1 package bannerctl
2
3 import (
4 "fmt"
5 "testing"
6
7 bannerAPI "edge-infra.dev/pkg/edge/apis/banner/v1alpha1"
8 "edge-infra.dev/pkg/edge/gcpinfra"
9 "edge-infra.dev/pkg/k8s/konfigkonnector/apis/meta"
10 "edge-infra.dev/pkg/lib/gcp/iam/roles"
11 gcpProject "edge-infra.dev/pkg/lib/gcp/project"
12 edgeUUID "edge-infra.dev/pkg/lib/uuid"
13
14 iamAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/iam/v1beta1"
15 resourceAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/resourcemanager/v1beta1"
16 storageAPI "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/storage/v1beta1"
17 "github.com/google/uuid"
18 "github.com/stretchr/testify/assert"
19
20 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
21 )
22
// TestCreateKCCIAMSA checks the IAMServiceAccount built for the banner's
// Config Connector (KCC) install: it must be owned by the banner, carry the
// abandon deletion policy, live in the banner namespace under the given
// resource name, and use a display name derived from the banner.
func TestCreateKCCIAMSA(t *testing.T) {
	rec := &BannerReconciler{}
	banner := getTestBanner()
	hash := edgeUUID.FromUUID(banner.Status.ClusterInfraClusterEdgeID).Hash()
	saName := fmt.Sprintf("kcc-%s", hash)

	got := rec.createKCCIAMSA(banner, saName)

	// Ownership and deletion policy: the object is bound to the banner's
	// lifecycle but the KCC deletion policy is set to abandon.
	assert.True(t, isOwnedByBanner(got, banner.Name))
	assert.Equal(t, meta.DeletionPolicyAbandon, got.Annotations[meta.DeletionPolicyAnnotation])

	// Identity of the k8s object.
	assert.Equal(t, saName, got.Name)
	assert.Equal(t, banner.Name, got.Namespace)

	wantDisplay := fmt.Sprintf("k8s cfg connector for project %s", banner.Spec.DisplayName)
	assert.Equal(t, wantDisplay, *got.Spec.DisplayName)
}
37
// TestCreateKCCIAMMembers checks the five IAMPolicyMember objects produced
// for the banner's KCC service account, in order: owner on the banner's own
// project, a condition-scoped project admin on the foreman project, pubsub
// admin on the foreman project, a workload identity binding for the cnrm
// controller, and object-creator on the foreman SIEM bucket for the logging
// service agent.
func TestCreateKCCIAMMembers(t *testing.T) {
	rec := &BannerReconciler{ForemanProjectID: "rest-test-foreman0"}
	banner := getTestBanner()
	hash := edgeUUID.FromUUID(banner.Status.ClusterInfraClusterEdgeID).Hash()
	saName := fmt.Sprintf("kcc-%s", hash)

	members := rec.createKCCIAMMembers(banner, saName, TestProjectNumber)
	assert.Len(t, members, 5)

	// The GCP identity of the KCC service account in IAM member syntax.
	kccSA := fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", saName, banner.Spec.GCP.ProjectID)

	// expectBannerScoped covers what members [0]-[3] share: owned by the
	// banner, abandoned on delete, named <saName>-<suffix>, in the banner namespace.
	expectBannerScoped := func(i int, suffix string) {
		m := members[i]
		assert.True(t, isOwnedByBanner(m, banner.Name))
		assert.Equal(t, meta.DeletionPolicyAbandon, m.Annotations[meta.DeletionPolicyAnnotation])
		assert.Equal(t, saName+"-"+suffix, m.Name)
		assert.Equal(t, banner.Name, m.Namespace)
	}
	// expectProjectRef checks a resourceRef that points at a GCP project by ID.
	expectProjectRef := func(i int, projectID string) {
		ref := members[i].Spec.ResourceRef
		assert.Equal(t, resourceAPI.SchemeGroupVersion.String(), ref.APIVersion)
		assert.Equal(t, resourceAPI.ProjectGVK.Kind, ref.Kind)
		assert.Equal(t, projectID, ref.External)
	}

	// [0] owner on the banner project. This is the broadest grant in the set;
	// pinning the role here makes any widening or narrowing an explicit change.
	expectBannerScoped(0, "owner")
	assert.Equal(t, kccSA, *members[0].Spec.Member)
	expectProjectRef(0, banner.Spec.GCP.ProjectID)
	assert.Equal(t, roles.Owner, members[0].Spec.Role)

