Fix autodiscovery of Fulcio Root CA in CTlog

Author: osmman

controllers/common/test/action/support.go

@@ -0,0 +1,38 @@
+package action
+
+import (
+	"github.com/go-logr/logr"
+	consolev1 "github.com/openshift/api/console/v1"
+	routev1 "github.com/openshift/api/route/v1"
+	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
+	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/controllers/common/action"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func FakeClientBuilder() *fake.ClientBuilder {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(monitoringv1.AddToScheme(scheme))
+	utilruntime.Must(v1alpha1.AddToScheme(scheme))
+	utilruntime.Must(routev1.AddToScheme(scheme))
+	utilruntime.Must(v1.AddToScheme(scheme))
+	utilruntime.Must(consolev1.AddToScheme(scheme))
+	utilruntime.Must(apiextensions.AddToScheme(scheme))
+	cl := fake.NewClientBuilder().WithScheme(scheme)
+	return cl
+}
+
+func PrepareAction[T interface{}](c client.Client, a action.Action[T]) action.Action[T] {
+	a.InjectClient(c)
+	a.InjectLogger(logr.Logger{})
+	a.InjectRecorder(record.NewFakeRecorder(10))
+	return a
+}

controllers/ctlog/actions/handle_fulcio_root.go

@@ -53,21 +53,6 @@ func (g handleFulcioCert) CanHandle(ctx context.Context, instance *v1alpha1.CTlo
 
 func (g handleFulcioCert) Handle(ctx context.Context, instance *v1alpha1.CTlog) *action.Result {
 
-	scr, err := k8sutils.FindSecret(ctx, g.Client, instance.Namespace, actions.FulcioCALabel)
-	if err != nil {
-		return g.Failed(err)
-	}
-	if scr == nil && len(instance.Spec.RootCertificates) == 0 {
-		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
-			Type:    CertCondition,
-			Status:  metav1.ConditionFalse,
-			Reason:  constants.Failure,
-			Message: "Cert not found",
-		})
-		g.StatusUpdate(ctx, instance)
-		return g.Requeue()
-	}
-
 	if meta.FindStatusCondition(instance.Status.Conditions, constants.Ready).Reason != constants.Creating {
 		meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
 			Type:   constants.Ready,
@@ -78,16 +63,36 @@ func (g handleFulcioCert) Handle(ctx context.Context, instance *v1alpha1.CTlog)
 		return g.StatusUpdate(ctx, instance)
 	}
 
-	instance.Status.RootCertificates = append(instance.Spec.RootCertificates, v1alpha1.SecretKeySelector{
-		LocalObjectReference: v1alpha1.LocalObjectReference{
-			Name: scr.Name,
-		},
-		Key: scr.Labels[actions.FulcioCALabel],
-	})
+	if len(instance.Spec.RootCertificates) == 0 {
+		scr, err := k8sutils.FindSecret(ctx, g.Client, instance.Namespace, actions.FulcioCALabel)
+		if err != nil {
+			return g.Failed(err)
+		}
+		if scr == nil {
+			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+				Type:    CertCondition,
+				Status:  metav1.ConditionFalse,
+				Reason:  constants.Failure,
+				Message: "Cert not found",
+			})
+			g.StatusUpdate(ctx, instance)
+			return g.Requeue()
+		}
+		instance.Status.RootCertificates = []v1alpha1.SecretKeySelector{
+			{
+				LocalObjectReference: v1alpha1.LocalObjectReference{
+					Name: scr.Name,
+				},
+				Key: scr.Labels[actions.FulcioCALabel],
+			},
+		}
+	} else {
+		instance.Status.RootCertificates = instance.Spec.RootCertificates
+	}
 
