
Add secret test
Signed-off-by: Shubham Gupta <[email protected]>
shubham-cmyk committed Nov 10, 2023
1 parent 682f04d commit 978de66
Showing 7 changed files with 501 additions and 69 deletions.
6 changes: 6 additions & 0 deletions k8sutils/finalizers_test.go
Expand Up @@ -5,15 +5,21 @@ import (
"fmt"
"testing"

// "time"

"github.com/OT-CONTAINER-KIT/redis-operator/api/v1beta2"
"github.com/go-logr/logr/testr"
"github.com/stretchr/testify/assert"
corev1 "k8s.io/api/core/v1"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"

// "k8s.io/apimachinery/pkg/types"
// utilruntime "k8s.io/apimachinery/pkg/util/runtime"
k8sClientFake "k8s.io/client-go/kubernetes/fake"
"k8s.io/utils/pointer"
// ctrlClientFake "sigs.k8s.io/controller-runtime/pkg/client/fake"
)

// func TestHandleRedisFinalizer(t *testing.T) {
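Review bot: The imports for time, apimachinery types, util/runtime and the controller-runtime fake client are commented out rather than removed; goimports drops unused imports and the previous list survives in history, so the four `// "…"` import lines should simply be deleted. If `TestHandleRedisFinalizer` below was disabled by this commit rather than earlier, the finalizer path loses its test coverage and the commented header deserves a `// TODO: re-enable once … ` line naming the reason; the function body is outside the hunk.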
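--- a/k8sutils/redis.go
+++ b/k8sutils/redis.go
@@ -334,14 +334,14 @@ func configureRedisClient(client kubernetes.Interface, logger logr.Logger, cr *r
 Addr: getRedisServerIP(redisInfo) + ":6379",
 Password: pass,
 DB: 0,
-TLSConfig: getRedisTLSConfig(cr, redisInfo),
+TLSConfig: getRedisTLSConfig(client, logger, cr, redisInfo),
 })
 } else {
 redisClient = redis.NewClient(&redis.Options{
 Addr: getRedisServerIP(redisInfo) + ":6379",
 Password: "",
 DB: 0,
-TLSConfig: getRedisTLSConfig(cr, redisInfo),
+TLSConfig: getRedisTLSConfig(client, logger, cr, redisInfo),
 })
 }
 return redisClient
@@ -455,14 +455,14 @@ func configureRedisReplicationClient(client kubernetes.Interface, logger logr.Lo
 Addr: getRedisServerIP(redisInfo) + ":6379",
 Password: pass,
 DB: 0,
-TLSConfig: getRedisReplicationTLSConfig(cr, redisInfo),
+TLSConfig: getRedisReplicationTLSConfig(client, logger, cr, redisInfo),
 })
 } else {
 redisClient = redis.NewClient(&redis.Options{
 Addr: getRedisServerIP(redisInfo) + ":6379",
 Password: "",
 DB: 0,
-TLSConfig: getRedisReplicationTLSConfig(cr, redisInfo),
+TLSConfig: getRedisReplicationTLSConfig(client, logger, cr, redisInfo),
 })
 }
 return redisClient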
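Review bot: In both branches of configureRedisClient the result of getRedisTLSConfig is assigned straight to TLSConfig, and that function (per its hunk in k8sutils/secrets.go) returns nil on every error path even when cr.Spec.TLS is set, so a cluster that has TLS configured but an unreadable or malformed secret silently falls back to a plaintext connection carrying the password. The second hunk, configureRedisReplicationClient, has the same shape with getRedisReplicationTLSConfig. Since the function returns only a client, a minimal guard before building the options is `tlsConfig := getRedisTLSConfig(client, logger, cr, redisInfo)` followed by `if cr.Spec.TLS != nil && tlsConfig == nil { logger.Error(errors.New("tls is configured but no tls config could be built"), "refusing to connect without TLS"); return nil }` (adding the errors import if redis.go lacks it); if callers cannot handle a nil client, the function should instead gain an error return. Both enclosing functions start before their hunks.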
110 changes: 45 additions & 65 deletions k8sutils/secrets.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"strings"

redisv1beta2 "github.com/OT-CONTAINER-KIT/redis-operator/api/v1beta2"
Expand All @@ -30,110 +31,89 @@ func getRedisPassword(client kubernetes.Interface, logger logr.Logger, namespace
return "", nil
}

func secretLogger(namespace string, name string) logr.Logger {
reqLogger := log.WithValues("Request.Secret.Namespace", namespace, "Request.Secret.Name", name)
return reqLogger
}

func getRedisTLSConfig(cr *redisv1beta2.RedisCluster, redisInfo RedisDetails) *tls.Config {
client, err := GenerateK8sClient(GenerateK8sConfig)
if err != nil {
return nil
}
func getRedisTLSConfig(client kubernetes.Interface, logger logr.Logger, cr *redisv1beta2.RedisCluster, redisInfo RedisDetails) *tls.Config {
if cr.Spec.TLS != nil {
reqLogger := log.WithValues("Request.Namespace", cr.Namespace, "Request.Name", cr.ObjectMeta.Name)
secretName, err := client.CoreV1().Secrets(cr.Namespace).Get(context.TODO(), cr.Spec.TLS.Secret.SecretName, metav1.GetOptions{})
secret, err := client.CoreV1().Secrets(cr.Namespace).Get(context.TODO(), cr.Spec.TLS.Secret.SecretName, metav1.GetOptions{})
if err != nil {
reqLogger.Error(err, "Failed in getting TLS secret for redis")
logger.Error(err, "Failed in getting TLS secret for redis cluster")
logger.V(1).Error(err, "Failed in getting TLS secret for redis cluster", "secretName", cr.Spec.TLS.Secret.SecretName, "namespace", cr.Namespace, "redisClusterName", cr.Name)
return nil
}

var (
tlsClientCert []byte
tlsClientKey []byte
tlsCaCertificate []byte
tlsCaCertificates *x509.CertPool
tlsClientCertificates []tls.Certificate
)
for key, value := range secretName.Data {
if key == cr.Spec.TLS.CaKeyFile || key == "ca.crt" {
tlsCaCertificate = value
} else if key == cr.Spec.TLS.CertKeyFile || key == "tls.crt" {
tlsClientCert = value
} else if key == cr.Spec.TLS.KeyFile || key == "tls.key" {
tlsClientKey = value
}
tlsClientCert, certExists := secret.Data["tls.crt"]
tlsClientKey, keyExists := secret.Data["tls.key"]
tlsCaCertificate, caExists := secret.Data["ca.crt"]

if !certExists || !keyExists || !caExists {
logger.Error(errors.New("required TLS keys are missing in the secret"), "Missing TLS keys in the secret")
return nil
}

cert, err := tls.X509KeyPair(tlsClientCert, tlsClientKey)
if err != nil {
reqLogger.Error(err, "Couldn't load TLS client key pair")
logger.Error(err, "Couldn't load TLS client key pair")
logger.V(1).Error(err, "Couldn't load TLS client key pair", "secretName", cr.Spec.TLS.Secret.SecretName, "namespace", cr.Namespace, "redisClusterName", cr.Name)
return nil

}
tlsClientCertificates = append(tlsClientCertificates, cert)

tlsCaCertificates = x509.NewCertPool()
tlsCaCertificates := x509.NewCertPool()
ok := tlsCaCertificates.AppendCertsFromPEM(tlsCaCertificate)
if !ok {
reqLogger.V(1).Info("Failed to load CA Certificates from Secret")
logger.Error(errors.New("failed to load CA Certificates from secret"), "Invalid CA Certificates")
logger.V(1).Error(err, "Invalid CA Certificates", "secretName", cr.Spec.TLS.Secret.SecretName, "namespace", cr.Namespace, "redisClusterName", cr.Name)
return nil

}

return &tls.Config{
Certificates: tlsClientCertificates,
Certificates: []tls.Certificate{cert},
ServerName: redisInfo.PodName,
RootCAs: tlsCaCertificates,
MinVersion: 2,
ClientAuth: 0,
MinVersion: tls.VersionTLS12,
ClientAuth: tls.NoClientCert,
}
}
return nil
}

func getRedisReplicationTLSConfig(cr *redisv1beta2.RedisReplication, redisInfo RedisDetails) *tls.Config {
client, err := GenerateK8sClient(GenerateK8sConfig)
if err != nil {
return nil
}
func getRedisReplicationTLSConfig(client kubernetes.Interface, logger logr.Logger, cr *redisv1beta2.RedisReplication, redisInfo RedisDetails) *tls.Config {
if cr.Spec.TLS != nil {
reqLogger := log.WithValues("Request.Namespace", cr.Namespace, "Request.Name", cr.ObjectMeta.Name)
secretName, err := client.CoreV1().Secrets(cr.Namespace).Get(context.TODO(), cr.Spec.TLS.Secret.SecretName, metav1.GetOptions{})
secret, err := client.CoreV1().Secrets(cr.Namespace).Get(context.TODO(), cr.Spec.TLS.Secret.SecretName, metav1.GetOptions{})
if err != nil {
reqLogger.Error(err, "Failed in getting TLS secret for redis")
logger.Error(err, "Failed in getting TLS secret for redis replication")
logger.V(1).Error(err, "Failed in getting TLS secret for redis replication", "secretName", cr.Spec.TLS.Secret.SecretName, "namespace", cr.Namespace, "redisReplicationName", cr.Name)
return nil
}

var (
tlsClientCert []byte
tlsClientKey []byte
tlsCaCertificate []byte
tlsCaCertificates *x509.CertPool
tlsClientCertificates []tls.Certificate
)
for key, value := range secretName.Data {
if key == cr.Spec.TLS.CaKeyFile || key == "ca.crt" {
tlsCaCertificate = value
} else if key == cr.Spec.TLS.CertKeyFile || key == "tls.crt" {
tlsClientCert = value
} else if key == cr.Spec.TLS.KeyFile || key == "tls.key" {
tlsClientKey = value
}
tlsClientCert, certExists := secret.Data["tls.crt"]
tlsClientKey, keyExists := secret.Data["tls.key"]
tlsCaCertificate, caExists := secret.Data["ca.crt"]

if !certExists || !keyExists || !caExists {
logger.Error(errors.New("required TLS keys are missing in the secret"), "Missing TLS keys in the secret")
return nil
}

cert, err := tls.X509KeyPair(tlsClientCert, tlsClientKey)
if err != nil {
reqLogger.Error(err, "Couldn't load TLS client key pair")
logger.Error(err, "Couldn't load TLS client key pair")
logger.V(1).Error(err, "Couldn't load TLS client key pair", "secretName", cr.Spec.TLS.Secret.SecretName, "namespace", cr.Namespace, "redisReplicationName", cr.Name)
return nil

}
tlsClientCertificates = append(tlsClientCertificates, cert)

tlsCaCertificates = x509.NewCertPool()
tlsCaCertificates := x509.NewCertPool()
ok := tlsCaCertificates.AppendCertsFromPEM(tlsCaCertificate)
if !ok {
reqLogger.V(1).Info("Failed to load CA Certificates from Secret")
logger.Error(errors.New("failed to load CA Certificates from secret"), "Invalid CA Certificates")
logger.V(1).Error(err, "Invalid CA Certificates", "secretName", cr.Spec.TLS.Secret.SecretName, "namespace", cr.Namespace, "redisReplicationName", cr.Name)
return nil

}

return &tls.Config{
Certificates: tlsClientCertificates,
Certificates: []tls.Certificate{cert},
ServerName: redisInfo.PodName,
RootCAs: tlsCaCertificates,
MinVersion: 2,
ClientAuth: 0,
MinVersion: tls.VersionTLS12,
ClientAuth: tls.NoClientCert,
}
}
return nil
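Review bot: The new lookups `secret.Data["tls.crt"]`, `secret.Data["tls.key"]` and `secret.Data["ca.crt"]` in getRedisTLSConfig hard-code the key names, whereas the removed loop also accepted the names configured in `cr.Spec.TLS.CertKeyFile`, `KeyFile` and `CaKeyFile`; a CR that relies on those fields now hits the "Missing TLS keys" branch and gets a nil config, and the same regression is in getRedisReplicationTLSConfig. Resolve the configured name first and fall back to the default only when it is empty, as sketched below. Separately, the `logger.V(1).Error(err, "Invalid CA Certificates", …)` calls after AppendCertsFromPEM pass the X509KeyPair err, which is nil at that point; bind the errors.New value to a local, e.g. `caErr := errors.New("failed to load CA Certificates from secret")`, and pass it to both logger calls. The `ClientAuth` field only applies to server configs and can be dropped from a client tls.Config; getRedisReplicationTLSConfig's closing brace lies outside the hunk.
```go
// secretKeyOrDefault returns the key name configured in the CR, or def when it is unset.
func secretKeyOrDefault(configured, def string) string {
	if configured != "" {
		return configured
	}
	return def
}

// … unchanged: secret Get and its error logging in getRedisTLSConfig …
		tlsClientCert, certExists := secret.Data[secretKeyOrDefault(cr.Spec.TLS.CertKeyFile, "tls.crt")]
		tlsClientKey, keyExists := secret.Data[secretKeyOrDefault(cr.Spec.TLS.KeyFile, "tls.key")]
		tlsCaCertificate, caExists := secret.Data[secretKeyOrDefault(cr.Spec.TLS.CaKeyFile, "ca.crt")]
// … unchanged: key pair load, CA pool, tls.Config construction (same edit in getRedisReplicationTLSConfig) …
```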
