mirror of
https://github.com/1Password/onepassword-operator.git
synced 2025-10-21 15:08:06 +00:00
cabc020cc6
* Add missing improvements from Operator SDK 1.34.1 These were not mentioned in the upgrade documentation for version 1.34.x (https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.34.0/), but I've found them by compating the release with the previous one (https://github.com/operator-framework/operator-sdk/compare/v1.33.0...v1.34.1). * Upgrade to Operator SDK 1.36.0 Source of upgrade steps: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.36.0/ Key differences: - Go packages `k8s.io/*` are already at a version higher than the one in the upgrade. - `ENVTEST_K8S_VERSION` is at a version higher than the one in the upgrade - We didn't have the golangci-lint make command before, thus we only needed to add things. * Upgrade to Operator SDK 1.38.0 Source of upgrade steps: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.38.0/ * Upgrade to Operator SDK 1.39.0 Source of upgrade steps: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.39.0/ * Upgrade to Operator SDK 1.40.0 Source of upgrade steps: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.40.0/ I didn't do the "Add app.kubernetes.io/name label to your manifests" since it seems that we have it already, and it's customized. * Address lint errors * Update golangci-lint version used to support Go 1.24 * Improve workflows - Make workflow targets more specific. - Make build workflow only build (i.e. remove test part of it). - Rearrange steps and improve naming for build workflow. * Add back deleted test Initially the test has been removed due to lint saying that it was duplicate code, but it falsely errored since the values are different. * Improve code and add missing upgrade pieces * Upgrade to Operator SDK 1.41.1 Source of upgrade steps: https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.41.0/ Upgrading to 1.41.1 from 1.40.0 doesn't have any migration steps. Key elements: - Upgrade to golangci-lint v2 - Made the manifests using the updated controller tools * Address linter errors golanci-lint v2 seems to be more robust than the previous one, which is beneficial. Thus, we address the linter errors thrown by v2 and improve our code even further. * Add Makefile improvements These were brought in by comparing the Makefile of a freshly created operator using the latest operator-sdk with ours. * Add missing default kustomization for 1.40.0 upgrade * Bring default kustomization to latest version This is done by putting the file's content from a newly-generated operator. * Switch metrics-bind-address default value back to 8080 This ensures that the upgrade is backwards-compatible. * Add webhook-related scaffolding This enables us to easily add support for webhooks by running `operator-sdk create webhook` whenever we want to add them. * Fix typo
391 lines
11 KiB
Go
391 lines
11 KiB
Go
package controller
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
. "github.com/onsi/ginkgo/v2"
|
|
. "github.com/onsi/gomega"
|
|
|
|
appsv1 "k8s.io/api/apps/v1"
|
|
v1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
|
|
onepasswordv1 "github.com/1Password/onepassword-operator/api/v1"
|
|
op "github.com/1Password/onepassword-operator/pkg/onepassword"
|
|
)
|
|
|
|
const (
|
|
deploymentKind = "Deployment"
|
|
deploymentAPIVersion = "v1"
|
|
deploymentName = "test-deployment"
|
|
)
|
|
|
|
var _ = Describe("Deployment controller", func() {
|
|
ctx := context.Background()
|
|
var deploymentKey types.NamespacedName
|
|
var secretKey types.NamespacedName
|
|
var deploymentResource *appsv1.Deployment
|
|
createdSecret := &v1.Secret{}
|
|
|
|
makeDeployment := func() {
|
|
|
|
deploymentKey = types.NamespacedName{
|
|
Name: deploymentName,
|
|
Namespace: namespace,
|
|
}
|
|
|
|
secretKey = types.NamespacedName{
|
|
Name: item1.Name,
|
|
Namespace: namespace,
|
|
}
|
|
|
|
By("Deploying a pod with proper annotations successfully")
|
|
deploymentResource = &appsv1.Deployment{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: deploymentKind,
|
|
APIVersion: deploymentAPIVersion,
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: deploymentKey.Name,
|
|
Namespace: deploymentKey.Namespace,
|
|
Annotations: map[string]string{
|
|
op.ItemPathAnnotation: item1.Path,
|
|
op.NameAnnotation: item1.Name,
|
|
},
|
|
},
|
|
Spec: appsv1.DeploymentSpec{
|
|
Template: v1.PodTemplateSpec{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Labels: map[string]string{"app": deploymentName},
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: deploymentName,
|
|
Image: "eu.gcr.io/kyma-project/example/http-db-service:0.0.6",
|
|
ImagePullPolicy: "IfNotPresent",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: map[string]string{"app": deploymentName},
|
|
},
|
|
},
|
|
}
|
|
Expect(k8sClient.Create(ctx, deploymentResource)).Should(Succeed())
|
|
|
|
By("Creating the K8s secret successfully")
|
|
time.Sleep(time.Millisecond * 100)
|
|
Eventually(func() bool {
|
|
err := k8sClient.Get(ctx, secretKey, createdSecret)
|
|
return err == nil
|
|
}, timeout, interval).Should(BeTrue())
|
|
Expect(createdSecret.Data).Should(Equal(item1.SecretData))
|
|
}
|
|
|
|
cleanK8sResources := func() {
|
|
// failed test runs that don't clean up leave resources behind.
