test: expand grpc transport contracts

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

providers/v2/common/grpc/client_test.go

@@ -153,7 +153,7 @@ func TestClientGetSecretSendsProviderReferenceAndNamespace(t *testing.T) {
 	defer cleanup()
 
 	client := NewClientWithConn(conn)
-	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
+	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns", StoreRefKind: esv1.ProviderKindStr}
 	ref := esv1.ExternalSecretDataRemoteRef{
 		Key:              "test-key",
 		Version:          "v1",
@@ -198,7 +198,7 @@ func TestClientGetSecretMapSendsProviderReferenceAndNamespace(t *testing.T) {
 	defer cleanup()
 
 	client := NewClientWithConn(conn)
-	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
+	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns", StoreRefKind: esv1.ProviderKindStr}
 
 	value, err := client.GetSecretMap(context.Background(), esv1.ExternalSecretDataRemoteRef{Key: "test-key"}, providerRef, "tenant-a")
 	if err != nil {
@@ -223,7 +223,7 @@ func TestClientGetAllSecretsSendsFindCriteria(t *testing.T) {
 	defer cleanup()
 
 	client := NewClientWithConn(conn)
-	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
+	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns", StoreRefKind: esv1.ProviderKindStr}
 	path := "/team-a"
 
 	secrets, err := client.GetAllSecrets(context.Background(), esv1.ExternalSecretFind{
@@ -259,7 +259,7 @@ func TestClientPushDeleteExistsAndCapabilitiesSendProviderReferenceAndNamespace(
 	defer cleanup()
 
 	client := NewClientWithConn(conn)
-	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
+	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns", StoreRefKind: esv1.ProviderKindStr}
 
 	err := client.PushSecret(context.Background(), &corev1.Secret{
 		Data: map[string][]byte{"token": []byte("value")},
@@ -329,7 +329,7 @@ func TestClientPushSecretSendsExpandedKubernetesSecretFields(t *testing.T) {
 	defer cleanup()
 
 	client := NewClientWithConn(conn)
-	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
+	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns", StoreRefKind: esv1.ClusterProviderKindStr}
 
 	err := client.PushSecret(context.Background(), &corev1.Secret{
 		Type: corev1.SecretTypeDockerConfigJson,
@@ -380,7 +380,7 @@ func TestClientValidate(t *testing.T) {
 		defer cleanup()
 
 		client := NewClientWithConn(conn)
-		providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
+		providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns", StoreRefKind: esv1.ProviderKindStr}
 
 		err := client.Validate(context.Background(), providerRef, "tenant-a")
 		if err != nil {
@@ -442,7 +442,7 @@ func assertProviderRefEqual(t *testing.T, got, want *pb.ProviderReference) {
 	if got == nil || want == nil {
 		t.Fatalf("provider refs must not be nil: got=%#v want=%#v", got, want)
 	}
-	if got.ApiVersion != want.ApiVersion || got.Kind != want.Kind || got.Name != want.Name || got.Namespace != want.Namespace {
+	if got.ApiVersion != want.ApiVersion || got.Kind != want.Kind || got.Name != want.Name || got.Namespace != want.Namespace || got.StoreRefKind != want.StoreRefKind {
 		t.Fatalf("unexpected provider ref: got=%#v want=%#v", got, want)
 	}
 }

providers/v2/common/grpc/pool_test.go

@@ -143,6 +143,69 @@ func TestConnectionPoolCleanupIdleConnectionsRemovesReleasedConnection(t *testin
 	}
 }
 
+func TestConnectionPoolCheckConnectionHealthRemovesShutdownConnection(t *testing.T) {
+	address, tlsConfig := newPoolTestServer(t)
+
+	pool := NewConnectionPool(PoolConfig{
+		MaxIdleTime:         time.Minute,
+		MaxLifetime:         time.Minute,
+		HealthCheckInterval: time.Hour,
+	})
+	defer func() {
+		_ = pool.Close()
+	}()
+
+	_, err := pool.Get(context.Background(), address, tlsConfig)
+	if err != nil {
+		t.Fatalf("Get() error = %v", err)
+	}
+	pool.Release(address, tlsConfig)
+
+	key := pool.connectionKey(address, tlsConfig)
+	pooled := pool.connections[key]
+	if pooled == nil {
+		t.Fatalf("expected pooled connection for key %q", key)
+	}
+
+	if err := pooled.conn.Close(); err != nil {
+		t.Fatalf("Close() error = %v", err)
+	}
+
+	pool.checkConnectionHealth()
+
+	if _, ok := pool.connections[key]; ok {
+		t.Fatalf("expected unhealthy pooled connection %q to be removed", key)
+	}
+}
+
+func TestConnectionPoolCloseClearsTrackedConnections(t *testing.T) {
+	address, tlsConfig := newPoolTestServer(t)
+
+	pool := NewConnectionPool(PoolConfig{
+		MaxIdleTime:         time.Minute,
+		MaxLifetime:         time.Minute,
+		HealthCheckInterval: time.Hour,
+	})
+
+	_, err := pool.Get(context.Background(), address, tlsConfig)
+	if err != nil {
+		t.Fatalf("Get() error = %v", err)
+	}
+	pool.Release(address, tlsConfig)
+
+	if len(pool.connections) != 1 {
+		t.Fatalf("expected one tracked connection, got %d", len(pool.connections))
+	}
+
+	if err := pool.Close(); err != nil {
+		t.Fatalf("Close() error = %v", err)
+	}
+
+	if len(pool.connections) != 0 {
+		t.Fatalf("expected no tracked connections after close, got %d", len(pool.connections))
+	}
+}
+
 func newPoolTestServer(t *testing.T) (string, *TLSConfig) {
 	t.Helper()
 

providers/v2/common/grpc/tls_test.go

@@ -144,6 +144,20 @@ func TestLoadClientTLSConfig(t *testing.T) {
 		}
 	})
 
+	t.Run("missing_secret", func(t *testing.T) {
+		scheme := runtime.NewScheme()
+		utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+
+		kubeClient := fakeclient.NewClientBuilder().
+			WithScheme(scheme).
+			Build()
+
+		_, err := LoadClientTLSConfig(context.Background(), kubeClient, "127.0.0.1:9443", "tenant-a")
+		if err == nil || err.Error() == "" {
+			t.Fatalf("expected missing secret error, got %v", err)
+		}
+	})
+
 	t.Run("missing_secret_data", func(t *testing.T) {
 		kubeClient := newTLSSecretClient(t, map[string][]byte{
 			"ca.crt": []byte("ca"),
@@ -195,6 +209,21 @@ func TestTLSConfigToGRPCTLSConfig(t *testing.T) {
 			t.Fatal("expected invalid keypair to fail")
 		}
 	})
+
+	t.Run("invalid_ca", func(t *testing.T) {
+		serverName := "127.0.0.1"
+		_, _, clientCertPEM, clientKeyPEM, _ := newTLSArtifactsForTest(t, serverName)
+
+		_, err := (&TLSConfig{
+			CACert:     []byte("not-a-ca"),
+			ClientCert: clientCertPEM,
+			ClientKey:  clientKeyPEM,
+			ServerName: serverName,
+		}).ToGRPCTLSConfig()
+		if err == nil || err.Error() != "failed to parse CA certificate" {
+			t.Fatalf("unexpected error: %v", err)
+		}
+	})
 }
 
 func newTLSSecretClient(t *testing.T, data map[string][]byte) ctrlclient.Client {