Add tests for reconcile delete

Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
2022-07-25 10:29:26 +01:00 · 2022-07-25 10:29:26 +01:00 · 25b88256ef
parent eb40efea1c
commit 25b88256ef
7 changed files with 967 additions and 185 deletions
--- a/controllers/ocirepository_controller_test.go
+++ b/controllers/ocirepository_controller_test.go
@ -45,7 +45,9 @@ import (
 	"github.com/fluxcd/pkg/runtime/patch"
 	"github.com/fluxcd/pkg/untar"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
+	serror "github.com/fluxcd/source-controller/internal/error"
 	sreconcile "github.com/fluxcd/source-controller/internal/reconcile"
+	"github.com/fluxcd/source-controller/pkg/git"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/registry"
@ -57,18 +59,20 @@ import (
 	kstatus "sigs.k8s.io/cli-utils/pkg/kstatus/status"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )

 func TestOCIRepository_Reconcile(t *testing.T) {
 	g := NewWithT(t)

 	// Registry server with public images
-	regServer, err := setupRegistryServer(ctx, registryOptions{})
+	tmpDir := t.TempDir()
+	regServer, err := setupRegistryServer(ctx, tmpDir, registryOptions{})
 	if err != nil {
 		g.Expect(err).ToNot(HaveOccurred())
 	}

-	podinfoVersions, err := pushMultiplePodinfoImage(regServer.registryHost, []string{"6.1.4", "6.1.5", "6.1.6"})
+	podinfoVersions, err := pushMultiplePodinfoImages(regServer.registryHost, "6.1.4", "6.1.5", "6.1.6")

 	tests := []struct {
 		name           string
@ -374,7 +378,7 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {
 			name: "HTTPS with valid certfile",
 			want: sreconcile.ResultSuccess,
 			registryOpts: registryOptions{
-				withTlS: true,
+				withTLS: true,
 			},
 			craneOpts: []crane.Option{crane.WithTransport(&http.Transport{
 				TLSClientConfig: &tls.Config{
@ -400,7 +404,7 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {
 			want:    sreconcile.ResultEmpty,
 			wantErr: true,
 			registryOpts: registryOptions{
-				withTlS: true,
+				withTLS: true,
 			},
 			craneOpts: []crane.Option{crane.WithTransport(&http.Transport{
 				TLSClientConfig: &tls.Config{
@ -417,7 +421,7 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {
 			want:    sreconcile.ResultEmpty,
 			wantErr: true,
 			registryOpts: registryOptions{
-				withTlS: true,
+				withTLS: true,
 			},
 			craneOpts: []crane.Option{crane.WithTransport(&http.Transport{
 				TLSClientConfig: &tls.Config{
@ -455,7 +459,9 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {
 				},
 			}

-			server, err := setupRegistryServer(ctx, tt.registryOpts)
+			workspaceDir := t.TempDir()
+			server, err := setupRegistryServer(ctx, workspaceDir, tt.registryOpts)
+
 			g.Expect(err).NotTo(HaveOccurred())

 			img, err := createPodinfoImageFromTar("podinfo-6.1.6.tar", "6.1.6", server.registryHost, tt.craneOpts...)
@ -521,7 +527,6 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {

 			tmpDir := t.TempDir()
 			got, err := r.reconcileSource(ctx, obj, &sourcev1.Artifact{}, tmpDir)
-
 			if tt.wantErr {
 				g.Expect(err).ToNot(BeNil())
 			} else {
@ -534,13 +539,163 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {
 	}
 }

