Merge pull request #97 from kluctl/feat-tests

Add controller tests and CI

Author: codablock

.github/workflows/tests.yml

@@ -0,0 +1,91 @@
+name: tests
+
+on:
+  push:
+    branches:
+      - main
+      - release-v*
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  generate-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: generate-check-go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            generate-check-go-${{ runner.os }}-
+      - name: Verify generated source is up-to-date
+        run: |
+          make generate
+          if [ ! -z "$(git status --porcelain)" ]; then
+            echo "make generate must be invoked and the result committed"
+            git status
+            git diff
+            exit 1
+          fi
+      - name: Verify generated manifests are up-to-date
+        run: |
+          make manifests
+          if [ ! -z "$(git status --porcelain)" ]; then
+            echo "make manifests must be invoked and the result committed"
+            git status
+            git diff
+            exit 1
+          fi
+      - name: Verify generated api-docs are up-to-date
+        run: |
+          make api-docs
+          if [ ! -z "$(git status --porcelain)" ]; then
+            echo "make api-docs must be invoked and the result committed"
+            git status
+            git diff
+            exit 1
+          fi
+      - name: Verify go.mod and go.sum are clean
+        run: |
+          go mod tidy
+          if [ ! -z "$(git status --porcelain)" ]; then
+            echo "go mod tidy must be invoked and the result committed"
+            git status
+            git diff
+            exit 1
+          fi
+
+  tests:
+    runs-on: ubuntu-22.04
+    name: tests
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: tests-go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            tests-go-${{ runner.os }}-
+      - name: Run tests
+        shell: bash
+        run: |
+          make test

Makefile

@@ -56,7 +56,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out --ginkgo.v
 
 ##@ Build
 

api/v1alpha1/objecttemplate_types.go

@@ -50,7 +50,7 @@ type ObjectTemplateSpec struct {
 
 	// Matrix specifies the input matrix
 	// +required
-	Matrix []*MatrixEntry `json:"matrix"`
+	Matrix []MatrixEntry `json:"matrix"`
 
 	// Templates specifies a list of templates to render and deploy
 	// +required

api/v1alpha1/texttemplate_types.go

@@ -33,7 +33,7 @@ type TextTemplateSpec struct {
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
 	// +optional
-	Inputs []*TextTemplateInput `json:"inputs,omitempty"`
+	Inputs []TextTemplateInput `json:"inputs,omitempty"`
 
 	// +optional
 	Template *string `json:"template,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: githubcomments.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_githubcomments.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: gitlabcomments.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_gitlabcomments.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: gitprojectors.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_gitprojectors.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: listgithubpullrequests.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_listgithubpullrequests.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: listgitlabmergerequests.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_listgitlabmergerequests.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: objecttemplates.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_objecttemplates.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: texttemplates.templates.kluctl.io
 spec:
   group: templates.kluctl.io

config/crd/bases/templates.kluctl.io_texttemplates.yaml

@@ -11,7 +11,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -33,10 +32,7 @@ type BaseTemplateReconciler struct {
 }
 
 func (r *BaseTemplateReconciler) getClientForObjects(serviceAccountName string, objNamespace string) (client.Client, error) {
-	restConfig, err := config.GetConfig()
-	if err != nil {
-		return nil, err
-	}
+	restConfig := rest.CopyConfig(r.Manager.GetConfig())
 
