chore: refactor and add unit tests to watcher (#1253)

Signed-off-by: realanna <[email protected]>

.sonarcloud.properties

@@ -1,6 +1,6 @@
 sonar.projectKey=keptn_lifecycle-toolkit
 sonar.projectName=lifecycle-toolkit
-sonar.cpd.exclusions=**/test_*.go,\
+sonar.cpd.exclusions= **/*_test.go,\
   scheduler/test/e2e/fake/**/*.go,\
   operator/apis/lifecycle/v1alpha1/**/*.go,\
   operator/apis/lifecycle/v1alpha2/**/*.go,\

Makefile

@@ -33,10 +33,13 @@ $(HELMIFY): $(LOCALBIN)
 .PHONY: integration-test #these tests should run on a real cluster!
 integration-test:	# to run a single test by name use --test eg. --test=expose-keptn-metric
 	kubectl kuttl test --start-kind=false ./test/integration/ --config=kuttl-test.yaml
+	kubectl kuttl test --start-kind=false ./test/testcertificate/ --config=kuttl-test.yaml
+
 
 .PHONY: integration-test-local #these tests should run on a real cluster!
 integration-test-local: install-prometheus
 	kubectl kuttl test --start-kind=false ./test/integration/ --config=kuttl-test-local.yaml
+	kubectl kuttl test --start-kind=false ./test/testcertificate/ --config=kuttl-test-local.yaml
 
 .PHONY: load-test
 load-test:

metrics-operator/cmd/certificates/certificatehandler.go

@@ -0,0 +1,22 @@
+package certificates
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+)
+
+//go:generate moq -pkg fake -skip-ensure -out ./fake/certificatehandler_mock.go . ICertificateHandler
+type ICertificateHandler interface {
+	Decode(data []byte) (p *pem.Block, rest []byte)
+	Parse(der []byte) (*x509.Certificate, error)
+}
+
+type defaultCertificateHandler struct {
+}
+
+func (c defaultCertificateHandler) Decode(data []byte) (p *pem.Block, rest []byte) {
+	return pem.Decode(data)
+}
+func (c defaultCertificateHandler) Parse(der []byte) (*x509.Certificate, error) {
+	return x509.ParseCertificate(der)
+}

metrics-operator/cmd/certificates/watcher.go

@@ -3,8 +3,6 @@ package certificates
 import (
 	"bytes"
 	"context"
-	"crypto/x509"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
@@ -16,13 +14,13 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
 const (
 	certificateRenewalInterval = 6 * time.Hour
 	ServerKey                  = "tls.key"
 	ServerCert                 = "tls.crt"
+	CertThreshold              = 5 * time.Minute
 )
 
 type CertificateWatcher struct {
@@ -31,16 +29,20 @@ type CertificateWatcher struct {
 	certificateDirectory  string
 	namespace             string
 	certificateSecretName string
-	Log                   logr.Logger
+	certificateTreshold   time.Duration
+	ICertificateHandler
+	Log logr.Logger
 }
 
-func NewCertificateWatcher(mgr manager.Manager, namespace string, secretName string, log logr.Logger) *CertificateWatcher {
+func NewCertificateWatcher(reader client.Reader, certDir string, namespace string, secretName string, log logr.Logger) *CertificateWatcher {
 	return &CertificateWatcher{
-		apiReader:             mgr.GetAPIReader(),
+		apiReader:             reader,
 		fs:                    afero.NewOsFs(),
-		certificateDirectory:  mgr.GetWebhookServer().CertDir,
+		certificateDirectory:  certDir,
 		namespace:             namespace,
 		certificateSecretName: secretName,
+		ICertificateHandler:   defaultCertificateHandler{},
+		certificateTreshold:   CertThreshold,
 		Log:                   log,
 	}
 }
@@ -75,7 +77,7 @@ func (watcher *CertificateWatcher) updateCertificatesFromSecret() error {
 	}
 
 	for _, filename := range []string{ServerCert, ServerKey} {
-		if _, err = watcher.ensureCertificateFile(secret, filename); err != nil {
+		if err = watcher.ensureCertificateFile(secret, filename); err != nil {
 			return err
 		}
 	}
@@ -88,22 +90,18 @@ func (watcher *CertificateWatcher) updateCertificatesFromSecret() error {
 	return nil
 }
 
-func (watcher *CertificateWatcher) ensureCertificateFile(secret corev1.Secret, filename string) (bool, error) {
+func (watcher *CertificateWatcher) ensureCertificateFile(secret corev1.Secret, filename string) error {
 	f := filepath.Join(watcher.certificateDirectory, filename)
-
 	data, err := afero.ReadFile(watcher.fs, f)
 	if os.IsNotExist(err) || !bytes.Equal(data, secret.Data[filename]) {
-		if err := afero.WriteFile(watcher.fs, f, secret.Data[filename], 0666); err != nil {
-			return false, err
-		}
-	} else {
-		return false, err
+		return afero.WriteFile(watcher.fs, f, secret.Data[filename], 0666)
 	}
-	return true, nil
+	return err
+
 }
 
 func (watcher *CertificateWatcher) WaitForCertificates() {
-	for threshold := time.Now().Add(5 * time.Minute); time.Now().Before(threshold); {
+	for threshold := time.Now().Add(watcher.certificateTreshold); time.Now().Before(threshold); {
 
 		if err := watcher.updateCertificatesFromSecret(); err != nil {
 			if k8serrors.IsNotFound(err) {
@@ -120,10 +118,10 @@ func (watcher *CertificateWatcher) WaitForCertificates() {
 }
 
 func (watcher *CertificateWatcher) ValidateCertificateExpiration(certData []byte, renewalThreshold time.Duration, now time.Time) (bool, error) {
-	if block, _ := pem.Decode(certData); block == nil {
+	if block, _ := watcher.Decode(certData); block == nil {
 		watcher.Log.Error(errors.New("can't decode PEM file"), "failed to parse certificate")
 		return false, nil
-	} else if cert, err := x509.ParseCertificate(block.Bytes); err != nil {
+	} else if cert, err := watcher.Parse(block.Bytes); err != nil {
 		watcher.Log.Error(err, "failed to parse certificate")
 		return false, err
 	} else if now.After(cert.NotAfter.Add(-renewalThreshold)) {