karmada-io
/
karmada
mirror of https://github.com/karmada-io/karmada.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ut] add ut for secret.go, serviceaccount.go, rbac.go 

Signed-off-by: yingjinhui <yingjinhui@didiglobal.com>
This commit is contained in:
yingjinhui 2022-10-21 22:14:11 +08:00
parent 12d2a2998d
commit ee73db8b6c
6 changed files with 1404 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
pkg/util/clusterrole_test.go Normal file
View File

@ -0,0 +1,189 @@
package util
import (
"reflect"
"testing"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
)
func TestEnsureClusterRoleBindingExist(t *testing.T) {
type args struct {
client kubernetes.Interface
clusterRoleBinding *rbacv1.ClusterRoleBinding
dryRun bool
}
tests := []struct {
name string
args args
want *rbacv1.ClusterRoleBinding
wantErr bool
}{
{
name: "dry run",
args: args{
client: fake.NewSimpleClientset(),
clusterRoleBinding: makeClusterRoleBinding("test"),
dryRun: true,
},
want: makeClusterRoleBinding("test"),
wantErr: false,
},
{
name: "already exist",
args: args{
client: fake.NewSimpleClientset(makeClusterRoleBinding("test")),
clusterRoleBinding: makeClusterRoleBinding("test"),
dryRun: false,
},
want: makeClusterRoleBinding("test"),
wantErr: false,
},
{
name: "not exist",
args: args{
client: fake.NewSimpleClientset(),
clusterRoleBinding: makeClusterRoleBinding("test"),
dryRun: false,
},
want: makeClusterRoleBinding("test"),
wantErr: false,
},
{
name: "get error",
args: args{
client: alwaysErrorKubeClient,
clusterRoleBinding: makeClusterRoleBinding("test"),
dryRun: false,
},
want: nil,
wantErr: true,
},
{
name: "create error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("create", "*", errorAction)
return c
}(),
clusterRoleBinding: makeClusterRoleBinding("test"),
dryRun: false,
},
want: nil,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := EnsureClusterRoleBindingExist(tt.args.client, tt.args.clusterRoleBinding, tt.args.dryRun)
if (err != nil) != tt.wantErr {
t.Errorf("EnsureClusterRoleBindingExist() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("EnsureClusterRoleBindingExist() got = %v, want %v", got, tt.want)
}
})
}
}
func TestEnsureClusterRoleExist(t *testing.T) {
type args struct {
client kubernetes.Interface
clusterRole *rbacv1.ClusterRole
dryRun bool
}
tests := []struct {
name string
args args
want *rbacv1.ClusterRole
wantErr bool
}{
{
name: "dry run",
args: args{
client: fake.NewSimpleClientset(),
clusterRole: makeClusterRole("test"),
dryRun: true,
},
want: makeClusterRole("test"),
wantErr: false,
},
{
name: "already exist",
args: args{
client: fake.NewSimpleClientset(makeClusterRole("test")),
clusterRole: makeClusterRole("test"),
dryRun: false,
},
want: makeClusterRole("test"),
wantErr: false,
},
{
name: "not exist",
args: args{
client: fake.NewSimpleClientset(),
clusterRole: makeClusterRole("test"),
dryRun: false,
},
want: makeClusterRole("test"),
wantErr: false,
},
{
name: "get error",
args: args{
client: alwaysErrorKubeClient,
clusterRole: makeClusterRole("test"),
dryRun: false,
},
want: nil,
wantErr: true,
},
{
name: "create error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("create", "*", errorAction)
return c
}(),
clusterRole: makeClusterRole("test"),
dryRun: false,
},
want: nil,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := EnsureClusterRoleExist(tt.args.client, tt.args.clusterRole, tt.args.dryRun)
if (err != nil) != tt.wantErr {
t.Errorf("EnsureClusterRoleExist() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("EnsureClusterRoleExist() got = %v, want %v", got, tt.want)
}
})
}
}
func makeClusterRole(name string) *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
}
}
func makeClusterRoleBinding(name string) *rbacv1.ClusterRoleBinding {
return &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
}
}

4
pkg/util/rbac.go
