extend tests

chiragkyal · chiragkyal · commit 4cc2a788f322 · 2026-04-07T21:44:08.000+05:30
Signed-off-by: chiragkyal &lt;ckyal@redhat.com&gt;
diff --git a/test/e2e/trustmanager_bundle_test.go b/test/e2e/trustmanager_bundle_test.go
@@ -16,13 +16,15 @@
 //   - Bundle deletion → target cleanup
 //   - Negative: Secret target without SecretTargets enabled
 //   - Negative: useDefaultCAs without DefaultCAPackage enabled
-//   - Negative: ConfigMap source outside trust namespace not synced
+//   - Negative: ConfigMap + Secret sources outside trust namespace not synced
 //
 // Group 2 — SecretTargets enabled:
 //   - Inline source → Secret target
 //   - Inline source → ConfigMap + Secret dual targets
 //   - ConfigMap source → Secret target
+//   - Secret target data drift reconciliation (tamper → restore)
 //   - Negative: Bundle name not in authorizedSecrets list
+//   - Transition: Enabled → Disabled → existing synced Bundle reports SecretTargetsDisabled
 //
 // Group 3 — DefaultCAPackage enabled:
 //   - useDefaultCAs → ConfigMap target
@@ -33,14 +35,20 @@
 //
 // Group 5 — Custom TrustNamespace:
 //   - ConfigMap source in custom trust namespace → ConfigMap target
-//   - Negative: ConfigMap source in default namespace not synced when custom trust namespace is configured
+//   - Secret source in custom trust namespace → ConfigMap target
+//   - Negative: ConfigMap + Secret sources in default namespace not synced when custom trust namespace is configured
+//
+// Group 6 — FilterExpiredCertificates enabled:
+//   - ConfigMap source with valid + expired certs → only valid cert in ConfigMap target
+//   - Transition to Disabled → same Bundle re-syncs with both certs in target
 package e2e
 
 import (
 	"context"
 	"crypto/x509"
 	"fmt"
 	"strings"
+	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -65,8 +73,8 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 	ctx := context.TODO()
 
 	var (
-		testNS                     *corev1.Namespace
-		testCertPEM1, testCertPEM2 string
+		testNS                                     *corev1.Namespace
+		testCertPEM1, testCertPEM2, expiredCertPEM string
 	)
 
 	BeforeAll(func() {
@@ -89,6 +97,14 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 		testCertPEM1 = testutils.GenerateCertificate("e2e-test-ca-1", []string{"cert-manager-operator-e2e"}, caTweak)
 		testCertPEM2 = testutils.GenerateCertificate("e2e-test-ca-2", []string{"cert-manager-operator-e2e"}, caTweak)
 
+		expiredCATweak := func(cert *x509.Certificate) {
+			cert.IsCA = true
+			cert.KeyUsage |= x509.KeyUsageCertSign
+			cert.NotBefore = time.Now().Add(-48 * time.Hour)
+			cert.NotAfter = time.Now().Add(-24 * time.Hour)
+		}
+		expiredCertPEM = testutils.GenerateCertificate("e2e-expired-ca", []string{"cert-manager-operator-e2e"}, expiredCATweak)
+
 		By("creating test namespace for target verification")
 		testNS = createNamespaceWithCleanup(ctx, "bundle-e2e-", map[string]string{bundleTestNamespaceLabel: "true"})
 	})
@@ -330,21 +346,24 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 			verifyBundleNeverSynced(ctx, bundleName)
 		})
 
-		It("should not sync ConfigMap source that exists outside the trust namespace", func() {
+		It("should not sync sources that exist outside the trust namespace", func() {
 			bundleName := "bundle-wrong-ns-" + randomStr(5)
 			sourceCMName := "src-wrong-ns-" + randomStr(5)
+			sourceSecretName := "src-secret-wrong-ns-" + randomStr(5)
 
-			By(fmt.Sprintf("creating source ConfigMap in test namespace %q instead of trust namespace %q", testNS.Name, trustManagerNamespace))
+			By(fmt.Sprintf("creating source ConfigMap and Secret in test namespace %q instead of trust namespace %q", testNS.Name, trustManagerNamespace))
 			createSourceConfigMap(ctx, testNS.Name, sourceCMName, bundleSourceKey, testCertPEM1)
+			createSourceSecret(ctx, testNS.Name, sourceSecretName, bundleSourceKey, testCertPEM2)
 
 			bundle := newBundle(bundleName).
 				WithConfigMapSource(sourceCMName, bundleSourceKey).
+				WithSecretSource(sourceSecretName, bundleSourceKey).
 				WithConfigMapTarget(bundleTargetKey).
 				Build()
 
 			createBundleWithCleanup(ctx, bundle)
 
