Third round of comments

Author: MadalinaPatrichi

pkg/oci/load_balancer.go

@@ -203,14 +203,14 @@ func (cp *CloudProvider) readSSLSecret(ns, name string) (*certificateData, error
 	}
 	var ok bool
 	var cacert, cert, key, pass []byte
-	cacert, _ = secret.Data[SSLCAFileName]
+	cacert = secret.Data[SSLCAFileName]
 	if cert, ok = secret.Data[SSLCertificateFileName]; !ok {
 		return nil, errors.Errorf("%s not found in secret %s/%s", SSLCertificateFileName, ns, name)
 	}
 	if key, ok = secret.Data[SSLPrivateKeyFileName]; !ok {
 		return nil, errors.Errorf("%s not found in secret %s/%s", SSLPrivateKeyFileName, ns, name)
 	}
-	pass, _ = secret.Data[SSLPassphrase]
+	pass = secret.Data[SSLPassphrase]
 	return &certificateData{CACert: cacert, PublicCert: cert, PrivateKey: key, Passphrase: pass}, nil
 }
 
@@ -323,8 +323,8 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 		if err != nil {
 			return nil, err
 		}
-		secretListenerString, _ := service.Annotations[ServiceAnnotationLoadBalancerTLSSecret]
-		secretBackendSetString, _ := service.Annotations[ServiceAnnotationLoadBalancerBackendSetSecret]
+		secretListenerString := service.Annotations[ServiceAnnotationLoadBalancerTLSSecret]
+		secretBackendSetString := service.Annotations[ServiceAnnotationLoadBalancerBackendSetSecret]
 		sslConfig = NewSSLConfig(secretListenerString, secretBackendSetString, ports, cp)
 	}
 	subnets := []string{cp.config.LoadBalancer.Subnet1, cp.config.LoadBalancer.Subnet2}

pkg/oci/load_balancer_spec.go

@@ -178,9 +178,6 @@ func (s *LBSpec) Certificates() (map[string]loadbalancer.CertificateDetails, err
 	if err != nil {
 		return nil, errors.Wrap(err, "reading SSL Listener Secret")
 	}
-	if len(sslSecret.PublicCert) == 0 || len(sslSecret.PrivateKey) == 0 {
-		return certs, nil
-	}
 
 	certs[s.SSLConfig.ListenerSSLSecretName] = loadbalancer.CertificateDetails{
 		CertificateName:   &s.SSLConfig.ListenerSSLSecretName,
@@ -192,9 +189,6 @@ func (s *LBSpec) Certificates() (map[string]loadbalancer.CertificateDetails, err
 	if err != nil {
 		return nil, errors.Wrap(err, "reading SSL BackendSet Secret")
 	}
-	if len(sslSecret.PublicCert) == 0 || len(sslSecret.PrivateKey) == 0 {
-		return certs, nil
-	}
 
 	certs[s.SSLConfig.BackendSetSSLSecretName] = loadbalancer.CertificateDetails{
 		CertificateName:   &s.SSLConfig.BackendSetSSLSecretName,
@@ -280,20 +274,11 @@ func getBackendSets(svc *v1.Service, nodes []*v1.Node, sslCfg *SSLConfig) map[st
 		if sslCfg != nil {
 			secretName = sslCfg.BackendSetSSLSecretName
 		}
-		sslConfig := getSSLConfiguration(sslCfg, secretName, port)
-		if sslConfig != nil {
-			backendSets[name] = loadbalancer.BackendSetDetails{
-				Policy:           common.String(DefaultLoadBalancerPolicy),
-				Backends:         getBackends(nodes, servicePort.NodePort),
-				HealthChecker:    getHealthChecker(sslCfg, port, svc),
-				SslConfiguration: sslConfig,
-			}
-		} else {
-			backendSets[name] = loadbalancer.BackendSetDetails{
-				Policy:        common.String(DefaultLoadBalancerPolicy),
-				Backends:      getBackends(nodes, servicePort.NodePort),
-				HealthChecker: getHealthChecker(sslCfg, port, svc),
-			}
+		backendSets[name] = loadbalancer.BackendSetDetails{
+			Policy:           common.String(DefaultLoadBalancerPolicy),
+			Backends:         getBackends(nodes, servicePort.NodePort),
+			HealthChecker:    getHealthChecker(sslCfg, port, svc),
+			SslConfiguration: getSSLConfiguration(sslCfg, secretName, port),
 		}
 	}
 	return backendSets