View File

@ -163,7 +163,7 @@ func GenerateImpersonationRules(allSubjects []rbacv1.Subject) []rbacv1.PolicyRul
} }
// CreateOrUpdateClusterRole creates a ClusterRole if the target resource doesn't exist. If the resource exists already, this function will update the resource instead. // CreateOrUpdateClusterRole creates a ClusterRole if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
func CreateOrUpdateClusterRole(client *kubeclient.Clientset, clusterRole *rbacv1.ClusterRole) error { func CreateOrUpdateClusterRole(client kubeclient.Interface, clusterRole *rbacv1.ClusterRole) error {
if _, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{}); err != nil { if _, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{}); err != nil {
if !apierrors.IsAlreadyExists(err) { if !apierrors.IsAlreadyExists(err) {
return fmt.Errorf("unable to create RBAC clusterrole: %v", err) return fmt.Errorf("unable to create RBAC clusterrole: %v", err)
@ -179,7 +179,7 @@ func CreateOrUpdateClusterRole(client *kubeclient.Clientset, clusterRole *rbacv1
} }
// CreateOrUpdateClusterRoleBinding creates a ClusterRoleBinding if the target resource doesn't exist. If the resource exists already, this function will update the resource instead. // CreateOrUpdateClusterRoleBinding creates a ClusterRoleBinding if the target resource doesn't exist. If the resource exists already, this function will update the resource instead.
func CreateOrUpdateClusterRoleBinding(client *kubeclient.Clientset, clusterRoleBinding *rbacv1.ClusterRoleBinding) error { func CreateOrUpdateClusterRoleBinding(client kubeclient.Interface, clusterRoleBinding *rbacv1.ClusterRoleBinding) error {
if _, err := client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{}); err != nil { if _, err := client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{}); err != nil {
if !apierrors.IsAlreadyExists(err) { if !apierrors.IsAlreadyExists(err) {
return fmt.Errorf("unable to create RBAC clusterrolebinding: %v", err) return fmt.Errorf("unable to create RBAC clusterrolebinding: %v", err)

622
pkg/util/rbac_test.go Normal file
View File

@ -0,0 +1,622 @@
package util
import (
"reflect"
"testing"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
)
func TestCreateClusterRole(t *testing.T) {
type args struct {
client kubernetes.Interface
clusterRoleObj *rbacv1.ClusterRole
}
tests := []struct {
name string
args args
want *rbacv1.ClusterRole
wantErr bool
}{
{
name: "already exist",
args: args{
client: fake.NewSimpleClientset(makeClusterRole("test")),
clusterRoleObj: makeClusterRole("test"),
},
want: makeClusterRole("test"),
wantErr: false,
},
{
name: "create error",
args: args{
client: alwaysErrorKubeClient,
clusterRoleObj: makeClusterRole("test"),
},
want: nil,
wantErr: true,
},
{
name: "create success",
args: args{
client: fake.NewSimpleClientset(),
clusterRoleObj: makeClusterRole("test"),
},
want: makeClusterRole("test"),
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := CreateClusterRole(tt.args.client, tt.args.clusterRoleObj)
if (err != nil) != tt.wantErr {
t.Errorf("CreateClusterRole() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("CreateClusterRole() got = %v, want %v", got, tt.want)
}
})
}
}
func TestCreateClusterRoleBinding(t *testing.T) {
type args struct {
client kubernetes.Interface
clusterRoleBindingObj *rbacv1.ClusterRoleBinding
}
tests := []struct {
name string
args args
want *rbacv1.ClusterRoleBinding
wantErr bool
}{
{
name: "already exist",
args: args{
client: fake.NewSimpleClientset(makeClusterRoleBinding("test")),
clusterRoleBindingObj: makeClusterRoleBinding("test"),
},
want: makeClusterRoleBinding("test"),
wantErr: false,
},
{
name: "create success",
args: args{
client: fake.NewSimpleClientset(),
clusterRoleBindingObj: makeClusterRoleBinding("test"),
},
want: makeClusterRoleBinding("test"),
