Update unit tests

Signed-off-by: perdasilva <[email protected]>
Upstream-repository: perdasilva
Upstream-commit: fd1011590bdd0fb1200188bb26bffb76020a0024

Author: perdasilva

staging/operator-lifecycle-manager/pkg/controller/install/certresources.go

@@ -46,7 +46,8 @@ const (
 	OLMManagedLabelValue = "true"
 
 	// service deletion timeout
-	serviceDeletionTimeout = 3 * time.Minute
+	serviceDeletionTimeout                = 3 * time.Minute
+	defaultServiceDeletionPollingInterval = 5 * time.Second
 )
 
 type certResource interface {
@@ -265,7 +266,7 @@ func (i *StrategyDeploymentInstaller) installCertRequirementsForDeployment(deplo
 		service.SetOwnerReferences(existingService.GetOwnerReferences())
 
 		// Delete the Service to replace
-		if err := i.deleteServiceWithTimeout(existingService, serviceDeletionTimeout); err != nil {
+		if err := i.deleteServiceWithTimeout(service, serviceDeletionTimeout); err != nil {
 			return nil, nil, err
 		}
 	}
@@ -546,8 +547,7 @@ func (i *StrategyDeploymentInstaller) deleteServiceWithTimeout(service *corev1.S
 	timeout, cancelFn := context.WithTimeout(context.Background(), deletionTimeout)
 	defer cancelFn()
 
-	const pollingInterval = 5 * time.Second
-	err := wait.PollImmediateInfiniteWithContext(timeout, pollingInterval, func(ctx context.Context) (bool, error) {
+	err := wait.PollImmediateInfiniteWithContext(timeout, i.serviceDeletionPollingInterval, func(ctx context.Context) (bool, error) {
 		// try to delete service
 		err := i.strategyClient.GetOpClient().DeleteService(service.GetNamespace(), service.GetName(), &metav1.DeleteOptions{})
 		if err != nil {
@@ -558,7 +558,8 @@ func (i *StrategyDeploymentInstaller) deleteServiceWithTimeout(service *corev1.S
 		}
 
 		// ensure it is deleted
-		_, err = i.strategyClient.GetOpLister().CoreV1().ServiceLister().Services(i.owner.GetNamespace()).Get(service.GetName())
+		_, err = i.strategyClient.GetOpClient().GetService(i.owner.GetNamespace(), service.GetName())
+		// _, err = i.strategyClient.GetOpLister().CoreV1().ServiceLister().Services(i.owner.GetNamespace()).Get(service.GetName())
 
 		// successfully deleted
 		if err != nil && apierrors.IsNotFound(err) {

staging/operator-lifecycle-manager/pkg/controller/install/certresources_test.go

@@ -165,6 +165,7 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 						Selector: selector(t, "test=label").MatchLabels,
 					},
 				}
+				mockOpClient.EXPECT().GetService("", "test-service").Return(nil, errors.NewNotFound(corev1.Resource("service"), "test-service"))
 				mockOpClient.EXPECT().CreateService(&service).Return(&service, nil)
 
 				hosts := []string{
@@ -389,6 +390,8 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 						Selector: selector(t, "test=label").MatchLabels,
 					},
 				}
+
+				mockOpClient.EXPECT().GetService(namespace, "test-service").Return(nil, errors.NewNotFound(corev1.Resource("service"), "test-service"))
 				mockOpClient.EXPECT().CreateService(&service).Return(&service, nil)
 
 				hosts := []string{
@@ -606,6 +609,8 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 						Selector: selector(t, "test=label").MatchLabels,
 					},
 				}
+
+				mockOpClient.EXPECT().GetService(namespace, "test-service").Return(nil, errors.NewNotFound(corev1.Resource("service"), "test-service"))
 				mockOpClient.EXPECT().CreateService(&service).Return(&service, nil)
 
