change WebhookAuthenticator TLSConnectionNegotiationValid to ConnectionProbeValid

2025-12-23 06:15:47 +00:00 · 2024-03-19 18:00:40 -04:00
parent 5bc4e678bf
commit bec5fe85cc
3 changed files with 44 additions and 44 deletions
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -39,24 +39,24 @@ import (
 )

 const (
-	controllerName                    = "webhookcachefiller-controller"
-	typeReady                         = "Ready"
-	typeTLSConfigurationValid         = "TLSConfigurationValid"
-	typeTLSConnectionNegotiationValid = "TLSConnectionNegotiationValid"
-	typeEndpointURLValid              = "EndpointURLValid"
-	typeAuthenticatorValid            = "AuthenticatorValid"
-	reasonSuccess                     = "Success"
-	reasonNotReady                    = "NotReady"
-	reasonUnableToValidate            = "UnableToValidate"
-	reasonUnableToCreateTempFile      = "UnableToCreateTempFile"
-	reasonUnableToMarshallKubeconfig  = "UnableToMarshallKubeconfig"
-	reasonUnableToLoadKubeconfig      = "UnableToLoadKubeconfig"
-	reasonUnableToInstantiateWebhook  = "UnableToInstantiateWebhook"
-	reasonInvalidTLSConfiguration     = "InvalidTLSConfiguration"
-	reasonInvalidEndpointURL          = "InvalidEndpointURL"
-	reasonInvalidEndpointURLScheme    = "InvalidEndpointURLScheme"
-	reasonUnableToDialServer          = "UnableToDialServer"
-	msgUnableToValidate               = "unable to validate; see other conditions for details"
+	controllerName                   = "webhookcachefiller-controller"
+	typeReady                        = "Ready"
+	typeTLSConfigurationValid        = "TLSConfigurationValid"
+	typeConnectionProbeValid         = "ConnectionProbeValid"
+	typeEndpointURLValid             = "EndpointURLValid"
+	typeAuthenticatorValid           = "AuthenticatorValid"
+	reasonSuccess                    = "Success"
+	reasonNotReady                   = "NotReady"
+	reasonUnableToValidate           = "UnableToValidate"
+	reasonUnableToCreateTempFile     = "UnableToCreateTempFile"
+	reasonUnableToMarshallKubeconfig = "UnableToMarshallKubeconfig"
+	reasonUnableToLoadKubeconfig     = "UnableToLoadKubeconfig"
+	reasonUnableToInstantiateWebhook = "UnableToInstantiateWebhook"
+	reasonInvalidTLSConfiguration    = "InvalidTLSConfiguration"
+	reasonInvalidEndpointURL         = "InvalidEndpointURL"
+	reasonInvalidEndpointURLScheme   = "InvalidEndpointURLScheme"
+	reasonUnableToDialServer         = "UnableToDialServer"
+	msgUnableToValidate              = "unable to validate; see other conditions for details"
 )

 // New instantiates a new controllerlib.Controller which will populate the provided authncache.Cache.
@@ -274,7 +274,7 @@ func newWebhookAuthenticator(
 func (c *webhookCacheFillerController) validateTLSNegotiation(certPool *x509.CertPool, endpointURL *url.URL, conditions []*metav1.Condition, prereqOk bool) ([]*metav1.Condition, error) {
 	if !prereqOk {
 		conditions = append(conditions, &metav1.Condition{
-			Type:    typeTLSConnectionNegotiationValid,
+			Type:    typeConnectionProbeValid,
 			Status:  metav1.ConditionUnknown,
 			Reason:  reasonUnableToValidate,
 			Message: msgUnableToValidate,
@@ -300,7 +300,7 @@ func (c *webhookCacheFillerController) validateTLSNegotiation(certPool *x509.Cer
 		errText := "cannot dial server"
 		msg := fmt.Sprintf("%s: %s", errText, dialErr.Error())
 		conditions = append(conditions, &metav1.Condition{
-			Type:    typeTLSConnectionNegotiationValid,
+			Type:    typeConnectionProbeValid,
 			Status:  metav1.ConditionFalse,
 			Reason:  reasonUnableToDialServer,
 			Message: msg,
@@ -315,7 +315,7 @@ func (c *webhookCacheFillerController) validateTLSNegotiation(certPool *x509.Cer
 	}

