add e2e test

ruanxin · Nov 25, 2023 · ec8a0e8 · ec8a0e8
1 parent cc2cee4
commit ec8a0e8
Show file tree

Hide file tree

Showing 25 changed files with 326 additions and 201 deletions.
diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -36,7 +36,8 @@ jobs:
                     "purge-controller",
                     "purge-metrics",
                     "module-upgrade",
-                    "certificate-rotation"
+                    "ca-certificate-rotation"
+                    "self-signed-certificate-rotation"
         ]
     name: "E2E"
     needs: [wait-for-img]
@@ -133,8 +134,23 @@ jobs:
           cat purge_finalizer.yaml
           kustomize edit add patch --path purge_finalizer.yaml --kind Deployment
           popd
+      - name: Patch self signed certificate lifetime
+        if: ${{matrix.e2e-test == 'self-signed-certificate-rotation'}}
+        working-directory: lifecycle-manager
+        run: |
+          pushd config/watcher_local_test
+          echo \
+          "- op: add
+            path: /spec/template/spec/containers/0/args/-
+            value: --self-signed-cert-duration=1h
+          - op: add
+            path: /spec/template/spec/containers/0/args/-
+            value: --self-signed-cert-renew-before=59m" >> self-signed-cert.yaml
+          cat self-signed-cert.yaml
+          kustomize edit add patch --path self-signed-cert.yaml --kind Deployment
+          popd
       - name: Patch CA certificate renewBefore
-        if: ${{matrix.e2e-test == 'certificate-rotation'}}
+        if: ${{matrix.e2e-test == 'ca-certificate-rotation'}}
         working-directory: lifecycle-manager
         run: |
           pushd config/watcher_local_test
@@ -235,7 +251,10 @@ jobs:
           kubectl apply -f template.yaml
       - name: Expose Metrics Endpoint
         working-directory: lifecycle-manager
-        if: ${{ matrix.e2e-test == 'kyma-metrics' || matrix.e2e-test == 'purge-metrics' }}
+        if: ${{ matrix.e2e-test == 'kyma-metrics' ||
+          matrix.e2e-test == 'purge-metrics' ||
+          matrix.e2e-test == 'self-signed-certificate-rotation'
+          }}
         run: |
           kubectl patch svc klm-metrics-service -p '{"spec": {"type": "LoadBalancer"}}' -n kcp-system
       - name: Run ${{ matrix.e2e-test }}

diff --git a/cmd/flags.go b/cmd/flags.go
@@ -32,12 +32,12 @@ const (
 	defaultIstioNamespace                                = "istio-system"
 	defaultCaCertName                                    = "klm-watcher-serving-cert"
 	defaultCaCertCacheTTL                  time.Duration = 1 * time.Hour
-	defaultCertificateDuration             time.Duration = 90 * 24 * time.Hour
-	defaultCertificateRenewBefore          time.Duration = 60 * 24 * time.Hour
+	defaultSelfSignedCertDuration          time.Duration = 90 * 24 * time.Hour
+	defaultSelfSignedCertRenewBefore       time.Duration = 60 * 24 * time.Hour
 )
 
 //nolint:funlen
-func defineFlagVar() *FlagVar {
+func DefineFlagVar() *FlagVar {
 	flagVar := new(FlagVar)
 	flag.StringVar(&flagVar.metricsAddr, "metrics-bind-address", ":8080",
 		"The address the metric endpoint binds to.")
@@ -139,11 +139,12 @@ func defineFlagVar() *FlagVar {
 		"Name of the CA Certificate in Istio Namespace which is used to sign SKR Certificates")
 	flag.DurationVar(&flagVar.caCertCacheTTL, "ca-cert-cache-ttl", defaultCaCertCacheTTL,
 		"The ttl for the CA Certificate Cache")
-	flag.DurationVar(&flagVar.certificateDuration, "cert-duration", defaultCertificateDuration,
-		"The lifetime duration of certificate")
-	flag.DurationVar(&flagVar.certificateRenewBefore, "cert-renew-before", defaultCertificateRenewBefore,
-		"The duration time to renew certificate")
-	flag.BoolVar(&flagVar.isKymaManaged, "is-kyma-managed", false, "indicates whether Kyma is managed")
+	flag.DurationVar(&flagVar.SelfSignedCertDuration, "self-signed-cert-duration", defaultSelfSignedCertDuration,
+		"The lifetime duration of self-signed certificate")
+	flag.DurationVar(&flagVar.SelfSignedCertRenewBefore, "self-signed-cert-renew-before",
+		defaultSelfSignedCertRenewBefore,
+		"The duration time to renew self-signed certificate")
+	flag.BoolVar(&flagVar.IsKymaManaged, "is-kyma-managed", false, "indicates whether Kyma is managed")
 	return flagVar
 }
 
