

[v0.14] backport old certs gc from #591
Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>
chanwit committed May 19, 2023
1 parent ff59627 commit ec0b17e
Showing 4 changed files with 309 additions and 25 deletions.
43 changes: 41 additions & 2 deletions .github/workflows/e2e.yaml
Expand Up @@ -98,7 +98,11 @@ jobs:
make dev-deploy MANAGER_IMG=test/tf-controller RUNNER_IMG=test/tf-runner TAG=$VERSION || true
make dev-deploy MANAGER_IMG=test/tf-controller RUNNER_IMG=test/tf-runner TAG=$VERSION
# All of these old cert would be cleaned up by GC at the start of the test
kubectl -n tf-system apply -f config/testdata/gc-old-certs/test.yaml
# Increase the concurrency of the controller to speed up tests
# --cert-rotation-check-frequency=6m0s, then GC will run every 1 minute
kubectl patch deployment \
tf-controller \
--namespace tf-system \
Expand All @@ -109,6 +113,7 @@ jobs:
"--log-encoding=json",
"--enable-leader-election",
"--concurrent=10",
"--cert-rotation-check-frequency=6m0s",
]}]'
kubectl -n tf-system rollout status deploy/source-controller --timeout=1m
Expand Down Expand Up @@ -192,11 +197,17 @@ jobs:
- name: Set up chaos testing environment
run: |
# TODO we'll test a race condition with replica=3 later
kubectl -n tf-system scale --replicas=1 deploy/tf-controller
kubectl -n tf-system scale --replicas=0 deploy/tf-controller
sleep 3
kubectl -n chaos-testing apply -f ./config/testdata/chaos
kubectl -n chaos-testing apply -f ./config/testdata/source
# Set up namespace-scoped old certs for GC
kubectl -n chaos-testing apply -f ./config/testdata/gc-old-certs/test.yaml
kubectl -n tf-system scale --replicas=1 deploy/tf-controller
sleep 10
- name: Randomly delete runner pods
run: |
Expand All @@ -212,6 +223,34 @@ jobs:
kubectl -n chaos-testing wait terraform/helloworld-chaos03 --for=condition=ready --timeout=30m
kubectl -n chaos-testing wait terraform/helloworld-chaos04 --for=condition=ready --timeout=30m
kubectl -n chaos-testing wait terraform/helloworld-chaos05 --for=condition=ready --timeout=30m
- name: Check that all old certs were GCed
run: |
echo "wait 120 seconds for GC to happen"
sleep 120
(kubectl get secret terraform-runner.tls-0 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-1 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-2 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-3 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-4 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-5 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-6 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-7 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-8 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-9 -n chaos-testing >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-0 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-1 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-2 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-3 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-4 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-5 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-6 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-7 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-8 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
(kubectl get secret terraform-runner.tls-9 -n tf-system >/dev/null 2>&1 && exit 1 || exit 0)
echo "All tests are true, all of the old secrets were GCed."
- name: Logs
run: |
kubectl -n tf-system logs deploy/source-controller
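Review bot: The `Check that all old certs were GCed` step added in the last hunk only asserts that the ten seeded `terraform-runner.tls-N` secrets are gone; nothing asserts that the secret the controller is actually using for runner mTLS survived the GC pass in either namespace, so a collector that removed every labelled secret would still turn this step green. I cannot tell from this page what the live secret is named, so I would add one positive `kubectl get secret <LIVE_RUNNER_TLS_SECRET> -n tf-system` check (placeholder name) next to the negative ones. The twenty near-identical subshell lines are also easier to maintain, and give a useful diagnostic on failure, as a loop that names the secret that is still present. The `sleep 120` is tied to the `--cert-rotation-check-frequency=6m0s` comment in the first hunk ("GC will run every 1 minute"); a short comment restating that link in this step would save the next reader a search.

```yaml
      - name: Check that all old certs were GCed
        run: |
          echo "wait 120 seconds for GC to happen"
          sleep 120
          # every seeded stale secret must have been removed from both namespaces
          for ns in chaos-testing tf-system; do
            for i in {0..9}; do
              if kubectl get secret "terraform-runner.tls-$i" -n "$ns" >/dev/null 2>&1; then
                echo "stale secret terraform-runner.tls-$i still present in namespace $ns" >&2
                exit 1
              fi
            done
          done
          echo "All tests are true, all of the old secrets were GCed."
```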
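--- /dev/null
+++ b/config/testdata/gc-old-certs/test.yaml
@@ -0,0 +1,90 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-0
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-1
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-2
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-3
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-4
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-5
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-6
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-7
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-8
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: terraform-runner.tls-9
+  labels:
+    infra.contrib.fluxcd.io/terraform: "true"
+stringData:
+  dummy: "true"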
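Review bot: The new fixture carries no comment explaining what it is, and the ten Secrets hold only `dummy: "true"` rather than any `tls.crt`/`tls.key` material, so a reader has to find the e2e workflow to learn that these are meant to be stale runner certificates for the collector to delete. A one-line header at the top of the file would fix that: `# Stale terraform-runner.tls-N secrets (no real key material) seeded by the e2e test; the controller's cert GC is expected to delete all of them — see .github/workflows/e2e.yaml`. Because the objects contain no certificate, the collector presumably selects on the name pattern and the `infra.contrib.fluxcd.io/terraform` label rather than on certificate expiry; if that is the intended contract, stating it in the same comment keeps the fixture and the GC logic from drifting apart silently.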
3 changes: 1 addition & 2 deletions mtls/grpc.go
Expand Up @@ -4,12 +4,11 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
"net"

"github.com/weaveworks/tf-controller/runner"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
corev1 "k8s.io/api/core/v1"
"net"
controllerruntime "sigs.k8s.io/controller-runtime"
)