wantErr: false,
},
{
name: "create error",
args: args{
client: alwaysErrorKubeClient,
clusterRoleBindingObj: makeClusterRoleBinding("test"),
},
want: nil,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := CreateClusterRoleBinding(tt.args.client, tt.args.clusterRoleBindingObj)
if (err != nil) != tt.wantErr {
t.Errorf("CreateClusterRoleBinding() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("CreateClusterRoleBinding() got = %v, want %v", got, tt.want)
}
})
}
}
func TestCreateOrUpdateClusterRole(t *testing.T) {
type args struct {
client kubernetes.Interface
clusterRole *rbacv1.ClusterRole
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "not exist and create",
args: args{
client: fake.NewSimpleClientset(),
clusterRole: makeClusterRole("test"),
},
wantErr: false,
},
{
name: "already exist and update",
args: args{
client: fake.NewSimpleClientset(makeClusterRole("test")),
clusterRole: makeClusterRole("test"),
},
wantErr: false,
},
{
name: "create error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("create", "*", errorAction)
return c
}(),
clusterRole: makeClusterRole("test"),
},
wantErr: true,
},
{
name: "update error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset(makeClusterRole("test"))
c.PrependReactor("update", "*", errorAction)
return c
}(),
clusterRole: makeClusterRole("test"),
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := CreateOrUpdateClusterRole(tt.args.client, tt.args.clusterRole); (err != nil) != tt.wantErr {
t.Errorf("CreateOrUpdateClusterRole() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestCreateOrUpdateClusterRoleBinding(t *testing.T) {
type args struct {
client kubernetes.Interface
clusterRoleBinding *rbacv1.ClusterRoleBinding
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "not exist and create",
args: args{
client: fake.NewSimpleClientset(),
clusterRoleBinding: makeClusterRoleBinding("test"),
},
wantErr: false,
},
{
name: "already exist and update",
args: args{
client: fake.NewSimpleClientset(makeClusterRole("test")),
clusterRoleBinding: makeClusterRoleBinding("test"),
},
wantErr: false,
},
{
name: "create error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("create", "*", errorAction)
return c
}(),
clusterRoleBinding: makeClusterRoleBinding("test"),
},
wantErr: true,
},
{
name: "update error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset(makeClusterRoleBinding("test"))
c.PrependReactor("update", "*", errorAction)
return c
}(),
clusterRoleBinding: makeClusterRoleBinding("test"),
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := CreateOrUpdateClusterRoleBinding(tt.args.client, tt.args.clusterRoleBinding); (err != nil) != tt.wantErr {
t.Errorf("CreateOrUpdateClusterRoleBinding() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestDeleteClusterRole(t *testing.T) {
type args struct {
client kubernetes.Interface
name string
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "not found",
args: args{
client: fake.NewSimpleClientset(),
name: "test",
},
wantErr: false,
},
{
name: "existed and deleted",
args: args{
client: fake.NewSimpleClientset(makeClusterRole("test")),
name: "test",
},
wantErr: false,
},
{
name: "delete error",
args: args{
client: alwaysErrorKubeClient,
name: "test",
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := DeleteClusterRole(tt.args.client, tt.args.name); (err != nil) != tt.wantErr {
t.Errorf("DeleteClusterRole() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestDeleteClusterRoleBinding(t *testing.T) {
type args struct {
client kubernetes.Interface
name string
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "not found",
args: args{
client: fake.NewSimpleClientset(),
name: "test",
},
wantErr: false,
},
{
name: "existed and deleted",
args: args{
client: fake.NewSimpleClientset(makeClusterRoleBinding("test")),
name: "test",
},