@@ -193,7 +194,7 @@ type FlagVar struct {
 	caCertName                             string
 	caCertCacheTTL                         time.Duration
 	enableVerification                     bool
-	isKymaManaged                          bool
-	certificateDuration                    time.Duration
-	certificateRenewBefore                 time.Duration
+	IsKymaManaged                          bool
+	SelfSignedCertDuration                 time.Duration
+	SelfSignedCertRenewBefore              time.Duration
 }
diff --git a/cmd/main.go b/cmd/main.go
@@ -86,7 +86,7 @@ func init() {
 }
 
 func main() {
-	flagVar := defineFlagVar()
+	flagVar := DefineFlagVar()
 	flag.Parse()
 	ctrl.SetLogger(log.ConfigLogger(int8(flagVar.logLevel), zapcore.Lock(os.Stdout)))
 	if flagVar.pprof {
@@ -249,7 +249,7 @@ func setupKymaReconciler(mgr ctrl.Manager, remoteClientCache *remote.ClientCache
 		},
 		InKCPMode:           flagVar.inKCPMode,
 		RemoteSyncNamespace: flagVar.remoteSyncNamespace,
-		IsManagedKyma:       flagVar.isKymaManaged,
+		IsManagedKyma:       flagVar.IsKymaManaged,
 		KymaMetrics:         metrics.NewKymaMetrics(),
 	}).SetupWithManager(
 		mgr, options, controller.SetupUpSetting{
@@ -264,7 +264,7 @@ func setupKymaReconciler(mgr ctrl.Manager, remoteClientCache *remote.ClientCache
 }
 
 func createSkrWebhookManager(mgr ctrl.Manager, flagVar *FlagVar) (*watcher.SKRWebhookManifestManager, error) {
-	caCertificateCache := watcher.NewCertificateCache(flagVar.caCertCacheTTL)
+	caCertificateCache := watcher.NewCACertificateCache(flagVar.caCertCacheTTL)
 	return watcher.NewSKRWebhookManifestManager(mgr.GetConfig(), mgr.GetScheme(), caCertificateCache,
 		watcher.SkrWebhookManagerConfig{
 			SKRWatcherPath:         flagVar.skrWatcherPath,
@@ -277,8 +277,8 @@ func createSkrWebhookManager(mgr ctrl.Manager, flagVar *FlagVar) (*watcher.SKRWe
 			RemoteSyncNamespace: flagVar.remoteSyncNamespace,
 			CACertificateName:   flagVar.caCertName,
 			AdditionalDNSNames:  strings.Split(flagVar.additionalDNSNames, ","),
-			Duration:            apimetav1.Duration{Duration: flagVar.certificateDuration},
-			RenewBefore:         apimetav1.Duration{Duration: flagVar.certificateRenewBefore},
+			Duration:            apimetav1.Duration{Duration: flagVar.SelfSignedCertDuration},
+			RenewBefore:         apimetav1.Duration{Duration: flagVar.SelfSignedCertRenewBefore},
 		}, watcher.GatewayConfig{
 			IstioGatewayName:          flagVar.istioGatewayName,
 			IstioGatewayNamespace:     flagVar.istioGatewayNamespace,
@@ -302,7 +302,7 @@ func setupPurgeReconciler(mgr ctrl.Manager,
 		ResolveRemoteClient:   resolveRemoteClientFunc,
 		PurgeFinalizerTimeout: flagVar.purgeFinalizerTimeout,
 		SkipCRDs:              matcher.CreateCRDMatcherFrom(flagVar.skipPurgingFor),
-		IsManagedKyma:         flagVar.isKymaManaged,
+		IsManagedKyma:         flagVar.IsKymaManaged,
 		Metrics:               metrics.NewPurgeMetrics(),
 	}).SetupWithManager(
 		mgr, options,

diff --git a/internal/controller/watcher_controller.go b/internal/controller/watcher_controller.go
@@ -147,7 +147,7 @@ func (r *WatcherReconciler) handleDeletingState(ctx context.Context, watcherCR *
 func (r *WatcherReconciler) handleProcessingState(ctx context.Context,
 	watcherCR *v1beta2.Watcher,
 ) (ctrl.Result, error) {
-	// Create virtualService in Memory
+	// CreateSelfSignedCert virtualService in Memory
 	virtualSvc, err := r.IstioClient.NewVirtualService(ctx, watcherCR)
 	if err != nil {
 		return r.updateWatcherState(ctx, watcherCR, shared.StateError, err)

diff --git a/internal/declarative/v2/factory.go b/internal/declarative/v2/factory.go
@@ -83,7 +83,7 @@ func NewSingletonClients(info *ClusterInfo) (*SingletonClients, error) {
 	discoveryRESTMapper := restmapper.NewDeferredDiscoveryRESTMapper(cachedDiscoveryClient)
 	discoveryShortcutExpander := restmapper.NewShortcutExpander(discoveryRESTMapper, cachedDiscoveryClient)
 
