Merge pull request #305 from vmware-tanzu/quiet-secrets-controllers
Sync Secret-watching controller less often by adjusting their filters to be more specific
This commit is contained in:
commit
546b8b5d25
@ -237,7 +237,9 @@ func startControllers(
|
|||||||
pinnipedClient,
|
pinnipedClient,
|
||||||
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
|
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
|
||||||
secretInformer,
|
secretInformer,
|
||||||
klogr.New()),
|
klogr.New(),
|
||||||
|
controllerlib.WithInformer,
|
||||||
|
),
|
||||||
singletonWorker)
|
singletonWorker)
|
||||||
|
|
||||||
kubeInformers.Start(ctx.Done())
|
kubeInformers.Start(ctx.Done())
|
||||||
|
@ -24,10 +24,6 @@ import (
|
|||||||
"go.pinniped.dev/internal/plog"
|
"go.pinniped.dev/internal/plog"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
|
||||||
federationDomainKind = "FederationDomain"
|
|
||||||
)
|
|
||||||
|
|
||||||
type federationDomainSecretsController struct {
|
type federationDomainSecretsController struct {
|
||||||
secretHelper SecretHelper
|
secretHelper SecretHelper
|
||||||
secretRefFunc func(domain *configv1alpha1.FederationDomain) *corev1.LocalObjectReference
|
secretRefFunc func(domain *configv1alpha1.FederationDomain) *corev1.LocalObjectReference
|
||||||
@ -65,16 +61,7 @@ func NewFederationDomainSecretsController(
|
|||||||
// should get notified via the corresponding FederationDomain key.
|
// should get notified via the corresponding FederationDomain key.
|
||||||
withInformer(
|
withInformer(
|
||||||
secretInformer,
|
secretInformer,
|
||||||
pinnipedcontroller.SimpleFilter(isFederationDomainControllee, func(obj metav1.Object) controllerlib.Key {
|
pinnipedcontroller.SimpleFilter(secretHelper.Handles, pinnipedcontroller.SecretIsControlledByParentFunc(secretHelper.Handles)),
|
||||||
if isFederationDomainControllee(obj) {
|
|
||||||
controller := metav1.GetControllerOf(obj)
|
|
||||||
return controllerlib.Key{
|
|
||||||
Name: controller.Name,
|
|
||||||
Namespace: obj.GetNamespace(),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return controllerlib.Key{}
|
|
||||||
}),
|
|
||||||
controllerlib.InformerOption{},
|
controllerlib.InformerOption{},
|
||||||
),
|
),
|
||||||
// We want to be notified when anything happens to an FederationDomain.
|
// We want to be notified when anything happens to an FederationDomain.
|
||||||
@ -240,11 +227,3 @@ func (c *federationDomainSecretsController) updateFederationDomain(
|
|||||||
return err
|
return err
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// isFederationDomainControllee returns whether the provided obj is controlled by an FederationDomain.
|
|
||||||
func isFederationDomainControllee(obj metav1.Object) bool {
|
|
||||||
controller := metav1.GetControllerOf(obj)
|
|
||||||
return controller != nil &&
|
|
||||||
controller.APIVersion == configv1alpha1.SchemeGroupVersion.String() &&
|
|
||||||
controller.Kind == federationDomainKind
|
|
||||||
}
|
|
||||||
|
@ -5,6 +5,7 @@ package generator
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"crypto/rand"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"sync"
|
"sync"
|
||||||
@ -35,7 +36,7 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
secret corev1.Secret
|
secret metav1.Object
|
||||||
wantAdd bool
|
wantAdd bool
|
||||||
wantUpdate bool
|
wantUpdate bool
|
||||||
wantDelete bool
|
wantDelete bool
|
||||||
@ -43,13 +44,15 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "no owner reference",
|
name: "no owner reference",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-token-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{},
|
ObjectMeta: metav1.ObjectMeta{},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference without correct APIVersion",
|
name: "owner reference without correct APIVersion",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-token-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -64,7 +67,8 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference without correct Kind",
|
name: "owner reference without correct Kind",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-token-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -79,7 +83,8 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference without controller set to true",
|
name: "owner reference without controller set to true",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-token-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -94,7 +99,8 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "correct owner reference",
|
name: "correct owner reference",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-token-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -114,7 +120,8 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "multiple owner references",
|
name: "multiple owner references",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-token-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -135,16 +142,44 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
wantDelete: true,
|
wantDelete: true,
|
||||||
wantParent: controllerlib.Key{Namespace: "some-namespace", Name: "some-name"},
|
wantParent: controllerlib.Key{Namespace: "some-namespace", Name: "some-name"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "correct owner reference but wrong secret type",
|
||||||
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/this-is-the-wrong-type",
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Namespace: "some-namespace",
|
||||||
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
|
{
|
||||||
|
APIVersion: configv1alpha1.SchemeGroupVersion.String(),
|
||||||
|
Kind: "FederationDomain",
|
||||||
|
Name: "some-name",
|
||||||
|
Controller: boolPtr(true),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "resource of wrong data type",
|
||||||
|
secret: &corev1.Namespace{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "some-namespace",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
test := test
|
test := test
|
||||||
t.Run(test.name, func(t *testing.T) {
|
t.Run(test.name, func(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
