Resolve conflict

Author: clement0010

CHANGELOG.md

@@ -1,6 +1,76 @@
 # CHANGELOG
 
 
+## v0.26.4 (2025-10-14)
+
+### Chores
+
+- Bump cryptography from 45.0.7 to 46.0.1
+  ([#791](https://github.com/Twingate/kubernetes-operator/pull/791),
+  [`4ba9d0a`](https://github.com/Twingate/kubernetes-operator/commit/4ba9d0ac40eaa283846d535fa58ac740157d6999))
+
+- Bump cryptography from 46.0.1 to 46.0.2
+  ([#801](https://github.com/Twingate/kubernetes-operator/pull/801),
+  [`fc8fdd8`](https://github.com/Twingate/kubernetes-operator/commit/fc8fdd8398f1eb674c4db59e4cbaaf44745407ee))
+
+- Bump hadolint/hadolint-action from 3.2.0 to 3.3.0
+  ([#796](https://github.com/Twingate/kubernetes-operator/pull/796),
+  [`cbd7460`](https://github.com/Twingate/kubernetes-operator/commit/cbd74606486bffd377376ba5513de90801aa9408))
+
+- Bump kubernetes from 33.1.0 to 34.1.0
+  ([#800](https://github.com/Twingate/kubernetes-operator/pull/800),
+  [`47b7329`](https://github.com/Twingate/kubernetes-operator/commit/47b73299b271b20b2e307542b9c7069d6e38a229))
+
+- Bump kubernetes-access-gateway from 0.10.0 to 0.10.1 in /deploy/twingate-operator
+  ([#811](https://github.com/Twingate/kubernetes-operator/pull/811),
+  [`01728e5`](https://github.com/Twingate/kubernetes-operator/commit/01728e561ff2d60f9825d78642046e2d5e47a45b))
+
+- Bump mypy from 1.18.1 to 1.18.2 ([#794](https://github.com/Twingate/kubernetes-operator/pull/794),
+  [`4846803`](https://github.com/Twingate/kubernetes-operator/commit/4846803c76c3437bc1864f04927be320fffbe72d))
+
+- Bump pydantic from 2.11.10 to 2.12.0
+  ([#805](https://github.com/Twingate/kubernetes-operator/pull/805),
+  [`a5699d6`](https://github.com/Twingate/kubernetes-operator/commit/a5699d65611c6dda427e72129c85685cf8be2ac0))
+
+- Bump pydantic from 2.11.9 to 2.11.10
+  ([#803](https://github.com/Twingate/kubernetes-operator/pull/803),
+  [`c714bdc`](https://github.com/Twingate/kubernetes-operator/commit/c714bdce7379398af23b2af88fade7c551952bea))
+
+- Bump pydantic from 2.12.0 to 2.12.1
+  ([#810](https://github.com/Twingate/kubernetes-operator/pull/810),
+  [`8c1b0c7`](https://github.com/Twingate/kubernetes-operator/commit/8c1b0c7d44438df14393754a7fa4231e94c77bca))
+
+- Bump pydantic from 2.12.1 to 2.12.2
+  ([#812](https://github.com/Twingate/kubernetes-operator/pull/812),
+  [`318d603`](https://github.com/Twingate/kubernetes-operator/commit/318d603f650c3cb6c33e1aa1a5af9f4716ce38ca))
+
+- Bump pydantic-settings from 2.10.1 to 2.11.0
+  ([#797](https://github.com/Twingate/kubernetes-operator/pull/797),
+  [`71a17c0`](https://github.com/Twingate/kubernetes-operator/commit/71a17c0eef97319a337e9ee759535de48680f363))
+
+- Bump pyupgrade from 3.20.0 to 3.21.0
+  ([#809](https://github.com/Twingate/kubernetes-operator/pull/809),
+  [`be5c327`](https://github.com/Twingate/kubernetes-operator/commit/be5c327b150499217c06ffa998461363ff2e3013))
+
+- Bump ruff from 0.13.0 to 0.13.1 ([#793](https://github.com/Twingate/kubernetes-operator/pull/793),
+  [`3877370`](https://github.com/Twingate/kubernetes-operator/commit/3877370f6c5e2c6463e47cf847d9c0c3c13ac8a3))
+
+- Bump ruff from 0.13.1 to 0.13.2 ([#798](https://github.com/Twingate/kubernetes-operator/pull/798),
+  [`65957fa`](https://github.com/Twingate/kubernetes-operator/commit/65957fa343390024e56b4dc1431c3d218ee1d48f))
+
+- Bump ruff from 0.13.2 to 0.13.3 ([#802](https://github.com/Twingate/kubernetes-operator/pull/802),
+  [`88331fe`](https://github.com/Twingate/kubernetes-operator/commit/88331fe3685a772c9d88aeb5263a83ce4e66dbf8))
+
+- Bump ruff from 0.13.3 to 0.14.0 ([#806](https://github.com/Twingate/kubernetes-operator/pull/806),
+  [`8542681`](https://github.com/Twingate/kubernetes-operator/commit/854268163d9955df5844f9bb0753fa148c58b3b1))
+
+- Bump syrupy from 4.9.1 to 5.0.0 ([#799](https://github.com/Twingate/kubernetes-operator/pull/799),
+  [`c639ac1`](https://github.com/Twingate/kubernetes-operator/commit/c639ac1328b024ec3b8697b7eb83502be7563e7d))
+
+- Upgrade Poetry to 2.2.1 ([#804](https://github.com/Twingate/kubernetes-operator/pull/804),
+  [`96098a7`](https://github.com/Twingate/kubernetes-operator/commit/96098a776f2159d4a8150456c5fe3061d56f4d5f))
+
+
 ## v0.26.3 (2025-09-17)
 