-	// Create target cluster client only if not passed.
+	// CreateSelfSignedCert target cluster client only if not passed.
 	// Clients should be passed only in two cases:
 	// 1. Single cluster mode is enabled.
 	// Since such clients are similar to the root client instance.

diff --git a/internal/pkg/metrics/common.go b/internal/pkg/metrics/common.go
@@ -11,7 +11,7 @@ import (
 const (
 	shootIDLabel    = "shoot"
 	instanceIDLabel = "instance_id"
-	kymaNameLabel   = "kyma_name"
+	KymaNameLabel   = "kyma_name"
 )
 
 var (

diff --git a/internal/pkg/metrics/kyma.go b/internal/pkg/metrics/kyma.go
@@ -11,8 +11,8 @@ import (
 )
 
 const (
-	metricKymaState   = "lifecycle_mgr_kyma_state"
-	metricModuleState = "lifecycle_mgr_module_state"
+	MetricKymaState   = "lifecycle_mgr_kyma_state"
+	MetricModuleState = "lifecycle_mgr_module_state"
 	stateLabel        = "state"
 	moduleNameLabel   = "module_name"
 )
@@ -25,14 +25,14 @@ type KymaMetrics struct {
 func NewKymaMetrics() *KymaMetrics {
 	kymaMetrics := &KymaMetrics{
 		kymaStateGauge: prometheus.NewGaugeVec(prometheus.GaugeOpts{
-			Name: metricKymaState,
+			Name: MetricKymaState,
 			Help: "Indicates the Status.state for a given Kyma object",
-		}, []string{kymaNameLabel, stateLabel, shootIDLabel, instanceIDLabel}),
+		}, []string{KymaNameLabel, stateLabel, shootIDLabel, instanceIDLabel}),
 
 		moduleStateGauge: prometheus.NewGaugeVec(prometheus.GaugeOpts{
-			Name: metricModuleState,
+			Name: MetricModuleState,
 			Help: "Indicates the Status.state for modules of Kyma",
-		}, []string{moduleNameLabel, kymaNameLabel, stateLabel, shootIDLabel, instanceIDLabel}),
+		}, []string{moduleNameLabel, KymaNameLabel, stateLabel, shootIDLabel, instanceIDLabel}),
 	}
 	ctrlmetrics.Registry.MustRegister(kymaMetrics.kymaStateGauge)
 	ctrlmetrics.Registry.MustRegister(kymaMetrics.moduleStateGauge)
@@ -61,18 +61,18 @@ func (k *KymaMetrics) UpdateAll(kyma *v1beta2.Kyma) error {
 // 'lifecycle_mgr_module_state' metrics for the matching Kyma.
 func (k *KymaMetrics) CleanupMetrics(kymaName string) {
 	k.kymaStateGauge.DeletePartialMatch(prometheus.Labels{
-		kymaNameLabel: kymaName,
+		KymaNameLabel: kymaName,
 	})
 	k.moduleStateGauge.DeletePartialMatch(prometheus.Labels{
-		kymaNameLabel: kymaName,
+		KymaNameLabel: kymaName,
 	})
 }
 
 // RemoveModuleStateMetrics deletes all 'lifecycle_mgr_module_state' metrics for the matching module.
 func (k *KymaMetrics) RemoveModuleStateMetrics(kyma *v1beta2.Kyma, moduleName string) {
 	k.moduleStateGauge.DeletePartialMatch(prometheus.Labels{
 		moduleNameLabel: moduleName,
-		kymaNameLabel:   kyma.Name,
+		KymaNameLabel:   kyma.Name,
 	})
 }
 
@@ -81,7 +81,7 @@ func (k *KymaMetrics) setKymaStateGauge(newState shared.State, kymaName, shootID
 	for _, state := range states {
 		newValue := calcStateValue(state, newState)
 		k.kymaStateGauge.With(prometheus.Labels{
-			kymaNameLabel:   kymaName,
+			KymaNameLabel:   kymaName,
 			shootIDLabel:    shootID,
 			instanceIDLabel: instanceID,
 			stateLabel:      string(state),
@@ -95,7 +95,7 @@ func (k *KymaMetrics) setModuleStateGauge(newState shared.State, moduleName, kym
 		newValue := calcStateValue(state, newState)
 		k.moduleStateGauge.With(prometheus.Labels{
 			moduleNameLabel: moduleName,
-			kymaNameLabel:   kymaName,
+			KymaNameLabel:   kymaName,
 			shootIDLabel:    shootID,
 			instanceIDLabel: instanceID,
 			stateLabel:      string(state),

