tests: e2e tests implemented

Signed-off-by: Bharath Nallapeta <[email protected]>

Author: bnallapeta

Makefile

@@ -188,7 +188,8 @@ e2e-templates: $(addprefix $(E2E_NO_ARTIFACT_TEMPLATES_DIR)/, \
 		 cluster-template-flatcar-sysext.yaml \
 		 cluster-template-no-bastion.yaml \
 		 cluster-template-health-monitor.yaml \
-		 cluster-template-capi-v1beta1.yaml)
+		 cluster-template-capi-v1beta1.yaml \
+		 cluster-template-cluster-identity.yaml)
 # Currently no templates that require CI artifacts
 # $(addprefix $(E2E_TEMPLATES_DIR)/, add-templates-here.yaml) \
 

config/crd/kustomization.yaml

@@ -8,6 +8,7 @@ labels:
 # It should be run by config/
 resources:
 - bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
+- bases/infrastructure.cluster.x-k8s.io_openstackclusteridentities.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml

controllers/openstackcluster_controller_test.go

@@ -180,85 +180,71 @@ var _ = Describe("OpenStackCluster controller", func() {
 	})
 
 	It("should successfully create OpenStackCluster with valid identityRef", func() {
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Name:      "creds",
+			CloudName: "openstack",
+			// Type should default to "Secret"
+		}
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
 		Expect(err).To(BeNil())
 
-		c := &infrav1.OpenStackCluster{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "cluster-valid-identity",
-				Namespace: testNamespace,
-			},
-			Spec: infrav1.OpenStackClusterSpec{
-				IdentityRef: infrav1.OpenStackIdentityReference{
-					Name:      "creds",
-					CloudName: "openstack",
-					// Type should default to "Secret"
-				},
-			},
-		}
-		err = k8sClient.Create(ctx, c)
-		Expect(err).To(Succeed())
-
 		// Verify the object was created and Type was defaulted
 		created := &infrav1.OpenStackCluster{}
-		err = k8sClient.Get(ctx, client.ObjectKey{Name: c.Name, Namespace: c.Namespace}, created)
+		err = k8sClient.Get(ctx, client.ObjectKey{Name: testCluster.Name, Namespace: testCluster.Namespace}, created)
 		Expect(err).To(Succeed())
 		Expect(created.Spec.IdentityRef.Type).To(Equal("Secret"))
 		Expect(created.Spec.IdentityRef.Name).To(Equal("creds"))
 		Expect(created.Spec.IdentityRef.CloudName).To(Equal("openstack"))
 	})
 
 	It("should successfully create OpenStackCluster with ClusterIdentity type", func() {
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Type:      "ClusterIdentity",
+			Name:      "global-creds",
+			CloudName: "openstack",
+			Region:    "RegionOne",
+		}
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
 		Expect(err).To(BeNil())
 
-		c := &infrav1.OpenStackCluster{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "cluster-clusteridentity-type",
-				Namespace: testNamespace,
-			},
-			Spec: infrav1.OpenStackClusterSpec{
-				IdentityRef: infrav1.OpenStackIdentityReference{
-					Type:      "ClusterIdentity",
-					Name:      "global-creds",
-					CloudName: "openstack",
-					Region:    "RegionOne",
-				},
-			},
-		}
-		err = k8sClient.Create(ctx, c)
-		Expect(err).To(Succeed())
-
 		// Verify all fields are preserved
 		created := &infrav1.OpenStackCluster{}
-		err = k8sClient.Get(ctx, client.ObjectKey{Name: c.Name, Namespace: c.Namespace}, created)
+		err = k8sClient.Get(ctx, client.ObjectKey{Name: testCluster.Name, Namespace: testCluster.Namespace}, created)
 		Expect(err).To(Succeed())
 		Expect(created.Spec.IdentityRef.Type).To(Equal("ClusterIdentity"))
 		Expect(created.Spec.IdentityRef.Name).To(Equal("global-creds"))
 		Expect(created.Spec.IdentityRef.CloudName).To(Equal("openstack"))
 		Expect(created.Spec.IdentityRef.Region).To(Equal("RegionOne"))
 	})
 
