist(); err != nil {
 		return nil, err
 	}
 

cloudinit/controlplane_join.go

@@ -18,7 +18,7 @@ package cloudinit
 
 import (
 	"github.com/pkg/errors"
-	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal"
+	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal/cluster"
 )
 
 const (
@@ -41,7 +41,7 @@ runcmd:
 // ControlPlaneJoinInput defines context to generate controlplane instance user data for control plane node join.
 type ControlPlaneJoinInput struct {
 	BaseUserData
-	internal.Certificates
+	cluster.Certificates
 
 	BootstrapToken    string
 	JoinConfiguration string
@@ -50,8 +50,8 @@ type ControlPlaneJoinInput struct {
 // NewJoinControlPlane returns the user data string to be used on a new control plane instance.
 func NewJoinControlPlane(input *ControlPlaneJoinInput) ([]byte, error) {
 	input.Header = cloudConfigHeader
-	if err := input.Certificates.Validate(); err != nil {
-		return nil, errors.Wrapf(err, "ControlPlaneInput is invalid")
+	if err := input.Certificates.EnsureAllExist(); err != nil {
+		return nil, err
 	}
 
 	input.WriteFiles = input.Certificates.AsFiles()

controllers/kubeadmconfig_controller.go

@@ -29,12 +29,13 @@ import (
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	bootstrapv1 "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/api/v1alpha2"
 	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/cloudinit"
-	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal"
+	internalcluster "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal/cluster"
 	kubeadmv1beta1 "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/kubeadm/v1beta1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha2"
 	capierrors "sigs.k8s.io/cluster-api/errors"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/patch"
+	"sigs.k8s.io/cluster-api/util/secret"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -217,8 +218,8 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 			return ctrl.Result{}, err
 		}
 
-		certificates := internal.NewCertificates()
-		if err := certificates.GetOrCreateCertificates(ctx, r.Client, cluster, config); err != nil {
+		certificates := internalcluster.NewCertificates()
+		if err := certificates.LookupOrGenerate(ctx, r.Client, cluster, config); err != nil {
 			log.Error(err, "unable to lookup or create cluster certificates")
 			return ctrl.Result{}, err
 		}
@@ -258,22 +259,25 @@ func (r *KubeadmConfigReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, re
 		return ctrl.Result{}, errors.New("Control plane already exists for the cluster, only KubeadmConfig objects with JoinConfiguration are allowed")
 	}
 
-	certificates := internal.NewCertificates()
-	if err := certificates.GetCertificates(ctx, r.Client, cluster); err != nil {
+	certificates := internalcluster.NewCertificates()
+	if err := certificates.Lookup(ctx, r.Client, cluster); err != nil {
 		log.Error(err, "unable to lookup cluster certificates")
 		return ctrl.Result{}, err
 	}
-	hashes, err := certificates.GetCertificateByName(internal.ClusterCAName).Hashes()
+	if err := certificates.EnsureAllExist(); err != nil {
+		return ctrl.Result{}, err
+	}
+
+	hashes, err := certificates.GetByPurpose(secret.ClusterCA).Hashes()
 	if err != nil {
 		log.Error(err, "Unable to generate Cluster CA certificate hashes")
 		return ctrl.Result{}, err
 	}
-	if hashes != nil {
-		if config.Spec.JoinConfiguration.Discovery.BootstrapToken == nil {
-			config.Spec.JoinConfiguration.Discovery.BootstrapToken = &kubeadmv1beta1.BootstrapTokenDiscovery{}
-		}
-		config.Spec.JoinConfiguration.Discovery.BootstrapToken.CACertHashes = hashes
+	// TODO: move this into reconcile.Discovery so that defaults for the Discovery are all in the same place
+	if config.Spec.JoinConfiguration.Discovery.BootstrapToken == nil {
+		config.Spec.JoinConfiguration.Discovery.BootstrapToken = &kubeadmv1beta1.BootstrapTokenDiscovery{}
 	}
+	config.Spec.JoinConfiguration.Discovery.BootstrapToken.CACertHashes = hashes
 
 	// ensure that joinConfiguration.Discovery is properly set for joining node on the current cluster
 	if err := r.reconcileDiscovery(cluster, config); err != nil {

controllers/kubeadmconfig_controller_test.go

@@ -32,7 +32,7 @@ import (
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/klog/klogr"
 	bootstrapv1 "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/api/v1alpha2"
-	"sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal"
+	internalcluster "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/internal/cluster"
 	kubeadmv1beta1 "sigs.k8s.io/cluster-api-bootstrap-provider-kubeadm/kubeadm/v1beta1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha2"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -371,20 +371,24 @@ func TestKubeadmConfigReconciler_Reconcile_ErrorIfAWorkerHasNoJoinConfigurationA
 
