diff --git a/internal/controller/supervisorconfig/generator/supervisor_secrets.go b/internal/controller/supervisorconfig/generator/supervisor_secrets.go index b7325648..dae032b3 100644 --- a/internal/controller/supervisorconfig/generator/supervisor_secrets.go +++ b/internal/controller/supervisorconfig/generator/supervisor_secrets.go @@ -58,8 +58,15 @@ func NewSupervisorSecretsController( withInformer( secretInformer, pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool { - ownerReferences := obj.GetOwnerReferences() - for i := range obj.GetOwnerReferences() { + secret, ok := obj.(*corev1.Secret) + if !ok { + return false + } + if secret.Type != SupervisorCSRFSigningKeySecretType { + return false + } + ownerReferences := secret.GetOwnerReferences() + for i := range secret.GetOwnerReferences() { if ownerReferences[i].UID == owner.GetUID() { return true } diff --git a/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go b/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go index f0b75f7c..f2844c7d 100644 --- a/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go +++ b/internal/controller/supervisorconfig/generator/supervisor_secrets_test.go @@ -51,14 +51,15 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { tests := []struct { name string - secret corev1.Secret + secret metav1.Object wantAdd bool wantUpdate bool wantDelete bool }{ { name: "owner reference is missing", - secret: corev1.Secret{ + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", ObjectMeta: metav1.ObjectMeta{ Namespace: "some-namespace", }, @@ -66,7 +67,8 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { }, { name: "owner reference with incorrect `APIVersion`", - secret: corev1.Secret{ + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", ObjectMeta: metav1.ObjectMeta{ Namespace: "some-namespace", OwnerReferences: []metav1.OwnerReference{ @@ -84,7 +86,8 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { }, { name: "owner reference with incorrect `Kind`", - secret: corev1.Secret{ + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", ObjectMeta: metav1.ObjectMeta{ Namespace: "some-namespace", OwnerReferences: []metav1.OwnerReference{ @@ -101,23 +104,10 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { wantUpdate: true, wantDelete: true, }, - { - name: "owner reference with `Controller`: true", - secret: corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "some-namespace", - OwnerReferences: []metav1.OwnerReference{ - *metav1.NewControllerRef(owner, ownerGVK), - }, - }, - }, - wantAdd: true, - wantUpdate: true, - wantDelete: true, - }, { name: "expected owner reference with incorrect `UID`", - secret: corev1.Secret{ + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", ObjectMeta: metav1.ObjectMeta{ Namespace: "some-namespace", OwnerReferences: []metav1.OwnerReference{ @@ -132,11 +122,15 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { }, }, { - name: "expected owner reference - where `Controller`: false", - secret: corev1.Secret{ + name: "multiple owner references (expected owner reference, and one more)", + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", ObjectMeta: metav1.ObjectMeta{ Namespace: "some-namespace", OwnerReferences: []metav1.OwnerReference{ + { + Kind: "UnrelatedKind", + }, { APIVersion: ownerGVK.String(), Name: owner.GetName(), @@ -151,14 +145,48 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { wantDelete: true, }, { - name: "multiple owner references (expected owner reference, and one more)", - secret: corev1.Secret{ + name: "otherwise happy secret but has the wrong Secret type", + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/this-is-not-supervisor-csrf-signing-key-type", ObjectMeta: metav1.ObjectMeta{ Namespace: "some-namespace", OwnerReferences: []metav1.OwnerReference{ { - Kind: "UnrelatedKind", + APIVersion: ownerGVK.String(), + Name: owner.GetName(), + Kind: ownerGVK.Kind, + UID: owner.GetUID(), }, + }, + }, + }, + }, + { + name: "not a secret", + secret: &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "some-namespace"}}, + }, + { + name: "owner reference with `Controller`: true", + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", + ObjectMeta: metav1.ObjectMeta{ + Namespace: "some-namespace", + OwnerReferences: []metav1.OwnerReference{ + *metav1.NewControllerRef(owner, ownerGVK), + }, + }, + }, + wantAdd: true, + wantUpdate: true, + wantDelete: true, + }, + { + name: "expected owner reference - where `Controller`: false", + secret: &corev1.Secret{ + Type: "secrets.pinniped.dev/supervisor-csrf-signing-key", + ObjectMeta: metav1.ObjectMeta{ + Namespace: "some-namespace", + OwnerReferences: []metav1.OwnerReference{ { APIVersion: ownerGVK.String(), Name: owner.GetName(), @@ -195,10 +223,10 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) { unrelated := corev1.Secret{} filter := withInformer.GetFilterForInformer(secretInformer) - require.Equal(t, test.wantAdd, filter.Add(&test.secret)) - require.Equal(t, test.wantUpdate, filter.Update(&unrelated, &test.secret)) - require.Equal(t, test.wantUpdate, filter.Update(&test.secret, &unrelated)) - require.Equal(t, test.wantDelete, filter.Delete(&test.secret)) + require.Equal(t, test.wantAdd, filter.Add(test.secret)) + require.Equal(t, test.wantUpdate, filter.Update(&unrelated, test.secret)) + require.Equal(t, test.wantUpdate, filter.Update(test.secret, &unrelated)) + require.Equal(t, test.wantDelete, filter.Delete(test.secret)) }) } }