From caba342b325ee86407d29a440c0b82f81dcfb9f1 Mon Sep 17 00:00:00 2001 From: Gaelle Fournier Date: Mon, 27 Nov 2023 18:17:11 +0100 Subject: [PATCH] fix(trait): Add test on openshift security context for container trait --- pkg/trait/container_test.go | 85 ++++++++++++++++++++++++++++++++++++- pkg/util/test/client.go | 27 +++++++++--- 2 files changed, 104 insertions(+), 8 deletions(-) diff --git a/pkg/trait/container_test.go b/pkg/trait/container_test.go index c483eedaa3..28383b69c4 100644 --- a/pkg/trait/container_test.go +++ b/pkg/trait/container_test.go @@ -27,6 +27,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/utils/pointer" ctrl "sigs.k8s.io/controller-runtime/pkg/client" @@ -99,13 +100,95 @@ func TestContainerWithDefaults(t *testing.T) { assert.Equal(t, defaultContainerName, d.Spec.Template.Spec.Containers[0].Name) } +func TestContainerWithOpenshift(t *testing.T) { + catalog, err := camel.DefaultCatalog() + assert.Nil(t, err) + + // Integration is in another constrained namespace + constrainedIntNamespace := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "myuser", + Annotations: map[string]string{ + "openshift.io/sa.scc.mcs": "s0:c26,c5", + "openshift.io/sa.scc.supplemental-groups": "1000860000/10000", + "openshift.io/sa.scc.uid-range": "1000860000/10000", + }, + }, + } + + client, _ := test.NewFakeClient(constrainedIntNamespace) + traitCatalog := NewCatalog(nil) + + // enable openshift + fakeClient := client.(*test.FakeClient) //nolint + fakeClient.EnableOpenshiftDiscovery() + + environment := Environment{ + CamelCatalog: catalog, + Catalog: traitCatalog, + Client: client, + Integration: &v1.Integration{ + ObjectMeta: metav1.ObjectMeta{ + Name: ServiceTestName, + Namespace: "myuser", + }, + Status: v1.IntegrationStatus{ + Phase: v1.IntegrationPhaseDeploying, + }, + Spec: v1.IntegrationSpec{ + Profile: v1.TraitProfileKubernetes, + }, + }, + IntegrationKit: &v1.IntegrationKit{ + Status: v1.IntegrationKitStatus{ + Phase: v1.IntegrationKitPhaseReady, + }, + }, + Platform: &v1.IntegrationPlatform{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + }, + Spec: v1.IntegrationPlatformSpec{ + Cluster: v1.IntegrationPlatformClusterOpenShift, + Build: v1.IntegrationPlatformBuildSpec{ + PublishStrategy: v1.IntegrationPlatformBuildPublishStrategyS2I, + Registry: v1.RegistrySpec{Address: "registry"}, + RuntimeVersion: catalog.Runtime.Version, + }, + }, + Status: v1.IntegrationPlatformStatus{ + Phase: v1.IntegrationPlatformPhaseReady, + }, + }, + EnvVars: make([]corev1.EnvVar, 0), + ExecutedTraits: make([]Trait, 0), + Resources: kubernetes.NewCollection(), + } + environment.Platform.ResyncStatusFullConfig() + + conditions, err := traitCatalog.apply(&environment) + + assert.Nil(t, err) + assert.Empty(t, conditions) + assert.NotEmpty(t, environment.ExecutedTraits) + assert.NotNil(t, environment.GetTrait("deployment")) + assert.NotNil(t, environment.GetTrait("container")) + + d := environment.Resources.GetDeploymentForIntegration(environment.Integration) + + assert.NotNil(t, d) + assert.Len(t, d.Spec.Template.Spec.Containers, 1) + assert.Equal(t, defaultContainerName, d.Spec.Template.Spec.Containers[0].Name) + assert.Equal(t, pointer.Bool(true), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsNonRoot) + assert.Equal(t, pointer.Int64(1000860000), d.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser) +} + func TestContainerWithCustomName(t *testing.T) { catalog, err := camel.DefaultCatalog() assert.Nil(t, err) client, _ := test.NewFakeClient() traitCatalog := NewCatalog(nil) - environment := Environment{ CamelCatalog: catalog, Catalog: traitCatalog, diff --git a/pkg/util/test/client.go b/pkg/util/test/client.go index 7fc1213899..952e0da1f0 100644 --- a/pkg/util/test/client.go +++ b/pkg/util/test/client.go @@ -122,9 +122,10 @@ func filterObjects(scheme *runtime.Scheme, input []runtime.Object, filter func(g type FakeClient struct { controller.Client kubernetes.Interface - camel camel.Interface - scales *fakescale.FakeScaleClient - disabledGroups []string + camel camel.Interface + scales *fakescale.FakeScaleClient + disabledGroups []string + enabledOpenshift bool } func (c *FakeClient) CamelV1() camelv1.CamelV1Interface { @@ -161,10 +162,15 @@ func (c *FakeClient) DisableAPIGroupDiscovery(group string) { c.disabledGroups = append(c.disabledGroups, group) } +func (c *FakeClient) EnableOpenshiftDiscovery() { + c.enabledOpenshift = true +} + func (c *FakeClient) Discovery() discovery.DiscoveryInterface { return &FakeDiscovery{ DiscoveryInterface: c.Interface.Discovery(), disabledGroups: c.disabledGroups, + enabledOpenshift: c.enabledOpenshift, } } @@ -180,15 +186,22 @@ func (c *FakeClient) ScalesClient() (scale.ScalesGetter, error) { type FakeDiscovery struct { discovery.DiscoveryInterface - disabledGroups []string + disabledGroups []string + enabledOpenshift bool } func (f *FakeDiscovery) ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error) { // Normalize the fake discovery to behave like the real implementation when checking for openshift if groupVersion == "image.openshift.io/v1" { - return nil, k8serrors.NewNotFound(schema.GroupResource{ - Group: "image.openshift.io", - }, "") + if f.enabledOpenshift { + return &metav1.APIResourceList{ + GroupVersion: "image.openshift.io/v1", + }, nil + } else { + return nil, k8serrors.NewNotFound(schema.GroupResource{ + Group: "image.openshift.io", + }, "") + } } // used in util/knative/enabled.go to verify if knative is installed