Add e2es for configuring ACME solver pod resources via flags

Author: lunarwhite

test/e2e/certificates_test.go

@@ -13,6 +13,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	k8sresource "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 
@@ -30,6 +31,12 @@ const (
 	// letsEncryptStagingServerURL is the address for the Let's Encrypt staging environment server.
 	letsEncryptStagingServerURL = "https://acme-staging-v02.api.letsencrypt.org/directory"
 
+	// acmeSolverPodLabel is the label that cert-manager uses to identify ACME solver pods.
+	acmeSolverPodLabel = "acme.cert-manager.io/http01-solver"
+
+	// acmeSolverContainerName is the name of the container in the ACME solver pod.
+	acmeSolverContainerName = "acmesolver"
+
 	// TARGET_PLATFORM is the environment variable for IBM Cloud CIS test.
 	targetPlatformEnvironmentVar = "TARGET_PLATFORM"
 
@@ -693,11 +700,15 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 	})
 
 	Context("http-01 challenge using ingress", func() {
-		It("should obtain a valid LetsEncrypt certificate", func() {
+		var ingressHost string
+		var secretName string
 
-			By("creating a cluster issuer")
+		BeforeEach(func() {
 			clusterIssuerName := "letsencrypt-http01"
 			ingressClassName := "openshift-default"
+			secretName = "ingress-http01-secret"
+
+			By("creating a cluster issuer")
 			clusterIssuer := &certmanagerv1.ClusterIssuer{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: clusterIssuerName,
@@ -726,20 +737,16 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 			}
 			_, err := certmanagerClient.CertmanagerV1().ClusterIssuers().Create(ctx, clusterIssuer, metav1.CreateOptions{})
 			Expect(err).NotTo(HaveOccurred())
-			defer certmanagerClient.CertmanagerV1().ClusterIssuers().Delete(ctx, clusterIssuerName, metav1.DeleteOptions{})
 
 			By("creating an hello-openshift deployment")
 			loader.CreateFromFile(testassets.ReadFile, filepath.Join("testdata", "acme", "deployment.yaml"), ns.Name)
-			defer loader.DeleteFromFile(testassets.ReadFile, filepath.Join("testdata", "acme", "deployment.yaml"), ns.Name)
 
 			By("creating a service for the deployment hello-openshift")
 			loader.CreateFromFile(testassets.ReadFile, filepath.Join("testdata", "acme", "service.yaml"), ns.Name)
-			defer loader.DeleteFromFile(testassets.ReadFile, filepath.Join("testdata", "acme", "service.yaml"), ns.Name)
 
 			By("creating an Ingress object")
-			ingressHost := fmt.Sprintf("ahi-%s.%s", randomStr(3), appsDomain) // acronym for "ACME http-01 Ingress"
+			ingressHost = fmt.Sprintf("ahi-%s.%s", randomStr(3), appsDomain) // acronym for "ACME http-01 Ingress"
 			pathType := networkingv1.PathTypePrefix
-			secretName := "ingress-http01-secret"
 			ingress := &networkingv1.Ingress{
 				TypeMeta: metav1.TypeMeta{
 					APIVersion: "networking.k8s.io/v1",
@@ -776,13 +783,18 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 					}},
 				},
 			}
-			ingress, err = loader.KubeClient.NetworkingV1().Ingresses(ingress.Namespace).Create(ctx, ingress, metav1.CreateOptions{})
+			ingress, err = loader.KubeClient.NetworkingV1().Ingresses(ns.Name).Create(ctx, ingress, metav1.CreateOptions{})
 			Expect(err).NotTo(HaveOccurred())
-			defer loader.KubeClient.NetworkingV1().Ingresses(ingress.Namespace).Delete(ctx, ingress.Name, metav1.DeleteOptions{})
 