 ### Bug Fixes

app/crds.py

@@ -23,7 +23,8 @@
 from semantic_version import NpmSpec
 
 from app.settings import get_settings
-from app.utils_k8s import get_ca_cert, k8s_get_secret
+from app.utils import validate_pem_x509_certificate
+from app.utils_k8s import k8s_read_namespaced_secret
 from app.version_policy_providers import get_provider
 
 K8sObject = MutableMapping[Any, Any]
@@ -131,14 +132,34 @@ class ResourceProxy(BaseModel):
 
     def get_certificate_authority_cert(self) -> str | None:
         if secret_ref := self.certificate_authority_cert_secret_ref:
-            secret = k8s_get_secret(secret_ref.namespace, secret_ref.name)
-            if not secret:
-                return None
+            if secret := k8s_read_namespaced_secret(
+                secret_ref.namespace, secret_ref.name
+            ):
+                return self.read_certificate_authority_cert_from_secret(secret)
 
-            return base64.b64decode(get_ca_cert(secret)).decode()
+            return None
 
         return self.certificate_authority_cert
 
+    @staticmethod
+    def read_certificate_authority_cert_from_secret(
+        secret: kubernetes.client.V1Secret,
+    ) -> str:
+        secret_name = secret.metadata.name
+        if not (ca_cert := secret.data.get("ca.crt")):
+            raise kopf.PermanentError(
+                f"Kubernetes Secret object: {secret_name} is missing ca.crt."
+            )
+
+        try:
+            ca_cert = base64.b64decode(ca_cert).decode()
+            validate_pem_x509_certificate(ca_cert)
+            return ca_cert
+        except ValueError as ex:
+            raise kopf.PermanentError(
+                f"Kubernetes Secret object: {secret_name} ca.crt is invalid."
+            ) from ex
+
 
 class ResourceType(StrEnum):
     NETWORK = "Network"

app/tests/test_crds_resource.py

@@ -12,7 +12,6 @@
     TwingateResourceCRD,
     _KubernetesObjectRef,
 )
-from app.utils_k8s import get_ca_cert
 
 
 @pytest.fixture
@@ -304,9 +303,12 @@ def test_resource_proxy_get_certificate_authority_cert_with_secret_ref(
     )
     k8s_core_client_mock.read_namespaced_secret.return_value = k8s_secret_mock
 
-    with patch("app.crds.get_ca_cert", wraps=get_ca_cert) as get_ca_cert_mock:
+    with patch(
+        "app.crds.ResourceProxy.read_certificate_authority_cert_from_secret",
+        wraps=proxy.read_certificate_authority_cert_from_secret,
+    ) as read_ca_cert_mock:
         assert proxy.get_certificate_authority_cert() == VALID_CA_CERT
-        get_ca_cert_mock.assert_called_once_with(k8s_secret_mock)
+        read_ca_cert_mock.assert_called_once_with(k8s_secret_mock)
 
 
 def test_network_resource_spec_to_graphql_arguments(sample_network_resource_object):
@@ -410,3 +412,31 @@ def test_resource_proxy_certificate_authority_cert_should_trim_whitespace(
     )
 
     assert resource_spec.proxy.certificate_authority_cert == VALID_CA_CERT
+
+
+class TestResourceProxyReadCACertFromSecret:
+    def test_read_ca_cert_from_secret(self, k8s_secret_mock):
+        assert (
+            ResourceProxy.read_certificate_authority_cert_from_secret(k8s_secret_mock)
+            == VALID_CA_CERT
+        )
+
+    def test_read_ca_cert_from_secret_with_missing_ca_cert(self, k8s_secret_mock):
+        k8s_secret_mock.data = {}
+
+        with pytest.raises(
+            kopf.PermanentError,
+            match=r"Kubernetes Secret object: gateway-tls is missing ca.crt.",
+        ):
+            ResourceProxy.read_certificate_authority_cert_from_secret(k8s_secret_mock)
+
+    def test_read_ca_cert_from_secret_with_invalid_ca_cert(self, k8s_secret_mock):
+        k8s_secret_mock.data["ca.crt"] = (
+            "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tIE1JSUZmakNDQTJhZ0F3SUJBZ0lVQk50IC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
+        )
+
+        with pytest.raises(
+            kopf.PermanentError,
+            match=r"Kubernetes Secret object: gateway-tls ca.crt is invalid.",
+        ):
+            ResourceProxy.read_certificate_authority_cert_from_secret(k8s_secret_mock)

app/tests/test_utils_k8s.py

@@ -1,14 +1,11 @@
-import kopf
 import kubernetes
 import pytest
 
-from app.api.tests.factories import BASE64_OF_VALID_CA_CERT
 from app.utils_k8s import (
-    get_ca_cert,
     k8s_delete_pod,
-    k8s_get_secret,
     k8s_read_namespaced_deployment,
     k8s_read_namespaced_pod,
+    k8s_read_namespaced_secret,
 )
 
