test: add unit tests for external CA support

Add 13 new tests covering reconcileExternalCA, buildExternalCAHTTPClient,
and external CA phase acceptance in the certificate controller.

- testutil_test.go: add caOption type with withExternal, withExternalCASecret,
  withExternalTLSSecret, withExternalInsecureSkipVerify options
- certificateauthority_controller_test.go: 6 tests for external CA reconciler
  (basic flow, custom CA secret, missing secret, missing key, no PVC/Job, no Config)
- certificate_controller_test.go: 1 test for External phase acceptance
- certificate_signing_test.go: 6 tests for buildExternalCAHTTPClient
  (minimal, insecure skip verify, CA secret, missing secret, mTLS, missing key)

Author: slauger

internal/controller/certificate_controller_test.go

@@ -129,3 +129,35 @@ func TestCertReconcile_PhasePending(t *testing.T) {
 		t.Errorf("expected phase %q, got %q", openvoxv1alpha1.CertificatePhasePending, updated.Status.Phase)
 	}
 }
+
+func TestCertReconcile_CAExternalPhase_Accepted(t *testing.T) {
+	cert := newCertificate("my-cert", "ext-ca", "")
+	ca := newCertificateAuthority("ext-ca", withExternal("https://puppet-ca.example.com:8140"))
+	ca.Status.Phase = openvoxv1alpha1.CertificateAuthorityPhaseExternal
+	// Pre-create the TLS secret so reconcile completes without HTTP calls
+	tlsSecret := newSecret("my-cert-tls", map[string][]byte{
+		"cert.pem": []byte("signed-cert"),
+		"key.pem":  []byte("private-key"),
+	})
+
+	c := setupTestClient(cert, ca, tlsSecret)
+	r := newCertificateReconciler(c)
+
+	res, err := r.Reconcile(testCtx(), testRequest("my-cert"))
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	// Should NOT requeue with 10s (that would mean CA was treated as not-ready)
+	if res.RequeueAfter == 10*time.Second {
+		t.Error("certificate should not wait for CA when phase is External")
+	}
+
+	updated := &openvoxv1alpha1.Certificate{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "my-cert", Namespace: testNamespace}, updated); err != nil {
+		t.Fatalf("failed to get Certificate: %v", err)
+	}
+	if updated.Status.Phase != openvoxv1alpha1.CertificatePhaseSigned {
+		t.Errorf("expected phase %q, got %q", openvoxv1alpha1.CertificatePhaseSigned, updated.Status.Phase)
+	}
+}

internal/controller/certificate_signing_test.go

@@ -1,8 +1,17 @@
 package controller
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net/http"
 	"testing"
 	"time"
+
+	openvoxv1alpha1 "github.com/slauger/openvox-operator/api/v1alpha1"
 )
 
