Skip to content

Commit 1cb6793

Browse files
k8s-ci-robotk8s-ci-robot
authored
Merge pull request kubernetes#121262 from my-git9/ut-tlsbootstrap
kubeadm: increase ut coverage for bootstraptoken/node
2 parents 478c934 + e312d93 commit 1cb6793

File tree

1 file changed

+301
-0
lines changed

1 file changed

+301
-0
lines changed

cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap_test.go

Lines changed: 301 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,301 @@
1+
/*
2+
Copyright 2023 The Kubernetes Authors.
3+
4+
Licensed under the Apache License, Version 2.0 (the "License");
5+
you may not use this file except in compliance with the License.
6+
You may obtain a copy of the License at
7+
8+
http://www.apache.org/licenses/LICENSE-2.0
9+
10+
Unless required by applicable law or agreed to in writing, software
11+
distributed under the License is distributed on an "AS IS" BASIS,
12+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
See the License for the specific language governing permissions and
14+
limitations under the License.
15+
*/
16+
17+
package node
18+
19+
import (
20+
"context"
21+
"testing"
22+
23+
rbac "k8s.io/api/rbac/v1"
24+
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
25+
clientset "k8s.io/client-go/kubernetes"
26+
clientsetfake "k8s.io/client-go/kubernetes/fake"
27+
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
28+
)
29+
30+
func TestAllowBootstrapTokensToPostCSRs(t *testing.T) {
31+
tests := []struct {
32+
name string
33+
client clientset.Interface
34+
}{
35+
{
36+
name: "ClusterRoleBindings is empty",
37+
client: clientsetfake.NewSimpleClientset(),
38+
},
39+
{
40+
name: "ClusterRoleBindings already exists",
41+
client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{
42+
ObjectMeta: metav1.ObjectMeta{
43+
Name: constants.NodeKubeletBootstrap,
44+
},
45+
RoleRef: rbac.RoleRef{
46+
APIGroup: rbac.GroupName,
47+
Kind: "ClusterRole",
48+
Name: constants.NodeBootstrapperClusterRoleName,
49+
},
50+
Subjects: []rbac.Subject{
51+
{
52+
Kind: rbac.GroupKind,
53+
Name: constants.NodeBootstrapTokenAuthGroup,
54+
},
55+
},
56+
}),
57+
},
58+
{
59+
name: "Create new ClusterRoleBindings",
60+
client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{
61+
ObjectMeta: metav1.ObjectMeta{
62+
Name: constants.NodeKubeletBootstrap,
63+
},
64+
RoleRef: rbac.RoleRef{
65+
APIGroup: rbac.GroupName,
66+
Kind: "ClusterRole",
67+
Name: constants.NodeBootstrapperClusterRoleName,
68+
},
69+
Subjects: []rbac.Subject{
70+
{
71+
Kind: rbac.GroupKind,
72+
Name: constants.KubeProxyClusterRoleName,
73+
},
74+
},
75+
}),
76+
},
77+
}
78+
for _, tt := range tests {
79+
t.Run(tt.name, func(t *testing.T) {
80+
if err := AllowBootstrapTokensToPostCSRs(tt.client); err != nil {
81+
t.Errorf("AllowBootstrapTokensToPostCSRs() return error = %v", err)
82+
}
83+
})
84+
}
85+
}
86+
87+
func TestAutoApproveNodeBootstrapTokens(t *testing.T) {
88+
tests := []struct {
89+
name string
90+
client clientset.Interface
91+
}{
92+
{
93+
name: "ClusterRoleBindings is empty",
94+
client: clientsetfake.NewSimpleClientset(),
95+
},
96+
{
97+
name: "ClusterRoleBindings already exists",
98+
client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{
99+
ObjectMeta: metav1.ObjectMeta{
100+
Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
101+
},
102+
RoleRef: rbac.RoleRef{
103+
APIGroup: rbac.GroupName,
104+
Kind: "ClusterRole",
105+
Name: constants.CSRAutoApprovalClusterRoleName,
106+
},
107+
Subjects: []rbac.Subject{
108+
{
109+
Kind: rbac.GroupKind,
110+
Name: constants.NodeBootstrapTokenAuthGroup,
111+
},
112+
},
113+
}),
114+
},
115+
{
116+
name: "Create new ClusterRoleBindings",
117+
client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{
118+
ObjectMeta: metav1.ObjectMeta{
119+
Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
120+
},
121+
RoleRef: rbac.RoleRef{
122+
APIGroup: rbac.GroupName,
123+
Kind: "ClusterRole",
124+
Name: constants.NodeSelfCSRAutoApprovalClusterRoleName,
125+
},
126+
Subjects: []rbac.Subject{
127+
{
128+
Kind: rbac.GroupKind,
129+
Name: constants.NodeBootstrapTokenAuthGroup,
130+
},
131+
},
132+
}),
133+
},
134+
}
135+
for _, tt := range tests {
136+
t.Run(tt.name, func(t *testing.T) {
137+
if err := AutoApproveNodeBootstrapTokens(tt.client); err != nil {
138+
t.Errorf("AutoApproveNodeBootstrapTokens() return error = %v", err)
139+
}
140+
})
141+
}
142+
}
143+
144+
func TestAutoApproveNodeCertificateRotation(t *testing.T) {
145+
tests := []struct {