+			DeferCleanup(func() {
+				certmanagerClient.CertmanagerV1().ClusterIssuers().Delete(ctx, clusterIssuerName, metav1.DeleteOptions{})
+			})
+		})
+
+		It("should obtain a valid LetsEncrypt certificate", func() {
 			By("checking TLS certificate contents")
-			err = wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
-				secret, err := loader.KubeClient.CoreV1().Secrets(ingress.Namespace).Get(ctx, secretName, metav1.GetOptions{})
+			err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
+				secret, err := loader.KubeClient.CoreV1().Secrets(ns.Name).Get(ctx, secretName, metav1.GetOptions{})
 				tlsConfig, isvalid := library.GetTLSConfig(secret)
 				if !isvalid {
 					return false, nil
@@ -800,6 +812,48 @@ var _ = Describe("ACME Certificate", Ordered, func() {
 			})
 			Expect(err).NotTo(HaveOccurred())
 		})
+
+		It("should create HTTP01 solver pods with custom resource limits and requests", func() {
+			By("monitoring for ACME HTTP01 solver pods with expected resource configuration")
+			// These values match what's configured in BeforeAll
+			expectedResources := corev1.ResourceRequirements{
+				Limits: corev1.ResourceList{
+					corev1.ResourceCPU:    k8sresource.MustParse("150m"),
+					corev1.ResourceMemory: k8sresource.MustParse("200Mi"),
+				},
+				Requests: corev1.ResourceList{
+					corev1.ResourceCPU:    k8sresource.MustParse("100m"),
+					corev1.ResourceMemory: k8sresource.MustParse("100Mi"),
+				},
+			}
+
+			err := wait.PollUntilContextTimeout(ctx, fastPollInterval, lowTimeout, true, func(ctx context.Context) (bool, error) {
+				pods, err := k8sClientSet.CoreV1().Pods("").List(ctx, metav1.ListOptions{
+					LabelSelector: acmeSolverPodLabel,
+				})
+				if err != nil {
+					return false, nil // Retry on transient errors
+				}
+
+				if len(pods.Items) == 0 {
+					return false, nil // Keep waiting for pods to appear
+				}
+
+				// Check if any pod matches the expected resource configuration
+				for _, pod := range pods.Items {
+					if err := VerifyContainerResources(pod, acmeSolverContainerName, expectedResources); err == nil {
+						return true, nil
+					}
+				}
+
+				return false, nil // No matching pods yet, keep waiting
+			})
+			Expect(err).NotTo(HaveOccurred(), "should find ACME HTTP01 solver pods with expected resource configuration")
+
+			By("waiting for certificate to get ready")
+			err = waitForCertificateReadiness(ctx, secretName, ns.Name)
+			Expect(err).NotTo(HaveOccurred())
+		})
 	})
 })
 

test/e2e/utils_test.go

@@ -764,3 +764,44 @@ func pollTillDeploymentAvailable(ctx context.Context, clientSet *kubernetes.Clie
 
 	return err
 }
+
+// VerifyContainerResources verifies that a container in a pod has resources matching the expected configuration.
+// If containerName is empty, it verifies the first container.
+func VerifyContainerResources(pod corev1.Pod, containerName string, expectedResources corev1.ResourceRequirements) error {
+	var targetContainer *corev1.Container
+
+	if containerName == "" {
+		// Default to first container when no specific container name is provided
+		targetContainer = &pod.Spec.Containers[0]
+	} else {
+		// Find the specific container by name
+		for i := range pod.Spec.Containers {
+			if pod.Spec.Containers[i].Name == containerName {
+				targetContainer = &pod.Spec.Containers[i]
+				break
+			}
+		}
+		if targetContainer == nil {
+			return fmt.Errorf("container '%s' not found in pod '%s'", containerName, pod.Name)
+		}
+	}
+
+	// Verify limits
+	if expectedResources.Limits != nil {
+		for resourceType, expectedValue := range expectedResources.Limits {
+			if actualValue := targetContainer.Resources.Limits[resourceType]; !actualValue.Equal(expectedValue) {
+				return fmt.Errorf("%s limit for container '%s' in pod '%s' is '%v' but expected '%v'", resourceType, targetContainer.Name, pod.Name, actualValue, expectedValue)
+			}
+		}
+	}
+
+	// Verify requests
+	if expectedResources.Requests != nil {
+		for resourceType, expectedValue := range expectedResources.Requests {
+			if actualValue := targetContainer.Resources.Requests[resourceType]; !actualValue.Equal(expectedValue) {
+				return fmt.Errorf("%s request for container '%s' in pod '%s' is '%v' but expected '%v'", resourceType, targetContainer.Name, pod.Name, actualValue, expectedValue)
+			}
+		}
+	}
+	return nil
+}