-			By("verifying Bundle does not reach Synced=True because source is not in trust namespace")
+			By("verifying Bundle does not reach Synced=True because sources are not in trust namespace")
 			verifyBundleNeverSynced(ctx, bundleName)
 
 			By("verifying no target ConfigMap is created in test namespace")
@@ -359,12 +378,14 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 			bundleSecretTarget     = "bundle-secret-tgt"
 			bundleDualTarget       = "bundle-dual-tgt"
 			bundleCMToSecretTarget = "bundle-cm-to-secret"
+			bundleSecretDrift      = "bundle-secret-drift"
+			bundleSecretDisable    = "bundle-secret-disable"
 		)
 
 		BeforeAll(func() {
 			createTrustManager(ctx, newTrustManagerCR().WithSecretTargets(
 				v1alpha1.SecretTargetsPolicyCustom,
-				[]string{bundleSecretTarget, bundleDualTarget, bundleCMToSecretTarget},
+				[]string{bundleSecretTarget, bundleDualTarget, bundleCMToSecretTarget, bundleSecretDrift, bundleSecretDisable},
 			))
 		})
 		AfterAll(func() { deleteTrustManager(ctx) })
@@ -422,6 +443,30 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 			verifyBundleSynced(ctx, bundleCMToSecretTarget)
 		})
 
+		It("should restore Secret target when tampered", func() {
+			bundle := newBundle(bundleSecretDrift).
+				WithInLineSource(testCertPEM1).
+				WithSecretTarget(bundleTargetKey).
+				Build()
+
+			createBundleWithCleanup(ctx, bundle)
+
+			By("verifying Secret target is synced")
+			err := waitForSecretTarget(ctx, bundleClient, bundleSecretDrift, testNS.Name, bundleTargetKey, testCertPEM1, highTimeout)
+			Expect(err).ShouldNot(HaveOccurred())
+
+			By("tampering with the target Secret data")
+			targetSecret, err := k8sClientSet.CoreV1().Secrets(testNS.Name).Get(ctx, bundleSecretDrift, metav1.GetOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+			targetSecret.Data[bundleTargetKey] = []byte("tampered-data")
+			_, err = k8sClientSet.CoreV1().Secrets(testNS.Name).Update(ctx, targetSecret, metav1.UpdateOptions{})
+			Expect(err).ShouldNot(HaveOccurred())
+
+			By("verifying trust-manager restores the target Secret")
+			err = waitForSecretTarget(ctx, bundleClient, bundleSecretDrift, testNS.Name, bundleTargetKey, testCertPEM1, highTimeout)
+			Expect(err).ShouldNot(HaveOccurred())
+		})
+
 		It("should not sync Secret when Bundle name is not in authorizedSecrets list", func() {
 			bundleName := "bundle-not-authorized"
 			bundle := newBundle(bundleName).
@@ -438,6 +483,39 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 			_, err := k8sClientSet.CoreV1().Secrets(testNS.Name).Get(ctx, bundleName, metav1.GetOptions{})
 			Expect(apierrors.IsNotFound(err)).Should(BeTrue())
 		})
+
+		It("should report SecretTargetsDisabled on existing synced Bundle after disabling secretTargets", func() {
+			bundle := newBundle(bundleSecretDisable).
+				WithInLineSource(testCertPEM1).
+				WithSecretTarget(bundleTargetKey).
+				Build()
+
+			createBundleWithCleanup(ctx, bundle)
+
+			By("verifying Secret target syncs while feature is enabled")
+			err := waitForSecretTarget(ctx, bundleClient, bundleSecretDisable, testNS.Name, bundleTargetKey, testCertPEM1, highTimeout)
+			Expect(err).ShouldNot(HaveOccurred())
+			verifyBundleSynced(ctx, bundleSecretDisable)
+
+			By("disabling secretTargets on TrustManager CR")
+			Eventually(func() error {
+				tm, err := trustManagerClient().Get(ctx, "cluster", metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+				tm.Spec.TrustManagerConfig.SecretTargets = v1alpha1.SecretTargetsConfig{
+					Policy: v1alpha1.SecretTargetsPolicyDisabled,
+				}
+				_, err = trustManagerClient().Update(ctx, tm, metav1.UpdateOptions{})
+				return err
+			}, lowTimeout, fastPollInterval).Should(Succeed())
+
+			waitForTrustManagerReady(ctx)
+
+			By("verifying Bundle status transitions to Synced=False")
+			err = waitForBundleCondition(ctx, bundleClient, bundleSecretDisable, trustapi.BundleConditionSynced, metav1.ConditionFalse, highTimeout)
+			Expect(err).ShouldNot(HaveOccurred())
+		})
 	})
 
