From 33878a8ffcc64c383a6379c61aa48b08b75ac8e3 Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Thu, 20 Jul 2023 21:04:44 -0700 Subject: [PATCH] Use new virtual time for TestController_RotateCertificates (#5285) Use a virtual time in the future. This is because certutil.NewSelfSignedCACert uses real wall-clock time to generate the root certificate, and there is a possibility that the NotBefore field for the CA certificate is after the "now" virtual time. This can in turn cause certificate validation to fail and the unit test to fail. Signed-off-by: Antonin Bas --- .../ipsec_certificate_controller_test.go | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/pkg/agent/controller/ipseccertificate/ipsec_certificate_controller_test.go b/pkg/agent/controller/ipseccertificate/ipsec_certificate_controller_test.go index 0bfb948c3cb..c837799edb7 100644 --- a/pkg/agent/controller/ipseccertificate/ipsec_certificate_controller_test.go +++ b/pkg/agent/controller/ipseccertificate/ipsec_certificate_controller_test.go @@ -272,7 +272,10 @@ func TestController_RotateCertificates(t *testing.T) { // It is important to truncate to the second, because the accuracy of notAfter in the // certificate is at the second level. If we don't, the certificate may actually be rotated // before 7s. - now := time.Now().Truncate(time.Second) + // We use a time in the future (1 hour), because newFakeController will create self-signed + // root certificates using the wall-clock time. We want to make sure that the root + // certificates are valid for this virtual time. + now := time.Now().Add(1 * time.Hour).Truncate(time.Second) fakeClock := testingclock.NewFakeClock(now) fakeController := newFakeController(t, fakeClock) defer fakeController.mockController.Finish() @@ -314,12 +317,17 @@ func TestController_RotateCertificates(t *testing.T) { fakeClock.SetTime(now.Add(time.Millisecond * 6999)) select { case <-signCh: - t.Error("CSR should not be signed before the rotation deadline") + t.Fatal("CSR should not be signed before the rotation deadline") case <-time.After(2 * time.Second): } fakeClock.SetTime(now.Add(time.Second * 9)) // wait for the signer to finish signing two CSRs. - <-signCh + select { + case <-signCh: + break + case <-time.After(5 * time.Second): + t.Fatal("Timeout while waiting for second CSR to be signed") + } list, err := fakeController.kubeClient.CertificatesV1().CertificateSigningRequests().List(context.TODO(), metav1.ListOptions{}) assert.NoError(t, err) assert.Len(t, list.Items, 2)