stuggi commented Oct 13, 2025

Replace hardcoded certificate placeholders with dynamic certificate injection using ConfigMaps and kustomize replacements.

Key Changes:

Certificate Management:

  • Update osp_check_route_cert.sh to fetch certificates dynamically from secrets instead of using hardcoded values
  • Add verify_route_override_certs.sh to validate OpenStackControlPlane certificate overrides match secret content
  • Add prepare_placement_certs.sh to create ConfigMap from certificate secrets for kustomize replacements

Kustomize Integration:

  • Update kustomization.yaml to use ConfigMap as a resource for replacements
  • Remove hardcoded namespace from replacement sources (fixes KUTTL test execution)
  • Generate placement-cert-data.yaml file for kustomize to reference
  • Configure replacements to inject certificate data from ConfigMap into OpenStackControlPlane spec
  • Add placement-cert-data.yaml to .gitignore (generated at runtime)
  • Remove hardcoded certificate placeholders (CERT123, KEY123, CACERT123) from assertion files

Test Flow:

  • Step 01: Deploy initial OpenStackControlPlane with TLS enabled
  • Step 02: Create custom route secrets and generate ConfigMap file
  • Step 02-assert: Verify secrets and ConfigMap exist (declarative checks)
  • Step 03: Apply kustomize patch with custom certificates
  • Step 03-assert: Verify OpenStackControlPlane is ready
  • Step 04-assert: Validate route certificates match custom certs

Benefits:

  • Tests use actual cert-manager generated certificates
  • No maintenance of hardcoded certificate values
  • Kustomize can reference ConfigMap from generated file
  • Multi-level validation (secret → route, secret → override)
  • Proper test sequencing (certificates checked after patching)
  • Reusable scripts work for any service
  • Cleaner, consolidated documentation

Jira: https://issues.redhat.com/browse/OSPRH-8984

AssistedBy: cloude-4-sonnet
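
The "secret → route" comparison from the test flow above, as an added example that is not one of the PR's scripts: it decodes a Secret's `tls.crt` value, normalises line endings, and compares it with the PEM in a Route's `spec.tls.certificate`. The function names, return codes and sample data are assumptions made for illustration; the placeholder names are the ones the PR removes.

```shell
#!/usr/bin/env bash
# Added example (not from the PR). Live inputs would come from, for example:
#   oc get secret <secret> -o jsonpath='{.data.tls\.crt}'
#   oc get route  <route>  -o jsonpath='{.spec.tls.certificate}'

# Constructed sample data; the bodies are filler, not real certificates.
SAMPLE_BODY='Q09OU1RSVUNURUQtRklMTEVSLU5PVC1BLVJFQUwtQ0VSVA=='
SAMPLE_PEM="-----BEGIN CERTIFICATE-----
${SAMPLE_BODY}
-----END CERTIFICATE-----"
OTHER_PEM="-----BEGIN CERTIFICATE-----
T1RIRVItQ09OU1RSVUNURUQtRklMTEVS
-----END CERTIFICATE-----"
# What .data["tls.crt"] would hold: the PEM, base64-encoded on one line.
SAMPLE_B64=$(printf '%s\n' "$SAMPLE_PEM" | base64 | tr -d '\n')

# Normalise a PEM string: drop CRs, trailing whitespace and blank lines,
# so CRLF or padding differences do not cause false mismatches.
normalize_pem() {
    printf '%s\n' "$1" | tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# cert_matches_secret <base64 secret value> <PEM from route>
# Returns 0 on match, 1 on mismatch, 2 on placeholder or undecodable input.
cert_matches_secret() {
    local secret_b64 route_pem secret_pem
    secret_b64=$1
    route_pem=$2
    case "$route_pem" in
        CERT123|KEY123|CACERT123) return 2 ;;  # leftover hardcoded placeholder
    esac
    secret_pem=$(printf '%s' "$secret_b64" | base64 -d 2>/dev/null) || return 2
    case "$secret_pem" in
        *"-----BEGIN CERTIFICATE-----"*) ;;
        *) return 2 ;;                         # decoded, but not a PEM cert
    esac
    [ "$(normalize_pem "$secret_pem")" = "$(normalize_pem "$route_pem")" ]
}

# Stand-alone demo on the constructed sample.
if cert_matches_secret "$SAMPLE_B64" "$SAMPLE_PEM"; then
    echo "route certificate matches secret"
fi
```

Distinguishing return code 2 from 1 lets an assert step report "test fixture was never patched" separately from "wrong certificate was applied".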

stuggi commented Oct 21, 2025

/retest

Replace hardcoded certificate placeholders with dynamic certificate
injection using ConfigMaps and kustomize replacements.

Key Changes:

Certificate Management:
- Update osp_check_route_cert.sh to fetch certificates dynamically
  from secrets instead of using hardcoded values
- Add verify_route_override_certs.sh to validate OpenStackControlPlane
  certificate overrides match secret content
- Add prepare_placement_certs.sh to create ConfigMap from certificate
  secrets for kustomize replacements

Kustomize Integration:
- Update kustomization.yaml to use ConfigMap as a resource for replacements
- Remove hardcoded namespace from replacement sources (fixes KUTTL test execution)
- Generate placement-cert-data.yaml file for kustomize to reference
- Configure replacements to inject certificate data from ConfigMap
  into OpenStackControlPlane spec
- Add placement-cert-data.yaml to .gitignore (generated at runtime)
- Remove hardcoded certificate placeholders (CERT123, KEY123, CACERT123)
  from assertion files

Test Flow:
- Step 01: Deploy initial OpenStackControlPlane with TLS enabled
- Step 02: Create custom route secrets and generate ConfigMap file
- Step 02-assert: Verify secrets and ConfigMap exist (declarative checks)
- Step 03: Apply kustomize patch with custom certificates
- Step 03-assert: Verify OpenStackControlPlane is ready
- Step 04-assert: Validate route certificates match custom certs

Benefits:
- Tests use actual cert-manager generated certificates
- No maintenance of hardcoded certificate values
- Kustomize can reference ConfigMap from generated file
- Multi-level validation (secret → route, secret → override)
- Proper test sequencing (certificates checked after patching)
- Reusable scripts work for any service
- Cleaner, consolidated documentation

Jira: https://issues.redhat.com/browse/OSPRH-8984

AssistedBy: cloude-4-sonnet
Signed-off-by: Martin Schuppert <mschuppert@redhat.com>

stuggi force-pushed the kuttl_custom_cert branch from d325807 to 97cfb4e on October 23, 2025 07:09

stuggi commented Oct 23, 2025

/retest

stuggi commented Oct 23, 2025

/retest

openshift-ci bot commented Oct 23, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 89bc9f2 into openstack-k8s-operators:main Oct 23, 2025
9 checks passed