Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: f9acd4b1ae
Branches Tags
helm-externa...
/
pkg
/
controllers
/
secretstore
/
common_test.go

common_test.go 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package secretstore
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	corev1 "k8s.io/api/core/v1"
    24. 

  24. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    25. 

  25. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 	"k8s.io/apimachinery/pkg/types"
    27. 

  27. 

  28. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    29. 

  29. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    30. 

  30. 

  31. 	. "github.com/onsi/ginkgo/v2"
    32. 

  32. 	. "github.com/onsi/gomega"
    33. 

  33. )
    34. 

  34. 

  35. type testCase struct {
    36. 

  36. 	store  esapi.GenericStore
    37. 

  37. 	ps     *esv1alpha1.PushSecret
    38. 

  38. 	assert func()
    39. 

  39. }
    40. 

  40. 

  41. const (
    42. 

  42. 	defaultStoreName       = "default-store"
    43. 

  43. 	defaultControllerClass = "test-ctrl"
    44. 

  44. )
    45. 

  45. 

  46. var _ = Describe("SecretStore Controller", func() {
    47. 

  47. 	var test *testCase
    48. 

  48. 

  49. 	BeforeEach(func() {
    50. 

  50. 		test = makeDefaultTestcase()
    51. 

  51. 	})
    52. 

  52. 

  53. 	Context("Reconcile Logic", func() {
    54. 

  54. 		AfterEach(func() {
    55. 

  55. 			Expect(k8sClient.Delete(context.Background(), test.store)).ToNot(HaveOccurred())
    56. 

  56. 		})
    57. 

  57. 

  58. 		// an invalid provider config should be reflected
    59. 

  59. 		// in the store status condition
    60. 

  60. 		invalidProvider := func(tc *testCase) {
    61. 

  61. 			tc.assert = func() {
    62. 

  62. 				Eventually(func() bool {
    63. 

  63. 					ss := tc.store.Copy()
    64. 

  64. 					err := k8sClient.Get(context.Background(), types.NamespacedName{
    65. 

  65. 						Name:      defaultStoreName,
    66. 

  66. 						Namespace: ss.GetObjectMeta().Namespace,
    67. 

  67. 					}, ss)
    68. 

  68. 					if err != nil {
    69. 

  69. 						return false
    70. 

  70. 					}
    71. 

  71. 					status := ss.GetStatus()
    72. 

  72. 					if len(status.Conditions) != 1 {
    73. 

  73. 						return false
    74. 

  74. 					}
    75. 

  75. 					return status.Conditions[0].Reason == esapi.ReasonInvalidProviderConfig &&
    76. 

  76. 						hasEvent(tc.store.GetTypeMeta().Kind, ss.GetName(), esapi.ReasonInvalidProviderConfig)
    77. 

  77. 				}).
    78. 

  78. 					WithTimeout(time.Second * 10).
    79. 

  79. 					WithPolling(time.Second).
    80. 

  80. 					Should(BeTrue())
    81. 

  81. 			}
    82. 

  82. 		}
    83. 

  83. 

  84. 		// if controllerClass does not match the controller
    85. 

  85. 		// should not touch this store
    86. 

  86. 		ignoreControllerClass := func(tc *testCase) {
    87. 

  87. 			spc := tc.store.GetSpec()
    88. 

  88. 			spc.Controller = "something-else"
    89. 

  89. 			tc.assert = func() {
    90. 

  90. 				Consistently(func() bool {
    91. 

  91. 					ss := tc.store.Copy()
    92. 

  92. 					err := k8sClient.Get(context.Background(), types.NamespacedName{
    93. 

  93. 						Name:      defaultStoreName,
    94. 

  94. 						Namespace: ss.GetObjectMeta().Namespace,
    95. 

  95. 					}, ss)
    96. 

  96. 					if err != nil {
    97. 

  97. 						return true
    98. 

  98. 					}
    99. 

  99. 

  100. 					conditionLen := len(ss.GetStatus().Conditions) == 0
    101. 

  101. 					if !conditionLen {
    102. 

  102. 						GinkgoLogr.Info("store conditions is NOT empty but should have been", "conditions", ss.GetStatus().Conditions)
    103. 

  103. 					}
    104. 

  104. 

