2024-04-29 16:03:48 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
|
|
|
|
//go:build linux
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"errors"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/google/go-cmp/cmp"
|
2024-09-08 19:57:29 +00:00
|
|
|
"tailscale.com/kube/kubeapi"
|
|
|
|
"tailscale.com/kube/kubeclient"
|
2024-04-29 16:03:48 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestSetupKube(t *testing.T) {
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
cfg *settings
|
|
|
|
wantErr bool
|
|
|
|
wantCfg *settings
|
2024-11-20 17:17:34 +00:00
|
|
|
kc *kubeClient
|
2024-04-29 16:03:48 +00:00
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY set, state Secret exists",
|
|
|
|
cfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, false, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
2024-04-29 16:03:48 +00:00
|
|
|
return nil, nil
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantCfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY set, state Secret does not exist, we have permissions to create it",
|
|
|
|
cfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, true, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return nil, &kubeapi.Status{Code: 404}
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantCfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY set, state Secret does not exist, we do not have permissions to create it",
|
|
|
|
cfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, false, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return nil, &kubeapi.Status{Code: 404}
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantCfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY set, we encounter a non-404 error when trying to retrieve the state Secret",
|
|
|
|
cfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, false, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return nil, &kubeapi.Status{Code: 403}
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantCfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY set, we encounter a non-404 error when trying to check Secret permissions",
|
|
|
|
cfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
wantCfg: &settings{
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, false, errors.New("broken")
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Interactive login using URL in Pod logs
|
|
|
|
name: "TS_AUTHKEY not set, state Secret does not exist, we have permissions to create it",
|
|
|
|
cfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
wantCfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, true, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return nil, &kubeapi.Status{Code: 404}
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
// Interactive login using URL in Pod logs
|
|
|
|
name: "TS_AUTHKEY not set, state Secret exists, but does not contain auth key",
|
|
|
|
cfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
wantCfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, false, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return &kubeapi.Secret{}, nil
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY not set, state Secret contains auth key, we do not have RBAC to patch it",
|
|
|
|
cfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return false, false, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return &kubeapi.Secret{Data: map[string][]byte{"authkey": []byte("foo")}}, nil
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantCfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
|
|
|
wantErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "TS_AUTHKEY not set, state Secret contains auth key, we have RBAC to patch it",
|
|
|
|
cfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
kc: &kubeClient{stateSecret: "foo", Client: &kubeclient.FakeClient{
|
2024-04-29 16:03:48 +00:00
|
|
|
CheckSecretPermissionsImpl: func(context.Context, string) (bool, bool, error) {
|
|
|
|
return true, false, nil
|
|
|
|
},
|
2024-09-08 18:06:07 +00:00
|
|
|
GetSecretImpl: func(context.Context, string) (*kubeapi.Secret, error) {
|
|
|
|
return &kubeapi.Secret{Data: map[string][]byte{"authkey": []byte("foo")}}, nil
|
2024-04-29 16:03:48 +00:00
|
|
|
},
|
2024-11-20 17:17:34 +00:00
|
|
|
}},
|
2024-04-29 16:03:48 +00:00
|
|
|
wantCfg: &settings{
|
|
|
|
KubeSecret: "foo",
|
|
|
|
AuthKey: "foo",
|
|
|
|
KubernetesCanPatch: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tt := range tests {
|
2024-11-20 17:17:34 +00:00
|
|
|
kc := tt.kc
|
2024-04-29 16:03:48 +00:00
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2024-11-20 17:17:34 +00:00
|
|
|
if err := tt.cfg.setupKube(context.Background(), kc); (err != nil) != tt.wantErr {
|
2024-04-29 16:03:48 +00:00
|
|
|
t.Errorf("settings.setupKube() error = %v, wantErr %v", err, tt.wantErr)
|
|
|
|
}
|
|
|
|
if diff := cmp.Diff(*tt.cfg, *tt.wantCfg); diff != "" {
|
|
|
|
t.Errorf("unexpected contents of settings after running settings.setupKube()\n(-got +want):\n%s", diff)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|