+func TestOCIRepository_CertSecret(t *testing.T) {
+	g := NewWithT(t)
+
+	srv, rootCertPEM, clientCertPEM, clientKeyPEM, clientTLSCert, err := createTLSServer()
+	g.Expect(err).ToNot(HaveOccurred())
+
+	srv.StartTLS()
+	defer srv.Close()
+
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{},
+	}
+	// Use the server cert as a CA cert, so the client trusts the
+	// server cert. (Only works because the server uses the same
+	// cert in both roles).
+	pool := x509.NewCertPool()
+	pool.AddCert(srv.Certificate())
+	transport.TLSClientConfig.RootCAs = pool
+	transport.TLSClientConfig.Certificates = []tls.Certificate{clientTLSCert}
+
+	srv.Client().Transport = transport
+	pi, err := createPodinfoImageFromTar("podinfo-6.1.5.tar", "6.1.5", srv.URL, []crane.Option{
+		crane.WithTransport(srv.Client().Transport),
+	}...)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	tlsSecretClientCert := corev1.Secret{
+		StringData: map[string]string{
+			CACert:     string(rootCertPEM),
+			ClientCert: string(clientCertPEM),
+			ClientKey:  string(clientKeyPEM),
+		},
+	}
+
+	tests := []struct {
+		name                  string
+		url                   string
+		digest                gcrv1.Hash
+		certSecret            *corev1.Secret
+		expectreadyconition   bool
+		expectedstatusmessage string
+	}{
+		{
+			name:                  "test connection with CACert, Client Cert and Private Key",
+			url:                   pi.url,
+			digest:                pi.digest,
+			certSecret:            &tlsSecretClientCert,
+			expectreadyconition:   true,
+			expectedstatusmessage: fmt.Sprintf("stored artifact for digest '%s'", pi.digest.Hex),
+		},
+		{
+			name:                  "test connection with no secret",
+			url:                   pi.url,
+			digest:                pi.digest,
+			expectreadyconition:   false,
+			expectedstatusmessage: "unexpected status code 400 Bad Request: Client sent an HTTP request to an HTTPS server",
+		},
+		{
+			name:   "test connection with with incorrect private key",
+			url:    pi.url,
+			digest: pi.digest,
+			certSecret: &corev1.Secret{
+				StringData: map[string]string{
+					CACert:     string(rootCertPEM),
+					ClientCert: string(clientCertPEM),
+					ClientKey:  string("invalid-key"),
+				},
+			},
+			expectreadyconition:   false,
+			expectedstatusmessage: "failed to generate transport for '<url>': tls: failed to find any PEM data in key input",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			ns, err := testEnv.CreateNamespace(ctx, "ocirepository-test")
+			g.Expect(err).ToNot(HaveOccurred())
+			defer func() { g.Expect(testEnv.Delete(ctx, ns)).To(Succeed()) }()
+
+			obj := &sourcev1.OCIRepository{
+				ObjectMeta: metav1.ObjectMeta{
+					GenerateName: "ocirepository-test-resource",
+					Namespace:    ns.Name,
+				},
+				Spec: sourcev1.OCIRepositorySpec{
+					URL:       tt.url,
+					Interval:  metav1.Duration{Duration: 60 * time.Minute},
+					Reference: &sourcev1.OCIRepositoryRef{Digest: tt.digest.String()},
+				},
+			}
+
+			if tt.certSecret != nil {
+				tt.certSecret.ObjectMeta = metav1.ObjectMeta{
+					GenerateName: "cert-secretref",
+					Namespace:    ns.Name,
+				}
+
+				g.Expect(testEnv.CreateAndWait(ctx, tt.certSecret)).To(Succeed())
+				defer func() { g.Expect(testEnv.Delete(ctx, tt.certSecret)).To(Succeed()) }()
+
+				obj.Spec.CertSecretRef = &meta.LocalObjectReference{Name: tt.certSecret.Name}
+			}
+
+			g.Expect(testEnv.Create(ctx, obj)).To(Succeed())
+
+			key := client.ObjectKey{Name: obj.Name, Namespace: obj.Namespace}
+
+			resultobj := sourcev1.OCIRepository{}
+
+			// Wait for the finalizer to be set
+			g.Eventually(func() bool {
+				if err := testEnv.Get(ctx, key, &resultobj); err != nil {
+					return false
+				}
+				return len(resultobj.Finalizers) > 0
+			}, timeout).Should(BeTrue())
+
+			// Wait for the object to fail
+			g.Eventually(func() bool {
+				if err := testEnv.Get(ctx, key, &resultobj); err != nil {
+					return false
+				}
+				readyCondition := conditions.Get(&resultobj, meta.ReadyCondition)
+				if readyCondition == nil {
+					return false
+				}
+				return obj.Generation == readyCondition.ObservedGeneration &&
+					conditions.IsReady(&resultobj) == tt.expectreadyconition
+			}, timeout).Should(BeTrue())
+
+			tt.expectedstatusmessage = strings.ReplaceAll(tt.expectedstatusmessage, "<url>", pi.url)
+
+			readyCondition := conditions.Get(&resultobj, meta.ReadyCondition)
+			g.Expect(readyCondition.Message).Should(ContainSubstring(tt.expectedstatusmessage))
+
+			// Wait for the object to be deleted
+			g.Expect(testEnv.Delete(ctx, &resultobj)).To(Succeed())
+			g.Eventually(func() bool {
+				if err := testEnv.Get(ctx, key, &resultobj); err != nil {
+					return apierrors.IsNotFound(err)
+				}
+				return false
+			}, timeout).Should(BeTrue())
+		})
+	}
+}
+
 func TestOCIRepository_reconcileSource_remoteReference(t *testing.T) {
 	g := NewWithT(t)

