add conflict tests

Ryan Zhang · Ryan Zhang · commit 34730603f6c5 · 2024-12-03T23:15:19.000-08:00
diff --git a/pkg/controllers/workgenerator/controller.go b/pkg/controllers/workgenerator/controller.go
@@ -456,7 +456,7 @@ func (r *Reconciler) syncAllWork(ctx context.Context, resourceBinding *fleetv1be
 			}
 		}
 		if len(simpleManifests) == 0 {
-			klog.V(2).InfoS("the snapshot contains enveloped resource only", "snapshot", klog.KObj(snapshot))
+			klog.V(2).InfoS("the snapshot contains no resource to apply either because of override or enveloped resources", "snapshot", klog.KObj(snapshot))
 		}
 		// generate a work object for the manifests even if there is nothing to place
 		// to allow CRP to collect the status of the placement
diff --git a/pkg/controllers/workgenerator/override_test.go b/pkg/controllers/workgenerator/override_test.go
@@ -521,7 +521,7 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 			},
 		},
 		{
-			name: "selected by clusterResourceOverride",
+			name: "selected by clusterResourceOverride but only one rule matched the cluster",
 			clusterRole: rbacv1.ClusterRole{
 				TypeMeta: clusterRoleType,
 				ObjectMeta: metav1.ObjectMeta{
@@ -553,6 +553,7 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 								Policy: &placementv1alpha1.OverridePolicy{
 									OverrideRules: []placementv1alpha1.OverrideRule{
 										{
+											// matching rule
 											ClusterSelector: &placementv1beta1.ClusterSelector{
 												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
 													{
@@ -573,6 +574,7 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 											},
 										},
 										{
+											// non matching rule
 											ClusterSelector: &placementv1beta1.ClusterSelector{
 												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
 													{
@@ -611,12 +613,19 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 			},
 		},
 		{
-			name: "invalid json patch of clusterResourceOverride",
+			name: "selected by clusterResourceOverride with two rules that don't conflict",
 			clusterRole: rbacv1.ClusterRole{
 				TypeMeta: clusterRoleType,
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "clusterrole-name",
 				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{"authorization.k8s.io"},
+						Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"},
+						Verbs:     []string{"create"},
+					},
+				},
 			},
 			cluster: clusterv1beta1.MemberCluster{
 				ObjectMeta: metav1.ObjectMeta{
@@ -654,8 +663,8 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
 												{
 													Operator: placementv1alpha1.JSONPatchOverrideOpAdd,
-													Path:     "/metadata/labels/new-label",
-													Value:    apiextensionsv1.JSON{Raw: []byte(`"new-value"`)},
+													Path:     "/rules/0/verbs/1",
+													Value:    apiextensionsv1.JSON{Raw: []byte(`"read"`)},
 												},
 											},
 										},
@@ -665,17 +674,266 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 													{
 														LabelSelector: &metav1.LabelSelector{
 															MatchLabels: map[string]string{
-																"key2": "value1",
+																"key2": "value2",
 															},
 														},
 													},
 												},
 											},
 											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
 												{
-													Operator: placementv1alpha1.JSONPatchOverrideOpReplace,
+													Operator: placementv1alpha1.JSONPatchOverrideOpRemove,
+													Path:     "/rules/0/verbs/0",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantClusterRole: rbacv1.ClusterRole{
+				TypeMeta: clusterRoleType,
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "clusterrole-name",
+				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{"authorization.k8s.io"},
+						Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"},
+						Verbs:     []string{"read"},
+					},
+				},
+			},
+		},
+		{
+			name: "selected by clusterResourceOverride with two rules that conflict but still a valid patch",
+			clusterRole: rbacv1.ClusterRole{
+				TypeMeta: clusterRoleType,
