Add e2e and fix comments

Signed-off-by: Nont <nont@duck.com>

Author: Nont

pkg/webhook/managedresource/managedresource_validating_webhook.go

@@ -24,16 +24,15 @@ import (
 )
 
 const (
-	managedByArmKey      = "managed-by"
-	managedByArmValue    = "arm"
+	ManagedByArmKey      = "managed-by"
+	ManagedByArmValue    = "arm"
 	deniedResource       = "denied admission for managed resource"
 	resourceDeniedFormat = "the operation on the managed resource type '%s' name '%s' in namespace '%s' is not allowed"
 )
 
 // ValidationPath is the webhook service path which admission requests are routed to.
 var (
 	ValidationPath = fmt.Sprintf(utils.ValidationPathFmt, "arm", "managed", "resources")
-	metaAccessor   = meta.NewAccessor()
 )
 
 // Add registers the webhook for K8s bulit-in object types.
@@ -81,7 +80,7 @@ func managedByArm(m map[string]string) bool {
 	if len(m) == 0 {
 		return false
 	}
-	if v, ok := m[managedByArmKey]; ok && v == managedByArmValue {
+	if v, ok := m[ManagedByArmKey]; ok && v == ManagedByArmValue {
 		return true
 	}
 	return false

pkg/webhook/managedresource/managedresource_validating_webhook_test.go

@@ -12,7 +12,6 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/stretchr/testify/assert"
 	admissionv1 "k8s.io/api/admission/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -60,7 +59,7 @@ func Test_managedResourceValidzaator_Handle(t *testing.T) {
 			operation:      admissionv1.Create,
 			oldLabels:      nil,
 			oldAnnotations: nil,
-			newLabels:      map[string]string{managedByArmKey: managedByArmValue},
+			newLabels:      map[string]string{ManagedByArmKey: ManagedByArmValue},
 			newAnnotations: nil,
 			expectedResp:   admission.Denied(fmt.Sprintf(resourceDeniedFormat, metav1.GroupVersionKind{Kind: "TestKind"}, "test-resource", "default")),
 		},
@@ -70,7 +69,7 @@ func Test_managedResourceValidzaator_Handle(t *testing.T) {
 			oldLabels:      nil,
 			oldAnnotations: nil,
 			newLabels:      nil,
-			newAnnotations: map[string]string{managedByArmKey: managedByArmValue},
+			newAnnotations: map[string]string{ManagedByArmKey: ManagedByArmValue},
 			expectedResp:   admission.Denied(fmt.Sprintf(resourceDeniedFormat, metav1.GroupVersionKind{Kind: "TestKind"}, "test-resource", "default")),
 		},
 		{
@@ -86,7 +85,7 @@ func Test_managedResourceValidzaator_Handle(t *testing.T) {
 			name:           "allowed for other operations - managed by arm, but user whitelisted",
 			username:       "fleet1p",
 			operation:      admissionv1.Update,
-			oldLabels:      map[string]string{"managedBy": managedByArmValue},
+			oldLabels:      map[string]string{"managedBy": ManagedByArmValue},
 			oldAnnotations: nil,
 			newLabels:      nil,
 			newAnnotations: nil,
@@ -164,12 +163,14 @@ func Test_getLabelsAndAnnotations(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			labels, annotations, err := getLabelsAndAnnotations(tt.obj)
-			if tt.expectError {
-				assert.Error(t, err)
-			} else {
-				assert.NoError(t, err)
-				assert.Equal(t, tt.wantLabels, labels)
-				assert.Equal(t, tt.wantAnnotations, annotations)
+			if err != nil && !tt.expectError {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if diff := cmp.Diff(tt.wantLabels, labels); diff != "" {
+				t.Errorf("labels mismatch (-want +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(tt.wantAnnotations, annotations); diff != "" {
+				t.Errorf("annotations mismatch (-want +got):\n%s", diff)
 			}
 		})
 	}
@@ -198,24 +199,26 @@ func Test_managedByArm(t *testing.T) {
 		},
 		{
 			name: "key present, not managed key",
-			m:    map[string]string{"managingBy": managedByArmValue},
+			m:    map[string]string{"managingBy": ManagedByArmValue},
 			want: false,
 		},
 		{
 			name: "key present, not managed value",
-			m:    map[string]string{managedByArmKey: "not-arm"},
+			m:    map[string]string{ManagedByArmKey: "not-arm"},
 			want: false,
 		},
 		{
 			name: "key present, managed key and value",
-			m:    map[string]string{managedByArmKey: managedByArmValue},
+			m:    map[string]string{ManagedByArmKey: ManagedByArmValue},
 			want: true,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			assert.Equal(t, tt.want, managedByArm(tt.m))
+			if diff := cmp.Diff(tt.want, managedByArm(tt.m)); diff != "" {
+				t.Errorf("managedByArm result (-want +got):\n%s", diff)
+			}
 		})
 	}
 }