-	server, err := setupRegistryServer(ctx, registryOptions{})
+	tmpDir := t.TempDir()
+	server, err := setupRegistryServer(ctx, tmpDir, registryOptions{})
 	g.Expect(err).ToNot(HaveOccurred())

-	podinfoVersions, err := pushMultiplePodinfoImage(server.registryHost, []string{"6.1.4", "6.1.5", "6.1.6"})
+	podinfoVersions, err := pushMultiplePodinfoImages(server.registryHost, "6.1.4", "6.1.5", "6.1.6")
 	img6 := podinfoVersions["6.1.6"]
 	img5 := podinfoVersions["6.1.5"]

@ -700,13 +855,132 @@ func TestOCIRepository_reconcileSource_remoteReference(t *testing.T) {
 	}
 }

+func TestOCIRepository_reconcileArtifact(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name             string
+		targetPath       string
+		artifact         *sourcev1.Artifact
+		beforeFunc       func(obj *sourcev1.OCIRepository)
+		want             sreconcile.Result
+		wantErr          bool
+		assertArtifact   *sourcev1.Artifact
+		assertPaths      []string
+		assertConditions []metav1.Condition
+	}{
+		{
+			name:       "Archiving Artifact creates correct files and condition",
+			targetPath: "testdata/oci/repository",
+			artifact: &sourcev1.Artifact{
+				Revision: "revision",
+			},
+			beforeFunc: func(obj *sourcev1.OCIRepository) {
+				conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", "new digest")
+			},
+			want: sreconcile.ResultSuccess,
+			assertPaths: []string{
+				"latest.tar.gz",
+			},
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.ArtifactInStorageCondition, meta.SucceededReason, "stored artifact for digest"),
+			},
+		},
+		{
+			name: "No status changes if artifact is already present",
+			artifact: &sourcev1.Artifact{
+				Revision: "revision",
+			},
+			targetPath: "testdata/oci/repository",
+			want:       sreconcile.ResultSuccess,
+			beforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Status.Artifact = &sourcev1.Artifact{
+					Revision: "revision",
+				}
+			},
+			assertArtifact: &sourcev1.Artifact{
+				Revision: "revision",
+			},
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.ArtifactInStorageCondition, meta.SucceededReason, "stored artifact for digest"),
+			},
+		},
+		{
+			name:       "target path doesn't exist",
+			targetPath: "testdata/oci/non-existent",
+			want:       sreconcile.ResultEmpty,
+			wantErr:    true,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.StorageOperationFailedCondition, sourcev1.StatOperationFailedReason, "failed to stat source path: "),
+			},
+		},
+		{
+			name:       "target path is a file",
+			targetPath: "testdata/oci/repository/foo.txt",
+			want:       sreconcile.ResultEmpty,
+			wantErr:    true,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.StorageOperationFailedCondition, sourcev1.InvalidPathReason, "source path 'testdata/oci/repository/foo.txt' is not a directory"),
+			},
+		},
+	}
+
+	builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme())
+
+	r := &OCIRepositoryReconciler{
+		Client:        builder.Build(),
+		EventRecorder: record.NewFakeRecorder(32),
+		Storage:       testStorage,
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+
+			obj := &sourcev1.OCIRepository{
+				ObjectMeta: metav1.ObjectMeta{
+					GenerateName: "reconcile-artifact-",
+				},
+			}
+			if tt.beforeFunc != nil {
+				tt.beforeFunc(obj)
+			}
+
+			artifact := &sourcev1.Artifact{}
+			if tt.artifact != nil {
+				artifact = tt.artifact
+			}
+			got, err := r.reconcileArtifact(ctx, obj, artifact, tt.targetPath)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+
+			g.Expect(got).To(Equal(tt.want))
+			g.Expect(obj.Status.Conditions).To(conditions.MatchConditions(tt.assertConditions))
+
+			if tt.assertArtifact != nil {
+				g.Expect(obj.Status.Artifact).To(MatchArtifact(tt.artifact))
+			}
+
+			for _, path := range tt.assertPaths {
+				localPath := testStorage.LocalPath(*obj.GetArtifact())
+				path = filepath.Join(filepath.Dir(localPath), path)
+				_, err := os.Lstat(path)
+				g.Expect(err).ToNot(HaveOccurred())
+			}
+		})
+	}
+}
+
 func TestOCIRepository_getArtifactURL(t *testing.T) {
 	g := NewWithT(t)