wantErr: false,
},
{
name: "delete error",
args: args{
client: alwaysErrorKubeClient,
name: "test",
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := DeleteClusterRoleBinding(tt.args.client, tt.args.name); (err != nil) != tt.wantErr {
t.Errorf("DeleteClusterRoleBinding() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestGenerateImpersonationRules(t *testing.T) {
type args struct {
allSubjects []rbacv1.Subject
}
tests := []struct {
name string
args args
want []rbacv1.PolicyRule
}{
{
name: "empty",
args: args{
allSubjects: nil,
},
want: nil,
},
{
name: "generate success",
args: args{
allSubjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "user1"},
{Kind: rbacv1.UserKind, Name: "user2"},
{Kind: rbacv1.ServiceAccountKind, Name: "sa1"},
{Kind: rbacv1.ServiceAccountKind, Name: "sa2"},
{Kind: rbacv1.GroupKind, Name: "group1"},
{Kind: rbacv1.GroupKind, Name: "group2"},
},
},
want: []rbacv1.PolicyRule{
{Verbs: []string{"impersonate"}, Resources: []string{"users"}, APIGroups: []string{""}, ResourceNames: []string{"user1", "user2"}},
{Verbs: []string{"impersonate"}, Resources: []string{"serviceaccounts"}, APIGroups: []string{""}, ResourceNames: []string{"sa1", "sa2"}},
{Verbs: []string{"impersonate"}, Resources: []string{"groups"}, APIGroups: []string{""}, ResourceNames: []string{"group1", "group2"}},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := GenerateImpersonationRules(tt.args.allSubjects); !reflect.DeepEqual(got, tt.want) {
t.Errorf("GenerateImpersonationRules() = %v, want %v", got, tt.want)
}
})
}
}
func TestIsClusterRoleBindingExist(t *testing.T) {
type args struct {
client kubernetes.Interface
name string
}
tests := []struct {
name string
args args
want bool
wantErr bool
}{
{
name: "not found",
args: args{
client: fake.NewSimpleClientset(),
name: "test",
},
want: false,
wantErr: false,
},
{
name: "exist",
args: args{
client: fake.NewSimpleClientset(makeClusterRoleBinding("test")),
name: "test",
},
want: true,
wantErr: false,
},
{
name: "get error",
args: args{
client: alwaysErrorKubeClient,
name: "test",
},
want: false,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := IsClusterRoleBindingExist(tt.args.client, tt.args.name)
if (err != nil) != tt.wantErr {
t.Errorf("IsClusterRoleBindingExist() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("IsClusterRoleBindingExist() got = %v, want %v", got, tt.want)
}
})
}
}
func TestIsClusterRoleExist(t *testing.T) {
type args struct {
client kubernetes.Interface
name string
}
tests := []struct {
name string
args args
want bool
wantErr bool
}{
{
name: "not found",
args: args{
client: fake.NewSimpleClientset(),
name: "test",
},
want: false,
wantErr: false,
},
{
name: "exist",
args: args{
client: fake.NewSimpleClientset(makeClusterRole("test")),
name: "test",
},
want: true,
wantErr: false,
},
{
name: "get error",
args: args{
client: alwaysErrorKubeClient,
name: "test",
},
want: false,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := IsClusterRoleExist(tt.args.client, tt.args.name)
if (err != nil) != tt.wantErr {
t.Errorf("IsClusterRoleExist() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("IsClusterRoleExist() got = %v, want %v", got, tt.want)
}
})
}
}
func TestPolicyRuleAPIGroupMatches(t *testing.T) {
type args struct {
rule *rbacv1.PolicyRule
requestedGroup string
}
tests := []struct {
name string
args args
want bool
}{
{
name: "empty group",
args: args{
rule: &rbacv1.PolicyRule{},
requestedGroup: "test",
},
want: false,
},
{
name: "group all",
args: args{
rule: &rbacv1.PolicyRule{APIGroups: []string{rbacv1.APIGroupAll}},
requestedGroup: "test",
},
want: true,
},
{
name: "not matched",
args: args{
rule: &rbacv1.PolicyRule{APIGroups: []string{"foo", "bar"}},
requestedGroup: "test",
},
want: false,
},
{
name: "matched",
args: args{
rule: &rbacv1.PolicyRule{APIGroups: []string{"foo", "test"}},
