tests: e2e tests implemented

Signed-off-by: Bharath Nallapeta <[email protected]>

Author: bnallapeta

Makefile

@@ -188,7 +188,8 @@ e2e-templates: $(addprefix $(E2E_NO_ARTIFACT_TEMPLATES_DIR)/, \
 		 cluster-template-flatcar-sysext.yaml \
 		 cluster-template-no-bastion.yaml \
 		 cluster-template-health-monitor.yaml \
-		 cluster-template-capi-v1beta1.yaml)
+		 cluster-template-capi-v1beta1.yaml \
+		 cluster-template-cluster-identity.yaml)
 # Currently no templates that require CI artifacts
 # $(addprefix $(E2E_TEMPLATES_DIR)/, add-templates-here.yaml) \
 

config/crd/kustomization.yaml

@@ -8,6 +8,7 @@ labels:
 # It should be run by config/
 resources:
 - bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
+- bases/infrastructure.cluster.x-k8s.io_openstackclusteridentities.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml

controllers/openstackcluster_controller_test.go

@@ -180,85 +180,71 @@ var _ = Describe("OpenStackCluster controller", func() {
 	})
 
 	It("should successfully create OpenStackCluster with valid identityRef", func() {
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Name:      "creds",
+			CloudName: "openstack",
+			// Type should default to "Secret"
+		}
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
 		Expect(err).To(BeNil())
 
-		c := &infrav1.OpenStackCluster{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "cluster-valid-identity",
-				Namespace: testNamespace,
-			},
-			Spec: infrav1.OpenStackClusterSpec{
-				IdentityRef: infrav1.OpenStackIdentityReference{
-					Name:      "creds",
-					CloudName: "openstack",
-					// Type should default to "Secret"
-				},
-			},
-		}
-		err = k8sClient.Create(ctx, c)
-		Expect(err).To(Succeed())
-
 		// Verify the object was created and Type was defaulted
 		created := &infrav1.OpenStackCluster{}
-		err = k8sClient.Get(ctx, client.ObjectKey{Name: c.Name, Namespace: c.Namespace}, created)
+		err = k8sClient.Get(ctx, client.ObjectKey{Name: testCluster.Name, Namespace: testCluster.Namespace}, created)
 		Expect(err).To(Succeed())
 		Expect(created.Spec.IdentityRef.Type).To(Equal("Secret"))
 		Expect(created.Spec.IdentityRef.Name).To(Equal("creds"))
 		Expect(created.Spec.IdentityRef.CloudName).To(Equal("openstack"))
 	})
 
 	It("should successfully create OpenStackCluster with ClusterIdentity type", func() {
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Type:      "ClusterIdentity",
+			Name:      "global-creds",
+			CloudName: "openstack",
+			Region:    "RegionOne",
+		}
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
 		Expect(err).To(BeNil())
 
-		c := &infrav1.OpenStackCluster{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "cluster-clusteridentity-type",
-				Namespace: testNamespace,
-			},
-			Spec: infrav1.OpenStackClusterSpec{
-				IdentityRef: infrav1.OpenStackIdentityReference{
-					Type:      "ClusterIdentity",
-					Name:      "global-creds",
-					CloudName: "openstack",
-					Region:    "RegionOne",
-				},
-			},
-		}
-		err = k8sClient.Create(ctx, c)
-		Expect(err).To(Succeed())
-
 		// Verify all fields are preserved
 		created := &infrav1.OpenStackCluster{}
-		err = k8sClient.Get(ctx, client.ObjectKey{Name: c.Name, Namespace: c.Namespace}, created)
+		err = k8sClient.Get(ctx, client.ObjectKey{Name: testCluster.Name, Namespace: testCluster.Namespace}, created)
 		Expect(err).To(Succeed())
 		Expect(created.Spec.IdentityRef.Type).To(Equal("ClusterIdentity"))
 		Expect(created.Spec.IdentityRef.Name).To(Equal("global-creds"))
 		Expect(created.Spec.IdentityRef.CloudName).To(Equal("openstack"))
 		Expect(created.Spec.IdentityRef.Region).To(Equal("RegionOne"))
 	})
 
-	It("should accept cluster and default identityRef.type to Secret", func() {
-		testCluster.Spec = infrav1.OpenStackClusterSpec{
-			IdentityRef: infrav1.OpenStackIdentityReference{
-				Name:      "creds",
-				CloudName: "openstack",
-				// Type omitted -> should default to Secret
-			},
+	It("should fail when namespace is denied access to ClusterIdentity", func() {
+		testCluster.SetName("identity-access-denied")
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Type:      "ClusterIdentity",
+			Name:      "test-cluster-identity",
+			CloudName: "openstack",
 		}
+
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
 		Expect(err).To(BeNil())
 