-	server, err := setupRegistryServer(ctx, registryOptions{})
+	tmpDir := t.TempDir()
+	server, err := setupRegistryServer(ctx, tmpDir, registryOptions{})
 	g.Expect(err).ToNot(HaveOccurred())

-	imgs, err := pushMultiplePodinfoImage(server.registryHost, []string{"6.1.4", "6.1.5", "6.1.6"})
+	imgs, err := pushMultiplePodinfoImages(server.registryHost, "6.1.4", "6.1.5", "6.1.6")
 	g.Expect(err).ToNot(HaveOccurred())

 	tests := []struct {
@ -890,14 +1164,16 @@ func TestOCIRepository_reconcileStorage(t *testing.T) {
 		},
 	}

+	builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme())
+	r := &OCIRepositoryReconciler{
+		Client:        builder.Build(),
+		EventRecorder: record.NewFakeRecorder(32),
+		Storage:       testStorage,
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			builder := fakeclient.NewClientBuilder().WithScheme(testEnv.GetScheme())
-			r := &OCIRepositoryReconciler{
-				Client:        builder.Build(),
-				EventRecorder: record.NewFakeRecorder(32),
-				Storage:       testStorage,
-			}
+
 			obj := &sourcev1.OCIRepository{
 				ObjectMeta: metav1.ObjectMeta{
 					GenerateName: "test-",
@ -933,153 +1209,151 @@ func TestOCIRepository_reconcileStorage(t *testing.T) {
 	}
 }

-func TestOCIRepository_CertSecret(t *testing.T) {
+func TestOCIRepository_ReconcileDelete(t *testing.T) {
 	g := NewWithT(t)

-	srv, rootCertPEM, clientCertPEM, clientKeyPEM, clientTLSCert, err := createTLSServer()
-	g.Expect(err).ToNot(HaveOccurred())
-
-	srv.StartTLS()
-	defer srv.Close()
-
-	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{},
+	r := &OCIRepositoryReconciler{
+		EventRecorder: record.NewFakeRecorder(32),
+		Storage:       testStorage,
 	}
-	// Use the server cert as a CA cert, so the client trusts the
-	// server cert. (Only works because the server uses the same
-	// cert in both roles).
-	pool := x509.NewCertPool()
-	pool.AddCert(srv.Certificate())
-	transport.TLSClientConfig.RootCAs = pool
-	transport.TLSClientConfig.Certificates = []tls.Certificate{clientTLSCert}