requestedGroup: "test",
},
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := PolicyRuleAPIGroupMatches(tt.args.rule, tt.args.requestedGroup); got != tt.want {
t.Errorf("PolicyRuleAPIGroupMatches() = %v, want %v", got, tt.want)
}
})
}
}
func TestPolicyRuleResourceMatches(t *testing.T) {
type args struct {
rule *rbacv1.PolicyRule
requestedResource string
}
tests := []struct {
name string
args args
want bool
}{
{
name: "empty resources",
args: args{
rule: &rbacv1.PolicyRule{},
requestedResource: "test",
},
want: false,
},
{
name: "group all",
args: args{
rule: &rbacv1.PolicyRule{Resources: []string{rbacv1.ResourceAll}},
requestedResource: "test",
},
want: true,
},
{
name: "not matched",
args: args{
rule: &rbacv1.PolicyRule{Resources: []string{"foo", "bar"}},
requestedResource: "test",
},
want: false,
},
{
name: "matched",
args: args{
rule: &rbacv1.PolicyRule{Resources: []string{"foo", "test"}},
requestedResource: "test",
},
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := PolicyRuleResourceMatches(tt.args.rule, tt.args.requestedResource); got != tt.want {
t.Errorf("PolicyRuleResourceMatches() = %v, want %v", got, tt.want)
}
})
}
}
func TestPolicyRuleResourceNameMatches(t *testing.T) {
type args struct {
rule *rbacv1.PolicyRule
requestedName string
}
tests := []struct {
name string
args args
want bool
}{
{
name: "empty",
args: args{
rule: &rbacv1.PolicyRule{},
requestedName: "test",
},
want: true,
},
{
name: "not matched",
args: args{
rule: &rbacv1.PolicyRule{ResourceNames: []string{"foo", "bar"}},
requestedName: "test",
},
want: false,
},
{
name: "matched",
args: args{
rule: &rbacv1.PolicyRule{ResourceNames: []string{"foo", "test"}},
requestedName: "test",
},
want: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := PolicyRuleResourceNameMatches(tt.args.rule, tt.args.requestedName); got != tt.want {
t.Errorf("PolicyRuleResourceNameMatches() = %v, want %v", got, tt.want)
}
})
}
}

38
pkg/util/secret.go
View File

@ -8,40 +8,11 @@ import (
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors" apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
kubeclient "k8s.io/client-go/kubernetes" kubeclient "k8s.io/client-go/kubernetes"
"k8s.io/klog/v2" "k8s.io/klog/v2"
) )
// GetTargetSecret will get secrets(type=targetType, namespace=targetNamespace) from a list of secret references.
func GetTargetSecret(client kubeclient.Interface, secretReferences []corev1.ObjectReference, targetType corev1.SecretType, targetNamespace string) (*corev1.Secret, error) {
if len(secretReferences) == 0 {
return nil, apierrors.NewNotFound(schema.GroupResource{Group: "", Resource: "secret"}, "")
}
var errNotFound error
for _, objectReference := range secretReferences {
klog.V(2).Infof("checking secret: %s/%s", targetNamespace, objectReference.Name)
secret, err := client.CoreV1().Secrets(targetNamespace).Get(context.TODO(), objectReference.Name, metav1.GetOptions{})
if err != nil {
if apierrors.IsNotFound(err) {
errNotFound = err
continue
}
return nil, err
}
if secret.Type == targetType {
return secret, nil
}
}
if errNotFound == nil {
return nil, fmt.Errorf("no specific secret found in namespace: %s", targetNamespace)
}
return nil, errNotFound
}
// GetSecret just try to get the secret. // GetSecret just try to get the secret.
func GetSecret(client kubeclient.Interface, namespace, name string) (*corev1.Secret, error) { func GetSecret(client kubeclient.Interface, namespace, name string) (*corev1.Secret, error) {
return client.CoreV1().Secrets(namespace).Get(context.TODO(), name, metav1.GetOptions{}) return client.CoreV1().Secrets(namespace).Get(context.TODO(), name, metav1.GetOptions{})
@ -60,15 +31,6 @@ func CreateSecret(client kubeclient.Interface, secret *corev1.Secret) (*corev1.S
return st, nil return st, nil
} }
// DeleteSecret just try to delete the secret.
