forked from TrueCloudLab/certificates
351c01cf7e
* Do not allow pods in one namespace to create certificates for hostnames from another namespace. * Make cluster domain configurable, clean up shouldMutate() logic, and make namespace restrictions configurable with restrictCertificatesToNamespace. * Return certificate hostname validation errors in the admission webhook response. * Appease the gometalinter.
75 lines
3.2 KiB
Go
75 lines
3.2 KiB
Go
package main
|
|
|
|
import (
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"testing"
|
|
)
|
|
|
|
func TestGetClusterDomain(t *testing.T) {
|
|
c := Config{}
|
|
if c.GetClusterDomain() != "cluster.local" {
|
|
t.Errorf("cluster domain should default to cluster.local, not: %s", c.GetClusterDomain())
|
|
}
|
|
|
|
c.ClusterDomain = "mydomain.com"
|
|
if c.GetClusterDomain() != "mydomain.com" {
|
|
t.Errorf("cluster domain should default to cluster.local, not: %s", c.GetClusterDomain())
|
|
}
|
|
}
|
|
|
|
func TestShouldMutate(t *testing.T) {
|
|
testCases := []struct {
|
|
description string
|
|
subject string
|
|
namespace string
|
|
expected bool
|
|
}{
|
|
{"full cluster domain", "test.default.svc.cluster.local", "default", true},
|
|
{"full cluster domain wrong ns", "test.default.svc.cluster.local", "kube-system", false},
|
|
{"left dots get stripped", ".test.default.svc.cluster.local", "default", true},
|
|
{"left dots get stripped wrong ns", ".test.default.svc.cluster.local", "kube-system", false},
|
|
{"right dots get stripped", "test.default.svc.cluster.local.", "default", true},
|
|
{"right dots get stripped wrong ns", "test.default.svc.cluster.local.", "kube-system", false},
|
|
{"dots get stripped", ".test.default.svc.cluster.local.", "default", true},
|
|
{"dots get stripped wrong ns", ".test.default.svc.cluster.local.", "kube-system", false},
|
|
{"partial cluster domain", "test.default.svc.cluster", "default", true},
|
|
{"partial cluster domain wrong ns is still allowed because not valid hostname", "test.default.svc.cluster", "kube-system", true},
|
|
{"service domain", "test.default.svc", "default", true},
|
|
{"service domain wrong ns", "test.default.svc", "kube-system", false},
|
|
{"two part domain", "test.default", "default", true},
|
|
{"two part domain different ns", "test.default", "kube-system", true},
|
|
{"one hostname", "test", "default", true},
|
|
{"no subject specified", "", "default", false},
|
|
{"three part not cluster", "test.default.com", "kube-system", true},
|
|
{"four part not cluster", "test.default.svc.com", "kube-system", true},
|
|
{"five part not cluster", "test.default.svc.cluster.com", "kube-system", true},
|
|
{"six part not cluster", "test.default.svc.cluster.local.com", "kube-system", true},
|
|
}
|
|
|
|
for _, testCase := range testCases {
|
|
t.Run(testCase.description, func(t *testing.T) {
|
|
mutationAllowed, validationErr := shouldMutate(&metav1.ObjectMeta{
|
|
Annotations: map[string]string{
|
|
admissionWebhookAnnotationKey: testCase.subject,
|
|
},
|
|
}, testCase.namespace, "cluster.local", true)
|
|
if mutationAllowed != testCase.expected {
|
|
t.Errorf("shouldMutate did not return %t for %s", testCase.expected, testCase.description)
|
|
}
|
|
if testCase.subject != "" && mutationAllowed == false && validationErr == nil {
|
|
t.Errorf("shouldMutate should return validation error for invalid hostname")
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestShouldMutateNotRestrictToNamespace(t *testing.T) {
|
|
mutationAllowed, _ := shouldMutate(&metav1.ObjectMeta{
|
|
Annotations: map[string]string{
|
|
admissionWebhookAnnotationKey: "test.default.svc.cluster.local",
|
|
},
|
|
}, "kube-system", "cluster.local", false)
|
|
if mutationAllowed == false {
|
|
t.Errorf("shouldMutate should return true even with a wrong namespace if restrictToNamespace is false.")
|
|
}
|
|
}
|