-	srv.Client().Transport = transport
-	pi2, err := createPodinfoImageFromTar("podinfo-6.1.5.tar", "6.1.5", srv.URL, []crane.Option{
-		crane.WithTransport(srv.Client().Transport),
-	}...)
-	g.Expect(err).NotTo(HaveOccurred())
-
-	tlsSecretClientCert := corev1.Secret{
-		StringData: map[string]string{
-			CACert:     string(rootCertPEM),
-			ClientCert: string(clientCertPEM),
-			ClientKey:  string(clientKeyPEM),
+	obj := &sourcev1.OCIRepository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:              "reconcile-delete-",
+			DeletionTimestamp: &metav1.Time{Time: time.Now()},
+			Finalizers: []string{
+				sourcev1.SourceFinalizer,
+			},
 		},
+		Status: sourcev1.OCIRepositoryStatus{},
 	}

+	artifact := testStorage.NewArtifactFor(sourcev1.OCIRepositoryKind, obj.GetObjectMeta(), "revision", "foo.txt")
+	obj.Status.Artifact = &artifact
+
+	got, err := r.reconcileDelete(ctx, obj)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(got).To(Equal(sreconcile.ResultEmpty))
+	g.Expect(controllerutil.ContainsFinalizer(obj, sourcev1.SourceFinalizer)).To(BeFalse())
+	g.Expect(obj.Status.Artifact).To(BeNil())
+}
+
+func TestOCIRepositoryReconciler_notify(t *testing.T) {
+
+	noopErr := serror.NewGeneric(fmt.Errorf("some no-op error"), "NoOpReason")
+	noopErr.Ignore = true
+
 	tests := []struct {
-		name                  string
-		url                   string
-		tag                   string
-		digest                gcrv1.Hash
-		certSecret            *corev1.Secret
-		expectreadyconition   bool
-		expectedstatusmessage string
+		name             string
+		res              sreconcile.Result
+		resErr           error
+		oldObjBeforeFunc func(obj *sourcev1.OCIRepository)
+		newObjBeforeFunc func(obj *sourcev1.OCIRepository)
+		commit           git.Commit
+		wantEvent        string
 	}{
 		{
-			name:                  "test connection with CACert, Client Cert and Private Key",
-			url:                   pi2.url,
-			tag:                   pi2.tag,
-			digest:                pi2.digest,
-			certSecret:            &tlsSecretClientCert,
-			expectreadyconition:   true,
-			expectedstatusmessage: fmt.Sprintf("stored artifact for digest '%s'", pi2.digest.Hex),
+			name:   "error - no event",
+			res:    sreconcile.ResultEmpty,
+			resErr: errors.New("some error"),
 		},
 		{
-			name:                  "test connection with with no secret",
-			url:                   pi2.url,
-			tag:                   pi2.tag,
-			digest:                pi2.digest,
-			expectreadyconition:   false,
-			expectedstatusmessage: "failed to pull artifact",
-		},
-		{
-			name:   "test connection with with incorrect private key",
-			url:    pi2.url,
-			tag:    pi2.tag,
-			digest: pi2.digest,
-			certSecret: &corev1.Secret{
-				StringData: map[string]string{
-					CACert:     string(rootCertPEM),
-					ClientCert: string(clientCertPEM),
-					ClientKey:  string("invalid-key"),
-				},
+			name:   "new artifact",
+			res:    sreconcile.ResultSuccess,
+			resErr: nil,
+			newObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Spec.URL = "oci://newurl.io"
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+			},
+			wantEvent: "Normal NewArtifact stored artifact with digest 'xxx' from 'oci://newurl.io'",
+		},
+		{
+			name:   "recovery from failure",
+			res:    sreconcile.ResultSuccess,
+			resErr: nil,
+			oldObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.OCIOperationFailedReason, "fail")
+				conditions.MarkFalse(obj, meta.ReadyCondition, meta.FailedReason, "foo")
+			},
+			newObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Spec.URL = "oci://newurl.io"
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+				conditions.MarkTrue(obj, meta.ReadyCondition, meta.SucceededReason, "ready")
+			},
+			wantEvent: "Normal Succeeded stored artifact with digest 'xxx' from 'oci://newurl.io'",
+		},
+		{
+			name:   "recovery and new artifact",
+			res:    sreconcile.ResultSuccess,
+			resErr: nil,
+			oldObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.OCIOperationFailedReason, "fail")
+				conditions.MarkFalse(obj, meta.ReadyCondition, meta.FailedReason, "foo")
+			},
+			newObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Spec.URL = "oci://newurl.io"
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "aaa", Checksum: "bbb"}
+				conditions.MarkTrue(obj, meta.ReadyCondition, meta.SucceededReason, "ready")
+			},
+			wantEvent: "Normal NewArtifact stored artifact with digest 'aaa' from 'oci://newurl.io'",
+		},
+		{
+			name:   "no updates",
+			res:    sreconcile.ResultSuccess,
+			resErr: nil,
+			oldObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+				conditions.MarkTrue(obj, meta.ReadyCondition, meta.SucceededReason, "ready")
+			},
+			newObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+				conditions.MarkTrue(obj, meta.ReadyCondition, meta.SucceededReason, "ready")
+			},
+		},
+		{
+			name:   "no updates on requeue",
+			res:    sreconcile.ResultRequeue,
+			resErr: nil,
+			oldObjBeforeFunc: func(obj *sourcev1.OCIRepository) {
+				obj.Status.Artifact = &sourcev1.Artifact{Revision: "xxx", Checksum: "yyy"}
+				conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.URLInvalidReason, "ready")
 			},
-			expectreadyconition:   false,
-			expectedstatusmessage: "failed to generate transport",
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
+			recorder := record.NewFakeRecorder(32)

