encryptionconfig/controller: run unit tests faster

Signed-off-by: Monis Khan <mok@microsoft.com>
2025-08-04 18:00:08 +00:00 · 2023-10-31 11:59:37 -04:00 · 2023-10-31 11:59:37 -04:00 · 6ac7da1da8
commit 6ac7da1da8
parent 74fefd877f
2 changed files with 27 additions and 21 deletions
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/controller/controller.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/controller/controller.go
@ -38,8 +38,8 @@ const workqueueKey = "key"
 // EncryptionConfigFileChangePollDuration is exposed so that integration tests can crank up the reload speed.
 var EncryptionConfigFileChangePollDuration = time.Minute

-// DynamicKMSEncryptionConfigContent which can dynamically handle changes in encryption config file.
-type DynamicKMSEncryptionConfigContent struct {
+// DynamicEncryptionConfigContent which can dynamically handle changes in encryption config file.
+type DynamicEncryptionConfigContent struct {
 	name string

 	// filePath is the path of the file to read.
@ -72,8 +72,8 @@ func NewDynamicEncryptionConfiguration(
 	dynamicTransformers *encryptionconfig.DynamicTransformers,
 	configContentHash string,
 	apiServerID string,
-) *DynamicKMSEncryptionConfigContent {
-	encryptionConfig := &DynamicKMSEncryptionConfigContent{
+) *DynamicEncryptionConfigContent {
+	return &DynamicEncryptionConfigContent{
 		name:                           name,
 		filePath:                       filePath,
 		lastLoadedEncryptionConfigHash: configContentHash,
@ -85,13 +85,10 @@ func NewDynamicEncryptionConfiguration(
 		},
 		loadEncryptionConfig: encryptionconfig.LoadEncryptionConfig,
 	}
-	encryptionConfig.queue.Add(workqueueKey) // to avoid missing any file changes that occur in between the initial load and Run
-
-	return encryptionConfig
 }

 // Run starts the controller and blocks until ctx is canceled.
-func (d *DynamicKMSEncryptionConfigContent) Run(ctx context.Context) {
+func (d *DynamicEncryptionConfigContent) Run(ctx context.Context) {
 	defer utilruntime.HandleCrash()

 	klog.InfoS("Starting controller", "name", d.name)
@ -134,13 +131,13 @@ func (d *DynamicKMSEncryptionConfigContent) Run(ctx context.Context) {
 }

 // runWorker to process file content
-func (d *DynamicKMSEncryptionConfigContent) runWorker(ctx context.Context) {
+func (d *DynamicEncryptionConfigContent) runWorker(ctx context.Context) {
 	for d.processNextWorkItem(ctx) {
 	}
 }

 // processNextWorkItem processes file content when there is a message in the queue.
-func (d *DynamicKMSEncryptionConfigContent) processNextWorkItem(serverCtx context.Context) bool {
+func (d *DynamicEncryptionConfigContent) processNextWorkItem(serverCtx context.Context) bool {
 	// key here is dummy item in the queue to trigger file content processing.
 	key, quit := d.queue.Get()
 	if quit {
@ -153,7 +150,7 @@ func (d *DynamicKMSEncryptionConfigContent) processNextWorkItem(serverCtx contex
 	return true
 }

-func (d *DynamicKMSEncryptionConfigContent) processWorkItem(serverCtx context.Context, workqueueKey interface{}) {
+func (d *DynamicEncryptionConfigContent) processWorkItem(serverCtx context.Context, workqueueKey interface{}) {
 	var (
 		updatedEffectiveConfig  bool
 		err                     error
@ -219,7 +216,7 @@ func (d *DynamicKMSEncryptionConfigContent) processWorkItem(serverCtx context.Co
 }

 // loadEncryptionConfig processes the next set of content from the file.
-func (d *DynamicKMSEncryptionConfigContent) processEncryptionConfig(ctx context.Context) (
+func (d *DynamicEncryptionConfigContent) processEncryptionConfig(ctx context.Context) (
 	_ *encryptionconfig.EncryptionConfiguration,
 	configChanged bool,
 	_ error,
@ -250,7 +247,10 @@ func (d *DynamicKMSEncryptionConfigContent) processEncryptionConfig(ctx context.
 	return encryptionConfiguration, true, nil
 }

