// SPDX-FileCopyrightText: SAP SE or an SAP affiliate company and Gardener contributors
//
// SPDX-License-Identifier: Apache-2.0
package extensionclusterrole_test
import (
"context"
"github.com/go-logr/logr"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/predicate"
"sigs.k8s.io/controller-runtime/pkg/reconcile"
"github.com/gardener/gardener/pkg/client/kubernetes"
. "github.com/gardener/gardener/pkg/controllermanager/controller/controllerregistration/extensionclusterrole"
)
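// Specs for the watch wiring of the extension ClusterRole reconciler.
//
// Two properties are pinned here, both relevant to how custom extension
// permissions are scoped:
//
//   - ServiceAccountPredicate only lets ServiceAccount objects through, and only
//     when they live in a namespace prefixed with "seed-".
//   - MapToMatchingClusterRoles only enqueues ClusterRoles that carry the
//     custom-extensions-permissions label and whose selector annotation matches
//     the ServiceAccount's labels. A selector that cannot be parsed must not
//     produce a match and must not suppress the valid ones.
var _ = Describe("Add", func() {
	const (
		// Label that opts a ClusterRole into the custom extension permissions handling.
		customPermissionsLabel = "authorization.gardener.cloud/custom-extensions-permissions"
		// Annotation holding the JSON label selector for extension ServiceAccounts.
		selectorAnnotation = "authorization.gardener.cloud/extensions-serviceaccount-selector"
	)

	var (
		reconciler     *Reconciler
		serviceAccount *corev1.ServiceAccount
	)

	BeforeEach(func() {
		reconciler = &Reconciler{}
		// Baseline object that satisfies every condition; individual specs
		// mutate one property at a time to exercise the negative paths.
		serviceAccount = &corev1.ServiceAccount{
			ObjectMeta: metav1.ObjectMeta{
				Namespace: "seed-foo",
				Name:      "baz",
				Labels:    map[string]string{"foo": "bar"},
			},
		}
	})

	Describe("ServiceAccountPredicate", func() {
		var p predicate.Predicate

		BeforeEach(func() {
			p = reconciler.ServiceAccountPredicate()
		})

		// tests registers the same three specs for one event type. f adapts the
		// predicate method under test to a plain object -> bool function.
		tests := func(f func(obj client.Object) bool) {
			It("should return false because object is no ServiceAccount", func() {
				Expect(f(&corev1.ConfigMap{})).To(BeFalse())
			})

			It("should return false because namespace is not prefixed with 'seed-'", func() {
				serviceAccount.Namespace = "foo"
				Expect(f(serviceAccount)).To(BeFalse())
			})

			It("should return true because object matches all conditions", func() {
				Expect(f(serviceAccount)).To(BeTrue())
			})
		}

		Describe("#Create", func() {
			tests(func(obj client.Object) bool { return p.Create(event.CreateEvent{Object: obj}) })
		})

		Describe("#Update", func() {
			// Only ObjectNew is populated, so these specs cover the new object's state.
			tests(func(obj client.Object) bool { return p.Update(event.UpdateEvent{ObjectNew: obj}) })
		})

		Describe("#Delete", func() {
			tests(func(obj client.Object) bool { return p.Delete(event.DeleteEvent{Object: obj}) })
		})

		Describe("#Generic", func() {
			tests(func(obj client.Object) bool { return p.Generic(event.GenericEvent{Object: obj}) })
		})
	})

	Describe("#MapToMatchingClusterRoles", func() {
		var (
			ctx = context.Background()
			log logr.Logger

			fakeClient   client.Client
			clusterRole1 *rbacv1.ClusterRole
		)

		// newClusterRole builds a ClusterRole that is opted in via the label and
		// carries the given raw selector annotation value.
		newClusterRole := func(name, selector string) *rbacv1.ClusterRole {
			return &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{
				Name:        name,
				Labels:      map[string]string{customPermissionsLabel: "true"},
				Annotations: map[string]string{selectorAnnotation: selector},
			}}
		}

		// requestFor is the reconcile request expected for a cluster-scoped object.
		requestFor := func(name string) reconcile.Request {
			return reconcile.Request{NamespacedName: types.NamespacedName{Name: name}}
		}

		BeforeEach(func() {
			log = logr.Discard()
			fakeClient = fakeclient.NewClientBuilder().WithScheme(kubernetes.GardenScheme).Build()
			reconciler.Client = fakeClient

			// clusterRole1 selects the baseline ServiceAccount (foo=bar).
			clusterRole1 = newClusterRole("clusterRole1", `{"matchLabels":{"foo":"bar"}}`)
			// clusterRole2 is opted in but selects different labels.
			clusterRole2 := newClusterRole("clusterRole2", `{"matchLabels":{"bar":"baz"}}`)
			// clusterRole3 carries neither the label nor the annotation.
			clusterRole3 := &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "clusterRole3"}}

			for _, clusterRole := range []*rbacv1.ClusterRole{clusterRole1, clusterRole2, clusterRole3} {
				Expect(fakeClient.Create(ctx, clusterRole)).To(Succeed())
			}
		})

		It("should map to all matching cluster roles", func() {
			Expect(reconciler.MapToMatchingClusterRoles(log)(ctx, serviceAccount)).To(HaveExactElements(requestFor(clusterRole1.Name)))
		})

		It("should not map to any cluster role when the service account labels match no selector", func() {
			serviceAccount.Labels = map[string]string{"unrelated": "label"}

			Expect(reconciler.MapToMatchingClusterRoles(log)(ctx, serviceAccount)).To(BeEmpty())
		})

		// Previously named "should map to fail when a selector cannot be parsed",
		// which did not describe the assertion: the mapping still succeeds for the
		// valid role and the role with the broken selector is left out.
		It("should skip cluster roles whose selector cannot be parsed", func() {
			Expect(fakeClient.Create(ctx, newClusterRole("clusterRole4", `{cannot-parse-this`))).To(Succeed())

			Expect(reconciler.MapToMatchingClusterRoles(log)(ctx, serviceAccount)).To(HaveExactElements(requestFor(clusterRole1.Name)))
		})
	})
})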