|
|
err := k8sClient.DeleteAllOf(ctx, &onepasswordv1.OnePasswordItem{}, client.InNamespace(namespace))
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
err = k8sClient.DeleteAllOf(ctx, &v1.Secret{}, client.InNamespace(namespace))
|
|
Expect(err).ToNot(HaveOccurred())
|
|
|
|
err = k8sClient.DeleteAllOf(ctx, &appsv1.Deployment{}, client.InNamespace(namespace))
|
|
Expect(err).ToNot(HaveOccurred())
|
|
}
|
|
|
|
mockGetItemFunc := func() {
|
|
// mock GetItemByID to return test item 'item1'
|
|
mockGetItemByIDFunc.Return(item1.ToModel(), nil)
|
|
}
|
|
|
|
BeforeEach(func() {
|
|
cleanK8sResources()
|
|
mockGetItemFunc()
|
|
time.Sleep(time.Second) // TODO: can we achieve that with ginkgo?
|
|
makeDeployment()
|
|
})
|
|
|
|
Context("Deployment with secrets from 1Password", func() {
|
|
It("Should delete secret if deployment is deleted", func() {
|
|
By("Deleting the pod")
|
|
Eventually(func() error {
|
|
f := &appsv1.Deployment{}
|
|
err := k8sClient.Get(ctx, deploymentKey, f)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return k8sClient.Delete(ctx, f)
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
Eventually(func() error {
|
|
f := &appsv1.Deployment{}
|
|
return k8sClient.Get(ctx, deploymentKey, f)
|
|
}, timeout, interval).ShouldNot(Succeed())
|
|
|
|
Eventually(func() error {
|
|
f := &v1.Secret{}
|
|
return k8sClient.Get(ctx, secretKey, f)
|
|
}, timeout, interval).ShouldNot(Succeed())
|
|
})
|
|
|
|
It("Should update existing K8s Secret using deployment", func() {
|
|
By("Updating secret")
|
|
|
|
// mock GetItemByID to return test item 'item2'
|
|
mockGetItemByIDFunc.Return(item2.ToModel(), nil)
|
|
|
|
Eventually(func() error {
|
|
updatedDeployment := &appsv1.Deployment{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: deploymentKind,
|
|
APIVersion: deploymentAPIVersion,
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: deploymentKey.Name,
|
|
Namespace: deploymentKey.Namespace,
|
|
Annotations: map[string]string{
|
|
op.ItemPathAnnotation: item2.Path,
|
|
op.NameAnnotation: item1.Name,
|
|
},
|
|
},
|
|
Spec: appsv1.DeploymentSpec{
|
|
Template: v1.PodTemplateSpec{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Labels: map[string]string{"app": deploymentName},
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: deploymentName,
|
|
Image: "eu.gcr.io/kyma-project/example/http-db-service:0.0.6",
|
|
ImagePullPolicy: "IfNotPresent",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: map[string]string{"app": deploymentName},
|
|
},
|
|
},
|
|
}
|
|
err := k8sClient.Update(ctx, updatedDeployment)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
// TODO: can we achieve the same without sleep?
|
|
time.Sleep(time.Millisecond * 10)
|
|
By("Reading updated K8s secret")
|
|
updatedSecret := &v1.Secret{}
|
|
Eventually(func() bool {
|
|
err := k8sClient.Get(ctx, secretKey, updatedSecret)
|
|
return err == nil
|
|
}, timeout, interval).Should(BeTrue())
|
|
Expect(updatedSecret.Data).Should(Equal(item2.SecretData))
|
|
})
|
|
|
|
It("Should not update secret if Annotations have not changed", func() {
|
|
By("Updating secret without changing annotations")
|
|
Eventually(func() error {
|
|
updatedDeployment := &appsv1.Deployment{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: deploymentKind,
|
|
APIVersion: deploymentAPIVersion,
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: deploymentKey.Name,
|
|
Namespace: deploymentKey.Namespace,
|
|
Annotations: map[string]string{
|
|
op.ItemPathAnnotation: item1.Path,
|
|
op.NameAnnotation: item1.Name,
|
|
},
|
|
},
|
|
Spec: appsv1.DeploymentSpec{
|
|
Template: v1.PodTemplateSpec{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Labels: map[string]string{"app": deploymentName},
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: deploymentName,
|
|
Image: "eu.gcr.io/kyma-project/example/http-db-service:0.0.6",
|
|
ImagePullPolicy: "IfNotPresent",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: map[string]string{"app": deploymentName},
|
|
},
|
|
},
|
|
}
|
|
err := k8sClient.Update(ctx, updatedDeployment)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
// TODO: can we achieve the same without sleep?
