2021-03-05 01:25:43 +00:00
|
|
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
2020-09-16 14:19:51 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
2020-08-19 20:15:45 +00:00
|
|
|
|
|
|
|
package apicerts
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2020-08-28 15:19:52 +00:00
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
2020-08-19 20:15:45 +00:00
|
|
|
"crypto/rand"
|
|
|
|
"crypto/x509"
|
|
|
|
"errors"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2021-07-28 13:26:19 +00:00
|
|
|
"k8s.io/apimachinery/pkg/types"
|
2020-08-19 20:15:45 +00:00
|
|
|
kubeinformers "k8s.io/client-go/informers"
|
|
|
|
kubernetesfake "k8s.io/client-go/kubernetes/fake"
|
|
|
|
kubetesting "k8s.io/client-go/testing"
|
|
|
|
|
2020-09-18 19:56:24 +00:00
|
|
|
"go.pinniped.dev/internal/controllerlib"
|
|
|
|
"go.pinniped.dev/internal/testutil"
|
2020-08-19 20:15:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestExpirerControllerFilters(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
const certsSecretResourceName = "some-resource-name"
|
|
|
|
|
2020-08-19 20:15:45 +00:00
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
namespace string
|
|
|
|
secret corev1.Secret
|
|
|
|
want bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "good name, good namespace",
|
|
|
|
namespace: "good-namespace",
|
|
|
|
secret: corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
Name: certsSecretResourceName,
|
2020-08-19 20:15:45 +00:00
|
|
|
Namespace: "good-namespace",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
want: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "bad name, good namespace",
|
|
|
|
namespace: "good-namespacee",
|
|
|
|
secret: corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "bad-name",
|
|
|
|
Namespace: "good-namespace",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
want: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "good name, bad namespace",
|
|
|
|
namespace: "good-namespacee",
|
|
|
|
secret: corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
Name: certsSecretResourceName,
|
2020-08-19 20:15:45 +00:00
|
|
|
Namespace: "bad-namespace",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
want: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "bad name, bad namespace",
|
|
|
|
namespace: "good-namespacee",
|
|
|
|
secret: corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "bad-name",
|
|
|
|
Namespace: "bad-namespace",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
want: false,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, test := range tests {
|
|
|
|
test := test
|
|
|
|
t.Run(test.name+"-"+test.namespace, func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
secretsInformer := kubeinformers.NewSharedInformerFactory(
|
|
|
|
kubernetesfake.NewSimpleClientset(),
|
|
|
|
0,
|
|
|
|
).Core().V1().Secrets()
|
|
|
|
withInformer := testutil.NewObservableWithInformerOption()
|
|
|
|
_ = NewCertsExpirerController(
|
|
|
|
test.namespace,
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
certsSecretResourceName,
|
2020-08-19 20:15:45 +00:00
|
|
|
nil, // k8sClient, not needed
|
|
|
|
secretsInformer,
|
|
|
|
withInformer.WithInformer,
|
2021-03-10 18:30:06 +00:00
|
|
|
0, // renewBefore, not needed
|
|
|
|
"", // not needed
|
2020-08-19 20:15:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
unrelated := corev1.Secret{}
|
|
|
|
filter := withInformer.GetFilterForInformer(secretsInformer)
|
|
|
|
require.Equal(t, test.want, filter.Add(&test.secret))
|
|
|
|
require.Equal(t, test.want, filter.Update(&unrelated, &test.secret))
|
|
|
|
require.Equal(t, test.want, filter.Update(&test.secret, &unrelated))
|
|
|
|
require.Equal(t, test.want, filter.Delete(&test.secret))
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestExpirerControllerSync(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
const certsSecretResourceName = "some-resource-name"
|
2021-03-10 18:30:06 +00:00
|
|
|
const fakeTestKey = "some-awesome-key"
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
|
2020-08-19 20:15:45 +00:00
|
|
|
tests := []struct {
|
|
|
|
name string
|
2020-08-20 19:17:18 +00:00
|
|
|
renewBefore time.Duration
|
