From bec5fe85cc985f87bb6bde4b91cd297e55dbc01e Mon Sep 17 00:00:00 2001
From: "Benjamin A. Petersen"
Date: Tue, 19 Mar 2024 18:00:40 -0400
Subject: [PATCH] change WebhookAuthenticator TLSConnectionNegotiationValid to ConnectionProbeValid
---
 .../webhookcachefiller/webhookcachefiller.go | 42 +++++++++----------
 .../webhookcachefiller_test.go | 30 ++++++-------
 ...cierge_webhookauthenticator_status_test.go | 16 +++----
 3 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
index f5f8a3123..b96c0c754 100644
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -39,24 +39,24 @@ import (
 )
 const (
- controllerName = "webhookcachefiller-controller"
- typeReady = "Ready"
- typeTLSConfigurationValid = "TLSConfigurationValid"
- typeTLSConnectionNegotiationValid = "TLSConnectionNegotiationValid"
- typeEndpointURLValid = "EndpointURLValid"
- typeAuthenticatorValid = "AuthenticatorValid"
- reasonSuccess = "Success"
- reasonNotReady = "NotReady"
- reasonUnableToValidate = "UnableToValidate"
- reasonUnableToCreateTempFile = "UnableToCreateTempFile"
- reasonUnableToMarshallKubeconfig = "UnableToMarshallKubeconfig"
- reasonUnableToLoadKubeconfig = "UnableToLoadKubeconfig"
- reasonUnableToInstantiateWebhook = "UnableToInstantiateWebhook"
- reasonInvalidTLSConfiguration = "InvalidTLSConfiguration"
- reasonInvalidEndpointURL = "InvalidEndpointURL"
- reasonInvalidEndpointURLScheme = "InvalidEndpointURLScheme"
- reasonUnableToDialServer = "UnableToDialServer"
- msgUnableToValidate = "unable to validate; see other conditions for details"
+ controllerName = "webhookcachefiller-controller"
+ typeReady = "Ready"
+ typeTLSConfigurationValid = "TLSConfigurationValid"
+ typeConnectionProbeValid = "ConnectionProbeValid"
+ typeEndpointURLValid = "EndpointURLValid"
+ typeAuthenticatorValid = "AuthenticatorValid"
+ reasonSuccess = "Success"
+ reasonNotReady = "NotReady"
+ reasonUnableToValidate = "UnableToValidate"
+ reasonUnableToCreateTempFile = "UnableToCreateTempFile"
+ reasonUnableToMarshallKubeconfig = "UnableToMarshallKubeconfig"
+ reasonUnableToLoadKubeconfig = "UnableToLoadKubeconfig"
+ reasonUnableToInstantiateWebhook = "UnableToInstantiateWebhook"
+ reasonInvalidTLSConfiguration = "InvalidTLSConfiguration"
+ reasonInvalidEndpointURL = "InvalidEndpointURL"
+ reasonInvalidEndpointURLScheme = "InvalidEndpointURLScheme"
+ reasonUnableToDialServer = "UnableToDialServer"
+ msgUnableToValidate = "unable to validate; see other conditions for details"
 )
 // New instantiates a new controllerlib.Controller which will populate the provided
authncache.Cache.
