add test

inteon · inteon · commit 561de088e224 · 2023-01-09T18:06:07.000+01:00
Signed-off-by: Tim Ramlot &lt;42113979+inteon@users.noreply.github.com&gt;
diff --git a/pkg/bundle/cache/cache.go b/pkg/bundle/cache/cache.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package internal
+package cache
 
 import (
 	"context"
@@ -85,13 +85,23 @@ func (b *multiScopedCache) GetInformer(ctx context.Context, obj client.Object) (
 	if err := setGroupVersionKind(b.scheme, obj); err != nil {
 		return nil, err
 	}
-	return b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind()).GetInformer(ctx, obj)
+
+	cache, err := b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return nil, err
+	}
+	return cache.GetInformer(ctx, obj)
 }
 
 // GetInformerForKind returns the underlying cache's GetInformerForKind based
 // on resource type.
 func (b *multiScopedCache) GetInformerForKind(ctx context.Context, gvk schema.GroupVersionKind) (cache.Informer, error) {
-	return b.cacheFromGVK(gvk).GetInformerForKind(ctx, gvk)
+
+	cache, err := b.cacheFromGVK(gvk)
+	if err != nil {
+		return nil, err
+	}
+	return cache.GetInformerForKind(ctx, gvk)
 }
 
 // Start starts both the cluster and namespaced caches. Returned is an
@@ -137,38 +147,53 @@ func (b *multiScopedCache) IndexField(ctx context.Context, obj client.Object, fi
 	if err := setGroupVersionKind(b.scheme, obj); err != nil {
 		return err
 	}
-	return b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind()).IndexField(ctx, obj, field, extractValue)
+
+	cache, err := b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return err
+	}
+	return cache.IndexField(ctx, obj, field, extractValue)
 }
 
 // Get returns the underlying cache's Get based on resource type.
 func (b *multiScopedCache) Get(ctx context.Context, key client.ObjectKey, obj client.Object) error {
 	if err := setGroupVersionKind(b.scheme, obj); err != nil {
 		return err
 	}
-	return b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind()).Get(ctx, key, obj)
+
+	cache, err := b.cacheFromGVK(obj.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return err
+	}
+	return cache.Get(ctx, key, obj)
 }
 
 // List returns the underlying cache's List based on resource type.
 func (b *multiScopedCache) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
 	if err := setGroupVersionKind(b.scheme, list); err != nil {
 		return err
 	}
-	return b.cacheFromGVK(list.GetObjectKind().GroupVersionKind()).List(ctx, list, opts...)
+
+	cache, err := b.cacheFromGVK(list.GetObjectKind().GroupVersionKind())
+	if err != nil {
+		return err
+	}
+	return cache.List(ctx, list, opts...)
 }
 
 // cacheFromGVK returns either the cluster or namespaced cache, based on the
 // resource type given.
-func (b *multiScopedCache) cacheFromGVK(gvk schema.GroupVersionKind) cache.Cache {
+func (b *multiScopedCache) cacheFromGVK(gvk schema.GroupVersionKind) (cache.Cache, error) {
 	if gvk.Group == "" && gvk.Kind == "" {
-		panic("The Group and/or Kind must be set")
+		return nil, fmt.Errorf("the Group and/or Kind must be set")
 	}
 
 	for _, namespacedInformer := range b.namespacedInformers {
 		if namespacedInformer.Group == gvk.Group && namespacedInformer.Kind == gvk.Kind {
-			return b.namespacedCache
+			return b.namespacedCache, nil
 		}
 	}
-	return b.clusterCache
+	return b.clusterCache, nil
 }
 
 // setGroupVersionKind populates the Group and Kind fields of obj using the
diff --git a/pkg/bundle/controller.go b/pkg/bundle/controller.go
@@ -38,7 +38,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
-	"github.com/cert-manager/trust-manager/pkg/bundle/internal"
+	multiscopedcache "github.com/cert-manager/trust-manager/pkg/bundle/cache"
 	"github.com/cert-manager/trust-manager/pkg/fspkg"
 )
 