secretHelper := NewSymmetricSecretHelper(
|
||||||
t.Cleanup(ctrl.Finish)
|
"some-name",
|
||||||
secretHelper := mocksecrethelper.NewMockSecretHelper(ctrl)
|
map[string]string{},
|
||||||
secretHelper.EXPECT().NamePrefix().Times(1).Return("some-name")
|
rand.Reader,
|
||||||
|
SecretUsageTokenSigningKey,
|
||||||
|
func(cacheKey string, cacheValue []byte) {},
|
||||||
|
)
|
||||||
|
|
||||||
secretInformer := kubeinformers.NewSharedInformerFactory(
|
secretInformer := kubeinformers.NewSharedInformerFactory(
|
||||||
kubernetesfake.NewSimpleClientset(),
|
kubernetesfake.NewSimpleClientset(),
|
||||||
@ -167,11 +202,11 @@ func TestFederationDomainControllerFilterSecret(t *testing.T) {
|
|||||||
|
|
||||||
unrelated := corev1.Secret{}
|
unrelated := corev1.Secret{}
|
||||||
filter := withInformer.GetFilterForInformer(secretInformer)
|
filter := withInformer.GetFilterForInformer(secretInformer)
|
||||||
require.Equal(t, test.wantAdd, filter.Add(&test.secret))
|
require.Equal(t, test.wantAdd, filter.Add(test.secret))
|
||||||
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, &test.secret))
|
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, test.secret))
|
||||||
require.Equal(t, test.wantUpdate, filter.Update(&test.secret, &unrelated))
|
require.Equal(t, test.wantUpdate, filter.Update(test.secret, &unrelated))
|
||||||
require.Equal(t, test.wantDelete, filter.Delete(&test.secret))
|
require.Equal(t, test.wantDelete, filter.Delete(test.secret))
|
||||||
require.Equal(t, test.wantParent, filter.Parent(&test.secret))
|
require.Equal(t, test.wantParent, filter.Parent(test.secret))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -201,10 +236,13 @@ func TestNewFederationDomainSecretsControllerFilterFederationDomain(t *testing.T
|
|||||||
t.Run(test.name, func(t *testing.T) {
|
t.Run(test.name, func(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
ctrl := gomock.NewController(t)
|
secretHelper := NewSymmetricSecretHelper(
|
||||||
t.Cleanup(ctrl.Finish)
|
"some-name",
|
||||||
secretHelper := mocksecrethelper.NewMockSecretHelper(ctrl)
|
map[string]string{},
|
||||||
secretHelper.EXPECT().NamePrefix().Times(1).Return("some-name")
|
rand.Reader,
|
||||||
|
SecretUsageTokenSigningKey,
|
||||||
|
func(cacheKey string, cacheValue []byte) {},
|
||||||
|
)
|
||||||
|
|
||||||
secretInformer := kubeinformers.NewSharedInformerFactory(
|
secretInformer := kubeinformers.NewSharedInformerFactory(
|
||||||
kubernetesfake.NewSimpleClientset(),
|
kubernetesfake.NewSimpleClientset(),
|
||||||
@ -635,6 +673,7 @@ func TestFederationDomainSecretsControllerSync(t *testing.T) {
|
|||||||
if test.secretHelper != nil {
|
if test.secretHelper != nil {
|
||||||
test.secretHelper(secretHelper)
|
test.secretHelper(secretHelper)
|
||||||
}
|
}
|
||||||
|
secretHelper.EXPECT().Handles(gomock.Any()).AnyTimes().Return(true)
|
||||||
|
|
||||||
c := NewFederationDomainSecretsController(
|
c := NewFederationDomainSecretsController(
|
||||||
secretHelper,
|
secretHelper,
|
||||||
|
@ -23,6 +23,7 @@ type SecretHelper interface {
|
|||||||
Generate(*configv1alpha1.FederationDomain) (*corev1.Secret, error)
|
Generate(*configv1alpha1.FederationDomain) (*corev1.Secret, error)
|
||||||
IsValid(*configv1alpha1.FederationDomain, *corev1.Secret) bool
|
IsValid(*configv1alpha1.FederationDomain, *corev1.Secret) bool
|
||||||
ObserveActiveSecretAndUpdateParentFederationDomain(*configv1alpha1.FederationDomain, *corev1.Secret) *configv1alpha1.FederationDomain
|
ObserveActiveSecretAndUpdateParentFederationDomain(*configv1alpha1.FederationDomain, *corev1.Secret) *configv1alpha1.FederationDomain
|
||||||
|
Handles(metav1.Object) bool
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -38,6 +39,8 @@ const (
|
|||||||
// FederationDomainStateEncryptionKeyType for the Secret storing the FederationDomain state encryption key.
|
// FederationDomainStateEncryptionKeyType for the Secret storing the FederationDomain state encryption key.
|
||||||
FederationDomainStateEncryptionKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-state-encryption-key"
|
FederationDomainStateEncryptionKeyType corev1.SecretType = "secrets.pinniped.dev/federation-domain-state-encryption-key"
|
||||||
|
|
||||||
|
federationDomainKind = "FederationDomain"
|
||||||
|
|
||||||
// symmetricSecretDataKey is the corev1.Secret.Data key for the symmetric key value generated by this helper.
|
// symmetricSecretDataKey is the corev1.Secret.Data key for the symmetric key value generated by this helper.
|
||||||
symmetricSecretDataKey = "key"
|
symmetricSecretDataKey = "key"
|
||||||
|
|
||||||
@ -101,7 +104,7 @@ func (s *symmetricSecretHelper) Generate(parent *configv1alpha1.FederationDomain
|
|||||||
*metav1.NewControllerRef(parent, schema.GroupVersionKind{
|
*metav1.NewControllerRef(parent, schema.GroupVersionKind{
|
||||||
Group: configv1alpha1.SchemeGroupVersion.Group,
|
Group: configv1alpha1.SchemeGroupVersion.Group,
|
||||||
Version: configv1alpha1.SchemeGroupVersion.Version,
|
Version: configv1alpha1.SchemeGroupVersion.Version,
|
||||||
Kind: "FederationDomain",
|
Kind: federationDomainKind,
|
||||||
}),
|
}),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -166,3 +169,26 @@ func (s *symmetricSecretHelper) secretType() corev1.SecretType {
|
|||||||
panic(fmt.Sprintf("unknown secret usage enum value: %d", s.secretUsage))
|
panic(fmt.Sprintf("unknown secret usage enum value: %d", s.secretUsage))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *symmetricSecretHelper) Handles(obj metav1.Object) bool {
|
||||||
|
return IsFederationDomainSecretOfType(obj, s.secretType())
|
||||||
|
}
|
||||||
|
|
||||||
|
func IsFederationDomainSecretOfType(obj metav1.Object, secretType corev1.SecretType) bool {
|
||||||
|
secret, ok := obj.(*corev1.Secret)
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if secret.Type != secretType {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return isFederationDomainControllee(secret)
|
||||||
|
}
|
||||||
|
|
||||||
|
// isFederationDomainControllee returns whether the provided obj is controlled by an FederationDomain.
