From eb75bdf4b05cfb5dd44e126ed52756ef7f8a0f69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Nussbaumer?=
Date: Tue, 21 May 2024 07:24:49 +0200
Subject: [PATCH] test: add testcase covering issue #253
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/postfinance/kubelet-csr-approver/issues/253

Signed-off-by: Clément Nussbaumer
---
 internal/controller/csr_controller_test.go | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/internal/controller/csr_controller_test.go b/internal/controller/csr_controller_test.go
index d3e6597..1b577ee 100644
--- a/internal/controller/csr_controller_test.go
+++ b/internal/controller/csr_controller_test.go
@@ -235,6 +235,30 @@ func TestSANCheckedEvenWithDNSResolutionBypassed(t *testing.T) {
 assert.False(t, denied)
 }
 
+func TestX509CRIPAddressesWithDNSBypass(t *testing.T) { // reproduces issue #253
+ csrParams := CsrParams{
+ csrName: "dns-bypass-regex-check-with-x509-cr-san-ips",
+ nodeName: testNodeName,
+ dnsName: testNodeName + "-unresolved.test.ch",
+ ipAddresses: []net.IP{{1, 2, 3, 4}},
+ }
+ csr := createCsr(t, csrParams)
+ _, nodeClientSet, _ := createControlPlaneUser(t, csr.Spec.Username, []string{"system:masters"})
+
+ csrController.BypassDNSResolution = true
+ defer func() { csrController.BypassDNSResolution = false }()
+
+ _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(
+ testContext, &csr, metav1.CreateOptions{})
+ require.Nil(t, err, "Could not create the CSR.")
+
+ approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+ t.Log(reason)
+ require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
+ assert.True(t, approved)
+ assert.False(t, denied)
+}
+
 func TestBypassDNSResolution(t *testing.T) {
 csrParams := CsrParams{
 csrName: "dns-bypass",
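Review bot: TestX509CRIPAddressesWithDNSBypass only pins the approval path: it expects a CSR carrying the IP SAN 1.2.3.4 and an unresolvable DNS name to be approved while `BypassDNSResolution` is on, and nothing visible in the test ties that address to the node. Since the bypass removes the DNS cross-check on IP SANs, the test should state which validation still applies to the address, for example with a comment above the function such as `// With BypassDNSResolution set, IP SANs cannot be compared with resolved addresses; the CSR must still be approved (issue #253).` A companion case asserting that an IP SAN the controller should reject is still denied under bypass would keep this from being read as "any IP is accepted"; the hunk does not show whether one exists elsewhere in the file. Separately, the deferred reset hard-codes `false` on the shared `csrController`; saving the prior value with `prev := csrController.BypassDNSResolution` and restoring it via `t.Cleanup(func() { csrController.BypassDNSResolution = prev })` avoids clobbering a different default.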