Skip to content

Commit

Permalink
Merge pull request #373 from harshad16/RHOAIENG-7327
Browse files Browse the repository at this point in the history
RHOAIENG-7327: Set certs on both creation and update of notebooks
  • Loading branch information
openshift-merge-bot[bot] authored Aug 26, 2024
2 parents 2aebc76 + 35263e2 commit 5d51c2b
Show file tree
Hide file tree
Showing 2 changed files with 114 additions and 43 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -159,31 +159,35 @@ var _ = Describe("The Openshift Notebook controller", func() {
}, duration, interval).Should(HaveOccurred())
})

It("Should mount a trusted-ca if exists on the given namespace", func() {
})

// New test case for notebook creation
When("Creating a Notebook, test certificate is mounted", func() {
const (
Name = "test-notebook"
Namespace = "default"
)

It("Should mount a trusted-ca when it exists on the given namespace", func() {
ctx := context.Background()
logger := logr.Discard()

By("By simulating the existence of odh-trusted-ca-bundle ConfigMap")
// Create a ConfigMap similar to odh-trusted-ca-bundle for simulation
workbenchTrustedCACertBundle := "workbench-trusted-ca-bundle"
trustedCACertBundle := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "odh-trusted-ca-bundle",
Namespace: "default",
Labels: map[string]string{
"config.openshift.io/inject-trusted-cabundle": "true",
},
trustedCACertBundle := createOAuthConfigmap(
"odh-trusted-ca-bundle",
"default",
map[string]string{
"config.openshift.io/inject-trusted-cabundle": "true",
},
Data: map[string]string{
"ca-bundle.crt": "-----BEGIN CERTIFICATE-----\n<base64-encoded-cert-data>\n-----END CERTIFICATE-----",
"odh-ca-bundle.crt": "-----BEGIN CERTIFICATE-----\n<base64-encoded-cert-data>\n-----END CERTIFICATE-----",
},
}
map[string]string{
"ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW1KyLa2tJElMzrdfkviT8tQp21KW8EA==\n-----END CERTIFICATE-----",
"odh-ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW1KyLa2tJElMzrdfkviT8tQp21KW8EA==\n-----END CERTIFICATE-----",
})

// Create the ConfigMap
if err := cli.Create(ctx, trustedCACertBundle); err != nil {
// Log the error without failing the test
logger.Info("Error occurred during creation of ConfigMap: %v", err)
}
Expect(cli.Create(ctx, trustedCACertBundle)).Should(Succeed())
defer func() {
// Clean up the ConfigMap after the test
if err := cli.Delete(ctx, trustedCACertBundle); err != nil {
Expand All @@ -192,14 +196,12 @@ var _ = Describe("The Openshift Notebook controller", func() {
}
}()

By("By checking and mounting the trusted-ca bundle")
// Invoke the function to mount the CA certificate bundle
err := CheckAndMountCACertBundle(ctx, cli, notebook, logger)
if err != nil {
// Log the error without failing the test
logger.Info("Error occurred during mounting CA certificate bundle: %v", err)
}
By("By creating a new Notebook")
notebook := createNotebook(Name, Namespace)
Expect(cli.Create(ctx, notebook)).Should(Succeed())
time.Sleep(interval)

By("By checking that trusted-ca bundle is mounted")
// Assert that the volume mount and volume are added correctly
volumeMountPath := "/etc/pki/tls/custom-certs/ca-bundle.crt"
expectedVolumeMount := corev1.VolumeMount{
Expand All @@ -208,13 +210,8 @@ var _ = Describe("The Openshift Notebook controller", func() {
SubPath: "ca-bundle.crt",
ReadOnly: true,
}
if len(notebook.Spec.Template.Spec.Containers[0].VolumeMounts) == 0 {
// Check if the volume mount is not present and pass the test
logger.Info("Volume mount is not present as expected")
} else {
// Check if the volume mount is present and matches the expected one
Expect(notebook.Spec.Template.Spec.Containers[0].VolumeMounts).To(ContainElement(expectedVolumeMount))
}
// Check if the volume mount is present and matches the expected one
Expect(notebook.Spec.Template.Spec.Containers[0].VolumeMounts).To(ContainElement(expectedVolumeMount))

expectedVolume := corev1.Volume{
Name: "trusted-ca",
Expand All @@ -231,13 +228,8 @@ var _ = Describe("The Openshift Notebook controller", func() {
},
},
}
if len(notebook.Spec.Template.Spec.Volumes) == 0 {
// Check if the volume is not present and pass the test
logger.Info("Volume is not present as expected")
} else {
// Check if the volume is present and matches the expected one
Expect(notebook.Spec.Template.Spec.Volumes).To(ContainElement(expectedVolume))
}
// Check if the volume is present and matches the expected one
Expect(notebook.Spec.Template.Spec.Volumes).To(ContainElement(expectedVolume))
})