 				hosts := []string{
@@ -825,6 +830,239 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "retries deletion if service is still present",
+			mockExternal: func(mockOpClient *operatorclientmocks.MockClientInterface, fakeLister *operatorlisterfakes.FakeOperatorLister, namespace string, args args) {
+				mockOpClient.EXPECT().DeleteService(namespace, "test-service", &metav1.DeleteOptions{}).Return(nil)
+				service := corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test-service",
+						OwnerReferences: []metav1.OwnerReference{
+							ownerutil.NonBlockingOwner(&v1alpha1.ClusterServiceVersion{}),
+						},
+					},
+					Spec: corev1.ServiceSpec{
+						Ports:    args.ports,
+						Selector: selector(t, "test=label").MatchLabels,
+					},
+				}
+				mockOpClient.EXPECT().GetService(namespace, "test-service").Return(&service, nil)
+
+				// retry
+				mockOpClient.EXPECT().DeleteService(namespace, "test-service", &metav1.DeleteOptions{}).Return(nil)
+				mockOpClient.EXPECT().GetService(namespace, "test-service").Return(&service, nil)
+				mockOpClient.EXPECT().DeleteService(namespace, "test-service", &metav1.DeleteOptions{}).Return(nil)
+
+				// done
+				mockOpClient.EXPECT().GetService(namespace, "test-service").Return(nil, errors.NewNotFound(corev1.Resource("service"), "test-service"))
+
+				mockOpClient.EXPECT().CreateService(&service).Return(&service, nil)
+
+				hosts := []string{
+					fmt.Sprintf("%s.%s", service.GetName(), namespace),
+					fmt.Sprintf("%s.%s.svc", service.GetName(), namespace),
+				}
+				servingPair, err := certGenerator.Generate(args.rotateAt, Organization, args.ca, hosts)
+				require.NoError(t, err)
+
+				// Create Secret for serving cert
+				certPEM, privPEM, err := servingPair.ToPEM()
+				require.NoError(t, err)
+
+				secret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:        "test-service-cert",
+						Namespace:   namespace,
+						Annotations: map[string]string{OLMCAHashAnnotationKey: caHash},
+						Labels:      map[string]string{OLMManagedLabelKey: OLMManagedLabelValue},
+					},
+					Data: map[string][]byte{
+						"tls.crt":   certPEM,
+						"tls.key":   privPEM,
+						OLMCAPEMKey: caPEM,
+					},
+					Type: corev1.SecretTypeTLS,
+				}
+				mockOpClient.EXPECT().UpdateSecret(secret).Return(secret, nil)
+
+				secretRole := &rbacv1.Role{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      secret.GetName(),
+						Namespace: namespace,
+					},
+					Rules: []rbacv1.PolicyRule{
+						{
+							Verbs:         []string{"get"},
+							APIGroups:     []string{""},
+							Resources:     []string{"secrets"},
+							ResourceNames: []string{secret.GetName()},
+						},
+					},
+				}
+				mockOpClient.EXPECT().UpdateRole(secretRole).Return(secretRole, nil)
+
+				roleBinding := &rbacv1.RoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      secret.GetName(),
+						Namespace: namespace,
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      "test-sa",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "Role",
+						Name:     secretRole.GetName(),
+					},
+				}
+				mockOpClient.EXPECT().UpdateRoleBinding(roleBinding).Return(roleBinding, nil)
+
+				authDelegatorClusterRoleBinding := &rbacv1.ClusterRoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: service.GetName() + "-system:auth-delegator",
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      "test-sa",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "ClusterRole",
+						Name:     "system:auth-delegator",
+					},
+				}
+
+				mockOpClient.EXPECT().UpdateClusterRoleBinding(authDelegatorClusterRoleBinding).Return(authDelegatorClusterRoleBinding, nil)
+
+				authReaderRoleBinding := &rbacv1.RoleBinding{
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      "ServiceAccount",
+							APIGroup:  "",
+							Name:      args.depSpec.Template.Spec.ServiceAccountName,
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						APIGroup: "rbac.authorization.k8s.io",
+						Kind:     "Role",
+						Name:     "extension-apiserver-authentication-reader",
+					},
+				}
+				authReaderRoleBinding.SetName(service.GetName() + "-auth-reader")
+				authReaderRoleBinding.SetNamespace(KubeSystem)
+
+				mockOpClient.EXPECT().UpdateRoleBinding(authReaderRoleBinding).Return(authReaderRoleBinding, nil)
+			},
+			state: fakeState{
+				existingService: &corev1.Service{
+					ObjectMeta: metav1.ObjectMeta{
+						OwnerReferences: []metav1.OwnerReference{
+							ownerutil.NonBlockingOwner(&v1alpha1.ClusterServiceVersion{}),
+						},
+					},
+				},
+				existingSecret: &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+				existingRole: &rbacv1.Role{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+				existingRoleBinding: &rbacv1.RoleBinding{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+				existingClusterRoleBinding: &rbacv1.ClusterRoleBinding{
+					ObjectMeta: metav1.ObjectMeta{},
+				},
+			},
+			fields: fields{
+				owner:                  &v1alpha1.ClusterServiceVersion{},
+				previousStrategy:       nil,
+				templateAnnotations:    nil,
+				initializers:           nil,
+				apiServiceDescriptions: []certResource{},
+				webhookDescriptions:    []certResource{},
+			},
+			args: args{
+				deploymentName: "test",
+				ca:             ca,
+				rotateAt:       time.Now().Add(time.Hour),
+				ports:          []corev1.ServicePort{},
+				depSpec: appsv1.DeploymentSpec{
+					Selector: selector(t, "test=label"),
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							ServiceAccountName: "test-sa",
+						},
+						ObjectMeta: metav1.ObjectMeta{
+							Annotations: map[string]string{
+								"foo": "bar",
+							},
+						},
+					},
+				},
+			},
+			want: &appsv1.DeploymentSpec{
+				Selector: selector(t, "test=label"),
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							"foo":                  "bar",
+							OLMCAHashAnnotationKey: caHash},
+					},
+					Spec: corev1.PodSpec{
+						ServiceAccountName: "test-sa",
+						Volumes: []corev1.Volume{
+							{
+								Name: "apiservice-cert",
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: "test-service-cert",
+										Items: []corev1.KeyToPath{
+											{
+												Key:  "tls.crt",
+												Path: "apiserver.crt",
+											},
+											{
+												Key:  "tls.key",
+												Path: "apiserver.key",
+											},
+										},
+									},
+								},
+							},
+							{
+								Name: "webhook-cert",
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName: "test-service-cert",
+										Items: []corev1.KeyToPath{
+											{
+												Key:  "tls.crt",
+												Path: "tls.crt",
+											},
+											{
+												Key:  "tls.key",
+												Path: "tls.key",
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -839,13 +1077,14 @@ func TestInstallCertRequirementsForDeployment(t *testing.T) {
 