  105. 					return conditionLen
    106. 

  106. 				}).
    107. 

  107. 					WithTimeout(time.Second*3).
    108. 

  108. 					WithPolling(time.Millisecond*500).
    109. 

  109. 					Should(BeTrue(), "condition should have been empty")
    110. 

  110. 			}
    111. 

  111. 		}
    112. 

  112. 

  113. 		validProvider := func(tc *testCase) {
    114. 

  114. 			spc := tc.store.GetSpec()
    115. 

  115. 			spc.Provider.Vault = nil
    116. 

  116. 			spc.Provider.Fake = &esapi.FakeProvider{
    117. 

  117. 				Data: []esapi.FakeProviderData{},
    118. 

  118. 			}
    119. 

  119. 

  120. 			tc.assert = func() {
    121. 

  121. 				Eventually(func() bool {
    122. 

  122. 					ss := tc.store.Copy()
    123. 

  123. 					err := k8sClient.Get(context.Background(), types.NamespacedName{
    124. 

  124. 						Name:      defaultStoreName,
    125. 

  125. 						Namespace: ss.GetNamespace(),
    126. 

  126. 					}, ss)
    127. 

  127. 					if err != nil {
    128. 

  128. 						return false
    129. 

  129. 					}
    130. 

  130. 

  131. 					if len(ss.GetStatus().Conditions) != 1 {
    132. 

  132. 						return false
    133. 

  133. 					}
    134. 

  134. 

  135. 					return ss.GetStatus().Conditions[0].Reason == esapi.ReasonStoreValid &&
    136. 

  136. 						ss.GetStatus().Conditions[0].Type == esapi.SecretStoreReady &&
    137. 

  137. 						ss.GetStatus().Conditions[0].Status == corev1.ConditionTrue &&
    138. 

  138. 						hasEvent(tc.store.GetTypeMeta().Kind, ss.GetName(), esapi.ReasonStoreValid)
    139. 

  139. 				}).
    140. 

  140. 					WithTimeout(time.Second * 10).
    141. 

  141. 					WithPolling(time.Second).
    142. 

  142. 					Should(BeTrue())
    143. 

  143. 			}
    144. 

  144. 

  145. 		}
    146. 

  146. 

  147. 		readWrite := func(tc *testCase) {
    148. 

  148. 			spc := tc.store.GetSpec()
    149. 

  149. 			spc.Provider.Vault = nil
    150. 

  150. 			spc.Provider.Fake = &esapi.FakeProvider{
    151. 

  151. 				Data: []esapi.FakeProviderData{},
    152. 

  152. 			}
    153. 

  153. 

  154. 			tc.assert = func() {
    155. 

  155. 				Eventually(func() bool {
    156. 

  156. 					ss := tc.store.Copy()
    157. 

  157. 					err := k8sClient.Get(context.Background(), types.NamespacedName{
    158. 

  158. 						Name:      defaultStoreName,
    159. 

  159. 						Namespace: ss.GetNamespace(),
    160. 

  160. 					}, ss)
    161. 

  161. 					if err != nil {
    162. 

  162. 						return false
    163. 

  163. 					}
    164. 

  164. 

  165. 					if ss.GetStatus().Capabilities != esapi.SecretStoreReadWrite {
    166. 

  166. 						return false
    167. 

  167. 					}
    168. 

  168. 

  169. 					return true
    170. 

  170. 				}).
    171. 

  171. 					WithTimeout(time.Second * 10).
    172. 

  172. 					WithPolling(time.Second).
    173. 

  173. 					Should(BeTrue())
    174. 

  174. 			}
    175. 

  175. 

  176. 		}
    177. 

  177. 

  178. 		// an unknown store validation result should be reflected
    179. 

  179. 		// in the store status condition
    180. 

  180. 		validationUnknown := func(tc *testCase) {
    181. 

  181. 			spc := tc.store.GetSpec()
    182. 

  182. 			spc.Provider.Vault = nil
    183. 

  183. 			validationResultUnknown := esapi.ValidationResultUnknown
    184. 

  184. 			spc.Provider.Fake = &esapi.FakeProvider{
    185. 

  185. 				Data:             []esapi.FakeProviderData{},
    186. 

  186. 				ValidationResult: &validationResultUnknown,
    187. 

  187. 			}
    188. 