 	// invalidate server config
 	if instance.Status.ServerConfigRef != nil {
-		if err = g.Client.Delete(ctx, &v1.Secret{
+		if err := g.Client.Delete(ctx, &v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Status.ServerConfigRef.Name,
 				Namespace: instance.Namespace,

controllers/ctlog/actions/handle_fulcio_root_test.go

@@ -0,0 +1,253 @@
+package actions
+
+import (
+	"context"
+	. "github.com/onsi/gomega"
+	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/controllers/common/action"
+	testAction "github.com/securesign/operator/controllers/common/test/action"
+	"github.com/securesign/operator/controllers/common/utils/kubernetes"
+	"github.com/securesign/operator/controllers/constants"
+	"github.com/securesign/operator/controllers/fulcio/actions"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"testing"
+)
+
+func Test_HandleFulcioCert_Autodiscover(t *testing.T) {
+	g := NewWithT(t)
+
+	instance := &v1alpha1.CTlog{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "auto",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.CTlogSpec{},
+		Status: v1alpha1.CTlogStatus{
+			Conditions: []metav1.Condition{
+				{
+					Type:   constants.Ready,
+					Reason: constants.Creating,
+					Status: metav1.ConditionFalse,
+				},
+			},
+		},
+	}
+
+	c := testAction.FakeClientBuilder().WithObjects(
+		kubernetes.CreateSecret("secret", "default",
+			map[string][]byte{"key": nil}, map[string]string{actions.FulcioCALabel: "key"}),
+		instance,
+	).Build()
+
+	i := &v1alpha1.CTlog{}
+	if err := c.Get(context.TODO(), types.NamespacedName{Name: instance.GetName(), Namespace: instance.GetNamespace()}, i); err != nil {
+		t.Error(err)
+	}
+
+	a := testAction.PrepareAction(c, NewHandleFulcioCertAction())
+	g.Expect(a.CanHandle(context.TODO(), i)).To(BeTrue())
+
+	_ = a.Handle(context.TODO(), i)
+
+	g.Expect(len(i.Status.RootCertificates)).Should(Equal(1))
+	g.Expect(i.Status.RootCertificates[0].Key).Should(Equal("key"))
+	g.Expect(i.Status.RootCertificates[0].Name).Should(Equal("secret"))
+
+	g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue())
+}
+
+
+func Test_HandleFulcioCert_Empty(t *testing.T) {
+	g := NewWithT(t)
+
+	instance := &v1alpha1.CTlog{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "empty",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.CTlogSpec{},
+		Status: v1alpha1.CTlogStatus{
+			Conditions: []metav1.Condition{
+				{
+					Type:   constants.Ready,
+					Reason: constants.Creating,
+					Status: metav1.ConditionFalse,
+				},
+			},
+		},
+	}
+
+	c := testAction.FakeClientBuilder().WithObjects(
+		instance,
+	).Build()
+
+	i := &v1alpha1.CTlog{}
+	if err := c.Get(context.TODO(), types.NamespacedName{Name: instance.GetName(), Namespace: instance.GetNamespace()}, i); err != nil {
+		t.Error(err)
+	}
+
+	a := testAction.PrepareAction(c, NewHandleFulcioCertAction())
+	g.Expect(a.CanHandle(context.TODO(), i)).To(BeTrue())
+
+	result := a.Handle(context.TODO(), i)
+	var dummyAction = action.BaseAction{}
+	g.Expect(result).To(Equal(dummyAction.Requeue()))
+}
+
+func Test_HandleFulcioCert_Configured(t *testing.T) {
+	g := NewWithT(t)
+
+	instance := &v1alpha1.CTlog{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "configured",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.CTlogSpec{
+			RootCertificates: []v1alpha1.SecretKeySelector{
+				{
+					Key: "key",
+					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret"},
+				},
+				{
+					Key: "key",
+					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret-2"},
+				},
+			},
+		},
+		Status: v1alpha1.CTlogStatus{
+			Conditions: []metav1.Condition{
+				{
+					Type:   constants.Ready,
+					Reason: constants.Creating,
+					Status: metav1.ConditionFalse,
+				},
+			},
+		},
+	}
+
+	c := testAction.FakeClientBuilder().WithObjects(
+		kubernetes.CreateSecret("secret", "default",
+			map[string][]byte{"key": nil}, map[string]string{}),
