add test

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Author: inteon

cmd/app/app.go

@@ -60,13 +60,12 @@ func NewCommand() *cobra.Command {
 			eventBroadcaster.StartLogging(func(format string, args ...interface{}) { mlog.V(3).Info(fmt.Sprintf(format, args...)) })
 			eventBroadcaster.StartRecordingToSink(&clientv1.EventSinkImpl{Interface: cl.CoreV1().Events("")})
 
-			scheme := trustapi.GlobalScheme
 			mgr, err := ctrl.NewManager(opts.RestConfig, ctrl.Options{
-				Scheme:                        scheme,
+				Scheme:                        trustapi.GlobalScheme,
 				EventBroadcaster:              eventBroadcaster,
 				LeaderElection:                true,
 				LeaderElectionNamespace:       opts.Bundle.Namespace,
-				NewCache:                      bundle.NewCacheFunc(scheme, opts.Bundle),
+				NewCache:                      bundle.NewCacheFunc(opts.Bundle),
 				LeaderElectionID:              "trust-manager-leader-election",
 				LeaderElectionReleaseOnCancel: true,
 				ReadinessEndpointName:         opts.ReadyzPath,

pkg/bundle/internal/cache.go pkg/bundle/cache/cache.gopkg/bundle/internal/cache.go renamed to pkg/bundle/cache/cache.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package internal
+package cache
 
 import (
 	"context"
@@ -56,7 +56,7 @@ type multiScopedCache struct {
 // resources in the given namespace. namespacedInformers is the set of resource
 // types which should only be watched in the given namespace.
 // namespacedInformers expects Namespaced resource types.
-func NewMultiScopedCache(scheme *runtime.Scheme, namespace string, namespacedInformers []schema.GroupKind) cache.NewCacheFunc {
+func NewMultiScopedCache(namespace string, namespacedInformers []schema.GroupKind) cache.NewCacheFunc {
 	return func(config *rest.Config, opts cache.Options) (cache.Cache, error) {
 		namespacedOpts := opts
 		namespacedOpts.Namespace = namespace
@@ -71,8 +71,9 @@ func NewMultiScopedCache(scheme *runtime.Scheme, namespace string, namespacedInf
 		if err != nil {
 			return nil, err
 		}
+
 		return &multiScopedCache{
-			scheme:              scheme,
+			scheme:              opts.Scheme,
 			namespacedCache:     namespacedCache,
 			clusterCache:        clusterCache,
 			namespacedInformers: namespacedInformers,
@@ -85,13 +86,23 @@ func (b *multiScopedCache) GetInformer(ctx context.Context, obj client.Object) (
 	if err := setGroupVersionKind(b.scheme, obj); err != nil {
 		return nil, err
 	}
-	return b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind()).GetInformer(ctx, obj)
+
+	cache, err := b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return nil, err
+	}
+	return cache.GetInformer(ctx, obj)
 }
 
 // GetInformerForKind returns the underlying cache's GetInformerForKind based
 // on resource type.
 func (b *multiScopedCache) GetInformerForKind(ctx context.Context, gvk schema.GroupVersionKind) (cache.Informer, error) {
-	return b.cacheFromGVK(gvk).GetInformerForKind(ctx, gvk)
+
+	cache, err := b.cacheFromGVK(gvk)
+	if err != nil {
+		return nil, err
+	}
+	return cache.GetInformerForKind(ctx, gvk)
 }
 
 // Start starts both the cluster and namespaced caches. Returned is an
@@ -137,46 +148,61 @@ func (b *multiScopedCache) IndexField(ctx context.Context, obj client.Object, fi
 	if err := setGroupVersionKind(b.scheme, obj); err != nil {
 		return err
 	}
-	return b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind()).IndexField(ctx, obj, field, extractValue)
+
+	cache, err := b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return err
+	}
+	return cache.IndexField(ctx, obj, field, extractValue)
 }
 
 // Get returns the underlying cache's Get based on resource type.
 func (b *multiScopedCache) Get(ctx context.Context, key client.ObjectKey, obj client.Object) error {
 	if err := setGroupVersionKind(b.scheme, obj); err != nil {
 		return err
 	}
-	return b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind()).Get(ctx, key, obj)
+
+	cache, err := b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return err
+	}
+	return cache.Get(ctx, key, obj)
 }
 
 // List returns the underlying cache's List based on resource type.
 func (b *multiScopedCache) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
 	if err := setGroupVersionKind(b.scheme, list); err != nil {
 		return err
 	}
-	return b.cacheFromGVK(list.GetObjectKind().GroupVersionKind()).List(ctx, list, opts...)
+
+	cache, err := b.cacheFromGVK(list.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return err
+	}
+	return cache.List(ctx, list, opts...)
 }
 
 // cacheFromGVK returns either the cluster or namespaced cache, based on the
 // resource type given.
-func (b *multiScopedCache) cacheFromGVK(gvk schema.GroupVersionKind) cache.Cache {
+func (b *multiScopedCache) cacheFromGVK(gvk schema.GroupVersionKind) (cache.Cache, error) {
 	if gvk.Group == "" && gvk.Kind == "" {
-		panic("The Group and/or Kind must be set")
+		return nil, fmt.Errorf("the Group and/or Kind must be set")
 	}
 
 	for _, namespacedInformer := range b.namespacedInformers {
 		if namespacedInformer.Group == gvk.Group && namespacedInformer.Kind == gvk.Kind {
-			return b.namespacedCache
+			return b.namespacedCache, nil
 		}
 	}
-	return b.clusterCache
+	return b.clusterCache, nil
 }
 
