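// Source: github.com/verrazzano/verrazzano@v1.7.0/cluster-operator/internal/operatorinit/update_webhooks_test.go

// Copyright (c) 2022, Oracle and/or its affiliates.
// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

package operatorinit

import (
	"bytes"
	"context"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/verrazzano/verrazzano/cluster-operator/internal/certificate"
	adminv1 "k8s.io/api/admissionregistration/v1"
	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes/fake"
)

// TestUpdateValidatingnWebhookConfiguration tests that the CA Bundle is updated in the verrazzano-cluster-operator
// validatingWebhookConfiguration resource.
// GIVEN a CA secret and a validatingWebhookConfiguration resource whose webhooks have no CA Bundle set
// WHEN I call updateValidatingWebhookConfiguration
// THEN the validatingWebhookConfiguration resource has the CA Bundle set as expected
func TestUpdateValidatingnWebhookConfiguration(t *testing.T) {
	asserts := assert.New(t)

	kubeClient := fake.NewSimpleClientset()

	_, caCert, err := createExpectedCASecret(kubeClient)
	asserts.Nilf(err, "Unexpected error creating expected CA secret: %v", err)

	wh, err := createExpectedValidatingWebhook(kubeClient, certificate.WebhookName)
	asserts.Nilf(err, "error should not be returned creating validation webhook configuration: %v", err)
	asserts.NotEmpty(wh)

	err = updateValidatingWebhookConfiguration(kubeClient, certificate.WebhookName)
	asserts.Nilf(err, "error should not be returned updating validation webhook configuration: %v", err)

	// Read back the object under the same name it was created with, and stop on a
	// lookup failure so the CA bundle comparison below cannot dereference a missing
	// object or index into an empty webhook list.
	updatedWebhook, err := kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), certificate.WebhookName, metav1.GetOptions{})
	if !asserts.NoErrorf(err, "error should not be returned reading back validation webhook configuration: %v", err) {
		return
	}
	if !asserts.NotEmpty(updatedWebhook.Webhooks, "updated validation webhook configuration has no webhooks") {
		return
	}

	// NOTE(review): the fixture registers two webhooks but only the first entry's
	// CABundle is asserted. Confirm whether updateValidatingWebhookConfiguration is
	// expected to populate every entry; if so, assert on each one so an entry left
	// without the operator CA is caught here.
	asserts.Equal(caCert.Bytes(), updatedWebhook.Webhooks[0].ClientConfig.CABundle, "Expected CA bundle name did not match")
}

// TestUpdateValidatingnWebhookConfigurationFail tests that the CA Bundle is not updated in the
// verrazzano-cluster-operator validatingWebhookConfiguration resource.
// GIVEN a CA secret and a validatingWebhookConfiguration stored under a name other than the one requested
// WHEN I call updateValidatingWebhookConfiguration
// THEN the call returns an error
func TestUpdateValidatingnWebhookConfigurationFail(t *testing.T) {
	asserts := assert.New(t)

	kubeClient := fake.NewSimpleClientset()

	_, _, err := createExpectedCASecret(kubeClient)
	asserts.Nilf(err, "Unexpected error creating expected CA secret: %v", err)

	_, err = createInvalidExpectedValidatingWebhook(kubeClient, certificate.WebhookName)
	asserts.Nil(err, "error should not be returned creating validation webhook configuration")

	err = updateValidatingWebhookConfiguration(kubeClient, certificate.WebhookName)
	asserts.Error(err, "error should be returned updating validation webhook configuration")
}

// createExpectedCASecret stores a TLS-typed secret named certificate.OperatorCA in
// certificate.WebhookNamespace on the fake client and returns the created secret
// together with the buffer holding the certificate bytes the tests compare against.
// The certificate and private-key entries both carry the same placeholder text; no
// real key material is involved.
func createExpectedCASecret(kubeClient *fake.Clientset) (*v1.Secret, bytes.Buffer, error) {
	var caCert bytes.Buffer
	caCert.WriteString("Fake CABundle")

	caSecret := v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      certificate.OperatorCA,
			Namespace: certificate.WebhookNamespace,
		},
		Type: v1.SecretTypeTLS,
	}
	caSecret.Data = make(map[string][]byte)
	caSecret.Data[certificate.CertKey] = caCert.Bytes()
	caSecret.Data[certificate.PrivKey] = caCert.Bytes()

	newSecret, err := kubeClient.CoreV1().Secrets(certificate.WebhookNamespace).Create(context.TODO(), &caSecret, metav1.CreateOptions{})
	return newSecret, caCert, err
}

// createExpectedValidatingWebhook creates a ValidatingWebhookConfiguration named whName
// on the fake client. It holds two webhook entries that share one service reference and
// have no CABundle set.
func createExpectedValidatingWebhook(kubeClient *fake.Clientset, whName string) (*adminv1.ValidatingWebhookConfiguration, error) {
	pathInstall := "/validate-clusters-verrazzano-io-v1alpha1-verrazzanomanagedcluster"
	serviceInstall := adminv1.ServiceReference{
		Name:      whName,
		Namespace: certificate.WebhookNamespace,
		Path:      &pathInstall,
	}

	webhook := adminv1.ValidatingWebhookConfiguration{
		TypeMeta: metav1.TypeMeta{},
		ObjectMeta: metav1.ObjectMeta{
			Name: whName,
		},
		Webhooks: []adminv1.ValidatingWebhook{
			{
				Name: "install.verrazzano.io",
				ClientConfig: adminv1.WebhookClientConfig{
					Service: &serviceInstall,
				},
			},
			{
				Name: "install.verrazzano.io.v1beta",
				ClientConfig: adminv1.WebhookClientConfig{
					Service: &serviceInstall,
				},
			},
		},
	}
	return kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &webhook, metav1.CreateOptions{})
}

// createInvalidExpectedValidatingWebhook creates a ValidatingWebhookConfiguration whose
// object name is the literal "InvalidName" rather than whName, so a lookup by whName on
// the same fake client does not find it. whName is used only for the service reference.
func createInvalidExpectedValidatingWebhook(kubeClient *fake.Clientset, whName string) (*adminv1.ValidatingWebhookConfiguration, error) {
	path := "/validate-clusters-verrazzano-io-v1alpha1-verrazzanomanagedcluster"
	service := adminv1.ServiceReference{
		Name:      whName,
		Namespace: certificate.WebhookNamespace,
		Path:      &path,
	}
	webhook := adminv1.ValidatingWebhookConfiguration{
		TypeMeta: metav1.TypeMeta{},
		ObjectMeta: metav1.ObjectMeta{
			Name: "InvalidName",
		},
		Webhooks: []adminv1.ValidatingWebhook{
			{
				Name: "install.verrazzano.io",
				ClientConfig: adminv1.WebhookClientConfig{
					Service: &service,
				},
			},
		},
	}
	return kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.TODO(), &webhook, metav1.CreateOptions{})
}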