From 69c60424b5bda4d4c89742d019578d1ad79b4a22 Mon Sep 17 00:00:00 2001 From: Raymond Kroeker Date: Thu, 16 Apr 2026 15:13:34 -0700 Subject: [PATCH 1/5] fix(install) for #15025 The install process did not apply the '--set' command line options onto internal values state before attempting to initialize the issuer credentials. * The change applies the overrides to the values before initialize. * Add test code to cover initializeIssuerCredentials. * Track unit test run history in 'go-test.json' in the root directory when running in the justfile. * Ignore 'go-test.json.' * Add testify assertions as a go module. --- .gitignore | 1 + cli/cmd/install.go | 12 +++ cli/cmd/install_test.go | 215 ++++++++++++++++++++++++++++++++++++++++ go.mod | 1 + justfile | 2 +- 5 files changed, 230 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 31b2b6d218508..ed1354fa1b347 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,7 @@ web/app/yarn-error.log vendor **/*.swp **/charts/**/charts +go-test.json package-lock.json .vscode **/coverage* diff --git a/cli/cmd/install.go b/cli/cmd/install.go index e66d02a91f55f..00ecdc27239ed 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -303,6 +303,18 @@ func installControlPlane(ctx context.Context, k8sAPI *k8s.KubernetesAPI, w io.Wr } } + // in order to correctly initialize the issuer credentials the overrides + // (from above) need to be set/applied to the values themselves + // specifically identity issuer scheme, and trust values + data, err := yaml.Marshal(valuesOverrides) + if err != nil { + return err + } + err = yaml.Unmarshal(data, values) + if err != nil { + return err + } + err = initializeIssuerCredentials(ctx, k8sAPI, values) if err != nil { return err diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 1aa1d57c2f647..0099c98785ea5 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go 
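Review bot: Both new error paths in installControlPlane use a bare `return err`, so a failure while copying the overrides onto `values` reaches the user as a raw decoding error with no hint that it came from the `--set` handling. This step decodes the override map into the typed values struct, so an override whose type does not match the target field would presumably fail here rather than at render time; confirm that against how `valuesOverrides` is built above the hunk. I would wrap both returns, e.g. `return fmt.Errorf("applying value overrides before issuer credential initialization: %w", err)`, assuming `fmt` is already imported in this file. `values` is the caller's pointer and is now mutated in place with the issuer scheme and trust settings from the overrides, which deserves a line in the function's doc comment. The function body starts and ends outside the hunk.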
@@ -6,16 +6,20 @@ import ( "fmt" "io" "os" + "path" "path/filepath" "strings" "testing" + "github.com/go-openapi/testify/v2/assert" "github.com/linkerd/linkerd2/cli/flag" charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" "github.com/linkerd/linkerd2/pkg/k8s" "github.com/linkerd/linkerd2/pkg/tls" "helm.sh/helm/v3/pkg/cli/values" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) const ( 
@@ -314,6 +318,213 @@ func TestRender(t *testing.T) { } } +// TestOverrideIssuer calls install control plane with the goal of testing +// options overrides for initialize issuer credentials. +func TestOverrideIssuer(t *testing.T) { + removeIssuerCrt := func() (*charts.Values, error) { + t.Helper() + values, err := testInstallOptionsFakeCerts() + if err != nil { + return nil, err + } + values.Identity.Issuer.TLS.CrtPEM = "" + return values, nil + } + removeIssuerKey := func() (*charts.Values, error) { + t.Helper() + values, err := testInstallOptionsFakeCerts() + if err != nil { + return nil, err + } + values.Identity.Issuer.TLS.KeyPEM = "" + return values, nil + } + removeTrustAnchor := func() (*charts.Values, error) { + t.Helper() + values, err := testInstallOptionsFakeCerts() + if err != nil { + return nil, err + } + values.IdentityTrustAnchorsPEM = "" + return values, nil + } + assert := assert.New(t) + read := func(filename string) []byte { + t.Helper() + data, err := os.ReadFile(path.Join("testdata", filename)) + if assert.NoError(err, "cannot read-file filename=%s", filename) { + return data + } + return nil + } + // newK8S returns a test implementation of the k8s API; after setting the + // issuer trust anchor and tls crt+key as a secret. 
+ newK8S := func(opts values.Options) *k8s.KubernetesAPI { + t.Helper() + buf := &bytes.Buffer{} + err := renderCRDs(context.Background(), nil, buf, opts, "yaml") + assert.NoError(err, "cannot render-crds for new-k8s-api opts=%+v", opts) + api, err := k8s.NewFakeAPIFromManifests([]io.Reader{buf}) + if assert.NoError(err, "cannot create k8s api from manifests") { + _, err = api.CoreV1().Secrets(controlPlaneNamespace).Create(context.Background(), + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: k8s.IdentityIssuerSecretName, + Namespace: controlPlaneNamespace, + }, + Data: map[string][]byte{ + k8s.IdentityIssuerTrustAnchorsNameExternal: read("valid-trust-anchors.pem"), + corev1.TLSCertKey: read("valid-crt.pem"), + corev1.TLSPrivateKeyKey: read("valid-key.pem"), + }}, v1.CreateOptions{}) + if assert.NoError(err, "cannot create secrets for new-k8s-api") { + return api + } + } + return nil + } + controlPlaneNamespace = defaultLinkerdNamespace + for i, test := range []struct { + options values.Options + values func() (*charts.Values, error) + k8sAPI *k8s.KubernetesAPI + expErr string + expIdentityTrustAnchor bool + expIssuerCrt bool + expIssuerKey bool + expIssuerName string + }{ + { + // no options; no certs in values -> generated anchor; key + crt + options: values.Options{}, + values: testInstallValuesNoCertsNoHA, + k8sAPI: nil, + expIdentityTrustAnchor: true, + expIssuerKey: true, + expIssuerCrt: true, + expIssuerName: fmt.Sprintf("identity.%s.%s", + controlPlaneNamespace, "test-override-issuer"), + }, + { + // no options; fake certs in values -> fake certs untouched + options: values.Options{}, + values: testInstallOptionsFakeCerts, + k8sAPI: nil, + expIdentityTrustAnchor: true, + expIssuerKey: true, + expIssuerCrt: true, + expIssuerName: "identity.linkerd.cluster.local", + }, + { + // issuer scheme in options; no certs in values; nil k8s api -> + // error trying to call k8s + options: values.Options{ + Values: 
[]string{"identity.issuer.scheme=kubernetes.io/tls"}, + }, + values: testInstallValuesNoCertsNoHA, + k8sAPI: nil, + expErr: "--ignore-cluster is not supported when --identity-external-issuer=true", + expIdentityTrustAnchor: false, + expIssuerKey: false, + expIssuerCrt: false, + expIssuerName: "", + }, + { + // issuer scheme in options; no certs in values; fake k8s api -> + // trust anchor is set + options: values.Options{ + Values: []string{"identity.issuer.scheme=kubernetes.io/tls"}, + }, + values: testInstallValuesNoCertsNoHA, + k8sAPI: newK8S(values.Options{}), + expErr: "", + expIdentityTrustAnchor: true, + expIssuerKey: false, + expIssuerCrt: false, + expIssuerName: "identity.linkerd.cluster.local", + }, + { + // no options; fake certs in values; remove trust anchor -> err + options: values.Options{}, + values: removeTrustAnchor, + k8sAPI: nil, + expErr: "a trust anchors file must be specified if other credentials are provided", + expIdentityTrustAnchor: false, + expIssuerCrt: true, + expIssuerKey: true, + expIssuerName: "identity.linkerd.cluster.local", + }, + { + // no options; fake certs in values; remove issuer crt -> err + options: values.Options{}, + values: removeIssuerCrt, + k8sAPI: nil, + expErr: "a certificate file must be specified if other credentials are provided", + expIdentityTrustAnchor: true, + expIssuerCrt: false, + expIssuerName: "identity.linkerd.cluster.local", + expIssuerKey: true, + }, + { + // no options; fake certs in values; remove issuer key -> err + options: values.Options{}, + values: removeIssuerKey, + k8sAPI: nil, + expErr: "a private key file must be specified if other credentials are provided", + expIdentityTrustAnchor: true, + expIssuerCrt: true, + expIssuerName: "identity.linkerd.cluster.local", + expIssuerKey: false, + }, + } { + values, err := test.values() + assert.NoError(err, "%02d/test install options failed with an error", i) + values.IdentityTrustDomain = "test-override-issuer" + // ensure the install options created 
above meet expectations (we are + // testing the override not the values) + assert.Equal(k8s.IdentityIssuerSchemeLinkerd, values.Identity.Issuer.Scheme) + var buf bytes.Buffer + err = installControlPlane(context.Background(), test.k8sAPI, &buf, values, nil, test.options, "yaml") + if test.expErr != "" { + assert.EqualError(err, test.expErr, "%02d/install control plane returned incorrect error", i) + } else { + assert.NoError(err, "%02d/install control plane failed with an error", i) + } + if test.expIdentityTrustAnchor { + assert.NotEmpty(t, values.IdentityTrustAnchorsPEM, "%02d/identity trust anchor is not set", i) + crt, err := tls.DecodePEMCrt(values.IdentityTrustAnchorsPEM) + assert.NoError(err, "%02d/generated identity-trust-anchors-pem cannot be decoded", i) + assert.NotNil(crt, "%02d/generated identity-trust-anchors-pem cannot be decoded (nil)", i) + assert.NotNil(crt.Certificate, "%02d/generated identity-trust-anchors-pem certificate is invalid", i) + assert.Equal( + test.expIssuerName, + crt.Certificate.Issuer.CommonName, + "%02/generated identity-trust-anchors-pem certificate common-name is incorrect", i) + } else { + assert.Empty(values.IdentityTrustAnchorsPEM, "%02d/identity was incorrectly set", i) + } + if test.expIssuerCrt { + assert.NotEmpty(values.Identity.Issuer.TLS.CrtPEM, "%02d/identity issuer crt is not set", i) + assert.NotEmpty(values.Identity.Issuer.TLS.CrtPEM, "%02d/generated identity-issuer-tls-crt-pem is empty", i) + crt, err := tls.DecodePEMCrt(values.Identity.Issuer.TLS.CrtPEM) + assert.NoError(err, "%02d/generated identity-issuer-tls-crt-pem cannot be decoded", i) + assert.NotNil(crt, "%02d/generated identity-issuer-tls-crt-pem cannot be decoded (nil)", i) + assert.NotNil(crt.Certificate, "%02d/generated identity-issuer-tls-crt-pem certificate is invalid", i) + } else { + assert.Empty(values.Identity.Issuer.TLS.CrtPEM, "%02d/identity issuer crt was incorrectly set", i) + } + if test.expIssuerKey { + 
assert.NotEmpty(values.Identity.Issuer.TLS.KeyPEM, "%02d/identity issuer tls key is not set", i) + assert.NotEmpty(values.Identity.Issuer.TLS.KeyPEM, "%02d/generated identity-issuer-tls-key-pem is empty", i) + key, err := tls.DecodePEMKey(values.Identity.Issuer.TLS.KeyPEM) + assert.NoError(err, "%02d/generated identity-issuer-tls-key-pem cannot be decoded", i) + assert.NotNil(key, "%02d/generated identity-issuer-tls-key-pem cannot be decoded (nil)", i) + } else { + assert.Empty(values.Identity.Issuer.TLS.KeyPEM, "%02d/identity issuer tls key was incorrectly set", i) + } + } +} + func TestIgnoreCluster(t *testing.T) { defaultValues, err := testInstallOptions() if err != nil { @@ -550,6 +761,10 @@ func testInstallOptionsNoCerts(ha bool) (*charts.Values, error) { return values, nil } +func testInstallValuesNoCertsNoHA() (*charts.Values, error) { + return testInstallOptionsNoCerts(false) +} + func testInstallValues() (*charts.Values, error) { values, err := charts.NewValues() if err != nil { diff --git a/go.mod b/go.mod index dadf2061be77e..1233436a016c7 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/fatih/color v1.19.0 github.com/fsnotify/fsnotify v1.9.0 github.com/go-openapi/spec v0.22.4 + github.com/go-openapi/testify/v2 v2.4.0 github.com/go-test/deep v1.1.1 github.com/golang/protobuf v1.5.4 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 diff --git a/justfile b/justfile index e558f07502e8c..c93f99d5b2b89 100644 --- a/justfile +++ b/justfile @@ -20,7 +20,7 @@ go-lint *flags: golangci-lint run {{ flags }} go-test: - LINKERD_TEST_PRETTY_DIFF=1 gotestsum -- -race -v -mod=readonly --timeout 10m ./... + LINKERD_TEST_PRETTY_DIFF=1 gotestsum --jsonfile go-test.json -- -race -v -mod=readonly --timeout 10m ./... ## ## Rust From 19659bcf435fe80c1f8439d6ef58f6732d149f28 Mon Sep 17 00:00:00 2001 
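Review bot: `controlPlaneNamespace = defaultLinkerdNamespace` in TestOverrideIssuer assigns what appears to be a package-level variable (it is not declared inside the function) and never restores it, so the value leaks into whichever tests run afterwards in this package. Save and restore it with `prev := controlPlaneNamespace` followed by `t.Cleanup(func() { controlPlaneNamespace = prev })`. Separately, `newK8S(...)` is called inside the table literal, so the fake API and its issuer secret are built before any case runs. Running each case under `t.Run` and building the API inside the case would keep a setup failure attributable to the case that needs it.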
From: Raymond Kroeker Date: Fri, 17 Apr 2026 10:40:25 -0700 Subject: [PATCH 2/5] Deduplicate import. --- cli/cmd/install_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 0099c98785ea5..07c689b1db41f 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -19,7 +19,6 @@ import ( "helm.sh/helm/v3/pkg/cli/values" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) const ( @@ -376,7 +375,7 @@ func TestOverrideIssuer(t *testing.T) { k8s.IdentityIssuerTrustAnchorsNameExternal: read("valid-trust-anchors.pem"), corev1.TLSCertKey: read("valid-crt.pem"), corev1.TLSPrivateKeyKey: read("valid-key.pem"), - }}, v1.CreateOptions{}) + }}, metav1.CreateOptions{}) if assert.NoError(err, "cannot create secrets for new-k8s-api") { return api } From 049b9b2feb213517e1e5ff08737b302c998620f0 Mon Sep 17 00:00:00 2001 From: Raymond Kroeker Date: Fri, 17 Apr 2026 12:58:07 -0700 Subject: [PATCH 3/5] Add comment articulating nuance in marshal+unmarshal overrides. --- cli/cmd/install.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cli/cmd/install.go b/cli/cmd/install.go index 00ecdc27239ed..bf90f78f60ba5 100644 --- a/cli/cmd/install.go +++ b/cli/cmd/install.go @@ -306,6 +306,9 @@ func installControlPlane(ctx context.Context, k8sAPI *k8s.KubernetesAPI, w io.Wr // in order to correctly initialize the issuer credentials the overrides // (from above) need to be set/applied to the values themselves // specifically identity issuer scheme, and trust values + // + // marshal+unmarshal here will only apply specific overrides to values and + // will not wipe out values that are not set. data, err := yaml.Marshal(valuesOverrides) if err != nil { return err From e26d83d6f362f920e6ae48bc7ca03cafc56f41fa Mon Sep 17 00:00:00 2001 
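Review bot: The comment added in installControlPlane says the marshal+unmarshal "will not wipe out values that are not set", which covers fields absent from the overrides but leaves out what happens to fields that are present. With the usual YAML/JSON decoders a list named in the overrides replaces the existing list wholesale, and an explicitly empty override overwrites the current value; the yaml package in use is not visible in this hunk, so confirm which applies. Since this step decides the issuer scheme and trust anchors used for credential initialization, I would spell that out, e.g. `// fields absent from the overrides keep their current value; a scalar or list named in the overrides replaces the current one.`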
From: Raymond Kroeker Date: Fri, 17 Apr 2026 13:35:17 -0700 Subject: [PATCH 4/5] Code Review Feedback * Drop testify as a dependency. * Add comment articulating nuanced umarshal behaviour. --- cli/cmd/install_test.go | 130 +++++++++++++++++++++++++--------------- go.mod | 1 - 2 files changed, 81 insertions(+), 50 deletions(-) diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index 07c689b1db41f..a3b92f0142be8 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -11,7 +11,6 @@ import ( "strings" "testing" - "github.com/go-openapi/testify/v2/assert" "github.com/linkerd/linkerd2/cli/flag" charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" "github.com/linkerd/linkerd2/pkg/k8s" @@ -347,14 +346,13 @@ func TestOverrideIssuer(t *testing.T) { values.IdentityTrustAnchorsPEM = "" return values, nil } - assert := assert.New(t) read := func(filename string) []byte { t.Helper() data, err := os.ReadFile(path.Join("testdata", filename)) - if assert.NoError(err, "cannot read-file filename=%s", filename) { - return data + if err != nil { + t.Fatalf("cannot read filename=%s err=%v", filename, err) } - return nil + return data } // newK8S returns a test implementation of the k8s API; after setting the // issuer trust anchor and tls crt+key as a secret. 
@@ -362,25 +360,29 @@ func TestOverrideIssuer(t *testing.T) { t.Helper() buf := &bytes.Buffer{} err := renderCRDs(context.Background(), nil, buf, opts, "yaml") - assert.NoError(err, "cannot render-crds for new-k8s-api opts=%+v", opts) + if err != nil { + t.Fatalf("cannot render-crds for new-k8s-api opts=%+v err=%v", + opts, err) + } api, err := k8s.NewFakeAPIFromManifests([]io.Reader{buf}) - if assert.NoError(err, "cannot create k8s api from manifests") { - _, err = api.CoreV1().Secrets(controlPlaneNamespace).Create(context.Background(), - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: k8s.IdentityIssuerSecretName, - Namespace: controlPlaneNamespace, - }, - Data: map[string][]byte{ - k8s.IdentityIssuerTrustAnchorsNameExternal: read("valid-trust-anchors.pem"), - corev1.TLSCertKey: read("valid-crt.pem"), - corev1.TLSPrivateKeyKey: read("valid-key.pem"), - }}, metav1.CreateOptions{}) - if assert.NoError(err, "cannot create secrets for new-k8s-api") { - return api - } + if err != nil { + t.Fatalf("cannot create new fake-api from manifests err=%v", err) + } + _, err = api.CoreV1().Secrets(controlPlaneNamespace).Create(context.Background(), + &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: k8s.IdentityIssuerSecretName, + Namespace: controlPlaneNamespace, + }, + Data: map[string][]byte{ + k8s.IdentityIssuerTrustAnchorsNameExternal: read("valid-trust-anchors.pem"), + corev1.TLSCertKey: read("valid-crt.pem"), + corev1.TLSPrivateKeyKey: read("valid-key.pem"), + }}, metav1.CreateOptions{}) + if err != nil { + t.Fatalf("cannot create secret for new-k8s-api err=%v", err) } - return nil + return api } controlPlaneNamespace = defaultLinkerdNamespace for i, test := range []struct { 
@@ -477,49 +479,79 @@ func TestOverrideIssuer(t *testing.T) { }, } { values, err := test.values() - assert.NoError(err, "%02d/test install options failed with an error", i) + if err != nil { + t.Fatalf("%02d/test install options failed with an error err=%v", i, err) + } values.IdentityTrustDomain = "test-override-issuer" // ensure the install options created above meet expectations (we are // testing the override not the values) - assert.Equal(k8s.IdentityIssuerSchemeLinkerd, values.Identity.Issuer.Scheme) + if values.Identity.Issuer.Scheme != k8s.IdentityIssuerSchemeLinkerd { + t.Fatalf("%02d/identity issuer scheme is incorrect: %s != %s", i, + k8s.IdentityIssuerSchemeLinkerd, values.Identity.Issuer.Scheme) + } var buf bytes.Buffer err = installControlPlane(context.Background(), test.k8sAPI, &buf, values, nil, test.options, "yaml") if test.expErr != "" { - assert.EqualError(err, test.expErr, "%02d/install control plane returned incorrect error", i) + if test.expErr != err.Error() { + t.Fatalf("%02d/install control plane returned incorrect error %s<>%v", i, test.expErr, err) + } } else { - assert.NoError(err, "%02d/install control plane failed with an error", i) + if err != nil { + t.Fatalf("%02d/install control plane failed with an error=%v", i, err) + } } if test.expIdentityTrustAnchor { - assert.NotEmpty(t, values.IdentityTrustAnchorsPEM, "%02d/identity trust anchor is not set", i) + if values.IdentityTrustAnchorsPEM == "" { + t.Fatalf("%02d/identity trust-anchors-pem is empty", i) + } crt, err := tls.DecodePEMCrt(values.IdentityTrustAnchorsPEM) - assert.NoError(err, "%02d/generated identity-trust-anchors-pem cannot be decoded", i) - assert.NotNil(crt, "%02d/generated identity-trust-anchors-pem cannot be decoded (nil)", i) - assert.NotNil(crt.Certificate, "%02d/generated identity-trust-anchors-pem certificate is invalid", i) - assert.Equal( - test.expIssuerName, - crt.Certificate.Issuer.CommonName, - "%02/generated identity-trust-anchors-pem certificate 
common-name is incorrect", i) - } else { - assert.Empty(values.IdentityTrustAnchorsPEM, "%02d/identity was incorrectly set", i) + if err != nil { + t.Fatalf("%02d/generated identity-trust-anchors-pem cannot be decoded", i) + } + if crt == nil { + t.Fatalf("%02d/generated identity-trust-anchors-pem cannot be decoded (nil)", i) + } + if crt.Certificate == nil { + t.Fatalf("%02d/generated identity-trust-anchors-pem certificate is invalid", i) + } + if test.expIssuerName != crt.Certificate.Issuer.CommonName { + t.Fatalf("%02d/generated identity-trust-anchors-pem certificate common-name is incorrect %s<>%s", i, + test.expIssuerName, + crt.Certificate.Issuer.CommonName) + } + } else if values.IdentityTrustAnchorsPEM != "" { + t.Fatalf("%02d/identity was incorrectly set pem=%s", i, values.IdentityTrustAnchorsPEM) } if test.expIssuerCrt { - assert.NotEmpty(values.Identity.Issuer.TLS.CrtPEM, "%02d/identity issuer crt is not set", i) - assert.NotEmpty(values.Identity.Issuer.TLS.CrtPEM, "%02d/generated identity-issuer-tls-crt-pem is empty", i) + if values.Identity.Issuer.TLS.CrtPEM == "" { + t.Fatalf("%02d/generated identity-issuer-tls-crt-pem is empty", i) + } crt, err := tls.DecodePEMCrt(values.Identity.Issuer.TLS.CrtPEM) - assert.NoError(err, "%02d/generated identity-issuer-tls-crt-pem cannot be decoded", i) - assert.NotNil(crt, "%02d/generated identity-issuer-tls-crt-pem cannot be decoded (nil)", i) - assert.NotNil(crt.Certificate, "%02d/generated identity-issuer-tls-crt-pem certificate is invalid", i) - } else { - assert.Empty(values.Identity.Issuer.TLS.CrtPEM, "%02d/identity issuer crt was incorrectly set", i) + if err != nil { + t.Fatalf("%02d/generated identity-issuer-tls-crt-pem cannot be decoded err=%v", i, err) + } + if crt == nil { + t.Fatalf("%02d/generated identity-issuer-tls-crt-pem cannot be decoded (nil)", i) + } + if crt.Certificate == nil { + t.Fatalf("%02d/generated identity-issuer-tls-crt-pem certificate is invalid (nil)", i) + } + } else if 
values.Identity.Issuer.TLS.CrtPEM != "" { + t.Fatalf("%02d/identity issuer crt was incorrectly set pem=%s", i, values.Identity.Issuer.TLS.CrtPEM) } if test.expIssuerKey { - assert.NotEmpty(values.Identity.Issuer.TLS.KeyPEM, "%02d/identity issuer tls key is not set", i) - assert.NotEmpty(values.Identity.Issuer.TLS.KeyPEM, "%02d/generated identity-issuer-tls-key-pem is empty", i) + if values.Identity.Issuer.TLS.KeyPEM == "" { + t.Fatalf("%02d/generated identity-issuer-tls-key-pem is empty", i) + } key, err := tls.DecodePEMKey(values.Identity.Issuer.TLS.KeyPEM) - assert.NoError(err, "%02d/generated identity-issuer-tls-key-pem cannot be decoded", i) - assert.NotNil(key, "%02d/generated identity-issuer-tls-key-pem cannot be decoded (nil)", i) - } else { - assert.Empty(values.Identity.Issuer.TLS.KeyPEM, "%02d/identity issuer tls key was incorrectly set", i) + if err != nil { + t.Fatalf("%02d/generated identity-issuer-tls-key-pem cannot be decoded err=%v", i, err) + } + if key == nil { + t.Fatalf("%02d/generated identity-issuer-tls-key-pem cannot be decoded (nil)", i) + } + } else if values.Identity.Issuer.TLS.KeyPEM != "" { + t.Fatalf("%02d/identity issuer tls key was incorrectly set pem=%s", i, values.Identity.Issuer.TLS.KeyPEM) } } } diff --git a/go.mod b/go.mod index d624901e88542..57800eefffa2a 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,6 @@ require ( github.com/fatih/color v1.19.0 github.com/fsnotify/fsnotify v1.9.0 github.com/go-openapi/spec v0.22.4 - github.com/go-openapi/testify/v2 v2.4.0 github.com/go-test/deep v1.1.1 github.com/golang/protobuf v1.5.4 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 From 21db6d5a604ff2bd328a32caf09b870865f8ab03 Mon Sep 17 00:00:00 2001 From: Raymond Kroeker Date: Mon, 20 Apr 2026 11:00:06 -0700 Subject: [PATCH 5/5] Fix k8s setup in test case. --- cli/cmd/install_test.go | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) 
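Review bot: In the `test.expErr != ""` branch the comparison `test.expErr != err.Error()` dereferences `err` without a nil check, so a case that expects an error but gets none panics instead of reporting a failure; use `if err == nil || err.Error() != test.expErr {`. The `else if` failure messages also format the credential itself (`pem=%s` with `values.Identity.Issuer.TLS.KeyPEM`), which writes private-key PEM into the test output, and the first patch in this series persists that output to `go-test.json`. Reporting the length is enough to debug, e.g. `t.Fatalf("%02d/identity issuer tls key was incorrectly set (len=%d)", i, len(values.Identity.Issuer.TLS.KeyPEM))`. The trust-anchor `DecodePEMCrt` failure message drops `err`, unlike the issuer crt and key messages.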
diff --git a/cli/cmd/install_test.go b/cli/cmd/install_test.go index a3b92f0142be8..5b24bee2a986b 100644 --- a/cli/cmd/install_test.go +++ b/cli/cmd/install_test.go @@ -356,15 +356,9 @@ func TestOverrideIssuer(t *testing.T) { } // newK8S returns a test implementation of the k8s API; after setting the // issuer trust anchor and tls crt+key as a secret. - newK8S := func(opts values.Options) *k8s.KubernetesAPI { + newK8S := func() *k8s.KubernetesAPI { t.Helper() - buf := &bytes.Buffer{} - err := renderCRDs(context.Background(), nil, buf, opts, "yaml") - if err != nil { - t.Fatalf("cannot render-crds for new-k8s-api opts=%+v err=%v", - opts, err) - } - api, err := k8s.NewFakeAPIFromManifests([]io.Reader{buf}) + api, err := k8s.NewFakeAPI() if err != nil { t.Fatalf("cannot create new fake-api from manifests err=%v", err) } @@ -437,7 +431,7 @@ func TestOverrideIssuer(t *testing.T) { Values: []string{"identity.issuer.scheme=kubernetes.io/tls"}, }, values: testInstallValuesNoCertsNoHA, - k8sAPI: newK8S(values.Options{}), + k8sAPI: newK8S(), expErr: "", expIdentityTrustAnchor: true, expIssuerKey: false,
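Review bot: After this change `newK8S` calls `k8s.NewFakeAPI()` with no manifests, but the failure message on the following line still reads "cannot create new fake-api from manifests". Update it to match the new setup, e.g. `t.Fatalf("cannot create fake k8s api err=%v", err)`.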