@@ -274,7 +274,7 @@ func newWebhookAuthenticator(
 func (c *webhookCacheFillerController) validateTLSNegotiation(certPool *x509.CertPool, endpointURL *url.URL, conditions []*metav1.Condition, prereqOk bool) ([]*metav1.Condition, error) {
 if !prereqOk {
 conditions = append(conditions, &metav1.Condition{
- Type: typeTLSConnectionNegotiationValid,
+ Type: typeConnectionProbeValid,
 Status: metav1.ConditionUnknown,
 Reason: reasonUnableToValidate,
 Message: msgUnableToValidate,
@@ -300,7 +300,7 @@ func (c *webhookCacheFillerController) validateTLSNegotiation(certPool *x509.Cer
 errText := "cannot dial server"
 msg := fmt.Sprintf("%s: %s", errText, dialErr.Error())
 conditions = append(conditions, &metav1.Condition{
- Type: typeTLSConnectionNegotiationValid,
+ Type: typeConnectionProbeValid,
 Status: metav1.ConditionFalse,
 Reason: reasonUnableToDialServer,
 Message: msg,
@@ -315,7 +315,7 @@ func (c *webhookCacheFillerController) validateTLSNegotiation(certPool *x509.Cer
 }
 conditions = append(conditions, &metav1.Condition{
- Type: typeTLSConnectionNegotiationValid,
+ Type: typeConnectionProbeValid,
 Status: metav1.ConditionTrue,
 Reason: reasonSuccess,
 Message: "tls verified",
diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
index 8aa3a6e55..4d4b4c2a3 100644
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -267,9 +267,9 @@ func TestController(t *testing.T) {
 }
 }
- happyTLSConnectionNegotiationValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+ happyConnectionProbeValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 return metav1.Condition{
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "True",
 ObservedGeneration: observedGeneration,
 LastTransitionTime: time,
@@ -277,9 +277,9 @@ func TestController(t *testing.T) {
 Message: "tls verified",
 }
 }
- unknownTLSConnectionNegotiationValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+ unknownConnectionProbeValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 return metav1.Condition{
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "Unknown",
 ObservedGeneration: observedGeneration,
 LastTransitionTime: time,
@@ -287,9 +287,9 @@ func TestController(t *testing.T) {
 Message: "unable to validate; see other conditions for details",
 }
 }
- sadTLSConnectionNegotiationValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+ sadConnectionProbeValid := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 return metav1.Condition{
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "False",
 ObservedGeneration: observedGeneration,
 LastTransitionTime: time,
@@ -297,9 +297,9 @@ func TestController(t *testing.T) {
 Message: "cannot dial server: tls: failed to verify certificate: x509: certificate signed by unknown authority",
 }
 }
- sadTLSConnectionNegotiationNoIPSANs := func(time metav1.Time, observedGeneration int64) metav1.Condition {
+ sadConnectionProbeValidNoIPSANs := func(time metav1.Time, observedGeneration int64) metav1.Condition {
 return metav1.Condition{
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "False",
 ObservedGeneration: observedGeneration,
 LastTransitionTime: time,
@@ -343,7 +343,7 @@ func TestController(t *testing.T) {
 return conditionstestutil.SortByType([]metav1.Condition{
 happyTLSConfigurationValidCAParsed(someTime, observedGeneration),
 happyEndpointURLValid(someTime, observedGeneration),
- happyTLSConnectionNegotiationValid(someTime, observedGeneration),
+ happyConnectionProbeValid(someTime, observedGeneration),
 happyAuthenticatorValid(someTime, observedGeneration),
 happyReadyCondition(someTime, observedGeneration),
 })
@@ -547,7 +547,7 @@ func TestController(t *testing.T) {
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
 happyTLSConfigurationValidNoCA(frozenMetav1Now, 0),
- sadTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+ sadConnectionProbeValid(frozenMetav1Now, 0),
 sadReadyCondition(frozenMetav1Now, 0),
 unknownAuthenticatorValid(frozenMetav1Now, 0),
 },