 	conditions = append(conditions, &metav1.Condition{
-		Type:    typeTLSConnectionNegotiationValid,
+		Type:    typeConnectionProbeValid,
 		Status:  metav1.ConditionTrue,
 		Reason:  reasonSuccess,
 		Message: "tls verified",
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -267,9 +267,9 @@ func TestController(t *testing.T) {
 		}
 	}

-	happyTLSConnectionNegotiationValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+	happyConnectionProbeValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 		return metav1.Condition{
-			Type:               "TLSConnectionNegotiationValid",
+			Type:               "ConnectionProbeValid",
 			Status:             "True",
 			ObservedGeneration: observedGeneration,
 			LastTransitionTime: time,
@@ -277,9 +277,9 @@ func TestController(t *testing.T) {
 			Message:            "tls verified",
 		}
 	}
-	unknownTLSConnectionNegotiationValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+	unknownConnectionProbeValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 		return metav1.Condition{
-			Type:               "TLSConnectionNegotiationValid",
+			Type:               "ConnectionProbeValid",
 			Status:             "Unknown",
 			ObservedGeneration: observedGeneration,
 			LastTransitionTime: time,
@@ -287,9 +287,9 @@ func TestController(t *testing.T) {
 			Message:            "unable to validate; see other conditions for details",
 		}
 	}
-	sadTLSConnectionNegotiationValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+	sadConnectionProbeValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 		return metav1.Condition{
-			Type:               "TLSConnectionNegotiationValid",
+			Type:               "ConnectionProbeValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
 			LastTransitionTime: time,
@@ -297,9 +297,9 @@ func TestController(t *testing.T) {
 			Message:            "cannot dial server: tls: failed to verify certificate: x509: certificate signed by unknown authority",
 		}
 	}
-	sadTLSConnectionNegotiationNoIPSANs := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+	sadConnectionProbeValidNoIPSANs := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 		return metav1.Condition{
-			Type:               "TLSConnectionNegotiationValid",
+			Type:               "ConnectionProbeValid",
 			Status:             "False",
 			ObservedGeneration: observedGeneration,
 			LastTransitionTime: time,
@@ -343,7 +343,7 @@ func TestController(t *testing.T) {
 		return conditionstestutil.SortByType([]metav1.Condition{
 			happyTLSConfigurationValidCAParsed(someTime, observedGeneration),
 			happyEndpointURLValid(someTime, observedGeneration),
-			happyTLSConnectionNegotiationValid(someTime, observedGeneration),
+			happyConnectionProbeValid(someTime, observedGeneration),
 			happyAuthenticatorValid(someTime, observedGeneration),
 			happyReadyCondition(someTime, observedGeneration),
 		})
@@ -547,7 +547,7 @@ func TestController(t *testing.T) {
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
 								happyTLSConfigurationValidNoCA(frozenMetav1Now, 0),
-								sadTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+								sadConnectionProbeValid(frozenMetav1Now, 0),
 								sadReadyCondition(frozenMetav1Now, 0),
 								unknownAuthenticatorValid(frozenMetav1Now, 0),
 							},
@@ -587,7 +587,7 @@ func TestController(t *testing.T) {
 							allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 							[]metav1.Condition{
 								sadTLSConfigurationValid(frozenMetav1Now, 0),
-								unknownTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+								unknownConnectionProbeValid(frozenMetav1Now, 0),
 								unknownAuthenticatorValid(frozenMetav1Now, 0),
 								sadReadyCondition(frozenMetav1Now, 0),
 							},
@@ -631,7 +631,7 @@ func TestController(t *testing.T) {
 							[]metav1.Condition{
