
Commit ee784d8

enxebreJoelSpeed
authored andcommitted
Add validation for credentials existence in Azure
1 parent 1706724 commit ee784d8


4 files changed

+67
-4
lines changed


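--- a/pkg/apis/machine/v1beta1/machine_webhook.go
+++ b/pkg/apis/machine/v1beta1/machine_webhook.go
@@ -793,6 +793,9 @@ func validateAzure(m *Machine, config *admissionConfig) (bool, []string, utilerr
 if providerSpec.CredentialsSecret.Name == "" {
 errs = append(errs, field.Required(field.NewPath("providerSpec", "credentialsSecret", "name"), "name must be provided"))
 }
+if providerSpec.CredentialsSecret.Name != "" && providerSpec.CredentialsSecret.Namespace != "" {
+errs = append(errs, credentialsSecretExists(config.client, providerSpec.CredentialsSecret.Name, providerSpec.CredentialsSecret.Namespace)...)
+}
 }
 
 if providerSpec.OSDisk.DiskSizeGB <= 0 || providerSpec.OSDisk.DiskSizeGB >= azureMaxDiskSizeGB {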
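Review bot: The new guard skips the existence lookup whenever CredentialsSecret.Namespace is empty, so a spec that names a secret but omits its namespace is accepted without the secret ever being checked; the suite comment in this same commit says the Azure reference defaults to defaultSecretNamespace, so either confirm that defaulting runs before validateAzure or resolve it here explicitly, e.g. `ns := providerSpec.CredentialsSecret.Namespace` / `if ns == "" { ns = defaultSecretNamespace }` and pass `ns` to credentialsSecretExists. Separately, the namespace comes from the caller-supplied providerSpec rather than from m.Namespace, so credentialsSecretExists (defined outside this hunk) looks up secrets wherever the webhook's client can read; if its error text distinguishes "not found" from "forbidden", anyone allowed to create Machines can learn which secret names exist in other namespaces, so consider restricting the lookup to the Machine's own namespace or keeping the returned error generic. validateAzure continues beyond the end of this hunk.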

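--- a/pkg/apis/machine/v1beta1/machine_webhook_test.go
+++ b/pkg/apis/machine/v1beta1/machine_webhook_test.go
@@ -76,13 +76,21 @@ func TestMachineCreation(t *testing.T) {
 Namespace: namespace.Name,
 },
 }
+azureSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: defaultAzureCredentialsSecret,
+Namespace: defaultSecretNamespace,
+},
+}
 g.Expect(c.Create(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Create(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Create(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Create(ctx, azureSecret)).To(Succeed())
 defer func() {
 g.Expect(c.Delete(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Delete(ctx, azureSecret)).To(Succeed())
 }()
 
 testCases := []struct {
@@ -474,13 +482,21 @@ func TestMachineUpdate(t *testing.T) {
 Namespace: namespace.Name,
 },
 }
+azureSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: defaultAzureCredentialsSecret,
+Namespace: defaultSecretNamespace,
+},
+}
 g.Expect(c.Create(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Create(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Create(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Create(ctx, azureSecret)).To(Succeed())
 defer func() {
 g.Expect(c.Delete(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Delete(ctx, azureSecret)).To(Succeed())
 }()
 
 testCases := []struct {
@@ -1086,6 +1102,11 @@ func TestDefaultAWSProviderSpec(t *testing.T) {
 }
 
 func TestValidateAzureProviderSpec(t *testing.T) {
+namespace := &corev1.Namespace{
+ObjectMeta: metav1.ObjectMeta{
+Name: "azure-validation-test",
+},
+}
 
 testCases := []struct {
 testCase string
@@ -1240,7 +1261,7 @@ func TestValidateAzureProviderSpec(t *testing.T) {
 testCase: "with no credentials secret name it fails",
 modifySpec: func(p *azure.AzureMachineProviderSpec) {
 p.CredentialsSecret = &corev1.SecretReference{
-Namespace: "namespace",
+Namespace: namespace.Name,
 }
 },
 expectedOk: false,
@@ -1289,7 +1310,13 @@ func TestValidateAzureProviderSpec(t *testing.T) {
 
 for _, tc := range testCases {
 t.Run(tc.testCase, func(t *testing.T) {
-c := fake.NewFakeClientWithScheme(scheme.Scheme)
+secret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: "name",
+Namespace: namespace.Name,
+},
+}
+c := fake.NewFakeClientWithScheme(scheme.Scheme, secret)
 infra := plainInfra.DeepCopy()
 infra.Status.InfrastructureName = "clusterID"
 infra.Status.PlatformStatus.Type = osconfigv1.AzurePlatformType
@@ -1308,7 +1335,7 @@ func TestValidateAzureProviderSpec(t *testing.T) {
 },
 CredentialsSecret: &corev1.SecretReference{
 Name: "name",
-Namespace: "namespace",
+Namespace: namespace.Name,
 },
 OSDisk: azure.OSDisk{
 DiskSizeGB: 1,
@@ -1318,7 +1345,11 @@ func TestValidateAzureProviderSpec(t *testing.T) {
 tc.modifySpec(providerSpec)
 }
 
-m := &Machine{}
+m := &Machine{
+ObjectMeta: metav1.ObjectMeta{
+Namespace: namespace.Name,
+},
+}
 rawBytes, err := json.Marshal(providerSpec)
 if err != nil {
 t.Fatal(err)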
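Review bot: None of the visible hunks in TestValidateAzureProviderSpec adds a case for the failure path this commit introduces: the fake client built at the top of the t.Run body is always seeded with the secret named "name" in namespace.Name, so every case that keeps the default CredentialsSecret only exercises the secret-found branch of credentialsSecretExists. A table entry such as `testCase: "with a credentials secret that does not exist it fails"`, `modifySpec: func(p *azure.AzureMachineProviderSpec) { p.CredentialsSecret.Name = "missing" }`, `expectedOk: false` would pin the new behaviour; only part of the testCases table is in view, so it may already exist outside these hunks. The `namespace` object declared at the start of the test is used only for its Name and is never handed to the fake client, which reads as if the namespace were created; a plain string would make that clearer.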

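--- a/pkg/apis/machine/v1beta1/machineset_webhook_test.go
+++ b/pkg/apis/machine/v1beta1/machineset_webhook_test.go
@@ -61,13 +61,21 @@ func TestMachineSetCreation(t *testing.T) {
 Namespace: namespace.Name,
 },
 }
+azureSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: defaultAzureCredentialsSecret,
+Namespace: defaultSecretNamespace,
+},
+}
 g.Expect(c.Create(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Create(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Create(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Create(ctx, azureSecret)).To(Succeed())
 defer func() {
 g.Expect(c.Delete(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Delete(ctx, azureSecret)).To(Succeed())
 }()
 
 testCases := []struct {
@@ -452,13 +460,21 @@ func TestMachineSetUpdate(t *testing.T) {
 Namespace: namespace.Name,
 },
 }
+azureSecret := &corev1.Secret{
+ObjectMeta: metav1.ObjectMeta{
+Name: defaultAzureCredentialsSecret,
+Namespace: defaultSecretNamespace,
+},
+}
 g.Expect(c.Create(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Create(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Create(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Create(ctx, azureSecret)).To(Succeed())
 defer func() {
 g.Expect(c.Delete(ctx, awsSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, vSphereSecret)).To(Succeed())
 g.Expect(c.Delete(ctx, GCPSecret)).To(Succeed())
+g.Expect(c.Delete(ctx, azureSecret)).To(Succeed())
 }()
 
 testCases := []struct {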
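Review bot: The azureSecret construction, Create and deferred Delete added to TestMachineSetCreation and TestMachineSetUpdate here are the same lines as those added to TestMachineCreation and TestMachineUpdate in machine_webhook_test.go, so the commit now maintains four copies of a per-provider fixture that will drift the next time a provider is added. A small test helper that creates the four credentials secrets (aws, vSphere, GCP, Azure) and returns a cleanup func for the defer would collapse all four copies to one call each. The enclosing test functions start and end outside these hunks.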

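--- a/pkg/apis/machine/v1beta1/v1beta1_suite_test.go
+++ b/pkg/apis/machine/v1beta1/v1beta1_suite_test.go
@@ -26,6 +26,8 @@ import (
 "testing"
 "time"
 
+corev1 "k8s.io/api/core/v1"
+
 fuzz "github.com/google/gofuzz"
 osconfigv1 "github.com/openshift/api/config/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -81,6 +83,17 @@ func TestMain(m *testing.M) {
 log.Fatal(err)
 }
 
+// Azure credentialsSecret is a secretRef defaulting to defaultSecretNamespace instead of a localObjectRef.
+// This is so the tests can assume this namespace exists.
+namespace := &corev1.Namespace{
+ObjectMeta: metav1.ObjectMeta{
+Name: defaultSecretNamespace,
+},
+}
+if err = c.Create(ctx, namespace); err != nil {
+log.Fatal(err)
+}
+
 code := m.Run()
 testEnv.Stop()
 os.Exit(code)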
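Review bot: The new `corev1 "k8s.io/api/core/v1"` import is placed in a group of its own between the standard library and the existing third-party block, even though the other k8s import (`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`) already lives in that block; goimports would merge them, so move the line next to metav1 and drop the extra blank line. In the TestMain hunk the namespace created for the suite is never deleted, which is only safe because testEnv.Stop() discards the whole environment; a trailing comment such as `// Not deleted explicitly: testEnv.Stop() tears down the API server and everything in it.` would keep the next reader from adding a cleanup that races the stop. The import block and TestMain both extend beyond the hunks shown.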