-	It("should accept cluster and default identityRef.type to Secret", func() {
-		testCluster.Spec = infrav1.OpenStackClusterSpec{
-			IdentityRef: infrav1.OpenStackIdentityReference{
-				Name:      "creds",
-				CloudName: "openstack",
-				// Type omitted -> should default to Secret
-			},
+	It("should fail when namespace is denied access to ClusterIdentity", func() {
+		testCluster.SetName("identity-access-denied")
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Type:      "ClusterIdentity",
+			Name:      "test-cluster-identity",
+			CloudName: "openstack",
 		}
+
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
 		Expect(err).To(BeNil())
 
-		fetched := &infrav1.OpenStackCluster{}
-		Expect(k8sClient.Get(ctx, types.NamespacedName{Name: testClusterName, Namespace: testNamespace}, fetched)).To(Succeed())
-		Expect(fetched.Spec.IdentityRef.Type).To(Equal("Secret"))
+		identityAccessErr := &scope.IdentityAccessDeniedError{
+			IdentityName:       "test-cluster-identity",
+			RequesterNamespace: testNamespace,
+		}
+		mockScopeFactory.SetClientScopeCreateError(identityAccessErr)
+
+		req := createRequestFromOSCluster(testCluster)
+		result, err := reconciler.Reconcile(ctx, req)
+
+		Expect(err).To(MatchError(identityAccessErr))
+		Expect(result).To(Equal(reconcile.Result{}))
 	})
 
 	It("should reject updates that modify identityRef.region (immutable)", func() {

docs/book/src/topics/openstack-cluster-identity.md

@@ -69,7 +69,7 @@ spec:
     cloudName: openstack
 ```
 
-## Using a Secret directly (legacy/default)
+## Using a Secret directly (default)
 - If you don’t need cross-namespace identities, use a Secret in the same namespace.
 ```yaml
 spec:

pkg/scope/provider.go

@@ -120,12 +120,10 @@ func (f *providerScopeFactory) NewClientScopeFromObject(ctx context.Context, ctr
 	}
 
 	// Read cloud from the resolved secret using the provided cloudName
-	c, cert, err := getCloudFromSecret(ctx, ctrlClient, secretNamespace, secretName, identityRef.CloudName)
+	cloud, caCert, err := getCloudFromSecret(ctx, ctrlClient, secretNamespace, secretName, identityRef.CloudName)
 	if err != nil {
 		return nil, err
 	}
-	cloud = c
-	caCert = cert
 
 	if caCert == nil {
 		caCert = defaultCACert

pkg/scope/provider_resolution_test.go

@@ -67,6 +67,7 @@ var (
 	testDefaultCloudsYAML = []byte("clouds: { default: {} }\n")
 )
 
+// ensureSchemes creates a runtime scheme with all required API types for testing.
 func ensureSchemes(t *testing.T) *runtime.Scheme {
 	t.Helper()
 	local := runtime.NewScheme()
@@ -82,6 +83,7 @@ func ensureSchemes(t *testing.T) *runtime.Scheme {
 	return local
 }
 
+// createResTestSecret creates a test Secret with the given namespace, name, and data.
 func createResTestSecret(namespace, name string, data map[string][]byte) *corev1.Secret {
 	secret := &corev1.Secret{}
 	secret.Namespace = namespace
@@ -90,13 +92,15 @@ func createResTestSecret(namespace, name string, data map[string][]byte) *corev1
 	return secret
 }
 
+// createTestNamespace creates a test Namespace with the given name and labels.
 func createTestNamespace(name string, labels map[string]string) *corev1.Namespace {
 	ns := &corev1.Namespace{}
 	ns.Name = name
 	ns.Labels = labels
 	return ns
 }
 
+// createTestClusterIdentity creates a test OpenStackClusterIdentity with the given name and namespace selector.
 func createTestClusterIdentity(name string, selector *metav1.LabelSelector) *infrav1alpha1.OpenStackClusterIdentity {
 	identity := &infrav1alpha1.OpenStackClusterIdentity{}
 	identity.Name = name
@@ -108,7 +112,7 @@ func createTestClusterIdentity(name string, selector *metav1.LabelSelector) *inf
 	return identity
 }
 
-// newFakeClient creates a fake client with the provided scheme and objects.
+// newFakeClient creates a fake Kubernetes client with the provided scheme and objects.
 func newFakeClient(sch *runtime.Scheme, objs ...client.Object) client.Client {
 	return fake.NewClientBuilder().WithScheme(sch).WithObjects(objs...).Build()
 }
@@ -129,6 +133,7 @@ func assertResolutionReached(t *testing.T, err error) {
 	}
 }
 
