mirror of
https://github.com/vmware-tanzu/velero.git
synced 2026-01-07 05:46:37 +00:00
f4233c0f9f
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> feat: Add CA cert fallback when caCertFile fails in download requests - Fallback to BSL cert when caCertFile cannot be opened - Combine certificate handling blocks to reuse CA pool initialization - Add comprehensive unit tests for fallback behavior This improves robustness by allowing downloads to proceed with BSL CA cert when the provided CA cert file is unavailable or unreadable. 🤖 Generated with [Claude Code](https://claude.ai/code) Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> Co-Authored-By: Claude <noreply@anthropic.com>
378 lines
12 KiB
Go
378 lines
12 KiB
Go
/*
|
|
Copyright The Velero Contributors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package backup
|
|
|
|
import (
|
|
"bytes"
|
|
"compress/gzip"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"strconv"
|
|
"testing"
|
|
"time"
|
|
|
|
flag "github.com/spf13/pflag"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
kbclient "sigs.k8s.io/controller-runtime/pkg/client"
|
|
|
|
velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
|
|
"github.com/vmware-tanzu/velero/pkg/builder"
|
|
factorymocks "github.com/vmware-tanzu/velero/pkg/client/mocks"
|
|
cmdtest "github.com/vmware-tanzu/velero/pkg/cmd/test"
|
|
"github.com/vmware-tanzu/velero/pkg/cmd/util/cacert"
|
|
velerotest "github.com/vmware-tanzu/velero/pkg/test"
|
|
)
|
|
|
|
func TestNewLogsCommand(t *testing.T) {
|
|
t.Run("Flag test", func(t *testing.T) {
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
|
|
timeout := "1m0s"
|
|
insecureSkipTLSVerify := "true"
|
|
caCertFile := "testing"
|
|
|
|
flags.Parse([]string{"--timeout", timeout})
|
|
flags.Parse([]string{"--insecure-skip-tls-verify", insecureSkipTLSVerify})
|
|
flags.Parse([]string{"--cacert", caCertFile})
|
|
|
|
require.Equal(t, timeout, l.Timeout.String())
|
|
require.Equal(t, insecureSkipTLSVerify, strconv.FormatBool(l.InsecureSkipTLSVerify))
|
|
require.Equal(t, caCertFile, l.CaCertFile)
|
|
})
|
|
|
|
t.Run("Backup not complete test", func(t *testing.T) {
|
|
backupName := "bk-logs-1"
|
|
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
backup := builder.ForBackup(cmdtest.VeleroNameSpace, backupName).Result()
|
|
err := kbClient.Create(t.Context(), backup, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
f.On("KubebuilderClient").Return(kbClient, nil)
|
|
|
|
c := NewLogsCommand(f)
|
|
assert.Equal(t, "Get backup logs", c.Short)
|
|
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
err = l.Complete([]string{backupName}, f)
|
|
require.NoError(t, err)
|
|
|
|
err = l.Run(c, f)
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, fmt.Sprintf("logs for backup \"%s\" are not available until it's finished processing", backupName))
|
|
})
|
|
|
|
t.Run("Backup not exist test", func(t *testing.T) {
|
|
backupName := "not-exist"
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
f.On("KubebuilderClient").Return(kbClient, nil)
|
|
|
|
c := NewLogsCommand(f)
|
|
assert.Equal(t, "Get backup logs", c.Short)
|
|
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
err := l.Complete([]string{backupName}, f)
|
|
require.NoError(t, err)
|
|
|
|
err = l.Run(c, f)
|
|
require.Error(t, err)
|
|
|
|
require.Equal(t, fmt.Sprintf("backup \"%s\" does not exist", backupName), err.Error())
|
|
|
|
c.Execute()
|
|
})
|
|
|
|
t.Run("Normal backup log test", func(t *testing.T) {
|
|
backupName := "bk-logs-1"
|
|
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
backup := builder.ForBackup(cmdtest.VeleroNameSpace, backupName).Phase(velerov1api.BackupPhaseCompleted).Result()
|
|
err := kbClient.Create(t.Context(), backup, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
f.On("KubebuilderClient").Return(kbClient, nil)
|
|
|
|
c := NewLogsCommand(f)
|
|
assert.Equal(t, "Get backup logs", c.Short)
|
|
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
err = l.Complete([]string{backupName}, f)
|
|
require.NoError(t, err)
|
|
|
|
timeout := time.After(3 * time.Second)
|
|
done := make(chan bool)
|
|
go func() {
|
|
err = l.Run(c, f)
|
|
require.Error(t, err)
|
|
}()
|
|
|
|
select {
|
|
case <-timeout:
|
|
t.Skip("Test didn't finish in time, because BSL is not in Available state.")