-		fetched := &infrav1.OpenStackCluster{}
-		Expect(k8sClient.Get(ctx, types.NamespacedName{Name: testClusterName, Namespace: testNamespace}, fetched)).To(Succeed())
-		Expect(fetched.Spec.IdentityRef.Type).To(Equal("Secret"))
+		identityAccessErr := &scope.IdentityAccessDeniedError{
+			IdentityName:       "test-cluster-identity",
+			RequesterNamespace: testNamespace,
+		}
+		mockScopeFactory.SetClientScopeCreateError(identityAccessErr)
+
+		req := createRequestFromOSCluster(testCluster)
+		result, err := reconciler.Reconcile(ctx, req)
+
+		Expect(err).To(MatchError(identityAccessErr))
+		Expect(result).To(Equal(reconcile.Result{}))
 	})
 
 	It("should reject updates that modify identityRef.region (immutable)", func() {

test/e2e/data/e2e_conf.yaml

@@ -170,6 +170,7 @@ providers:
     - sourcePath: "../data/shared/provider/metadata.yaml"
     - sourcePath: "./infrastructure-openstack-no-artifact/cluster-template.yaml"
     - sourcePath: "./infrastructure-openstack-no-artifact/cluster-template-without-lb.yaml"
+    - sourcePath: "./infrastructure-openstack-no-artifact/cluster-template-cluster-identity.yaml"
     replacements:
     - old: gcr.io/k8s-staging-capi-openstack/capi-openstack-controller:dev
       new: gcr.io/k8s-staging-capi-openstack/capi-openstack-controller:e2e

test/e2e/data/kustomize/cluster-identity-denied/kustomization.yaml

@@ -2,20 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ../../../../../kustomize/v1beta1/default
+- ../default
 - openstackclusteridentity.yaml
 
-components:
-- ../common-patches/cluster
-- ../common-patches/cni
-- ../upgrade-patches
-- ../common-patches/ccm
-- ../common-patches/externalNetworkByName
-- ../common-patches/images
-
 patches:
 - path: patch-openstackcluster-identityref.yaml
   target:
     kind: OpenStackCluster
-    name: ${CLUSTER_NAME}
+    name: \${CLUSTER_NAME}
 

test/e2e/data/kustomize/cluster-identity-denied/openstackclusteridentity.yaml

@@ -35,35 +35,35 @@ import (
 )
 
 const (
-	DefaultSSHKeyPairName       = "cluster-api-provider-openstack-sigs-k8s-io"
-	KubeContext                 = "KUBE_CONTEXT"
-	KubernetesVersion           = "KUBERNETES_VERSION"
-	CCMPath                     = "CCM"
-	CCMResources                = "CCM_RESOURCES"
-	OpenStackBastionFlavorAlt   = "OPENSTACK_BASTION_MACHINE_FLAVOR_ALT"
-	OpenStackCloudYAMLFile      = "OPENSTACK_CLOUD_YAML_FILE"
-	OpenStackCloud              = "OPENSTACK_CLOUD"
-	OpenStackCloudCACertB64     = "OPENSTACK_CLOUD_CACERT_B64"
-	OpenStackCloudAdmin         = "OPENSTACK_CLOUD_ADMIN"
-	OpenStackFailureDomain      = "OPENSTACK_FAILURE_DOMAIN" //nolint:gosec // Linter thinks this could be credentials...
-	OpenStackFailureDomainAlt   = "OPENSTACK_FAILURE_DOMAIN_ALT"
-	OpenStackVolumeTypeAlt      = "OPENSTACK_VOLUME_TYPE_ALT"
-	OpenStackImageName          = "OPENSTACK_IMAGE_NAME"
-	OpenStackNodeMachineFlavor  = "OPENSTACK_NODE_MACHINE_FLAVOR"
-	SSHUserMachine              = "SSH_USER_MACHINE"
-	FlavorDefault               = ""
-	FlavorNoBastion             = "no-bastion"
-	FlavorWithoutLB             = "without-lb"
-	FlavorMultiNetwork          = "multi-network"
-	FlavorMultiAZ               = "multi-az"
-	FlavorMDRemediation         = "md-remediation"
-	FlavorKCPRemediation        = "kcp-remediation"
-	FlavorFlatcar               = "flatcar"
-	FlavorKubernetesUpgrade     = "k8s-upgrade"
-	FlavorFlatcarSysext         = "flatcar-sysext"
-	FlavorHealthMonitor         = "health-monitor"
-	FlavorClusterIdentity       = "cluster-identity"
-	FlavorClusterIdentityDenied = "cluster-identity-denied"
+	DefaultSSHKeyPairName      = "cluster-api-provider-openstack-sigs-k8s-io"
+	KubeContext                = "KUBE_CONTEXT"
+	KubernetesVersion          = "KUBERNETES_VERSION"
+	CCMPath                    = "CCM"
+	CCMResources               = "CCM_RESOURCES"
+	OpenStackBastionFlavorAlt  = "OPENSTACK_BASTION_MACHINE_FLAVOR_ALT"
+	OpenStackCloudYAMLFile     = "OPENSTACK_CLOUD_YAML_FILE"
+	OpenStackCloud             = "OPENSTACK_CLOUD"
+	OpenStackCloudCACertB64    = "OPENSTACK_CLOUD_CACERT_B64"
+	OpenStackCloudAdmin        = "OPENSTACK_CLOUD_ADMIN"
+	OpenStackFailureDomain     = "OPENSTACK_FAILURE_DOMAIN" //nolint:gosec // Linter thinks this could be credentials...
+	OpenStackFailureDomainAlt  = "OPENSTACK_FAILURE_DOMAIN_ALT"
+	OpenStackVolumeTypeAlt     = "OPENSTACK_VOLUME_TYPE_ALT"
+	OpenStackImageName         = "OPENSTACK_IMAGE_NAME"
+	OpenStackNodeMachineFlavor = "OPENSTACK_NODE_MACHINE_FLAVOR"
+	SSHUserMachine             = "SSH_USER_MACHINE"
+	FlavorDefault              = ""
+	FlavorNoBastion            = "no-bastion"
+	FlavorWithoutLB            = "without-lb"
+	FlavorMultiNetwork         = "multi-network"
+	FlavorMultiAZ              = "multi-az"
+	FlavorMDRemediation        = "md-remediation"
+	FlavorKCPRemediation       = "kcp-remediation"
+	FlavorFlatcar              = "flatcar"
+	FlavorKubernetesUpgrade    = "k8s-upgrade"
+	FlavorFlatcarSysext        = "flatcar-sysext"
+	FlavorHealthMonitor        = "health-monitor"
+	FlavorCapiV1Beta1          = "capi-v1beta1"
+	FlavorClusterIdentity      = "cluster-identity"
 )
 