 
@@ -62,41 +59,16 @@ def test_reraises_non_404_exceptions(self, k8s_apps_client_mock):
             k8s_read_namespaced_deployment("default", "test")
 
 
-class TestK8sGetTLSSecret:
+class TestReadNamespacedSecret:
     def test_handles_404_returns_none(self, k8s_core_client_mock):
         k8s_core_client_mock.read_namespaced_secret.side_effect = (
             kubernetes.client.exceptions.ApiException(status=404)
         )
-        assert k8s_get_secret("default", "test") is None
+        assert k8s_read_namespaced_secret("default", "test") is None
 
     def test_reraises_non_404_exceptions(self, k8s_core_client_mock):
         k8s_core_client_mock.read_namespaced_secret.side_effect = (
             kubernetes.client.exceptions.ApiException(status=500)
         )
         with pytest.raises(kubernetes.client.exceptions.ApiException):
-            k8s_get_secret("default", "test")
-
-
-class TestGetCACert:
-    def test_get_ca_cert(self, k8s_secret_mock):
-        assert get_ca_cert(k8s_secret_mock) == BASE64_OF_VALID_CA_CERT
-
-    def test_get_ca_cert_with_missing_ca_cert(self, k8s_secret_mock):
-        k8s_secret_mock.data = {}
-
-        with pytest.raises(
-            kopf.PermanentError,
-            match=r"Kubernetes Secret object: gateway-tls is missing ca.crt.",
-        ):
-            get_ca_cert(k8s_secret_mock)
-
-    def test_get_ca_cert_with_invalid_ca_cert(self, k8s_secret_mock):
-        k8s_secret_mock.data["ca.crt"] = (
-            "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tIE1JSUZmakNDQTJhZ0F3SUJBZ0lVQk50IC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="
-        )
-
-        with pytest.raises(
-            kopf.PermanentError,
-            match=r"Kubernetes Secret object: gateway-tls ca.crt is invalid.",
-        ):
-            get_ca_cert(k8s_secret_mock)
+            k8s_read_namespaced_secret("default", "test")

app/utils_k8s.py

@@ -1,10 +1,5 @@
-import base64
-
-import kopf
 import kubernetes
 
-from app.utils import validate_pem_x509_certificate
-
 
 def k8s_read_namespaced_pod(
     namespace: str, name: str, kapi: kubernetes.client.CoreV1Api | None = None
@@ -47,30 +42,15 @@ def k8s_read_namespaced_deployment(
         raise
 
 
-def k8s_get_secret(namespace: str, name: str) -> kubernetes.client.V1Secret | None:
+def k8s_read_namespaced_secret(
+    namespace: str, name: str, kapi: kubernetes.client.CoreV1Api | None = None
+) -> kubernetes.client.V1Secret | None:
     try:
-        return kubernetes.client.CoreV1Api().read_namespaced_secret(
-            name=name, namespace=namespace
-        )
+        kapi = kapi or kubernetes.client.CoreV1Api()
+
+        return kapi.read_namespaced_secret(name=name, namespace=namespace)
     except kubernetes.client.exceptions.ApiException as ex:
         if ex.status == 404:
             return None
 
         raise
-
-
-def get_ca_cert(secret: kubernetes.client.V1Secret) -> str:
-    secret_name = secret.metadata.name
-    if not (ca_cert := secret.data.get("ca.crt")):
-        raise kopf.PermanentError(
-            f"Kubernetes Secret object: {secret_name} is missing ca.crt."
-        )
-
-    try:
-        validate_pem_x509_certificate(base64.b64decode(ca_cert).decode())
-    except ValueError as ex:
-        raise kopf.PermanentError(
-            f"Kubernetes Secret object: {secret_name} ca.crt is invalid."
-        ) from ex
-
-    return ca_cert

deploy/twingate-operator/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: kubernetes-access-gateway
   repository: oci://ghcr.io/twingate/helmcharts
-  version: 0.10.0
-digest: sha256:7819eee88fa4ff84b2310446b0f6631153895ac32ad448ec68f081d19df0d2bd
-generated: "2025-08-29T16:26:39.587394325Z"
+  version: 0.10.1
+digest: sha256:d1262910ff91cc3c7ec34a5e516aa6a37439c8b840d5c62e96e621997372a9c4
+generated: "2025-10-14T16:25:49.614357787Z"

deploy/twingate-operator/Chart.yaml

@@ -9,6 +9,6 @@ sources:
   - https://github.com/Twingate/kubernetes-operator
 dependencies:
   - name: kubernetes-access-gateway
-    version: 0.10.0
+    version: 0.10.1
     repository: "oci://ghcr.io/twingate/helmcharts"
     condition: kubernetes-access-gateway.enabled