test/e2e/framework/networking_util.go

@@ -104,8 +104,7 @@ func TestReachableHTTPWithContentTimeout(secure bool, ip string, port int, reque
 func TestReachableHTTPWithContentTimeoutWithRetriableErrorCodes(secure bool, ip string, port int, request string, expect string, content *bytes.Buffer, retriableErrCodes []int, timeout time.Duration) (bool, error) {
 
 	ipPort := net.JoinHostPort(ip, strconv.Itoa(port))
-	var url string
-	url = fmt.Sprintf("http://%s%s", ipPort, request)
+	url := fmt.Sprintf("http://%s%s", ipPort, request)
 	if secure {
 		url = fmt.Sprintf("https://%s%s", ipPort, request)
 	}

test/e2e/load_balancer.go

@@ -311,7 +311,6 @@ var _ = Describe("End to end TLS", func() {
 		ns := f.Namespace.Name
 
 		jig := framework.NewServiceTestJig(f.ClientSet, serviceName)
-		//nodeIP := framework.PickNodeIP(jig.Client) // for later
 
 		sslSecretName := "ssl-certificate-secret"
 		_, err := f.ClientSet.CoreV1().Secrets(ns).Create(&v1.Secret{
@@ -327,7 +326,6 @@ var _ = Describe("End to end TLS", func() {
 			},
 		})
 		framework.ExpectNoError(err)
-		//loadBalancerLagTimeout := framework.LoadBalancerLagTimeoutDefault
 		loadBalancerCreateTimeout := framework.LoadBalancerCreateTimeoutDefault
 		if nodes := framework.GetReadySchedulableNodesOrDie(f.ClientSet); len(nodes.Items) > framework.LargeClusterMinNodesNumber {
 			loadBalancerCreateTimeout = framework.LoadBalancerCreateTimeoutLarge
@@ -370,11 +368,87 @@ var _ = Describe("End to end TLS", func() {
 		tcpIngressIP := framework.GetIngressPoint(&tcpService.Status.LoadBalancer.Ingress[0])
 		framework.Logf("TCP load balancer: %s", tcpIngressIP)
 
-		// By("hitting the TCP service's NodePort")
-		// jig.TestReachableHTTP(true, nodeIP, tcpNodePort, framework.KubeProxyLagTimeout)
+		By("changing TCP service back to type=ClusterIP")
+		tcpService = jig.UpdateServiceOrFail(ns, tcpService.Name, func(s *v1.Service) {
+			s.Spec.Type = v1.ServiceTypeClusterIP
+			s.Spec.Ports[0].NodePort = 0
+			s.Spec.Ports[1].NodePort = 0
+		})
+
+		// Wait for the load balancer to be destroyed asynchronously
+		tcpService = jig.WaitForLoadBalancerDestroyOrFail(ns, tcpService.Name, tcpIngressIP, svcPort, loadBalancerCreateTimeout)
+		jig.SanityCheckService(tcpService, v1.ServiceTypeClusterIP)
+
+		err = f.ClientSet.CoreV1().Secrets(ns).Delete(sslSecretName, nil)
+		framework.ExpectNoError(err)
+	})
+})
+
+var _ = Describe("End to end TLS", func() {
+	f := framework.NewDefaultFramework("service")
+
+	It("should be possible to create and mutate a Service type:LoadBalancer [Canary]", func() {
+		serviceName := "e2e-tls-lb-test"
+		ns := f.Namespace.Name
 