 func TestCSRPollBackoff(t *testing.T) {
@@ -32,3 +41,145 @@ func TestCSRPollBackoff(t *testing.T) {
 		}
 	}
 }
+
+// generateTestCert creates a self-signed CA certificate and key pair for testing.
+// Returns PEM-encoded certificate, PEM-encoded private key.
+func generateTestCert(t *testing.T) ([]byte, []byte) {
+	t.Helper()
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("generating test key: %v", err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "test-ca"},
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(24 * time.Hour),
+		IsCA:         true,
+		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("creating test certificate: %v", err)
+	}
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
+	return certPEM, keyPEM
+}
+
+func TestBuildExternalCAHTTPClient_Minimal(t *testing.T) {
+	ext := &openvoxv1alpha1.ExternalCASpec{
+		URL: "https://puppet-ca.example.com:8140",
+	}
+	c := setupTestClient()
+
+	httpClient, err := buildExternalCAHTTPClient(testCtx(), c, ext, testNamespace)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if httpClient == nil {
+		t.Fatal("expected non-nil HTTP client")
+	}
+
+	transport := httpClient.Transport.(*http.Transport)
+	if transport.TLSClientConfig.InsecureSkipVerify {
+		t.Error("expected InsecureSkipVerify=false")
+	}
+	if transport.TLSClientConfig.RootCAs != nil {
+		t.Error("expected no custom RootCAs")
+	}
+}
+
+func TestBuildExternalCAHTTPClient_InsecureSkipVerify(t *testing.T) {
+	ext := &openvoxv1alpha1.ExternalCASpec{
+		URL:                "https://puppet-ca.example.com:8140",
+		InsecureSkipVerify: true,
+	}
+	c := setupTestClient()
+
+	httpClient, err := buildExternalCAHTTPClient(testCtx(), c, ext, testNamespace)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	transport := httpClient.Transport.(*http.Transport)
+	if !transport.TLSClientConfig.InsecureSkipVerify {
+		t.Error("expected InsecureSkipVerify=true")
+	}
+}
+
+func TestBuildExternalCAHTTPClient_WithCASecret(t *testing.T) {
+	certPEM, _ := generateTestCert(t)
+	caSecret := newSecret("ca-secret", map[string][]byte{
+		"ca_crt.pem": certPEM,
+	})
+	ext := &openvoxv1alpha1.ExternalCASpec{
+		URL:         "https://puppet-ca.example.com:8140",
+		CASecretRef: "ca-secret",
+	}
+	c := setupTestClient(caSecret)
+
+	httpClient, err := buildExternalCAHTTPClient(testCtx(), c, ext, testNamespace)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	transport := httpClient.Transport.(*http.Transport)
+	if transport.TLSClientConfig.RootCAs == nil {
+		t.Error("expected custom RootCAs pool")
+	}
+}
+
+func TestBuildExternalCAHTTPClient_CASecretNotFound(t *testing.T) {
+	ext := &openvoxv1alpha1.ExternalCASpec{
+		URL:         "https://puppet-ca.example.com:8140",
+		CASecretRef: "missing-secret",
+	}
+	c := setupTestClient()
+
+	_, err := buildExternalCAHTTPClient(testCtx(), c, ext, testNamespace)
+	if err == nil {
+		t.Fatal("expected error when CA secret is missing")
+	}
+}
+
+func TestBuildExternalCAHTTPClient_WithTLSSecret(t *testing.T) {
+	certPEM, keyPEM := generateTestCert(t)
+	tlsSecret := newSecret("tls-secret", map[string][]byte{
+		"tls.crt": certPEM,
+		"tls.key": keyPEM,
+	})
+	ext := &openvoxv1alpha1.ExternalCASpec{
+		URL:          "https://puppet-ca.example.com:8140",
+		TLSSecretRef: "tls-secret",
+	}
+	c := setupTestClient(tlsSecret)
+
+	httpClient, err := buildExternalCAHTTPClient(testCtx(), c, ext, testNamespace)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	transport := httpClient.Transport.(*http.Transport)
+	if len(transport.TLSClientConfig.Certificates) != 1 {
+		t.Errorf("expected 1 client certificate, got %d", len(transport.TLSClientConfig.Certificates))
+	}
+}
+
+func TestBuildExternalCAHTTPClient_TLSSecretMissingKey(t *testing.T) {
+	certPEM, _ := generateTestCert(t)
+	// Secret has tls.crt but missing tls.key
+	tlsSecret := newSecret("tls-secret", map[string][]byte{
+		"tls.crt": certPEM,
+	})
+	ext := &openvoxv1alpha1.ExternalCASpec{
+		URL:          "https://puppet-ca.example.com:8140",
+		TLSSecretRef: "tls-secret",
+	}
+	c := setupTestClient(tlsSecret)
+
+	_, err := buildExternalCAHTTPClient(testCtx(), c, ext, testNamespace)
+	if err == nil {
+		t.Fatal("expected error when TLS secret is missing tls.key")
+	}
+}