|
||||||
|
func isFederationDomainControllee(obj metav1.Object) bool {
|
||||||
|
controller := metav1.GetControllerOf(obj)
|
||||||
|
return controller != nil &&
|
||||||
|
controller.APIVersion == configv1alpha1.SchemeGroupVersion.String() &&
|
||||||
|
controller.Kind == federationDomainKind
|
||||||
|
}
|
||||||
|
@ -108,6 +108,14 @@ func TestSymmetricSecretHelper(t *testing.T) {
|
|||||||
require.Equal(t, parent.Spec.Issuer, federationDomainIssuerValue)
|
require.Equal(t, parent.Spec.Issuer, federationDomainIssuerValue)
|
||||||
require.Equal(t, child.Name, test.wantSetFederationDomainField(parent))
|
require.Equal(t, child.Name, test.wantSetFederationDomainField(parent))
|
||||||
require.Equal(t, child.Data["key"], symmetricKeyValue)
|
require.Equal(t, child.Data["key"], symmetricKeyValue)
|
||||||
|
|
||||||
|
require.True(t, h.Handles(child))
|
||||||
|
wrongTypedChild := child.DeepCopy()
|
||||||
|
wrongTypedChild.Type = "the-wrong-type"
|
||||||
|
require.False(t, h.Handles(wrongTypedChild))
|
||||||
|
wrongOwnerKindChild := child.DeepCopy()
|
||||||
|
wrongOwnerKindChild.OwnerReferences[0].Kind = "WrongKind"
|
||||||
|
require.False(t, h.Handles(wrongOwnerKindChild))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -58,8 +58,15 @@ func NewSupervisorSecretsController(
|
|||||||
withInformer(
|
withInformer(
|
||||||
secretInformer,
|
secretInformer,
|
||||||
pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool {
|
pinnipedcontroller.SimpleFilter(func(obj metav1.Object) bool {
|
||||||
ownerReferences := obj.GetOwnerReferences()
|
secret, ok := obj.(*corev1.Secret)
|
||||||
for i := range obj.GetOwnerReferences() {
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if secret.Type != SupervisorCSRFSigningKeySecretType {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
ownerReferences := secret.GetOwnerReferences()
|
||||||
|
for i := range secret.GetOwnerReferences() {
|
||||||
if ownerReferences[i].UID == owner.GetUID() {
|
if ownerReferences[i].UID == owner.GetUID() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
@ -51,14 +51,15 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
secret corev1.Secret
|
secret metav1.Object
|
||||||
wantAdd bool
|
wantAdd bool
|
||||||
wantUpdate bool
|
wantUpdate bool
|
||||||
wantDelete bool
|
wantDelete bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "owner reference is missing",
|
name: "owner reference is missing",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
},
|
},
|
||||||
@ -66,7 +67,8 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference with incorrect `APIVersion`",
|
name: "owner reference with incorrect `APIVersion`",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -84,7 +86,8 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference with incorrect `Kind`",
|
name: "owner reference with incorrect `Kind`",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -101,23 +104,10 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
wantUpdate: true,
|
wantUpdate: true,
|
||||||
wantDelete: true,
|
wantDelete: true,
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "owner reference with `Controller`: true",
|
|
||||||
secret: corev1.Secret{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Namespace: "some-namespace",
|
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
|
||||||
*metav1.NewControllerRef(owner, ownerGVK),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
wantAdd: true,
|
|
||||||
wantUpdate: true,
|
|
||||||
wantDelete: true,
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "expected owner reference with incorrect `UID`",
|
name: "expected owner reference with incorrect `UID`",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -132,11 +122,15 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "expected owner reference - where `Controller`: false",
|
name: "multiple owner references (expected owner reference, and one more)",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
|
{
|
||||||
|
Kind: "UnrelatedKind",
|
||||||
|
},
|
||||||
{
|
{
|
||||||
APIVersion: ownerGVK.String(),
|
APIVersion: ownerGVK.String(),
|
||||||
Name: owner.GetName(),
|
Name: owner.GetName(),
|
||||||
@ -151,14 +145,48 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
wantDelete: true,
|
wantDelete: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "multiple owner references (expected owner reference, and one more)",
|
name: "otherwise happy secret but has the wrong Secret type",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/this-is-not-supervisor-csrf-signing-key-type",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
{
|
{
|
||||||
Kind: "UnrelatedKind",
|
APIVersion: ownerGVK.String(),
|
||||||
|
Name: owner.GetName(),
|
||||||
|
Kind: ownerGVK.Kind,
|
||||||
|
UID: owner.GetUID(),
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "not a secret",
|
||||||
|
secret: &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "some-namespace"}},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "owner reference with `Controller`: true",
|
||||||
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Namespace: "some-namespace",
|
||||||
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
|
*metav1.NewControllerRef(owner, ownerGVK),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantAdd: true,
|
||||||
|
wantUpdate: true,
|
||||||
|
wantDelete: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "expected owner reference - where `Controller`: false",
|
||||||
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/supervisor-csrf-signing-key",
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Namespace: "some-namespace",
|
||||||
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
{
|
{
|
||||||
APIVersion: ownerGVK.String(),
|
APIVersion: ownerGVK.String(),
|
||||||
Name: owner.GetName(),
|
Name: owner.GetName(),
|
||||||
@ -195,10 +223,10 @@ func TestSupervisorSecretsControllerFilterSecret(t *testing.T) {
|
|||||||
|
|
||||||
unrelated := corev1.Secret{}
|
unrelated := corev1.Secret{}
|
||||||
filter := withInformer.GetFilterForInformer(secretInformer)
|
filter := withInformer.GetFilterForInformer(secretInformer)
|
||||||
require.Equal(t, test.wantAdd, filter.Add(&test.secret))
|
require.Equal(t, test.wantAdd, filter.Add(test.secret))
|
||||||
