talos/internal/app/machined/pkg/controllers/secrets/root_test.go

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

package secrets_test

import (
	"testing"
	"time"

	"github.com/cosi-project/runtime/pkg/resource"
	"github.com/cosi-project/runtime/pkg/resource/rtestutils"
	"github.com/siderolabs/crypto/x509"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/suite"

	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
	secretsctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/secrets"
	talosconfig "github.com/siderolabs/talos/pkg/machinery/config"
	"github.com/siderolabs/talos/pkg/machinery/config/generate"
	"github.com/siderolabs/talos/pkg/machinery/config/machine"
	"github.com/siderolabs/talos/pkg/machinery/resources/config"
	"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
)

func TestRootSuite(t *testing.T) {
	t.Parallel()

	suite.Run(t, &RootSuite{
		DefaultSuite: ctest.DefaultSuite{
			Timeout: 10 * time.Second,
			AfterSetup: func(suite *ctest.DefaultSuite) {
				suite.Require().NoError(suite.Runtime().RegisterController(secretsctrl.NewRootEtcdController()))
				suite.Require().NoError(suite.Runtime().RegisterController(secretsctrl.NewRootKubernetesController()))
				suite.Require().NoError(suite.Runtime().RegisterController(secretsctrl.NewRootOSController()))
			},
		},
	})
}

type RootSuite struct {
	ctest.DefaultSuite
}

func (suite *RootSuite) genConfig(controlplane bool) talosconfig.Config {
	input, err := generate.NewInput("test-cluster", "http://localhost:6443", "")
	suite.Require().NoError(err)

	var cfg talosconfig.Provider

	if controlplane {
		cfg, err = input.Config(machine.TypeControlPlane)
	} else {
		cfg, err = input.Config(machine.TypeWorker)
	}

	suite.Require().NoError(err)

	machineCfg := config.NewMachineConfig(cfg)
	suite.Require().NoError(suite.State().Create(suite.Ctx(), machineCfg))

	return cfg
}

func (suite *RootSuite) TestReconcileControlPlane() {
	cfg := suite.genConfig(true)

	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{secrets.EtcdRootID},
		func(res *secrets.EtcdRoot, asrt *assert.Assertions) {
			asrt.Equal(res.TypedSpec().EtcdCA, cfg.Cluster().Etcd().CA())
		},
	)
	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{secrets.KubernetesRootID},
		func(res *secrets.KubernetesRoot, asrt *assert.Assertions) {
			asrt.Equal(res.TypedSpec().IssuingCA, cfg.Cluster().IssuingCA())
			asrt.Equal(
				[]*x509.PEMEncodedCertificate{
					{
						Crt: cfg.Cluster().IssuingCA().Crt,
					},
				},
				res.TypedSpec().AcceptedCAs,
			)
		},
	)

	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{secrets.OSRootID},
		func(res *secrets.OSRoot, asrt *assert.Assertions) {
			asrt.Equal(res.TypedSpec().IssuingCA, cfg.Machine().Security().IssuingCA())
			asrt.Equal(
				[]*x509.PEMEncodedCertificate{
					{
						Crt: cfg.Machine().Security().IssuingCA().Crt,
					},
				},
				res.TypedSpec().AcceptedCAs,
			)
		},
	)
}

func (suite *RootSuite) TestReconcileWorker() {
	cfg := suite.genConfig(false)

	rtestutils.AssertResources(suite.Ctx(), suite.T(), suite.State(), []resource.ID{secrets.OSRootID},
		func(res *secrets.OSRoot, asrt *assert.Assertions) {
			asrt.Nil(res.TypedSpec().IssuingCA)
			asrt.Equal(
				[]*x509.PEMEncodedCertificate{
					{
						Crt: cfg.Machine().Security().IssuingCA().Crt,
					},
				},
				res.TypedSpec().AcceptedCAs,
			)
		},
	)

	rtestutils.AssertNoResource[*secrets.Etcd](suite.Ctx(), suite.T(), suite.State(), secrets.EtcdRootID)
	rtestutils.AssertNoResource[*secrets.Kubernetes](suite.Ctx(), suite.T(), suite.State(), secrets.KubernetesRootID)
}