2020-08-19 20:15:45 +00:00
|
|
|
fillSecretData func(*testing.T, map[string][]byte)
|
|
|
|
configKubeAPIClient func(*kubernetesfake.Clientset)
|
|
|
|
wantDelete bool
|
|
|
|
wantError string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "secret does not exist",
|
|
|
|
wantDelete: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "secret missing key",
|
|
|
|
fillSecretData: func(t *testing.T, m map[string][]byte) {},
|
|
|
|
wantDelete: false,
|
2021-03-10 18:30:06 +00:00
|
|
|
wantError: `failed to get cert bounds for secret "some-resource-name" with key "some-awesome-key": failed to find certificate`,
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
{
|
2020-08-20 19:17:18 +00:00
|
|
|
name: "lifetime below threshold",
|
|
|
|
renewBefore: 7 * time.Hour,
|
2020-08-19 20:15:45 +00:00
|
|
|
fillSecretData: func(t *testing.T, m map[string][]byte) {
|
2020-10-23 19:34:25 +00:00
|
|
|
certPEM, _, err := testutil.CreateCertificate(
|
2020-08-19 20:15:45 +00:00
|
|
|
time.Now().Add(-5*time.Hour),
|
|
|
|
time.Now().Add(5*time.Hour),
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2021-03-10 18:30:06 +00:00
|
|
|
m[fakeTestKey] = certPEM
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
wantDelete: false,
|
|
|
|
},
|
|
|
|
{
|
2020-08-20 19:17:18 +00:00
|
|
|
name: "lifetime above threshold",
|
|
|
|
renewBefore: 3 * time.Hour,
|
2020-08-19 20:15:45 +00:00
|
|
|
fillSecretData: func(t *testing.T, m map[string][]byte) {
|
2020-10-23 19:34:25 +00:00
|
|
|
certPEM, _, err := testutil.CreateCertificate(
|
2020-08-19 20:15:45 +00:00
|
|
|
time.Now().Add(-5*time.Hour),
|
|
|
|
time.Now().Add(5*time.Hour),
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2021-03-10 18:30:06 +00:00
|
|
|
m[fakeTestKey] = certPEM
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
wantDelete: true,
|
|
|
|
},
|
|
|
|
{
|
2020-08-20 19:17:18 +00:00
|
|
|
name: "cert expired",
|
|
|
|
renewBefore: 3 * time.Hour,
|
2020-08-19 20:15:45 +00:00
|
|
|
fillSecretData: func(t *testing.T, m map[string][]byte) {
|
2020-10-23 19:34:25 +00:00
|
|
|
certPEM, _, err := testutil.CreateCertificate(
|
2020-08-20 19:17:18 +00:00
|
|
|
time.Now().Add(-2*time.Hour),
|
|
|
|
time.Now().Add(-1*time.Hour),
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2021-03-10 18:30:06 +00:00
|
|
|
m[fakeTestKey] = certPEM
|
2020-08-20 19:17:18 +00:00
|
|
|
},
|
|
|
|
wantDelete: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "delete failure",
|
|
|
|
renewBefore: 3 * time.Hour,
|
|
|
|
fillSecretData: func(t *testing.T, m map[string][]byte) {
|
2020-10-23 19:34:25 +00:00
|
|
|
certPEM, _, err := testutil.CreateCertificate(
|
2020-08-19 20:15:45 +00:00
|
|
|
time.Now().Add(-5*time.Hour),
|
|
|
|
time.Now().Add(5*time.Hour),
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2021-03-10 18:30:06 +00:00
|
|
|
m[fakeTestKey] = certPEM
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
configKubeAPIClient: func(c *kubernetesfake.Clientset) {
|
|
|
|
c.PrependReactor("delete", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
|
|
|
|
return true, nil, errors.New("delete failed: some delete error")
|
|
|
|
})
|
|
|
|
},
|
|
|
|
wantError: "delete failed: some delete error",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "parse cert failure",
|
|
|
|
fillSecretData: func(t *testing.T, m map[string][]byte) {
|
2020-08-28 15:19:52 +00:00
|
|
|
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
2020-08-19 20:15:45 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
2021-03-10 18:30:06 +00:00
|
|
|
m[fakeTestKey], err = x509.MarshalPKCS8PrivateKey(privateKey)
|
2020-08-28 15:19:52 +00:00
|
|
|
require.NoError(t, err)
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
wantDelete: false,
|
2021-03-10 18:30:06 +00:00
|
|
|
wantError: `failed to get cert bounds for secret "some-resource-name" with key "some-awesome-key": failed to decode certificate PEM`,
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, test := range tests {
|
|
|
|
test := test
|
|
|
|
t.Run(test.name, func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
2021-03-05 01:25:43 +00:00
|
|
|
ctx, cancel := context.WithCancel(context.Background())
|