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, &test.secret))
|
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, test.secret))
|
||||||
require.Equal(t, test.wantUpdate, filter.Update(&test.secret, &unrelated))
|
require.Equal(t, test.wantUpdate, filter.Update(test.secret, &unrelated))
|
||||||
require.Equal(t, test.wantDelete, filter.Delete(&test.secret))
|
require.Equal(t, test.wantDelete, filter.Delete(test.secret))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -52,7 +52,7 @@ func NewJWKSObserverController(
|
|||||||
},
|
},
|
||||||
withInformer(
|
withInformer(
|
||||||
secretInformer,
|
secretInformer,
|
||||||
pinnipedcontroller.MatchAnythingFilter(nil),
|
pinnipedcontroller.MatchAnySecretOfTypeFilter(jwksSecretTypeValue, nil),
|
||||||
controllerlib.InformerOption{},
|
controllerlib.InformerOption{},
|
||||||
),
|
),
|
||||||
withInformer(
|
withInformer(
|
||||||
|
@ -52,23 +52,32 @@ func TestJWKSObserverControllerInformerFilters(t *testing.T) {
|
|||||||
when("watching Secret objects", func() {
|
when("watching Secret objects", func() {
|
||||||
var (
|
var (
|
||||||
subject controllerlib.Filter
|
subject controllerlib.Filter
|
||||||
secret, otherSecret *corev1.Secret
|
secret, otherTypeSecret *corev1.Secret
|
||||||
)
|
)
|
||||||
|
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
subject = secretsInformerFilter
|
subject = secretsInformerFilter
|
||||||
secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}}
|
secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}, Type: "secrets.pinniped.dev/federation-domain-jwks"}
|
||||||
otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}}
|
otherTypeSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}, Type: "other"}
|
||||||
})
|
})
|
||||||
|
|
||||||
when("any Secret changes", func() {
|
when("any Secret of the JWKS type changes", func() {
|
||||||
it("returns true to trigger the sync method", func() {
|
it("returns true to trigger the sync method", func() {
|
||||||
r.True(subject.Add(secret))
|
r.True(subject.Add(secret))
|
||||||
r.True(subject.Update(secret, otherSecret))
|
r.True(subject.Update(secret, otherTypeSecret))
|
||||||
r.True(subject.Update(otherSecret, secret))
|
r.True(subject.Update(otherTypeSecret, secret))
|
||||||
r.True(subject.Delete(secret))
|
r.True(subject.Delete(secret))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("any Secret of some other type changes", func() {
|
||||||
|
it("returns false to skip the sync method", func() {
|
||||||
|
r.False(subject.Add(otherTypeSecret))
|
||||||
|
r.False(subject.Update(otherTypeSecret, otherTypeSecret))
|
||||||
|
r.False(subject.Update(otherTypeSecret, otherTypeSecret))
|
||||||
|
r.False(subject.Delete(otherTypeSecret))
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
when("watching FederationDomain objects", func() {
|
when("watching FederationDomain objects", func() {
|
||||||
|
@ -26,6 +26,7 @@ import (
|
|||||||
pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
|
pinnipedclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
|
||||||
configinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1"
|
configinformers "go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1"
|
||||||
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
||||||
|
"go.pinniped.dev/internal/controller/supervisorconfig/generator"
|
||||||
"go.pinniped.dev/internal/controllerlib"
|
"go.pinniped.dev/internal/controllerlib"
|
||||||
"go.pinniped.dev/internal/plog"
|
"go.pinniped.dev/internal/plog"
|
||||||
)
|
)
|
||||||
@ -76,6 +77,10 @@ func NewJWKSWriterController(
|
|||||||
federationDomainInformer configinformers.FederationDomainInformer,
|
federationDomainInformer configinformers.FederationDomainInformer,
|
||||||
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
||||||
) controllerlib.Controller {
|
) controllerlib.Controller {
|
||||||
|
isSecretToSync := func(obj metav1.Object) bool {
|
||||||
|
return generator.IsFederationDomainSecretOfType(obj, jwksSecretTypeValue)
|
||||||
|
}
|
||||||
|
|
||||||
return controllerlib.New(
|
return controllerlib.New(
|
||||||
controllerlib.Config{
|
controllerlib.Config{
|
||||||
Name: "JWKSController",
|
Name: "JWKSController",
|
||||||
@ -91,23 +96,7 @@ func NewJWKSWriterController(
|
|||||||
// should get notified via the corresponding FederationDomain key.
|
// should get notified via the corresponding FederationDomain key.
|
||||||
withInformer(
|
withInformer(
|
||||||
secretInformer,
|
secretInformer,
|
||||||
controllerlib.FilterFuncs{
|
pinnipedcontroller.SimpleFilter(isSecretToSync, pinnipedcontroller.SecretIsControlledByParentFunc(isSecretToSync)),
|
||||||
ParentFunc: func(obj metav1.Object) controllerlib.Key {
|
|
||||||
if isFederationDomainControllee(obj) {
|
|
||||||
controller := metav1.GetControllerOf(obj)
|
|
||||||
return controllerlib.Key{
|
|
||||||
Name: controller.Name,
|
|
||||||
Namespace: obj.GetNamespace(),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return controllerlib.Key{}
|
|
||||||
},
|
|
||||||
AddFunc: isFederationDomainControllee,
|
|
||||||
UpdateFunc: func(oldObj, newObj metav1.Object) bool {
|
|
||||||
return isFederationDomainControllee(oldObj) || isFederationDomainControllee(newObj)
|
|
||||||
},
|
|
||||||
DeleteFunc: isFederationDomainControllee,
|
|
||||||
},
|
|
||||||
controllerlib.InformerOption{},
|
controllerlib.InformerOption{},
|
||||||
),
|
),
|
||||||
// We want to be notified when anything happens to an FederationDomain.
|
// We want to be notified when anything happens to an FederationDomain.
|
||||||
@ -316,14 +305,6 @@ func (c *jwksWriterController) updateFederationDomain(
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// isFederationDomainControlle returns whether the provided obj is controlled by a FederationDomain.
|
|
||||||
func isFederationDomainControllee(obj metav1.Object) bool {
|
|
||||||
controller := metav1.GetControllerOf(obj)
|
|
||||||
return controller != nil &&
|
|
||||||
controller.APIVersion == configv1alpha1.SchemeGroupVersion.String() &&
|
|
||||||
controller.Kind == federationDomainKind
|
|
||||||
}
|
|
||||||
|
|
||||||
// isValid returns whether the provided secret contains a valid active JWK and verification JWKS.
|
// isValid returns whether the provided secret contains a valid active JWK and verification JWKS.