|
|
time.Sleep(time.Millisecond * 10)
|
|
By("Reading updated K8s secret")
|
|
updatedSecret := &v1.Secret{}
|
|
Eventually(func() bool {
|
|
err := k8sClient.Get(ctx, secretKey, updatedSecret)
|
|
return err == nil
|
|
}, timeout, interval).Should(BeTrue())
|
|
Expect(updatedSecret.Data).Should(Equal(item1.SecretData))
|
|
})
|
|
|
|
It("Should not delete secret created via deployment if it's used in another container", func() {
|
|
By("Creating another POD with created secret")
|
|
anotherDeploymentKey := types.NamespacedName{
|
|
Name: "other-deployment",
|
|
Namespace: namespace,
|
|
}
|
|
Eventually(func() error {
|
|
anotherDeployment := &appsv1.Deployment{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: deploymentKind,
|
|
APIVersion: deploymentAPIVersion,
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: anotherDeploymentKey.Name,
|
|
Namespace: anotherDeploymentKey.Namespace,
|
|
},
|
|
Spec: appsv1.DeploymentSpec{
|
|
Template: v1.PodTemplateSpec{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Labels: map[string]string{"app": anotherDeploymentKey.Name},
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: anotherDeploymentKey.Name,
|
|
Image: "eu.gcr.io/kyma-project/example/http-db-service:0.0.6",
|
|
ImagePullPolicy: "IfNotPresent",
|
|
Env: []v1.EnvVar{
|
|
{
|
|
Name: anotherDeploymentKey.Name,
|
|
ValueFrom: &v1.EnvVarSource{
|
|
SecretKeyRef: &v1.SecretKeySelector{
|
|
LocalObjectReference: v1.LocalObjectReference{
|
|
Name: secretKey.Name,
|
|
},
|
|
Key: "password",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: map[string]string{"app": anotherDeploymentKey.Name},
|
|
},
|
|
},
|
|
}
|
|
err := k8sClient.Create(ctx, anotherDeployment)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
By("Deleting the pod")
|
|
Eventually(func() error {
|
|
f := &appsv1.Deployment{}
|
|
err := k8sClient.Get(ctx, deploymentKey, f)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return k8sClient.Delete(ctx, f)
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
Eventually(func() error {
|
|
f := &v1.Secret{}
|
|
return k8sClient.Get(ctx, secretKey, f)
|
|
}, timeout, interval).Should(Succeed())
|
|
})
|
|
|
|
It("Should not delete secret created via deployment if it's used in another volume", func() {
|
|
By("Creating another POD with created secret")
|
|
anotherDeploymentKey := types.NamespacedName{
|
|
Name: "other-deployment",
|
|
Namespace: namespace,
|
|
}
|
|
Eventually(func() error {
|
|
anotherDeployment := &appsv1.Deployment{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: deploymentKind,
|
|
APIVersion: deploymentAPIVersion,
|
|
},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: anotherDeploymentKey.Name,
|
|
Namespace: anotherDeploymentKey.Namespace,
|
|
},
|
|
Spec: appsv1.DeploymentSpec{
|
|
Template: v1.PodTemplateSpec{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Labels: map[string]string{"app": anotherDeploymentKey.Name},
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: anotherDeploymentKey.Name,
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: secretKey.Name,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: anotherDeploymentKey.Name,
|
|
Image: "eu.gcr.io/kyma-project/example/http-db-service:0.0.6",
|
|
ImagePullPolicy: "IfNotPresent",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: map[string]string{"app": anotherDeploymentKey.Name},
|
|
},
|
|
},
|
|
}
|
|
err := k8sClient.Create(ctx, anotherDeployment)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
By("Deleting the pod")
|
|
Eventually(func() error {
|
|
f := &appsv1.Deployment{}
|
|
err := k8sClient.Get(ctx, deploymentKey, f)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return k8sClient.Delete(ctx, f)
|
|
}, timeout, interval).Should(Succeed())
|
|
|
|
Eventually(func() error {
|
|
f := &v1.Secret{}
|
|
return k8sClient.Get(ctx, secretKey, f)
|
|
}, timeout, interval).Should(Succeed())
|
|
})
|
|
})
|
|
})
|