 	// ===== Group 3: DefaultCAPackage enabled =====
@@ -590,26 +668,122 @@ var _ = Describe("Bundle", Ordered, Label("Feature:TrustManager"), func() {
 			verifyBundleSynced(ctx, bundleName)
 		})
 
-		It("should not sync ConfigMap source from default namespace when custom trust namespace is configured", func() {
+		It("should sync Secret source from custom trust namespace to target", func() {
+			bundleName := "bundle-secret-custom-ns-" + randomStr(5)
+			sourceSecretName := "src-secret-custom-ns-" + randomStr(5)
+
+			By(fmt.Sprintf("creating source Secret in custom trust namespace %q", customTrustNS.Name))
+			createSourceSecret(ctx, customTrustNS.Name, sourceSecretName, bundleSourceKey, testCertPEM1)
+
+			bundle := newBundle(bundleName).
+				WithSecretSource(sourceSecretName, bundleSourceKey).
+				WithConfigMapTarget(bundleTargetKey).
+				Build()
+
+			createBundleWithCleanup(ctx, bundle)
+
+			By("verifying ConfigMap target is synced in test namespace")
+			err := waitForConfigMapTarget(ctx, bundleClient, bundleName, testNS.Name, bundleTargetKey, testCertPEM1, highTimeout)
+			Expect(err).ShouldNot(HaveOccurred())
+
+			verifyBundleSynced(ctx, bundleName)
+		})
+
+		It("should not sync sources from default namespace when custom trust namespace is configured", func() {
 			bundleName := "bundle-default-ns-miss-" + randomStr(5)
 			sourceCMName := "src-default-ns-miss-" + randomStr(5)
+			sourceSecretName := "src-secret-default-miss-" + randomStr(5)
 
-			By(fmt.Sprintf("creating source ConfigMap in default namespace %q (not the custom trust namespace %q)", trustManagerNamespace, customTrustNS.Name))
+			By(fmt.Sprintf("creating source ConfigMap and Secret in default namespace %q (not the custom trust namespace %q)", trustManagerNamespace, customTrustNS.Name))
 			createSourceConfigMap(ctx, trustManagerNamespace, sourceCMName, bundleSourceKey, testCertPEM1)
+			createSourceSecret(ctx, trustManagerNamespace, sourceSecretName, bundleSourceKey, testCertPEM2)
 
 			bundle := newBundle(bundleName).
 				WithConfigMapSource(sourceCMName, bundleSourceKey).
+				WithSecretSource(sourceSecretName, bundleSourceKey).
 				WithConfigMapTarget(bundleTargetKey).
 				Build()
 
 			createBundleWithCleanup(ctx, bundle)
 
-			By("verifying Bundle does not reach Synced=True because source is not in custom trust namespace")
+			By("verifying Bundle does not reach Synced=True because sources are not in custom trust namespace")
 			verifyBundleNeverSynced(ctx, bundleName)
 