|
||||||
func isValid(secret *corev1.Secret) bool {
|
func isValid(secret *corev1.Secret) bool {
|
||||||
if secret.Type != jwksSecretTypeValue {
|
if secret.Type != jwksSecretTypeValue {
|
||||||
|
@ -35,7 +35,7 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
secret corev1.Secret
|
secret metav1.Object
|
||||||
wantAdd bool
|
wantAdd bool
|
||||||
wantUpdate bool
|
wantUpdate bool
|
||||||
wantDelete bool
|
wantDelete bool
|
||||||
@ -43,13 +43,15 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "no owner reference",
|
name: "no owner reference",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-jwks",
|
||||||
ObjectMeta: metav1.ObjectMeta{},
|
ObjectMeta: metav1.ObjectMeta{},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference without correct APIVersion",
|
name: "owner reference without correct APIVersion",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-jwks",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -64,7 +66,8 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference without correct Kind",
|
name: "owner reference without correct Kind",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-jwks",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -79,7 +82,8 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "owner reference without controller set to true",
|
name: "owner reference without controller set to true",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-jwks",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -94,7 +98,8 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "correct owner reference",
|
name: "correct owner reference",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-jwks",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -114,7 +119,8 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "multiple owner references",
|
name: "multiple owner references",
|
||||||
secret: corev1.Secret{
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/federation-domain-jwks",
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: "some-namespace",
|
Namespace: "some-namespace",
|
||||||
OwnerReferences: []metav1.OwnerReference{
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
@ -135,6 +141,31 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
wantDelete: true,
|
wantDelete: true,
|
||||||
wantParent: controllerlib.Key{Namespace: "some-namespace", Name: "some-name"},
|
wantParent: controllerlib.Key{Namespace: "some-namespace", Name: "some-name"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "correct owner reference but wrong type",
|
||||||
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/some-other-type",
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Namespace: "some-namespace",
|
||||||
|
OwnerReferences: []metav1.OwnerReference{
|
||||||
|
{
|
||||||
|
APIVersion: configv1alpha1.SchemeGroupVersion.String(),
|
||||||
|
Kind: "FederationDomain",
|
||||||
|
Name: "some-name",
|
||||||
|
Controller: boolPtr(true),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "resource of wrong data type",
|
||||||
|
secret: &corev1.Namespace{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "some-namespace",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
test := test
|
test := test
|
||||||
@ -161,11 +192,11 @@ func TestJWKSWriterControllerFilterSecret(t *testing.T) {
|
|||||||
|
|
||||||
unrelated := corev1.Secret{}
|
unrelated := corev1.Secret{}
|
||||||
filter := withInformer.GetFilterForInformer(secretInformer)
|
filter := withInformer.GetFilterForInformer(secretInformer)
|
||||||
require.Equal(t, test.wantAdd, filter.Add(&test.secret))
|
require.Equal(t, test.wantAdd, filter.Add(test.secret))
|
||||||
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, &test.secret))
|
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, test.secret))
|
||||||
require.Equal(t, test.wantUpdate, filter.Update(&test.secret, &unrelated))
|
require.Equal(t, test.wantUpdate, filter.Update(test.secret, &unrelated))
|
||||||
require.Equal(t, test.wantDelete, filter.Delete(&test.secret))
|
require.Equal(t, test.wantDelete, filter.Delete(test.secret))
|
||||||
require.Equal(t, test.wantParent, filter.Parent(&test.secret))
|
require.Equal(t, test.wantParent, filter.Parent(test.secret))
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -9,6 +9,7 @@ import (
|
|||||||
"net/url"
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
v1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
corev1informers "k8s.io/client-go/informers/core/v1"
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
||||||
|
|
||||||
@ -49,7 +50,7 @@ func NewTLSCertObserverController(
|
|||||||
},
|
},
|
||||||
withInformer(
|
withInformer(
|
||||||
secretInformer,
|
secretInformer,
|
||||||
pinnipedcontroller.MatchAnythingFilter(nil),
|
pinnipedcontroller.MatchAnySecretOfTypeFilter(v1.SecretTypeTLS, nil),
|
||||||
controllerlib.InformerOption{},
|
controllerlib.InformerOption{},
|
||||||
),
|
),
|
||||||
withInformer(
|
withInformer(
|
||||||
|
@ -59,11 +59,11 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
|
|||||||
|
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
subject = secretsInformerFilter
|
subject = secretsInformerFilter
|
||||||
secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}}
|
secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}, Type: corev1.SecretTypeTLS}
|
||||||
otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}}
|
otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}, Type: "other type"}
|
||||||
})
|
})
|
||||||
|
|
||||||
when("any Secret changes", func() {
|
when("any Secret of type TLS changes", func() {
|
||||||
it("returns true to trigger the sync method", func() {
|
it("returns true to trigger the sync method", func() {
|
||||||
r.True(subject.Add(secret))
|
r.True(subject.Add(secret))
|
||||||
r.True(subject.Update(secret, otherSecret))
|
r.True(subject.Update(secret, otherSecret))
|
||||||
@ -71,6 +71,14 @@ func TestTLSCertObserverControllerInformerFilters(t *testing.T) {
|
|||||||
r.True(subject.Delete(secret))
|
r.True(subject.Delete(secret))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
when("any Secret that is not of type TLS changes", func() {
|
||||||
|
it("returns false to avoid triggering the sync method", func() {
|
||||||
|
r.False(subject.Add(otherSecret))
|
||||||
|
r.False(subject.Update(otherSecret, otherSecret))
|
||||||
|
r.False(subject.Delete(otherSecret))