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "clusterrole-name",
+				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{"authorization.k8s.io"},
+						Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"},
+						Verbs:     []string{"create"},
+					},
+				},
+			},
+			cluster: clusterv1beta1.MemberCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "cluster-1",
+					Labels: map[string]string{
+						"key1": "value1",
+						"key2": "value2",
+					},
+				},
+			},
+			croMap: map[placementv1beta1.ResourceIdentifier][]*placementv1alpha1.ClusterResourceOverrideSnapshot{
+				{
+					Group:   "rbac.authorization.k8s.io",
+					Version: "v1",
+					Kind:    "ClusterRole",
+					Name:    "clusterrole-name",
+				}: {
+					{
+						Spec: placementv1alpha1.ClusterResourceOverrideSnapshotSpec{
+							OverrideSpec: placementv1alpha1.ClusterResourceOverrideSpec{
+								Policy: &placementv1alpha1.OverridePolicy{
+									OverrideRules: []placementv1alpha1.OverrideRule{
+										{
+											ClusterSelector: &placementv1beta1.ClusterSelector{
+												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
+													{
+														LabelSelector: &metav1.LabelSelector{
+															MatchLabels: map[string]string{
+																"key1": "value1",
+															},
+														},
+													},
+												},
+											},
+											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
+												{
+													Operator: placementv1alpha1.JSONPatchOverrideOpAdd,
+													Path:     "/rules/0/verbs/1",
+													Value:    apiextensionsv1.JSON{Raw: []byte(`"read"`)},
+												},
+											},
+										},
+										{
+											ClusterSelector: &placementv1beta1.ClusterSelector{
+												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
+													{
+														LabelSelector: &metav1.LabelSelector{
+															MatchLabels: map[string]string{
+																"key2": "value2",
+															},
+														},
+													},
+												},
+											},
+											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
+												{
+													Operator: placementv1alpha1.JSONPatchOverrideOpRemove,
+													Path:     "/rules/0/verbs/1",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantClusterRole: rbacv1.ClusterRole{
+				TypeMeta: clusterRoleType,
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "clusterrole-name",
+				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{"authorization.k8s.io"},
+						Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"},
+						Verbs:     []string{"create"},
+					},
+				},
+			},
+		},
+		{
+			name: "selected by clusterResourceOverride with two rules that conflict and result in error",
+			clusterRole: rbacv1.ClusterRole{
+				TypeMeta: clusterRoleType,
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "clusterrole-name",
+				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{"authorization.k8s.io"},
+						Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"},
+						Verbs:     []string{"create"},
+					},
+				},
+			},
+			cluster: clusterv1beta1.MemberCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "cluster-1",
+					Labels: map[string]string{
+						"key1": "value1",
+						"key2": "value2",
+					},
+				},
+			},
+			croMap: map[placementv1beta1.ResourceIdentifier][]*placementv1alpha1.ClusterResourceOverrideSnapshot{
+				{
+					Group:   "rbac.authorization.k8s.io",
+					Version: "v1",
+					Kind:    "ClusterRole",
+					Name:    "clusterrole-name",
+				}: {
+					{
+						Spec: placementv1alpha1.ClusterResourceOverrideSnapshotSpec{
+							OverrideSpec: placementv1alpha1.ClusterResourceOverrideSpec{
+								Policy: &placementv1alpha1.OverridePolicy{
+									OverrideRules: []placementv1alpha1.OverrideRule{
+										{
+											ClusterSelector: &placementv1beta1.ClusterSelector{
+												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
+													{
+														LabelSelector: &metav1.LabelSelector{
+															MatchLabels: map[string]string{
+																"key1": "value1",
+															},
+														},
+													},