pkg/webhook/webhook.go

@@ -429,7 +429,7 @@ func (w *Config) buildFleetValidatingWebhooks() []admv1.ValidatingWebhook {
 							networkingv1.SchemeGroupVersion.Version,
 						},
 						[]string{
-							fleetv1alpha1.ClusterResourcePlacementResource,
+							placementv1beta1.ClusterResourcePlacementResource,
 							namespaceResourceName,
 							resourceQuotaResourceName,
 							networkPolicyResourceName,

pkg/webhook/webhook_test.go

@@ -25,7 +25,7 @@ func TestBuildFleetValidatingWebhooks(t *testing.T) {
 				serviceURL:           "test-url",
 				clientConnectionType: &url,
 			},
-			wantLength: 9,
+			wantLength: 10,
 		},
 	}
 

test/e2e/resources_test.go

@@ -50,6 +50,7 @@ const (
 	crpEvictionNameTemplate           = "crpe-%d"
 	updateRunStrategyNameTemplate     = "curs-%d"
 	updateRunNameWithSubIndexTemplate = "cur-%d-%d"
+	managedNamespaceTemplate          = "managedns-%d"
 
 	customDeletionBlockerFinalizer = "kubernetes-fleet.io/custom-deletion-blocker-finalizer"
 	workNamespaceLabelName         = "process"

test/e2e/utils_test.go

@@ -52,6 +52,7 @@ import (
 	"go.goms.io/fleet/pkg/propertyprovider/azure/trackers"
 	"go.goms.io/fleet/pkg/utils"
 	"go.goms.io/fleet/pkg/utils/condition"
+	"go.goms.io/fleet/pkg/webhook/managedresource"
 	testv1alpha1 "go.goms.io/fleet/test/apis/v1alpha1"
 	"go.goms.io/fleet/test/e2e/framework"
 )
@@ -708,6 +709,20 @@ func cleanupWorkResources() {
 	cleanWorkResourcesOnCluster(hubCluster)
 }
 
+func createManagedNamespace() corev1.Namespace {
+	ns := corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf(managedNamespaceTemplate, GinkgoParallelProcess()),
+			Labels: map[string]string{
+				managedresource.ManagedByArmKey: managedresource.ManagedByArmValue,
+			},
+		},
+	}
+
+	Expect(hubClient.Create(ctx, &ns)).To(Succeed(), "Failed to create namespace %s", ns.Name)
+	return ns
+}
+
 func cleanWorkResourcesOnCluster(cluster *framework.Cluster) {
 	ns := appNamespace()
 	Expect(client.IgnoreNotFound(cluster.KubeClient.Delete(ctx, &ns))).To(Succeed(), "Failed to delete namespace %s", ns.Name)

test/e2e/webhook_test.go

@@ -32,6 +32,8 @@ import (
 	clusterv1beta1 "go.goms.io/fleet/apis/cluster/v1beta1"
 	placementv1alpha1 "go.goms.io/fleet/apis/placement/v1alpha1"
 	placementv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
+	"go.goms.io/fleet/pkg/utils"
+	"go.goms.io/fleet/pkg/webhook/managedresource"
 	testutils "go.goms.io/fleet/test/e2e/v1alpha1/utils"
 )
 