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
when("watching FederationDomain objects", func() {
|
when("watching FederationDomain objects", func() {
|
||||||
|
@ -117,6 +117,7 @@ func New(
|
|||||||
oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer,
|
oidcIdentityProviderInformer idpinformers.OIDCIdentityProviderInformer,
|
||||||
secretInformer corev1informers.SecretInformer,
|
secretInformer corev1informers.SecretInformer,
|
||||||
log logr.Logger,
|
log logr.Logger,
|
||||||
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
||||||
) controllerlib.Controller {
|
) controllerlib.Controller {
|
||||||
c := controller{
|
c := controller{
|
||||||
cache: idpCache,
|
cache: idpCache,
|
||||||
@ -126,11 +127,18 @@ func New(
|
|||||||
secretInformer: secretInformer,
|
secretInformer: secretInformer,
|
||||||
validatorCache: &lruValidatorCache{cache: cache.NewExpiring()},
|
validatorCache: &lruValidatorCache{cache: cache.NewExpiring()},
|
||||||
}
|
}
|
||||||
filter := pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue())
|
|
||||||
return controllerlib.New(
|
return controllerlib.New(
|
||||||
controllerlib.Config{Name: controllerName, Syncer: &c},
|
controllerlib.Config{Name: controllerName, Syncer: &c},
|
||||||
controllerlib.WithInformer(oidcIdentityProviderInformer, filter, controllerlib.InformerOption{}),
|
withInformer(
|
||||||
controllerlib.WithInformer(secretInformer, filter, controllerlib.InformerOption{}),
|
oidcIdentityProviderInformer,
|
||||||
|
pinnipedcontroller.MatchAnythingFilter(pinnipedcontroller.SingletonQueue()),
|
||||||
|
controllerlib.InformerOption{},
|
||||||
|
),
|
||||||
|
withInformer(
|
||||||
|
secretInformer,
|
||||||
|
pinnipedcontroller.MatchAnySecretOfTypeFilter(oidcClientSecretType, pinnipedcontroller.SingletonQueue()),
|
||||||
|
controllerlib.InformerOption{},
|
||||||
|
),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,6 +31,76 @@ import (
|
|||||||
"go.pinniped.dev/internal/upstreamoidc"
|
"go.pinniped.dev/internal/upstreamoidc"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func TestControllerFilterSecret(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
secret metav1.Object
|
||||||
|
wantAdd bool
|
||||||
|
wantUpdate bool
|
||||||
|
wantDelete bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "a secret of the right type",
|
||||||
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/oidc-client",
|
||||||
|
ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
|
||||||
|
},
|
||||||
|
wantAdd: true,
|
||||||
|
wantUpdate: true,
|
||||||
|
wantDelete: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "a secret of the wrong type",
|
||||||
|
secret: &corev1.Secret{
|
||||||
|
Type: "secrets.pinniped.dev/not-the-oidc-client-type",
|
||||||
|
ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "resource of wrong data type",
|
||||||
|
secret: &corev1.Namespace{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{Name: "some-name", Namespace: "some-namespace"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, test := range tests {
|
||||||
|
test := test
|
||||||
|
t.Run(test.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
fakePinnipedClient := pinnipedfake.NewSimpleClientset()
|
||||||
|
pinnipedInformers := pinnipedinformers.NewSharedInformerFactory(fakePinnipedClient, 0)
|
||||||
|
fakeKubeClient := fake.NewSimpleClientset()
|
||||||
|
kubeInformers := informers.NewSharedInformerFactory(fakeKubeClient, 0)
|
||||||
|
testLog := testlogger.New(t)
|
||||||
|
cache := provider.NewDynamicUpstreamIDPProvider()
|
||||||
|
cache.SetIDPList([]provider.UpstreamOIDCIdentityProviderI{
|
||||||
|
&upstreamoidc.ProviderConfig{Name: "initial-entry"},
|
||||||
|
})
|
||||||
|
secretInformer := kubeInformers.Core().V1().Secrets()
|
||||||
|
withInformer := testutil.NewObservableWithInformerOption()
|
||||||
|
|
||||||
|
New(
|
||||||
|
cache,
|
||||||
|
nil,
|
||||||
|
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
|
||||||
|
secretInformer,
|
||||||
|
testLog,
|
||||||
|
withInformer.WithInformer,
|
||||||
|
)
|
||||||
|
|
||||||
|
unrelated := corev1.Secret{}
|
||||||
|
filter := withInformer.GetFilterForInformer(secretInformer)
|
||||||
|
require.Equal(t, test.wantAdd, filter.Add(test.secret))
|
||||||
|
require.Equal(t, test.wantUpdate, filter.Update(&unrelated, test.secret))
|
||||||
|
require.Equal(t, test.wantUpdate, filter.Update(test.secret, &unrelated))
|
||||||
|
require.Equal(t, test.wantDelete, filter.Delete(test.secret))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestController(t *testing.T) {
|
func TestController(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
now := metav1.NewTime(time.Now().UTC())
|
now := metav1.NewTime(time.Now().UTC())
|
||||||
@ -550,7 +620,9 @@ func TestController(t *testing.T) {
|
|||||||
fakePinnipedClient,
|
fakePinnipedClient,
|
||||||
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
|
pinnipedInformers.IDP().V1alpha1().OIDCIdentityProviders(),
|
||||||
kubeInformers.Core().V1().Secrets(),
|
kubeInformers.Core().V1().Secrets(),
|
||||||
testLog)
|
testLog,
|
||||||
|
controllerlib.WithInformer,
|
||||||
|
)
|
||||||
|
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
@ -34,6 +34,14 @@ func GarbageCollectorController(
|
|||||||
secretInformer corev1informers.SecretInformer,
|
secretInformer corev1informers.SecretInformer,
|
||||||
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
||||||
) controllerlib.Controller {
|
) controllerlib.Controller {
|
||||||
|
isSecretWithGCAnnotation := func(obj metav1.Object) bool {
|
||||||
|
secret, ok := obj.(*v1.Secret)
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
_, ok = secret.Annotations[crud.SecretLifetimeAnnotationKey]
|
||||||
|
return ok
|
||||||
|
}
|
||||||
return controllerlib.New(
|
return controllerlib.New(
|
||||||
controllerlib.Config{
|
controllerlib.Config{
|
||||||
Name: "garbage-collector-controller",
|
Name: "garbage-collector-controller",
|
||||||
@ -45,7 +53,14 @@ func GarbageCollectorController(
|
|||||||
},
|
},
|
||||||
withInformer(
|
withInformer(
|
||||||
secretInformer,
|
secretInformer,
|
||||||
pinnipedcontroller.MatchAnythingFilter(nil),
|
controllerlib.FilterFuncs{
|
||||||
|
AddFunc: isSecretWithGCAnnotation,
|
||||||
|
UpdateFunc: func(oldObj, newObj metav1.Object) bool {
|
||||||
|
return isSecretWithGCAnnotation(oldObj) || isSecretWithGCAnnotation(newObj)
|
||||||
|
},
|
||||||
|