  188. 

  189. 			tc.assert = func() {
    190. 

  190. 				Eventually(func() bool {
    191. 

  191. 					ss := tc.store.Copy()
    192. 

  192. 					err := k8sClient.Get(context.Background(), types.NamespacedName{
    193. 

  193. 						Name:      defaultStoreName,
    194. 

  194. 						Namespace: ss.GetNamespace(),
    195. 

  195. 					}, ss)
    196. 

  196. 					if err != nil {
    197. 

  197. 						return false
    198. 

  198. 					}
    199. 

  199. 

  200. 					if len(ss.GetStatus().Conditions) != 1 {
    201. 

  201. 						return false
    202. 

  202. 					}
    203. 

  203. 

  204. 					return ss.GetStatus().Conditions[0].Reason == esapi.ReasonValidationUnknown &&
    205. 

  205. 						ss.GetStatus().Conditions[0].Type == esapi.SecretStoreReady &&
    206. 

  206. 						ss.GetStatus().Conditions[0].Status == corev1.ConditionTrue &&
    207. 

  207. 						hasEvent(tc.store.GetTypeMeta().Kind, ss.GetName(), esapi.ReasonValidationUnknown)
    208. 

  208. 				}).
    209. 

  209. 					WithTimeout(time.Second * 5).
    210. 

  210. 					WithPolling(time.Second).
    211. 

  211. 					Should(BeTrue())
    212. 

  212. 			}
    213. 

  213. 		}
    214. 

  214. 

  215. 		DescribeTable("Provider Configuration", func(muts ...func(tc *testCase)) {
    216. 

  216. 			for _, mut := range muts {
    217. 

  217. 				mut(test)
    218. 

  218. 			}
    219. 

  219. 			err := k8sClient.Create(context.Background(), test.store.Copy())
    220. 

  220. 			Expect(err).ToNot(HaveOccurred())
    221. 

  221. 			test.assert()
    222. 

  222. 		},
    223. 

  223. 			// Namespaced store tests
    224. 

  224. 			Entry("[namespace] invalid provider should set InvalidStore condition", invalidProvider),
    225. 

  225. 			Entry("[namespace] should ignore stores with non-matching controller class", ignoreControllerClass),
    226. 

  226. 			Entry("[namespace] valid provider should have status=ready", validProvider),
    227. 

  227. 			Entry("[namespace] valid provider should have capabilities=ReadWrite", readWrite),
    228. 

  228. 			Entry("[cluster] validation unknown status should set ValidationUnknown condition", validationUnknown),
    229. 

  229. 

  230. 			// Cluster store tests
    231. 

  231. 			Entry("[cluster] invalid provider should set InvalidStore condition", invalidProvider, useClusterStore),
    232. 

  232. 			Entry("[cluster] should ignore stores with non-matching controller class", ignoreControllerClass, useClusterStore),
    233. 

  233. 			Entry("[cluster] valid provider should have status=ready", validProvider, useClusterStore),
    234. 

  234. 			Entry("[cluster] valid provider should have capabilities=ReadWrite", readWrite, useClusterStore),
    235. 

  235. 			Entry("[cluster] validation unknown status should set ValidationUnknown condition", validationUnknown, useClusterStore),
    236. 

  236. 		)
    237. 

  237. 	})
    238. 

  238. 

  239. 	Context("Finalizer Management", func() {
    240. 

  240. 		BeforeEach(func() {
    241. 

  241. 			// Setup valid provider for finalizer tests
    242. 

  242. 			spc := test.store.GetSpec()
    243. 

  243. 			spc.Provider.Vault = nil
    244. 

  244. 			spc.Provider.Fake = &esapi.FakeProvider{
    245. 

  245. 				Data: []esapi.FakeProviderData{},
    246. 

  246. 			}
    247. 

  247. 		})
    248. 

  248. 

  249. 		AfterEach(func() {
    250. 

  250. 			cleanupResources(test)
    251. 

  251. 		})
    252. 

  252. 

  253. 		DescribeTable("Finalizer Addition", func(muts ...func(tc *testCase)) {
    254. 

  254. 			for _, mut := range muts {
    255. 

  255. 				mut(test)
    256. 

  256. 			}
    257. 