	// [1] project admin on the foreman project, narrowed by an IAM condition.
	expectBannerScoped(1, "logging-logwriter")
	assert.Equal(t, kccSA, *members[1].Spec.Member)
	expectProjectRef(1, rec.ForemanProjectID)
	assert.Equal(t, roles.ProjectAdmin, members[1].Spec.Role)
	// The condition is what keeps this from being an unconditional project
	// admin grant on foreman, so title, description and expression are all pinned.
	cond := members[1].Spec.Condition
	assert.Equal(t, "kcc_delegated_foreman_roles", cond.Title)
	assert.Equal(t, "KCC delegated roles on foreman", *cond.Description)
	assert.Equal(t, KccDelegatedRolesExpression, cond.Expression)

	// [2] pubsub admin on the foreman project, deliberately unconditional.
	expectBannerScoped(2, "pubsub-admin")
	assert.Equal(t, kccSA, *members[2].Spec.Member)
	expectProjectRef(2, rec.ForemanProjectID)
	assert.Equal(t, roles.PubsubAdmin, members[2].Spec.Role)
	assert.Nil(t, members[2].Spec.Condition)

	// [3] workload identity: the cnrm controller KSA may impersonate the KCC SA,
	// so the resourceRef targets the IAMServiceAccount by k8s name, not a project.
	expectBannerScoped(3, "workload-id")
	ksaMember := fmt.Sprintf("serviceAccount:%s.svc.id.goog[cnrm-system/cnrm-controller-manager]", banner.Spec.GCP.ProjectID)
	assert.Equal(t, ksaMember, *members[3].Spec.Member)
	wiRef := members[3].Spec.ResourceRef
	assert.Equal(t, iamAPI.SchemeGroupVersion.String(), wiRef.APIVersion)
	assert.Equal(t, iamAPI.IAMServiceAccountGVK.Kind, wiRef.Kind)
	assert.Equal(t, saName, wiRef.Name)
	assert.Equal(t, roles.WorkloadIdentityUser, members[3].Spec.Role)

	// [4] the logging service agent may create objects in the foreman SIEM bucket.
	// NOTE(review): unlike [0]-[3], name, namespace and the deletion-policy
	// annotation are not asserted for this member — confirm what the
	// implementation sets and extend the test if they are expected.
	siem := members[4]
	assert.True(t, isOwnedByBanner(siem, banner.Name))
	loggingAgent := fmt.Sprintf("serviceAccount:service-%s@gcp-sa-logging.iam.gserviceaccount.com", TestProjectNumber)
	assert.Equal(t, loggingAgent, *siem.Spec.Member)
	assert.Equal(t, storageAPI.SchemeGroupVersion.String(), siem.Spec.ResourceRef.APIVersion)
	assert.Equal(t, storageAPI.StorageBucketGVK.Kind, siem.Spec.ResourceRef.Kind)
	assert.Equal(t, fmt.Sprintf("%s-siem", rec.ForemanProjectID), siem.Spec.ResourceRef.External)
	assert.Equal(t, roles.StorageObjectCreator, siem.Spec.Role)
}
107
// TestCreateClusterInfraKCCResources only pins the number of objects the
// cluster-infra KCC bundle produces; the individual objects are covered by
// the more specific tests in this file.
func TestCreateClusterInfraKCCResources(t *testing.T) {
	rec := &BannerReconciler{}
	banner := getTestBanner()
	saName := fmt.Sprintf("kcc-%s", edgeUUID.FromUUID(banner.Status.ClusterInfraClusterEdgeID).Hash())

	// Six objects are expected; a change in this count should be deliberate
	// and accompanied by new per-object assertions.
	got := rec.createClusterInfraKCCResources(banner, saName, TestProjectNumber)
	assert.Len(t, got, 6)
}
117
// getTestBanner builds a minimal Banner fixture: a fresh random UUID as its
// name, a fixed display name, and a generated GCP project ID made of the
// infra prefix, a dash, and random characters sized so that the whole ID is
// 30 characters (assuming RandAN(n) yields n characters).
//
// Status is left at its zero value, so ClusterInfraClusterEdgeID is unset;
// the tests in this file hash it as-is — TODO confirm that is intended.
func getTestBanner() *bannerAPI.Banner {
	prefix := gcpinfra.ProjectIDPrefix
	projectID := fmt.Sprintf("%s-%s", prefix, gcpProject.RandAN(29-len(prefix)))

	banner := &bannerAPI.Banner{}
	banner.ObjectMeta = metav1.ObjectMeta{Name: uuid.New().String()}
	banner.Spec = bannerAPI.BannerSpec{
		DisplayName: "Test Banner",
		GCP:         bannerAPI.GCPConfig{ProjectID: projectID},
	}
	return banner
}
133