Add rotation tests for different certificate options

integration/environment/machine.go

@@ -7,11 +7,15 @@ import (
 	"context"
 
 	"github.com/pkg/errors"
+	"go.uber.org/zap"
 
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
+	"code.cloudfoundry.org/quarks-secret/pkg/credsgen"
+	inmemorygenerator "code.cloudfoundry.org/quarks-secret/pkg/credsgen/in_memory_generator"
 	qsv1a1 "code.cloudfoundry.org/quarks-secret/pkg/kube/apis/quarkssecret/v1alpha1"
 	"code.cloudfoundry.org/quarks-secret/pkg/kube/client/clientset/versioned"
 	"code.cloudfoundry.org/quarks-utils/testing/machine"
@@ -61,3 +65,27 @@ func (m *Machine) WaitForQuarksSecretChange(namespace string, name string, chang
 		return changed(*qs), nil
 	})
 }
+
+// CreateCASecret creates a CA and stores it in a secret
+func (m *Machine) CreateCASecret(log *zap.SugaredLogger, namespace string, name string) (machine.TearDownFunc, error) {
+	generator := inmemorygenerator.NewInMemoryGenerator(log)
+	ca, err := generator.GenerateCertificate("default-ca", credsgen.CertificateGenerationRequest{
+		CommonName: "Fake CA",
+		IsCA:       true,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	casecret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			"ca":  ca.Certificate,
+			"key": ca.PrivateKey,
+		},
+	}
+	return m.CreateSecret(namespace, casecret)
+}

integration/quarks_secret_rotation_test.go

@@ -23,10 +23,6 @@ var _ = Describe("QuarksSecretRotation", func() {
 		qsecName = "test.qsec"
 	)
 
-	notGenerated := func(status qsv1a1.QuarksSecretStatus) bool {
-		return status.Generated == nil || (status.Generated != nil && !*status.Generated)
-	}
-
 	JustBeforeEach(func() {
 		By("Creating the quarks secret", func() {
 			_, tearDown, err := env.CreateQuarksSecret(env.Namespace, qsec)
@@ -60,13 +56,8 @@ var _ = Describe("QuarksSecretRotation", func() {
 		})
 
 		It("modifies quarks secret and a a new password is generated", func() {
-			err := env.WaitForQuarksSecretChange(env.Namespace, qsecName, func(qs qsv1a1.QuarksSecret) bool {
-				return notGenerated(qs.Status)
-			})
-			Expect(err).NotTo(HaveOccurred())
-
 			oldPassword = oldSecret.Data["password"]
-			err = env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
 				return !bytes.Equal(oldPassword, s.Data["password"])
 			})
 			Expect(err).NotTo(HaveOccurred())
@@ -75,17 +66,45 @@ var _ = Describe("QuarksSecretRotation", func() {
 
 	When("rotating a certificate", func() {
 		BeforeEach(func() {
-			qsec = env.CertificateQuarksSecret(qsecName, "mysecret", "ca", "key")
+			qsec = env.CertificateQuarksSecret(qsecName, "my-ca", "ca", "key")
+
+			By("creating the CA and storing it in a secret")
+			tearDown, err := env.CreateCASecret(env.Log, env.Namespace, "my-ca")
+			Expect(err).NotTo(HaveOccurred())
+			tearDowns = append(tearDowns, tearDown)
+		})
+
+		It("modifies quarks secret and updates certificate and key", func() {
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+				return !bytes.Equal(oldSecret.Data["certificate"], s.Data["certificate"]) &&
+					!bytes.Equal(oldSecret.Data["private_key"], s.Data["private_key"])
+			})
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	When("rotating a cluster signed certificate", func() {
+		BeforeEach(func() {
+			qsec = env.CertificateQuarksSecret(qsecName, "", "", "")
 			qsec.Spec.Request.CertificateRequest.SignerType = qsv1a1.ClusterSigner
 		})
 
 		It("modifies quarks secret and updates certificate and key", func() {
-			err := env.WaitForQuarksSecretChange(env.Namespace, qsecName, func(qs qsv1a1.QuarksSecret) bool {
-				return notGenerated(qs.Status)
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+				return !bytes.Equal(oldSecret.Data["certificate"], s.Data["certificate"]) &&
+					!bytes.Equal(oldSecret.Data["private_key"], s.Data["private_key"])
 			})
 			Expect(err).NotTo(HaveOccurred())
+		})
+	})
 
-			err = env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+	When("rotating a CA certificate", func() {
+		BeforeEach(func() {
+			qsec = env.CACertificateQuarksSecret(qsecName, "", "", "")
+		})
+
+		It("modifies quarks secret and updates certificate and key", func() {
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
 				return !bytes.Equal(oldSecret.Data["certificate"], s.Data["certificate"]) &&
 					!bytes.Equal(oldSecret.Data["private_key"], s.Data["private_key"])
 			})
@@ -99,12 +118,7 @@ var _ = Describe("QuarksSecretRotation", func() {
 		})
 