+// assertDenied verifies that the error is an IdentityAccessDeniedError.
 func assertDenied(t *testing.T, err error) {
 	t.Helper()
 	var denied *IdentityAccessDeniedError
@@ -137,6 +142,7 @@ func assertDenied(t *testing.T, err error) {
 	}
 }
 
+// assertNotDenied verifies that the error is NOT an IdentityAccessDeniedError.
 func assertNotDenied(t *testing.T, err error) {
 	t.Helper()
 	var denied *IdentityAccessDeniedError
@@ -145,6 +151,7 @@ func assertNotDenied(t *testing.T, err error) {
 	}
 }
 
+// TestNewClientScopeFromObject_Resolution tests credential resolution logic for both Secret and ClusterIdentity paths.
 func TestNewClientScopeFromObject_Resolution(t *testing.T) {
 	t.Parallel()
 	localScheme := ensureSchemes(t)

pkg/scope/provider_test.go

@@ -47,6 +47,7 @@ var (
 	testCACert = []byte("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
 )
 
+// buildCoreScheme creates a runtime scheme with core Kubernetes API types for testing.
 func buildCoreScheme(t *testing.T) *runtime.Scheme {
 	t.Helper()
 	sch := runtime.NewScheme()
@@ -56,6 +57,7 @@ func buildCoreScheme(t *testing.T) *runtime.Scheme {
 	return sch
 }
 
+// createTestSecret creates a test Secret in the test namespace with the given name and data.
 func createTestSecret(name string, data map[string][]byte) *corev1.Secret {
 	secret := &corev1.Secret{}
 	secret.Namespace = testNamespace
@@ -64,6 +66,7 @@ func createTestSecret(name string, data map[string][]byte) *corev1.Secret {
 	return secret
 }
 
+// TestGetCloudFromSecret_SuccessWithCACert tests successful cloud retrieval when CA certificate is present.
 func TestGetCloudFromSecret_SuccessWithCACert(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
@@ -88,6 +91,7 @@ func TestGetCloudFromSecret_SuccessWithCACert(t *testing.T) {
 	}
 }
 
+// TestGetCloudFromSecret_SuccessWithoutCACert tests successful cloud retrieval when CA certificate is not present.
 func TestGetCloudFromSecret_SuccessWithoutCACert(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
@@ -111,6 +115,7 @@ func TestGetCloudFromSecret_SuccessWithoutCACert(t *testing.T) {
 	}
 }
 
+// TestGetCloudFromSecret_MissingSecret tests error handling when the secret does not exist.
 func TestGetCloudFromSecret_MissingSecret(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
@@ -123,6 +128,7 @@ func TestGetCloudFromSecret_MissingSecret(t *testing.T) {
 	}
 }
 
+// TestGetCloudFromSecret_MissingCloudsKey tests error handling when the clouds.yaml key is missing from the secret.
 func TestGetCloudFromSecret_MissingCloudsKey(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
@@ -141,6 +147,7 @@ func TestGetCloudFromSecret_MissingCloudsKey(t *testing.T) {
 	}
 }
 
+// TestGetCloudFromSecret_EmptyCloudName tests error handling when cloudName is empty.
 func TestGetCloudFromSecret_EmptyCloudName(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
@@ -158,6 +165,7 @@ func TestGetCloudFromSecret_EmptyCloudName(t *testing.T) {
 	}
 }
 
+// TestGetCloudFromSecret_InvalidCloudName tests behavior when cloudName does not exist in clouds.yaml.
 func TestGetCloudFromSecret_InvalidCloudName(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()

test/e2e/data/e2e_conf.yaml

@@ -170,6 +170,7 @@ providers:
     - sourcePath: "../data/shared/provider/metadata.yaml"
     - sourcePath: "./infrastructure-openstack-no-artifact/cluster-template.yaml"
     - sourcePath: "./infrastructure-openstack-no-artifact/cluster-template-without-lb.yaml"
+    - sourcePath: "./infrastructure-openstack-no-artifact/cluster-template-cluster-identity.yaml"
     replacements:
     - old: gcr.io/k8s-staging-capi-openstack/capi-openstack-controller:dev
       new: gcr.io/k8s-staging-capi-openstack/capi-openstack-controller:e2e