-			ns, err := testEnv.CreateNamespace(ctx, "ocirepository-test")
-			g.Expect(err).ToNot(HaveOccurred())
-			defer func() { g.Expect(testEnv.Delete(ctx, ns)).To(Succeed()) }()
+			oldObj := &sourcev1.OCIRepository{}
+			newObj := oldObj.DeepCopy()

-			obj := &sourcev1.OCIRepository{
-				ObjectMeta: metav1.ObjectMeta{
-					GenerateName: "ocirepository-test-resource",
-					Namespace:    ns.Name,
-				},
-				Spec: sourcev1.OCIRepositorySpec{
-					URL:       tt.url,
-					Interval:  metav1.Duration{Duration: 60 * time.Minute},
-					Reference: &sourcev1.OCIRepositoryRef{Digest: tt.digest.String()},
-				},
+			if tt.oldObjBeforeFunc != nil {
+				tt.oldObjBeforeFunc(oldObj)
+			}
+			if tt.newObjBeforeFunc != nil {
+				tt.newObjBeforeFunc(newObj)
 			}

-			if tt.certSecret != nil {
-				tt.certSecret.ObjectMeta = metav1.ObjectMeta{
-					GenerateName: "cert-secretref",
-					Namespace:    ns.Name,
-				}
-
-				g.Expect(testEnv.CreateAndWait(ctx, tt.certSecret)).To(Succeed())
-				defer func() { g.Expect(testEnv.Delete(ctx, tt.certSecret)).To(Succeed()) }()
-
-				obj.Spec.CertSecretRef = &meta.LocalObjectReference{Name: tt.certSecret.Name}
+			reconciler := &OCIRepositoryReconciler{
+				EventRecorder: recorder,
 			}
+			reconciler.notify(ctx, oldObj, newObj, tt.res, tt.resErr)

