Merge pull request #5233 from mzazrivec/support_for_service_accounts_…
…in_rosa_hcp ✨ ROSA: Support for OCM service account credentials
Showing
3 changed files
with
267 additions
and
40 deletions.
@@ -0,0 +1,119 @@ | ||
package rosa | ||
|
||
import ( | ||
"context" | ||
"os" | ||
"testing" | ||
|
||
. "github.com/onsi/gomega" | ||
corev1 "k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/klog/v2" | ||
"sigs.k8s.io/controller-runtime/pkg/client/fake" | ||
|
||
rosacontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/rosa/api/v1beta2" | ||
"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope" | ||
"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/logger" | ||
"sigs.k8s.io/cluster-api-provider-aws/v2/util/system" | ||
) | ||
|
||
func createROSAControlPlaneScopeWithSecrets(cp *rosacontrolplanev1.ROSAControlPlane, secrets ...*corev1.Secret) *scope.ROSAControlPlaneScope { | ||
// k8s mock (fake) client | ||
fakeClientBuilder := fake.NewClientBuilder() | ||
for _, sec := range secrets { | ||
fakeClientBuilder.WithObjects(sec) | ||
} | ||
|
||
fakeClient := fakeClientBuilder.Build() | ||
|
||
// ROSA Control Plane Scope | ||
rcpScope := &scope.ROSAControlPlaneScope{ | ||
Client: fakeClient, | ||
ControlPlane: cp, | ||
Logger: *logger.NewLogger(klog.Background()), | ||
} | ||
|
||
return rcpScope | ||
} | ||
|
||
func createSecret(name, namespace, token, url, clientID, clientSecret string) *corev1.Secret { | ||
return &corev1.Secret{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: name, | ||
Namespace: namespace, | ||
}, | ||
Data: map[string][]byte{ | ||
"ocmToken": []byte(token), | ||
"ocmApiUrl": []byte(url), | ||
"ocmClientID": []byte(clientID), | ||
"ocmClientSecret": []byte(clientSecret), | ||
}, | ||
} | ||
} | ||
|
||
func createCP(namespace string) *rosacontrolplanev1.ROSAControlPlane { | ||
return &rosacontrolplanev1.ROSAControlPlane{ | ||
Spec: rosacontrolplanev1.RosaControlPlaneSpec{ | ||
CredentialsSecretRef: &corev1.LocalObjectReference{ | ||
Name: "rosa-creds-secret", | ||
}, | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Namespace: namespace, | ||
}, | ||
} | ||
} | ||
|
||
func TestOcmCredentials(t *testing.T) { | ||
g := NewWithT(t) | ||
|
||
wlSecret := createSecret("rosa-creds-secret", "default", "", "url", "client-id", "client-secret") | ||
mgrSecret := createSecret("rosa-creds-secret", system.GetManagerNamespace(), "", "url", "global-client-id", "global-client-secret") | ||
|
||
cp := createCP("default") | ||
|
||
// Test that ocmCredentials() prefers workload secret to global and environment secrets | ||
os.Setenv("OCM_API_URL", "env-url") | ||
os.Setenv("OCM_TOKEN", "env-token") | ||
rcpScope := createROSAControlPlaneScopeWithSecrets(cp, wlSecret, mgrSecret) | ||
token, url, clientID, clientSecret, err := ocmCredentials(context.Background(), rcpScope) | ||
|
||
g.Expect(err).NotTo(HaveOccurred()) | ||
g.Expect(token).To(Equal(string(wlSecret.Data["ocmToken"]))) | ||
g.Expect(url).To(Equal(string(wlSecret.Data["ocmApiUrl"]))) | ||
g.Expect(clientID).To(Equal(string(wlSecret.Data["ocmClientID"]))) | ||
g.Expect(clientSecret).To(Equal(string(wlSecret.Data["ocmClientSecret"]))) | ||
|
||
// Test that ocmCredentials() prefers global manager secret to environment secret in case workload secret is not specified | ||
cp.Spec = rosacontrolplanev1.RosaControlPlaneSpec{} | ||
rcpScope = createROSAControlPlaneScopeWithSecrets(cp, mgrSecret) | ||
token, url, clientID, clientSecret, err = ocmCredentials(context.Background(), rcpScope) | ||
|
||
g.Expect(err).NotTo(HaveOccurred()) | ||
g.Expect(token).To(Equal(string(mgrSecret.Data["ocmToken"]))) | ||
g.Expect(url).To(Equal(string(mgrSecret.Data["ocmApiUrl"]))) | ||
g.Expect(clientID).To(Equal(string(mgrSecret.Data["ocmClientID"]))) | ||
g.Expect(clientSecret).To(Equal(string(mgrSecret.Data["ocmClientSecret"]))) | ||
|
||
// Test that ocmCredentials() returns environment secret in case workload and manager secret are not specified | ||
cp.Spec = rosacontrolplanev1.RosaControlPlaneSpec{} | ||
rcpScope = createROSAControlPlaneScopeWithSecrets(cp) | ||
token, url, clientID, clientSecret, err = ocmCredentials(context.Background(), rcpScope) | ||
|
||
g.Expect(err).NotTo(HaveOccurred()) | ||
g.Expect(token).To(Equal(os.Getenv("OCM_TOKEN"))) | ||
g.Expect(url).To(Equal(os.Getenv("OCM_API_URL"))) | ||
g.Expect(clientID).To(Equal("")) | ||
g.Expect(clientSecret).To(Equal("")) | ||
|
||
// Test that ocmCredentials() returns error in case none of the secrets has been provided | ||
os.Unsetenv("OCM_API_URL") | ||
os.Unsetenv("OCM_TOKEN") | ||
token, url, clientID, clientSecret, err = ocmCredentials(context.Background(), rcpScope) | ||
|
||
g.Expect(err).To(HaveOccurred()) | ||
g.Expect(token).To(Equal("")) | ||
g.Expect(url).To(Equal("")) | ||
g.Expect(clientID).To(Equal("")) | ||
g.Expect(clientSecret).To(Equal("")) | ||
} |
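Review bot: The environment mutations at the top of TestOcmCredentials use os.Setenv and depend on the os.Unsetenv calls near the end for cleanup, so any failed expectation before that point leaves OCM_TOKEN and OCM_API_URL set for every later test in the package, and a pre-existing OCM_TOKEN in a developer's or CI environment is clobbered and never restored. `t.Setenv("OCM_API_URL", "env-url")` and `t.Setenv("OCM_TOKEN", "env-token")` register a cleanup that restores the prior value on test exit, and the later os.Unsetenv calls can stay as they are. Separately, both fixture secrets carry an empty ocmToken, so the precedence cases only show that a client-ID/secret pair wins over an environment token; a secret with a non-empty ocmToken, and a secret with neither a token nor a client-ID/secret pair, are not exercised, and the latter is the case where silently falling through to the manager-namespace or environment credentials would matter most, so a case asserting whichever behaviour ocmCredentials is meant to have would be worth adding. Finally, if system.GetManagerNamespace() happens to resolve to "default" in the test environment (presumably it reads an environment variable or a mounted file; verify), wlSecret and mgrSecret collide in the fake client and the first precedence assertion passes vacuously, so pinning the manager namespace in the test would make it deterministic.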