Add VPA admission-controller certificate reload e2e test

Author: Nuckal777

vertical-pod-autoscaler/deploy/admission-controller-deployment.yaml

@@ -27,6 +27,7 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          args: ["--v=4", "--stderrthreshold=info", "--reload-cert"]
           volumeMounts:
             - name: tls-certs
               mountPath: "/etc/tls-certs"

vertical-pod-autoscaler/e2e/v1/admission_controller.go

@@ -19,6 +19,8 @@ package autoscaling
 import (
 	"context"
 	"fmt"
+	"io"
+	"strings"
 	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -852,6 +854,60 @@ var _ = AdmissionControllerE2eDescribe("Admission-controller", func() {
 		gomega.Expect(err2.Error()).To(gomega.MatchRegexp(`.*admission webhook .*vpa.* denied the request: .*`))
 	})
 
+	ginkgo.It("reloads the webhook certificate", func(ctx ginkgo.SpecContext) {
+		ginkgo.By("Retrieving alternative certificate")
+		c := f.ClientSet
+		e2eCertsSecret, err := c.CoreV1().Secrets(metav1.NamespaceSystem).Get(ctx, "vpa-e2e-certs", metav1.GetOptions{})
+		gomega.Expect(err).To(gomega.Succeed(), "Failed to get vpa-e2e-certs secret")
+		actualCertsSecret, err := c.CoreV1().Secrets(metav1.NamespaceSystem).Get(ctx, "vpa-tls-certs", metav1.GetOptions{})
+		gomega.Expect(err).To(gomega.Succeed(), "Failed to get vpa-tls-certs secret")
+		actualCertsSecret.Data["serverKey.pem"] = e2eCertsSecret.Data["e2eKey.pem"]
+		actualCertsSecret.Data["serverCert.pem"] = e2eCertsSecret.Data["e2eCert.pem"]
+		_, err = c.CoreV1().Secrets(metav1.NamespaceSystem).Update(ctx, actualCertsSecret, metav1.UpdateOptions{})
+		gomega.Expect(err).To(gomega.Succeed(), "Failed to update vpa-tls-certs secret with e2e rotation certs")
+
+		ginkgo.By("Waiting for certificate reload")
+		pods, err := c.CoreV1().Pods(metav1.NamespaceSystem).List(ctx, metav1.ListOptions{})
+		gomega.Expect(err).To(gomega.Succeed())
+
+		var admissionController apiv1.Pod
+		for _, p := range pods.Items {
+			if strings.HasPrefix(p.Name, "vpa-admission-controller") {
+				admissionController = p
+			}
+		}
+		gomega.Expect(admissionController.Name).ToNot(gomega.BeEmpty())
+
+		gomega.Eventually(func(g gomega.Gomega) string {
+			reader, err := c.CoreV1().Pods(metav1.NamespaceSystem).GetLogs(admissionController.Name, &apiv1.PodLogOptions{}).Stream(ctx)
+			g.Expect(err).To(gomega.Succeed())
+			logs, err := io.ReadAll(reader)
+			g.Expect(err).To(gomega.Succeed())
+			return string(logs)
+		}).Should(gomega.ContainSubstring("New certificate found, reloading"))
+
+		ginkgo.By("Setting up invalid VPA object")
+		// there is an invalid "requests" field.
+		invalidVPA := []byte(`{
+			"kind": "VerticalPodAutoscaler",
+			"apiVersion": "autoscaling.k8s.io/v1",
+			"metadata": {"name": "cert-vpa-invalid"},
+			"spec": {
+				"targetRef": {
+					"apiVersion": "apps/v1",
+					"kind": "Deployment",
+					"name":"hamster"
+				},
+		   	"resourcePolicy": {
+		  		"containerPolicies": [{"containerName": "*", "minAllowed":{"requests":{"cpu":"50m"}}}]
+		  	}
+		  }
+		}`)
+		err = InstallRawVPA(f, invalidVPA)
+		gomega.Expect(err).To(gomega.HaveOccurred(), "Invalid VPA object accepted")
+		gomega.Expect(err.Error()).To(gomega.MatchRegexp(`.*admission webhook .*vpa.* denied the request: .*`), "Admission controller did not inspect the object")
+	})
+
 })
 
 func startDeploymentPods(f *framework.Framework, deployment *appsv1.Deployment) *apiv1.PodList {

vertical-pod-autoscaler/hack/deploy-for-e2e.sh

@@ -68,7 +68,7 @@ gcloud auth configure-docker -q
 
 for i in ${COMPONENTS}; do
   if [ $i == admission-controller ] ; then
-    (cd ${SCRIPT_ROOT}/pkg/${i} && bash ./gencerts.sh || true)
+    (cd ${SCRIPT_ROOT}/pkg/${i} && bash ./gencerts.sh e2e || true)
   fi
   ALL_ARCHITECTURES=amd64 make --directory ${SCRIPT_ROOT}/pkg/${i} release
 done

vertical-pod-autoscaler/pkg/admission-controller/gencerts.sh

@@ -57,6 +57,14 @@ openssl x509 -req -in ${TMP_DIR}/server.csr -CA ${TMP_DIR}/caCert.pem -CAkey ${T
 echo "Uploading certs to the cluster."
 kubectl create secret --namespace=kube-system generic vpa-tls-certs --from-file=${TMP_DIR}/caKey.pem --from-file=${TMP_DIR}/caCert.pem --from-file=${TMP_DIR}/serverKey.pem --from-file=${TMP_DIR}/serverCert.pem
 
+if [ "${1:-unset}" = "e2e" ]; then
+  openssl genrsa -out ${TMP_DIR}/e2eKey.pem 2048
+  openssl req -new -key ${TMP_DIR}/e2eKey.pem -out ${TMP_DIR}/e2e.csr -subj "/CN=vpa-webhook.kube-system.svc" -config ${TMP_DIR}/server.conf
+  openssl x509 -req -in ${TMP_DIR}/e2e.csr -CA ${TMP_DIR}/caCert.pem -CAkey ${TMP_DIR}/caKey.pem -CAcreateserial -out ${TMP_DIR}/e2eCert.pem -days 100000 -extensions SAN -extensions v3_req -extfile ${TMP_DIR}/server.conf
+  echo "Uploading rotation e2e test certs to the cluster."
+  kubectl create secret --namespace=kube-system generic vpa-e2e-certs --from-file=${TMP_DIR}/e2eKey.pem --from-file=${TMP_DIR}/e2eCert.pem
+fi
+
 # Clean up after we're done.
 echo "Deleting ${TMP_DIR}."
 rm -rf ${TMP_DIR}

vertical-pod-autoscaler/pkg/admission-controller/rmcerts.sh

@@ -21,3 +21,4 @@ set -e
 
 echo "Deleting VPA Admission Controller certs."
 kubectl delete secret --namespace=kube-system vpa-tls-certs
+kubectl delete secret --namespace=kube-system --ignore-not-found=true vpa-e2e-certs