func DeleteSecret(client kubeclient.Interface, namespace, name string) error {
err := client.CoreV1().Secrets(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
if err != nil && !apierrors.IsNotFound(err) {
return err
}
return nil
}
// PatchSecret just try to patch the secret. // PatchSecret just try to patch the secret.
func PatchSecret(client kubeclient.Interface, namespace, name string, pt types.PatchType, patchSecretBody *corev1.Secret) error { func PatchSecret(client kubeclient.Interface, namespace, name string, pt types.PatchType, patchSecretBody *corev1.Secret) error {
patchSecretByte, err := json.Marshal(patchSecretBody) patchSecretByte, err := json.Marshal(patchSecretBody)

244
pkg/util/secret_test.go Normal file
View File

@ -0,0 +1,244 @@
package util
import (
"errors"
"reflect"
"testing"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
coretesting "k8s.io/client-go/testing"
)
func TestCreateOrUpdateSecret(t *testing.T) {
type args struct {
client kubernetes.Interface
secret *corev1.Secret
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "create success",
args: args{
client: fake.NewSimpleClientset(),
secret: makeSecret("test"),
},
wantErr: false,
},
{
name: "update success",
args: args{
client: fake.NewSimpleClientset(makeSecret("test")),
secret: makeSecret("test"),
},
wantErr: false,
},
{
name: "create error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("create", "*", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) {
return true, nil, errors.New("create secret error")
})
return c
}(),
secret: makeSecret("test"),
},
wantErr: true,
},
{
name: "update error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset(makeSecret("test"))
c.PrependReactor("update", "*", func(action coretesting.Action) (handled bool, ret runtime.Object, err error) {
return true, nil, errors.New("update secret error")
})
return c
}(),
secret: makeSecret("test"),
},
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := CreateOrUpdateSecret(tt.args.client, tt.args.secret); (err != nil) != tt.wantErr {
t.Errorf("CreateOrUpdateSecret() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestCreateSecret(t *testing.T) {
type args struct {
client kubernetes.Interface
secret *corev1.Secret
}
tests := []struct {
name string
args args
want *corev1.Secret
wantErr bool
}{
{
name: "already exist",
args: args{
client: fake.NewSimpleClientset(makeSecret("test")),
secret: makeSecret("test"),
},
want: makeSecret("test"),
wantErr: false,
},
{
name: "create error",
args: args{
client: alwaysErrorKubeClient,
secret: makeSecret("test"),
},
want: nil,
wantErr: true,
},
{
name: "create success",
args: args{
client: fake.NewSimpleClientset(),
secret: makeSecret("test"),
},
want: makeSecret("test"),
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := CreateSecret(tt.args.client, tt.args.secret)
if (err != nil) != tt.wantErr {
t.Errorf("CreateSecret() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("CreateSecret() got = %v, want %v", got, tt.want)
}
})
}
}
func TestGetSecret(t *testing.T) {
type args struct {
client kubernetes.Interface
namespace string
name string
}
tests := []struct {
name string
args args
want *corev1.Secret
wantErr bool
}{
{
name: "not found error",
args: args{
client: fake.NewSimpleClientset(),
namespace: metav1.NamespaceDefault,
name: "test",
},
want: nil,
wantErr: true,
},
{
name: "get success",
args: args{
client: fake.NewSimpleClientset(makeSecret("test")),
namespace: metav1.NamespaceDefault,
name: "test",
},
want: makeSecret("test"),
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := GetSecret(tt.args.client, tt.args.namespace, tt.args.name)
if (err != nil) != tt.wantErr {
t.Errorf("GetSecret() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("GetSecret() got = %v, want %v", got, tt.want)
}
})
}
}
func TestPatchSecret(t *testing.T) {
type args struct {
client kubernetes.Interface
namespace string
name string
pt types.PatchType
patchSecretBody *corev1.Secret