 								happyTLSConfigurationValidNoCA(frozenMetav1Now, 0),
 								sadEndpointURLValid("https://.café   .com/café/café/café/coffee", frozenMetav1Now, 0),
-								unknownTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+								unknownConnectionProbeValid(frozenMetav1Now, 0),
 								unknownAuthenticatorValid(frozenMetav1Now, 0),
 								sadReadyCondition(frozenMetav1Now, 0),
 							},
@@ -674,7 +674,7 @@ func TestController(t *testing.T) {
 							[]metav1.Condition{
 								happyTLSConfigurationValidNoCA(frozenMetav1Now, 0),
 								sadEndpointURLValidHTTPS("http://localhost", frozenMetav1Now, 0),
-								unknownTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+								unknownConnectionProbeValid(frozenMetav1Now, 0),
 								unknownAuthenticatorValid(frozenMetav1Now, 0),
 								sadReadyCondition(frozenMetav1Now, 0),
 							},
@@ -715,7 +715,7 @@ func TestController(t *testing.T) {
 							[]metav1.Condition{
 								unknownAuthenticatorValid(frozenMetav1Now, 0),
 								sadReadyCondition(frozenMetav1Now, 0),
-								sadTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+								sadConnectionProbeValid(frozenMetav1Now, 0),
 							},
 						),
 						Phase: "Error",
@@ -939,7 +939,7 @@ func TestController(t *testing.T) {
 						Conditions: conditionstestutil.Replace(
 							allHappyConditionsSuccess(hostLocalWithExampleDotComCertServer.URL, frozenMetav1Now, 0),
 							[]metav1.Condition{
-								sadTLSConnectionNegotiationNoIPSANs(frozenMetav1Now, 0),
+								sadConnectionProbeValidNoIPSANs(frozenMetav1Now, 0),
 								unknownAuthenticatorValid(frozenMetav1Now, 0),
 								sadReadyCondition(frozenMetav1Now, 0),
 							},
--- a/test/integration/concierge_webhookauthenticator_status_test.go
+++ b/test/integration/concierge_webhookauthenticator_status_test.go
@@ -67,7 +67,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 						Reason:  "InvalidTLSConfiguration",
 						Message: "invalid TLS configuration: illegal base64 data at input byte 7",
 					}, {
-						Type:    "TLSConnectionNegotiationValid",
+						Type:    "ConnectionProbeValid",
 						Status:  "Unknown",
 						Reason:  "UnableToValidate",
 						Message: "unable to validate; see other conditions for details",
@@ -98,7 +98,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 						Reason:  "UnableToValidate",
 						Message: "unable to validate; see other conditions for details",
 					}, {
-						Type:    "TLSConnectionNegotiationValid",
+						Type:    "ConnectionProbeValid",
 						Status:  "False",
 						Reason:  "UnableToDialServer",
 						Message: "cannot dial server: tls: failed to verify certificate: x509: certificate signed by unknown authority",
@@ -130,7 +130,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 						Reason:  "UnableToValidate",
 						Message: "unable to validate; see other conditions for details",
 					}, {
-						Type:    "TLSConnectionNegotiationValid",
+						Type:    "ConnectionProbeValid",
 						Status:  "False",
 						Reason:  "UnableToDialServer",
 						Message: "cannot dial server: dial tcp 127.0.0.1:443: connect: connection refused",
@@ -266,6 +266,11 @@ func allSuccessfulWebhookAuthenticatorConditions() []metav1.Condition {
 		Status:  "True",
 		Reason:  "Success",
 		Message: "authenticator initialized",
+	}, {
+		Type:    "ConnectionProbeValid",
+		Status:  "True",
+		Reason:  "Success",
+		Message: "tls verified",
 	}, {
 		Type:    "EndpointURLValid",
 		Status:  "True",
@@ -281,10 +286,5 @@ func allSuccessfulWebhookAuthenticatorConditions() []metav1.Condition {
 		Status:  "True",
 		Reason:  "Success",
 		Message: "successfully parsed specified CA bundle",
-	}, {
-		Type:    "TLSConnectionNegotiationValid",
-		Status:  "True",
-		Reason:  "Success",
-		Message: "tls verified",
 	}}
 }