Summary
The e2e helpers editConfigMapCABundleInjectionData and editSecretCABundleInjectionData in test/e2e/e2e.go currently test the injector's exclusive-ownership contract by adding a foreign "foo" key and asserting it is removed. This verifies that the injector "stomps" the object back to a single controlled entry, but does not verify that a corrupted value for the injected key (api.InjectionDataKey / service-ca.crt) is also restored.
Desired change
Both helpers should be strengthened symmetrically to additionally overwrite secretCopy.Data[api.InjectionDataKey] (or cmCopy.Data[api.InjectionDataKey]) with a known-bad value and poll until it is reverted to the correct CA bundle. This would cover the scenario where the injected entry itself is tampered with.
The change should be made to both helpers in the same PR to keep the two resource types in sync:
editConfigMapCABundleInjectionData in test/e2e/e2e.go
editSecretCABundleInjectionData in test/e2e/e2e.go
Background
Discussed in PR #265 (adding Secret CA bundle injection support) at:
#265 (comment)
Requested by @mnencia.
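The strengthened check described under "Desired change", as an added example that is not code from test/e2e/e2e.go or from the project. It assumes a constructed in-memory stand-in (the hypothetical fakeObject) instead of a real cluster client, and shows that an injector which only strips foreign keys passes the existing "foo" assertion but fails once the injected value is also corrupted.

```go
package main

import (
	"fmt"
	"time"
)

// Stands in for api.InjectionDataKey (service-ca.crt in the issue).
const injectionDataKey = "service-ca.crt"

// fakeObject is a constructed in-memory stand-in for the ConfigMap/Secret plus
// the injector; restoreValue=false models one that only strips foreign keys.
type fakeObject struct {
	data         map[string]string
	ca           string
	restoreValue bool
}

func (f *fakeObject) Get() map[string]string {
	out := map[string]string{injectionDataKey: f.data[injectionDataKey]}
	if f.restoreValue {
		out[injectionDataKey] = f.ca
	}
	f.data = out // simulated reconcile happens on every read
	return out
}

func (f *fakeObject) Update(d map[string]string) { f.data = d }

// checkTamperReverted adds the foreign "foo" key, corrupts the injected key,
// then polls until the object is a single entry holding the expected bundle.
func checkTamperReverted(o *fakeObject, wantCA string, interval, timeout time.Duration) error {
	data := o.Get()
	data["foo"] = "bar"
	data[injectionDataKey] = "known-bad-value"
	o.Update(data)
	for deadline := time.Now().Add(timeout); ; time.Sleep(interval) {
		cur := o.Get()
		if len(cur) == 1 && cur[injectionDataKey] == wantCA {
			return nil
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("%s not reverted within %s", injectionDataKey, timeout)
		}
	}
}

func main() {
	weak := &fakeObject{data: map[string]string{injectionDataKey: "CA"}, ca: "CA"}
	fmt.Println(checkTamperReverted(weak, "CA", time.Millisecond, 20*time.Millisecond))
}
```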