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "not found error",
args: args{
client: fake.NewSimpleClientset(),
namespace: metav1.NamespaceDefault,
name: "test",
pt: types.MergePatchType,
patchSecretBody: makeSecret("test"),
},
wantErr: true,
},
{
name: "patchType is not supported",
args: args{
client: fake.NewSimpleClientset(makeSecret("test")),
namespace: metav1.NamespaceDefault,
name: "test",
pt: "",
patchSecretBody: makeSecret("test"),
},
wantErr: true,
},
{
name: "patch success",
args: args{
client: fake.NewSimpleClientset(makeSecret("test")),
namespace: metav1.NamespaceDefault,
name: "test",
pt: types.MergePatchType,
patchSecretBody: makeSecret("test"),
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := PatchSecret(tt.args.client, tt.args.namespace, tt.args.name, tt.args.pt, tt.args.patchSecretBody); (err != nil) != tt.wantErr {
t.Errorf("PatchSecret() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func makeSecret(name string) *corev1.Secret {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: metav1.NamespaceDefault,
Name: name,
},
}
}

347
pkg/util/serviceaccount_test.go Normal file
View File

@ -0,0 +1,347 @@
package util
import (
"fmt"
"reflect"
"testing"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
kubetesting "k8s.io/client-go/testing"
)
func TestCreateServiceAccount(t *testing.T) {
type args struct {
client kubernetes.Interface
sa *corev1.ServiceAccount
}
tests := []struct {
name string
args args
want *corev1.ServiceAccount
wantErr bool
}{
{
name: "already exist",
args: args{
client: fake.NewSimpleClientset(makeServiceAccount("test")),
sa: makeServiceAccount("test"),
},
want: makeServiceAccount("test"),
wantErr: false,
},
{
name: "create error",
args: args{
client: alwaysErrorKubeClient,
sa: makeServiceAccount("test"),
},
want: nil,
wantErr: true,
},
{
name: "create success",
args: args{
client: fake.NewSimpleClientset(),
sa: makeServiceAccount("test"),
},
want: makeServiceAccount("test"),
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := CreateServiceAccount(tt.args.client, tt.args.sa)
if (err != nil) != tt.wantErr {
t.Errorf("CreateServiceAccount() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("CreateServiceAccount() got = %v, want %v", got, tt.want)
}
})
}
}
func TestDeleteServiceAccount(t *testing.T) {
type args struct {
client kubernetes.Interface
namespace string
name string
}
tests := []struct {
name string
args args
wantErr bool
}{
{
name: "not found",
args: args{
client: fake.NewSimpleClientset(),
namespace: metav1.NamespaceDefault,
name: "test",
},
wantErr: false,
},
{
name: "error",
args: args{
client: alwaysErrorKubeClient,
namespace: metav1.NamespaceDefault,
name: "test",
},
wantErr: true,
},
{
name: "success",
args: args{
client: fake.NewSimpleClientset(makeServiceAccount("test")),
namespace: metav1.NamespaceDefault,
name: "test",
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := DeleteServiceAccount(tt.args.client, tt.args.namespace, tt.args.name); (err != nil) != tt.wantErr {
t.Errorf("DeleteServiceAccount() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func TestEnsureServiceAccountExist(t *testing.T) {
type args struct {
client kubernetes.Interface
serviceAccountObj *corev1.ServiceAccount
dryRun bool
}
tests := []struct {
name string
args args
want *corev1.ServiceAccount
wantErr bool
}{
{
name: "dry run",
args: args{
client: fake.NewSimpleClientset(),
serviceAccountObj: makeServiceAccount("test"),
dryRun: true,
},
want: makeServiceAccount("test"),
wantErr: false,
},
{
name: "exist",
args: args{
client: fake.NewSimpleClientset(makeServiceAccount("test")),
serviceAccountObj: makeServiceAccount("test"),
dryRun: false,
},
want: makeServiceAccount("test"),
wantErr: false,
},
{
name: "not exist",
args: args{
client: fake.NewSimpleClientset(),
serviceAccountObj: makeServiceAccount("test"),
dryRun: false,
},
want: makeServiceAccount("test"),
wantErr: false,
},
{
name: "get error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("get", "*", errorAction)