 // If a controlplane has an invalid JoinConfiguration then user intervention is required.
 func TestKubeadmConfigReconciler_Reconcile_ErrorIfJoiningControlPlaneHasInvalidConfiguration(t *testing.T) {
+	// TODO: extract this kind of code into a setup function that puts the state of objects into an initialized controlplane (implies secrets exist)
 	cluster := newCluster("cluster")
 	cluster.Status.InfrastructureReady = true
 	cluster.Status.ControlPlaneInitialized = true
 	cluster.Status.APIEndpoints = []clusterv1.APIEndpoint{{Host: "100.105.150.1", Port: 6443}}
-
 	controlPlaneMachine := newControlPlaneMachine(cluster)
-	controlPlaneJoinConfig := newControlPlaneJoinKubeadmConfig(controlPlaneMachine, "control-plane-join-cfg")
+	controlPlaneInitConfig := newControlPlaneInitKubeadmConfig(controlPlaneMachine, "control-plane-init-cfg")
+
+	controlPlaneJoinMachine := newControlPlaneMachine(cluster)
+	controlPlaneJoinConfig := newControlPlaneJoinKubeadmConfig(controlPlaneJoinMachine, "control-plane-join-cfg")
 	controlPlaneJoinConfig.Spec.JoinConfiguration.ControlPlane = nil // Makes controlPlaneJoinConfig invalid for a control plane machine
 
 	objects := []runtime.Object{
 		cluster,
-		controlPlaneMachine,
+		controlPlaneJoinMachine,
 		controlPlaneJoinConfig,
 	}
+	objects = append(objects, createSecrets(t, cluster, controlPlaneInitConfig)...)
 	myclient := fake.NewFakeClientWithScheme(setupScheme(), objects...)
 
 	k := &KubeadmConfigReconciler{
@@ -411,6 +415,8 @@ func TestKubeadmConfigReconciler_Reconcile_RequeueIfControlPlaneIsMissingAPIEndp
 	cluster := newCluster("cluster")
 	cluster.Status.InfrastructureReady = true
 	cluster.Status.ControlPlaneInitialized = true
+	controlPlaneMachine := newControlPlaneMachine(cluster)
+	controlPlaneInitConfig := newControlPlaneInitKubeadmConfig(controlPlaneMachine, "control-plane-init-cfg")
 
 	workerMachine := newWorkerMachine(cluster)
 	workerJoinConfig := newWorkerJoinKubeadmConfig(workerMachine)
@@ -420,6 +426,8 @@ func TestKubeadmConfigReconciler_Reconcile_RequeueIfControlPlaneIsMissingAPIEndp
 		workerMachine,
 		workerJoinConfig,
 	}
+	objects = append(objects, createSecrets(t, cluster, controlPlaneInitConfig)...)
+
 	myclient := fake.NewFakeClientWithScheme(setupScheme(), objects...)
 
 	k := &KubeadmConfigReconciler{
@@ -966,6 +974,38 @@ func TestKubeadmConfigReconciler_ClusterToKubeadmConfigs(t *testing.T) {
 	}
 }
 
+// Reconcile should not fail if the Etcd CA Secret already exists
+func TestKubeadmConfigReconciler_Reconcile_DoesNotFailIfCASecretsAlreadyExist(t *testing.T) {
+	cluster := newCluster("my-cluster")
+	cluster.Status.InfrastructureReady = true
+	cluster.Status.ControlPlaneInitialized = false
+	m := newControlPlaneMachine(cluster)
+	configName := "my-config"
+	c := newControlPlaneInitKubeadmConfig(m, configName)
+	scrt := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-%s", cluster.Name, internalcluster.EtcdCA),
+			Namespace: "default",
+		},
+		Data: map[string][]byte{
+			"tls.crt": []byte("hello world"),
+			"tls.key": []byte("hello world"),
+		},
+	}
+	fakec := fake.NewFakeClientWithScheme(setupScheme(), []runtime.Object{cluster, m, c, scrt}...)
+	reconciler := &KubeadmConfigReconciler{
+		Log:             log.Log,
+		Client:          fakec,
+		KubeadmInitLock: &myInitLocker{},
+	}
+	req := ctrl.Request{
+		NamespacedName: types.NamespacedName{Namespace: "default", Name: configName},
+	}
+	if _, err := reconciler.Reconcile(req); err != nil {
+		t.Fatal(err)
+	}
+}
+
 // test utils
 
 // newCluster return a CAPI cluster object
@@ -1072,8 +1112,8 @@ func newControlPlaneInitKubeadmConfig(machine *clusterv1.Machine, name string) *
 
 func createSecrets(t *testing.T, cluster *clusterv1.Cluster, owner *bootstrapv1.KubeadmConfig) []runtime.Object {
 	out := []runtime.Object{}
-	certificates := internal.NewCertificates()
-	if err := certificates.GenerateCertificates(); err != nil {
+	certificates := internalcluster.NewCertificates()
+	if err := certificates.Generate(); err != nil {
 		t.Fatal(err)
 	}
 	for _, certificate := range certificates {