 			client := wrappers.NewInstallStrategyDeploymentClient(mockOpClient, fakeLister, tt.fields.owner.GetNamespace())
 			i := &StrategyDeploymentInstaller{
-				strategyClient:         client,
-				owner:                  tt.fields.owner,
-				previousStrategy:       tt.fields.previousStrategy,
-				templateAnnotations:    tt.fields.templateAnnotations,
-				initializers:           tt.fields.initializers,
-				apiServiceDescriptions: tt.fields.apiServiceDescriptions,
-				webhookDescriptions:    tt.fields.webhookDescriptions,
+				strategyClient:                 client,
+				owner:                          tt.fields.owner,
+				previousStrategy:               tt.fields.previousStrategy,
+				templateAnnotations:            tt.fields.templateAnnotations,
+				initializers:                   tt.fields.initializers,
+				apiServiceDescriptions:         tt.fields.apiServiceDescriptions,
+				webhookDescriptions:            tt.fields.webhookDescriptions,
+				serviceDeletionPollingInterval: shortDeletionPollingInterval,
 			}
 			got, _, err := i.installCertRequirementsForDeployment(tt.args.deploymentName, tt.args.ca, tt.args.rotateAt, tt.args.depSpec, tt.args.ports)
 			if (err != nil) != tt.wantErr {

