mirror of
https://github.com/prometheus-operator/prometheus-operator.git
synced 2025-04-13 15:56:28 +00:00
512 lines
15 KiB
Go
512 lines
15 KiB
Go
// Copyright 2024 The prometheus-operator Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package clustertlsconfig_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
"gotest.tools/v3/golden"
|
|
v1 "k8s.io/api/core/v1"
|
|
"k8s.io/utils/ptr"
|
|
|
|
"github.com/prometheus-operator/prometheus-operator/pkg/alertmanager/clustertlsconfig"
|
|
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
|
|
)
|
|
|
|
func TestCreateOrUpdateClusterTLSConfigSecret(t *testing.T) {
|
|
|
|
tc := []struct {
|
|
name string
|
|
clusterTLSConfig *monitoringv1.ClusterTLSConfig
|
|
golden string
|
|
}{
|
|
{
|
|
name: "cluster tls config not defined",
|
|
clusterTLSConfig: nil,
|
|
golden: "clusterTLS_config_not_defined.golden",
|
|
},
|
|
{
|
|
name: "minimal cluster TLS config with server certificate from secret",
|
|
clusterTLSConfig: &monitoringv1.ClusterTLSConfig{
|
|
ServerTLS: monitoringv1.WebTLSConfig{
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
},
|
|
ClientTLS: monitoringv1.SafeTLSConfig{
|
|
InsecureSkipVerify: ptr.To(true),
|
|
CA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.ca",
|
|
},
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.KeySecret",
|
|
},
|
|
},
|
|
},
|
|
golden: "minimal_clusterTLS_config_with_certificate_from_secret.golden",
|
|
},
|
|
{
|
|
name: "minimal cluster TLS config with server and client certificates from configmap",
|
|
clusterTLSConfig: &monitoringv1.ClusterTLSConfig{
|
|
ServerTLS: monitoringv1.WebTLSConfig{
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
ConfigMap: &v1.ConfigMapKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-configmap",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
},
|
|
ClientTLS: monitoringv1.SafeTLSConfig{
|
|
InsecureSkipVerify: ptr.To(true),
|
|
CA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "cert.pem",
|
|
},
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
ConfigMap: &v1.ConfigMapKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-configmap",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
},
|
|
},
|
|
golden: "minimal_clusterTLS_config_with_certificate_from_configmap.golden",
|
|
},
|
|
{
|
|
name: "minimal cluster TLS config with server TLS cert and clientCA from configmap",
|
|
clusterTLSConfig: &monitoringv1.ClusterTLSConfig{
|
|
ServerTLS: monitoringv1.WebTLSConfig{
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
ConfigMap: &v1.ConfigMapKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-configmap",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
ClientCA: monitoringv1.SecretOrConfigMap{
|
|
ConfigMap: &v1.ConfigMapKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-configmap",
|
|
},
|
|
Key: "tls.client_ca",
|
|
},
|
|
},
|
|
},
|
|
ClientTLS: monitoringv1.SafeTLSConfig{
|
|
InsecureSkipVerify: ptr.To(true),
|
|
CA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.ca",
|
|
},
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
},
|
|
},
|
|
golden: "minimal_clusterTLS_config_with_client_CA_from_configmap.golden",
|
|
},
|
|
{
|
|
name: "cluster tls config with all parameters from secrets",
|
|
clusterTLSConfig: &monitoringv1.ClusterTLSConfig{
|
|
ServerTLS: monitoringv1.WebTLSConfig{
|
|
ClientCA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.ca",
|
|
},
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.keySecret",
|
|
},
|
|
ClientAuthType: ptr.To("RequireAnyClientCert"),
|
|
MinVersion: ptr.To("TLS11"),
|
|
MaxVersion: ptr.To("TLS13"),
|
|
CipherSuites: []string{"cipher-1", "cipher-2"},
|
|
PreferServerCipherSuites: ptr.To(false),
|
|
CurvePreferences: []string{"curve-1", "curve-2"},
|
|
},
|
|
ClientTLS: monitoringv1.SafeTLSConfig{
|
|
InsecureSkipVerify: ptr.To(true),
|
|
CA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.ca",
|
|
},
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
KeySecret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
},
|
|
},
|
|
golden: "clusterTLS_config_with_all_parameters_from_secrets.golden",
|
|
},
|
|
{
|
|
name: "cluster tls config with server client CA, cert and key files",
|
|
clusterTLSConfig: &monitoringv1.ClusterTLSConfig{
|
|
ServerTLS: monitoringv1.WebTLSConfig{
|
|
ClientCAFile: ptr.To("/etc/ssl/certs/tls.client_ca"),
|
|
CertFile: ptr.To("/etc/ssl/certs/tls.crt"),
|
|
KeyFile: ptr.To("/etc/ssl/secrets/tls.key"),
|
|
},
|
|
ClientTLS: monitoringv1.SafeTLSConfig{
|
|
InsecureSkipVerify: ptr.To(true),
|
|
CA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "cert.pem",
|
|
},
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "cert.pem",
|
|
},
|
|
},
|
|
KeySecret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "test-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
},
|
|
},
|
|
golden: "clusterTLS_config_with_client_CA_cert_and_key_files.golden",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tc {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
secretName := "test-secret"
|
|
config, err := clustertlsconfig.New("/cluster_tls_certs_path_prefix", secretName, tt.clusterTLSConfig)
|
|
require.NoError(t, err)
