Replace TestReconcileCerts owner reference test with Kuttl test

This creates a Kuttl test to verify proper owner references are
set on the root CA certificate secret which replaces the current
EnvTest implementation.

Issue: [sc-14269]

Author: tjmoore4

internal/controller/postgrescluster/pki_test.go

@@ -25,16 +25,13 @@ import (
 	"reflect"
 	"strings"
 	"testing"
-	"time"
 
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/crunchydata/postgres-operator/internal/naming"
@@ -43,6 +40,11 @@ import (
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
+// TestReconcileCerts tests the proper reconciliation of the root ca certificate
+// secret, leaf certificate secrets and the updates that occur when updates are
+// made to the cluster certificates generally. For the removal of ownership
+// references and deletion of the root CA cert secret, a separate Kuttl test is
+// used due to the need for proper garbage collection.
 func TestReconcileCerts(t *testing.T) {
 	// Garbage collector cleans up test resources before the test completes
 	if strings.EqualFold(os.Getenv("USE_EXISTING_CLUSTER"), "true") {
@@ -137,38 +139,6 @@ func TestReconcileCerts(t *testing.T) {
 			}
 		})
 
-		t.Run("remove owner references after deleting first cluster", func(t *testing.T) {
-
-			if !strings.EqualFold(os.Getenv("USE_EXISTING_CLUSTER"), "true") {
-				t.Skip("requires a running garbage collection controller")
-			}
-
-			err = tClient.Get(ctx, client.ObjectKeyFromObject(cluster1), cluster1)
-			assert.NilError(t, err)
-
-			err = tClient.Delete(ctx, cluster1)
-			assert.NilError(t, err)
-
-			err = wait.Poll(time.Second/2, Scale(time.Second*15), func() (bool, error) {
-				err := tClient.Get(ctx, client.ObjectKeyFromObject(rootSecret), rootSecret)
-				return len(rootSecret.ObjectMeta.OwnerReferences) == 1, err
-			})
-			assert.NilError(t, err)
-
-			assert.Check(t, len(rootSecret.ObjectMeta.OwnerReferences) == 1, "owner reference not removed")
-
-			expectedOR := metav1.OwnerReference{
-				APIVersion: "postgres-operator.crunchydata.com/v1beta1",
-				Kind:       "PostgresCluster",
-				Name:       "hippocluster2",
-				UID:        cluster2.UID,
-			}
-
-			if len(rootSecret.ObjectMeta.OwnerReferences) > 0 {
-				assert.Equal(t, rootSecret.ObjectMeta.OwnerReferences[0], expectedOR)
-			}
-		})
-
 		t.Run("root certificate is returned correctly", func(t *testing.T) {
 
 			fromSecret, err := getCertFromSecret(ctx, tClient, naming.RootCertSecret, namespace, "root.crt")
@@ -202,28 +172,6 @@ func TestReconcileCerts(t *testing.T) {
 			assert.DeepEqual(t, fromSecret, returnedRoot.Certificate)
 		})
 
-		t.Run("root CA secret is deleted after final cluster is deleted", func(t *testing.T) {
-
-			if !strings.EqualFold(os.Getenv("USE_EXISTING_CLUSTER"), "true") {
-				t.Skip("requires a running garbage collection controller")
-			}
-
-			err = tClient.Get(ctx, client.ObjectKeyFromObject(cluster2), cluster2)
-			assert.NilError(t, err)
-
-			err = tClient.Delete(ctx, cluster2)
-			assert.NilError(t, err)
-
-			err = wait.Poll(time.Second/2, Scale(time.Second*15), func() (bool, error) {
-				if err := tClient.Get(ctx,
-					client.ObjectKeyFromObject(rootSecret), rootSecret); apierrors.ReasonForError(err) == metav1.StatusReasonNotFound {
-					return true, err
-				}
-				return false, nil
-			})
-			assert.Assert(t, apierrors.IsNotFound(err))
-		})
-
 	})
 
 	t.Run("check leaf certificate reconciliation", func(t *testing.T) {

testing/kuttl/e2e/root-cert-ownership/00--cluster.yaml

@@ -0,0 +1,35 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner1
+  labels: { postgres-operator-test: kuttl }
+spec:
+  postgresVersion: ${KUTTL_PG_VERSION}
+  instances:
+    - name: instance1
+      replicas: 1
+      dataVolumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
+  backups:
+    pgbackrest:
+      repos:
+      - name: repo1
+        volume:
+          volumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner2
+  labels: { postgres-operator-test: kuttl }
+spec:
+  postgresVersion: ${KUTTL_PG_VERSION}
+  instances:
+    - name: instance1
+      replicas: 1
+      dataVolumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
+  backups:
+    pgbackrest:
+      repos:
+      - name: repo1
+        volume:
+          volumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }

testing/kuttl/e2e/root-cert-ownership/00-assert.yaml

@@ -0,0 +1,26 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner1
+status:
+  instances:
+    - name: instance1
+      readyReplicas: 1
+      replicas: 1
+      updatedReplicas: 1
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner2
+status:
+  instances:
+    - name: instance1
+      readyReplicas: 1
+      replicas: 1
+      updatedReplicas: 1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pgo-root-cacert

testing/kuttl/e2e/root-cert-ownership/01-check-owners.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  # Get a list of the current owners of the root ca cert secret and verify that
+  # both owners are listed.
+  - script: |
+      CURRENT_OWNERS=$(kubectl --namespace="${NAMESPACE}" get secret \
+        pgo-root-cacert -o jsonpath='{.metadata.ownerReferences[*].name}')
+      if [[ "$CURRENT_OWNERS" != *"owner1"* ]]; then
+          exit 1
+      fi
+      if [[ "$CURRENT_OWNERS" != *"owner2"* ]]; then
+          exit 1
+      fi

testing/kuttl/e2e/root-cert-ownership/02--delete-owner1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: postgres-operator.crunchydata.com/v1beta1
+  kind: PostgresCluster
+  name: owner1

testing/kuttl/e2e/root-cert-ownership/02-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner2
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pgo-root-cacert

testing/kuttl/e2e/root-cert-ownership/02-errors.yaml

@@ -0,0 +1,4 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner1

testing/kuttl/e2e/root-cert-ownership/03-check-owners.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  # Get a list of the current owners of the root ca cert secret and verify that
+  # owner1 is no longer listed and owner2 is found.
+  - script: |
+      sleep 2 # this sleep allows time for the owner reference list to be updated
+      CURRENT_OWNERS=$(kubectl --namespace="${NAMESPACE}" get secret \
+        pgo-root-cacert -o jsonpath='{.metadata.ownerReferences[*].name}')
+      if [[ "$CURRENT_OWNERS" == *"owner1"* ]]; then
+          exit 1
+      fi
+      if [[ "$CURRENT_OWNERS" != *"owner2"* ]]; then
+          exit 1
+      fi

testing/kuttl/e2e/root-cert-ownership/04--delete-owner2.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: postgres-operator.crunchydata.com/v1beta1
+  kind: PostgresCluster
+  name: owner2

testing/kuttl/e2e/root-cert-ownership/04-errors.yaml

@@ -0,0 +1,9 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner1
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: owner2

testing/kuttl/e2e/root-cert-ownership/05--check-secret.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  # If there are other PostgresClusters in the namespace, ensure that 'owner2'
+  # and 'owner2' are not listed.
+  # If there are no other PostgresClusters in the namespace, the 'pgo-root-cacert'
+  # secret should be deleted.
+  - script: |
+      NUM_CLUSTERS=$(kubectl --namespace="${NAMESPACE}" get postgrescluster --output name | wc -l)
+      if [[ "$NUM_CLUSTERS" != 0 ]]; then
+          CURRENT_OWNERS=$(kubectl --namespace="${NAMESPACE}" get secret \
+            pgo-root-cacert -o jsonpath='{.metadata.ownerReferences[*].name}')
+          if [[ "$CURRENT_OWNERS" == *"owner1"* ]]; then
+              exit 1
+          fi
+          if [[ "$CURRENT_OWNERS" == *"owner2"* ]]; then
+              exit 1
+          fi
+      else
+          ROOT_SECRET=$(kubectl --namespace="${NAMESPACE}" get --ignore-not-found \
+            secret pgo-root-cacert --output name | wc -l)
+          if [[ "$ROOT_SECRET" != 0 ]]; then
+              exit 1
+          fi
+      fi

testing/kuttl/e2e/root-cert-ownership/README.md

@@ -0,0 +1,23 @@
+### Root Certificate Ownership Test
+
+This Kuttl routine runs through the following steps:
+
+#### Create two clusters and verify the root certificate secret ownership
+
+- 00: Creates the two clusters and verifies they and the root cert secret exist
+- 01: Check that the secret shows both clusters as owners
+
+#### Delete the first cluster and verify the root certificate secret ownership
+
+- 02: Delete the first cluster, assert that the second cluster and the root cert
+secret are still present and that the first cluster is not present
+- 03: Check that the secret shows the second cluster as an owner but does not show
+the first cluster as an owner
+
+#### Delete the second cluster and verify the root certificate secret ownership
+
+- 04: Delete the second cluster, assert that both clusters are not present
+- 05: Check the number of clusters in the namespace. If there are any remaining
+clusters, ensure that the secret shows neither the first nor second cluster as an
+owner. If there are no clusters remaining in the namespace, ensure the root cert
+secret has been deleted.