Revert "Make bootstrap client cert loading part of rotation"

This reverts commit 0af19875add7deb562b2cf7bf6b1d273c44bab1b. Revert "Ensure the bootstrap rotation code is tested by forcing rotation" This reverts commit de293b2d7ddb687850258370f2a7f30f224f0ec1. Kubernetes-commit: 34642222676640b3c1dd255cc453000f2743ccde
2025-09-20 18:48:02 +00:00 · 2018-11-17 10:24:23 -05:00
parent 4e63d755dc
commit 57b75fe80b
2 changed files with 64 additions and 141 deletions
--- a/util/certificate/certificate_manager_test.go
+++ b/util/certificate/certificate_manager_test.go
@@ -60,23 +60,6 @@ iQIgZX08DA8VfvcA5/Xj1Zjdey9FVY6POLXen6RPiabE97UCICp6eUW7ht+2jjar
 e35EltCRCjoejRHTuN9TC0uCoVipAiAXaJIx/Q47vGwiw6Y8KXsNU6y54gTbOSxX
 54LzHNk/+Q==
 -----END RSA PRIVATE KEY-----`)
-var expiredStoreCertData = newCertificateData(`-----BEGIN CERTIFICATE-----
-MIIBFzCBwgIJALhygXnxXmN1MA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCGhv
-c3QtMTIzMB4XDTE4MTEwNDIzNTc1NFoXDTE4MTEwNTIzNTc1NFowEzERMA8GA1UE
-AwwIaG9zdC0xMjMwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtBMa7NWpv3BVlKTC
-PGO/LEsguKqWHBtKzweMY2CVtAL1rQm913huhxF9w+ai76KQ3MHK5IVnLJjYYA5M
-zP2H5QIDAQABMA0GCSqGSIb3DQEBCwUAA0EAN2DPFUtCzqnidL+5nh+46Sk6dkMI
-T5DD11UuuIjZusKvThsHKVCIsyJ2bDo7cTbI+/nklLRP+FcC2wESFUgXbA==
-----END CERTIFICATE-----`, `-----BEGIN RSA PRIVATE KEY-----
-MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAtBMa7NWpv3BVlKTC
-PGO/LEsguKqWHBtKzweMY2CVtAL1rQm913huhxF9w+ai76KQ3MHK5IVnLJjYYA5M
-zP2H5QIDAQABAkAS9BfXab3OKpK3bIgNNyp+DQJKrZnTJ4Q+OjsqkpXvNltPJosf
-G8GsiKu/vAt4HGqI3eU77NvRI+mL4MnHRmXBAiEA3qM4FAtKSRBbcJzPxxLEUSwg
-XSCcosCktbkXvpYrS30CIQDPDxgqlwDEJQ0uKuHkZI38/SPWWqfUmkecwlbpXABK
-iQIgZX08DA8VfvcA5/Xj1Zjdey9FVY6POLXen6RPiabE97UCICp6eUW7ht+2jjar
-e35EltCRCjoejRHTuN9TC0uCoVipAiAXaJIx/Q47vGwiw6Y8KXsNU6y54gTbOSxX
-54LzHNk/+Q==
-----END RSA PRIVATE KEY-----`)
 var bootstrapCertData = newCertificateData(
 	`-----BEGIN CERTIFICATE-----
 MIICRzCCAfGgAwIBAgIJANXr+UzRFq4TMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV
@@ -405,8 +388,8 @@ func TestRotateCertCreateCSRError(t *testing.T) {
 		},
 		getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
 		usages:      []certificates.KeyUsage{},
-		clientFn: func(_ *tls.Certificate) (certificatesclient.CertificateSigningRequestInterface, error) {
-			return fakeClient{failureType: createError}, nil
+		certSigningRequestClient: fakeClient{
+			failureType: createError,
 		},
 	}

@@ -428,8 +411,8 @@ func TestRotateCertWaitingForResultError(t *testing.T) {
 		},
 		getTemplate: func() *x509.CertificateRequest { return &x509.CertificateRequest{} },
 		usages:      []certificates.KeyUsage{},
-		clientFn: func(_ *tls.Certificate) (certificatesclient.CertificateSigningRequestInterface, error) {
-			return fakeClient{failureType: watchError}, nil
+		certSigningRequestClient: fakeClient{
+			failureType: watchError,
 		},
 	}

