fix: skip kubeadm CA file when Secret doesn't have a CA (#752)

**What problem does this PR solve?**:
Found a bug when testing with a mirror registry where it doesn't have
the CA key set in the Secret.
The handler incorrectly generated a patch to add `/etc/certs/...` file
with a Secret source and key `ca.crt`, however its possible that the
Secret does not have that key set.
Example of an incorrect file:
```
  - contentFrom:
      secret:
        key: ca.crt
        name: e2e-aws-ag-cc-test-1719374309-image-registry-mirror-credentials
    path: /etc/certs/999867407951.dkr.ecr.us-west-2.amazonaws.com-e2e-aws-ag-cc-test-1719374309.pem
    permissions: "0600"
```
This led to CAPI failing because `ca.crt` did not exist in the Secret.

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->
The first commit contains a failing unit tests to cover this scenario.

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: dkoshkin

pkg/handlers/generic/mutation/mirrors/containerd_files.go

@@ -19,7 +19,7 @@ import (
 
 const (
 	containerdHostsConfigurationOnRemote = "/etc/containerd/certs.d/_default/hosts.toml"
-	secretKeyForMirrorCACert             = "ca.crt"
+	secretKeyForCACert                   = "ca.crt"
 )
 
 var (
@@ -159,7 +159,7 @@ func generateRegistryCACertFiles(
 			ContentFrom: &cabpkv1.FileSource{
 				Secret: cabpkv1.SecretFileSource{
 					Name: config.CASecretName,
-					Key:  secretKeyForMirrorCACert,
+					Key:  secretKeyForCACert,
 				},
 			},
 		})

pkg/handlers/generic/mutation/mirrors/inject.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 
+	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -193,9 +194,9 @@ func containerdConfigFromGlobalMirror(
 		)
 	}
 
-	if secret != nil {
+	if secretHasCACert(secret) {
 		configWithOptionalCACert.CASecretName = secret.Name
-		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForMirrorCACert])
+		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForCACert])
 	}
 
 	return configWithOptionalCACert, nil
@@ -225,9 +226,9 @@ func containerdConfigFromImageRegistry(
 		)
 	}
 
-	if secret != nil {
+	if secretHasCACert(secret) {
 		configWithOptionalCACert.CASecretName = secret.Name
-		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForMirrorCACert])
+		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForCACert])
 	}
 
 	return configWithOptionalCACert, nil
@@ -271,3 +272,12 @@ func needContainerdConfiguration(configs []containerdConfig) bool {
 
 	return false
 }
+
+func secretHasCACert(secret *corev1.Secret) bool {
+	if secret == nil {
+		return false
+	}
+
+	_, ok := secret.Data[secretKeyForCACert]
+	return ok
+}

pkg/handlers/generic/mutation/mirrors/inject_test.go

@@ -22,11 +22,8 @@ import (
 )
 
 const (
-	validMirrorCASecretName = "myregistry-mirror-cacert"
-	//nolint:gosec // Does not contain hard coded credentials.
-	cpRegistryAsMirrorCreds = "kubeadmControlPlaneRegistryAsMirrorCreds"
-	//nolint:gosec // Does not contain hard coded credentials.
-	workerRegistryAsMirrorCreds = "kubeadmConfigTemplateRegistryAsMirrorCreds"
+	validMirrorCASecretName   = "myregistry-mirror-cacert"
+	validMirrorNoCASecretName = "myregistry-mirror-no-cacert"
 )
 
