
Commit 3e14128

committed
clusterauth: rework tests
This aligns clusterauth_test with the expected behavior modified by the previous commit, and is more in line with the way Kubernetes service account secrets are handled by the token controller. Signed-off-by: Max Gautier <mg@max.gautier.name>
1 parent 8871321 commit 3e14128

1 file changed

Lines changed: 51 additions & 13 deletions


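--- a/util/clusterauth/clusterauth_test.go
+++ b/util/clusterauth/clusterauth_test.go
@@ -104,13 +104,36 @@ func TestCreateServiceAccount(t *testing.T) {
 })
 }
 
+func _MockK8STokenController(objects kubetesting.ObjectTracker) kubetesting.ReactionFunc {
+return (func(action kubetesting.Action) (bool, runtime.Object, error) {
+secret, ok := action.(kubetesting.CreateAction).GetObject().(*corev1.Secret)
+if !ok {
+return false, nil, nil
+}
+_, err := objects.Get(schema.GroupVersionResource{Version: "v1", Resource: "serviceaccounts"},
+secret.Namespace,
+secret.ObjectMeta.Annotations[corev1.ServiceAccountNameKey],
+metav1.GetOptions{})
+if err != nil {
+return false, nil, nil
+}
+if secret.Data == nil {
+secret.Data = map[string][]byte{}
+}
+if secret.Data[corev1.ServiceAccountTokenKey] == nil {
+secret.Data[corev1.ServiceAccountTokenKey] = []byte(testToken)
+}
+return false, secret, nil
+})
+}
+
 func TestInstallClusterManagerRBAC(t *testing.T) {
 ns := &corev1.Namespace{
 ObjectMeta: metav1.ObjectMeta{
 Name: "test",
 },
 }
-secret := &corev1.Secret{
+legacyAutoSecret := &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Name: "sa-secret",
 Namespace: "test",
@@ -127,25 +150,39 @@ func TestInstallClusterManagerRBAC(t *testing.T) {
 },
 Secrets: []corev1.ObjectReference{
 {
-Kind: secret.GetObjectKind().GroupVersionKind().Kind,
-APIVersion: secret.APIVersion,
-Name: secret.GetName(),
-Namespace: secret.GetNamespace(),
-UID: secret.GetUID(),
-ResourceVersion: secret.GetResourceVersion(),
+Kind: legacyAutoSecret.GetObjectKind().GroupVersionKind().Kind,
+APIVersion: legacyAutoSecret.APIVersion,
+Name: legacyAutoSecret.GetName(),
+Namespace: legacyAutoSecret.GetNamespace(),
+UID: legacyAutoSecret.GetUID(),
+ResourceVersion: legacyAutoSecret.GetResourceVersion(),
 },
 },
 }
+longLivedSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: sa.Name + SATokenSecretSuffix,
+Namespace: "test",
+Annotations: map[string]string{
+corev1.ServiceAccountNameKey: sa.Name,
+},
+},
+Type: corev1.SecretTypeServiceAccountToken,
+Data: map[string][]byte{
+"token": []byte("barfoo"),
+},
+}
 
 t.Run("Cluster Scope - Success", func(t *testing.T) {
-cs := fake.NewClientset(ns, secret, sa)
+cs := fake.NewClientset(ns, legacyAutoSecret, sa)
+cs.PrependReactor("create", "secrets", _MockK8STokenController(cs.Tracker()))
 token, err := InstallClusterManagerRBAC(cs, "test", nil, testBearerTokenTimeout)
 require.NoError(t, err)
-assert.Equal(t, "foobar", token)
+assert.Equal(t, testToken, token)
 })
 
 t.Run("Cluster Scope - Missing data in secret", func(t *testing.T) {
-nsecret := secret.DeepCopy()
+nsecret := legacyAutoSecret.DeepCopy()
 nsecret.Data = make(map[string][]byte)
 cs := fake.NewClientset(ns, nsecret, sa)
 token, err := InstallClusterManagerRBAC(cs, "test", nil, testBearerTokenTimeout)
@@ -154,14 +191,15 @@ func TestInstallClusterManagerRBAC(t *testing.T) {
 })
 
 t.Run("Namespace Scope - Success", func(t *testing.T) {
-cs := fake.NewClientset(ns, secret, sa)
+cs := fake.NewClientset(ns, sa, longLivedSecret)
+cs.PrependReactor("create", "secrets", _MockK8STokenController(cs.Tracker()))
 token, err := InstallClusterManagerRBAC(cs, "test", []string{"nsa"}, testBearerTokenTimeout)
 require.NoError(t, err)
-assert.Equal(t, "foobar", token)
+assert.Equal(t, "barfoo", token)
 })
 
 t.Run("Namespace Scope - Missing data in secret", func(t *testing.T) {
-nsecret := secret.DeepCopy()
+nsecret := legacyAutoSecret.DeepCopy()
 nsecret.Data = make(map[string][]byte)
 cs := fake.NewClientset(ns, nsecret, sa)
 token, err := InstallClusterManagerRBAC(cs, "test", []string{"nsa"}, testBearerTokenTimeout)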
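Review bot: `_MockK8STokenController` in the first hunk injects `testToken` into any created Secret whose `corev1.ServiceAccountNameKey` annotation resolves to an existing ServiceAccount, without looking at `secret.Type`. "Cluster Scope - Success" would therefore still pass if the code under test created the Secret with the wrong type, which the real token controller presumably would not populate. Adding `if secret.Type != corev1.SecretTypeServiceAccountToken { return false, nil, nil }` after the `!ok` guard keeps the mock as strict as the controller it stands in for. The `action.(kubetesting.CreateAction)` assertion is unchecked and will panic if the reactor is ever registered for a verb other than "create"; the comma-ok form avoids that. `return false, secret, nil` appears to rely on the in-place mutation being picked up by the default tracker reactor further down the chain, which is worth a comment such as `// handled=false: let the tracker store the secret we just mutated`.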