+		instance,
+	).Build()
+
+	i := &v1alpha1.CTlog{}
+	if err := c.Get(context.TODO(), types.NamespacedName{Name: instance.GetName(), Namespace: instance.GetNamespace()}, i); err != nil {
+		t.Error(err)
+	}
+
+	a := testAction.PrepareAction(c, NewHandleFulcioCertAction())
+	g.Expect(a.CanHandle(context.TODO(), i)).To(BeTrue())
+
+	_ = a.Handle(context.TODO(), i)
+	g.Expect(len(i.Status.RootCertificates)).Should(Equal(2))
+	g.Expect(i.Status.RootCertificates[0].Key).Should(Equal("key"))
+	g.Expect(i.Status.RootCertificates[0].Name).Should(Equal("secret"))
+	g.Expect(i.Status.RootCertificates[1].Key).Should(Equal("key"))
+	g.Expect(i.Status.RootCertificates[1].Name).Should(Equal("secret-2"))
+
+	g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue())
+}
+
+func Test_HandleFulcioCert_Configured_Priority(t *testing.T) {
+	g := NewWithT(t)
+
+	instance := &v1alpha1.CTlog{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "configured-priority",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.CTlogSpec{
+			RootCertificates: []v1alpha1.SecretKeySelector{
+				{
+					Key: "key",
+					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "my-secret"},
+				},
+			},
+		},
+		Status: v1alpha1.CTlogStatus{
+			Conditions: []metav1.Condition{
+				{
+					Type:   constants.Ready,
+					Reason: constants.Creating,
+					Status: metav1.ConditionFalse,
+				},
+			},
+		},
+	}
+
+	c := testAction.FakeClientBuilder().WithObjects(
+		kubernetes.CreateSecret("my-secret", "default",
+			map[string][]byte{"key": nil}, map[string]string{}),
+		kubernetes.CreateSecret("incorrect-secret", "default",
+			map[string][]byte{"key": nil}, map[string]string{actions.FulcioCALabel: "key"}),
+		instance,
+	).Build()
+
+	i := &v1alpha1.CTlog{}
+	if err := c.Get(context.TODO(), types.NamespacedName{Name: instance.GetName(), Namespace: instance.GetNamespace()}, i); err != nil {
+		t.Error(err)
+	}
+
+	a := testAction.PrepareAction(c, NewHandleFulcioCertAction())
+	g.Expect(a.CanHandle(context.TODO(), i)).To(BeTrue())
+
+	_ = a.Handle(context.TODO(), i)
+	g.Expect(len(i.Status.RootCertificates)).Should(Equal(1))
+	g.Expect(i.Status.RootCertificates[0].Key).Should(Equal("key"))
+	g.Expect(i.Status.RootCertificates[0].Name).Should(Equal("my-secret"))
+
+	g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue())
+}
+
+func Test_HandleFulcioCert_Delete_ServerConfig(t *testing.T) {
+	g := NewWithT(t)
+
+	instance := &v1alpha1.CTlog{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "delete-config",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.CTlogSpec{
+			RootCertificates: []v1alpha1.SecretKeySelector{
+				{
+					Key: "key",
+					LocalObjectReference: v1alpha1.LocalObjectReference{Name: "secret"},
+				},
+			},
+		},
+		Status: v1alpha1.CTlogStatus{
+			ServerConfigRef: &v1alpha1.LocalObjectReference{Name: "ctlog-config"},
+			Conditions: []metav1.Condition{
+				{
+					Type:   constants.Ready,
+					Reason: constants.Creating,
+					Status: metav1.ConditionFalse,
+				},
+			},
+		},
+	}
+
+	c := testAction.FakeClientBuilder().WithObjects(
+		kubernetes.CreateImmutableSecret("ctlog-config", instance.Namespace, map[string][]byte{},  map[string]string{}),
+		instance,
+	).Build()
+
+	i := &v1alpha1.CTlog{}
+	if err := c.Get(context.TODO(), types.NamespacedName{Name: instance.GetName(), Namespace: instance.GetNamespace()}, i); err != nil {
+		t.Error(err)
+	}
+
+	a := testAction.PrepareAction(c, NewHandleFulcioCertAction())
+	g.Expect(a.CanHandle(context.TODO(), i)).To(BeTrue())
+
+	_ = a.Handle(context.TODO(), i)
+	g.Expect(meta.IsStatusConditionTrue(i.Status.Conditions, CertCondition)).To(BeTrue())
+
+	g.Expect(i.Status.ServerConfigRef).To(BeNil())
+	g.Expect(c.Get(context.TODO(), types.NamespacedName{Name: "ctlog-config", Namespace: instance.GetNamespace()}, &v1.Secret{})).To(HaveOccurred())
+}
+