})
Expand Down Expand Up @@ -273,6 +265,71 @@ var _ = Describe("The Openshift Notebook controller", func() {
return notebook.Spec.Template.Spec.Containers[0].Image
}, duration, interval).Should(Equal(updatedImage))
})

It("When notebook CR is updated, should mount a trusted-ca if it exists on the given namespace", func() {
ctx := context.Background()
logger := logr.Discard()

By("By simulating the existence of odh-trusted-ca-bundle ConfigMap")
// Create a ConfigMap similar to odh-trusted-ca-bundle for simulation
workbenchTrustedCACertBundle := "workbench-trusted-ca-bundle"
trustedCACertBundle := createOAuthConfigmap(
"odh-trusted-ca-bundle",
"default",
map[string]string{
"config.openshift.io/inject-trusted-cabundle": "true",
},
map[string]string{
"ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW1KyLa2tJElMzrdfkviT8tQp21KW8EA==\n-----END CERTIFICATE-----",
"odh-ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nMIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3QgQ0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83BkM6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WBMAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlwCkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW1KyLa2tJElMzrdfkviT8tQp21KW8EA==\n-----END CERTIFICATE-----",
})
// Create the ConfigMap
Expect(cli.Create(ctx, trustedCACertBundle)).Should(Succeed())
defer func() {
// Clean up the ConfigMap after the test
if err := cli.Delete(ctx, trustedCACertBundle); err != nil {
// Log the error without failing the test
logger.Info("Error occurred during deletion of ConfigMap: %v", err)
}
}()

By("By updating the Notebook's image")
key := types.NamespacedName{Name: Name, Namespace: Namespace}
Expect(cli.Get(ctx, key, notebook)).Should(Succeed())

updatedImage := "registry.redhat.io/ubi8/ubi:updated"
notebook.Spec.Template.Spec.Containers[0].Image = updatedImage
Expect(cli.Update(ctx, notebook)).Should(Succeed())
time.Sleep(interval)

By("By checking that trusted-ca bundle is mounted")
// Assert that the volume mount and volume are added correctly
volumeMountPath := "/etc/pki/tls/custom-certs/ca-bundle.crt"
expectedVolumeMount := corev1.VolumeMount{
Name: "trusted-ca",
MountPath: volumeMountPath,
SubPath: "ca-bundle.crt",
ReadOnly: true,
}
Expect(notebook.Spec.Template.Spec.Containers[0].VolumeMounts).To(ContainElement(expectedVolumeMount))

expectedVolume := corev1.Volume{
Name: "trusted-ca",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{Name: workbenchTrustedCACertBundle},
Optional: pointer.Bool(true),
Items: []corev1.KeyToPath{
{
Key: "ca-bundle.crt",
Path: "ca-bundle.crt",
},
},
},
},
}
Expect(notebook.Spec.Template.Spec.Volumes).To(ContainElement(expectedVolume))
})
})

When("Creating a Notebook, test Networkpolicies", func() {
Expand Down Expand Up @@ -969,3 +1026,16 @@ func createOAuthNetworkPolicy(name, namespace string, npProtocol corev1.Protocol
},
}
}

// createOAuthConfigmap creates a ConfigMap
// this function can be used to create any kinda of ConfigMap
func createOAuthConfigmap(name, namespace string, label map[string]string, configMapData map[string]string) *corev1.ConfigMap {
return &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Labels: label,
},
Data: configMapData,
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -247,11 +247,6 @@ func (w *NotebookWebhook) Handle(ctx context.Context, req admission.Request) adm
return admission.Errored(http.StatusInternalServerError, err)
}

// Only Mount ca bundle on new notebook creation
err = CheckAndMountCACertBundle(ctx, w.Client, notebook, log)
if err != nil {
return admission.Errored(http.StatusInternalServerError, err)
}
}

// Check Imagestream Info both on create and update operations
Expand All @@ -261,6 +256,12 @@ func (w *NotebookWebhook) Handle(ctx context.Context, req admission.Request) adm
if err != nil {
return admission.Errored(http.StatusInternalServerError, err)
}

// Mount ca bundle on notebook creation and update
err = CheckAndMountCACertBundle(ctx, w.Client, notebook, log)
if err != nil {
return admission.Errored(http.StatusInternalServerError, err)
}
}

// Inject the OAuth proxy if the annotation is present but only if Service Mesh is disabled
Expand Down

0 comments on commit 5d51c2b

Please sign in to comment.