 	name := "default"
 	if serviceAccountName != "" {

controllers/base_template_reconciler.go

@@ -0,0 +1,158 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+	"fmt"
+	v1 "k8s.io/api/core/v1"
+	"math/rand/v2"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"time"
+
+	templatesv1alpha1 "github.com/kluctl/template-controller/api/v1alpha1"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var _ = Describe("ObjectTemplate controller", func() {
+	const (
+		timeout  = time.Second * 1000
+		duration = time.Second * 10
+		interval = time.Millisecond * 250
+	)
+
+	Context("Template without permissions to write object", func() {
+		ns := fmt.Sprintf("test-%d", rand.Int64())
+
+		key := client.ObjectKey{Name: "t1", Namespace: ns}
+		cmKey := client.ObjectKey{Name: "cm1", Namespace: ns}
+
+		t := buildObjectTemplate(key.Name, key.Namespace,
+			[]templatesv1alpha1.MatrixEntry{buildMatrixListEntry("m1")},
+			[]templatesv1alpha1.Template{
+				{Object: buildTestConfigMap(cmKey.Name, cmKey.Namespace, map[string]string{
+					"k1": `{{ matrix.m1.k1 + matrix.m1.k2 }}`,
+				})},
+			})
+
+		It("Should fail initially", func() {
+			createNamespace(ns)
+			createServiceAccount("default", ns)
+
+			Expect(k8sClient.Create(ctx, t)).Should(Succeed())
+			waitUntiReconciled(key, timeout)
+
+			Consistently(func() error {
+				return k8sClient.Get(ctx, cmKey, &v1.ConfigMap{})
+			}, "2s").Should(MatchError("configmaps \"cm1\" not found"))
+
+			assertFailedConfigMaps(key, cmKey)
+		})
+		It("Should succeed when RBAC is added", func() {
+			createRoleWithBinding("default", ns, []string{"configmaps"})
+
+			triggerReconcile(key)
+			waitUntiReconciled(key, timeout)
+
+			assertAppliedConfigMaps(key, cmKey)
+
+			var cm v1.ConfigMap
+			err := k8sClient.Get(ctx, cmKey, &cm)
+			Expect(err).To(Succeed())
+
+			Expect(cm.Data).To(Equal(map[string]string{
+				"k1": "3",
+			}))
+		})
+		It("Should fail with non-existing SA", func() {
+			updateObjectTemplate(key, func(t *templatesv1alpha1.ObjectTemplate) {
+				t.Spec.ServiceAccountName = "non-existent"
+			})
+			waitUntiReconciled(key, timeout)
+
+			assertFailedConfigMap(key, cmKey, "configmaps \"cm1\" is forbidden")
+		})
+		It("Should succeed after the SA is being created", func() {
+			createServiceAccount("non-existent", ns)
+			createRoleWithBinding("non-existent", ns, []string{"configmaps"})
+			triggerReconcile(key)
+			waitUntiReconciled(key, timeout)
+			assertAppliedConfigMaps(key, cmKey)
+		})
+	})
+	Context("Template without permissions to read matrix object", func() {
+		ns := fmt.Sprintf("test-%d", rand.Int64())
+
+		key := client.ObjectKey{Name: "t1", Namespace: ns}
+		cmKey := client.ObjectKey{Name: "cm1", Namespace: ns}
+
+		It("Should fail initially", func() {
+			createNamespace(ns)
+			createServiceAccount("default", ns)
+			createRoleWithBinding("default", ns, []string{"configmaps"})
+
+			t := buildObjectTemplate(key.Name, key.Namespace,
+				[]templatesv1alpha1.MatrixEntry{
+					buildMatrixObjectEntry("m1", "m1", ns, "Secret", "", false),
+				},
+				[]templatesv1alpha1.Template{
+					{Object: buildTestConfigMap(cmKey.Name, cmKey.Namespace, map[string]string{
+						"k1": `{{ matrix.m1.k1 + matrix.m1.k2 }}`,
+					})},
+				})
+
+			err := k8sClient.Create(ctx, buildTestSecret("m1", ns, map[string]string{
+				"k1": "1",
+				"k2": "2",
+			}))
+			Expect(err).To(Succeed())
+
+			Expect(k8sClient.Create(ctx, t)).Should(Succeed())
+			waitUntiReconciled(key, timeout)
+
+			t2 := getObjectTemplate(key)
+			c := getReadyCondition(t2.GetConditions())
+			Expect(c.Status).To(Equal(metav1.ConditionFalse))
+			Expect(c.Message).To(ContainSubstring("secrets \"m1\" is forbidden"))
+		})
+		It("Should succeed when RBAC is created", func() {
+			createRoleWithBinding("default", ns, []string{"secrets"})
+			triggerReconcile(key)
+			waitUntiReconciled(key, timeout)
+			assertAppliedConfigMaps(key, cmKey)
+		})
+		It("Should fail with non-existing SA", func() {
+			updateObjectTemplate(key, func(t *templatesv1alpha1.ObjectTemplate) {
+				t.Spec.ServiceAccountName = "non-existent"
+			})
+			waitUntiReconciled(key, timeout)
+
+			t2 := getObjectTemplate(key)
+			c := getReadyCondition(t2.GetConditions())
+			Expect(c.Status).To(Equal(metav1.ConditionFalse))
+			Expect(c.Message).To(ContainSubstring("secrets \"m1\" is forbidden"))
+		})
+		It("Should succeed after the SA is being created", func() {
+			createServiceAccount("non-existent", ns)
+			createRoleWithBinding("non-existent", ns, []string{"configmaps"})
+			triggerReconcile(key)
+			waitUntiReconciled(key, timeout)
+			assertAppliedConfigMaps(key, cmKey)
+		})
+	})
+})