Make TrustedCA.Key required if provided

dtantsur · dtantsur · commit 318c3929ad1c · 2026-03-20T16:03:59.000+01:00
Assisted-By: Claude Code (commercial license)
Signed-off-by: Dmitry Tantsur &lt;dtantsur@protonmail.com&gt;
diff --git a/pkg/ironic/ironic.go b/pkg/ironic/ironic.go
@@ -178,7 +178,7 @@ func removeIronicDeployment(cctx ControllerContext, ironic *metal3api.Ironic) er
 
 // EnsureIronic deploys Ironic either as a Deployment or as a DaemonSet.
 func EnsureIronic(cctx ControllerContext, resources Resources) (status Status, err error) {
-	if validationErr := ValidateIronic(&resources.Ironic.Spec, nil); validationErr != nil {
+	if validationErr := resources.Validate(); validationErr != nil {
 		status = Status{Fatal: validationErr}
 		return status, nil //nolint:nilerr // validation errors are reported in status, not as return error
 	}
diff --git a/pkg/ironic/validation.go b/pkg/ironic/validation.go
@@ -186,3 +186,42 @@ func validateCASettings(tls *metal3api.TLS) error {
 
 	return nil
 }
+
+// Validate all resources before using them. This method is a superset of
+// ValidateIronic with validations that require access to linked resources.
+func (resources *Resources) Validate() error {
+	if err := ValidateIronic(&resources.Ironic.Spec, nil); err != nil {
+		return err
+	}
+
+	if resources.Ironic.Spec.TLS.TrustedCA != nil {
+		key := resources.Ironic.Spec.TLS.TrustedCA.Key
+		if key != "" && !resources.hasTrustedCAKey(key) {
+			return fmt.Errorf("resources referenced in tls.trustedCA does not contain the required key %s", key)
+		}
+	}
+
+	return nil
+}
+
+func (resources *Resources) hasTrustedCAKey(key string) bool {
+	switch {
+	case resources.TrustedCASecret != nil:
+		for found := range resources.TrustedCASecret.Data {
+			if found == key {
+				return true
+			}
+		}
+	case resources.TrustedCAConfigMap != nil:
+		for found := range resources.TrustedCAConfigMap.Data {
+			if found == key {
+				return true
+			}
+		}
+	default:
+		// Cannot happen in reality but just in case
+		return true
+	}
+
+	return false
+}
diff --git a/pkg/ironic/validation_test.go b/pkg/ironic/validation_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
 
 	metal3api "github.com/metal3-io/ironic-standalone-operator/api/v1alpha1"
 )
@@ -493,3 +494,163 @@ func TestValidateCASettings(t *testing.T) {
 		})
 	}
 }
+
+func TestResourcesValidate(t *testing.T) {
+	testCases := []struct {
+		Scenario      string
+		Resources     Resources
+		ExpectedError string
+	}{
+		{
+			Scenario: "minimal valid resources",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{},
+			},
+		},
+		{
+			Scenario: "trustedCA secret with matching key",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{
+					Spec: metal3api.IronicSpec{
+						TLS: metal3api.TLS{
+							TrustedCA: &metal3api.ResourceReferenceWithKey{
+								ResourceReference: metal3api.ResourceReference{
+									Name: "my-ca",
+									Kind: metal3api.ResourceKindSecret,
+								},
+								Key: "ca.crt",
+							},
+						},
+					},
+				},
+				TrustedCASecret: &corev1.Secret{
+					Data: map[string][]byte{
+						"ca.crt": []byte("cert-data"),
+					},
+				},
+			},
+		},
+		{
+			Scenario: "trustedCA secret with missing key",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{
+					Spec: metal3api.IronicSpec{
+						TLS: metal3api.TLS{
+							TrustedCA: &metal3api.ResourceReferenceWithKey{
+								ResourceReference: metal3api.ResourceReference{
+									Name: "my-ca",
+									Kind: metal3api.ResourceKindSecret,
+								},
+								Key: "missing-key",
+							},
+						},
+					},
+				},
+				TrustedCASecret: &corev1.Secret{
+					Data: map[string][]byte{
+						"ca.crt": []byte("cert-data"),
+					},
+				},
+			},
+			ExpectedError: "does not contain the required key missing-key",
+		},
+		{
+			Scenario: "trustedCA configmap with matching key",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{
+					Spec: metal3api.IronicSpec{
+						TLS: metal3api.TLS{
+							TrustedCA: &metal3api.ResourceReferenceWithKey{
+								ResourceReference: metal3api.ResourceReference{
+									Name: "my-ca",
+									Kind: metal3api.ResourceKindConfigMap,
+								},
+								Key: "ca-bundle.crt",
+							},
+						},
+					},
+				},
+				TrustedCAConfigMap: &corev1.ConfigMap{
+					Data: map[string]string{
+						"ca-bundle.crt": "cert-data",
+					},
+				},
+			},
+		},
+		{
+			Scenario: "trustedCA configmap with missing key",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{
+					Spec: metal3api.IronicSpec{
+						TLS: metal3api.TLS{
+							TrustedCA: &metal3api.ResourceReferenceWithKey{
+								ResourceReference: metal3api.ResourceReference{
+									Name: "my-ca",
+									Kind: metal3api.ResourceKindConfigMap,
+								},
+								Key: "missing-key",
+							},
+						},
+					},
+				},
+				TrustedCAConfigMap: &corev1.ConfigMap{
+					Data: map[string]string{
+						"ca-bundle.crt": "cert-data",
+					},
+				},
+			},
+			ExpectedError: "does not contain the required key missing-key",
+		},
+		{
+			Scenario: "trustedCA with empty key skips key check",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{
+					Spec: metal3api.IronicSpec{
+						TLS: metal3api.TLS{
+							TrustedCA: &metal3api.ResourceReferenceWithKey{
+								ResourceReference: metal3api.ResourceReference{
+									Name: "my-ca",
+									Kind: metal3api.ResourceKindConfigMap,
+								},
+							},
+						},
+					},
+				},
+				TrustedCAConfigMap: &corev1.ConfigMap{
+					Data: map[string]string{
+						"ca-bundle.crt": "cert-data",
+					},
+				},
+			},
+		},
+		{
+			Scenario: "trustedCA without resource defaults to valid",
+			Resources: Resources{
+				Ironic: &metal3api.Ironic{
+					Spec: metal3api.IronicSpec{
+						TLS: metal3api.TLS{
+							TrustedCA: &metal3api.ResourceReferenceWithKey{
+								ResourceReference: metal3api.ResourceReference{
+									Name: "my-ca",
+									Kind: metal3api.ResourceKindConfigMap,
+								},
+								Key: "ca.crt",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Scenario, func(t *testing.T) {
+			err := tc.Resources.Validate()
+			if tc.ExpectedError == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.ErrorContains(t, err, tc.ExpectedError)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,7 @@ func removeIronicDeployment(cctx ControllerContext, ironic *metal3api.Ironic) er`
`178`	`178`
`179`	`179`	`// EnsureIronic deploys Ironic either as a Deployment or as a DaemonSet.`
`180`	`180`	`func EnsureIronic(cctx ControllerContext, resources Resources) (status Status, err error) {`
`181`		`- if validationErr := ValidateIronic(&resources.Ironic.Spec, nil); validationErr != nil {`
	`181`	`+ if validationErr := resources.Validate(); validationErr != nil {`
`182`	`182`	`status = Status{Fatal: validationErr}`
`183`	`183`	`return status, nil //nolint:nilerr // validation errors are reported in status, not as return error`
`184`	`184`	`}`