1use linkerd_policy_controller_k8s_api::{
2 self as api,
3 policy::{MeshTLSAuthentication, MeshTLSAuthenticationSpec, NamespacedTargetRef},
4};
5use linkerd_policy_test::admission;
6
7#[tokio::test(flavor = "current_thread")]
8async fn accepts_valid_ref() {
9 admission::accepts(|ns| MeshTLSAuthentication {
10 metadata: api::ObjectMeta {
11 namespace: Some(ns),
12 name: Some("test".to_string()),
13 ..Default::default()
14 },
15 spec: MeshTLSAuthenticationSpec {
16 identity_refs: Some(vec![NamespacedTargetRef {
17 group: None,
18 kind: "ServiceAccount".to_string(),
19 name: "default".to_string(),
20 namespace: None,
21 }]),
22 ..Default::default()
23 },
24 })
25 .await;
26}
27
28#[tokio::test(flavor = "current_thread")]
29async fn accepts_ns_ref() {
30 admission::accepts(|ns| MeshTLSAuthentication {
31 metadata: api::ObjectMeta {
32 namespace: Some(ns),
33 name: Some("test".to_string()),
34 ..Default::default()
35 },
36 spec: MeshTLSAuthenticationSpec {
37 identity_refs: Some(vec![NamespacedTargetRef {
38 group: None,
39 kind: "Namespace".to_string(),
40 name: "default".to_string(),
41 namespace: None,
42 }]),
43 ..Default::default()
44 },
45 })
46 .await;
47}
48
49#[tokio::test(flavor = "current_thread")]
50async fn rejects_namespaced_namespace() {
51 admission::rejects(|ns| MeshTLSAuthentication {
52 metadata: api::ObjectMeta {
53 namespace: Some(ns),
54 name: Some("test".to_string()),
55 ..Default::default()
56 },
57 spec: MeshTLSAuthenticationSpec {
58 identity_refs: Some(vec![NamespacedTargetRef {
59 group: None,
60 kind: "Namespace".to_string(),
61 name: "default".to_string(),
62 namespace: Some("default".to_string()),
63 }]),
64 ..Default::default()
65 },
66 })
67 .await;
68}
69
70#[tokio::test(flavor = "current_thread")]
71async fn accepts_strings() {
72 admission::accepts(|ns| MeshTLSAuthentication {
73 metadata: api::ObjectMeta {
74 namespace: Some(ns),
75 name: Some("test".to_string()),
76 ..Default::default()
77 },
78 spec: MeshTLSAuthenticationSpec {
79 identities: Some(vec!["example.id".to_string()]),
80 ..Default::default()
81 },
82 })
83 .await;
84}
85
86#[tokio::test(flavor = "current_thread")]
87async fn rejects_empty() {
88 admission::rejects(|ns| MeshTLSAuthentication {
89 metadata: api::ObjectMeta {
90 namespace: Some(ns),
91 name: Some("test".to_string()),
92 ..Default::default()
93 },
94 spec: MeshTLSAuthenticationSpec::default(),
95 })
96 .await;
97}
98
99#[tokio::test(flavor = "current_thread")]
100async fn rejects_both_refs_and_strings() {
101 admission::rejects(|ns| MeshTLSAuthentication {
102 metadata: api::ObjectMeta {
103 namespace: Some(ns),
104 name: Some("test".to_string()),
105 ..Default::default()
106 },
107 spec: MeshTLSAuthenticationSpec {
108 identities: Some(vec!["example.id".to_string()]),
109 identity_refs: Some(vec![NamespacedTargetRef {
110 group: None,
111 kind: "ServiceAccount".to_string(),
112 name: "default".to_string(),
113 namespace: None,
114 }]),
115 },
116 })
117 .await;
118}
View as plain text