@@ -587,7 +587,7 @@ func TestController(t *testing.T) {
 allHappyConditionsSuccess(goodWebhookDefaultServingCertEndpoint, frozenMetav1Now, 0),
 []metav1.Condition{
 sadTLSConfigurationValid(frozenMetav1Now, 0),
- unknownTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+ unknownConnectionProbeValid(frozenMetav1Now, 0),
 unknownAuthenticatorValid(frozenMetav1Now, 0),
 sadReadyCondition(frozenMetav1Now, 0),
 },
@@ -631,7 +631,7 @@ func TestController(t *testing.T) {
 []metav1.Condition{
 happyTLSConfigurationValidNoCA(frozenMetav1Now, 0),
 sadEndpointURLValid("https://.café .com/café/café/café/coffee", frozenMetav1Now, 0),
- unknownTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+ unknownConnectionProbeValid(frozenMetav1Now, 0),
 unknownAuthenticatorValid(frozenMetav1Now, 0),
 sadReadyCondition(frozenMetav1Now, 0),
 },
@@ -674,7 +674,7 @@ func TestController(t *testing.T) {
 []metav1.Condition{
 happyTLSConfigurationValidNoCA(frozenMetav1Now, 0),
 sadEndpointURLValidHTTPS("http://localhost", frozenMetav1Now, 0),
- unknownTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+ unknownConnectionProbeValid(frozenMetav1Now, 0),
 unknownAuthenticatorValid(frozenMetav1Now, 0),
 sadReadyCondition(frozenMetav1Now, 0),
 },
@@ -715,7 +715,7 @@ func TestController(t *testing.T) {
 []metav1.Condition{
 unknownAuthenticatorValid(frozenMetav1Now, 0),
 sadReadyCondition(frozenMetav1Now, 0),
- sadTLSConnectionNegotiationValid(frozenMetav1Now, 0),
+ sadConnectionProbeValid(frozenMetav1Now, 0),
 },
 ),
 Phase: "Error",
@@ -939,7 +939,7 @@ func TestController(t *testing.T) {
 Conditions: conditionstestutil.Replace(
 allHappyConditionsSuccess(hostLocalWithExampleDotComCertServer.URL, frozenMetav1Now, 0),
 []metav1.Condition{
- sadTLSConnectionNegotiationNoIPSANs(frozenMetav1Now, 0),
+ sadConnectionProbeValidNoIPSANs(frozenMetav1Now, 0),
 unknownAuthenticatorValid(frozenMetav1Now, 0),
 sadReadyCondition(frozenMetav1Now, 0),
 },
diff --git a/test/integration/concierge_webhookauthenticator_status_test.go b/test/integration/concierge_webhookauthenticator_status_test.go
index e5aa0fe7e..fd9893428 100644
--- a/test/integration/concierge_webhookauthenticator_status_test.go
+++ b/test/integration/concierge_webhookauthenticator_status_test.go
@@ -67,7 +67,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 Reason: "InvalidTLSConfiguration",
 Message: "invalid TLS configuration: illegal base64 data at input byte 7",
 }, {
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "Unknown",
 Reason: "UnableToValidate",
 Message: "unable to validate; see other conditions for details",
@@ -98,7 +98,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 Reason: "UnableToValidate",
 Message: "unable to validate; see other conditions for details",
 }, {
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "False",
 Reason: "UnableToDialServer",
 Message: "cannot dial server: tls: failed to verify certificate: x509: certificate signed by unknown authority",
@@ -130,7 +130,7 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
 Reason: "UnableToValidate",
 Message: "unable to validate; see other conditions for details",
 }, {
- Type: "TLSConnectionNegotiationValid",
+ Type: "ConnectionProbeValid",
 Status: "False",
 Reason: "UnableToDialServer",
 Message: "cannot dial server: dial tcp 127.0.0.1:443: connect: connection refused",
@@ -266,6 +266,11 @@ func allSuccessfulWebhookAuthenticatorConditions() []metav1.Condition {
 Status: "True",
 Reason: "Success",
 Message: "authenticator initialized",
+ }, {
+ Type: "ConnectionProbeValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "tls verified",
 }, {
 Type: "EndpointURLValid",
 Status: "True",
@@ -281,10 +286,5 @@ func allSuccessfulWebhookAuthenticatorConditions() []metav1.Condition {
 Status: "True",
 Reason: "Success",
 Message: "successfully parsed specified CA bundle",
- }, {
- Type: "TLSConnectionNegotiationValid",
- Status: "True",
- Reason: "Success",
- Message: "tls verified",
 }}
 }