Test operator calls purge (#174)

JohnGarbutt · bertiethorpe · web-flow · commit 99986a0fa4e4 · 2025-04-28T18:07:36.000+01:00
* Test operator calls purge

* fix logging assertions

---------

Co-authored-by: bertiethorpe &lt;bertie443@gmail.com&gt;
diff --git a/capi_janitor/openstack/operator.py b/capi_janitor/openstack/operator.py
@@ -389,14 +389,13 @@ async def _on_openstackcluster_event_impl(
 
     # Get the cloud credential from the cluster and use it to delete dangling
     # resources created by OpenStack integrations on the cluster
-    secrets = await ekclient.api("v1").resource("secrets")
-    try:
-        clouds_secret = await secrets.fetch(
-            spec["identityRef"]["name"], namespace=namespace
-        )
-    except easykube.ApiError as exc:
-        if exc.status_code != 404:
-            raise
+    clouds_secret = await _get_clouds_secret(
+        spec["identityRef"]["name"], namespace=namespace
+    )
+    if clouds_secret is None:
+        # TODO(johngarbutt): fail better when secret not found?
+        logger.error(f"clouds.yaml not found for: {clustername}")
+
     else:
         clouds = yaml.safe_load(base64.b64decode(clouds_secret.data["clouds.yaml"]))
         if "cacert" in clouds_secret.data:
@@ -424,6 +423,7 @@ async def _on_openstackcluster_event_impl(
             CREDENTIAL_ANNOTATION
         )
         remove_appcred = credential_annotation_value == CREDENTIAL_ANNOTATION_DELETE
+
         await purge_openstack_resources(
             logger,
             clouds,
@@ -436,7 +436,7 @@ async def _on_openstackcluster_event_impl(
         # If we get to here, OpenStack resources have been successfully deleted
         # So we can remove the appcred secret if we are the last actor
         if remove_appcred and len(finalizers) == 1:
-            await secrets.delete(clouds_secret.metadata.name, namespace=namespace)
+            await _delete_secret(clouds_secret.metadata["name"], namespace)
             logger.info("cloud credential secret deleted")
         elif remove_appcred:
             # If the annotation says delete but other controllers are still acting, go round again
@@ -451,7 +451,22 @@ async def _on_openstackcluster_event_impl(
     logger.info("removed janitor finalizer from cluster")
 
 
+async def _delete_secret(name, namespace):
+    secrets = await ekclient.api("v1").resource("secrets")
+    await secrets.delete(name, namespace=namespace)
+
+
 async def _get_os_cluster_client():
     capoapi = await ekclient.api_preferred_version(CAPO_API_GROUP)
     openstackclusters = await capoapi.resource("openstackclusters")
     return openstackclusters
+
+
+async def _get_clouds_secret(secret_name, namespace):
+    secrets = await ekclient.api("v1").resource("secrets")
+    try:
+        return await secrets.fetch(secret_name, namespace=namespace)
+    except easykube.ApiError as exc:
+        if exc.status_code != 404:
+            raise
+        # TODO(johngarbutt): fail better when not found?
diff --git a/capi_janitor/tests/openstack/test_operator.py b/capi_janitor/tests/openstack/test_operator.py
@@ -1,3 +1,5 @@
+import base64
+import yaml
 import unittest
 from unittest import mock
 
@@ -67,3 +69,79 @@ async def test_on_openstackcluster_event_skip_no_finalizers(
         logger.info.assert_has_calls(
             [mock.call("janitor finalizer not present, skipping cleanup")]
         )
+
+    @mock.patch.object(operator, "_delete_secret")
+    @mock.patch.object(operator, "_get_clouds_secret")
+    @mock.patch.object(operator, "purge_openstack_resources")
+    @mock.patch.object(operator, "patch_finalizers")
+    @mock.patch.object(operator, "_get_os_cluster_client")
+    async def test_on_openstackcluster_event_calls_purge(
+        self,
+        mock_get_client,
+        mock_patch_finalizers,
+        mock_purge,
+        mock_clouds_secret,
+        mock_delete_secret,
+    ):
+        logger = mock.Mock()
+        mock_get_client.return_value = "mock_client"
+        mock_secret = mock.Mock()
+        mock_clouds_secret.return_value = mock_secret
+        clouds_yaml_data = {
+            "openstack": {
+                "auth": {
+                    "auth_url": "https://example.com:5000/v3",
+                    "username": "user",
+                    "password": "pass",
+                    "project_name": "project",
+                    "user_domain_name": "Default",
+                    "project_domain_name": "Default",
+                }
+            }
+        }
+        mock_secret.data = {
+            "clouds.yaml": base64.b64encode(yaml.dump(clouds_yaml_data).encode("utf-8"))
+        }
+        mock_secret.metadata = {
+            "annotations": {"janitor.capi.stackhpc.com/credential-policy": "delete"},
+            "name": "appcred42",
+        }
+
+        await operator._on_openstackcluster_event_impl(
+            name="mycluster",
+            namespace="namespace1",
+            meta={
+                "deletionTimestamp": "2023-10-01T00:00:00Z",
+                "finalizers": ["janitor.capi.stackhpc.com"],
+                "annotations": {
+                    "janitor.capi.stackhpc.com/volumes-policy": "delete",
+                },
+            },
+            labels={},
+            spec={"identityRef": {"name": "appcred42"}},
+            logger=logger,
+            body={},
+        )
+
+        mock_purge.assert_awaited_once_with(
+            logger,
+            clouds_yaml_data,
+            "openstack",
+            None,
+            "mycluster",
+            True,
+            True,
+        )
+        mock_delete_secret.assert_awaited_once_with("appcred42", "namespace1")
+        mock_patch_finalizers.assert_awaited_once_with(
+            "mock_client", "mycluster", "namespace1", []
+        )
+        logger.debug.assert_has_calls(
+            [mock.call("cluster name that will be used for cleanup: 'mycluster'")]
+        )
+        logger.info.assert_has_calls(
+            [
+                mock.call("cloud credential secret deleted"),
+                mock.call("removed janitor finalizer from cluster"),
+            ]
+        )