  257. 

  258. 			Expect(k8sClient.Create(context.Background(), test.store)).ToNot(HaveOccurred())
    259. 

  259. 			Expect(k8sClient.Create(context.Background(), test.ps)).ToNot(HaveOccurred())
    260. 

  260. 

  261. 			Eventually(func() []string {
    262. 

  262. 				return getStoreFinalizers(test.store)
    263. 

  263. 			}).
    264. 

  264. 				WithTimeout(time.Second * 10).
    265. 

  265. 				WithPolling(time.Second).
    266. 

  266. 				Should(ContainElement(secretStoreFinalizer))
    267. 

  267. 		},
    268. 

  268. 			Entry("[namespace] should add finalizer when PushSecret with DeletionPolicy=Delete is created", usePushSecret),
    269. 

  269. 			Entry("[cluster] should add finalizer when PushSecret with DeletionPolicy=Delete is created", usePushSecret, useClusterStore),
    270. 

  270. 		)
    271. 

  271. 

  272. 		DescribeTable("Finalizer Removal on PushSecret Deletion", func(muts ...func(tc *testCase)) {
    273. 

  273. 			for _, mut := range muts {
    274. 

  274. 				mut(test)
    275. 

  275. 			}
    276. 

  276. 

  277. 			test.store.SetFinalizers([]string{secretStoreFinalizer})
    278. 

  278. 			Expect(k8sClient.Create(context.Background(), test.store)).ToNot(HaveOccurred())
    279. 

  279. 			Expect(k8sClient.Create(context.Background(), test.ps)).ToNot(HaveOccurred())
    280. 

  280. 			Expect(k8sClient.Delete(context.Background(), test.ps)).ToNot(HaveOccurred())
    281. 

  281. 

  282. 			Eventually(func() []string {
    283. 

  283. 				return getStoreFinalizers(test.store)
    284. 

  284. 			}).
    285. 

  285. 				WithTimeout(time.Second * 10).
    286. 

  286. 				WithPolling(time.Second).
    287. 

  287. 				ShouldNot(ContainElement(secretStoreFinalizer))
    288. 

  288. 		},
    289. 

  289. 			Entry("[namespace] should remove finalizer when PushSecret is deleted", usePushSecret),
    290. 

  290. 			Entry("[cluster] should remove finalizer when PushSecret is deleted", usePushSecret, useClusterStore),
    291. 

  291. 		)
    292. 

  292. 

  293. 		DescribeTable("Store Deletion Prevention", func(muts ...func(tc *testCase)) {
    294. 

  294. 			for _, mut := range muts {
    295. 

  295. 				mut(test)
    296. 

  296. 			}
    297. 

  297. 

  298. 			Expect(k8sClient.Create(context.Background(), test.store)).ToNot(HaveOccurred())
    299. 

  299. 			Expect(k8sClient.Create(context.Background(), test.ps)).ToNot(HaveOccurred())
    300. 

  300. 

  301. 			// Wait for finalizer to be added
    302. 

  302. 			Eventually(func() []string {
    303. 

  303. 				return getStoreFinalizers(test.store)
    304. 

  304. 			}).
    305. 

  305. 				WithTimeout(time.Second * 10).
    306. 

  306. 				WithPolling(time.Second).
    307. 

  307. 				Should(ContainElement(secretStoreFinalizer))
    308. 

  308. 

  309. 			Expect(k8sClient.Delete(context.Background(), test.store)).ToNot(HaveOccurred())
    310. 

  310. 

  311. 			Consistently(func() []string {
    312. 

  312. 				return getStoreFinalizers(test.store)
    313. 

  313. 			}).
    314. 

  314. 				WithTimeout(time.Second * 3).
    315. 

  315. 				WithPolling(time.Millisecond * 500).
    316. 

  316. 				Should(ContainElement(secretStoreFinalizer))
    317. 

  317. 		},
    318. 

  318. 			Entry("[namespace] should prevent deletion when finalizer exists", usePushSecret),
    319. 

  319. 			Entry("[cluster] should prevent deletion when finalizer exists", usePushSecret, useClusterStore),
    320. 

  320. 		)
    321. 

  321. 

  322. 		DescribeTable("Complete Deletion Flow", func(muts ...func(tc *testCase)) {
    323. 

  323. 			for _, mut := range muts {
    324. 

