add inital integration test cases

Author: deads2k

.gitignore

@@ -19,3 +19,4 @@ tags
 .envrc
 authentication-operator
 telepresence.log
+/test-output/

pkg/cmd/mom/apply_configuration_command.go

@@ -15,8 +15,6 @@ func NewApplyConfigurationCommand(streams genericiooptions.IOStreams) *cobra.Com
 }
 
 func RunApplyConfiguration(ctx context.Context, input libraryapplyconfiguration.ApplyConfigurationInput) (libraryapplyconfiguration.AllDesiredMutationsGetter, error) {
-	// TODO initialize dynamic clients, informers, operator clients, and kubeclients from the input to demonstrate.
-
 	authenticationOperatorInput, err := operator.CreateOperatorInputFromMOM(ctx, input)
 	if err != nil {
 		return nil, fmt.Errorf("unable to configure operator input: %w", err)

pkg/cmd/mom/output_resources_command.go

@@ -22,21 +22,28 @@ func RunOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso
 		ManagementResources: libraryoutputresources.ResourceList{
 			ExactResources: []libraryoutputresources.ExactResourceID{
 				libraryoutputresources.ExactClusterOperator("authentication"),
-				libraryoutputresources.ExactResource("operator.openshift.io", "authentications", "", "cluster"),
+				libraryoutputresources.ExactConfigMap("openshift-authentication", "audit"),
+				libraryoutputresources.ExactConfigMap("openshift-authentication", "v4-0-config-system-trusted-ca-bundle"),
+				libraryoutputresources.ExactDeployment("openshift-authentication", "oauth-openshift"),
+				libraryoutputresources.ExactLowLevelOperator("authentications"),
+				exactNamespace("openshift-authentication"),
+				exactRole("openshift-config-managed", "system:openshift:oauth-servercert-trust"),
+				exactRoleBinding("openshift-config-managed", "system:openshift:oauth-servercert-trust"),
+				libraryoutputresources.ExactSecret("openshift-authentication", "v4-0-config-system-session"),
+				libraryoutputresources.ExactSecret("openshift-authentication", "v4-0-config-system-ocp-branding-template"),
+				exactService("openshift-authentication", "oauth-openshift"),
+				libraryoutputresources.ExactServiceAccount("openshift-authentication", "oauth-openshift"),
+			},
+			EventingNamespaces: []string{
+				"openshift-authentication-operator",
 			},
 		},
 		UserWorkloadResources: libraryoutputresources.ResourceList{
 			ExactResources: []libraryoutputresources.ExactResourceID{
-				libraryoutputresources.ExactSecret("openshift-authentication", "v4-0-config-system-session"),
-				libraryoutputresources.ExactSecret("openshift-authentication", "v4-0-config-system-ocp-branding-template"),
-				libraryoutputresources.ExactServiceAccount("openshift-authentication", "oauth-openshift"),
-				libraryoutputresources.ExactDeployments("openshift-authentication", "oauth-openshift"),
+				libraryoutputresources.ExactClusterRoleBinding("system:openshift:openshift-authentication"),
 				exactOAuthClient("openshift-browser-client"),
 				exactOAuthClient("openshift-challenging-client"),
 				exactOAuthClient("openshift-cli-client"),
-				libraryoutputresources.ExactClusterRoleBinding("system:openshift:openshift-authentication"),
-				libraryoutputresources.ExactRoleBinding("openshift-config-managed", "system:openshift:oauth-servercert-trust"),
-				libraryoutputresources.ExactRole("openshift-config-managed", "system:openshift:oauth-servercert-trust"),
 			},
 			GeneratedNameResources: []libraryoutputresources.GeneratedResourceID{
 				libraryoutputresources.GeneratedCSR("system:openshift:openshift-authenticator-"),
@@ -48,3 +55,19 @@ func RunOutputResources(ctx context.Context) (*libraryoutputresources.OutputReso
 func exactOAuthClient(name string) libraryoutputresources.ExactResourceID {
 	return libraryoutputresources.ExactResource("oauth.openshift.io", "oauthclients", "", name)
 }
+
+func exactNamespace(name string) libraryoutputresources.ExactResourceID {
+	return libraryoutputresources.ExactResource("", "namespaces", "", name)
+}
+
+func exactService(namespace, name string) libraryoutputresources.ExactResourceID {
+	return libraryoutputresources.ExactResource("", "services", namespace, name)
+}
+
+func exactRole(namespace, name string) libraryoutputresources.ExactResourceID {
+	return libraryoutputresources.ExactResource("rbac.authorization.k8s.io", "roles", namespace, name)
+}
+
+func exactRoleBinding(namespace, name string) libraryoutputresources.ExactResourceID {
+	return libraryoutputresources.ExactResource("rbac.authorization.k8s.io", "rolebindings", namespace, name)
+}

pkg/operator/replacement_starter.go

@@ -59,31 +59,36 @@ type authenticationOperatorInput struct {
 const componentName = "cluster-authentication-operator"
 
