GitOps for k8s

images_test.go 3.3KB

  1. package kubernetes
  2. import (
  3. "encoding/base64"
  4. "testing"
  5. "github.com/ryanuber/go-glob"
  6. "github.com/stretchr/testify/assert"
  7. apiv1 "k8s.io/api/core/v1"
  8. "k8s.io/client-go/kubernetes/fake"
  9. "github.com/fluxcd/flux/image"
  10. "github.com/fluxcd/flux/registry"
  11. )
  // noopLog is the logging stub handed to mergeCredentials in these tests. It
  // accepts any arguments, discards them and always reports success.
  func noopLog(_ ...interface{}) error { return nil }
  // makeImagePullSecret builds a Secret of type kubernetes.io/dockerconfigjson
  // named name in namespace ns. Its Docker config holds a single "auths" entry
  // for host.
  //
  // The "auth" value is base64("user:passwd"), a fixed dummy credential used
  // only as a test fixture. Base64 is an encoding, not encryption: anyone who
  // can read the Secret can recover the username and password.
  //
  // host is spliced into the JSON text without escaping, so callers must pass a
  // plain registry host name.
  func makeImagePullSecret(ns, name, host string) *apiv1.Secret {
  	encodedAuth := base64.StdEncoding.EncodeToString([]byte("user:passwd"))
  	dockerConfig := `
{
"auths": {
"` + host + `": {
"auth": "` + encodedAuth + `"
}
}
}`

  	secret := &apiv1.Secret{
  		Type: apiv1.SecretTypeDockerConfigJson,
  		Data: map[string][]byte{
  			apiv1.DockerConfigJsonKey: []byte(dockerConfig),
  		},
  	}
  	secret.Namespace = ns
  	secret.Name = name
  	return secret
  }
  // makeServiceAccount builds a ServiceAccount called name in namespace ns that
  // lists each entry of imagePullSecretNames, in order, as an image pull secret.
  // Only the secret names are recorded here, as LocalObjectReferences; the
  // Secret objects themselves are created separately. ImagePullSecrets stays
  // nil when no names are given.
  func makeServiceAccount(ns, name string, imagePullSecretNames []string) *apiv1.ServiceAccount {
  	account := &apiv1.ServiceAccount{}
  	account.Name = name
  	account.Namespace = ns
  	for i := range imagePullSecretNames {
  		pullRef := apiv1.LocalObjectReference{Name: imagePullSecretNames[i]}
  		account.ImagePullSecrets = append(account.ImagePullSecrets, pullRef)
  	}
  	return account
  }
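  // TestMergeCredentials checks that mergeCredentials collects registry
  // credentials from both places a pod template can name them: its own
  // ImagePullSecrets (secret-creds, for docker.io) and the ImagePullSecrets of
  // its service account (secret-sa-creds, for quay.io).
  func TestMergeCredentials(t *testing.T) {
  	ns, secretName1, secretName2 := "foo-ns", "secret-creds", "secret-sa-creds"
  	saName := "service-account"

  	ref, err := image.ParseRef("foo/bar:tag")
  	if err != nil {
  		// Stop here rather than run the assertions against a zero-value ref.
  		t.Fatalf("parsing image ref: %v", err)
  	}

  	spec := apiv1.PodTemplateSpec{
  		Spec: apiv1.PodSpec{
  			ServiceAccountName: saName,
  			ImagePullSecrets: []apiv1.LocalObjectReference{
  				{Name: secretName1},
  			},
  			Containers: []apiv1.Container{
  				{Name: "container1", Image: ref.String()},
  			},
  		},
  	}

  	// The service account and both secrets live in the namespace that is
  	// passed to mergeCredentials below.
  	clientset := fake.NewSimpleClientset(
  		makeServiceAccount(ns, saName, []string{secretName2}),
  		makeImagePullSecret(ns, secretName1, "docker.io"),
  		makeImagePullSecret(ns, secretName2, "quay.io"))
  	client := ExtendedClient{coreClient: clientset}

  	creds := registry.ImageCreds{}

  	// The include filter admits every image, so only credential merging is
  	// under test here.
  	mergeCredentials(noopLog, func(imageName string) bool { return true },
  		client, ns, spec, creds, make(map[string]registry.Credentials))

  	// The image must have an entry, and that entry must cover exactly the two
  	// registry hosts from the fixtures. Only host names are compared; the
  	// decoded username and password are not asserted.
  	assert.Contains(t, creds, ref.Name)
  	c := creds[ref.Name]
  	hosts := c.Hosts()
  	assert.ElementsMatch(t, []string{"docker.io", "quay.io"}, hosts)
  }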
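  // TestMergeCredentials_ImageExclusion checks that mergeCredentials honours the
  // include filter: images the filter rejects must get no entry in the resulting
  // credentials map, whether they appear as init containers or as regular
  // containers, while an image the filter accepts must get one.
  func TestMergeCredentials_ImageExclusion(t *testing.T) {
  	creds := registry.ImageCreds{}

  	// A failed parse would leave a zero-value ref and make the assertions
  	// below meaningless, so each one is checked.
  	gcrImage, err := image.ParseRef("gcr.io/foo/bar:tag")
  	if err != nil {
  		t.Fatalf("parsing gcr.io image ref: %v", err)
  	}
  	k8sImage, err := image.ParseRef("k8s.gcr.io/foo/bar:tag")
  	if err != nil {
  		t.Fatalf("parsing k8s.gcr.io image ref: %v", err)
  	}
  	testImage, err := image.ParseRef("docker.io/test/bar:tag")
  	if err != nil {
  		t.Fatalf("parsing docker.io image ref: %v", err)
  	}

  	spec := apiv1.PodTemplateSpec{
  		Spec: apiv1.PodSpec{
  			InitContainers: []apiv1.Container{
  				{Name: "container1", Image: testImage.String()},
  			},
  			Containers: []apiv1.Container{
  				{Name: "container1", Image: k8sImage.String()},
  				{Name: "container2", Image: gcrImage.String()},
  			},
  		},
  	}

  	// The fake cluster holds no secrets or service accounts, so an entry for
  	// the gcr.io image can only come from it passing the filter.
  	clientset := fake.NewSimpleClientset()
  	client := ExtendedClient{coreClient: clientset}

  	// "*test*" rejects any name containing "test"; "k8s.gcr.io/*" rejects
  	// everything under that registry host.
  	excluded := []string{"k8s.gcr.io/*", "*test*"}
  	includeImage := func(imageName string) bool {
  		for _, pattern := range excluded {
  			if glob.Glob(pattern, imageName) {
  				return false
  			}
  		}
  		return true
  	}

  	mergeCredentials(noopLog, includeImage, client, "default", spec, creds,
  		make(map[string]registry.Credentials))

  	// The init container's image matches "*test*" and must be absent.
  	assert.NotContains(t, creds, testImage.Name)
  	// The k8s.gcr.io image matches "k8s.gcr.io/*" and must be absent.
  	assert.NotContains(t, creds, k8sImage.Name)
  	// The gcr.io image matches neither pattern and must be present.
  	assert.Contains(t, creds, gcrImage.Name)
  }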