+												},
+											},
+											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
+												{
+													Operator: placementv1alpha1.JSONPatchOverrideOpRemove,
+													Path:     "/rules/0/verbs",
+												},
+											},
+										},
+										{
+											ClusterSelector: &placementv1beta1.ClusterSelector{
+												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
+													{
+														LabelSelector: &metav1.LabelSelector{
+															MatchLabels: map[string]string{
+																"key2": "value2",
+															},
+														},
+													},
+												},
+											},
+											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
+												{
+													Operator: placementv1alpha1.JSONPatchOverrideOpAdd,
+													Path:     "/rules/0/verbs/1",
+													Value:    apiextensionsv1.JSON{Raw: []byte(`"read"`)},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: controller.ErrUserError,
+		},
+		{
+			name: "invalid json patch of clusterResourceOverride",
+			clusterRole: rbacv1.ClusterRole{
+				TypeMeta: clusterRoleType,
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "clusterrole-name",
+				},
+			},
+			cluster: clusterv1beta1.MemberCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "cluster-1",
+					Labels: map[string]string{
+						"key1": "value1",
+						"key2": "value2",
+					},
+				},
+			},
+			croMap: map[placementv1beta1.ResourceIdentifier][]*placementv1alpha1.ClusterResourceOverrideSnapshot{
+				{
+					Group:   "rbac.authorization.k8s.io",
+					Version: "v1",
+					Kind:    "ClusterRole",
+					Name:    "clusterrole-name",
+				}: {
+					{
+						Spec: placementv1alpha1.ClusterResourceOverrideSnapshotSpec{
+							OverrideSpec: placementv1alpha1.ClusterResourceOverrideSpec{
+								Policy: &placementv1alpha1.OverridePolicy{
+									OverrideRules: []placementv1alpha1.OverrideRule{
+										{
+											ClusterSelector: &placementv1beta1.ClusterSelector{
+												ClusterSelectorTerms: []placementv1beta1.ClusterSelectorTerm{
+													{
+														LabelSelector: &metav1.LabelSelector{
+															MatchLabels: map[string]string{
+																"key1": "value1",
+															},
+														},
+													},
+												},
+											},
+											JSONPatchOverrides: []placementv1alpha1.JSONPatchOverride{
+												{
+													Operator: placementv1alpha1.JSONPatchOverrideOpAdd,
 													Path:     "/metadata/labels/new-label",
-													Value:    apiextensionsv1.JSON{Raw: []byte(`"new-value1"`)},
+													Value:    apiextensionsv1.JSON{Raw: []byte(`"new-value"`)},
 												},
 											},
 										},
@@ -789,7 +1047,7 @@ func TestApplyOverrides_clusterScopedResource(t *testing.T) {
 
 			var clusterRole rbacv1.ClusterRole
 			if err := runtime.DefaultUnstructuredConverter.FromUnstructured(u.Object, &clusterRole); err != nil {
-				t.Fatalf("Failed to convert the result to deployment: %v, want nil", err)
+				t.Fatalf("Failed to convert the result to clusterole: %v, want nil", err)
 			}
 
 			if diff := cmp.Diff(tc.wantClusterRole, clusterRole); diff != "" {
@@ -808,7 +1066,7 @@ func TestApplyOverrides_namespacedScopeResource(t *testing.T) {
 				Kind:    "Deployment",
 			}: true,
 		},
-		IsClusterScopedResource: true,
+		IsClusterScopedResource: false,
 	}
 	deploymentType := metav1.TypeMeta{
 		APIVersion: utils.DeploymentGVK.GroupVersion().String(),

Original file line number	Diff line number	Diff line change
`@@ -456,7 +456,7 @@ func (r Reconciler) syncAllWork(ctx context.Context, resourceBinding fleetv1be`
`456`	`456`	`}`
`457`	`457`	`}`
`458`	`458`	`if len(simpleManifests) == 0 {`
`459`		`- klog.V(2).InfoS("the snapshot contains enveloped resource only", "snapshot", klog.KObj(snapshot))`
	`459`	`+ klog.V(2).InfoS("the snapshot contains no resource to apply either because of override or enveloped resources", "snapshot", klog.KObj(snapshot))`
`460`	`460`	`}`
`461`	`461`	`// generate a work object for the manifests even if there is nothing to place`
`462`	`462`	`// to allow CRP to collect the status of the placement`