serviceaccount_test.go
package kuberneteshelper
import (
"context"
"testing"
"time"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
"github.com/Azure/azure-workload-identity/pkg/webhook"
)
// Fixture identifiers shared by every test in this file; the fake client is
// queried with exactly this namespace/name pair.
const (
	// testNamespace is the namespace the test service account lives in.
	testNamespace = "test-namespace"
	// testServiceAccountName is the name of the test service account.
	testServiceAccountName = "test-service-account"
)
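// TestCreateOrUpdateServiceAccount checks the create path of
// CreateOrUpdateServiceAccount against an empty fake client: the resulting
// service account must carry the client ID, tenant ID and token expiry
// annotations that were requested.
//
// NOTE(review): only creation is exercised here. The update path (a service
// account that already exists with stale annotation values) is not covered by
// this test.
func TestCreateOrUpdateServiceAccount(t *testing.T) {
	const (
		wantClientID = "client-id"
		wantTenantID = "tenant-id"
		// 3600.5s is expected to be written as "3601" whole seconds. This single
		// value does not distinguish round-half-up from round-up (ceiling).
		wantExpiry = "3601"
	)

	ctx := context.TODO()
	// An empty fake client: the service account does not exist beforehand.
	k8sClient := fake.NewClientBuilder().Build()

	expiry := 3600*time.Second + 500*time.Millisecond
	if err := CreateOrUpdateServiceAccount(ctx, k8sClient, testNamespace, testServiceAccountName, wantClientID, wantTenantID, expiry); err != nil {
		// Fatal: without the object every annotation check below would only
		// add misleading follow-on failures.
		t.Fatalf("CreateOrUpdateServiceAccount() error = %v, wantErr %v", err, false)
	}

	// Read the object back to confirm it was persisted with the right annotations.
	sa := &corev1.ServiceAccount{}
	key := types.NamespacedName{Name: testServiceAccountName, Namespace: testNamespace}
	if err := k8sClient.Get(ctx, key, sa); err != nil {
		t.Fatalf("Get() service account after CreateOrUpdateServiceAccount() error = %v, wantErr %v", err, false)
	}

	if got := sa.Annotations[webhook.ClientIDAnnotation]; got != wantClientID {
		t.Errorf("CreateOrUpdateServiceAccount() clientID annotation = %v, want %v", got, wantClientID)
	}
	if got := sa.Annotations[webhook.TenantIDAnnotation]; got != wantTenantID {
		t.Errorf("CreateOrUpdateServiceAccount() tenantID annotation = %v, want %v", got, wantTenantID)
	}
	if got := sa.Annotations[webhook.ServiceAccountTokenExpiryAnnotation]; got != wantExpiry {
		t.Errorf("CreateOrUpdateServiceAccount() token expiry annotation = %v, want %v", got, wantExpiry)
	}
}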
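// TestCreateOrUpdateServiceAccountDefaultTokenExpiration checks that creating
// a service account with the default token expiration writes the client ID and
// tenant ID annotations but leaves the token expiry annotation unset.
//
// NOTE(review): presumably the webhook falls back to its own default when the
// annotation is absent; that behaviour is not visible in this file.
func TestCreateOrUpdateServiceAccountDefaultTokenExpiration(t *testing.T) {
	const (
		wantClientID = "client-id"
		wantTenantID = "tenant-id"
	)

	ctx := context.TODO()
	// An empty fake client: the service account does not exist beforehand.
	k8sClient := fake.NewClientBuilder().Build()

	defaultExpiry := time.Duration(webhook.DefaultServiceAccountTokenExpiration) * time.Second
	if err := CreateOrUpdateServiceAccount(ctx, k8sClient, testNamespace, testServiceAccountName, wantClientID, wantTenantID, defaultExpiry); err != nil {
		// Fatal: without the object the checks below cannot be meaningful.
		t.Fatalf("CreateOrUpdateServiceAccount() error = %v, wantErr %v", err, false)
	}

	// Read the object back to confirm it was persisted with the right annotations.
	sa := &corev1.ServiceAccount{}
	key := types.NamespacedName{Name: testServiceAccountName, Namespace: testNamespace}
	if err := k8sClient.Get(ctx, key, sa); err != nil {
		// Fatal here matters for the last check: an empty object has no expiry
		// annotation, so "should not be set" would pass without proving anything.
		t.Fatalf("Get() service account after CreateOrUpdateServiceAccount() error = %v, wantErr %v", err, false)
	}

	if got := sa.Annotations[webhook.ClientIDAnnotation]; got != wantClientID {
		t.Errorf("CreateOrUpdateServiceAccount() clientID annotation = %v, want %v", got, wantClientID)
	}
	if got := sa.Annotations[webhook.TenantIDAnnotation]; got != wantTenantID {
		t.Errorf("CreateOrUpdateServiceAccount() tenantID annotation = %v, want %v", got, wantTenantID)
	}
	if _, ok := sa.Annotations[webhook.ServiceAccountTokenExpiryAnnotation]; ok {
		t.Errorf("CreateOrUpdateServiceAccount() token expiry annotation should not be set")
	}
}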
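// TestDeleteServiceAccount is a table-driven test for DeleteServiceAccount. It
// expects an error when the service account is missing and, when the service
// account exists, both a nil error and the object actually being gone.
func TestDeleteServiceAccount(t *testing.T) {
	tests := []struct {
		name        string
		initObjects []client.Object // objects preloaded into the fake client
		wantErr     bool
	}{
		{
			name:        "service account does not exist",
			initObjects: []client.Object{},
			wantErr:     true,
		},
		{
			name: "no error",
			initObjects: []client.Object{
				&corev1.ServiceAccount{
					ObjectMeta: metav1.ObjectMeta{
						Name:      testServiceAccountName,
						Namespace: testNamespace,
					},
				},
			},
			wantErr: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx := context.TODO()
			// Each case gets its own fake client seeded with its objects.
			k8sClient := fake.NewClientBuilder().WithObjects(tt.initObjects...).Build()

			err := DeleteServiceAccount(ctx, k8sClient, testNamespace, testServiceAccountName)
			if (err != nil) != tt.wantErr {
				t.Errorf("DeleteServiceAccount() error = %v, wantErr %v", err, tt.wantErr)
			}
			if tt.wantErr || err != nil {
				return
			}

			// A nil error alone is not enough: confirm the object is really gone,
			// so a helper that silently does nothing cannot pass this case.
			key := types.NamespacedName{Name: testServiceAccountName, Namespace: testNamespace}
			if getErr := k8sClient.Get(ctx, key, &corev1.ServiceAccount{}); getErr == nil {
				t.Errorf("DeleteServiceAccount() left service account %s/%s in place", testNamespace, testServiceAccountName)
			}
		})
	}
}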