Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: helm-chart
Branches Tags
helm-externa...
/
providers
/
v1
/
gcp
/
secretmanager
/
workload_identity_test.go

workload_identity_test.go 14 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package secretmanager
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 	"io"
    25. 

  25. 	"net/http"
    26. 

  26. 	"net/http/httptest"
    27. 

  27. 	"testing"
    28. 

  28. 

  29. 	"cloud.google.com/go/iam/credentials/apiv1/credentialspb"
    30. 

  30. 	"github.com/googleapis/gax-go/v2"
    31. 

  31. 	"github.com/stretchr/testify/assert"
    32. 

  32. 	"golang.org/x/oauth2"
    33. 

  33. 	authv1 "k8s.io/api/authentication/v1"
    34. 

  34. 	v1 "k8s.io/api/core/v1"
    35. 

  35. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    36. 

  36. 	k8sv1 "k8s.io/client-go/kubernetes/typed/core/v1"
    37. 

  37. 	"sigs.k8s.io/controller-runtime/pkg/client"
    38. 

  38. 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
    39. 

  39. 

  40. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    41. 

  41. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    42. 

  42. )
    43. 

  43. 

  44. type workloadIdentityTest struct {
    45. 

  45. 	name           string
    46. 

  46. 	expTS          bool
    47. 

  47. 	expToken       *oauth2.Token
    48. 

  48. 	expErr         string
    49. 

  49. 	genAccessToken func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
    50. 

  50. 	genIDBindToken func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
    51. 

  51. 	genSAToken     func(c context.Context, s1 []string, s2, s3 string) (*authv1.TokenRequest, error)
    52. 

  52. 	instMetadata   map[string]string
    53. 

  53. 	store          esv1.GenericStore
    54. 

  54. 	kubeObjects    []client.Object
    55. 

  55. }
    56. 

  56. 

  57. func TestWorkloadIdentity(t *testing.T) {
    58. 

  58. 	clusterSANamespace := "foobar"
    59. 

  59. 	tbl := []*workloadIdentityTest{
    60. 

  60. 		composeTestcase(
    61. 

  61. 			defaultTestCase("should skip when no workload identity is configured: TokenSource and error must be nil"),
    62. 

  62. 			withStore(&esv1.SecretStore{
    63. 

  63. 				Spec: esv1.SecretStoreSpec{
    64. 

  64. 					Provider: &esv1.SecretStoreProvider{
    65. 

  65. 						GCPSM: &esv1.GCPSMProvider{},
    66. 

  66. 					},
    67. 

  67. 				},
    68. 

  68. 			}),
    69. 

  69. 		),
    70. 

  70. 		composeTestcase(
    71. 

  71. 			defaultTestCase("return access token from GenerateAccessTokenRequest with SecretStore"),
    72. 

  72. 			withStore(defaultStore()),
    73. 

  73. 			expTokenSource(),
    74. 

  74. 			expectToken(defaultGenAccessToken),
    75. 

  75. 		),
    76. 

  76. 		composeTestcase(
    77. 

  77. 			defaultTestCase("return idBindToken when no annotation is set with SecretStore"),
    78. 

  78. 			expTokenSource(),
    79. 

  79. 			expectToken(defaultIDBindToken),
    80. 

  80. 			withStore(defaultStore()),
    81. 

  81. 			withK8sResources([]client.Object{
    82. 

  82. 				&v1.ServiceAccount{
    83. 

  83. 					ObjectMeta: metav1.ObjectMeta{
    84. 

  84. 						Name:        "example",
    85. 

  85. 						Namespace:   "default",
    86. 

  86. 						Annotations: map[string]string{},
    87. 

  87. 					},
    88. 

  88. 				},
    89. 

  89. 			}),
    90. 

  90. 		),
    91. 

  91. 		composeTestcase(
    92. 

  92. 			defaultTestCase("ClusterSecretStore: referent auth / service account without namespace"),
    93. 

  93. 			expTokenSource(),
    94. 

  94. 			withStore(
    95. 

  95. 				composeStore(defaultClusterStore()),
    96. 

  96. 			),
    97. 

  97. 			withK8sResources([]client.Object{
    98. 