|
|
case <-done:
|
|
}
|
|
})
|
|
|
|
t.Run("Invalid client test", func(t *testing.T) {
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
|
|
c := NewLogsCommand(f)
|
|
assert.Equal(t, "Get backup logs", c.Short)
|
|
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
|
|
f.On("KubebuilderClient").Return(kbClient, fmt.Errorf("test error"))
|
|
err := l.Complete([]string{""}, f)
|
|
require.Equal(t, "test error", err.Error())
|
|
})
|
|
|
|
t.Run("Backup with BSL cacert test", func(t *testing.T) {
|
|
backupName := "bk-logs-with-cacert"
|
|
bslName := "test-bsl"
|
|
expectedCACert := "test-cacert-content"
|
|
expectedLogContent := "test backup log content"
|
|
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
|
|
// Create BSL with cacert
|
|
bsl := builder.ForBackupStorageLocation(cmdtest.VeleroNameSpace, bslName).
|
|
Provider("aws").
|
|
Bucket("test-bucket").
|
|
CACert([]byte(expectedCACert)).
|
|
Result()
|
|
err := kbClient.Create(t.Context(), bsl, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
// Create backup referencing the BSL
|
|
backup := builder.ForBackup(cmdtest.VeleroNameSpace, backupName).
|
|
Phase(velerov1api.BackupPhaseCompleted).
|
|
StorageLocation(bslName).
|
|
Result()
|
|
err = kbClient.Create(t.Context(), backup, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
f.On("KubebuilderClient").Return(kbClient, nil)
|
|
|
|
c := NewLogsCommand(f)
|
|
assert.Equal(t, "Get backup logs", c.Short)
|
|
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
err = l.Complete([]string{backupName}, f)
|
|
require.NoError(t, err)
|
|
|
|
// Verify that the BSL cacert can be fetched correctly before running the command
|
|
fetchedBackup := &velerov1api.Backup{}
|
|
err = kbClient.Get(t.Context(), kbclient.ObjectKey{Namespace: cmdtest.VeleroNameSpace, Name: backupName}, fetchedBackup)
|
|
require.NoError(t, err)
|
|
|
|
// Test the cacert fetching logic directly
|
|
cacertValue, err := cacert.GetCACertFromBackup(t.Context(), kbClient, cmdtest.VeleroNameSpace, fetchedBackup)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, expectedCACert, cacertValue, "BSL cacert should be retrieved correctly")
|
|
|
|
// Create a mock HTTP server to serve the log content
|
|
mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// For logs, we need to gzip the content
|
|
gzipWriter := gzip.NewWriter(w)
|
|
defer gzipWriter.Close()
|
|
gzipWriter.Write([]byte(expectedLogContent))
|
|
}))
|
|
defer mockServer.Close()
|
|
|
|
// Mock the download request controller by updating DownloadRequests
|
|
go func() {
|
|
time.Sleep(50 * time.Millisecond) // Wait a bit for the request to be created
|
|
|
|
// List all DownloadRequests
|
|
downloadRequestList := &velerov1api.DownloadRequestList{}
|
|
if err := kbClient.List(t.Context(), downloadRequestList, &kbclient.ListOptions{
|
|
Namespace: cmdtest.VeleroNameSpace,
|
|
}); err == nil {
|
|
// Update each download request with the mock server URL
|
|
for _, dr := range downloadRequestList.Items {
|
|
if dr.Spec.Target.Kind == velerov1api.DownloadTargetKindBackupLog &&
|
|
dr.Spec.Target.Name == backupName {
|
|
dr.Status.DownloadURL = mockServer.URL
|
|
dr.Status.Phase = velerov1api.DownloadRequestPhaseProcessed
|
|
kbClient.Update(t.Context(), &dr)
|
|
}
|
|
}
|
|
}
|
|
}()
|
|
|
|
// Capture the output
|
|
var logOutput bytes.Buffer
|
|
// Temporarily redirect stdout
|
|
oldStdout := os.Stdout
|
|
r, w, _ := os.Pipe()
|
|
os.Stdout = w
|
|
|
|
// Run the logs command - it should now succeed
|
|
l.Timeout = 5 * time.Second
|
|
err = l.Run(c, f)
|
|
|
|
// Restore stdout and read the output
|
|
w.Close()
|
|
os.Stdout = oldStdout
|
|
io.Copy(&logOutput, r)
|
|
|
|
// Verify the command succeeded and output is correct
|
|
require.NoError(t, err)
|
|
assert.Equal(t, expectedLogContent, logOutput.String())
|
|
})
|
|
}
|
|
|
|
func TestBSLCACertBehavior(t *testing.T) {
|
|
t.Run("Backup with BSL without cacert test", func(t *testing.T) {
|
|
backupName := "bk-logs-without-cacert"
|
|
bslName := "test-bsl-no-cacert"
|
|
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
|
|
// Create BSL without cacert
|
|
bsl := builder.ForBackupStorageLocation(cmdtest.VeleroNameSpace, bslName).