  324. 				mut(test)
    325. 

  325. 			}
    326. 

  326. 

  327. 			Expect(k8sClient.Create(context.Background(), test.store)).ToNot(HaveOccurred())
    328. 

  328. 			Expect(k8sClient.Create(context.Background(), test.ps)).ToNot(HaveOccurred())
    329. 

  329. 			Expect(k8sClient.Delete(context.Background(), test.store)).ToNot(HaveOccurred())
    330. 

  330. 			Expect(k8sClient.Delete(context.Background(), test.ps)).ToNot(HaveOccurred())
    331. 

  331. 

  332. 			Eventually(func() bool {
    333. 

  333. 				err := k8sClient.Get(context.Background(), types.NamespacedName{
    334. 

  334. 					Name:      test.store.GetName(),
    335. 

  335. 					Namespace: test.store.GetNamespace(),
    336. 

  336. 				}, test.store)
    337. 

  337. 				return apierrors.IsNotFound(err)
    338. 

  338. 			}).
    339. 

  339. 				WithTimeout(time.Second * 10).
    340. 

  340. 				WithPolling(time.Second).
    341. 

  341. 				Should(BeTrue())
    342. 

  342. 		},
    343. 

  343. 			Entry("[namespace] should allow deletion when both Store and PushSecret are deleted", usePushSecret),
    344. 

  344. 			Entry("[cluster] should allow deletion when both Store and PushSecret are deleted", usePushSecret, useClusterStore),
    345. 

  345. 		)
    346. 

  346. 

  347. 		DescribeTable("Multiple PushSecrets Scenario", func(muts ...func(tc *testCase)) {
    348. 

  348. 			for _, mut := range muts {
    349. 

  349. 				mut(test)
    350. 

  350. 			}
    351. 

  351. 

  352. 			ps2 := test.ps.DeepCopy()
    353. 

  353. 			ps2.Name = "push-secret-2"
    354. 

  354. 

  355. 			Expect(k8sClient.Create(context.Background(), test.store)).ToNot(HaveOccurred())
    356. 

  356. 			Expect(k8sClient.Create(context.Background(), test.ps)).ToNot(HaveOccurred())
    357. 

  357. 			Expect(k8sClient.Create(context.Background(), ps2)).ToNot(HaveOccurred())
    358. 

  358. 

  359. 			// Wait for finalizer to be added
    360. 

  360. 			Eventually(func() []string {
    361. 

  361. 				return getStoreFinalizers(test.store)
    362. 

  362. 			}).
    363. 

  363. 				WithTimeout(time.Second * 10).
    364. 

  364. 				WithPolling(time.Second).
    365. 

  365. 				Should(ContainElement(secretStoreFinalizer))
    366. 

  366. 

  367. 			Expect(k8sClient.Delete(context.Background(), test.ps)).ToNot(HaveOccurred())
    368. 

  368. 

  369. 			// Finalizer should remain because ps2 still exists
    370. 

  370. 			Consistently(func() []string {
    371. 

  371. 				return getStoreFinalizers(test.store)
    372. 

  372. 			}).
    373. 

  373. 				WithTimeout(time.Second * 3).
    374. 

  374. 				WithPolling(time.Millisecond * 500).
    375. 

  375. 				Should(ContainElement(secretStoreFinalizer))
    376. 

  376. 

  377. 			// Cleanup
    378. 

  378. 			Expect(k8sClient.Delete(context.Background(), ps2)).ToNot(HaveOccurred())
    379. 

  379. 		},
    380. 

  380. 			Entry("[namespace] finalizer should remain when other PushSecrets exist", usePushSecret),
    381. 

  381. 			Entry("[cluster] finalizer should remain when other PushSecrets exist", usePushSecret, useClusterStore),
    382. 

  382. 		)
    383. 

  383. 

  384. 		DescribeTable("DeletionPolicy Change", func(muts ...func(tc *testCase)) {
    385. 

  385. 			for _, mut := range muts {
    386. 

  386. 				mut(test)
    387. 

  387. 			}
    388. 

  388. 