-		// By("hitting the TCP service's LoadBalancer")
-		// jig.TestReachableHTTP(true, tcpIngressIP, svcPort, loadBalancerLagTimeout)
+		jig := framework.NewServiceTestJig(f.ClientSet, serviceName)
+		//nodeIP := framework.PickNodeIP(jig.Client) // for later
+
+		sslSecretName := "ssl-certificate-secret"
+		_, err := f.ClientSet.CoreV1().Secrets(ns).Create(&v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      sslSecretName,
+			},
+			Data: map[string][]byte{
+				cloudprovider.SSLCAFileName:          []byte(framework.SSLCAData),
+				cloudprovider.SSLCertificateFileName: []byte(framework.SSLCertificateData),
+				cloudprovider.SSLPrivateKeyFileName:  []byte(framework.SSLPrivateData),
+				cloudprovider.SSLPassphrase:          []byte(framework.SSLPassphrase),
+			},
+		})
+		framework.ExpectNoError(err)
+		//loadBalancerLagTimeout := framework.LoadBalancerLagTimeoutDefault
+		loadBalancerCreateTimeout := framework.LoadBalancerCreateTimeoutDefault
+		if nodes := framework.GetReadySchedulableNodesOrDie(f.ClientSet); len(nodes.Items) > framework.LargeClusterMinNodesNumber {
+			loadBalancerCreateTimeout = framework.LoadBalancerCreateTimeoutLarge
+		}
+
+		// TODO(apryde): Test that LoadBalancers can receive static IP addresses
+		// (in a provider agnostic manner?). OCI does not currently
+		// support this.
+		requestedIP := ""
+
+		tcpService := jig.CreateTCPServiceOrFail(ns, func(s *v1.Service) {
+			s.Spec.Type = v1.ServiceTypeLoadBalancer
+			s.Spec.LoadBalancerIP = requestedIP
+			s.Spec.Ports = []v1.ServicePort{v1.ServicePort{Name: "http", Port: 80, TargetPort: intstr.FromInt(80)},
+				v1.ServicePort{Name: "https", Port: 443, TargetPort: intstr.FromInt(80)}}
+			s.ObjectMeta.Annotations = map[string]string{cloudprovider.ServiceAnnotationLoadBalancerSSLPorts: "443",
+				cloudprovider.ServiceAnnotationLoadBalancerBackendSetSecret: sslSecretName}
+
+		})
+
+		svcPort := int(tcpService.Spec.Ports[0].Port)
+
+		By("creating a pod to be part of the TCP service " + serviceName)
+		jig.RunOrFail(ns, nil)
+
+		// TODO(apryde): Test UDP service. OCI does not currently support this.
+
+		By("waiting for the TCP service to have a load balancer")
+		// Wait for the load balancer to be created asynchronously
+		tcpService = jig.WaitForLoadBalancerOrFail(ns, tcpService.Name, loadBalancerCreateTimeout)
+		jig.SanityCheckService(tcpService, v1.ServiceTypeLoadBalancer)
+
+		tcpNodePort := int(tcpService.Spec.Ports[0].NodePort)
+		framework.Logf("TCP node port: %d", tcpNodePort)
+
+		if requestedIP != "" && framework.GetIngressPoint(&tcpService.Status.LoadBalancer.Ingress[0]) != requestedIP {
+			framework.Failf("unexpected TCP Status.LoadBalancer.Ingress (expected %s, got %s)", requestedIP, framework.GetIngressPoint(&tcpService.Status.LoadBalancer.Ingress[0]))
+		}
+		tcpIngressIP := framework.GetIngressPoint(&tcpService.Status.LoadBalancer.Ingress[0])
+		framework.Logf("TCP load balancer: %s", tcpIngressIP)
 
 		By("changing TCP service back to type=ClusterIP")
 		tcpService = jig.UpdateServiceOrFail(ns, tcpService.Name, func(s *v1.Service) {
@@ -387,11 +461,6 @@ var _ = Describe("End to end TLS", func() {
 		tcpService = jig.WaitForLoadBalancerDestroyOrFail(ns, tcpService.Name, tcpIngressIP, svcPort, loadBalancerCreateTimeout)
 		jig.SanityCheckService(tcpService, v1.ServiceTypeClusterIP)
 
-		// By("checking the TCP NodePort is closed")
-		// jig.TestNotReachableHTTP(nodeIP, tcpNodePort, framework.KubeProxyLagTimeout)
-
-		// By("checking the TCP LoadBalancer is closed")
-		// jig.TestNotReachableHTTP(tcpIngressIP, svcPort, loadBalancerLagTimeout)
 		err = f.ClientSet.CoreV1().Secrets(ns).Delete(sslSecretName, nil)
 		framework.ExpectNoError(err)
 	})