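package bannerctl

import (
	"fmt"
	"testing"

	"edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
	"edge-infra.dev/pkg/lib/gcp/iam/roles"
	"edge-infra.dev/pkg/lib/uuid"
	iamAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
	resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
	"github.com/stretchr/testify/assert"
)

// TestCreateClusterControllerIAMSA checks the IAM service account the
// reconciler builds for the cluster controller: it is owned by the banner,
// carries the "abandon" deletion policy annotation, lives in the banner's
// namespace, and is named/displayed as "cctl-<hash of ClusterInfraClusterEdgeID>".
func TestCreateClusterControllerIAMSA(t *testing.T) {
	r := &BannerReconciler{}
	b := getTestBanner()
	hash := uuid.FromUUID(b.Status.ClusterInfraClusterEdgeID).Hash()
	clusterctlSAName := fmt.Sprintf("cctl-%s", hash)

	clusterctlIAMSA := r.createClusterControllerIAMSA(b, clusterctlSAName)

	assert.True(t, isOwnedByBanner(clusterctlIAMSA, b.Name))
	// NOTE(review): "abandon" presumably leaves the GCP service account in
	// place when the K8s object is deleted — confirm against the meta package.
	assert.Equal(t, meta.DeletionPolicyAbandon, clusterctlIAMSA.Annotations[meta.DeletionPolicyAnnotation])
	assert.Equal(t, clusterctlSAName, clusterctlIAMSA.Name)
	assert.Equal(t, b.Name, clusterctlIAMSA.Namespace)
	// Guard the dereference: a nil DisplayName should be a reported failure,
	// not a panic that hides the remaining assertions.
	if assert.NotNil(t, clusterctlIAMSA.Spec.DisplayName) {
		assert.Equal(t, clusterctlSAName, *clusterctlIAMSA.Spec.DisplayName)
	}
}

// TestClusterControllerIAMMembers checks the three IAMPolicyMember bindings
// the reconciler builds for the cluster controller service account, in the
// order the reconciler returns them:
//
//  0. roles.SecretAdmin on the banner's GCP project (project-scoped grant),
//  1. roles.GKEAdmin on the banner's GCP project (project-scoped grant),
//  2. roles.WorkloadIdentityUser on the IAM service account itself, granted to
//     the Kubernetes service account clusterctl/clusterctl of the project's
//     workload identity pool.
//
// The first two are broad, project-wide roles; the assertions on
// ResourceRef.External and Spec.Role pin that scope so any widening (or
// narrowing) of the grant is a deliberate, reviewed change.
func TestClusterControllerIAMMembers(t *testing.T) {
	r := &BannerReconciler{}
	b := getTestBanner()
	hash := uuid.FromUUID(b.Status.ClusterInfraClusterEdgeID).Hash()
	clusterctlSAName := fmt.Sprintf("cctl-%s", hash)

	clusterctlIAMPolicies := r.createClusterControllerIAMMembers(b, clusterctlSAName)

	// The GCP service account principal that receives the project-scoped roles.
	gcpSAMember := fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", clusterctlSAName, b.Spec.GCP.ProjectID)
	// The workload identity principal (KSA clusterctl in namespace clusterctl)
	// allowed to impersonate the GCP service account.
	wiMember := fmt.Sprintf("serviceAccount:%s.svc.id.goog[clusterctl/clusterctl]", b.Spec.GCP.ProjectID)

	expected := []struct {
		name       string // metadata.name of the IAMPolicyMember
		member     string // Spec.Member principal
		apiVersion string // Spec.ResourceRef.APIVersion
		kind       string // Spec.ResourceRef.Kind
		external   string // Spec.ResourceRef.External (set for project-scoped bindings)
		refName    string // Spec.ResourceRef.Name (set when the target is a KCC-managed object)
		role       string // Spec.Role
	}{
		{
			name:       fmt.Sprintf("%s-secretadmin", clusterctlSAName),
			member:     gcpSAMember,
			apiVersion: resourceAPI.SchemeGroupVersion.String(),
			kind:       resourceAPI.ProjectGVK.Kind,
			external:   b.Spec.GCP.ProjectID,
			role:       roles.SecretAdmin,
		},
		{
			name:       fmt.Sprintf("%s-gke-admin", clusterctlSAName),
			member:     gcpSAMember,
			apiVersion: resourceAPI.SchemeGroupVersion.String(),
			kind:       resourceAPI.ProjectGVK.Kind,
			external:   b.Spec.GCP.ProjectID,
			role:       roles.GKEAdmin,
		},
		{
			name:       fmt.Sprintf("%s-workload-identity-user", clusterctlSAName),
			member:     wiMember,
			apiVersion: iamAPI.SchemeGroupVersion.String(),
			kind:       iamAPI.IAMServiceAccountGVK.Kind,
			refName:    clusterctlSAName,
			role:       roles.WorkloadIdentityUser,
		},
	}

	// Stop here on a length mismatch so a short slice is a clean failure
	// rather than an index-out-of-range panic below.
	if !assert.Len(t, clusterctlIAMPolicies, len(expected)) {
		return
	}

	for i, want := range expected {
		got := clusterctlIAMPolicies[i]
		t.Run(want.name, func(t *testing.T) {
			assert.True(t, isOwnedByBanner(got, b.Name))
			assert.Equal(t, meta.DeletionPolicyAbandon, got.Annotations[meta.DeletionPolicyAnnotation])
			assert.Equal(t, want.name, got.Name)
			assert.Equal(t, b.Name, got.Namespace)
			if assert.NotNil(t, got.Spec.Member) {
				assert.Equal(t, want.member, *got.Spec.Member)
			}
			assert.Equal(t, want.apiVersion, got.Spec.ResourceRef.APIVersion)
			assert.Equal(t, want.kind, got.Spec.ResourceRef.Kind)
			// Project-scoped bindings reference the project by External; the
			// workload identity binding references the SA object by Name.
			if want.external != "" {
				assert.Equal(t, want.external, got.Spec.ResourceRef.External)
			}
			if want.refName != "" {
				assert.Equal(t, want.refName, got.Spec.ResourceRef.Name)
			}
			assert.Equal(t, want.role, got.Spec.Role)
		})
	}
}

// TestClusterControllerSAResources checks the number of objects the
// reconciler emits for the cluster controller service account as a whole.
// NOTE(review): 4 presumably is the IAM service account plus the three
// IAMPolicyMember bindings covered by the tests above — confirm against
// createClusterControllerSAResources.
func TestClusterControllerSAResources(t *testing.T) {
	r := &BannerReconciler{}
	b := getTestBanner()
	hash := uuid.FromUUID(b.Status.ClusterInfraClusterEdgeID).Hash()
	clusterctlSAName := fmt.Sprintf("cctl-%s", hash)

	objs := r.createClusterControllerSAResources(b, clusterctlSAName)

	assert.Len(t, objs, 4)
}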