fix: force insecure: false with additionalTrustBundle

dkoshkin · dkoshkin · commit 0d6a9b13e2ab · 2024-04-04T12:15:24.000-07:00
diff --git a/pkg/handlers/nutanix/mutation/prismcentralendpoint/inject.go b/pkg/handlers/nutanix/mutation/prismcentralendpoint/inject.go
@@ -122,6 +122,13 @@ func (h *nutanixPrismCentralEndpoint) Mutate(
 				}
 			}
 
+			// Always force insecure to false if additional trust bundle is provided.
+			// This ensures that the trust bundle is actually used to validate the connection.
+			if additionalTrustBundle != "" && prismCentral.Insecure {
+				log.Info("AdditionalTrustBundle is provided, setting insecure to false")
+				prismCentral.Insecure = false
+			}
+
 			obj.Spec.Template.Spec.PrismCentral = prismCentral
 
 			return nil
diff --git a/pkg/handlers/nutanix/mutation/prismcentralendpoint/tests/generate_patches.go b/pkg/handlers/nutanix/mutation/prismcentralendpoint/tests/generate_patches.go
@@ -34,14 +34,48 @@ func TestGeneratePatches(
 			Name: "unset variable",
 		},
 		capitest.PatchTestDef{
-			Name: "all fields set",
+			Name: "all required fields set",
 			Vars: []runtimehooksv1.Variable{
 				capitest.VariableWithValue(
 					variableName,
 					v1alpha1.NutanixPrismCentralEndpointSpec{
 						Host:     "prism-central.nutanix.com",
 						Port:     9441,
-						Insecure: false,
+						Insecure: true,
+						Credentials: corev1.LocalObjectReference{
+							Name: "credentials",
+						},
+					},
+					variablePath...,
+				),
+			},
+			RequestItem: request.NewNutanixClusterTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "replace",
+					Path:      "/spec/template/spec/prismCentral",
+					ValueMatcher: gomega.SatisfyAll(
+						gomega.HaveKeyWithValue(
+							"address",
+							gomega.BeEquivalentTo("prism-central.nutanix.com"),
+						),
+						gomega.HaveKeyWithValue("port", gomega.BeEquivalentTo(9441)),
+						gomega.HaveKeyWithValue("insecure", true),
+						gomega.HaveKey("credentialRef"),
+						gomega.Not(gomega.HaveKey("additionalTrustBundle")),
+					),
+				},
+			},
+		},
+		capitest.PatchTestDef{
+			Name: "additional trust bundle is set",
+			Vars: []runtimehooksv1.Variable{
+				capitest.VariableWithValue(
+					variableName,
+					v1alpha1.NutanixPrismCentralEndpointSpec{
+						Host:     "prism-central.nutanix.com",
+						Port:     9441,
+						Insecure: true,
 						Credentials: corev1.LocalObjectReference{
 							Name: "credentials",
 						},
@@ -61,6 +95,7 @@ func TestGeneratePatches(
 							gomega.BeEquivalentTo("prism-central.nutanix.com"),
 						),
 						gomega.HaveKeyWithValue("port", gomega.BeEquivalentTo(9441)),
+						// Assert the insecure field was set to false as the additional trust bundle is set
 						gomega.HaveKeyWithValue("insecure", false),
 						gomega.HaveKey("credentialRef"),
 						gomega.HaveKey("additionalTrustBundle"),

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,13 @@ func (h *nutanixPrismCentralEndpoint) Mutate(`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`
	`125`	`+ // Always force insecure to false if additional trust bundle is provided.`
	`126`	`+ // This ensures that the trust bundle is actually used to validate the connection.`
	`127`	`+ if additionalTrustBundle != "" && prismCentral.Insecure {`
	`128`	`+ log.Info("AdditionalTrustBundle is provided, setting insecure to false")`
	`129`	`+ prismCentral.Insecure = false`
	`130`	`+ }`
	`131`	`+`
`125`	`132`	`obj.Spec.Template.Spec.PrismCentral = prismCentral`
`126`	`133`
`127`	`134`	`return nil`