 func CreateOperatorInputFromMOM(ctx context.Context, momInput libraryapplyconfiguration.ApplyConfigurationInput) (*authenticationOperatorInput, error) {
-	kubeClient, err := kubernetes.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	// TODO replace with the library-go function in https://github.com/openshift/library-go/pull/1857 once it merges
+	recommendedRESTConfig := &rest.Config{
+		QPS:   1000,
+		Burst: 10000,
+	}
+	kubeClient, err := kubernetes.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
-	configClient, err := configclient.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	configClient, err := configclient.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
-	operatorClient, err := operatorclient.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	operatorClient, err := operatorclient.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
-	routeClient, err := routeclient.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	routeClient, err := routeclient.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
-	oauthClient, err := oauthclient.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	oauthClient, err := oauthclient.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
-	apiregistrationv1Client, err := apiregistrationclient.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	apiregistrationv1Client, err := apiregistrationclient.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
-	migrationClient, err := kubemigratorclient.NewForConfigAndClient(&rest.Config{}, momInput.MutationTrackingClient.GetHTTPClient())
+	migrationClient, err := kubemigratorclient.NewForConfigAndClient(recommendedRESTConfig, momInput.MutationTrackingClient.GetHTTPClient())
 	if err != nil {
 		return nil, err
 	}
@@ -100,16 +105,25 @@ func CreateOperatorInputFromMOM(ctx context.Context, momInput libraryapplyconfig
 		return nil, err
 	}
 
-	eventRecorder := events.NewKubeRecorderWithOptions(
-		kubeClient.CoreV1().Events("openshift-authentication-operator"),
-		events.RecommendedClusterSingletonCorrelatorOptions(),
+	//eventRecorder := events.NewKubeRecorderWithOptions(
+	//	kubeClient.CoreV1().Events("openshift-authentication-operator"),
+	//	events.RecommendedClusterSingletonCorrelatorOptions(),
+	//	componentName,
+	//	&corev1.ObjectReference{
+	//		Kind:      "Deployment",
+	//		Namespace: "openshift-authentication-operator",
+	//		Name:      "authentication-operator",
+	//	},
+	//)
+	// TODO figure out if we're better off using the event correlator (possible) and making a flush of some kind or if live write are better
+	// but for now don't lose it.
+	eventRecorder := events.NewRecorder(kubeClient.CoreV1().Events("openshift-authentication-operator"),
 		componentName,
 		&corev1.ObjectReference{
 			Kind:      "Deployment",
 			Namespace: "openshift-authentication-operator",
 			Name:      "authentication-operator",
-		},
-	)
+		})
 
 	return &authenticationOperatorInput{
 		kubeClient:                   kubeClient,
@@ -299,7 +313,7 @@ func CreateOperatorStarter(ctx context.Context, authOperatorInput *authenticatio
 
 	oauthAPIServerRunOnceFns, oauthAPIServerRunFns, err := prepareOauthAPIServerOperator(ctx, authOperatorInput, informerFactories, resourceSyncer, versionRecorder)
 	if err != nil {
-		return nil, fmt.Errorf("unable to prepare oauth server: %w", err)
+		return nil, fmt.Errorf("unable to prepare oauth apiserver: %w", err)
 	}
 	ret.ControllerRunFns = append(ret.ControllerRunFns, oauthAPIServerRunFns...)
 	ret.ControllerNamedRunOnceFns = append(ret.ControllerNamedRunOnceFns, oauthAPIServerRunOnceFns...)

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/001-body-cluster.yaml

@@ -0,0 +1,15 @@
+apiVersion: operator.openshift.io/v1
+kind: Authentication
+metadata:
+  annotations:
+    operator.openshift.io/controller-name: TODO-resourceSyncer
+  name: cluster
+status:
+  conditions:
+  - lastTransitionTime: "2024-10-14T22:38:20Z"
+    message: an error on the server ("request namespace \"openshift-oauth-apiserver\"
+      does not equal body namespace \"\"") has prevented the request from succeeding
+      (delete secrets etcd-client)
+    reason: Error
+    status: "True"
+    type: ResourceSyncControllerDegraded

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/001-options-cluster.yaml

@@ -0,0 +1,2 @@
+fieldManager: oauth-server-ResourceSync
+force: true

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/002-body-cluster.yaml

@@ -0,0 +1,12 @@
+apiVersion: operator.openshift.io/v1
+kind: Authentication
+metadata:
+  annotations:
+    operator.openshift.io/controller-name: TODO-configOverridesController
+  name: cluster
+status:
+  conditions:
+  - lastTransitionTime: "2024-10-14T22:38:20Z"
+    reason: NoUnsupportedConfigOverrides
+    status: "True"
+    type: UnsupportedConfigOverridesUpgradeable

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/002-options-cluster.yaml

@@ -0,0 +1,2 @@
+fieldManager: openshift-authentication-UnsupportedConfigOverrides
+force: true

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/008-body-cluster.yaml

@@ -0,0 +1,17 @@
+apiVersion: operator.openshift.io/v1
+kind: Authentication
+metadata:
+  annotations:
+    operator.openshift.io/controller-name: TODO-configObserver
+  name: cluster
+status:
+  conditions:
+  - lastTransitionTime: "2024-10-14T22:38:20Z"
+    message: |-
+      infrastructure.config.openshift.io "cluster" not found
+      console.config.openshift.io "cluster" not found
+      secret "v4-0-config-system-router-certs" not found
+      oauth.config.openshift.io "cluster" not found
+    reason: Error
+    status: "True"
+    type: OAuthServerConfigObservationDegraded

test-data/apply-configuration/overall/minimal-cluster/expected-output/Management/ApplyStatus/cluster-scoped-resources/operator.openshift.io/authentications/008-options-cluster.yaml

@@ -0,0 +1,2 @@
+fieldManager: oauth-server-ConfigObserver
+force: true