 			By("verifying no target ConfigMap is created in test namespace")
 			_, err := k8sClientSet.CoreV1().ConfigMaps(testNS.Name).Get(ctx, bundleName, metav1.GetOptions{})
 			Expect(apierrors.IsNotFound(err)).Should(BeTrue())
 		})
 	})
+
+	// ===== Group 6: FilterExpiredCertificates =====
+	Context("with FilterExpiredCertificates enabled", Ordered, func() {
+		var (
+			filterBundleName string
+			sourceCMName     string
+		)
+
+		BeforeAll(func() {
+			createTrustManager(ctx, newTrustManagerCR().
+				WithFilterExpiredCertificates(v1alpha1.FilterExpiredCertificatesPolicyEnabled))
+
+			sourceCMName = "filter-src-cm-" + randomStr(5)
+			combinedPEM := testCertPEM1 + expiredCertPEM
+
+			By("creating source ConfigMap with valid + expired certs in trust namespace")
+			createSourceConfigMap(ctx, trustManagerNamespace, sourceCMName, bundleSourceKey, combinedPEM)
+		})
+		AfterAll(func() { deleteTrustManager(ctx) })
+
+		It("should exclude expired certificates from ConfigMap target when using ConfigMap source", func() {
+			filterBundleName = "bundle-filter-expired-" + randomStr(5)
+
+			bundle := newBundle(filterBundleName).
+				WithConfigMapSource(sourceCMName, bundleSourceKey).
+				WithConfigMapTarget(bundleTargetKey).
+				Build()
+
+			createBundleWithCleanup(ctx, bundle)
+
+			By("verifying target contains the valid certificate")
+			err := waitForConfigMapTarget(ctx, bundleClient, filterBundleName, testNS.Name, bundleTargetKey, testCertPEM1, highTimeout)
+			Expect(err).ShouldNot(HaveOccurred())
+
+			By("verifying target does NOT contain the expired certificate")
+			Eventually(func(g Gomega) {
+				cm, err := k8sClientSet.CoreV1().ConfigMaps(testNS.Name).Get(ctx, filterBundleName, metav1.GetOptions{})
+				g.Expect(err).ShouldNot(HaveOccurred())
+				data := cm.Data[bundleTargetKey]
+				g.Expect(strings.Contains(data, strings.TrimSpace(testCertPEM1))).Should(BeTrue(), "should contain valid cert")
+				g.Expect(strings.Contains(data, strings.TrimSpace(expiredCertPEM))).Should(BeFalse(), "should not contain expired cert")
+			}, highTimeout, fastPollInterval).Should(Succeed())
+
+			verifyBundleSynced(ctx, filterBundleName)
+		})
+
+		It("should re-sync same Bundle with expired certs included after disabling filter", func() {
+			By("disabling filterExpiredCertificates on TrustManager CR")
+			Eventually(func() error {
+				tm, err := trustManagerClient().Get(ctx, "cluster", metav1.GetOptions{})
+				if err != nil {
+					return err
+				}
+				tm.Spec.TrustManagerConfig.FilterExpiredCertificates = v1alpha1.FilterExpiredCertificatesPolicyDisabled
+				_, err = trustManagerClient().Update(ctx, tm, metav1.UpdateOptions{})
+				return err
+			}, lowTimeout, fastPollInterval).Should(Succeed())
+
+			waitForTrustManagerReady(ctx)
+
+			By("verifying the same Bundle's target now includes the expired certificate")
+			Eventually(func(g Gomega) {
+				cm, err := k8sClientSet.CoreV1().ConfigMaps(testNS.Name).Get(ctx, filterBundleName, metav1.GetOptions{})
+				g.Expect(err).ShouldNot(HaveOccurred())
+				data := cm.Data[bundleTargetKey]
+				g.Expect(strings.Contains(data, strings.TrimSpace(testCertPEM1))).Should(BeTrue(), "should contain valid cert")
+				g.Expect(strings.Contains(data, strings.TrimSpace(expiredCertPEM))).Should(BeTrue(), "should contain expired cert after disabling filter")
+			}, highTimeout, fastPollInterval).Should(Succeed())
+
+			verifyBundleSynced(ctx, filterBundleName)
+		})
+	})
 })
diff --git a/test/e2e/trustmanager_helpers_test.go b/test/e2e/trustmanager_helpers_test.go
@@ -91,6 +91,11 @@ func (b *trustManagerCRBuilder) WithDefaultCAPackage(policy v1alpha1.DefaultCAPa
 	return b
 }
 
+func (b *trustManagerCRBuilder) WithFilterExpiredCertificates(policy v1alpha1.FilterExpiredCertificatesPolicy) *trustManagerCRBuilder {
+	b.tm.Spec.TrustManagerConfig.FilterExpiredCertificates = policy
+	return b
+}
+
 func (b *trustManagerCRBuilder) Build() *v1alpha1.TrustManager {
 	return b.tm
 }
diff --git a/test/e2e/trustmanager_test.go b/test/e2e/trustmanager_test.go

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,11 @@ func (b *trustManagerCRBuilder) WithDefaultCAPackage(policy v1alpha1.DefaultCAPa`
`91`	`91`	`return b`
`92`	`92`	`}`
`93`	`93`
	`94`	`+func (b trustManagerCRBuilder) WithFilterExpiredCertificates(policy v1alpha1.FilterExpiredCertificatesPolicy) trustManagerCRBuilder {`
	`95`	`+ b.tm.Spec.TrustManagerConfig.FilterExpiredCertificates = policy`
	`96`	`+ return b`
	`97`	`+}`
	`98`	`+`
`94`	`99`	`func (b trustManagerCRBuilder) Build() v1alpha1.TrustManager {`
`95`	`100`	`return b.tm`
`96`	`101`	`}`