  98. 				&v1.ServiceAccount{
    99. 

  99. 					ObjectMeta: metav1.ObjectMeta{
    100. 

  100. 						Name:        "example",
    101. 

  101. 						Namespace:   "default",
    102. 

  102. 						Annotations: map[string]string{},
    103. 

  103. 					},
    104. 

  104. 				},
    105. 

  105. 			}),
    106. 

  106. 		),
    107. 

  107. 		composeTestcase(
    108. 

  108. 			defaultTestCase("ClusterSecretStore: invalid service account"),
    109. 

  109. 			expErr("foobar"),
    110. 

  110. 			withStore(
    111. 

  111. 				composeStore(defaultClusterStore()),
    112. 

  112. 			),
    113. 

  113. 			withK8sResources([]client.Object{
    114. 

  114. 				&v1.ServiceAccount{
    115. 

  115. 					ObjectMeta: metav1.ObjectMeta{
    116. 

  116. 						Name:        "does not exist",
    117. 

  117. 						Namespace:   "default",
    118. 

  118. 						Annotations: map[string]string{},
    119. 

  119. 					},
    120. 

  120. 				},
    121. 

  121. 			}),
    122. 

  122. 		),
    123. 

  123. 		composeTestcase(
    124. 

  124. 			defaultTestCase("return access token from GenerateAccessTokenRequest with ClusterSecretStore"),
    125. 

  125. 			expTokenSource(),
    126. 

  126. 			expectToken(defaultGenAccessToken),
    127. 

  127. 			withStore(
    128. 

  128. 				composeStore(defaultClusterStore(), withSANamespace(clusterSANamespace)),
    129. 

  129. 			),
    130. 

  130. 			withK8sResources([]client.Object{
    131. 

  131. 				&v1.ServiceAccount{
    132. 

  132. 					ObjectMeta: metav1.ObjectMeta{
    133. 

  133. 						Name:      "example",
    134. 

  134. 						Namespace: clusterSANamespace,
    135. 

  135. 						Annotations: map[string]string{
    136. 

  136. 							gcpSAAnnotation: "example",
    137. 

  137. 						},
    138. 

  138. 					},
    139. 

  139. 				},
    140. 

  140. 			}),
    141. 

  141. 		),
    142. 

  142. 		composeTestcase(
    143. 

  143. 			defaultTestCase("lookup cluster id from instance metadata"),
    144. 

  144. 			expTokenSource(),
    145. 

  145. 			expectToken(defaultGenAccessToken),
    146. 

  146. 			withStore(
    147. 

  147. 				composeStore(defaultStore(), withClusterID("", "", "")),
    148. 

  148. 			),
    149. 

  149. 			withInstMetadata(map[string]string{
    150. 

  150. 				"project-id":       "1234",
    151. 

  151. 				"cluster-location": "example",
    152. 

  152. 				"cluster-name":     "foobar",
    153. 

  153. 			}),
    154. 

  154. 		),
    155. 

  155. 	}
    156. 

  156. 

  157. 	for _, row := range tbl {
    158. 

  158. 		t.Run(row.name, func(t *testing.T) {
    159. 

  159. 			fakeIam := &fakeIAMClient{generateAccessTokenFunc: row.genAccessToken}
    160. 

  160. 			fakeMeta := &fakeMetadataClient{metadata: row.instMetadata}
    161. 

  161. 			fakeIDBGen := &fakeIDBindTokenGen{generateFunc: row.genIDBindToken}
    162. 

  162. 			fakeSATG := &fakeSATokenGen{GenerateFunc: row.genSAToken}
    163. 

  163. 			w := &workloadIdentity{
    164. 

  164. 				iamClient:            fakeIam,
    165. 

  165. 				metadataClient:       fakeMeta,
    166. 

  166. 				idBindTokenGenerator: fakeIDBGen,
    167. 

  167. 				saTokenGenerator:     fakeSATG,
    168. 

  168. 			}
    169. 

  169. 			cb := clientfake.NewClientBuilder()
    170. 

  170. 			cb.WithObjects(row.kubeObjects...)
    171. 

  171. 			client := cb.Build()
    172. 

  172. 			isCluster := row.store.GetTypeMeta().Kind == esv1.ClusterSecretStoreKind
    173. 