@@ -615,14 +598,6 @@ func TestInitializeCertificateSigningRequestClient(t *testing.T) {
 			expectedCertBeforeStart: storeCertData,
 			expectedCertAfterStart:  storeCertData,
 		},
-		{
-			description:             "Current certificate expired, no bootstrap certificate",
-			storeCert:               expiredStoreCertData,
-			bootstrapCert:           nilCertificate,
-			apiCert:                 apiServerCertData,
-			expectedCertBeforeStart: nil,
-			expectedCertAfterStart:  apiServerCertData,
-		},
 	}

 	for _, tc := range testCases {
@@ -646,25 +621,19 @@ func TestInitializeCertificateSigningRequestClient(t *testing.T) {
 				CertificateStore:        certificateStore,
 				BootstrapCertificatePEM: tc.bootstrapCert.certificatePEM,
 				BootstrapKeyPEM:         tc.bootstrapCert.keyPEM,
-				ClientFn: func(_ *tls.Certificate) (certificatesclient.CertificateSigningRequestInterface, error) {
-					return &fakeClient{
-						certificatePEM: tc.apiCert.certificatePEM,
-					}, nil
-				},
 			})
 			if err != nil {
 				t.Errorf("Got %v, wanted no error.", err)
 			}

 			certificate := certificateManager.Current()
-			if tc.expectedCertBeforeStart == nil {
-				if certificate != nil {
-					t.Errorf("Expected certificate to be nil, was %s", certificate.Leaf.NotAfter)
-				}
-			} else {
-				if !certificatesEqual(certificate, tc.expectedCertBeforeStart.certificate) {
-					t.Errorf("Got %v, wanted %v", certificateString(certificate), certificateString(tc.expectedCertBeforeStart.certificate))
-				}
+			if !certificatesEqual(certificate, tc.expectedCertBeforeStart.certificate) {
+				t.Errorf("Got %v, wanted %v", certificateString(certificate), certificateString(tc.expectedCertBeforeStart.certificate))
+			}
+			if err := certificateManager.SetCertificateSigningRequestClient(&fakeClient{
+				certificatePEM: tc.apiCert.certificatePEM,
+			}); err != nil {
+				t.Errorf("Got error %v, expected none.", err)
 			}

 			if m, ok := certificateManager.(*manager); !ok {
@@ -680,12 +649,6 @@ func TestInitializeCertificateSigningRequestClient(t *testing.T) {
 			}

 			certificate = certificateManager.Current()
-			if tc.expectedCertAfterStart == nil {
-				if certificate != nil {
-					t.Errorf("Expected certificate to be nil, was %s", certificate.Leaf.NotAfter)
-				}
-				return
-			}
 			if !certificatesEqual(certificate, tc.expectedCertAfterStart.certificate) {
 				t.Errorf("Got %v, wanted %v", certificateString(certificate), certificateString(tc.expectedCertAfterStart.certificate))
 			}
@@ -758,10 +721,8 @@ func TestInitializeOtherRESTClients(t *testing.T) {
 				CertificateStore:        certificateStore,
 				BootstrapCertificatePEM: tc.bootstrapCert.certificatePEM,
 				BootstrapKeyPEM:         tc.bootstrapCert.keyPEM,
-				ClientFn: func(_ *tls.Certificate) (certificatesclient.CertificateSigningRequestInterface, error) {
-					return &fakeClient{
-						certificatePEM: tc.apiCert.certificatePEM,
-					}, nil
+				CertificateSigningRequestClient: &fakeClient{
+					certificatePEM: tc.apiCert.certificatePEM,
 				},
 			})
 			if err != nil {
@@ -912,12 +873,10 @@ func TestServerHealth(t *testing.T) {
 				CertificateStore:        certificateStore,
 				BootstrapCertificatePEM: tc.bootstrapCert.certificatePEM,
 				BootstrapKeyPEM:         tc.bootstrapCert.keyPEM,
-				ClientFn: func(_ *tls.Certificate) (certificatesclient.CertificateSigningRequestInterface, error) {
-					return &fakeClient{
-						certificatePEM: tc.apiCert.certificatePEM,
-						failureType:    tc.failureType,
-						err:            tc.clientErr,
-					}, nil
+				CertificateSigningRequestClient: &fakeClient{
+					certificatePEM: tc.apiCert.certificatePEM,
+					failureType:    tc.failureType,
+					err:            tc.clientErr,
 				},
 			})
 			if err != nil {