146+
name string
147+
client clientset.Interface
148+
}{
149+
{
150+
name: "ClusterRoleBindings is empty",
151+
client: clientsetfake.NewSimpleClientset(),
152+
},
153+
{
154+
name: "ClusterRoleBindings already exists",
155+
client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{
156+
ObjectMeta: metav1.ObjectMeta{
157+
Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding,
158+
},
159+
RoleRef: rbac.RoleRef{
160+
APIGroup: rbac.GroupName,
161+
Kind: "ClusterRole",
162+
Name: constants.NodeSelfCSRAutoApprovalClusterRoleName,
163+
},
164+
Subjects: []rbac.Subject{
165+
{
166+
Kind: rbac.GroupKind,
167+
Name: constants.NodesGroup,
168+
},
169+
},
170+
}),
171+
},
172+
{
173+
name: "Create new ClusterRoleBindings",
174+
client: newMockClusterRoleBinddingClientForTest(t, &rbac.ClusterRoleBinding{
175+
ObjectMeta: metav1.ObjectMeta{
176+
Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding,
177+
},
178+
RoleRef: rbac.RoleRef{
179+
APIGroup: rbac.GroupName,
180+
Kind: "ClusterRole",
181+
Name: constants.NodeSelfCSRAutoApprovalClusterRoleName,
182+
},
183+
Subjects: []rbac.Subject{
184+
{
185+
Kind: rbac.GroupKind,
186+
Name: constants.NodeBootstrapTokenAuthGroup,
187+
},
188+
},
189+
}),
190+
},
191+
}
192+
for _, tt := range tests {
193+
t.Run(tt.name, func(t *testing.T) {
194+
if err := AutoApproveNodeCertificateRotation(tt.client); err != nil {
195+
t.Errorf("AutoApproveNodeCertificateRotation() return error = %v", err)
196+
}
197+
})
198+
}
199+
}
200+
201+
func TestAllowBoostrapTokensToGetNodes(t *testing.T) {
202+
tests := []struct {
203+
name string
204+
client clientset.Interface
205+
}{
206+
{
207+
name: "RBAC rules are empty",
208+
client: clientsetfake.NewSimpleClientset(),
209+
},
210+
{
211+
name: "RBAC rules already exists",
212+
client: newMockRbacClientForTest(t, &rbac.ClusterRole{
213+
ObjectMeta: metav1.ObjectMeta{
214+
Name: constants.GetNodesClusterRoleName,
215+
},
216+
Rules: []rbac.PolicyRule{
217+
{
218+
Verbs: []string{"get"},
219+
APIGroups: []string{""},
220+
Resources: []string{"nodes"},
221+
},
222+
},
223+
}, &rbac.ClusterRoleBinding{
224+
ObjectMeta: metav1.ObjectMeta{
225+
Name: constants.GetNodesClusterRoleName,
226+
},
227+
RoleRef: rbac.RoleRef{
228+
APIGroup: rbac.GroupName,
229+
Kind: "ClusterRole",
230+
Name: constants.GetNodesClusterRoleName,
231+
},
232+
Subjects: []rbac.Subject{
233+
{
234+
Kind: rbac.GroupKind,
235+
Name: constants.NodeBootstrapTokenAuthGroup,
236+
},
237+
},
238+
}),
239+
},
240+
{
241+
name: "Create new RBAC rules",
242+
client: newMockRbacClientForTest(t, &rbac.ClusterRole{
243+
ObjectMeta: metav1.ObjectMeta{
244+
Name: constants.GetNodesClusterRoleName,
245+
},
246+
Rules: []rbac.PolicyRule{
247+
{
248+
Verbs: []string{"create"},
249+
APIGroups: []string{""},
250+
Resources: []string{"nodes"},
251+
},
252+
},
253+
}, &rbac.ClusterRoleBinding{
254+
ObjectMeta: metav1.ObjectMeta{
255+
Name: constants.GetNodesClusterRoleName,
256+
},
257+
RoleRef: rbac.RoleRef{
258+
APIGroup: rbac.GroupName,
259+
Kind: "ClusterRole",
260+
Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
261+
},
262+
Subjects: []rbac.Subject{
263+
{
264+
Kind: rbac.GroupKind,
265+
Name: constants.NodeBootstrapTokenAuthGroup,
266+
},
267+
},
268+
}),
269+
},
270+
}
271+
for _, tt := range tests {
272+
t.Run(tt.name, func(t *testing.T) {
273+
if err := AllowBoostrapTokensToGetNodes(tt.client); err != nil {
274+
t.Errorf("AllowBoostrapTokensToGetNodes() return error = %v", err)
275+
}
276+
})
277+
}
278+
}
279+
280+
func newMockClusterRoleBinddingClientForTest(t *testing.T, clusterRoleBinding *rbac.ClusterRoleBinding) *clientsetfake.Clientset {
281+
client := clientsetfake.NewSimpleClientset()
282+
_, err := client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{})
283+
284+
if err != nil {
285+
t.Fatalf("error creating ClusterRoleBindings: %v", err)
286+
}
287+
return client
288+
}
289+
290+
func newMockRbacClientForTest(t *testing.T, clusterRole *rbac.ClusterRole, clusterRoleBinding *rbac.ClusterRoleBinding) *clientsetfake.Clientset {
291+
client := clientsetfake.NewSimpleClientset()
292+
_, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{})
293+
if err != nil {
294+
t.Fatalf("error creating ClusterRoles: %v", err)
295+
}
296+
_, err = client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{})
297+
if err != nil {
298+
t.Fatalf("error creating ClusterRoleBindings: %v", err)
299+
}
300+
return client
301+
}

0 commit comments

Comments
 (0)