  173. 			ts, err := w.TokenSource(context.Background(), row.store.GetSpec().Provider.GCPSM.Auth, isCluster, client, "default")
    174. 

  174. 			// assert err
    175. 

  175. 			if row.expErr == "" {
    176. 

  176. 				assert.NoError(t, err)
    177. 

  177. 			} else {
    178. 

  178. 				assert.Error(t, err, row.expErr)
    179. 

  179. 			}
    180. 

  180. 			// assert ts
    181. 

  181. 			if row.expTS {
    182. 

  182. 				assert.NotNil(t, ts)
    183. 

  183. 				if row.expToken != nil {
    184. 

  184. 					tk, err := ts.Token()
    185. 

  185. 					assert.NoError(t, err)
    186. 

  186. 					assert.EqualValues(t, tk, row.expToken)
    187. 

  187. 				}
    188. 

  188. 			} else {
    189. 

  189. 				assert.Nil(t, ts)
    190. 

  190. 			}
    191. 

  191. 		})
    192. 

  192. 	}
    193. 

  193. }
    194. 

  194. 

  195. func TestClusterProjectID(t *testing.T) {
    196. 

  196. 	clusterID, err := clusterProjectID(defaultStore().GetSpec())
    197. 

  197. 	assert.Nil(t, err)
    198. 

  198. 	assert.Equal(t, clusterID, "1234")
    199. 

  199. 	externalClusterID, err := clusterProjectID(defaultExternalStore().GetSpec())
    200. 

  200. 	assert.Nil(t, err)
    201. 

  201. 	assert.Equal(t, externalClusterID, "5678")
    202. 

  202. }
    203. 

  203. 

  204. func TestSATokenGen(t *testing.T) {
    205. 

  205. 	corev1 := &fakeK8sV1{}
    206. 

  206. 	g := &k8sSATokenGenerator{
    207. 

  207. 		corev1: corev1,
    208. 

  208. 	}
    209. 

  209. 	token, err := g.Generate(context.Background(), []string{"my-fake-audience"}, "bar", "default")
    210. 

  210. 	assert.Nil(t, err)
    211. 

  211. 	assert.Equal(t, token.Status.Token, defaultSAToken)
    212. 

  212. 	assert.Equal(t, token.Spec.Audiences[0], "my-fake-audience")
    213. 

  213. }
    214. 

  214. 

  215. func TestIDBTokenGen(t *testing.T) {
    216. 

  216. 	srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
    217. 

  217. 		payload := make(map[string]string)
    218. 

  218. 		rb, err := io.ReadAll(r.Body)
    219. 

  219. 		assert.Nil(t, err)
    220. 

  220. 		err = json.Unmarshal(rb, &payload)
    221. 

  221. 		assert.Nil(t, err)
    222. 

  222. 		assert.Equal(t, payload["audience"], "identitynamespace:some-idpool:some-id-provider")
    223. 

  223. 

  224. 		bt, err := json.Marshal(&oauth2.Token{
    225. 

  225. 			AccessToken: "12345",
    226. 

  226. 		})
    227. 

  227. 		assert.Nil(t, err)
    228. 

  228. 		rw.WriteHeader(http.StatusOK)
    229. 

  229. 		rw.Write(bt)
    230. 

  230. 	}))
    231. 

  231. 	defer srv.Close()
    232. 

  232. 	gen := &gcpIDBindTokenGenerator{
    233. 

  233. 		targetURL: srv.URL,
    234. 

  234. 	}
    235. 

  235. 	token, err := gen.Generate(context.Background(), http.DefaultClient, "some-token", "some-idpool", "some-id-provider")
    236. 

  236. 	assert.Nil(t, err)
    237. 

  237. 	assert.Equal(t, token.AccessToken, "12345")
    238. 

  238. }
    239. 

  239. 

  240. type testCaseMutator func(tc *workloadIdentityTest)
    241. 

  241. 

  242. func composeTestcase(tc *workloadIdentityTest, mutators ...testCaseMutator) *workloadIdentityTest {
    243. 

  243. 	for _, m := range mutators {
    244. 

  244. 		m(tc)
    245. 

