@@ -1056,6 +1056,118 @@ var _ = Describe("External Secrets Operator End-to-End test scenarios", Ordered,
10561056
10571057 })
10581058
1059+ Context ("Managed Label Restoration" , Label ("Platform:Generic" ), func () {
1060+ const (
1061+ managedLabelKey = "app"
1062+ managedLabelValue = "external-secrets"
1063+ )
1064+
1065+ It ("should restore the app=external-secrets label on a ServiceAccount after external removal" , func () {
1066+ saName := "external-secrets"
1067+
1068+ By ("Verifying ServiceAccount has the managed label initially" )
1069+ Eventually (func (g Gomega ) {
1070+ sa , err := clientset .CoreV1 ().ServiceAccounts (operandNamespace ).Get (ctx , saName , metav1.GetOptions {})
1071+ g .Expect (err ).NotTo (HaveOccurred ())
1072+ g .Expect (sa .Labels ).To (HaveKeyWithValue (managedLabelKey , managedLabelValue ))
1073+ }, time .Minute , 5 * time .Second ).Should (Succeed ())
1074+
1075+ By ("Removing the managed label from the ServiceAccount" )
1076+ Expect (retry .RetryOnConflict (retry .DefaultRetry , func () error {
1077+ sa , err := clientset .CoreV1 ().ServiceAccounts (operandNamespace ).Get (ctx , saName , metav1.GetOptions {})
1078+ if err != nil {
1079+ return err
1080+ }
1081+ delete (sa .Labels , managedLabelKey )
1082+ _ , err = clientset .CoreV1 ().ServiceAccounts (operandNamespace ).Update (ctx , sa , metav1.UpdateOptions {})
1083+ return err
1084+ })).To (Succeed (), "should remove the managed label" )
1085+
1086+ By ("Waiting for operator to restore the managed label" )
1087+ Eventually (func (g Gomega ) {
1088+ sa , err := clientset .CoreV1 ().ServiceAccounts (operandNamespace ).Get (ctx , saName , metav1.GetOptions {})
1089+ g .Expect (err ).NotTo (HaveOccurred ())
1090+ g .Expect (sa .Labels ).To (HaveKeyWithValue (managedLabelKey , managedLabelValue ),
1091+ "operator should restore app=external-secrets on ServiceAccount %s" , saName )
1092+ }, 2 * time .Minute , 5 * time .Second ).Should (Succeed ())
1093+ })
1094+
1095+ It ("should restore the app=external-secrets label on a Role after external removal" , func () {
1096+ roleName := "external-secrets"
1097+
1098+ By ("Verifying Role has the managed label initially" )
1099+ Eventually (func (g Gomega ) {
1100+ role , err := clientset .RbacV1 ().Roles (operandNamespace ).Get (ctx , roleName , metav1.GetOptions {})
1101+ g .Expect (err ).NotTo (HaveOccurred ())
1102+ g .Expect (role .Labels ).To (HaveKeyWithValue (managedLabelKey , managedLabelValue ))
1103+ }, time .Minute , 5 * time .Second ).Should (Succeed ())
1104+
1105+ By ("Removing the managed label from the Role" )
1106+ Expect (retry .RetryOnConflict (retry .DefaultRetry , func () error {
1107+ role , err := clientset .RbacV1 ().Roles (operandNamespace ).Get (ctx , roleName , metav1.GetOptions {})
1108+ if err != nil {
1109+ return err
1110+ }
1111+ delete (role .Labels , managedLabelKey )
1112+ _ , err = clientset .RbacV1 ().Roles (operandNamespace ).Update (ctx , role , metav1.UpdateOptions {})
1113+ return err
1114+ })).To (Succeed (), "should remove the managed label" )
1115+
1116+ By ("Waiting for operator to restore the managed label" )
1117+ Eventually (func (g Gomega ) {
1118+ role , err := clientset .RbacV1 ().Roles (operandNamespace ).Get (ctx , roleName , metav1.GetOptions {})
1119+ g .Expect (err ).NotTo (HaveOccurred ())
1120+ g .Expect (role .Labels ).To (HaveKeyWithValue (managedLabelKey , managedLabelValue ),
1121+ "operator should restore app=external-secrets on Role %s" , roleName )
1122+ }, 2 * time .Minute , 5 * time .Second ).Should (Succeed ())
1123+ })
1124+
1125+ It ("should restore the app=external-secrets label on a Deployment after external removal" , func () {
1126+ depName := "external-secrets"
1127+
1128+ By ("Verifying Deployment has the managed label initially" )
1129+ Eventually (func (g Gomega ) {
1130+ dep , err := clientset .AppsV1 ().Deployments (operandNamespace ).Get (ctx , depName , metav1.GetOptions {})
1131+ g .Expect (err ).NotTo (HaveOccurred ())
1132+ g .Expect (dep .Labels ).To (HaveKeyWithValue (managedLabelKey , managedLabelValue ))
1133+ }, time .Minute , 5 * time .Second ).Should (Succeed ())
1134+
1135+ By ("Removing the managed label from the Deployment" )
1136+ Expect (retry .RetryOnConflict (retry .DefaultRetry , func () error {
1137+ dep , err := clientset .AppsV1 ().Deployments (operandNamespace ).Get (ctx , depName , metav1.GetOptions {})
1138+ if err != nil {
1139+ return err
1140+ }
1141+ delete (dep .Labels , managedLabelKey )
1142+ _ , err = clientset .AppsV1 ().Deployments (operandNamespace ).Update (ctx , dep , metav1.UpdateOptions {})
1143+ return err
1144+ })).To (Succeed (), "should remove the managed label" )
1145+
1146+ By ("Waiting for operator to restore the managed label" )
1147+ Eventually (func (g Gomega ) {
1148+ dep , err := clientset .AppsV1 ().Deployments (operandNamespace ).Get (ctx , depName , metav1.GetOptions {})
1149+ g .Expect (err ).NotTo (HaveOccurred ())
1150+ g .Expect (dep .Labels ).To (HaveKeyWithValue (managedLabelKey , managedLabelValue ),
1151+ "operator should restore app=external-secrets on Deployment %s" , depName )
1152+ }, 2 * time .Minute , 5 * time .Second ).Should (Succeed ())
1153+ })
1154+
1155+ It ("should keep ExternalSecretsConfig in Ready state after label restoration" , func () {
1156+ By ("Verifying ExternalSecretsConfig is Ready and not Degraded" )
1157+ Expect (utils .WaitForExternalSecretsConfigReady (ctx , dynamicClient , "cluster" , 2 * time .Minute )).To (Succeed (),
1158+ "ExternalSecretsConfig should remain Ready after label tampering and restoration" )
1159+ })
1160+
1161+ It ("should keep operand pods running after label restoration" , func () {
1162+ By ("Verifying operand pods are still ready" )
1163+ Expect (utils .VerifyPodsReadyByPrefix (ctx , clientset , operandNamespace , []string {
1164+ operandCoreControllerPodPrefix ,
1165+ operandCertControllerPodPrefix ,
1166+ operandWebhookPodPrefix ,
1167+ })).To (Succeed (), "operand pods should still be running after label restoration" )
1168+ })
1169+ })
1170+
10591171 AfterAll (func () {
10601172 By ("Deleting the externalsecrets.openshift.operator.io/cluster CR" )
10611173 loader .DeleteFromFile (testassets .ReadFile , externalSecretsFile , "" )
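Review bot: The spec added at new line 1155 is titled "should keep ExternalSecretsConfig in Ready state", but `utils.WaitForExternalSecretsConfigReady(ctx, dynamicClient, "cluster", 2*time.Minute)` appears, judging by its name (the helper is not in this hunk), to return as soon as Ready is observed once. If so, a transient Degraded condition caused by the label tampering would pass unnoticed. To assert that the operator stays healthy while it reverts drift, follow the wait with a short `Consistently(func(g Gomega) { ... }, 30*time.Second, 5*time.Second).Should(Succeed())` over the Ready/Degraded conditions. The two final specs only mean "after restoration" because the enclosing `Describe`, which starts and ends outside this hunk, is `Ordered`, so add a comment saying `// relies on Ordered: runs after the three label-removal specs above`. The ServiceAccount, Role and Deployment specs differ only in the typed client and kind, so a shared helper or `DescribeTable` would keep the tamper-and-restore assertions from drifting apart.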