diff --git a/internal/webhook/v1/pod_defaulters.go b/internal/webhook/v1/pod_defaulters.go
index 3f16b70..e2568c9 100644
--- a/internal/webhook/v1/pod_defaulters.go
+++ b/internal/webhook/v1/pod_defaulters.go
@@ -14,13 +14,13 @@ type PodDefaulter = func(p *corev1.Pod, nsAnnotations map[string]string) (bool,
 var (
 	annotationsAlterImgRegistry = map[string]string{
-		apiv1.AnnotationAlterImgRegistry: "false",
+		apiv1.AnnotationAlterImgRegistry: "true",
 	}
 	annotationsSetPullSecret = map[string]string{
-		apiv1.AnnotationSetPullSecret: "false",
+		apiv1.AnnotationSetPullSecret: "true",
 	}
 	annotationAddClusterTrustBundle = map[string]string{
-		apiv1.AnnotationAddClusterTrustBundle: "false",
+		apiv1.AnnotationAddClusterTrustBundle: "true",
 	}
 )
@@ -34,15 +34,15 @@ func defaultPod(update func(*corev1.Pod) bool, features map[string]string) PodDe
 			With("ns-annotations", nsAnnotations).
 			With("features", features)
-		for _, annotations := range []map[string]string{p.Annotations, nsAnnotations} {
+		for _, annotations := range []map[string]string{nsAnnotations, p.Annotations} {
 			if k8s.Contains(annotations, features) {
-				logger.Debug("opt out", "ns-annotations", nsAnnotations)
-				return false, nil
+				logger.Debug("pod defaulting opt in")
+				return update(p), nil
 			}
 		}
-		logger.Debug("pod defaulting opt in")
-		return update(p), nil
+		logger.Debug("opt out", "ns-annotations", nsAnnotations)
+		return false, nil
 	}
 }
diff --git a/pkg/api/v1/types.go b/pkg/api/v1/types.go
index e4751b1..5f313f4 100644
--- a/pkg/api/v1/types.go
+++ b/pkg/api/v1/types.go
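Review bot: With the flip to opt-in, a pod can no longer opt out of a feature its namespace has enabled: the loop returns `update(p)` as soon as either map matches, and a pod-level `"false"` value is never consulted (assuming k8s.Contains matches key and value, which is not visible here). If per-pod override of a namespace-wide opt-in is intended, the pod map needs its own check before the namespace one; otherwise the precedence should be stated on defaultPod, e.g. `// defaultPod applies update when the pod or its namespace carries the feature annotations with value "true"; a namespace-level opt-in cannot be overridden by the pod.` The opt-in debug line also no longer records which level matched; `for i, annotations := range ...` together with `logger.Debug("pod defaulting opt in", "source", []string{"namespace", "pod"}[i])` keeps that visible for audit. defaultPod's signature and the returned closure's header sit above the hunk.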
@@ -13,7 +13,7 @@ import (
 const (
 	AnnotationAlterImgRegistry = "rt-cfg.kyma-project.io/alter-img-registry"
 	AnnotationSetPullSecret = "rt-cfg.kyma-project.io/add-img-pull-secret"
-	AnnotationAddClusterTrustBundle = "rt-cfg.kyma-project.io/add-add-cluster-trust-bundle"
+	AnnotationAddClusterTrustBundle = "rt-cfg.kyma-project.io/add-cluster-trust-bundle"
 	AnnotationDefaulted = "rt-bootstrapper.kyma-project.io/defaulted"
 	FiledManager = "rt-bootstrapper"
 )
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 9d04a5f..2b8589f 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -71,7 +71,10 @@ var _ = Describe("Manager", Ordered, func() {
 		By(fmt.Sprintf("opt out altering image registry for namespace: %s", testNamespace2))
 		cmd = exec.Command("kubectl", "annotate", "ns", testNamespace2,
-			"rt-cfg.kyma-project.io/add-img-pull-secret=false")
+			"rt-cfg.kyma-project.io/alter-img-registry=true",
+			"rt-cfg.kyma-project.io/add-img-pull-secret=true",
+			"rt-cfg.kyma-project.io/add-cluster-trust-bundle=true",
+		)
 		_, err = utils.Run(cmd)
 		Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
@@ -320,20 +323,19 @@ var _ = Describe("Manager", Ordered, func() {
 			Expect(signerName).To(Equal("rt-bootstrapper-k3d.test/ctb"))
 		})
-		It("should alter the image name and add imagePullSecret property", func() {
-			testNamespace := "rt-bootstrapper-test1"
+		It("should work with all features activated on ns lvl", func() {
 			By("applying the deployment in opt in namespace")
 			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test1.yaml",
-				"-n", testNamespace)
+				"-f", "./test/e2e/testdata/test2.yaml",
+				"-n", testNamespace2)
 			_, err := utils.Run(cmd)
 			Expect(err).NotTo(HaveOccurred())
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test1",
+			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test2",
 				"--for", "condition=Available",
-				"--namespace", testNamespace,
+				"--namespace", testNamespace2,
 				"--timeout", "20s",
 			)
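Review bot: The three feature annotation constants carry no doc comments saying which value enables a feature, and now that pod_defaulters.go in this commit switches from an opt-out `"false"` to an opt-in `"true"`, the expected value can no longer be guessed from the key. A comment per constant, e.g. `// AnnotationAlterImgRegistry, set to "true" on a pod or its namespace, opts the pod in to image-registry rewriting.`, with matching text for the pull-secret and trust-bundle keys, would cover that. The key rename from `add-add-cluster-trust-bundle` to `add-cluster-trust-bundle` also silently stops matching any object still annotated with the old spelling; if anything outside this repository used the old key, that deserves a line in the commit description.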
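Review bot: The step description at the top of the `@@ -71` hunk still reads `opt out altering image registry for namespace`, while the annotate call below it now turns all three features on for testNamespace2. `By(fmt.Sprintf("opt in to all features for namespace: %s", testNamespace2))` describes what the new lines do. The unchanged assertion message `"Failed to create namespace"` on the following context line is equally misleading for an annotate call; `"Failed to annotate namespace"` would point at the right step when it fails. The enclosing setup function starts and ends outside the hunk.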
@@ -341,73 +343,55 @@ var _ = Describe("Manager", Ordered, func() {
 			Expect(err).ShouldNot(HaveOccurred())
 			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test1",
-				"-n", testNamespace,
+				"-l", "app=pause-test2",
+				"-n", testNamespace2,
 				"-o", "jsonpath={.items[0]}")
 			output, err := utils.Run(cmd)
 			Expect(err).ShouldNot(HaveOccurred())
 			pod, err := utils.ToPod(output)
 			Expect(err).ShouldNot(HaveOccurred())
+
+			By("having registry name replaced on pod")
 			Expect(pod.Spec.Containers[0].Image).ShouldNot(HavePrefix("replace.me"))
+
+			By("having image-pull-secret added on pod")
 			Expect(pod.Spec.ImagePullSecrets).Should(ContainElement(corev1.LocalObjectReference{
 				Name: "registry-credentials",
 			}))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
-
-			cmd = exec.Command("kubectl", "get", "secret",
-				"-n", testNamespace)
-			_, err = utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
-		})
-
-		It("should just alter the image name if opt out on pod lvl from adding imagePullSecret property", func() {
-			By("applying the deployment in opt in namespace")
-			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test2.yaml",
-				"-n", testNamespace1)
-
-			_, err := utils.Run(cmd)
-			Expect(err).NotTo(HaveOccurred())
-
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test2",
-				"--for", "condition=Available",
-				"--namespace", testNamespace1,
-				"--timeout", "20s",
-			)
-
-			_, err = utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
-			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test2",
-				"-n", testNamespace1,
-				"-o", "jsonpath={.items[0]}")
-			output, err := utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
+			By("having cluster-trust-bundle volume mounted on pod")
+			Expect(pod.Spec.Containers[0].VolumeMounts).Should(ContainElement(corev1.VolumeMount{
+				Name: "rt-bootstrapper-certs",
+				ReadOnly: true,
+				MountPath: "/etc/ssl/certs",
+			}))
-			pod, err := utils.ToPod(output)
-			Expect(err).ShouldNot(HaveOccurred())
+			By("having cluster-trust-bundle volume created on pod")
+			Expect(pod.Spec.Volumes[1].VolumeSource.Projected.Sources).Should(ContainElement(corev1.VolumeProjection{
+				ClusterTrustBundle: &corev1.ClusterTrustBundleProjection{
+					Name: ptr.To("rt-bootstrapper-k3d.test:ctb:1"),
+					Path: "kube-apiserver-serving.pem",
+				},
+			}))
-			Expect(pod.Spec.Containers[0].Image).ShouldNot(HavePrefix("replace.me"))
+			By("having 'defaulted' annotation added on pod")
 			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
-			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
-				Name: "registry-credentials",
-			}))
 		})
-		It("should just alter the image name if opt out on ns lvl from adding imagePullSecret property", func() {
+		It("should work with all features activated on pod lvl", func() {
+			By("applying the deployment in opt in namespace")
 			cmd := exec.Command("kubectl", "apply",
 				"-f", "./test/e2e/testdata/test1.yaml",
-				"-n", testNamespace2)
+				"-n", testNamespace1)
 			_, err := utils.Run(cmd)
 			Expect(err).NotTo(HaveOccurred())
 			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test1",
 				"--for", "condition=Available",
-				"--namespace", testNamespace2,
+				"--namespace", testNamespace1,
 				"--timeout", "20s",
 			)
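Review bot: `pod.Spec.Volumes[1].VolumeSource.Projected.Sources` in the "volume created on pod" step indexes a fixed position and dereferences the `Projected` pointer with no prior check, so when the webhook does not add the volume the spec dies with an index-out-of-range or nil-pointer panic instead of a readable assertion failure. Guarding first with `Expect(pod.Spec.Volumes).To(HaveLen(2))` and `Expect(pod.Spec.Volumes[1].Projected).NotTo(BeNil())` keeps the failure attributable; that index 1 is the injected volume rather than the service-account token is an assumption the test should state in a comment. The same access is reused unchanged as a context line in the pod-level test of the next hunk (@@ -416), where the same guards apply. The It block for the pod-level test continues past the end of this hunk.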
@@ -416,54 +400,30 @@ var _ = Describe("Manager", Ordered, func() {
 			cmd = exec.Command("kubectl", "get", "pod",
 				"-l", "app=pause-test1",
-				"-n", testNamespace2,
+				"-n", testNamespace1,
 				"-o", "jsonpath={.items[0]}")
 			output, err := utils.Run(cmd)
 			Expect(err).ShouldNot(HaveOccurred())
 			pod, err := utils.ToPod(output)
 			Expect(err).ShouldNot(HaveOccurred())
+
+			By("having registry name replaced on pod")
 			Expect(pod.Spec.Containers[0].Image).ShouldNot(HavePrefix("replace.me"))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
-			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
+
+			By("having image-pull-secret added on pod")
+			Expect(pod.Spec.ImagePullSecrets).Should(ContainElement(corev1.LocalObjectReference{
 				Name: "registry-credentials",
 			}))
-		})
-
-		It("should inject cluster-trust-bundle", func() {
-			By("applying the deployment")
-			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test3.yaml",
-				"-n", testNamespace1)
-
-			_, err := utils.Run(cmd)
-			Expect(err).NotTo(HaveOccurred())
-
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test3",
-				"--for", "condition=Available",
-				"--namespace", testNamespace1,
-				"--timeout", "20s",
-			)
-
-			_, err = utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
-
-			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test3",
-				"-n", testNamespace1,
-				"-o", "jsonpath={.items[0]}")
-			output, err := utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
-			pod, err := utils.ToPod(output)
-			Expect(err).ShouldNot(HaveOccurred())
-			Expect(pod.Spec.Containers[0].Image).Should(HavePrefix("k8s.gcr.io"))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
+			By("having cluster-trust-bundle volume mounted on pod")
 			Expect(pod.Spec.Containers[0].VolumeMounts).Should(ContainElement(corev1.VolumeMount{
 				Name: "rt-bootstrapper-certs",
 				ReadOnly: true,
 				MountPath: "/etc/ssl/certs",
 			}))
+
+			By("having cluster-trust-bundle volume created on pod")
 			Expect(pod.Spec.Volumes[1].VolumeSource.Projected.Sources).Should(ContainElement(corev1.VolumeProjection{
 				ClusterTrustBundle: &corev1.ClusterTrustBundleProjection{
 					Name: ptr.To("rt-bootstrapper-k3d.test:ctb:1"),
@@ -471,21 +431,21 @@ var _ = Describe("Manager", Ordered, func() {
 				},
 			}))
-			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
-				Name: "registry-credentials",
-			}))
+			By("having 'defaulted' annotation added on pod")
+			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
 		})
-		It("should not modify pod spec", func() {
-			By("applying the deployment")
+		It("should work with all features inactive", func() {
+
+			By("applying the deployment in opt in namespace")
 			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test4.yaml",
+				"-f", "./test/e2e/testdata/test3.yaml",
 				"-n", testNamespace1)
 			_, err := utils.Run(cmd)
 			Expect(err).NotTo(HaveOccurred())
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test4",
+			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test3",
 				"--for", "condition=Available",
 				"--namespace", testNamespace1,
 				"--timeout", "20s",
@@ -495,7 +455,7 @@ var _ = Describe("Manager", Ordered, func() {
 			Expect(err).ShouldNot(HaveOccurred())
 			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test4",
+				"-l", "app=pause-test3",
 				"-n", testNamespace1,
 				"-o", "jsonpath={.items[0]}")
 			output, err := utils.Run(cmd)
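Review bot: The new `It("should work with all features inactive", ...)` in the `@@ -471` hunk opens with `By("applying the deployment in opt in namespace")`, yet it applies test3.yaml, which per the testdata hunk further down now carries no feature annotations, into testNamespace1 and expects the pod to be untouched, so that namespace presumably carries no opt-in annotations either. `By("applying the deployment in a namespace without feature annotations")` describes the step as it actually runs, and the stray blank line added directly after the `It(` line can go. The It body continues into the following hunks.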
@@ -503,12 +463,29 @@ var _ = Describe("Manager", Ordered, func() {
 			pod, err := utils.ToPod(output)
 			Expect(err).ShouldNot(HaveOccurred())
+
+			By("not having registry name replaced on pod")
 			Expect(pod.Spec.Containers[0].Image).Should(HavePrefix("k8s.gcr.io"))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).ShouldNot(Equal("true"))
+
+			By("not having image-pull-secret added on pod")
 			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
 				Name: "registry-credentials",
 			}))
+
+			By("not having cluster-trust-bundle volume mounted on pod")
+			Expect(pod.Spec.Containers[0].VolumeMounts).ShouldNot(ContainElement(corev1.VolumeMount{
+				Name: "rt-bootstrapper-certs",
+				ReadOnly: true,
+				MountPath: "/etc/ssl/certs",
+			}))
+
+			By("not having cluster-trust-bundle volume created on pod")
+			Expect(len(pod.Spec.Volumes)).Should(Equal(1))
+
+			By("not having 'defaulted' annotation added on pod")
+			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(BeEmpty())
 		})
+		// +kubebuilder:scaffold:e2e-webhooks-checks
 	})
 })
diff --git a/test/e2e/testdata/test1.yaml b/test/e2e/testdata/test1.yaml
index bd7a0cc..eaa2f3d 100644
--- a/test/e2e/testdata/test1.yaml
+++ b/test/e2e/testdata/test1.yaml
@@ -11,6 +11,10 @@ spec:
       app: pause-test1
   template:
     metadata:
+      annotations:
+        rt-cfg.kyma-project.io/alter-img-registry: "true"
+        rt-cfg.kyma-project.io/add-img-pull-secret: "true"
+        rt-cfg.kyma-project.io/add-cluster-trust-bundle: "true"
       labels:
         app: pause-test1
     spec:
diff --git a/test/e2e/testdata/test2.yaml b/test/e2e/testdata/test2.yaml
index febff04..016020a 100644
--- a/test/e2e/testdata/test2.yaml
+++ b/test/e2e/testdata/test2.yaml
@@ -11,8 +11,6 @@ spec:
       app: pause-test2
   template:
     metadata:
-      annotations:
-        rt-cfg.kyma-project.io/add-img-pull-secret: "false"
       labels:
         app: pause-test2
     spec:
diff --git a/test/e2e/testdata/test3.yaml b/test/e2e/testdata/test3.yaml
index faee469..c0c6c6f 100644
--- a/test/e2e/testdata/test3.yaml
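Review bot: `Expect(len(pod.Spec.Volumes)).Should(Equal(1))` in the "volume created" step reports only two integers on failure; `Expect(pod.Spec.Volumes).Should(HaveLen(1))` is the idiomatic Gomega form and prints the actual volume list. The count of exactly 1 also bakes in the assumption that an untouched pod carries only the projected service-account token volume, which a comment on that line should state; an assertion on the injected volume's absence, e.g. `Expect(pod.Spec.Volumes).ShouldNot(ContainElement(HaveField("Name", "rt-bootstrapper-certs")))` (assuming the volume is named like its mount, as the mount assertion above suggests), would express the intent without depending on what else the cluster injects. The It block starts above the hunk.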
+++ b/test/e2e/testdata/test3.yaml
@@ -12,8 +12,6 @@ spec:
       app: pause-test3
   template:
     metadata:
-      annotations:
-        rt-cfg.kyma-project.io/add-img-pull-secret: "false"
       labels:
         app: pause-test3
     spec:
diff --git a/test/e2e/testdata/test4.yaml b/test/e2e/testdata/test4.yaml
deleted file mode 100644
index dfd26c0..0000000
--- a/test/e2e/testdata/test4.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: pause-test4
-  namespace: rt-bootstrapper-test1
-  labels:
-    app: pause-test4
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: pause-test4
-  template:
-    metadata:
-      annotations:
-        rt-cfg.kyma-project.io/add-img-pull-secret: "false"
-        rt-cfg.kyma-project.io/add-add-cluster-trust-bundle: "false"
-      labels:
-        app: pause-test4
-    spec:
-      containers:
-      - name: pause
-        image: k8s.gcr.io/pause:latest
-