Merge pull request #44 from uswitch/airship-2513-job-tests

AIRSHIP-2513 Job-mode Tests

.drone.yml

@@ -1,21 +1,13 @@
-workspace:
-  base: /go
-  path: src/github.com/uswitch/vault-webhook
-
 pipeline:
   test:
     image: golang:1.18
-    environment:
-      - GO111MODULE=on    
     commands:
-      - go test -v -cover $(go list ./... | grep -v /vendor)
+      - make test
 
   build:
     image: golang:1.18
-    environment:
-      - GO111MODULE=on
     commands:
-      - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o bin/vault-webhook
+      - make bin/vault-webhook-linux-amd64
 
   docker-branch:
     image: plugins/docker

.gitignore

@@ -1,3 +1,4 @@
 bin/
 deploy/
 skaffold.yaml
+cover.out

Dockerfile

@@ -1,5 +1,7 @@
-FROM scratch
+FROM gcr.io/distroless/static:nonroot
 
-ADD bin/vault-webhook vault-webhook
+WORKDIR /
+COPY bin/vault-webhook-linux-amd64 vault-webhook
+USER nonroot:nonroot
 
 ENTRYPOINT ["/vault-webhook"]

Makefile

@@ -0,0 +1,39 @@
+APP  = vault-webhook
+
+ARCH = amd64
+BIN  = bin/$(APP)
+BIN_LINUX  = $(BIN)-linux-$(ARCH)
+BIN_DARWIN = $(BIN)-darwin-$(ARCH)
+IMAGE   = localhost/$(APP)
+
+SOURCES = $(shell find . -type f -iname "*.go")
+
+.PHONY: all build vet fmt test run image clean private
+
+all: test build
+
+$(BIN_DARWIN): $(SOURCES)
+	GOARCH=$(ARCH) GOOS=darwin go build -o $(BIN_DARWIN)
+
+$(BIN_LINUX): $(SOURCES)
+	GOARCH=$(ARCH) GOOS=linux CGO_ENABLED=0 go build -o $(BIN_LINUX)
+
+build: $(BIN_DARWIN) $(BIN_LINUX) fmt vet
+
+vet:
+	go vet ./...
+
+fmt:
+	go fmt ./...
+
+test: fmt vet
+	go test ./... -coverprofile cover.out
+
+image: Dockerfile $(BIN_LINUX)
+	docker image build -t $(IMAGE) .
+
+run-image: image
+	docker run --rm -ti $(IMAGE)
+
+clean:
+	rm -rf bin/

main.go

@@ -4,9 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"net/http"
-	"os"
-	"time"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	log "github.com/sirupsen/logrus"
@@ -15,6 +12,9 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/sample-controller/pkg/signals"
+	"net/http"
+	"os"
+	"time"
 )
 
 var (

vault_test.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"strings"
 	"testing"
 
 	"k8s.io/api/core/v1"
@@ -103,3 +104,82 @@ func TestAddVaultPatch(t *testing.T) {
 	}
 
 }
+
+func makePodOwnedByKind(ownerKind string) *v1.Pod {
+	return &v1.Pod{
+		Spec: v1.PodSpec{Containers: []v1.Container{v1.Container{}}},
+		ObjectMeta: metav1.ObjectMeta{
+			OwnerReferences: []metav1.OwnerReference{
+				metav1.OwnerReference{
+					Kind: ownerKind,
+				},
+			},
+		},
+	}
+}
+
+func vaultContainers(containers []v1.Container) []v1.Container {
+	var vc []v1.Container
+	for _, container := range containers {
+		if strings.HasPrefix(container.Name, "vault-creds-") {
+			vc = append(vc, container)
+		}
+	}
+
+	return vc
+}
+
+func containersForPatch(patchOps []patchOperation) []v1.Container {
+	for _, patch := range patchOps {
+		if patch.Path == "/spec/containers" {
+			return patch.Value.([]v1.Container)
+		}
+	}
+	return []v1.Container{}
+}
+
+func checkJobFlagExists(container v1.Container) bool {
+	for _, arg := range container.Args {
+		if arg == "--job" {
+			return true
+		}
+	}
+	return false
+}
+
+func TestVaultJobMode(t *testing.T) {
+	kindTestCases := map[string]bool{
+		"Job":        true,
+		"Workflow":   true,
+		"Deployment": false,
+		"FooBar":     false,
+	}
+
+	testNamespace := "testNamespace"
+	testDatabases := []database{
+		{database: "foo", role: "bar"},
+	}
+
+	for kind, shouldExist := range kindTestCases {
+		t.Run(kind, func(t *testing.T) {
+			pod := makePodOwnedByKind(kind)
+			patchOps := addVault(pod, testNamespace, testDatabases)
+			if len(patchOps) < 1 {
+				t.Error("no patch operations returned from addVault function")
+				return
+			}
+
+			containers := vaultContainers(containersForPatch(patchOps))
+			if len(containers) != 1 {
+				t.Errorf("incorrect number of vault sidecars in patch operation, expected=1, received=%d", len(containers))
+			}
+
+			for _, c := range containers {
+				jobFlagExists := checkJobFlagExists(c)
+				if jobFlagExists != shouldExist {
+					t.Errorf("job flag state incorrect for king=%q, expected=%t, received=%t", kind, shouldExist, jobFlagExists)
+				}
+			}
+		})
+	}
+}