Add tests for prometheus TLS config validation

hashicorp · Jun 28, 2022 · e46c6d7 · e46c6d7
1 parent db42f7c
commit e46c6d7
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 1 deletion.
diff --git a/control-plane/connect-inject/container_init.go b/control-plane/connect-inject/container_init.go
@@ -233,6 +233,19 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 		data.PrometheusKeyFile = raw
 	}
 
+	// Validate required Prometheus TLS config is present if set.
+	if data.PrometheusCertFile != "" || data.PrometheusKeyFile != "" || data.PrometheusCAFile != "" || data.PrometheusCAPath != "" {
+		if data.PrometheusCAFile == "" && data.PrometheusCAPath == "" {
+			return corev1.Container{}, fmt.Errorf("Must set one of %q or %q when providing prometheus TLS config", annotationPrometheusCAFile, annotationPrometheusCAPath)
+		}
+		if data.PrometheusCertFile == "" {
+			return corev1.Container{}, fmt.Errorf("Must set %q when providing prometheus TLS config", annotationPrometheusCertFile)
+		}
+		if data.PrometheusKeyFile == "" {
+			return corev1.Container{}, fmt.Errorf("Must set %q when providing prometheus TLS config", annotationPrometheusKeyFile)
+		}
+	}
+
 	// Render the command
 	var buf bytes.Buffer
 	tpl := template.Must(template.New("root").Parse(strings.TrimSpace(

diff --git a/control-plane/connect-inject/container_init_test.go b/control-plane/connect-inject/container_init_test.go
@@ -49,6 +49,7 @@ func TestHandlerContainerInit(t *testing.T) {
 		Webhook MeshWebhook
 		Cmd     string // Strings.Contains test
 		CmdNot  string // Not contains
+		ErrStr  string // Error contains
 	}{
 		// The first test checks the whole template. Subsequent tests check
 		// the parts that change.
@@ -70,6 +71,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 			"",
+			"",
 		},
 
 		{
@@ -99,6 +101,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -service-name="web" \
 `,
 			"",
+			"",
 		},
 		{
 			"When running the merged metrics server, configures consul connect envoy command",
@@ -136,6 +139,67 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -prometheus-key-file="/certs/key.pem" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 			"",
+			"",
+		},
+		{
+			"When providing Prometheus TLS config, missing CA gives an error",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				pod.Annotations[annotationEnableMetrics] = "true"
+				pod.Annotations[annotationEnableMetricsMerging] = "true"
+				pod.Annotations[annotationMergedMetricsPort] = "20100"
+				pod.Annotations[annotationPrometheusScrapePort] = "22222"
+				pod.Annotations[annotationPrometheusScrapePath] = "/scrape-path"
+				pod.Annotations[annotationPrometheusCertFile] = "/certs/server.crt"
+				pod.Annotations[annotationPrometheusKeyFile] = "/certs/key.pem"
+				return pod
+			},
+			MeshWebhook{
+				ConsulAPITimeout: 5 * time.Second,
+			},
+			"",
+			"",
+			fmt.Sprintf("Must set one of %q or %q", annotationPrometheusCAFile, annotationPrometheusCAPath),
+		},
+		{
+			"When providing Prometheus TLS config, missing cert gives an error",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				pod.Annotations[annotationEnableMetrics] = "true"
+				pod.Annotations[annotationEnableMetricsMerging] = "true"
+				pod.Annotations[annotationMergedMetricsPort] = "20100"
+				pod.Annotations[annotationPrometheusScrapePort] = "22222"
+				pod.Annotations[annotationPrometheusScrapePath] = "/scrape-path"
+				pod.Annotations[annotationPrometheusCAFile] = "/certs/ca.crt"
+				pod.Annotations[annotationPrometheusKeyFile] = "/certs/key.pem"
+				return pod
+			},
+			MeshWebhook{
+				ConsulAPITimeout: 5 * time.Second,
+			},
+			"",
+			"",
+			fmt.Sprintf("Must set %q", annotationPrometheusCertFile),
+		},
+		{
+			"When providing Prometheus TLS config, missing key gives an error",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				pod.Annotations[annotationEnableMetrics] = "true"
+				pod.Annotations[annotationEnableMetricsMerging] = "true"
+				pod.Annotations[annotationMergedMetricsPort] = "20100"
+				pod.Annotations[annotationPrometheusScrapePort] = "22222"
+				pod.Annotations[annotationPrometheusScrapePath] = "/scrape-path"
+				pod.Annotations[annotationPrometheusCAPath] = "/certs/ca/"
+				pod.Annotations[annotationPrometheusCertFile] = "/certs/server.crt"
+				return pod
+			},
+			MeshWebhook{
+				ConsulAPITimeout: 5 * time.Second,
+			},
+			"",
+			"",
+			fmt.Sprintf("Must set %q", annotationPrometheusKeyFile),
 		},
 	}
 
@@ -146,7 +210,11 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 			h := tt.Webhook
 			pod := *tt.Pod(minimal())
 			container, err := h.containerInit(testNS, pod, multiPortInfo{})
-			require.NoError(err)
+			if tt.ErrStr == "" {
+				require.NoError(err)
+			} else {
+				require.Contains(err.Error(), tt.ErrStr)
+			}
 			actual := strings.Join(container.Command, " ")
 			require.Contains(actual, tt.Cmd)
 			if tt.CmdNot != "" {