-func (d *DynamicKMSEncryptionConfigContent) validateNewTransformersHealth(
+// minKMSPluginCloseGracePeriod can be lowered in unit tests to make the health check poll faster
+var minKMSPluginCloseGracePeriod = 10 * time.Second
+
+func (d *DynamicEncryptionConfigContent) validateNewTransformersHealth(
 	ctx context.Context,
 	kmsPluginHealthzCheck healthz.HealthChecker,
 	kmsPluginCloseGracePeriod time.Duration,
@ -258,8 +258,8 @@ func (d *DynamicKMSEncryptionConfigContent) validateNewTransformersHealth(
 	// test if new transformers are healthy
 	var healthCheckError error

-	if kmsPluginCloseGracePeriod < 10*time.Second {
-		kmsPluginCloseGracePeriod = 10 * time.Second
+	if kmsPluginCloseGracePeriod < minKMSPluginCloseGracePeriod {
+		kmsPluginCloseGracePeriod = minKMSPluginCloseGracePeriod
 	}

 	// really make sure that the immediate check does not hang
--- a/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/controller/controller_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig/controller/controller_test.go
@ -37,6 +37,10 @@ import (
 )

 func TestController(t *testing.T) {
+	origMinKMSPluginCloseGracePeriod := minKMSPluginCloseGracePeriod
+	t.Cleanup(func() { minKMSPluginCloseGracePeriod = origMinKMSPluginCloseGracePeriod })
+	minKMSPluginCloseGracePeriod = 300 * time.Millisecond
+
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.KMSv1, true)()

 	const expectedSuccessMetricValue = `
@ -141,7 +145,7 @@ apiserver_encryption_config_controller_automatic_reload_failures_total{apiserver
 							err:        fmt.Errorf("mockingly failing"),
 						},
 					},
-					KMSCloseGracePeriod:       time.Second,
+					KMSCloseGracePeriod:       0, // use minKMSPluginCloseGracePeriod
 					EncryptionFileContentHash: "anything different",
 				}, nil
 			},
@ -255,14 +259,16 @@ apiserver_encryption_config_controller_automatic_reload_failures_total{apiserver

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			serverCtx, closeServer := context.WithCancel(context.Background())
+			ctxServer, closeServer := context.WithCancel(context.Background())
+			ctxTransformers, closeTransformers := context.WithCancel(ctxServer)
 			t.Cleanup(closeServer)
+			t.Cleanup(closeTransformers)

 			legacyregistry.Reset()

 			// load initial encryption config
 			encryptionConfiguration, err := encryptionconfig.LoadEncryptionConfig(
-				serverCtx,
+				ctxTransformers,
 				"testdata/ec_config.yaml",
 				true,
 				"test-apiserver",
@ -277,8 +283,8 @@ apiserver_encryption_config_controller_automatic_reload_failures_total{apiserver
 				encryptionconfig.NewDynamicTransformers(
 					encryptionConfiguration.Transformers,
 					encryptionConfiguration.HealthChecks[0],
-					closeServer,
-					encryptionConfiguration.KMSCloseGracePeriod,
+					closeTransformers,
+					0, // set grace period to 0 so that the time.Sleep in DynamicTransformers.Set finishes quickly
 				),
 				encryptionConfiguration.EncryptionFileContentHash,
 				"test-apiserver",
@ -303,7 +309,7 @@ apiserver_encryption_config_controller_automatic_reload_failures_total{apiserver
 				return test.mockGetEncryptionConfigHash(ctx, filepath)
 			}

-			d.Run(serverCtx) // this should block and run exactly one iteration of the worker loop
+			d.Run(ctxServer) // this should block and run exactly one iteration of the worker loop

 			if test.wantECFileHash != d.lastLoadedEncryptionConfigHash {
 				t.Errorf("expected encryption config hash %q but got %q", test.wantECFileHash, d.lastLoadedEncryptionConfigHash)