
Commit f4047f6

AlinsRanCopilot
andcommitted
fix(e2e): fix UPDATE path webhook tests
- Add expectUpdateDenied helper: UPDATE denials leave the resource intact so the resource-not-found check in expectAdmissionDenied is wrong for update scenarios - Use expectUpdateDenied in all four UPDATE It blocks - Redesign ApisixTls UPDATE test: change the secret reference in the spec instead of swapping secret content; spec must actually change to trigger the UPDATE admission webhook Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 4c1ec6b commit f4047f6

5 files changed

Lines changed: 49 additions & 40 deletions


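--- a/test/e2e/webhook/apisixconsumer.go
+++ b/test/e2e/webhook/apisixconsumer.go
@@ -198,7 +198,7 @@ spec:
 
 By("updating ApisixConsumer with invalid jwt-auth algorithm")
 err = s.CreateResourceFromString(invalidConsumer)
-expectAdmissionDenied(s, "apisixconsumer", consumerName, err)
+expectUpdateDenied(err)
 
 By("updating ApisixConsumer with corrected config")
 err = s.CreateResourceFromString(validConsumer)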

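--- a/test/e2e/webhook/apisixroute.go
+++ b/test/e2e/webhook/apisixroute.go
@@ -259,7 +259,7 @@ spec:
 
 By("updating ApisixRoute with invalid plugin config")
 err = s.CreateResourceFromString(invalidRouteYAML)
-expectAdmissionDenied(s, "apisixroute", routeName, err)
+expectUpdateDenied(err)
 
 By("updating ApisixRoute with corrected config")
 err = s.CreateResourceFromString(validRouteYAML)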

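--- a/test/e2e/webhook/apisixtls.go
+++ b/test/e2e/webhook/apisixtls.go
@@ -155,16 +155,32 @@ spec:
 Skip("ADC validation requires apisix-standalone backend")
 }
 
-serverSecret := "update-server-tls"
+validSecret := "update-valid-tls"
+invalidSecret := "update-invalid-tls"
 tlsName := "webhook-apisixtls-update"
 host := "update-webhook.example.com"
 
 By("creating a valid TLS secret")
 serverCert, serverKey := s.GenerateCert(GinkgoT(), []string{host})
-err := s.NewKubeTlsSecret(serverSecret, serverCert.String(), serverKey.String())
-Expect(err).NotTo(HaveOccurred(), "creating initial valid server TLS secret")
+err := s.NewKubeTlsSecret(validSecret, serverCert.String(), serverKey.String())
+Expect(err).NotTo(HaveOccurred(), "creating valid server TLS secret")
 
-tlsYAML := fmt.Sprintf(`
+By("creating an invalid TLS secret with bad certificate material")
+invalidSecretYAML := fmt.Sprintf(`
+apiVersion: v1
+kind: Secret
+metadata:
+name: %s
+namespace: %s
+type: kubernetes.io/tls
+stringData:
+tls.crt: not-a-cert
+tls.key: not-a-key
+`, invalidSecret, s.Namespace())
+err = s.CreateResourceFromString(invalidSecretYAML)
+Expect(err).NotTo(HaveOccurred(), "creating invalid server TLS secret")
+
+validTLSYAML := fmt.Sprintf(`
 apiVersion: apisix.apache.org/v2
 kind: ApisixTls
 metadata:
@@ -177,48 +193,33 @@ spec:
 secret:
 name: %s
 namespace: %s
-`, tlsName, s.Namespace(), s.Namespace(), host, serverSecret, s.Namespace())
+`, tlsName, s.Namespace(), s.Namespace(), host, validSecret, s.Namespace())
 
 By("creating valid ApisixTls")
-err = s.CreateResourceFromString(tlsYAML)
+err = s.CreateResourceFromString(validTLSYAML)
 Expect(err).NotTo(HaveOccurred(), "creating initial valid ApisixTls")
 
-By("replacing secret with invalid certificate data")
-err = s.DeleteResource("Secret", serverSecret)
-Expect(err).NotTo(HaveOccurred(), "deleting valid server TLS secret")
-invalidSecretYAML := fmt.Sprintf(`
-apiVersion: v1
-kind: Secret
+invalidTLSYAML := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2
+kind: ApisixTls
 metadata:
 name: %s
 namespace: %s
-type: kubernetes.io/tls
-stringData:
-tls.crt: not-a-cert
-tls.key: not-a-key
-`, serverSecret, s.Namespace())
-err = s.CreateResourceFromString(invalidSecretYAML)
-Expect(err).NotTo(HaveOccurred(), "creating invalid server TLS secret")
-
-// Wait for the webhook cache to reflect the replaced Secret.
-time.Sleep(2 * time.Second)
-
-By("updating ApisixTls with secret now containing invalid certificate data")
-err = s.CreateResourceFromString(tlsYAML)
-expectAdmissionDenied(s, "apisixtls", tlsName, err)
-
-By("replacing secret back with valid certificate data")
-err = s.DeleteResource("Secret", serverSecret)
-Expect(err).NotTo(HaveOccurred(), "deleting invalid server TLS secret")
-serverCert, serverKey = s.GenerateCert(GinkgoT(), []string{host})
-err = s.NewKubeTlsSecret(serverSecret, serverCert.String(), serverKey.String())
-Expect(err).NotTo(HaveOccurred(), "recreating valid server TLS secret")
+spec:
+ingressClassName: %s
+hosts:
+- %s
+secret:
+name: %s
+namespace: %s
+`, tlsName, s.Namespace(), s.Namespace(), host, invalidSecret, s.Namespace())
 
-// Wait for the webhook cache to reflect the restored Secret.
-time.Sleep(2 * time.Second)
+By("updating ApisixTls to reference the invalid certificate secret")
+err = s.CreateResourceFromString(invalidTLSYAML)
+expectUpdateDenied(err)
 
-By("updating ApisixTls with valid certificate data")
-err = s.CreateResourceFromString(tlsYAML)
+By("updating ApisixTls back to the valid certificate secret")
+err = s.CreateResourceFromString(validTLSYAML)
 Expect(err).NotTo(HaveOccurred(), "updating ApisixTls with valid certificate")
 })
 })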
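Review bot: The denied-update step (`err = s.CreateResourceFromString(invalidTLSYAML)` followed by `expectUpdateDenied(err)`) cannot tell a rejection caused by the bad certificate material from a rejection for any other reason, and the two-second waits the old code kept for the webhook's Secret cache are gone. `invalidSecret` is created only a few statements earlier, so if the webhook resolves Secrets through a cache (the removed comment suggests it does) the outcome may depend on timing: a lookup miss could be denied for the wrong reason, or admitted. Asserting on the certificate-specific part of the denial message at this call would make the wrong-reason case fail visibly. Separately, the last step re-applies `validTLSYAML`, which equals the stored spec if the denial held; by the commit message's own reasoning that apply may never reach the UPDATE webhook, so the accepted-update path is probably not exercised, and a manifest that differs from the stored one (for example one pointing at a second valid secret) would cover it. The enclosing It block starts outside these hunks.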

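--- a/test/e2e/webhook/consumer.go
+++ b/test/e2e/webhook/consumer.go
@@ -205,7 +205,7 @@ spec:
 
 By("updating Consumer with an invalid jwt-auth algorithm")
 err = s.CreateResourceFromString(invalidConsumer)
-expectAdmissionDenied(s, "consumer", consumerName, err)
+expectUpdateDenied(err)
 
 correctedConsumer := fmt.Sprintf(`
 apiVersion: apisix.apache.org/v1alpha1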

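--- a/test/e2e/webhook/helpers.go
+++ b/test/e2e/webhook/helpers.go
@@ -244,3 +244,11 @@ func expectAdmissionDenied(s *scaffold.Scaffold, resourceType, resourceName stri
 Expect(getErr).To(HaveOccurred(), fmt.Sprintf("resource %s/%s should not exist after admission rejection", resourceType, resourceName))
 Expect(getErr.Error()).To(ContainSubstring("not found"), fmt.Sprintf("expected NotFound error for %s/%s", resourceType, resourceName))
 }
+
+// expectUpdateDenied verifies that an UPDATE admission was rejected. Unlike
+// expectAdmissionDenied it does not check resource non-existence, because the
+// resource remains in its previous valid state after a denied update.
+func expectUpdateDenied(err error) {
+Expect(err).To(HaveOccurred(), "expecting update to be rejected by admission webhook")
+Expect(err.Error()).To(ContainSubstring("denied the request"))
+}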
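Review bot: `expectUpdateDenied` matches only the generic text `denied the request`, so a rejection for any reason satisfies every UPDATE test that calls it (apisixconsumer.go, apisixroute.go, apisixtls.go, consumer.go), and its second `Expect` carries no failure description. The doc comment states that the resource stays in its previous valid state, but nothing checks that; judging by its `getErr` assertions the older helper did read the object back, and for a policy-enforcement test it is worth confirming that the stored spec was not changed by the rejected request. A small first step is `Expect(err.Error()).To(ContainSubstring("denied the request"), "expected an admission webhook denial, got: %v", err)`; a fuller one is an optional expected-reason argument together with a read-back of the object in the callers. Only the tail of expectAdmissionDenied is visible in this hunk.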