|
|
Provider("aws").
|
|
Bucket("test-bucket").
|
|
// No CACert() call - BSL will have no cacert
|
|
Result()
|
|
err := kbClient.Create(t.Context(), bsl, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
// Create backup referencing the BSL
|
|
backup := builder.ForBackup(cmdtest.VeleroNameSpace, backupName).
|
|
Phase(velerov1api.BackupPhaseCompleted).
|
|
StorageLocation(bslName).
|
|
Result()
|
|
err = kbClient.Create(t.Context(), backup, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
f.On("KubebuilderClient").Return(kbClient, nil)
|
|
|
|
c := NewLogsCommand(f)
|
|
assert.Equal(t, "Get backup logs", c.Short)
|
|
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
err = l.Complete([]string{backupName}, f)
|
|
require.NoError(t, err)
|
|
|
|
// Verify that the BSL cacert returns empty string when not present
|
|
fetchedBackup := &velerov1api.Backup{}
|
|
err = kbClient.Get(t.Context(), kbclient.ObjectKey{Namespace: cmdtest.VeleroNameSpace, Name: backupName}, fetchedBackup)
|
|
require.NoError(t, err)
|
|
|
|
// Test the cacert fetching logic directly
|
|
cacertValue, err := cacert.GetCACertFromBackup(t.Context(), kbClient, cmdtest.VeleroNameSpace, fetchedBackup)
|
|
require.NoError(t, err)
|
|
assert.Empty(t, cacertValue, "BSL cacert should be empty when not configured")
|
|
|
|
// The command should still work without cacert
|
|
l.Timeout = 100 * time.Millisecond
|
|
err = l.Run(c, f)
|
|
require.Error(t, err)
|
|
// The error should be about download request timeout, not about cacert fetching
|
|
assert.Contains(t, err.Error(), "download")
|
|
})
|
|
|
|
t.Run("Backup with nonexistent BSL test", func(t *testing.T) {
|
|
backupName := "bk-logs-with-missing-bsl"
|
|
bslName := "nonexistent-bsl"
|
|
|
|
// create a factory
|
|
f := &factorymocks.Factory{}
|
|
|
|
kbClient := velerotest.NewFakeControllerRuntimeClient(t)
|
|
|
|
// Create backup referencing a BSL that doesn't exist
|
|
backup := builder.ForBackup(cmdtest.VeleroNameSpace, backupName).
|
|
Phase(velerov1api.BackupPhaseCompleted).
|
|
StorageLocation(bslName).
|
|
Result()
|
|
err := kbClient.Create(t.Context(), backup, &kbclient.CreateOptions{})
|
|
require.NoError(t, err)
|
|
|
|
f.On("Namespace").Return(cmdtest.VeleroNameSpace)
|
|
f.On("KubebuilderClient").Return(kbClient, nil)
|
|
|
|
c := NewLogsCommand(f)
|
|
l := NewLogsOptions()
|
|
flags := new(flag.FlagSet)
|
|
l.BindFlags(flags)
|
|
err = l.Complete([]string{backupName}, f)
|
|
require.NoError(t, err)
|
|
|
|
// Verify that the BSL cacert returns empty string when BSL doesn't exist
|
|
fetchedBackup := &velerov1api.Backup{}
|
|
err = kbClient.Get(t.Context(), kbclient.ObjectKey{Namespace: cmdtest.VeleroNameSpace, Name: backupName}, fetchedBackup)
|
|
require.NoError(t, err)
|
|
|
|
// Test the cacert fetching logic directly - should not error when BSL is missing
|
|
cacertValue, err := cacert.GetCACertFromBackup(t.Context(), kbClient, cmdtest.VeleroNameSpace, fetchedBackup)
|
|
require.NoError(t, err)
|
|
assert.Empty(t, cacertValue, "BSL cacert should be empty when BSL doesn't exist")
|
|
|
|
// The command should still try to run even without BSL
|
|
l.Timeout = 100 * time.Millisecond
|
|
err = l.Run(c, f)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "download")
|
|
})
|
|
}
|