  245. 	}
    246. 

  246. 	return tc
    247. 

  247. }
    248. 

  248. 

  249. func withStore(store esv1.GenericStore) testCaseMutator {
    250. 

  250. 	return func(tc *workloadIdentityTest) {
    251. 

  251. 		tc.store = store
    252. 

  252. 	}
    253. 

  253. }
    254. 

  254. 

  255. func expTokenSource() testCaseMutator {
    256. 

  256. 	return func(tc *workloadIdentityTest) {
    257. 

  257. 		tc.expTS = true
    258. 

  258. 	}
    259. 

  259. }
    260. 

  260. 

  261. func expectToken(token string) testCaseMutator {
    262. 

  262. 	return func(tc *workloadIdentityTest) {
    263. 

  263. 		tc.expToken = &oauth2.Token{
    264. 

  264. 			AccessToken: token,
    265. 

  265. 		}
    266. 

  266. 	}
    267. 

  267. }
    268. 

  268. 

  269. func expErr(err string) testCaseMutator {
    270. 

  270. 	return func(tc *workloadIdentityTest) {
    271. 

  271. 		tc.expErr = err
    272. 

  272. 	}
    273. 

  273. }
    274. 

  274. 

  275. func withK8sResources(objs []client.Object) testCaseMutator {
    276. 

  276. 	return func(tc *workloadIdentityTest) {
    277. 

  277. 		tc.kubeObjects = objs
    278. 

  278. 	}
    279. 

  279. }
    280. 

  280. 

  281. func withInstMetadata(metadata map[string]string) testCaseMutator {
    282. 

  282. 	return func(tc *workloadIdentityTest) {
    283. 

  283. 		tc.instMetadata = metadata
    284. 

  284. 	}
    285. 

  285. }
    286. 

  286. 

  287. var (
    288. 

  288. 	defaultGenAccessToken = "default-gen-access-token"
    289. 

  289. 	defaultIDBindToken    = "default-id-bind-token"
    290. 

  290. 	defaultSAToken        = "default-k8s-sa-token"
    291. 

  291. )
    292. 

  292. 

  293. func defaultTestCase(name string) *workloadIdentityTest {
    294. 

  294. 	return &workloadIdentityTest{
    295. 

  295. 		name: name,
    296. 

  296. 		genAccessToken: func(c context.Context, gatr *credentialspb.GenerateAccessTokenRequest, co ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error) {
    297. 

  297. 			return &credentialspb.GenerateAccessTokenResponse{
    298. 

  298. 				AccessToken: defaultGenAccessToken,
    299. 

  299. 			}, nil
    300. 

  300. 		},
    301. 

  301. 		genIDBindToken: func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error) {
    302. 

  302. 			return &oauth2.Token{
    303. 

  303. 				AccessToken: defaultIDBindToken,
    304. 

  304. 			}, nil
    305. 

  305. 		},
    306. 

  306. 		genSAToken: func(c context.Context, s1 []string, s2, s3 string) (*authv1.TokenRequest, error) {
    307. 

  307. 			return &authv1.TokenRequest{
    308. 

  308. 				Status: authv1.TokenRequestStatus{
    309. 

  309. 					Token: defaultSAToken,
    310. 

  310. 				},
    311. 

  311. 			}, nil
    312. 

  312. 		},
    313. 

  313. 		instMetadata: map[string]string{
    314. 

  314. 			"project-id": "1234",
    315. 

  315. 		},
    316. 

  316. 		kubeObjects: []client.Object{
    317. 

  317. 			&v1.ServiceAccount{
    318. 

  318. 				ObjectMeta: metav1.ObjectMeta{
    319. 

  319. 					Name:      "example",
    320. 

  320. 					Namespace: "default",
    321. 

  321. 					Annotations: map[string]string{
    322. 

  322. 						gcpSAAnnotation: "example",
    323. 

  323. 					},
    324. 

  324. 				},
    325. 

  325. 			},
    326. 

  326. 		},
    327. 

  327. 	}
    328. 

  328. }
    329. 

  329. 

  330. func defaultStore() *esv1.SecretStore {
    331. 

  331. 	return &esv1.SecretStore{
    332. 