internal/controller/certificateauthority_controller_test.go

@@ -351,3 +351,156 @@ func TestResolveCAJobResources_Custom(t *testing.T) {
 		t.Errorf("expected memory limit 2Gi, got %s", res.Limits.Memory().String())
 	}
 }
+
+// --- External CA tests ---
+
+func TestCAReconcile_ExternalCA_Basic(t *testing.T) {
+	ca := newCertificateAuthority("ext-ca", withExternal("https://puppet-ca.example.com:8140"))
+	ca.Status.Phase = "" // reset to trigger initial phase
+	c := setupTestClient(ca)
+	r := newCertificateAuthorityReconciler(c)
+
+	if _, err := r.Reconcile(testCtx(), testRequest("ext-ca")); err != nil {
+		t.Fatalf("reconcile error: %v", err)
+	}
+
+	updated := &openvoxv1alpha1.CertificateAuthority{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "ext-ca", Namespace: testNamespace}, updated); err != nil {
+		t.Fatalf("failed to get CA: %v", err)
+	}
+
+	if updated.Status.Phase != openvoxv1alpha1.CertificateAuthorityPhaseExternal {
+		t.Errorf("expected phase %q, got %q", openvoxv1alpha1.CertificateAuthorityPhaseExternal, updated.Status.Phase)
+	}
+	if updated.Status.CASecretName != "ext-ca-ca" {
+		t.Errorf("expected CASecretName %q, got %q", "ext-ca-ca", updated.Status.CASecretName)
+	}
+
+	// Verify CAReady condition with ExternalCA reason
+	found := false
+	for _, cond := range updated.Status.Conditions {
+		if cond.Type == openvoxv1alpha1.ConditionCAReady {
+			found = true
+			if cond.Status != "True" {
+				t.Errorf("expected condition status True, got %q", cond.Status)
+			}
+			if cond.Reason != "ExternalCA" {
+				t.Errorf("expected condition reason ExternalCA, got %q", cond.Reason)
+			}
+		}
+	}
+	if !found {
+		t.Error("CAReady condition not set")
+	}
+}
+
+func TestCAReconcile_ExternalCA_WithCASecretRef(t *testing.T) {
+	ca := newCertificateAuthority("ext-ca",
+		withExternal("https://puppet-ca.example.com:8140"),
+		withExternalCASecret("my-custom-ca-secret"),
+	)
+	ca.Status.Phase = ""
+	caSecret := newSecret("my-custom-ca-secret", map[string][]byte{
+		"ca_crt.pem": []byte("ca-cert-data"),
+	})
+	c := setupTestClient(ca, caSecret)
+	r := newCertificateAuthorityReconciler(c)
+
+	if _, err := r.Reconcile(testCtx(), testRequest("ext-ca")); err != nil {
+		t.Fatalf("reconcile error: %v", err)
+	}
+
+	updated := &openvoxv1alpha1.CertificateAuthority{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "ext-ca", Namespace: testNamespace}, updated); err != nil {
+		t.Fatalf("failed to get CA: %v", err)
+	}
+
+	if updated.Status.CASecretName != "my-custom-ca-secret" {
+		t.Errorf("expected CASecretName %q, got %q", "my-custom-ca-secret", updated.Status.CASecretName)
+	}
+}
+
+func TestCAReconcile_ExternalCA_CASecretNotFound(t *testing.T) {
+	ca := newCertificateAuthority("ext-ca",
+		withExternal("https://puppet-ca.example.com:8140"),
+		withExternalCASecret("missing-secret"),
+	)
+	ca.Status.Phase = ""
+	c := setupTestClient(ca)
+	r := newCertificateAuthorityReconciler(c)
+
+	res, err := r.Reconcile(testCtx(), testRequest("ext-ca"))
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if res.RequeueAfter != 5*time.Second {
+		t.Errorf("expected requeue after 5s, got %v", res.RequeueAfter)
+	}
+}
+
+func TestCAReconcile_ExternalCA_CASecretMissingKey(t *testing.T) {
+	ca := newCertificateAuthority("ext-ca",
+		withExternal("https://puppet-ca.example.com:8140"),
+		withExternalCASecret("bad-secret"),
+	)
+	ca.Status.Phase = ""
+	// Secret exists but lacks the ca_crt.pem key
+	badSecret := newSecret("bad-secret", map[string][]byte{
+		"wrong-key": []byte("data"),
+	})
+	c := setupTestClient(ca, badSecret)
+	r := newCertificateAuthorityReconciler(c)
+
+	res, err := r.Reconcile(testCtx(), testRequest("ext-ca"))
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if res.RequeueAfter != 5*time.Second {
+		t.Errorf("expected requeue after 5s, got %v", res.RequeueAfter)
+	}
+}
+
+func TestCAReconcile_ExternalCA_SkipsPVCAndJob(t *testing.T) {
+	ca := newCertificateAuthority("ext-ca", withExternal("https://puppet-ca.example.com:8140"))
+	ca.Status.Phase = ""
+	c := setupTestClient(ca)
+	r := newCertificateAuthorityReconciler(c)
+
+	if _, err := r.Reconcile(testCtx(), testRequest("ext-ca")); err != nil {
+		t.Fatalf("reconcile error: %v", err)
+	}
+
+	// No PVC should be created
+	pvc := &corev1.PersistentVolumeClaim{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "ext-ca-data", Namespace: testNamespace}, pvc); err == nil {
+		t.Error("expected no PVC for external CA, but one was created")
+	}
+
+	// No Job should be created
+	job := &batchv1.Job{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "ext-ca-ca-setup", Namespace: testNamespace}, job); err == nil {
+		t.Error("expected no Job for external CA, but one was created")
+	}
+}
+
+func TestCAReconcile_ExternalCA_NoConfigRequired(t *testing.T) {
+	// External CA should work without any Config object (unlike internal CA which requires it)
+	ca := newCertificateAuthority("ext-ca", withExternal("https://puppet-ca.example.com:8140"))
+	ca.Status.Phase = ""
+	c := setupTestClient(ca) // no Config object
+	r := newCertificateAuthorityReconciler(c)
+
+	if _, err := r.Reconcile(testCtx(), testRequest("ext-ca")); err != nil {
+		t.Fatalf("reconcile error: %v", err)
+	}
+
+	updated := &openvoxv1alpha1.CertificateAuthority{}
+	if err := c.Get(testCtx(), types.NamespacedName{Name: "ext-ca", Namespace: testNamespace}, updated); err != nil {
+		t.Fatalf("failed to get CA: %v", err)
+	}
+
+	// Should reach External phase without a Config
+	if updated.Status.Phase != openvoxv1alpha1.CertificateAuthorityPhaseExternal {
+		t.Errorf("expected phase %q, got %q", openvoxv1alpha1.CertificateAuthorityPhaseExternal, updated.Status.Phase)
+	}
+}