diff --git a/vertical-pod-autoscaler/pkg/admission-controller/certs_test.go b/vertical-pod-autoscaler/pkg/admission-controller/certs_test.go
index c324aaddd0fc928bd0bc80c88264737bc7c337bd..401da39287aeb8644810e569fe35e6cc5800e872 100644
--- a/vertical-pod-autoscaler/pkg/admission-controller/certs_test.go
+++ b/vertical-pod-autoscaler/pkg/admission-controller/certs_test.go
@@ -276,120 +276,119 @@ func TestChangedCAReloader(t *testing.T) {
 assert.NotEqual(t, oldCAEncodedString, newCAEncodedString, "expected CA to change")
 }
-// TODO(omerap12): Temporary workaround for flakiness (#7831)
-// func TestUnchangedCAReloader(t *testing.T) {
-// tempDir := t.TempDir()
-// caCert := &x509.Certificate{
-// SerialNumber: big.NewInt(0),
-// Subject: pkix.Name{
-// Organization: []string{"ca"},
-// },
-// NotBefore: time.Now(),
-// NotAfter: time.Now().AddDate(2, 0, 0),
-// IsCA: true,
-// ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-// KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-// BasicConstraintsValid: true,
-// }
-// caKey, err := rsa.GenerateKey(rand.Reader, 4096)
-// if err != nil {
-// t.Error(err)
-// }
-// caBytes, err := x509.CreateCertificate(rand.Reader, caCert, caCert, &caKey.PublicKey, caKey)
-// if err != nil {
-// t.Error(err)
-// }
-// caPath := path.Join(tempDir, "ca.crt")
-// caFile, err := os.Create(caPath)
-// if err != nil {
-// t.Error(err)
-// }
-// err = pem.Encode(caFile, &pem.Block{
-// Type: "CERTIFICATE",
-// Bytes: caBytes,
-// })
-// if err != nil {
-// t.Error(err)
-// }
-
-// testClientSet := fake.NewSimpleClientset()
-
-// selfRegistration(
-// testClientSet,
-// readFile(caPath),
-// 0*time.Second,
-// "default",
-// "vpa-service",
-// "http://example.com/",
-// true,
-// int32(32),
-// "",
-// []string{},
-// false,
-// "key1:value1,key2:value2",
-// )
-
-// webhookConfigInterface := testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations()
-// oldWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
-// if err != nil {
-// t.Error(err)
-// }
-
-// assert.Len(t, oldWebhookConfig.Webhooks, 1, "expected one webhook configuration")
-// webhook := oldWebhookConfig.Webhooks[0]
-// oldWebhookCABundle := webhook.ClientConfig.CABundle
-
-// var reloadWebhookCACalled, patchCalled atomic.Bool
-// reloadWebhookCACalled.Store(false)
-// patchCalled.Store(false)
-// testClientSet.PrependReactor("get", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
-// reloadWebhookCACalled.Store(true)
-// return false, nil, nil
-// })
-// testClientSet.PrependReactor("patch", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
-// patchCalled.Store(true)
-// return false, nil, nil
-// })
-
-// reloader := certReloader{
-// clientCaPath: caPath,
-// mutatingWebhookClient: testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations(),
-// }
-// stop := make(chan struct{})
-// defer close(stop)
-// if err := reloader.start(stop); err != nil {
-// t.Error(err)
-// }
-
-// originalCaFile, err := os.ReadFile(caPath)
-// if err != nil {
-// t.Error(err)
-// }
-// err = os.WriteFile(caPath, originalCaFile, 0666)
-// if err != nil {
-// t.Error(err)
-// }
-
-// oldCAEncodedString := base64.StdEncoding.EncodeToString(oldWebhookCABundle)
-
-// for tries := 0; tries < 10; tries++ {
-// if reloadWebhookCACalled.Load() {
-// break
-// }
-// time.Sleep(1 * time.Second)
-// }
-// if !reloadWebhookCACalled.Load() {
-// t.Error("expected reloadWebhookCA to be called")
-// }
-
-// assert.False(t, patchCalled.Load(), "expected patch to not be called")
-
-// newWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
-// assert.Nil(t, err, "expected no error")
-// assert.NotNil(t, newWebhookConfig, "expected webhook configuration")
-// assert.Len(t, newWebhookConfig.Webhooks, 1, "expected one webhook configuration")
-
-// newWebhookCABundle := newWebhookConfig.Webhooks[0].ClientConfig.CABundle
-// newCAEncodedString := base64.StdEncoding.EncodeToString(newWebhookCABundle)
-// assert.Equal(t, oldCAEncodedString, newCAEncodedString, "expected CA to not change")
-// }
+func TestUnchangedCAReloader(t *testing.T) {
+ tempDir := t.TempDir()
+ caCert := &x509.Certificate{
+ SerialNumber: big.NewInt(0),
+ Subject: pkix.Name{
+ Organization: []string{"ca"},
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(2, 0, 0),
+ IsCA: true,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ BasicConstraintsValid: true,
+ }
+ caKey, err := rsa.GenerateKey(rand.Reader, 4096)
+ if err != nil {
+ t.Error(err)
+ }
+ caBytes, err := x509.CreateCertificate(rand.Reader, caCert, caCert, &caKey.PublicKey, caKey)
+ if err != nil {
+ t.Error(err)
+ }
+ caPath := path.Join(tempDir, "ca.crt")
+ caFile, err := os.Create(caPath)
+ if err != nil {
+ t.Error(err)
+ }
+ err = pem.Encode(caFile, &pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: caBytes,
+ })
+ if err != nil {
+ t.Error(err)
+ }
+
+ testClientSet := fake.NewSimpleClientset()
+
+ selfRegistration(
+ testClientSet,
+ readFile(caPath),
+ 0*time.Second,
+ "default",
+ "vpa-service",
+ "http://example.com/",
+ true,
+ int32(32),
+ "",
+ []string{},
+ false,
+ "key1:value1,key2:value2",
+ )
+
+ webhookConfigInterface := testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations()
+ oldWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
+ if err != nil {
+ t.Error(err)
+ }
+
+ assert.Len(t, oldWebhookConfig.Webhooks, 1, "expected one webhook configuration")
+ webhook := oldWebhookConfig.Webhooks[0]
+ oldWebhookCABundle := webhook.ClientConfig.CABundle
+
+ var reloadWebhookCACalled, patchCalled atomic.Bool
+ reloadWebhookCACalled.Store(false)
+ patchCalled.Store(false)
+ testClientSet.PrependReactor("get", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
+ reloadWebhookCACalled.Store(true)
+ return false, nil, nil
+ })
+ testClientSet.PrependReactor("patch", "mutatingwebhookconfigurations", func(action k8stesting.Action) (bool, runtime.Object, error) {
+ patchCalled.Store(true)
+ return false, nil, nil
+ })
+
+ reloader := certReloader{
+ clientCaPath: caPath,
+ mutatingWebhookClient: testClientSet.AdmissionregistrationV1().MutatingWebhookConfigurations(),
+ }
+ stop := make(chan struct{})
+ defer close(stop)
+ if err := reloader.start(stop); err != nil {
+ t.Error(err)
+ }
+
+ originalCaFile, err := os.ReadFile(caPath)
+ if err != nil {
+ t.Error(err)
+ }
+ err = os.WriteFile(caPath, originalCaFile, 0666)
+ if err != nil {
+ t.Error(err)
+ }
+
+ oldCAEncodedString := base64.StdEncoding.EncodeToString(oldWebhookCABundle)
+
+ for tries := 0; tries < 10; tries++ {
+ if reloadWebhookCACalled.Load() {
+ break
+ }
+ time.Sleep(1 * time.Second)
+ }
+ if !reloadWebhookCACalled.Load() {
+ t.Error("expected reloadWebhookCA to be called")
+ }
+
+ assert.False(t, patchCalled.Load(), "expected patch to not be called")
+
+ newWebhookConfig, err := webhookConfigInterface.Get(context.TODO(), webhookConfigName, metav1.GetOptions{})
+ assert.Nil(t, err, "expected no error")
+ assert.NotNil(t, newWebhookConfig, "expected webhook configuration")
+ assert.Len(t, newWebhookConfig.Webhooks, 1, "expected one webhook configuration")
+
+ newWebhookCABundle := newWebhookConfig.Webhooks[0].ClientConfig.CABundle
+ newCAEncodedString := base64.StdEncoding.EncodeToString(newWebhookCABundle)
+ assert.Equal(t, oldCAEncodedString, newCAEncodedString, "expected CA to not change")
+}
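Review bot: The setup steps of the re-enabled TestUnchangedCAReloader report failures with `t.Error` and keep running, so a failed `rsa.GenerateKey` leaves `caKey` nil and the very next statement dereferences `&caKey.PublicKey`, and a failed `os.Create` hands a nil `*os.File` to `pem.Encode`; those setup sites should use `t.Fatal(err)` so the test stops at the first failure with a clear message instead of panicking. The handle returned by `os.Create(caPath)` is also never closed; add `defer caFile.Close()` right after its error check so it does not outlive the test. The added body appears byte-identical to the commented-out version it replaces, so nothing in this hunk changes the polling loop or file-watch timing that the removed TODO (#7831) called flaky; if the root cause was fixed elsewhere, naming that fix in the commit message would help whoever sees this test flake again.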