DeleteFunc: func(obj metav1.Object) bool { return false }, // ignore all deletes
|
||||||
|
ParentFunc: nil,
|
||||||
|
},
|
||||||
controllerlib.InformerOption{},
|
controllerlib.InformerOption{},
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
|
@ -49,21 +49,46 @@ func TestGarbageCollectorControllerInformerFilters(t *testing.T) {
|
|||||||
when("watching Secret objects", func() {
|
when("watching Secret objects", func() {
|
||||||
var (
|
var (
|
||||||
subject controllerlib.Filter
|
subject controllerlib.Filter
|
||||||
secret, otherSecret *corev1.Secret
|
secretWithAnnotation, otherSecret *corev1.Secret
|
||||||
)
|
)
|
||||||
|
|
||||||
it.Before(func() {
|
it.Before(func() {
|
||||||
subject = secretsInformerFilter
|
subject = secretsInformerFilter
|
||||||
secret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace"}}
|
secretWithAnnotation = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace", Annotations: map[string]string{
|
||||||
otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-other-namespace"}}
|
"storage.pinniped.dev/garbage-collect-after": "some timestamp",
|
||||||
|
}}}
|
||||||
|
otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-namespace"}}
|
||||||
})
|
})
|
||||||
|
|
||||||
when("any Secret changes", func() {
|
when("any Secret with the required annotation is added or updated", func() {
|
||||||
it("returns true to trigger the sync function for all secrets", func() {
|
it("returns true to trigger the sync function", func() {
|
||||||
r.True(subject.Add(secret))
|
r.True(subject.Add(secretWithAnnotation))
|
||||||
r.True(subject.Update(secret, otherSecret))
|
r.True(subject.Update(secretWithAnnotation, otherSecret))
|
||||||
r.True(subject.Update(otherSecret, secret))
|
r.True(subject.Update(otherSecret, secretWithAnnotation))
|
||||||
r.True(subject.Delete(secret))
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
when("any Secret with the required annotation is deleted", func() {
|
||||||
|
it("returns false to skip the sync function because it does not need to worry about secrets that are already gone", func() {
|
||||||
|
r.False(subject.Delete(secretWithAnnotation))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
when("any Secret without the required annotation changes", func() {
|
||||||
|
it("returns false to skip the sync function", func() {
|
||||||
|
r.False(subject.Add(otherSecret))
|
||||||
|
r.False(subject.Update(otherSecret, otherSecret))
|
||||||
|
r.False(subject.Delete(otherSecret))
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
when("any other type is passed", func() {
|
||||||
|
it("returns false to skip the sync function", func() {
|
||||||
|
wrongType := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "some-ns", Namespace: "some-ns"}}
|
||||||
|
|
||||||
|
r.False(subject.Add(wrongType))
|
||||||
|
r.False(subject.Update(wrongType, wrongType))
|
||||||
|
r.False(subject.Delete(wrongType))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
@ -4,6 +4,7 @@
|
|||||||
package controller
|
package controller
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
v1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
"go.pinniped.dev/internal/controllerlib"
|
"go.pinniped.dev/internal/controllerlib"
|
||||||
@ -32,6 +33,30 @@ func SimpleFilter(match func(metav1.Object) bool, parentFunc controllerlib.Paren
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func MatchAnySecretOfTypeFilter(secretType v1.SecretType, parentFunc controllerlib.ParentFunc) controllerlib.Filter {
|
||||||
|
isSecretOfType := func(obj metav1.Object) bool {
|
||||||
|
secret, ok := obj.(*v1.Secret)
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return secret.Type == secretType
|
||||||
|
}
|
||||||
|
return SimpleFilter(isSecretOfType, parentFunc)
|
||||||
|
}
|
||||||
|
|
||||||
|
func SecretIsControlledByParentFunc(matchFunc func(obj metav1.Object) bool) func(obj metav1.Object) controllerlib.Key {
|
||||||
|
return func(obj metav1.Object) controllerlib.Key {
|
||||||
|
if matchFunc(obj) {
|
||||||
|
controller := metav1.GetControllerOf(obj)
|
||||||
|
return controllerlib.Key{
|
||||||
|
Name: controller.Name,
|
||||||
|
Namespace: obj.GetNamespace(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return controllerlib.Key{}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// SingletonQueue returns a parent func that treats all events as the same key.
|
// SingletonQueue returns a parent func that treats all events as the same key.
|
||||||
func SingletonQueue() controllerlib.ParentFunc {
|
func SingletonQueue() controllerlib.ParentFunc {
|
||||||
return func(_ metav1.Object) controllerlib.Key {
|
return func(_ metav1.Object) controllerlib.Key {
|
||||||
|
@ -9,12 +9,11 @@
|
|||||||
package mocksecrethelper
|
package mocksecrethelper
|
||||||
|
|
||||||
import (
|
import (
|
||||||
reflect "reflect"
|
|
||||||
|
|
||||||
gomock "github.com/golang/mock/gomock"
|
gomock "github.com/golang/mock/gomock"
|
||||||
v1 "k8s.io/api/core/v1"
|
|
||||||
|
|
||||||
v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
v1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
||||||
|
v1 "k8s.io/api/core/v1"
|
||||||
|
v10 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
reflect "reflect"
|
||||||
)
|
)
|
||||||
|
|
||||||
// MockSecretHelper is a mock of SecretHelper interface
|
// MockSecretHelper is a mock of SecretHelper interface
|
||||||
@ -55,6 +54,20 @@ func (mr *MockSecretHelperMockRecorder) Generate(arg0 interface{}) *gomock.Call
|
|||||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Generate", reflect.TypeOf((*MockSecretHelper)(nil).Generate), arg0)
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Generate", reflect.TypeOf((*MockSecretHelper)(nil).Generate), arg0)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Handles mocks base method
|
||||||
|
func (m *MockSecretHelper) Handles(arg0 v10.Object) bool {
|
||||||
|
m.ctrl.T.Helper()
|
||||||
|
ret := m.ctrl.Call(m, "Handles", arg0)
|
||||||
|
ret0, _ := ret[0].(bool)
|
||||||
|
return ret0
|
||||||
|
}
|
||||||
|
|
||||||
|
// Handles indicates an expected call of Handles
|
||||||
|
func (mr *MockSecretHelperMockRecorder) Handles(arg0 interface{}) *gomock.Call {
|
||||||
|
mr.mock.ctrl.T.Helper()
|
||||||
|
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Handles", reflect.TypeOf((*MockSecretHelper)(nil).Handles), arg0)
|
||||||
|
}
|
||||||
|
|
||||||
// IsValid mocks base method