|
|
|
|
data, err := config.ClusterTLSConfiguration()
|
|
require.NoError(t, err)
|
|
|
|
golden.Assert(t, string(data), tt.golden)
|
|
})
|
|
}
|
|
|
|
}
|
|
|
|
func TestGetMountParameters(t *testing.T) {
|
|
ts := []struct {
|
|
name string
|
|
clusterTLSConfig *monitoringv1.ClusterTLSConfig
|
|
expectedVolumes []v1.Volume
|
|
expectedMounts []v1.VolumeMount
|
|
}{
|
|
{
|
|
name: "cluster tls config not defined",
|
|
clusterTLSConfig: nil,
|
|
expectedVolumes: []v1.Volume{
|
|
{
|
|
Name: "cluster-tls-config",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "cluster-tls-config",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectedMounts: []v1.VolumeMount{
|
|
{
|
|
Name: "cluster-tls-config",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/cluster-tls-config.yaml",
|
|
SubPath: "cluster-tls-config.yaml",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
name: "cluster tls config completely defined",
|
|
clusterTLSConfig: &monitoringv1.ClusterTLSConfig{
|
|
ServerTLS: monitoringv1.WebTLSConfig{
|
|
KeySecret: v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "some-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "some-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
ClientCA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "some-secret",
|
|
},
|
|
Key: "tls.client_ca",
|
|
},
|
|
},
|
|
},
|
|
ClientTLS: monitoringv1.SafeTLSConfig{
|
|
KeySecret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "some-secret",
|
|
},
|
|
Key: "tls.key",
|
|
},
|
|
Cert: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "some-secret",
|
|
},
|
|
Key: "tls.crt",
|
|
},
|
|
},
|
|
CA: monitoringv1.SecretOrConfigMap{
|
|
Secret: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: "some-secret",
|
|
},
|
|
Key: "tls.client_ca",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectedVolumes: []v1.Volume{
|
|
{
|
|
Name: "cluster-tls-config",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "cluster-tls-config",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "cluster-tls-server-config-secret-key-some-secret-3556f148",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "some-secret",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "cluster-tls-server-config-secret-cert-some-secret-3556f148",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "some-secret",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "cluster-tls-server-config-secret-client-ca-some-secret-3556f148",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "some-secret",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "cluster-tls-client-config-secret-key-some-secret-3556f148",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "some-secret",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "cluster-tls-client-config-secret-cert-some-secret-3556f148",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "some-secret",
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "cluster-tls-client-config-secret-client-ca-some-secret-3556f148",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "some-secret",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
expectedMounts: []v1.VolumeMount{
|
|
{
|
|
Name: "cluster-tls-config",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/cluster-tls-config.yaml",
|
|
SubPath: "cluster-tls-config.yaml",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
{
|
|
Name: "cluster-tls-server-config-secret-key-some-secret-3556f148",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/server_tls/secret/some-secret-key",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
{
|
|
Name: "cluster-tls-server-config-secret-cert-some-secret-3556f148",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/server_tls/secret/some-secret-cert",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
{
|
|
Name: "cluster-tls-server-config-secret-client-ca-some-secret-3556f148",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/server_tls/secret/some-secret-ca",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
{
|
|
Name: "cluster-tls-client-config-secret-key-some-secret-3556f148",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/client_tls/secret/some-secret-key",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
{
|
|
Name: "cluster-tls-client-config-secret-cert-some-secret-3556f148",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/client_tls/secret/some-secret-cert",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
{
|
|
Name: "cluster-tls-client-config-secret-client-ca-some-secret-3556f148",
|
|
ReadOnly: true,
|
|
MountPath: "/etc/prometheus/cluster_tls_config/client_tls/secret/some-secret-ca",
|
|
MountPropagation: nil,
|
|
SubPathExpr: "",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range ts {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
tlsAssets, err := clustertlsconfig.New("/etc/prometheus/cluster_tls_config", "cluster-tls-config", tt.clusterTLSConfig)
|
|
require.NoError(t, err)
|
|
|
|
_, volumes, mounts, err := tlsAssets.GetMountParameters()
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, tt.expectedVolumes, volumes)
|
|
require.Equal(t, tt.expectedMounts, mounts)
|
|
})
|
|
}
|
|
}
|