  389. 			Expect(k8sClient.Create(context.Background(), test.store)).ToNot(HaveOccurred())
    390. 

  390. 			Expect(k8sClient.Create(context.Background(), test.ps)).ToNot(HaveOccurred())
    391. 

  391. 

  392. 			// Wait for finalizer to be added
    393. 

  393. 			Eventually(func() []string {
    394. 

  394. 				return getStoreFinalizers(test.store)
    395. 

  395. 			}).
    396. 

  396. 				WithTimeout(time.Second * 10).
    397. 

  397. 				WithPolling(time.Second).
    398. 

  398. 				Should(ContainElement(secretStoreFinalizer))
    399. 

  399. 

  400. 			// Update PushSecret to DeletionPolicy=None
    401. 

  401. 			Eventually(func() error {
    402. 

  402. 				err := k8sClient.Get(context.Background(), types.NamespacedName{
    403. 

  403. 					Name:      test.ps.Name,
    404. 

  404. 					Namespace: test.ps.Namespace,
    405. 

  405. 				}, test.ps)
    406. 

  406. 				Expect(err).ToNot(HaveOccurred())
    407. 

  407. 				test.ps.Spec.DeletionPolicy = esv1alpha1.PushSecretDeletionPolicyNone
    408. 

  408. 				return k8sClient.Update(context.Background(), test.ps)
    409. 

  409. 			}).
    410. 

  410. 				WithTimeout(time.Second * 10).
    411. 

  411. 				WithPolling(time.Second).
    412. 

  412. 				Should(Succeed())
    413. 

  413. 

  414. 			Eventually(func() []string {
    415. 

  415. 				return getStoreFinalizers(test.store)
    416. 

  416. 			}).
    417. 

  417. 				WithTimeout(time.Second * 10).
    418. 

  418. 				WithPolling(time.Second).
    419. 

  419. 				ShouldNot(ContainElement(secretStoreFinalizer))
    420. 

  420. 		},
    421. 

  421. 			Entry("[namespace] should remove finalizer when DeletionPolicy changes to None", usePushSecret),
    422. 

  422. 			Entry("[cluster] should remove finalizer when DeletionPolicy changes to None", usePushSecret, useClusterStore),
    423. 

  423. 		)
    424. 

  424. 	})
    425. 

  425. 

  426. })
    427. 

  427. 

  428. func cleanupResources(test *testCase) {
    429. 

  429. 	if test.ps != nil {
    430. 

  430. 		err := k8sClient.Delete(context.Background(), test.ps)
    431. 

  431. 		if err != nil && !apierrors.IsNotFound(err) {
    432. 

  432. 			Expect(err).ToNot(HaveOccurred())
    433. 

  433. 		}
    434. 

  434. 	}
    435. 

  435. 

  436. 	err := k8sClient.Delete(context.Background(), test.store)
    437. 

  437. 	if err != nil && !apierrors.IsNotFound(err) {
    438. 

  438. 		Expect(err).ToNot(HaveOccurred())
    439. 

  439. 	}
    440. 

  440. 

  441. 	Eventually(func() bool {
    442. 

  442. 		err := k8sClient.Get(context.Background(), types.NamespacedName{
    443. 

  443. 			Name:      test.store.GetName(),
    444. 

  444. 			Namespace: test.store.GetNamespace(),
    445. 

  445. 		}, test.store)
    446. 

  446. 		return apierrors.IsNotFound(err)
    447. 

  447. 	}).
    448. 

  448. 		WithTimeout(time.Second * 10).
    449. 

  449. 		WithPolling(time.Second).
    450. 

  450. 		Should(BeTrue())
    451. 

  451. }
    452. 

  452. 

  453. func getStoreFinalizers(store esapi.GenericStore) []string {
    454. 

  454. 	err := k8sClient.Get(context.Background(), types.NamespacedName{
    455. 

  455. 		Name:      store.GetName(),
    456. 

  456. 		Namespace: store.GetNamespace(),
    457. 

  457. 	}, store)
    458. 

  458. 	if err != nil {
    459. 

  459. 		return []string{}
    460. 

  460. 	}
    461. 

  461. 	return store.GetFinalizers()
    462. 

  462. }
    463. 

  463. 

  464. func makeDefaultTestcase() *testCase {
    465. 

  465. 	return &testCase{
    466. 

  466. 		assert: func() {
    467. 