 func TestMirrorsPatch(t *testing.T) {
@@ -50,7 +47,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 
 	testDefs := []capitest.PatchTestDef{
 		{
-			Name: "files added in KubeadmControlPlaneTemplate for registry with mirror without CA Certificate",
+			Name: "files added in KubeadmControlPlaneTemplate for registry with mirror without CA Certificate secret",
 			Vars: []runtimehooksv1.Variable{
 				capitest.VariableWithValue(
 					v1alpha1.ClusterConfigVariableName,
@@ -65,7 +62,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/kubeadmConfigSpec/files",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
 						gomega.HaveKeyWithValue(
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
@@ -92,12 +89,12 @@ var _ = Describe("Generate Global mirror patches", func() {
 					v1alpha1.GlobalMirrorVariableName,
 				),
 			},
-			RequestItem: request.NewKubeadmControlPlaneTemplateRequest("", cpRegistryAsMirrorCreds),
+			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
 			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/kubeadmConfigSpec/files",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
 						gomega.HaveKeyWithValue(
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
@@ -112,7 +109,74 @@ var _ = Describe("Generate Global mirror patches", func() {
 			},
 		},
 		{
-			Name: "files added in KubeadmConfigTemplate for registry mirror wihthout CA certificate",
+			Name: "files added in KubeadmControlPlaneTemplate for registry mirror with secret but missing CA certificate key",
+			Vars: []runtimehooksv1.Variable{
+				capitest.VariableWithValue(
+					v1alpha1.ClusterConfigVariableName,
+					v1alpha1.GlobalImageRegistryMirror{
+						URL: "https://registry.example.com",
+						Credentials: &v1alpha1.RegistryCredentials{
+							SecretRef: &v1alpha1.LocalObjectReference{
+								Name: validMirrorNoCASecretName,
+							},
+						},
+					},
+					v1alpha1.GlobalMirrorVariableName,
+				),
+			},
+			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/kubeadmConfigSpec/files",
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", "/etc/containerd/certs.d/_default/hosts.toml",
+						),
+						gomega.HaveKeyWithValue(
+							"path", "/etc/caren/containerd/patches/registry-config.toml",
+						),
+					),
+				},
+			},
+		},
+		{
+			Name: "files added in KubeadmControlPlaneTemplate for image registry with CA Certificate secret",
+			Vars: []runtimehooksv1.Variable{
+				capitest.VariableWithValue(
+					v1alpha1.ClusterConfigVariableName,
+					[]v1alpha1.ImageRegistry{{
+						URL: "https://registry.example.com",
+						Credentials: &v1alpha1.RegistryCredentials{
+							SecretRef: &v1alpha1.LocalObjectReference{
+								Name: validMirrorCASecretName,
+							},
+						},
+					}},
+					v1alpha1.ImageRegistriesVariableName,
+				),
+			},
+			RequestItem: request.NewKubeadmControlPlaneTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/kubeadmConfigSpec/files",
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", "/etc/containerd/certs.d/_default/hosts.toml",
+						),
+						gomega.HaveKeyWithValue(
+							"path", "/etc/certs/registry.example.com.pem",
+						),
+						gomega.HaveKeyWithValue(
+							"path", "/etc/caren/containerd/patches/registry-config.toml",
+						),
+					),
+				},
+			},
+		},
+		{
+			Name: "files added in KubeadmConfigTemplate for registry mirror without CA certificate secret",
 			Vars: []runtimehooksv1.Variable{
 				capitest.VariableWithValue(
 					v1alpha1.ClusterConfigVariableName,
@@ -135,7 +199,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/files",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
 						gomega.HaveKeyWithValue(
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
@@ -170,12 +234,95 @@ var _ = Describe("Generate Global mirror patches", func() {
 					},
 				),
 			},
-			RequestItem: request.NewKubeadmConfigTemplateRequest("", workerRegistryAsMirrorCreds),
+			RequestItem: request.NewKubeadmConfigTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/files",
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", "/etc/containerd/certs.d/_default/hosts.toml",
+						),
+						gomega.HaveKeyWithValue(
+							"path", "/etc/certs/registry.example.com.pem",
+						),
+						gomega.HaveKeyWithValue(
+							"path", "/etc/caren/containerd/patches/registry-config.toml",
+						),
+					),
+				},
+			},
+		},
+		{
+			Name: "files added in KubeadmConfigTemplate for registry mirror with secret but missing CA certificate key",
+			Vars: []runtimehooksv1.Variable{
+				capitest.VariableWithValue(
+					v1alpha1.ClusterConfigVariableName,
+					v1alpha1.GlobalImageRegistryMirror{
+						URL: "https://registry.example.com",
+						Credentials: &v1alpha1.RegistryCredentials{
+							SecretRef: &v1alpha1.LocalObjectReference{
+								Name: validMirrorNoCASecretName,
+							},
+						},
+					},
+					v1alpha1.GlobalMirrorVariableName,
+				),
+				capitest.VariableWithValue(
+					"builtin",
+					map[string]any{
+						"machineDeployment": map[string]any{
+							"class": names.SimpleNameGenerator.GenerateName("worker-"),
+						},
+					},
+				),
+			},
+			RequestItem: request.NewKubeadmConfigTemplateRequestItem(""),
 			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/files",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", "/etc/containerd/certs.d/_default/hosts.toml",
+						),
+						gomega.HaveKeyWithValue(
+							"path", "/etc/caren/containerd/patches/registry-config.toml",
+						),
+					),
+				},
+			},
+		},
+		{
+			Name: "files added in KubeadmConfigTemplate for image registry with secret for CA certificate",
+			Vars: []runtimehooksv1.Variable{
+				capitest.VariableWithValue(
+					v1alpha1.ClusterConfigVariableName,
+					[]v1alpha1.ImageRegistry{{
+						URL: "https://registry.example.com",
+						Credentials: &v1alpha1.RegistryCredentials{
+							SecretRef: &v1alpha1.LocalObjectReference{
+								Name: validMirrorCASecretName,
+							},
+						},
+					}},
+					v1alpha1.ImageRegistriesVariableName,
+				),
+				capitest.VariableWithValue(
+					"builtin",
+					map[string]any{
+						"machineDeployment": map[string]any{
+							"class": names.SimpleNameGenerator.GenerateName("worker-"),
+						},
+					},
+				),
+			},
+			RequestItem: request.NewKubeadmConfigTemplateRequestItem(""),
+			ExpectedPatchMatchers: []capitest.JSONPatchMatcher{
+				{
+					Operation: "add",
+					Path:      "/spec/template/spec/files",
+					ValueMatcher: gomega.HaveExactElements(
 						gomega.HaveKeyWithValue(
 							"path", "/etc/containerd/certs.d/_default/hosts.toml",
 						),
@@ -197,7 +344,11 @@ var _ = Describe("Generate Global mirror patches", func() {
 		gomega.Expect(err).To(gomega.BeNil())
 		gomega.Expect(client.Create(
 			ctx,
-			newMirrorSecret(validMirrorCASecretName, request.Namespace),
+			newMirrorSecretWithCA(validMirrorCASecretName, request.Namespace),
+		)).To(gomega.BeNil())
+		gomega.Expect(client.Create(
+			ctx,
+			newMirrorSecretWithoutCA(validMirrorNoCASecretName, request.Namespace),
 		)).To(gomega.BeNil())
 	})
 
