talos/internal/app/machined/pkg/controllers/kubeaccess/config_test.go

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

package kubeaccess_test

import (
	"testing"
	"time"

	"github.com/cosi-project/runtime/pkg/resource"
	"github.com/siderolabs/go-pointer"
	"github.com/siderolabs/go-retry/retry"
	"github.com/stretchr/testify/suite"

	kubeaccessctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/kubeaccess"
	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1/machine"
	"github.com/siderolabs/talos/pkg/machinery/resources/config"
	"github.com/siderolabs/talos/pkg/machinery/resources/kubeaccess"
)

type ConfigSuite struct {
	KubeaccessSuite
}

func (suite *ConfigSuite) TestReconcileConfig() {
	suite.Require().NoError(suite.runtime.RegisterController(&kubeaccessctrl.ConfigController{}))

	suite.startRuntime()

	machineType := config.NewMachineType()
	machineType.SetMachineType(machine.TypeControlPlane)

	suite.Require().NoError(suite.state.Create(suite.ctx, machineType))

	cfg := config.NewMachineConfig(&v1alpha1.Config{
		ConfigVersion: "v1alpha1",
		MachineConfig: &v1alpha1.MachineConfig{
			MachineFeatures: &v1alpha1.FeaturesConfig{
				KubernetesTalosAPIAccessConfig: &v1alpha1.KubernetesTalosAPIAccessConfig{
					AccessEnabled:                     pointer.To(true),
					AccessAllowedRoles:                []string{"os:admin"},
					AccessAllowedKubernetesNamespaces: []string{"kube-system"},
				},
			},
		},
	})

	suite.Require().NoError(suite.state.Create(suite.ctx, cfg))

	specMD := resource.NewMetadata(config.NamespaceName, kubeaccess.ConfigType, kubeaccess.ConfigID, resource.VersionUndefined)

	suite.Assert().NoError(retry.Constant(3*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
		suite.assertResource(
			specMD,
			func(res resource.Resource) error {
				spec := res.(*kubeaccess.Config).TypedSpec()

				suite.Assert().True(spec.Enabled)
				suite.Assert().Equal([]string{"os:admin"}, spec.AllowedAPIRoles)
				suite.Assert().Equal([]string{"kube-system"}, spec.AllowedKubernetesNamespaces)

				return nil
			},
		),
	))
}

func (suite *ConfigSuite) TestReconcileDisabled() {
	suite.Require().NoError(suite.runtime.RegisterController(&kubeaccessctrl.ConfigController{}))

	suite.startRuntime()

	machineType := config.NewMachineType()
	machineType.SetMachineType(machine.TypeInit)

	suite.Require().NoError(suite.state.Create(suite.ctx, machineType))

	cfg := config.NewMachineConfig(&v1alpha1.Config{
		ConfigVersion: "v1alpha1",
		MachineConfig: &v1alpha1.MachineConfig{},
	})

	suite.Require().NoError(suite.state.Create(suite.ctx, cfg))

	specMD := resource.NewMetadata(config.NamespaceName, kubeaccess.ConfigType, kubeaccess.ConfigID, resource.VersionUndefined)

	suite.Assert().NoError(retry.Constant(3*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
		suite.assertResource(
			specMD,
			func(res resource.Resource) error {
				spec := res.(*kubeaccess.Config).TypedSpec()

				suite.Assert().False(spec.Enabled)
				suite.Assert().Empty(spec.AllowedAPIRoles)
				suite.Assert().Empty(spec.AllowedKubernetesNamespaces)

				return nil
			},
		),
	))
}

func (suite *ConfigSuite) TestReconcileWorker() {
	suite.Require().NoError(suite.runtime.RegisterController(&kubeaccessctrl.ConfigController{}))

	suite.startRuntime()

	machineType := config.NewMachineType()
	machineType.SetMachineType(machine.TypeWorker)

	suite.Require().NoError(suite.state.Create(suite.ctx, machineType))

	cfg := config.NewMachineConfig(&v1alpha1.Config{
		ConfigVersion: "v1alpha1",
		MachineConfig: &v1alpha1.MachineConfig{
			MachineFeatures: &v1alpha1.FeaturesConfig{
				KubernetesTalosAPIAccessConfig: &v1alpha1.KubernetesTalosAPIAccessConfig{
					AccessEnabled:                     pointer.To(true),
					AccessAllowedRoles:                []string{"os:admin"},
					AccessAllowedKubernetesNamespaces: []string{"kube-system"},
				},
			},
		},
	})

	suite.Require().NoError(suite.state.Create(suite.ctx, cfg))

	// worker should have feature disabled even if it is enabled in the config
	specMD := resource.NewMetadata(config.NamespaceName, kubeaccess.ConfigType, kubeaccess.ConfigID, resource.VersionUndefined)

	suite.Assert().NoError(retry.Constant(3*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
		suite.assertNoResource(specMD)))
}

func TestConfigSuite(t *testing.T) {
	suite.Run(t, new(ConfigSuite))
}