diff --git a/internal/pkg/metrics/purge.go b/internal/pkg/metrics/purge.go
@@ -40,7 +40,7 @@ func NewPurgeMetrics() *PurgeMetrics {
 		purgeErrorGauge: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Name: metricPurgeError,
 			Help: "Indicates purge errors",
-		}, []string{kymaNameLabel, shootIDLabel, instanceIDLabel, errorReasonLabel}),
+		}, []string{KymaNameLabel, shootIDLabel, instanceIDLabel, errorReasonLabel}),
 	}
 	ctrlmetrics.Registry.MustRegister(purgeMetrics.purgeTimeGauge)
 	ctrlmetrics.Registry.MustRegister(purgeMetrics.purgeRequestsCounter)
@@ -66,7 +66,7 @@ func (p *PurgeMetrics) UpdatePurgeError(kyma *v1beta2.Kyma, purgeError PurgeErro
 		return fmt.Errorf("%w: %w", errMetric, err)
 	}
 	metric, err := p.purgeErrorGauge.GetMetricWith(prometheus.Labels{
-		kymaNameLabel:    kyma.Name,
+		KymaNameLabel:    kyma.Name,
 		shootIDLabel:     shootID,
 		instanceIDLabel:  instanceID,
 		errorReasonLabel: string(purgeError),

diff --git a/internal/pkg/metrics/watcher.go b/internal/pkg/metrics/watcher.go
@@ -7,7 +7,7 @@ import (
 )
 
 const (
-	CertNotRenewMetrics = "lifecycle_mgr_cert_not_renew"
+	SelfSignedCertNotRenewMetrics = "lifecycle_mgr_self_signed_cert_not_renew"
 )
 
 type WatcherMetrics struct {
@@ -17,9 +17,9 @@ type WatcherMetrics struct {
 func NewWatcherMetrics() *WatcherMetrics {
 	watcherMetrics := &WatcherMetrics{
 		certNotRenewGauge: prometheus.NewGaugeVec(prometheus.GaugeOpts{
-			Name: CertNotRenewMetrics,
-			Help: "Indicates the Certificate CR of related Kyma is not renewed yet",
-		}, []string{kymaNameLabel}),
+			Name: SelfSignedCertNotRenewMetrics,
+			Help: "Indicates the self-signed Certificate of related Kyma is not renewed yet",
+		}, []string{KymaNameLabel}),
 	}
 	ctrlmetrics.Registry.MustRegister(watcherMetrics.certNotRenewGauge)
 	watchermetrics.Init(ctrlmetrics.Registry)
@@ -28,12 +28,12 @@ func NewWatcherMetrics() *WatcherMetrics {
 
 func (w *WatcherMetrics) CleanupMetrics(kymaName string) {
 	w.certNotRenewGauge.DeletePartialMatch(prometheus.Labels{
-		kymaNameLabel: kymaName,
+		KymaNameLabel: kymaName,
 	})
 }
 
 func (w *WatcherMetrics) SetCertNotRenew(kymaName string) {
 	w.certNotRenewGauge.With(prometheus.Labels{
-		kymaNameLabel: kymaName,
+		KymaNameLabel: kymaName,
 	}).Set(1)
 }
diff --git a/pkg/testutils/deployment.go b/pkg/testutils/deployment.go
@@ -7,9 +7,14 @@ import (
 
 	apiappsv1 "k8s.io/api/apps/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/kyma-project/lifecycle-manager/api/v1beta2"
 )
 
-var ErrDeploymentNotReady = errors.New("deployment is not ready")
+var (
+	ErrDeploymentNotReady   = errors.New("deployment is not ready")
+	ErrDeploymentNotStopped = errors.New("deployment is not stopped")
+)
 
 func DeploymentIsReady(ctx context.Context, name, namespace string, clnt client.Client) error {
 	deploy := &apiappsv1.Deployment{}
@@ -23,3 +28,25 @@ func DeploymentIsReady(ctx context.Context, name, namespace string, clnt client.
 	}
 	return ErrDeploymentNotReady
 }
+
+func StopDeployment(ctx context.Context, clnt client.Client,
+	name, namespace string,
+) error {
+	deploy := &apiappsv1.Deployment{}
+	if err := clnt.Get(ctx, client.ObjectKey{Name: name, Namespace: namespace}, deploy); err != nil {
+		return fmt.Errorf("could not get deployment: %w", err)
+	}
+	if deploy.Status.AvailableReplicas == 0 {
+		return nil
+	}
+	deploy.Spec.Replicas = int32Ptr(0)
+	err := clnt.Patch(ctx, deploy, client.Apply,
+		client.ForceOwnership,
+		client.FieldOwner(v1beta2.OperatorName))
+	if err != nil {
+		return err
+	}
+	return ErrDeploymentNotStopped
+}
+
+func int32Ptr(i int32) *int32 { return &i }