  332. 		ObjectMeta: metav1.ObjectMeta{
    333. 

  333. 			Name:      "foobar",
    334. 

  334. 			Namespace: "default",
    335. 

  335. 		},
    336. 

  336. 		Spec: defaultStoreSpec(),
    337. 

  337. 	}
    338. 

  338. }
    339. 

  339. 

  340. func defaultExternalStore() *esv1.SecretStore {
    341. 

  341. 	return &esv1.SecretStore{
    342. 

  342. 		ObjectMeta: metav1.ObjectMeta{
    343. 

  343. 			Name:      "foobar",
    344. 

  344. 			Namespace: "default",
    345. 

  345. 		},
    346. 

  346. 		Spec: defaultExternalStoreSpec(),
    347. 

  347. 	}
    348. 

  348. }
    349. 

  349. 

  350. func defaultClusterStore() *esv1.ClusterSecretStore {
    351. 

  351. 	return &esv1.ClusterSecretStore{
    352. 

  352. 		TypeMeta: metav1.TypeMeta{
    353. 

  353. 			Kind: esv1.ClusterSecretStoreKind,
    354. 

  354. 		},
    355. 

  355. 		ObjectMeta: metav1.ObjectMeta{
    356. 

  356. 			Name: "foobar",
    357. 

  357. 		},
    358. 

  358. 		Spec: defaultStoreSpec(),
    359. 

  359. 	}
    360. 

  360. }
    361. 

  361. 

  362. func defaultStoreSpec() esv1.SecretStoreSpec {
    363. 

  363. 	return esv1.SecretStoreSpec{
    364. 

  364. 		Provider: &esv1.SecretStoreProvider{
    365. 

  365. 			GCPSM: &esv1.GCPSMProvider{
    366. 

  366. 				Auth: esv1.GCPSMAuth{
    367. 

  367. 					WorkloadIdentity: &esv1.GCPWorkloadIdentity{
    368. 

  368. 						ServiceAccountRef: esmeta.ServiceAccountSelector{
    369. 

  369. 							Name: "example",
    370. 

  370. 						},
    371. 

  371. 						ClusterLocation: "example",
    372. 

  372. 						ClusterName:     "foobar",
    373. 

  373. 					},
    374. 

  374. 				},
    375. 

  375. 				ProjectID: "1234",
    376. 

  376. 			},
    377. 

  377. 		},
    378. 

  378. 	}
    379. 

  379. }
    380. 

  380. 

  381. func defaultExternalStoreSpec() esv1.SecretStoreSpec {
    382. 

  382. 	return esv1.SecretStoreSpec{
    383. 

  383. 		Provider: &esv1.SecretStoreProvider{
    384. 

  384. 			GCPSM: &esv1.GCPSMProvider{
    385. 

  385. 				Auth: esv1.GCPSMAuth{
    386. 

  386. 					WorkloadIdentity: &esv1.GCPWorkloadIdentity{
    387. 

  387. 						ServiceAccountRef: esmeta.ServiceAccountSelector{
    388. 

  388. 							Name: "example",
    389. 

  389. 						},
    390. 

  390. 						ClusterLocation:  "example",
    391. 

  391. 						ClusterName:      "foobar",
    392. 

  392. 						ClusterProjectID: "5678",
    393. 

  393. 					},
    394. 

  394. 				},
    395. 

  395. 				ProjectID: "1234",
    396. 

  396. 			},
    397. 

  397. 		},
    398. 

  398. 	}
    399. 

  399. }
    400. 

  400. 

  401. type storeMutator func(spc esv1.GenericStore)
    402. 

  402. 

  403. func composeStore(store esv1.GenericStore, mutators ...storeMutator) esv1.GenericStore {
    404. 

  404. 	for _, m := range mutators {
    405. 

  405. 		m(store)
    406. 

  406. 	}
    407. 

  407. 	return store
    408. 

  408. }
    409. 

  409. 

  410. func withClusterID(project, location, name string) storeMutator {
    411. 

  411. 	return func(store esv1.GenericStore) {
    412. 

  412. 		spc := store.GetSpec()
    413. 

  413. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID = project
    414. 

  414. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ClusterLocation = location
    415. 

  415. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ClusterName = name
    416. 