@@ -207,7 +358,11 @@ var _ = Describe("Generate Global mirror patches", func() {
 		gomega.Expect(err).To(gomega.BeNil())
 		gomega.Expect(client.Delete(
 			ctx,
-			newMirrorSecret(validMirrorCASecretName, request.Namespace),
+			newMirrorSecretWithCA(validMirrorCASecretName, request.Namespace),
+		)).To(gomega.BeNil())
+		gomega.Expect(client.Delete(
+			ctx,
+			newMirrorSecretWithoutCA(validMirrorNoCASecretName, request.Namespace),
 		)).To(gomega.BeNil())
 	})
 
@@ -220,7 +375,7 @@ var _ = Describe("Generate Global mirror patches", func() {
 	}
 })
 
-func newMirrorSecret(name, namespace string) *corev1.Secret {
+func newMirrorSecretWithCA(name, namespace string) *corev1.Secret {
 	secretData := map[string][]byte{
 		"ca.crt": []byte("myCACert"),
 	}
@@ -238,6 +393,25 @@ func newMirrorSecret(name, namespace string) *corev1.Secret {
 	}
 }
 
+func newMirrorSecretWithoutCA(name, namespace string) *corev1.Secret {
+	secretData := map[string][]byte{
+		"username": []byte("user"),
+		"password": []byte("pass"),
+	}
+	return &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: secretData,
+		Type: corev1.SecretTypeOpaque,
+	}
+}
+
 func Test_needContainerdConfiguration(t *testing.T) {
 	t.Parallel()
 	tests := []struct {