From 6f6cec53ea6cd795605d9b6a8a5c1fa0efea2e2c Mon Sep 17 00:00:00 2001
From: Clement Tee
Date: Thu, 9 Oct 2025 17:47:43 +0800
Subject: [PATCH 1/3] Update service handler to use `certificateAuthorityCertSecretRef`

---
 app/handlers/handlers_services.py            | 11 ++--
 app/handlers/tests/test_handlers_services.py | 55 +++++---------------
 2 files changed, 16 insertions(+), 50 deletions(-)

diff --git a/app/handlers/handlers_services.py b/app/handlers/handlers_services.py
index 6d5e7951..e0eb774d 100644
--- a/app/handlers/handlers_services.py
+++ b/app/handlers/handlers_services.py
@@ -8,7 +8,6 @@
 
 from app.crds import ResourceType
 from app.utils import to_bool
-from app.utils_k8s import get_ca_cert, k8s_get_secret
 
 
 def k8s_get_twingate_resource(
@@ -93,11 +92,6 @@ def service_to_twingate_resource(service_body: Body, namespace: str) -> dict:
             f"{TLS_OBJECT_ANNOTATION} annotation is not provided."
         )
 
-    if not (secret := k8s_get_secret(namespace, secret_name)):
-        raise kopf.PermanentError(
-            f"Kubernetes Secret object: {secret_name} is missing."
-        )
-
     result["spec"] |= {
         "address": "kubernetes.default.svc.cluster.local",
         "proxy": {
@@ -106,7 +100,10 @@ def service_to_twingate_resource(service_body: Body, namespace: str) -> dict:
                 if spec["type"] == ServiceType.LOAD_BALANCER
                 else f"{service_name}.{namespace}.svc.cluster.local"
             ),
-            "certificateAuthorityCert": get_ca_cert(secret),
+            "certificateAuthorityCertSecretRef": {
+                "name": tls_secret_name,
+                "namespace": namespace,
+            },
         },
     }
 
diff --git a/app/handlers/tests/test_handlers_services.py b/app/handlers/tests/test_handlers_services.py
index ca2d5979..cec1ad4b 100644
--- a/app/handlers/tests/test_handlers_services.py
+++ b/app/handlers/tests/test_handlers_services.py
@@ -6,7 +6,6 @@
 import yaml
 from kopf._core.intents.causes import Reason
 
-from app.api.tests.factories import BASE64_OF_VALID_CA_CERT
 from app.crds import ResourceType
 from app.handlers.handlers_services import (
     ALLOWED_EXTRA_ANNOTATIONS,
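Review bot: The fail-fast check that the annotated Secret exists is dropped in the `@@ -93,11` hunk, so a Service whose `TLS_OBJECT_ANNOTATION` names a Secret that does not exist now yields a Twingate resource carrying a dangling `certificateAuthorityCertSecretRef` instead of a `kopf.PermanentError`, and the only test of that case is deleted in the test file (`@@ -231,19`). Presumably whatever consumes the ref resolves the Secret later; if it does not also validate presence and report it on the Service, the misconfiguration becomes silent, so either keep a presence check here, `if not k8s_get_secret(namespace, secret_name): raise kopf.PermanentError(f"Kubernetes Secret object: {secret_name} is missing.")` (which also means keeping the `k8s_get_secret` import removed in `@@ -8,7`), or state the deferral next to the ref in `@@ -106,7`: `# Secret existence/contents are checked by the consumer of this ref, not here`. A one-line comment that the ref's `namespace` is the handler's own `namespace` argument, so an annotation can never point at a Secret in another namespace, would also make the trust boundary explicit. service_to_twingate_resource starts and ends outside these hunks.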
@@ -15,7 +14,6 @@
     service_to_twingate_resource,
     twingate_service_create,
 )
-from app.utils_k8s import get_ca_cert
 
 
 # Ignore the fact we use _cogs here
@@ -173,25 +171,13 @@ def test_with_extra_annotation(
         assert result == expected
 
     def test_kubernetes_resource_type_annotation(
-        self,
-        example_cluster_ip_gateway_service_body,
-        k8s_core_client_mock,
-        k8s_secret_mock,
+        self, example_cluster_ip_gateway_service_body
     ):
         tls_object_name = "gateway-tls"
         namespace = "custom-namespace"
-        k8s_core_client_mock.read_namespaced_secret.return_value = k8s_secret_mock
-
-        with patch(
-            "app.handlers.handlers_services.get_ca_cert", wraps=get_ca_cert
-        ) as get_ca_cert_mock:
-            result = service_to_twingate_resource(
-                example_cluster_ip_gateway_service_body, namespace
-            )
-            get_ca_cert_mock.assert_called_once_with(k8s_secret_mock)
 
-        k8s_core_client_mock.read_namespaced_secret.assert_called_once_with(
-            namespace=namespace, name=tls_object_name
+        result = service_to_twingate_resource(
+            example_cluster_ip_gateway_service_body, namespace
         )
 
         assert result["spec"] == {
@@ -200,7 +186,10 @@ def test_kubernetes_resource_type_annotation(
             "alias": "alias.int",
             "proxy": {
                 "address": "kubernetes-gateway.custom-namespace.svc.cluster.local",
-                "certificateAuthorityCert": BASE64_OF_VALID_CA_CERT,
+                "certificateAuthorityCertSecretRef": {
+                    "name": tls_object_name,
+                    "namespace": namespace,
+                },
             },
             "protocols": {
                 "allowIcmp": False,
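Review bot: With the Secret lookup gone from the handler, `test_kubernetes_resource_type_annotation` (`@@ -173,25`) no longer states the new contract anywhere: it drops the `k8s_core_client_mock` fixture and every assertion about the Kubernetes client, so the fact that the handler must not read the Secret itself is only implied. Unless that fixture is autouse, a regression that reintroduces a synchronous `read_namespaced_secret` call is caught only by whatever the unmocked client does, not by an explicit expectation; keeping `k8s_core_client_mock` in the signature and adding `k8s_core_client_mock.read_namespaced_secret.assert_not_called()` after the call pins it. The same applies to `test_kubernetes_resource_with_load_balancer_service_type` in the following hunks. test_kubernetes_resource_type_annotation's `assert result["spec"]` dict continues past this hunk into `@@ -200,7`.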
@@ -231,19 +220,6 @@ def test_kubernetes_resource_type_annotation_without_tls_secret_annotation(
                 example_cluster_ip_gateway_service_body, "default"
             )
 
-    def test_kubernetes_resource_type_annotation_without_k8s_secret_object(
-        self, example_cluster_ip_gateway_service_body, k8s_core_client_mock
-    ):
-        k8s_core_client_mock.read_namespaced_secret.return_value = None
-
-        with pytest.raises(
-            kopf.PermanentError,
-            match=r"Kubernetes Secret object: gateway-tls is missing.",
-        ):
-            service_to_twingate_resource(
-                example_cluster_ip_gateway_service_body, "default"
-            )
-
     @pytest.mark.parametrize(
         ("status", "expected"),
         [
@@ -255,16 +231,10 @@ def test_kubernetes_resource_type_annotation_without_k8s_secret_object(
         ],
     )
     def test_kubernetes_resource_with_load_balancer_service_type(
-        self,
-        example_load_balancer_gateway_service_body,
-        k8s_core_client_mock,
-        k8s_secret_mock,
-        status,
-        expected,
+        self, example_load_balancer_gateway_service_body, status, expected
     ):
         tls_object_name = "gateway-tls"
         namespace = "default"
-        k8s_core_client_mock.read_namespaced_secret.return_value = k8s_secret_mock
 
         with patch(
             "kopf._cogs.structs.bodies.Body.status",
@@ -275,17 +245,16 @@ def test_kubernetes_resource_with_load_balancer_service_type(
                 example_load_balancer_gateway_service_body, namespace
             )
 
-        k8s_core_client_mock.read_namespaced_secret.assert_called_once_with(
-            namespace=namespace, name=tls_object_name
-        )
-
         assert result["spec"] == {
             "name": "kubernetes-gateway-resource",
             "address": "kubernetes.default.svc.cluster.local",
             "alias": "alias.int",
             "proxy": {
                 "address": expected,
-                "certificateAuthorityCert": BASE64_OF_VALID_CA_CERT,
+                "certificateAuthorityCertSecretRef": {
+                    "name": tls_object_name,
+                    "namespace": namespace,
+                },
             },
             "protocols": {
                 "allowIcmp": False,
From 34fba0561214292bd3cd6a1e1ac2eed5a1632cd1 Mon Sep 17 00:00:00 2001
From: Clement Tee
Date: Fri, 10 Oct 2025 15:32:39 +0800
Subject: [PATCH 2/3] Update variable name

---
 app/handlers/handlers_services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/handlers/handlers_services.py b/app/handlers/handlers_services.py
index e0eb774d..e921098d 100644
--- a/app/handlers/handlers_services.py
+++ b/app/handlers/handlers_services.py
@@ -101,7 +101,7 @@ def service_to_twingate_resource(service_body: Body, namespace: str) -> dict:
                 else f"{service_name}.{namespace}.svc.cluster.local"
             ),
             "certificateAuthorityCertSecretRef": {
-                "name": tls_secret_name,
+                "name": secret_name,
                 "namespace": namespace,
             },
         },
From 75ba9886bb8d04c1e58c9372a4f6b5403248a90f Mon Sep 17 00:00:00 2001
From: Clement Tee
Date: Tue, 21 Oct 2025 10:47:41 +0800
Subject: [PATCH 3/3] WIP on feat/support-ca-cert-secret-ref

---
 tests_integration/test_connector_flows.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests_integration/test_connector_flows.py b/tests_integration/test_connector_flows.py
index 2acc9e41..47961131 100644
--- a/tests_integration/test_connector_flows.py
+++ b/tests_integration/test_connector_flows.py
@@ -119,7 +119,7 @@ def test_connector_flows_image_change(run_kopf, random_name_generator):
     assert secret["data"] == {"TWINGATE_ACCESS_TOKEN": ANY, "TWINGATE_REFRESH_TOKEN": ANY}  # fmt: skip
 
     # Change image tag
-    # kubectl patch tc/test-connector-image-local -p '{"spec": {"image": {"tag": "1.78.0"}}}' --type=merge
+    # kubectl patch tc/test-connector-image-local -p '{"spec": {"image": {"tag": "1.63.0"}}}' --type=merge
     kubectl_patch(f"tc/{connector_name}", {"spec": {"image": {"tag": "1.78.0"}}})
     time.sleep(5)
     wait_for_deployment()
@@ -146,7 +146,7 @@ def test_connector_flows_deployment_gone_while_operator_down(
             name: {connector_name}
             hasStatusNotificationsEnabled: false
             image:
-              tag: "1.63.0"
+              tag: "1.77.0"
         """
 
         wait_for_deployment = functools.partial(
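Review bot: The comment above `kubectl_patch` in `test_connector_flows_image_change` (`@@ -119,7`) now names tag `1.63.0` while the call on the very next line still patches to `1.78.0`, so the comment no longer mirrors the command it documents; either revert it to `# kubectl patch tc/test-connector-image-local -p '{"spec": {"image": {"tag": "1.78.0"}}}' --type=merge` or change the `kubectl_patch` argument to match, whichever the WIP intends. The image tags in this hunk and in `@@ -146,7` are repeated string literals that appear to be meant to move together (the second hunk bumps the starting tag from `1.63.0` to `1.77.0`); lifting them into module-level constants such as `INITIAL_IMAGE_TAG` and `PATCHED_IMAGE_TAG` would keep the comment, the patch call and the YAML in step. Both enclosing test functions start outside their hunks.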