Update service handler to use certificateAuthorityCertSecretRef

Author: clement0010

app/handlers/handlers_services.py

@@ -8,7 +8,6 @@
 
 from app.crds import ResourceType
 from app.utils import to_bool
-from app.utils_k8s import get_ca_cert, k8s_get_secret
 
 
 def k8s_get_twingate_resource(
@@ -93,11 +92,6 @@ def service_to_twingate_resource(service_body: Body, namespace: str) -> dict:
                 f"{TLS_OBJECT_ANNOTATION} annotation is not provided."
             )
 
-        if not (tls_secret := k8s_get_secret(namespace, tls_secret_name)):
-            raise kopf.PermanentError(
-                f"Kubernetes Secret object: {tls_secret_name} is missing."
-            )
-
         result["spec"] |= {
             "address": "kubernetes.default.svc.cluster.local",
             "proxy": {
@@ -106,7 +100,10 @@ def service_to_twingate_resource(service_body: Body, namespace: str) -> dict:
                     if spec["type"] == ServiceType.LOAD_BALANCER
                     else f"{service_name}.{namespace}.svc.cluster.local"
                 ),
-                "certificateAuthorityCert": get_ca_cert(tls_secret),
+                "certificateAuthorityCertSecretRef": {
+                    "name": tls_secret_name,
+                    "namespace": namespace,
+                },
             },
         }
 

app/handlers/tests/test_handlers_services.py

@@ -6,7 +6,6 @@
 import yaml
 from kopf._core.intents.causes import Reason
 
-from app.api.tests.factories import BASE64_OF_VALID_CA_CERT
 from app.crds import ResourceType
 from app.handlers.handlers_services import (
     ALLOWED_EXTRA_ANNOTATIONS,
@@ -15,7 +14,6 @@
     service_to_twingate_resource,
     twingate_service_create,
 )
-from app.utils_k8s import get_ca_cert
 
 # Ignore the fact we use _cogs here
 
@@ -173,25 +171,13 @@ def test_with_extra_annotation(
         assert result == expected
 
     def test_kubernetes_resource_type_annotation(
-        self,
-        example_cluster_ip_gateway_service_body,
-        k8s_core_client_mock,
-        k8s_secret_mock,
+        self, example_cluster_ip_gateway_service_body
     ):
         tls_object_name = "gateway-tls"
         namespace = "custom-namespace"
-        k8s_core_client_mock.read_namespaced_secret.return_value = k8s_secret_mock
-
-        with patch(
-            "app.handlers.handlers_services.get_ca_cert", wraps=get_ca_cert
-        ) as get_ca_cert_mock:
-            result = service_to_twingate_resource(
-                example_cluster_ip_gateway_service_body, namespace
-            )
 
-        get_ca_cert_mock.assert_called_once_with(k8s_secret_mock)
-        k8s_core_client_mock.read_namespaced_secret.assert_called_once_with(
-            namespace=namespace, name=tls_object_name
+        result = service_to_twingate_resource(
+            example_cluster_ip_gateway_service_body, namespace
         )
 
         assert result["spec"] == {
@@ -200,7 +186,10 @@ def test_kubernetes_resource_type_annotation(
             "alias": "alias.int",
             "proxy": {
                 "address": "kubernetes-gateway.custom-namespace.svc.cluster.local",
-                "certificateAuthorityCert": BASE64_OF_VALID_CA_CERT,
+                "certificateAuthorityCertSecretRef": {
+                    "name": tls_object_name,
+                    "namespace": namespace,
+                },
             },
             "protocols": {
                 "allowIcmp": False,
@@ -231,19 +220,6 @@ def test_kubernetes_resource_type_annotation_without_tls_secret_annotation(
                 example_cluster_ip_gateway_service_body, "default"
             )
 
-    def test_kubernetes_resource_type_annotation_without_k8s_secret_object(
-        self, example_cluster_ip_gateway_service_body, k8s_core_client_mock
-    ):
-        k8s_core_client_mock.read_namespaced_secret.return_value = None
-
-        with pytest.raises(
-            kopf.PermanentError,
-            match=r"Kubernetes Secret object: gateway-tls is missing.",
-        ):
-            service_to_twingate_resource(
-                example_cluster_ip_gateway_service_body, "default"
-            )
-
     @pytest.mark.parametrize(
         ("status", "expected"),
         [
@@ -255,16 +231,10 @@ def test_kubernetes_resource_type_annotation_without_k8s_secret_object(
         ],
     )
     def test_kubernetes_resource_with_load_balancer_service_type(
-        self,
-        example_load_balancer_gateway_service_body,
-        k8s_core_client_mock,
-        k8s_secret_mock,
-        status,
-        expected,
+        self, example_load_balancer_gateway_service_body, status, expected
     ):
         tls_object_name = "gateway-tls"
         namespace = "default"
-        k8s_core_client_mock.read_namespaced_secret.return_value = k8s_secret_mock
 
         with patch(
             "kopf._cogs.structs.bodies.Body.status",
@@ -275,17 +245,16 @@ def test_kubernetes_resource_with_load_balancer_service_type(
                 example_load_balancer_gateway_service_body, namespace
             )
 
-        k8s_core_client_mock.read_namespaced_secret.assert_called_once_with(
-            namespace=namespace, name=tls_object_name
-        )
-
         assert result["spec"] == {
             "name": "kubernetes-gateway-resource",
             "address": "kubernetes.default.svc.cluster.local",
             "alias": "alias.int",
             "proxy": {
                 "address": expected,
-                "certificateAuthorityCert": BASE64_OF_VALID_CA_CERT,
+                "certificateAuthorityCertSecretRef": {
+                    "name": tls_object_name,
+                    "namespace": namespace,
+                },
             },
             "protocols": {
                 "allowIcmp": False,