 // DefaultScheme returns the default scheme to use for testing.

test/e2e/data/kustomize/cluster-identity-denied/patch-openstackcluster-identityref.yaml

@@ -358,38 +358,6 @@ var _ = Describe("e2e tests [PR-Blocking]", func() {
 		})
 	})
 
-	Describe("Workload cluster (cluster-identity denied)", func() {
-		It("should fail to reconcile new workers when namespaceSelector denies access", func(ctx context.Context) {
-			shared.Logf("Creating a cluster with ClusterIdentity (denied flavor) and 0 workers")
-			clusterName := fmt.Sprintf("cluster-%s", namespace.Name)
-			configCluster := defaultConfigCluster(clusterName, namespace.Name)
-			configCluster.ControlPlaneMachineCount = ptr.To(int64(1))
-			configCluster.WorkerMachineCount = ptr.To(int64(0))
-			configCluster.Flavor = shared.FlavorClusterIdentityDenied
-			createCluster(ctx, configCluster, clusterResources)
-
-			// Create a new MachineDeployment that should fail to reconcile due to denied identity access
-			mdName := clusterName + "-md-denied"
-			replicas := int32(1)
-			framework.CreateMachineDeployment(ctx, framework.CreateMachineDeploymentInput{
-				Creator:                 e2eCtx.Environment.BootstrapClusterProxy.GetClient(),
-				MachineDeployment:       makeMachineDeployment(namespace.Name, mdName, clusterName, e2eCtx.E2EConfig.MustGetVariable(shared.OpenStackFailureDomain), replicas),
-				BootstrapConfigTemplate: makeJoinBootstrapConfigTemplate(namespace.Name, mdName),
-				InfraMachineTemplate:    makeOpenStackMachineTemplate(namespace.Name, clusterName, mdName),
-			})
-
-			// Assert that no worker servers are created
-			machineTags := fmt.Sprintf("%s,%s", clusterName, "machine")
-			Consistently(func() (int, error) {
-				serversList, err := shared.DumpOpenStackServers(e2eCtx, servers.ListOpts{Tags: machineTags})
-				if err != nil {
-					return -1, err
-				}
-				return len(serversList), nil
-			}, e2eCtx.E2EConfig.GetIntervals(specName, "wait-worker-nodes")[0]).Should(Equal(0))
-		})
-	})
-
 	Describe("Workload cluster (no bastion)", func() {
 		It("should be creatable and deletable", func(ctx context.Context) {
 			shared.Logf("Creating a cluster")