|
// IsValid mocks base method
|
||||||
func (m *MockSecretHelper) IsValid(arg0 *v1alpha1.FederationDomain, arg1 *v1.Secret) bool {
|
func (m *MockSecretHelper) IsValid(arg0 *v1alpha1.FederationDomain, arg1 *v1.Secret) bool {
|
||||||
m.ctrl.T.Helper()
|
m.ctrl.T.Helper()
|
||||||
|
@ -20,6 +20,8 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
v1 "k8s.io/api/core/v1"
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
rbacv1 "k8s.io/api/rbac/v1"
|
rbacv1 "k8s.io/api/rbac/v1"
|
||||||
|
|
||||||
@ -84,7 +86,7 @@ func TestE2EFullIntegration(t *testing.T) {
|
|||||||
certSecret := library.CreateTestSecret(t,
|
certSecret := library.CreateTestSecret(t,
|
||||||
env.SupervisorNamespace,
|
env.SupervisorNamespace,
|
||||||
"oidc-provider-tls",
|
"oidc-provider-tls",
|
||||||
"kubernetes.io/tls",
|
v1.SecretTypeTLS,
|
||||||
map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
|
map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -287,6 +287,7 @@ func createTLSCertificateSecret(ctx context.Context, t *testing.T, ns string, ho
|
|||||||
tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
|
tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
secret := corev1.Secret{
|
secret := corev1.Secret{
|
||||||
|
Type: corev1.SecretTypeTLS,
|
||||||
TypeMeta: metav1.TypeMeta{},
|
TypeMeta: metav1.TypeMeta{},
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: secretName,
|
Name: secretName,
|
||||||
|
@ -18,6 +18,8 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
v1 "k8s.io/api/core/v1"
|
||||||
|
|
||||||
coreosoidc "github.com/coreos/go-oidc"
|
coreosoidc "github.com/coreos/go-oidc"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
@ -95,7 +97,7 @@ func TestSupervisorLogin(t *testing.T) {
|
|||||||
certSecret := library.CreateTestSecret(t,
|
certSecret := library.CreateTestSecret(t,
|
||||||
env.SupervisorNamespace,
|
env.SupervisorNamespace,
|
||||||
"oidc-provider-tls",
|
"oidc-provider-tls",
|
||||||
"kubernetes.io/tls",
|
v1.SecretTypeTLS,
|
||||||
map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
|
map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -44,11 +44,12 @@ func TestStorageGarbageCollection(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Start a background goroutine which will end as soon as the test ends.
|
// Start a background goroutine which will end as soon as the test ends.
|
||||||
// Keep updating a secret in the same namespace just to get the controller to respond faster.
|
// Keep updating a secret which has the "storage.pinniped.dev/garbage-collect-after" annotation
|
||||||
// This is just a performance optimization because otherwise this test has to wait
|
// in the same namespace just to get the controller to respond faster.
|
||||||
// ~3 minutes for the controller's next full-resync.
|
// This is just a performance optimization to make this test pass faster because otherwise
|
||||||
|
// this test has to wait ~3 minutes for the controller's next full-resync.
|
||||||
stopCh := make(chan bool, 1) // It is important that this channel be buffered.
|
stopCh := make(chan bool, 1) // It is important that this channel be buffered.
|
||||||
go createAndUpdateSecretEveryTwoSeconds(t, stopCh, secrets)
|
go updateSecretEveryTwoSeconds(t, stopCh, secrets, secretNotYetExpired)
|
||||||
t.Cleanup(func() {
|
t.Cleanup(func() {
|
||||||
stopCh <- true
|
stopCh <- true
|
||||||
})
|
})
|
||||||
@ -68,12 +69,10 @@ func TestStorageGarbageCollection(t *testing.T) {
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func createAndUpdateSecretEveryTwoSeconds(t *testing.T, stopCh chan bool, secrets corev1client.SecretInterface) {
|
func updateSecretEveryTwoSeconds(t *testing.T, stopCh chan bool, secrets corev1client.SecretInterface, secret *v1.Secret) {
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
unrelatedSecret := createSecret(ctx, t, secrets, "unrelated-to-gc", time.Time{})
|
|
||||||
|
|
||||||
i := 0
|
i := 0
|
||||||
for {
|
for {
|
||||||
select {
|
select {
|
||||||
@ -87,9 +86,9 @@ func createAndUpdateSecretEveryTwoSeconds(t *testing.T, stopCh chan bool, secret
|
|||||||
time.Sleep(2 * time.Second)
|
time.Sleep(2 * time.Second)
|
||||||
|
|
||||||
i++
|
i++
|
||||||
unrelatedSecret.Data["foo"] = []byte(fmt.Sprintf("bar-%d", i))
|
secret.Data["foo"] = []byte(fmt.Sprintf("bar-%d", i))
|
||||||
var updateErr error
|
var updateErr error
|
||||||
unrelatedSecret, updateErr = secrets.Update(ctx, unrelatedSecret, metav1.UpdateOptions{})
|
secret, updateErr = secrets.Update(ctx, secret, metav1.UpdateOptions{})
|
||||||
require.NoError(t, updateErr)
|
require.NoError(t, updateErr)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -125,6 +124,6 @@ func newSecret(namePrefix string, expiresAt time.Time) *v1.Secret {
|
|||||||
Annotations: annotations,
|
Annotations: annotations,
|
||||||
},
|
},
|
||||||
Data: map[string][]byte{"some-key": []byte("fake-data")},
|
Data: map[string][]byte{"some-key": []byte("fake-data")},
|
||||||
Type: "storage.pinniped.dev/gc-test-integration-test",
|
Type: "storage.pinniped.dev/gc-test-integration-test", // the garbage collector controller doesn't care about the type
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -314,7 +314,7 @@ func RandHex(t *testing.T, numBytes int) string {
|
|||||||
return hex.EncodeToString(buf)
|
return hex.EncodeToString(buf)
|
||||||
}
|
}
|
||||||
|
|
||||||
func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType string, stringData map[string]string) *corev1.Secret {
|
func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, stringData map[string]string) *corev1.Secret {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
client := NewClientset(t)
|
client := NewClientset(t)
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
||||||
@ -322,7 +322,7 @@ func CreateTestSecret(t *testing.T, namespace string, baseName string, secretTyp
|
|||||||
|
|
||||||
created, err := client.CoreV1().Secrets(namespace).Create(ctx, &corev1.Secret{
|
created, err := client.CoreV1().Secrets(namespace).Create(ctx, &corev1.Secret{
|
||||||
ObjectMeta: testObjectMeta(t, baseName),
|
ObjectMeta: testObjectMeta(t, baseName),
|
||||||
Type: corev1.SecretType(secretType),
|
Type: secretType,
|
||||||
StringData: stringData,
|
StringData: stringData,
|
||||||
}, metav1.CreateOptions{})
|
}, metav1.CreateOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
Loading…
Reference in New Issue
Block a user