304 lines
7.4 KiB
Go
304 lines
7.4 KiB
Go
package tests_test
|
|
|
|
import (
|
|
"sigs.k8s.io/kustomize/v3/k8sdeps/kunstruct"
|
|
"sigs.k8s.io/kustomize/v3/k8sdeps/transformer"
|
|
"sigs.k8s.io/kustomize/v3/pkg/fs"
|
|
"sigs.k8s.io/kustomize/v3/pkg/loader"
|
|
"sigs.k8s.io/kustomize/v3/pkg/plugins"
|
|
"sigs.k8s.io/kustomize/v3/pkg/resmap"
|
|
"sigs.k8s.io/kustomize/v3/pkg/resource"
|
|
"sigs.k8s.io/kustomize/v3/pkg/target"
|
|
"sigs.k8s.io/kustomize/v3/pkg/validators"
|
|
"testing"
|
|
)
|
|
|
|
func writeWebhookBase(th *KustTestHarness) {
|
|
th.writeF("/manifests/admission-webhook/webhook/base/cluster-role-binding.yaml", `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: cluster-role-binding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: cluster-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: service-account
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/cluster-role.yaml", `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: cluster-role
|
|
rules:
|
|
- apiGroups:
|
|
- kubeflow.org
|
|
resources:
|
|
- poddefaults
|
|
verbs:
|
|
- get
|
|
- watch
|
|
- list
|
|
- update
|
|
- create
|
|
- patch
|
|
- delete
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: kubeflow-poddefaults-admin
|
|
labels:
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
|
|
aggregationRule:
|
|
clusterRoleSelectors:
|
|
- matchLabels:
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
|
|
rules: null
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: kubeflow-poddefaults-edit
|
|
labels:
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
|
|
aggregationRule:
|
|
clusterRoleSelectors:
|
|
- matchLabels:
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
|
|
rules: null
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: kubeflow-poddefaults-view
|
|
labels:
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true"
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true"
|
|
rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
|
|
rules:
|
|
- apiGroups:
|
|
- kubeflow.org
|
|
resources:
|
|
- poddefaults
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/deployment.yaml", `
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: deployment
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- image: gcr.io/kubeflow-images-public/admission-webhook:v20190520-v0-139-gcee39dbc-dirty-0d8f4c
|
|
name: admission-webhook
|
|
volumeMounts:
|
|
- mountPath: /etc/webhook/certs
|
|
name: webhook-cert
|
|
readOnly: true
|
|
volumes:
|
|
- name: webhook-cert
|
|
secret:
|
|
secretName: webhook-certs
|
|
serviceAccountName: service-account
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/mutating-webhook-configuration.yaml", `
|
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
|
kind: MutatingWebhookConfiguration
|
|
metadata:
|
|
name: mutating-webhook-configuration
|
|
webhooks:
|
|
- clientConfig:
|
|
caBundle: ""
|
|
service:
|
|
name: $(serviceName)
|
|
namespace: $(namespace)
|
|
path: /apply-poddefault
|
|
name: $(deploymentName).kubeflow.org
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
resources:
|
|
- pods
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/service-account.yaml", `
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: service-account
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/service.yaml", `
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: service
|
|
spec:
|
|
ports:
|
|
- port: 443
|
|
targetPort: 443
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/crd.yaml", `
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
name: poddefaults.kubeflow.org
|
|
spec:
|
|