staging/operator-lifecycle-manager/pkg/controller/install/deployment.go

@@ -23,15 +23,16 @@ import (
 const DeploymentSpecHashLabelKey = "olm.deployment-spec-hash"
 
 type StrategyDeploymentInstaller struct {
-	strategyClient            wrappers.InstallStrategyDeploymentInterface
-	owner                     ownerutil.Owner
-	previousStrategy          Strategy
-	templateAnnotations       map[string]string
-	initializers              DeploymentInitializerFuncChain
-	apiServiceDescriptions    []certResource
-	webhookDescriptions       []certResource
-	certificateExpirationTime time.Time
-	certificatesRotated       bool
+	strategyClient                 wrappers.InstallStrategyDeploymentInterface
+	owner                          ownerutil.Owner
+	previousStrategy               Strategy
+	templateAnnotations            map[string]string
+	initializers                   DeploymentInitializerFuncChain
+	apiServiceDescriptions         []certResource
+	webhookDescriptions            []certResource
+	certificateExpirationTime      time.Time
+	certificatesRotated            bool
+	serviceDeletionPollingInterval time.Duration
 }
 
 var _ Strategy = &v1alpha1.StrategyDetailsDeployment{}
@@ -68,7 +69,7 @@ func (c DeploymentInitializerFuncChain) Apply(deployment *appsv1.Deployment) (er
 // the given context.
 type DeploymentInitializerBuilderFunc func(owner ownerutil.Owner) DeploymentInitializerFunc
 
-func NewStrategyDeploymentInstaller(strategyClient wrappers.InstallStrategyDeploymentInterface, templateAnnotations map[string]string, owner ownerutil.Owner, previousStrategy Strategy, initializers DeploymentInitializerFuncChain, apiServiceDescriptions []v1alpha1.APIServiceDescription, webhookDescriptions []v1alpha1.WebhookDescription) StrategyInstaller {
+func NewStrategyDeploymentInstaller(strategyClient wrappers.InstallStrategyDeploymentInterface, templateAnnotations map[string]string, owner ownerutil.Owner, previousStrategy Strategy, initializers DeploymentInitializerFuncChain, apiServiceDescriptions []v1alpha1.APIServiceDescription, webhookDescriptions []v1alpha1.WebhookDescription, serviceDeletionPollingInterval time.Duration) StrategyInstaller {
 	apiDescs := make([]certResource, len(apiServiceDescriptions))
 	for i := range apiServiceDescriptions {
 		apiDescs[i] = &apiServiceDescriptionsWithCAPEM{apiServiceDescriptions[i], []byte{}}
@@ -80,15 +81,16 @@ func NewStrategyDeploymentInstaller(strategyClient wrappers.InstallStrategyDeplo
 	}
 
 	return &StrategyDeploymentInstaller{
-		strategyClient:            strategyClient,
-		owner:                     owner,
-		previousStrategy:          previousStrategy,
-		templateAnnotations:       templateAnnotations,
-		initializers:              initializers,
-		apiServiceDescriptions:    apiDescs,
-		webhookDescriptions:       webhookDescs,
-		certificatesRotated:       false,
-		certificateExpirationTime: time.Time{},
+		strategyClient:                 strategyClient,
+		owner:                          owner,
+		previousStrategy:               previousStrategy,
+		templateAnnotations:            templateAnnotations,
+		initializers:                   initializers,
+		apiServiceDescriptions:         apiDescs,
+		webhookDescriptions:            webhookDescs,
+		certificatesRotated:            false,
+		certificateExpirationTime:      time.Time{},
+		serviceDeletionPollingInterval: serviceDeletionPollingInterval,
 	}
 }