 // setGroupVersionKind populates the Group and Kind fields of obj using the
 // scheme type registry.
 // Inspired by https://github.com/kubernetes-sigs/controller-runtime/issues/1735#issuecomment-984763173
 func setGroupVersionKind(scheme *runtime.Scheme, obj runtime.Object) error {
 	gvk := obj.GetObjectKind().GroupVersionKind()
-	if gvk.Group != "" || gvk.Kind != "" {
+	if gvk.Group != "" || gvk.Kind != "" || scheme == nil {
 		return nil // eg. in case of PartialMetadata, we don't want to overwrite the Group/ Kind
 	}
 

pkg/bundle/controller.go

@@ -23,7 +23,6 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/clock"
@@ -38,7 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
-	"github.com/cert-manager/trust-manager/pkg/bundle/internal"
+	multiscopedcache "github.com/cert-manager/trust-manager/pkg/bundle/cache"
 	"github.com/cert-manager/trust-manager/pkg/fspkg"
 )
 
@@ -195,6 +194,6 @@ func (b *bundle) mustBundleList(ctx context.Context) *trustapi.BundleList {
 
 // NewCacheFunc will return a multi-scoped controller-runtime NewCacheFunc
 // where Secret resources will only be watched within the trust Namespace.
-func NewCacheFunc(scheme *runtime.Scheme, opts Options) cache.NewCacheFunc {
-	return internal.NewMultiScopedCache(scheme, opts.Namespace, []schema.GroupKind{{Kind: "Secret"}})
+func NewCacheFunc(opts Options) cache.NewCacheFunc {
+	return multiscopedcache.NewMultiScopedCache(opts.Namespace, []schema.GroupKind{{Kind: "Secret"}})
 }

test/integration/bundle/cache_test.go

@@ -0,0 +1,153 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	multiscopedcache "github.com/cert-manager/trust-manager/pkg/bundle/cache"
+)
+
+var _ = Describe("Integration test cache", func() {
+	It("should be possible to Get a resource without having cluster-wide List & Watch permissions", func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+		defer cancel()
+
+		namespace := "test-namespace"
+
+		// Create a service account that can only retrieve secrets in a single namespace.
+		var cacheRestConfig *rest.Config
+		{
+			godClient, err := client.New(env.Config, client.Options{})
+			Expect(err).NotTo(HaveOccurred())
+
+			ns := &corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: namespace,
+				},
+			}
+			err = godClient.Create(ctx, ns)
+			Expect(err).NotTo(HaveOccurred())
+
+			sa := &corev1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cache-sa",
+					Namespace: namespace,
+				},
+			}
+			err = godClient.Create(ctx, sa)
+			Expect(err).NotTo(HaveOccurred())
+
+			role := &rbacv1.Role{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cache-role",
+					Namespace: namespace,
+				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						Verbs:     []string{"list", "watch"},
+						APIGroups: []string{""},
+						Resources: []string{"secrets"},
+					},
+				},
+			}
+			err = godClient.Create(ctx, role)
+			Expect(err).NotTo(HaveOccurred())
+
+			rolebinding := rbacv1.RoleBinding{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cache-rolebinding",
+					Namespace: namespace,
+				},
+				RoleRef: rbacv1.RoleRef{
+					APIGroup: "rbac.authorization.k8s.io",
+					Kind:     "Role",
+					Name:     "cache-role",
+				},
+				Subjects: []rbacv1.Subject{
+					{
+						Kind:      "ServiceAccount",
+						Name:      "cache-sa",
+						Namespace: namespace,
+					},
+				},
+			}
+			err = godClient.Create(ctx, &rolebinding)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Create a config that uses the service account.
+			cacheRestConfig = rest.CopyConfig(env.Config)
+			cacheRestConfig.Impersonate.UserName = fmt.Sprintf("system:serviceaccount:%s:%s", namespace, "cache-sa")
+			cacheRestConfig.Impersonate.UID = string(sa.UID)
+
+			// Create a secret that the service account can access.
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-secret",
+					Namespace: namespace,
+				},
+				Data: map[string][]byte{
+					"test": []byte("test"),
+				},
+			}
+			err = godClient.Create(ctx, secret)
+			Expect(err).NotTo(HaveOccurred())
+		}
+
+		newCache := multiscopedcache.NewMultiScopedCache(namespace, []schema.GroupKind{{Group: "", Kind: "Secret"}})
+
+		scheme := runtime.NewScheme()
+		Expect(corev1.AddToScheme(scheme)).NotTo(HaveOccurred())
+		cache, err := newCache(cacheRestConfig, cache.Options{
+			Scheme: scheme,
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		done := make(chan error)
+		go func() {
+			done <- cache.Start(ctx)
+		}()
+		defer func() {
+			Expect(<-done).NotTo(HaveOccurred())
+		}()
+
+		Expect(cache.WaitForCacheSync(ctx)).To(BeTrue())
+
+		secret := &corev1.Secret{}
+		err = cache.Get(ctx, client.ObjectKey{
+			Namespace: namespace,
+			Name:      "test-secret",
+		}, secret)
+		Expect(err).NotTo(HaveOccurred())
+
+		Expect(secret.Data["test"]).To(Equal([]byte("test")))
+	})
+})

test/integration/bundle/suite.go

@@ -90,10 +90,9 @@ var _ = Describe("Integration", func() {
 			DefaultPackageLocation: tmpFileName,
 		}
 
-		scheme := trustapi.GlobalScheme
 		mgr, err = ctrl.NewManager(env.Config, ctrl.Options{
-			Scheme:   scheme,
-			NewCache: bundle.NewCacheFunc(scheme, opts),
+			Scheme:   trustapi.GlobalScheme,
+			NewCache: bundle.NewCacheFunc(opts),
 			// TODO: can we disable leader election here? The mgr goroutine prints extra output we probably don't need
 			// and it might not be valuable to enable leader election here
 			LeaderElection:                true,