 		It("modifies quarks secret and the secret is updated", func() {
-			err := env.WaitForQuarksSecretChange(env.Namespace, qsecName, func(qs qsv1a1.QuarksSecret) bool {
-				return notGenerated(qs.Status)
-			})
-			Expect(err).NotTo(HaveOccurred())
-
-			err = env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
 				return !bytes.Equal(oldSecret.Data["private_key"], s.Data["private_key"]) &&
 					!bytes.Equal(oldSecret.Data["public_key_fingerprint"], s.Data["public_key_fingerprint"])
 			})
@@ -118,12 +132,7 @@ var _ = Describe("QuarksSecretRotation", func() {
 		})
 
 		It("modifies quarks secret and the secret is updated", func() {
-			err := env.WaitForQuarksSecretChange(env.Namespace, qsecName, func(qs qsv1a1.QuarksSecret) bool {
-				return notGenerated(qs.Status)
-			})
-			Expect(err).NotTo(HaveOccurred())
-
-			err = env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
 				return !bytes.Equal(oldSecret.Data["private_key"], s.Data["private_key"]) &&
 					!bytes.Equal(oldSecret.Data["public_key"], s.Data["public_key"])
 			})
@@ -137,12 +146,7 @@ var _ = Describe("QuarksSecretRotation", func() {
 		})
 
 		It("modifies quarks secret and the secret is updated", func() {
-			err := env.WaitForQuarksSecretChange(env.Namespace, qsecName, func(qs qsv1a1.QuarksSecret) bool {
-				return notGenerated(qs.Status)
-			})
-			Expect(err).NotTo(HaveOccurred())
-
-			err = env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
+			err := env.WaitForSecretChange(env.Namespace, qsec.Spec.SecretName, func(s corev1.Secret) bool {
 				return !bytes.Equal(oldSecret.Data["password"], s.Data["password"]) &&
 					bytes.Equal(oldSecret.Data["username"], s.Data["username"])
 			})

integration/quarks_secret_test.go

@@ -4,11 +4,6 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"code.cloudfoundry.org/quarks-secret/pkg/credsgen"
-	inmemorygenerator "code.cloudfoundry.org/quarks-secret/pkg/credsgen/in_memory_generator"
 	qsv1a1 "code.cloudfoundry.org/quarks-secret/pkg/kube/apis/quarkssecret/v1alpha1"
 	"code.cloudfoundry.org/quarks-utils/testing/machine"
 )
@@ -96,28 +91,11 @@ var _ = Describe("QuarksSecret", func() {
 
 	When("quarks secret is a certificate", func() {
 		BeforeEach(func() {
-			qs = env.CertificateQuarksSecret(qsName, "mysecret", "ca", "key")
+			qs = env.CertificateQuarksSecret(qsName, "my-ca", "ca", "key")
 			secretName = qs.Spec.SecretName
 
 			By("creating the CA and storing it in a secret")
-			generator := inmemorygenerator.NewInMemoryGenerator(env.Log)
-			ca, err := generator.GenerateCertificate("default-ca", credsgen.CertificateGenerationRequest{
-				CommonName: "Fake CA",
-				IsCA:       true,
-			})
-			Expect(err).ToNot(HaveOccurred())
-
-			casecret := corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "mysecret",
-					Namespace: env.Namespace,
-				},
-				Data: map[string][]byte{
-					"ca":  ca.Certificate,
-					"key": ca.PrivateKey,
-				},
-			}
-			tearDown, err := env.CreateSecret(env.Namespace, casecret)
+			tearDown, err := env.CreateCASecret(env.Log, env.Namespace, "my-ca")
 			Expect(err).NotTo(HaveOccurred())
 			tearDowns = append(tearDowns, tearDown)
 		})

testing/catalog.go

@@ -25,6 +25,28 @@ func (c *Catalog) DefaultQuarksSecret(name string) qsv1a1.QuarksSecret {
 	}
 }
 
+// CACertificateQuarksSecret for use in tests, creates a CA certificate
+func (c *Catalog) CACertificateQuarksSecret(name string, secretref string, cacertref string, keyref string) qsv1a1.QuarksSecret {
+	return qsv1a1.QuarksSecret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: qsv1a1.QuarksSecretSpec{
+			SecretName: "generated-cert-secret",
+			Type:       "certificate",
+			Request: qsv1a1.Request{
+				CertificateRequest: qsv1a1.CertificateRequest{
+					IsCA:             true,
+					CommonName:       "example.com",
+					CARef:            qsv1a1.SecretReference{Name: secretref, Key: cacertref},
+					CAKeyRef:         qsv1a1.SecretReference{Name: secretref, Key: keyref},
+					AlternativeNames: []string{"qux.com"},
+				},
+			},
+		},
+	}
+}
+
 // CertificateQuarksSecret for use in tests, creates a certificate
 func (c *Catalog) CertificateQuarksSecret(name string, secretref string, cacertref string, keyref string) qsv1a1.QuarksSecret {
 	return qsv1a1.QuarksSecret{