  416. 	}
    417. 

  417. }
    418. 

  418. 

  419. func withSANamespace(namespace string) storeMutator {
    420. 

  420. 	return func(store esv1.GenericStore) {
    421. 

  421. 		spc := store.GetSpec()
    422. 

  422. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ServiceAccountRef.Namespace = &namespace
    423. 

  423. 	}
    424. 

  424. }
    425. 

  425. 

  426. // fake IDBindToken Generator.
    427. 

  427. type fakeIDBindTokenGen struct {
    428. 

  428. 	generateFunc func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
    429. 

  429. }
    430. 

  430. 

  431. func (g *fakeIDBindTokenGen) Generate(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error) {
    432. 

  432. 	return g.generateFunc(ctx, client, k8sToken, idPool, idProvider)
    433. 

  433. }
    434. 

  434. 

  435. // fake IAM Client.
    436. 

  436. type fakeIAMClient struct {
    437. 

  437. 	generateAccessTokenFunc func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
    438. 

  438. }
    439. 

  439. 

  440. func (f *fakeIAMClient) GenerateAccessToken(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error) {
    441. 

  441. 	return f.generateAccessTokenFunc(ctx, req, opts...)
    442. 

  442. }
    443. 

  443. 

  444. func (f *fakeIAMClient) Close() error {
    445. 

  445. 	return nil
    446. 

  446. }
    447. 

  447. 

  448. // fake Metadata Client.
    449. 

  449. type fakeMetadataClient struct {
    450. 

  450. 	metadata map[string]string
    451. 

  451. }
    452. 

  452. 

  453. func (f *fakeMetadataClient) InstanceAttributeValueWithContext(ctx context.Context, attr string) (string, error) {
    454. 

  454. 	if val, ok := f.metadata[attr]; ok {
    455. 

  455. 		return val, nil
    456. 

  456. 	}
    457. 

  457. 	return "", fmt.Errorf("attr %s not found", attr)
    458. 

  458. }
    459. 

  459. 

  460. func (f *fakeMetadataClient) ProjectIDWithContext(ctx context.Context) (string, error) {
    461. 

  461. 	if val, ok := f.metadata["project-id"]; ok {
    462. 

  462. 		return val, nil
    463. 

  463. 	}
    464. 

  464. 	return "", errors.New("attr project-id not found")
    465. 

  465. }
    466. 

  466. 

  467. // fake SA Token Generator.
    468. 

  468. type fakeSATokenGen struct {
    469. 

  469. 	GenerateFunc func(context.Context, []string, string, string) (*authv1.TokenRequest, error)
    470. 

  470. }
    471. 

  471. 

  472. func (f *fakeSATokenGen) Generate(ctx context.Context, idPool []string, namespace, name string) (*authv1.TokenRequest, error) {
    473. 

  473. 	return f.GenerateFunc(ctx, idPool, namespace, name)
    474. 

  474. }
    475. 

  475. 

  476. // fake k8s client for creating tokens.
    477. 

  477. type fakeK8sV1 struct {
    478. 

  478. 	k8sv1.CoreV1Interface
    479. 

  479. }
    480. 

  480. 

  481. func (m *fakeK8sV1) ServiceAccounts(_ string) k8sv1.ServiceAccountInterface {
    482. 

  482. 	return &fakeK8sV1SA{v1mock: m}
    483. 

  483. }
    484. 

  484. 

  485. // Mock the K8s service account client.
    486. 

  486. type fakeK8sV1SA struct {
    487. 

  487. 	k8sv1.ServiceAccountInterface
    488. 

  488. 	v1mock *fakeK8sV1
    489. 

  489. }
    490. 

  490. 

  491. func (ma *fakeK8sV1SA) CreateToken(
    492. 

  492. 	_ context.Context,
    493. 

  493. 	_ string,
    494. 

  494. 	tokenRequest *authv1.TokenRequest,
    495. 

  495. 	_ metav1.CreateOptions,
    496. 

  496. ) (*authv1.TokenRequest, error) {
    497. 

  497. 	tokenRequest.Status.Token = defaultSAToken
    498. 

  498. 	return tokenRequest, nil
    499. 

  499. }
    500.