2020-08-19 20:15:45 +00:00
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
kubeAPIClient := kubernetesfake.NewSimpleClientset()
|
|
|
|
if test.configKubeAPIClient != nil {
|
|
|
|
test.configKubeAPIClient(kubeAPIClient)
|
|
|
|
}
|
|
|
|
|
2021-07-28 13:26:19 +00:00
|
|
|
testRV := "rv_001"
|
|
|
|
testUID := types.UID("uid_002")
|
|
|
|
|
2020-08-19 20:15:45 +00:00
|
|
|
kubeInformerClient := kubernetesfake.NewSimpleClientset()
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
name := certsSecretResourceName
|
2020-08-19 20:15:45 +00:00
|
|
|
namespace := "some-namespace"
|
|
|
|
if test.fillSecretData != nil {
|
|
|
|
secret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2021-07-28 13:26:19 +00:00
|
|
|
Name: name,
|
|
|
|
Namespace: namespace,
|
|
|
|
ResourceVersion: testRV,
|
|
|
|
UID: testUID,
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
Data: map[string][]byte{},
|
|
|
|
}
|
|
|
|
test.fillSecretData(t, secret.Data)
|
|
|
|
|
|
|
|
require.NoError(t, kubeAPIClient.Tracker().Add(secret))
|
|
|
|
require.NoError(t, kubeInformerClient.Tracker().Add(secret))
|
|
|
|
}
|
|
|
|
|
|
|
|
kubeInformers := kubeinformers.NewSharedInformerFactory(
|
|
|
|
kubeInformerClient,
|
|
|
|
0,
|
|
|
|
)
|
|
|
|
|
|
|
|
c := NewCertsExpirerController(
|
|
|
|
namespace,
|
Rename many of resources that are created in Kubernetes by Pinniped
New resource naming conventions:
- Do not repeat the Kind in the name,
e.g. do not call it foo-cluster-role-binding, just call it foo
- Names will generally start with a prefix to identify our component,
so when a user lists all objects of that kind, they can tell to which
component it is related,
e.g. `kubectl get configmaps` would list one named "pinniped-config"
- It should be possible for an operator to make the word "pinniped"
mostly disappear if they choose, by specifying the app_name in
values.yaml, to the extent that is practical (but not from APIService
names because those are hardcoded in golang)
- Each role/clusterrole and its corresponding binding have the same name
- Pinniped resource names that must be known by the server golang code
are passed to the code at run time via ConfigMap, rather than
hardcoded in the golang code. This also allows them to be prepended
with the app_name from values.yaml while creating the ConfigMap.
- Since the CLI `get-kubeconfig` command cannot guess the name of the
CredentialIssuerConfig resource in advance anymore, it lists all
CredentialIssuerConfig in the app's namespace and returns an error
if there is not exactly one found, and then uses that one regardless
of its name
2020-09-18 22:56:50 +00:00
|
|
|
certsSecretResourceName,
|
2021-12-10 22:22:36 +00:00
|
|
|
kubeAPIClient,
|
2020-08-19 20:15:45 +00:00
|
|
|
kubeInformers.Core().V1().Secrets(),
|
2020-08-28 15:59:09 +00:00
|
|
|
controllerlib.WithInformer,
|
2020-08-20 19:17:18 +00:00
|
|
|
test.renewBefore,
|
2021-03-10 18:30:06 +00:00
|
|
|
fakeTestKey,
|
2020-08-19 20:15:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Must start informers before calling TestRunSynchronously().
|
|
|
|
kubeInformers.Start(ctx.Done())
|
2020-08-28 15:59:09 +00:00
|
|
|
controllerlib.TestRunSynchronously(t, c)
|
2020-08-19 20:15:45 +00:00
|
|
|
|
2020-08-28 15:59:09 +00:00
|
|
|
err := controllerlib.TestSync(t, c, controllerlib.Context{
|
2020-08-19 20:15:45 +00:00
|
|
|
Context: ctx,
|
|
|
|
})
|
|
|
|
if test.wantError != "" {
|
|
|
|
require.EqualError(t, err, test.wantError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
exActions := []kubetesting.Action{}
|
|
|
|
if test.wantDelete {
|
|
|
|
exActions = append(
|
|
|
|
exActions,
|
2021-12-10 22:22:36 +00:00
|
|
|
kubetesting.NewDeleteActionWithOptions(
|
2020-08-19 20:15:45 +00:00
|
|
|
schema.GroupVersionResource{
|
|
|
|
Group: "",
|
|
|
|
Version: "v1",
|
|
|
|
Resource: "secrets",
|
|
|
|
},
|
|
|
|
namespace,
|
|
|
|
name,
|
2021-12-10 22:22:36 +00:00
|
|
|
testutil.NewPreconditions(testUID, testRV),
|
2020-08-19 20:15:45 +00:00
|
|
|
),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
acActions := kubeAPIClient.Actions()
|
|
|
|
require.Equal(t, exActions, acActions)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|