@@ -1291,3 +1293,75 @@ var _ = Describe("webhook tests for ResourceOverride UPDATE operations", Ordered
 		}, testutils.PollTimeout, testutils.PollInterval).Should(Succeed())
 	})
 })
+
+var _ = Describe("webhook tests for operations on ARM managed resources", Ordered, func() {
+	BeforeAll(func() {
+		By("creating a managed namespace")
+		createManagedNamespace()
+	})
+
+	AfterAll(func() {
+		By("deleting the managed namespace")
+		ns := createManagedNamespace()
+		Expect(hubClient.Delete(ctx, &ns)).Should(SatisfyAny(Succeed(), utils.NotFoundMatcher{}), "Failed to delete the managed namespace")
+		Eventually(
+			func() error {
+				if err := hubClient.Get(ctx, types.NamespacedName{Name: ns.Name}, &corev1.Namespace{}); !k8sErrors.IsNotFound(err) {
+					return fmt.Errorf("The managed namespace still exists or an unexpected error occurred: %w", err)
+				}
+				return nil
+			}, workloadEventuallyDuration, eventuallyInterval).Should(Succeed(), "Failed to remove the managed namespace %s", ns.Name)
+	})
+
+	It("should deny create a managed resource namespace", func() {
+		Eventually(func(g Gomega) error {
+			createNs := createManagedNamespace()
+			createNs.Name = fmt.Sprintf("test-create-managed-ns-%d", GinkgoParallelProcess())
+			err := impersonateHubClient.Update(ctx, &createNs)
+			if k8sErrors.IsConflict(err) {
+				return err
+			}
+			var statusErr *k8sErrors.StatusError
+			g.Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Create managed namespace call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{})))
+			Expect(statusErr.ErrStatus.Message).Should(MatchRegexp("the operation on the managed resource type * is not allowed"))
+			return nil
+		}, testutils.PollTimeout, testutils.PollInterval).Should(Succeed())
+	})
+
+	It("should deny update a managed resource namespace", func() {
+		Eventually(func(g Gomega) error {
+			updateNamespace := createManagedNamespace()
+			updateNamespace.Labels["foo"] = "NotManaged"
+			err := impersonateHubClient.Update(ctx, &updateNamespace)
+			if k8sErrors.IsConflict(err) {
+				return err
+			}
+			var statusErr *k8sErrors.StatusError
+			g.Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Update managed namespace call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{})))
+			Expect(statusErr.ErrStatus.Message).Should(MatchRegexp("the operation on the managed resource type * is not allowed"))
+			return nil
+		}, testutils.PollTimeout, testutils.PollInterval).Should(Succeed())
+	})
+
+	It("should deny delete a managed resource namespace", func() {
+		Eventually(func(g Gomega) error {
+			created := createManagedNamespace()
+			err := impersonateHubClient.Delete(ctx, &created)
+			if k8sErrors.IsConflict(err) {
+				return err
+			}
+			var statusErr *k8sErrors.StatusError
+			g.Expect(errors.As(err, &statusErr)).To(BeTrue(), fmt.Sprintf("Delete managed namespace call produced error %s. Error type wanted is %s.", reflect.TypeOf(err), reflect.TypeOf(&k8sErrors.StatusError{})))
+			Expect(statusErr.ErrStatus.Message).Should(MatchRegexp("the operation on the managed resource type * is not allowed"))
+			return nil
+		}, testutils.PollTimeout, testutils.PollInterval).Should(Succeed())
+	})
+
+	It("should allow create an unmanaged resource namespace", func() {
+		Eventually(func(g Gomega) error {
+			creating := createManagedNamespace()
+			delete(creating.Labels, managedresource.ManagedByArmKey)
+			return impersonateHubClient.Create(ctx, &creating)
+		}, testutils.PollTimeout, testutils.PollInterval).Should(Succeed())
+	})
+})