Merge pull request #456 from ericpromislow/46189-deal-with-downstream…

…-tls-mode Stop testing the 'ok' part of a map access.
rancher · Aug 6, 2024 · 7da1900 · 7da1900
2 parents 3cb0caa + 18168f4
commit 7da1900
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/pkg/resources/management.cattle.io/v3/setting/validator.go b/pkg/resources/management.cattle.io/v3/setting/validator.go
@@ -135,7 +135,7 @@ func (a *admitter) validateAgentTLSMode(oldSetting, newSetting v3.Setting) error
 		return nil
 	}
 	if effectiveValue(oldSetting) == "system-store" && effectiveValue(newSetting) == "strict" {
-		if _, force := newSetting.Annotations["cattle.io/force"]; force {
+		if force := newSetting.Annotations["cattle.io/force"]; force == "true" {
 			return nil
 		}
 		clusters, err := a.clusterCache.List(labels.NewSelector())

diff --git a/pkg/resources/management.cattle.io/v3/setting/validator_test.go b/pkg/resources/management.cattle.io/v3/setting/validator_test.go
@@ -312,6 +312,40 @@ func TestValidateAgentTLSMode(t *testing.T) {
 			operation: v1.Update,
 			allowed:   true,
 		},
+		"update forbidden without cluster status and non-true force annotation": {
+			oldSetting: v3.Setting{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "agent-tls-mode",
+				},
+				Default: "system-store",
+			},
+			newSetting: v3.Setting{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "agent-tls-mode",
+					Annotations: map[string]string{
+						"cattle.io/force": "false",
+					},
+				},
+				Default: "strict",
+			},
+			clusters: []*v3.Cluster{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "cluster-1",
+					},
+					Status: v3.ClusterStatus{
+						Conditions: []v3.ClusterCondition{
+							{
+								Type:   "AgentTlsStrictCheck",
+								Status: "False",
+							},
+						},
+					},
+				},
+			},
+			operation: v1.Update,
+			allowed:   false,
+		},
 		"update allowed with cluster status and force annotation": {
 			oldSetting: v3.Setting{
 				ObjectMeta: metav1.ObjectMeta{
@@ -582,8 +616,8 @@ func TestValidateAgentTLSMode(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
 			clusterCache := fake.NewMockNonNamespacedCacheInterface[*v3.Cluster](ctrl)
-			_, force := tc.newSetting.Annotations["cattle.io/force"]
-			if tc.operation == v1.Update && !force && len(tc.clusters) > 0 {
+			force := tc.newSetting.Annotations["cattle.io/force"]
+			if tc.operation == v1.Update && force != "true" && len(tc.clusters) > 0 {
 				clusterCache.EXPECT().List(gomock.Any()).Return(tc.clusters, nil)
 			}
 			if tc.clusterListerFails {