  467. 			// this is a noop by default
    468. 

  468. 		},
    469. 

  469. 		store: &esapi.SecretStore{
    470. 

  470. 			TypeMeta: metav1.TypeMeta{
    471. 

  471. 				Kind:       esapi.SecretStoreKind,
    472. 

  472. 				APIVersion: esapi.SecretStoreKindAPIVersion,
    473. 

  473. 			},
    474. 

  474. 			ObjectMeta: metav1.ObjectMeta{
    475. 

  475. 				Name:      defaultStoreName,
    476. 

  476. 				Namespace: "default",
    477. 

  477. 			},
    478. 

  478. 			Spec: esapi.SecretStoreSpec{
    479. 

  479. 				Controller: defaultControllerClass,
    480. 

  480. 				// empty provider
    481. 

  481. 				// a testCase mutator must fill in the concrete provider
    482. 

  482. 				Provider: &esapi.SecretStoreProvider{
    483. 

  483. 					Vault: &esapi.VaultProvider{
    484. 

  484. 						Version: esapi.VaultKVStoreV1,
    485. 

  485. 					},
    486. 

  486. 				},
    487. 

  487. 			},
    488. 

  488. 		},
    489. 

  489. 	}
    490. 

  490. }
    491. 

  491. 

  492. func useClusterStore(tc *testCase) {
    493. 

  493. 	spc := tc.store.GetSpec()
    494. 

  494. 	meta := tc.store.GetObjectMeta()
    495. 

  495. 

  496. 	tc.store = &esapi.ClusterSecretStore{
    497. 

  497. 		TypeMeta: metav1.TypeMeta{
    498. 

  498. 			Kind:       esapi.ClusterSecretStoreKind,
    499. 

  499. 			APIVersion: esapi.ClusterSecretStoreKindAPIVersion,
    500. 

  500. 		},
    501. 

  501. 		ObjectMeta: metav1.ObjectMeta{
    502. 

  502. 			Name: meta.Name,
    503. 

  503. 		},
    504. 

  504. 		Spec: *spc,
    505. 

  505. 	}
    506. 

  506. 

  507. 	if tc.ps != nil {
    508. 

  508. 		tc.ps.Spec.SecretStoreRefs[0].Kind = esapi.ClusterSecretStoreKind
    509. 

  509. 	}
    510. 

  510. }
    511. 

  511. 

  512. func usePushSecret(tc *testCase) {
    513. 

  513. 	tc.ps = &esv1alpha1.PushSecret{
    514. 

  514. 		ObjectMeta: metav1.ObjectMeta{
    515. 

  515. 			Name:      "push-secret",
    516. 

  516. 			Namespace: "default",
    517. 

  517. 		},
    518. 

  518. 		Spec: esv1alpha1.PushSecretSpec{
    519. 

  519. 			DeletionPolicy: esv1alpha1.PushSecretDeletionPolicyDelete,
    520. 

  520. 			Selector: esv1alpha1.PushSecretSelector{
    521. 

  521. 				Secret: &esv1alpha1.PushSecretSecret{
    522. 

  522. 					Name: "foo",
    523. 

  523. 				},
    524. 

  524. 			},
    525. 

  525. 			SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{
    526. 

  526. 				{
    527. 

  527. 					Name: defaultStoreName,
    528. 

  528. 				},
    529. 

  529. 			},
    530. 

  530. 		},
    531. 

  531. 	}
    532. 

  532. }
    533. 

  533. 

  534. func hasEvent(involvedKind, name, reason string) bool {
    535. 

  535. 	el := &corev1.EventList{}
    536. 

  536. 	err := k8sClient.List(context.Background(), el)
    537. 

  537. 	if err != nil {
    538. 

  538. 		return false
    539. 

  539. 	}
    540. 

  540. 	for i := range el.Items {
    541. 

  541. 		ev := el.Items[i]
    542. 

  542. 		if ev.InvolvedObject.Kind == involvedKind && ev.InvolvedObject.Name == name {
    543. 

  543. 			if ev.Reason == reason {
    544. 

  544. 				return true
    545. 

  545. 			}
    546. 

  546. 		}
    547. 

  547. 	}
    548. 

  548. 	return false
    549. 

  549. }
    550.