return c
}(),
serviceAccountObj: makeServiceAccount("test"),
dryRun: false,
},
want: nil,
wantErr: true,
},
{
name: "create error",
args: args{
client: func() kubernetes.Interface {
c := fake.NewSimpleClientset()
c.PrependReactor("create", "*", errorAction)
return c
}(),
serviceAccountObj: makeServiceAccount("test"),
dryRun: false,
},
want: nil,
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := EnsureServiceAccountExist(tt.args.client, tt.args.serviceAccountObj, tt.args.dryRun)
if (err != nil) != tt.wantErr {
t.Errorf("EnsureServiceAccountExist() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("EnsureServiceAccountExist() got = %v, want %v", got, tt.want)
}
})
}
}
func TestIsServiceAccountExist(t *testing.T) {
type args struct {
client kubernetes.Interface
namespace string
name string
}
tests := []struct {
name string
args args
want bool
wantErr bool
}{
{
name: "not found",
args: args{
client: fake.NewSimpleClientset(),
namespace: metav1.NamespaceDefault,
name: "test",
},
want: false,
wantErr: false,
},
{
name: "error",
args: args{
client: alwaysErrorKubeClient,
namespace: metav1.NamespaceDefault,
name: "test",
},
want: false,
wantErr: true,
},
{
name: "error",
args: args{
client: fake.NewSimpleClientset(makeServiceAccount("test")),
namespace: metav1.NamespaceDefault,
name: "test",
},
want: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := IsServiceAccountExist(tt.args.client, tt.args.namespace, tt.args.name)
if (err != nil) != tt.wantErr {
t.Errorf("IsServiceAccountExist() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("IsServiceAccountExist() got = %v, want %v", got, tt.want)
}
})
}
}
func TestWaitForServiceAccountSecretCreation(t *testing.T) {
sa := makeServiceAccount("test")
saVisitCount, secretVisitCount := 0, 0
// ROUND1: get serviceAccount returns not found
// ROUND2: get secret not found
// create secret
// token is empty
// ROUND3: token exist
injectSecretToken := func(client *fake.Clientset, secret *corev1.Secret) error {
secret = secret.DeepCopy()
secret.Data = map[string][]byte{
"token": []byte("test token"),
}
return client.Tracker().Update(schema.GroupVersionResource{Version: "v1", Resource: "secrets"}, secret, metav1.NamespaceDefault)
}
client := fake.NewSimpleClientset(makeServiceAccount("test"))
client.PrependReactor("get", "serviceaccounts", func(action kubetesting.Action) (bool, runtime.Object, error) {
saVisitCount++
if saVisitCount == 1 {
return true, nil, apierrors.NewNotFound(action.GetResource().GroupResource(), "test")
}
return false, nil, nil
})
client.PrependReactor("get", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
secretVisitCount++
if secretVisitCount == 2 {
s, err := client.Tracker().Get(action.GetResource(), action.GetNamespace(), "test")
if err != nil {
return true, nil, fmt.Errorf("secret shall be found: %v", err)
}
// We inject token here, so that next round will see the token
if err := injectSecretToken(client, s.(*corev1.Secret)); err != nil {
return true, nil, err
}
return true, s, nil
}
return false, nil, nil
})
got, err := WaitForServiceAccountSecretCreation(client, sa)
if err != nil {
t.Error(err)
return
}
want := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: sa.Namespace,
Name: sa.Name,
Annotations: map[string]string{
corev1.ServiceAccountNameKey: sa.Name,
},
},
Type: corev1.SecretTypeServiceAccountToken,
Data: map[string][]byte{
"token": []byte("test token"),
},
}
if !reflect.DeepEqual(got, want) {
t.Errorf("WaitForServiceAccountSecretCreation() got = %v, want %v", got, want)
}
}
var (
alwaysErrorKubeClient kubernetes.Interface
errorAction = func(kubetesting.Action) (handled bool, ret runtime.Object, err error) {
return true, nil, fmt.Errorf("always error")
}
)
func init() {
c := fake.NewSimpleClientset()
c.PrependReactor("*", "*", errorAction)
alwaysErrorKubeClient = c
}
func makeServiceAccount(name string) *corev1.ServiceAccount {
return &corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: metav1.NamespaceDefault,
},
}
}