@@ -196,5 +196,5 @@ func (b *bundle) mustBundleList(ctx context.Context) *trustapi.BundleList {
 // NewCacheFunc will return a multi-scoped controller-runtime NewCacheFunc
 // where Secret resources will only be watched within the trust Namespace.
 func NewCacheFunc(scheme *runtime.Scheme, opts Options) cache.NewCacheFunc {
-	return internal.NewMultiScopedCache(scheme, opts.Namespace, []schema.GroupKind{{Kind: "Secret"}})
+	return multiscopedcache.NewMultiScopedCache(scheme, opts.Namespace, []schema.GroupKind{{Kind: "Secret"}})
 }
diff --git a/test/integration/bundle/cache_test.go b/test/integration/bundle/cache_test.go
@@ -0,0 +1,159 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+
+	multiscopedcache "github.com/cert-manager/trust-manager/pkg/bundle/cache"
+)
+
+func TestCache(t *testing.T) {
+	env := &envtest.Environment{}
+
+	_, err := env.Start()
+	require.NoError(t, err)
+	defer func() {
+		err := env.Stop()
+		require.NoError(t, err)
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
+	defer cancel()
+
+	namespace := "test-namespace"
+
+	// Create a service account that can only retrieve secrets in a single namespace.
+	var cacheRestConfig *rest.Config
+	{
+		godClient, err := client.New(env.Config, client.Options{})
+		require.NoError(t, err)
+
+		ns := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: namespace,
+			},
+		}
+		err = godClient.Create(ctx, ns)
+		require.NoError(t, err)
+
+		sa := &corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "cache-sa",
+				Namespace: namespace,
+			},
+		}
+		err = godClient.Create(ctx, sa)
+		require.NoError(t, err)
+
+		role := &rbacv1.Role{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "cache-role",
+				Namespace: namespace,
+			},
+			Rules: []rbacv1.PolicyRule{
+				{
+					Verbs:     []string{"list", "watch"},
+					APIGroups: []string{""},
+					Resources: []string{"secrets"},
+				},
+			},
+		}
+		err = godClient.Create(ctx, role)
+		require.NoError(t, err)
+
+		rolebinding := rbacv1.RoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "cache-rolebinding",
+				Namespace: namespace,
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "Role",
+				Name:     "cache-role",
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind:      "ServiceAccount",
+					Name:      "cache-sa",
+					Namespace: namespace,
+				},
+			},
+		}
+		err = godClient.Create(ctx, &rolebinding)
+		require.NoError(t, err)
+
+		// Create a config that uses the service account.
+		cacheRestConfig = rest.CopyConfig(env.Config)
+		cacheRestConfig.Impersonate.UserName = fmt.Sprintf("system:serviceaccount:%s:%s", namespace, "cache-sa")
+		cacheRestConfig.Impersonate.UID = string(sa.UID)
+
+		// Create a secret that the service account can access.
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-secret",
+				Namespace: namespace,
+			},
+			Data: map[string][]byte{
+				"test": []byte("test"),
+			},
+		}
+		err = godClient.Create(ctx, secret)
+		require.NoError(t, err)
+	}
+
+	scheme := runtime.NewScheme()
+	require.NoError(t, corev1.AddToScheme(scheme))
+	newCache := multiscopedcache.NewMultiScopedCache(scheme, namespace, []schema.GroupKind{{Group: "", Kind: "Secret"}})
+
+	cache, err := newCache(cacheRestConfig, cache.Options{})
+	require.NoError(t, err)
+
+	done := make(chan error)
+	go func() {
+		done <- cache.Start(ctx)
+	}()
+	defer func() {
+		require.NoError(t, <-done)
+	}()
+
+	assert.True(t, cache.WaitForCacheSync(ctx), "failed to sync cache")
+
+	secret := &corev1.Secret{}
+	err = cache.Get(ctx, client.ObjectKey{
+		Namespace: namespace,
+		Name:      "test-secret",
+	}, secret)
+	require.NoError(t, err)
+
+	require.Equal(t, []byte("test"), secret.Data["test"])
+}

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ import (`
`38`	`38`	`"sigs.k8s.io/controller-runtime/pkg/source"`
`39`	`39`
`40`	`40`	`trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"`
`41`		`- "github.com/cert-manager/trust-manager/pkg/bundle/internal"`
	`41`	`+ multiscopedcache "github.com/cert-manager/trust-manager/pkg/bundle/cache"`
`42`	`42`	`"github.com/cert-manager/trust-manager/pkg/fspkg"`
`43`	`43`	`)`
`44`	`44`
`@@ -196,5 +196,5 @@ func (b bundle) mustBundleList(ctx context.Context) trustapi.BundleList {`
`196`	`196`	`// NewCacheFunc will return a multi-scoped controller-runtime NewCacheFunc`
`197`	`197`	`// where Secret resources will only be watched within the trust Namespace.`
`198`	`198`	`func NewCacheFunc(scheme *runtime.Scheme, opts Options) cache.NewCacheFunc {`
`199`		`- return internal.NewMultiScopedCache(scheme, opts.Namespace, []schema.GroupKind{{Kind: "Secret"}})`
	`199`	`+ return multiscopedcache.NewMultiScopedCache(scheme, opts.Namespace, []schema.GroupKind{{Kind: "Secret"}})`
`200`	`200`	`}`