add test

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Author: inteon

pkg/bundle/internal/cache_test.go

@@ -0,0 +1,138 @@
+/*
+Copyright 2021 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internal_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/cert-manager/trust-manager/pkg/bundle/internal"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+)
+
+func TestCache(t *testing.T) {
+	env := &envtest.Environment{}
+
+	_, err := env.Start()
+	require.NoError(t, err)
+	defer func() {
+		err := env.Stop()
+		require.NoError(t, err)
+	}()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	namespace := "test-namespace"
+
+	// Create a service account that can only retrieve secrets in a single namespace.
+	var cacheRestConfig *rest.Config
+	{
+		godClient, err := client.New(env.Config, client.Options{})
+		require.NoError(t, err)
+
+		sa := &corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "cache-sa",
+				Namespace: namespace,
+			},
+		}
+		err = godClient.Create(ctx, sa)
+		require.NoError(t, err)
+
+		role := &rbacv1.Role{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "cache-role",
+				Namespace: namespace,
+			},
+			Rules: []rbacv1.PolicyRule{
+				{
+					Verbs:     []string{"get"},
+					APIGroups: []string{""},
+					Resources: []string{"secrets"},
+				},
+			},
+		}
+		err = godClient.Create(ctx, role)
+		require.NoError(t, err)
+
+		rolebinding := rbacv1.RoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "cache-rolebinding",
+				Namespace: namespace,
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "Role",
+				Name:     "cache-role",
+			},
+			Subjects: []rbacv1.Subject{
+				{
+					Kind:      "ServiceAccount",
+					Name:      "cache-sa",
+					Namespace: namespace,
+				},
+			},
+		}
+		err = godClient.Create(ctx, &rolebinding)
+		require.NoError(t, err)
+
+		// Create a config that uses the service account.
+		cacheRestConfig := rest.CopyConfig(env.Config)
+		cacheRestConfig.Impersonate.UserName = fmt.Sprintf("system:serviceaccount:%s:%s", namespace, "cache-sa")
+		cacheRestConfig.Impersonate.UID = string(sa.UID)
+
+		// Create a secret that the service account can access.
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-secret",
+				Namespace: namespace,
+			},
+			Data: map[string][]byte{
+				"test": []byte("test"),
+			},
+		}
+		err = godClient.Create(ctx, secret)
+		require.NoError(t, err)
+	}
+
+	scheme := runtime.NewScheme()
+	require.NoError(t, corev1.AddToScheme(scheme))
+	newCache := internal.NewMultiScopedCache(scheme, namespace, []schema.GroupKind{{Group: "", Kind: "Secret"}})
+
+	cache, err := newCache(cacheRestConfig, cache.Options{})
+	require.NoError(t, err)
+
+	secret := &corev1.Secret{}
+	err = cache.Get(ctx, client.ObjectKey{
+		Namespace: namespace,
+		Name:      "test-secret",
+	}, secret)
+	require.NoError(t, err)
+
+	require.Equal(t, []byte("test"), secret.Data["test"])
+}