group: kubeflow.org
|
|
names:
|
|
kind: PodDefault
|
|
plural: poddefaults
|
|
singular: poddefault
|
|
scope: Namespaced
|
|
version: v1alpha1
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
apiVersion:
|
|
type: string
|
|
kind:
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
desc:
|
|
type: string
|
|
serviceAccountName:
|
|
type: string
|
|
env:
|
|
items:
|
|
type: object
|
|
type: array
|
|
envFrom:
|
|
items:
|
|
type: object
|
|
type: array
|
|
selector:
|
|
type: object
|
|
volumeMounts:
|
|
items:
|
|
type: object
|
|
type: array
|
|
volumes:
|
|
items:
|
|
type: object
|
|
type: array
|
|
required:
|
|
- selector
|
|
type: object
|
|
status:
|
|
type: object
|
|
type: object
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/params.yaml", `
|
|
varReference:
|
|
- path: webhooks/clientConfig/service/namespace
|
|
kind: MutatingWebhookConfiguration
|
|
- path: webhooks/clientConfig/service/name
|
|
kind: MutatingWebhookConfiguration
|
|
- path: webhooks/name
|
|
kind: MutatingWebhookConfiguration
|
|
`)
|
|
th.writeF("/manifests/admission-webhook/webhook/base/params.env", `
|
|
namespace=kubeflow
|
|
`)
|
|
th.writeK("/manifests/admission-webhook/webhook/base", `
|
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
kind: Kustomization
|
|
resources:
|
|
- cluster-role-binding.yaml
|
|
- cluster-role.yaml
|
|
- deployment.yaml
|
|
- mutating-webhook-configuration.yaml
|
|
- service-account.yaml
|
|
- service.yaml
|
|
- crd.yaml
|
|
commonLabels:
|
|
kustomize.component: admission-webhook
|
|
app: admission-webhook
|
|
namePrefix: admission-webhook-
|
|
images:
|
|
- name: gcr.io/kubeflow-images-public/admission-webhook
|
|
newName: gcr.io/kubeflow-images-public/admission-webhook
|
|
newTag: v20190520-v0-139-gcee39dbc-dirty-0d8f4c
|
|
namespace: kubeflow
|
|
configMapGenerator:
|
|
- name: admission-webhook-parameters
|
|
env: params.env
|
|
generatorOptions:
|
|
disableNameSuffixHash: true
|
|
vars:
|
|
- name: namespace
|
|
objref:
|
|
kind: ConfigMap
|
|
name: admission-webhook-parameters
|
|
apiVersion: v1
|
|
fieldref:
|
|
fieldpath: data.namespace
|
|
- name: serviceName
|
|
objref:
|
|
kind: Service
|
|
name: service
|
|
apiVersion: v1
|
|
fieldref:
|
|
fieldpath: metadata.name
|
|
- name: deploymentName
|
|
objref:
|
|
kind: Deployment
|
|
name: deployment
|
|
apiVersion: apps/v1
|
|
fieldref:
|
|
fieldpath: metadata.name
|
|
configurations:
|
|
- params.yaml
|
|
`)
|
|
}
|
|
|
|
func TestWebhookBase(t *testing.T) {
|
|
th := NewKustTestHarness(t, "/manifests/admission-webhook/webhook/base")
|
|
writeWebhookBase(th)
|
|
m, err := th.makeKustTarget().MakeCustomizedResMap()
|
|
if err != nil {
|
|
t.Fatalf("Err: %v", err)
|
|
}
|
|
expected, err := m.AsYaml()
|
|
if err != nil {
|
|
t.Fatalf("Err: %v", err)
|
|
}
|
|
targetPath := "../admission-webhook/webhook/base"
|
|
fsys := fs.MakeRealFS()
|
|
lrc := loader.RestrictionRootOnly
|
|
_loader, loaderErr := loader.NewLoader(lrc, validators.MakeFakeValidator(), targetPath, fsys)
|
|
if loaderErr != nil {
|
|
t.Fatalf("could not load kustomize loader: %v", loaderErr)
|
|
}
|
|
rf := resmap.NewFactory(resource.NewFactory(kunstruct.NewKunstructuredFactoryImpl()), transformer.NewFactoryImpl())
|
|
pc := plugins.DefaultPluginConfig()
|
|
kt, err := target.NewKustTarget(_loader, rf, transformer.NewFactoryImpl(), plugins.NewLoader(pc, rf))
|
|
if err != nil {
|
|
th.t.Fatalf("Unexpected construction error %v", err)
|
|
}
|
|
actual, err := kt.MakeCustomizedResMap()
|
|
if err != nil {
|
|
t.Fatalf("Err: %v", err)
|
|
}
|
|
th.assertActualEqualsExpected(actual, string(expected))
|
|
}
|