-			g.Expect(testEnv.Create(ctx, obj)).To(Succeed())
-
-			key := client.ObjectKey{Name: obj.Name, Namespace: obj.Namespace}
-
-			resultobj := sourcev1.OCIRepository{}
-
-			// Wait for the finalizer to be set
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, &resultobj); err != nil {
-					return false
+			select {
+			case x, ok := <-recorder.Events:
+				g.Expect(ok).To(Equal(tt.wantEvent != ""), "unexpected event received")
+				if tt.wantEvent != "" {
+					g.Expect(x).To(ContainSubstring(tt.wantEvent))
 				}
-				return len(resultobj.Finalizers) > 0
-			}, timeout).Should(BeTrue())
-
-			// Wait for the object to fail
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, &resultobj); err != nil {
-					return false
+			default:
+				if tt.wantEvent != "" {
+					t.Errorf("expected some event to be emitted")
 				}
-				readyCondition := conditions.Get(&resultobj, meta.ReadyCondition)
-				if readyCondition == nil {
-					return false
-				}
-				return obj.Generation == readyCondition.ObservedGeneration &&
-					conditions.IsReady(&resultobj) == tt.expectreadyconition
-			}, timeout).Should(BeTrue())
-
-			readyCondition := conditions.Get(&resultobj, meta.ReadyCondition)
-			g.Expect(readyCondition.Message).Should(ContainSubstring(tt.expectedstatusmessage))
-
-			// Wait for the object to be deleted
-			g.Expect(testEnv.Delete(ctx, &resultobj)).To(Succeed())
-			g.Eventually(func() bool {
-				if err := testEnv.Get(ctx, key, &resultobj); err != nil {
-					return apierrors.IsNotFound(err)
-				}
-				return false
-			}, timeout).Should(BeTrue())
+			}
 		})
 	}
 }
@ -1088,6 +1362,7 @@ type artifactFixture struct {
 	expectedPath     string
 	expectedChecksum string
 }
+
 type podinfoImage struct {
 	url    string
 	tag    string
@ -1139,7 +1414,7 @@ func createPodinfoImageFromTar(tarFileName, tag, registryURL string, opts ...cra
 	}, nil
 }

-func pushMultiplePodinfoImage(serverURL string, versions []string) (map[string]podinfoImage, error) {
+func pushMultiplePodinfoImages(serverURL string, versions ...string) (map[string]podinfoImage, error) {
 	podinfoVersions := make(map[string]podinfoImage)

 	for i := 0; i < len(versions); i++ {
--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@ -119,30 +119,30 @@ type registryClientTestServer struct {

 type registryOptions struct {
 	withBasicAuth bool
-	withTlS       bool
+	withTLS       bool
 }

-func setupRegistryServer(ctx context.Context, opts registryOptions) (*registryClientTestServer, error) {
+func setupRegistryServer(ctx context.Context, workspaceDir string, opts registryOptions) (*registryClientTestServer, error) {
 	server := &registryClientTestServer{}

-	// Create a temporary workspace directory for the registry
-	workspaceDir, err := os.MkdirTemp("", "registry-test-")
-	if err != nil {
-		return nil, fmt.Errorf("failed to create workspace directory: %w", err)
+	if workspaceDir == "" {
+		return nil, fmt.Errorf("workspace directory cannot be an empty string")
 	}
+
 	server.workspaceDir = workspaceDir

 	var out bytes.Buffer
 	server.out = &out

 	// init test client
-	server.registryClient, err = helmreg.NewClient(
+	client, err := helmreg.NewClient(
 		helmreg.ClientOptDebug(true),
 		helmreg.ClientOptWriter(server.out),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create registry client: %s", err)
 	}
+	server.registryClient = client

 	config := &configuration.Configuration{}
 	port, err := freeport.GetFreePort()
@ -179,7 +179,7 @@ func setupRegistryServer(ctx context.Context, opts registryOptions) (*registryCl
 		}
 	}

-	if opts.withTlS {
+	if opts.withTLS {
 		config.HTTP.TLS.Certificate = "testdata/certs/server.pem"
 		config.HTTP.TLS.Key = "testdata/certs/server-key.pem"
 	}
@ -219,7 +219,11 @@ func TestMain(m *testing.M) {

 	testMetricsH = controller.MustMakeMetrics(testEnv)

