1 package bannerctl
2
3 import (
4 "fmt"
5 "testing"
6
7 "edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
8 "edge-infra.dev/pkg/lib/gcp/iam/roles"
9 "edge-infra.dev/pkg/lib/uuid"
10
11 iamAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
12 resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
13 "github.com/stretchr/testify/assert"
14 )
15
// TestCreateClusterControllerIAMSA pins the shape of the IAMServiceAccount the
// reconciler builds for the cluster controller: owned by the banner, placed in
// the banner's namespace, named (and display-named) after the hash of the
// cluster's edge ID, and annotated with the "abandon" deletion policy so the
// GCP service account is left in place when the Kubernetes object goes away.
func TestCreateClusterControllerIAMSA(t *testing.T) {
	banner := getTestBanner()
	reconciler := &BannerReconciler{}

	// The object name is derived from the cluster edge ID, not chosen freely,
	// so two banners cannot collide on the same service account name.
	edgeHash := uuid.FromUUID(banner.Status.ClusterInfraClusterEdgeID).Hash()
	saName := fmt.Sprintf("cctl-%s", edgeHash)

	got := reconciler.createClusterControllerIAMSA(banner, saName)

	assert.True(t, isOwnedByBanner(got, banner.Name), "service account must carry the banner owner reference")
	// Abandon-on-delete: the cloud resource must outlive the k8s object.
	assert.Equal(t, meta.DeletionPolicyAbandon, got.Annotations[meta.DeletionPolicyAnnotation], "deletion policy annotation")

	fields := []struct {
		what string
		want string
		got  string
	}{
		{"name", saName, got.Name},
		{"namespace", banner.Name, got.Namespace},
		{"display name", saName, *got.Spec.DisplayName},
	}
	for _, f := range fields {
		assert.Equal(t, f.want, f.got, f.what)
	}
}
29
// TestClusterControllerIAMMembers pins the exact set of IAM bindings granted
// to the cluster controller's service account. Two bindings are project
// scoped (Secret Admin and GKE Admin, granted to the GSA itself) and one is
// scoped to the service account resource (Workload Identity User, granted to
// the clusterctl/clusterctl Kubernetes service account). Keeping the roles,
// members and resource references explicit here means any widening of the
// controller's privileges has to show up as a test change.
func TestClusterControllerIAMMembers(t *testing.T) {
	banner := getTestBanner()
	reconciler := &BannerReconciler{}
	project := banner.Spec.GCP.ProjectID
	saName := fmt.Sprintf("cctl-%s", uuid.FromUUID(banner.Status.ClusterInfraClusterEdgeID).Hash())

	members := reconciler.createClusterControllerIAMMembers(banner, saName)
	assert.Len(t, members, 3)

	// Principal form for the GSA when it is the *member* of a project binding.
	gsaMember := fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", saName, project)

	// The two project-level bindings differ only in name suffix and role; the
	// role is held as `any` so this test does not assume the roles package's
	// concrete type.
	projectBindings := []struct {
		idx    int
		suffix string
		role   any
	}{
		{0, "-secretadmin", roles.SecretAdmin},
		{1, "-gke-admin", roles.GKEAdmin},
	}
	for _, pb := range projectBindings {
		m := members[pb.idx]
		assert.True(t, isOwnedByBanner(m, banner.Name), pb.suffix)
		assert.Equal(t, meta.DeletionPolicyAbandon, m.Annotations[meta.DeletionPolicyAnnotation], pb.suffix)
		assert.Equal(t, saName+pb.suffix, m.Name)
		assert.Equal(t, banner.Name, m.Namespace, pb.suffix)
		assert.Equal(t, gsaMember, *m.Spec.Member, pb.suffix)
		// Bound at the project, referenced externally by project ID.
		assert.Equal(t, resourceAPI.SchemeGroupVersion.String(), m.Spec.ResourceRef.APIVersion, pb.suffix)
		assert.Equal(t, resourceAPI.ProjectGVK.Kind, m.Spec.ResourceRef.Kind, pb.suffix)
		assert.Equal(t, project, m.Spec.ResourceRef.External, pb.suffix)
		assert.Equal(t, pb.role, m.Spec.Role, pb.suffix)
	}

	// Workload Identity binding: the member is the KSA principal from the
	// project's identity pool, pinned to the clusterctl namespace and name, and
	// the resource is the GSA itself (by in-cluster name, not external ID), so
	// only that one KSA may impersonate the controller's GSA.
	wi := members[2]
	ksaMember := fmt.Sprintf("serviceAccount:%s.svc.id.goog[clusterctl/clusterctl]", project)
	assert.True(t, isOwnedByBanner(wi, banner.Name))
	assert.Equal(t, meta.DeletionPolicyAbandon, wi.Annotations[meta.DeletionPolicyAnnotation])
	assert.Equal(t, saName+"-workload-identity-user", wi.Name)
	assert.Equal(t, banner.Name, wi.Namespace)
	assert.Equal(t, ksaMember, *wi.Spec.Member)
	assert.Equal(t, iamAPI.SchemeGroupVersion.String(), wi.Spec.ResourceRef.APIVersion)
	assert.Equal(t, iamAPI.IAMServiceAccountGVK.Kind, wi.Spec.ResourceRef.Kind)
	assert.Equal(t, saName, wi.Spec.ResourceRef.Name)
	assert.Equal(t, roles.WorkloadIdentityUser, wi.Spec.Role)
}
74
// TestClusterControllerSAResources checks only the cardinality of the objects
// the reconciler emits for the cluster controller's service account: four
// (presumably the IAMServiceAccount plus the three IAM bindings covered by the
// tests above — confirm against createClusterControllerSAResources). The
// per-object contents are pinned by the dedicated tests for each helper.
func TestClusterControllerSAResources(t *testing.T) {
	banner := getTestBanner()
	edgeHash := uuid.FromUUID(banner.Status.ClusterInfraClusterEdgeID).Hash()
	saName := fmt.Sprintf("cctl-%s", edgeHash)

	reconciler := &BannerReconciler{}
	resources := reconciler.createClusterControllerSAResources(banner, saName)

	const wantCount = 4
	assert.Len(t, resources, wantCount, "unexpected number of SA resources")
}
84