-	testRegistryServer, err = setupRegistryServer(ctx, registryOptions{
+	testWorkspaceDir, err := os.MkdirTemp("", "registry-test-")
+	if err != nil {
+		panic(fmt.Sprintf("failed to create workspace directory: %v", err))
+	}
+	testRegistryServer, err = setupRegistryServer(ctx, testWorkspaceDir, registryOptions{
 		withBasicAuth: true,
 	})
 	if err != nil {
@ -319,7 +323,7 @@ func TestMain(m *testing.M) {
 		panic(fmt.Sprintf("Failed to remove storage server dir: %v", err))
 	}

-	if err := os.RemoveAll(testRegistryServer.workspaceDir); err != nil {
+	if err := os.RemoveAll(testWorkspaceDir); err != nil {
 		panic(fmt.Sprintf("Failed to remove registry workspace dir: %v", err))
 	}

--- a/controllers/testdata/oci/repository/foo.txt
+++ b/controllers/testdata/oci/repository/foo.txt
--- a/d.txt
+++ b/d.txt
@ -1 +0,0 @@
-d
--- a/go.mod
+++ b/go.mod
@ -69,6 +69,11 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )

+require (
+	github.com/google/go-containerregistry v0.10.0
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220712174516-ddd39fb9c385
+)
+
 // Fix CVE-2022-28948
 replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1

@ -82,8 +87,17 @@ require (
 	cloud.google.com/go v0.102.1 // indirect
 	cloud.google.com/go/compute v1.7.0 // indirect
 	cloud.google.com/go/iam v0.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 // indirect
 	github.com/BurntSushi/toml v1.0.0 // indirect
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
@ -91,19 +105,34 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/Masterminds/squirrel v1.5.3 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.16.4 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.15.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.17.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.6 // indirect
+	github.com/aws/smithy-go v1.11.2 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220517224237-e6f29200ae04 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.2 // indirect
 	github.com/bugsnag/bugsnag-go v2.1.2+incompatible // indirect
 	github.com/bugsnag/panicwrap v1.3.4 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220327082430-c57b701bfc08 // indirect
 	github.com/containerd/containerd v1.6.6 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.11.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker v20.10.17+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.6.4 // indirect
@ -112,7 +141,7 @@ require (
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
-	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
+	github.com/emicklei/go-restful v2.15.0+incompatible // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
@ -125,18 +154,20 @@ require (
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
 	github.com/go-logr/zapr v1.2.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/swag v0.21.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/gomodule/redigo v1.8.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220523143934-b17c48b086b7 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
@ -145,26 +176,27 @@ require (
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
-	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/klauspost/compress v1.15.4 // indirect
 	github.com/klauspost/cpuid v1.3.1 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lib/pq v1.10.6 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
@ -184,7 +216,7 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@ -194,13 +226,14 @@ require (
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/rs/xid v1.2.1 // indirect
 	github.com/rubenv/sql-migrate v1.1.2 // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
+	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/cobra v1.5.0 // indirect
 	github.com/stretchr/testify v1.7.4 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.1 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@ -216,9 +249,9 @@ require (
 	go.uber.org/zap v1.21.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
 	golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
@ -235,10 +268,10 @@ require (
 	k8s.io/cli-runtime v0.24.2 // indirect
 	k8s.io/component-base v0.24.2 // indirect
 	k8s.io/klog/v2 v2.60.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
+	k8s.io/kube-openapi v0.0.0-20220413171646-5e7f5fdc6da6 // indirect
 	k8s.io/kubectl v0.24.2 // indirect
 	oras.land/oras-go v1.2.0 // indirect
-	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/json v0.0.0-20220525155127-227cbc7cc124 // indirect
 	sigs.k8s.io/kustomize/api v0.11.4 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.6 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
--- a/go.sum
+++ b/go.sum
--- a/main.go
+++ b/main.go
@ -357,7 +357,6 @@ func mustInitStorage(path string, storageAdvAddr string, artifactRetentionTTL ti
 		os.MkdirAll(path, 0o700)
 	}

-	fmt.Println("PARHHHH", path)
 	storage, err := controllers.NewStorage(path, storageAdvAddr, artifactRetentionTTL, artifactRetentionRecords)
 	if err != nil {
 		l.Error(err, "unable to initialise storage")