Cloud provider GCP: adopt changes to CCM / CNM for GCP

2025-07-23 15:30:44 -04:00 · 2022-03-25 10:55:37 +01:00 · 2022-03-25 10:55:37 +01:00 · 3c1ddfb94e
commit 3c1ddfb94e
parent a59ce30e7b
9 changed files with 430 additions and 60 deletions
--- a/coordinator/cloudprovider/gcp/ccm_test.go
+++ b/coordinator/cloudprovider/gcp/ccm_test.go
@ -1,36 +1,47 @@
 package gcp

 import (
-	"errors"
+	"encoding/json"
 	"testing"

+	"github.com/edgelesssys/constellation/cli/gcp/client"
 	"github.com/edgelesssys/constellation/coordinator/core"
+	"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi/resources"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	k8s "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-func TestPrepareInstance(t *testing.T) {
-	err := errors.New("some err")
-	vpnIP := "192.0.2.0"
-	instance := core.Instance{
-		Name:       "someInstance",
-		ProviderID: "gce://someProjectID/someZone/someInstance",
-		IPs:        []string{"192.0.2.0"},
-	}
-
+func TestConfigMaps(t *testing.T) {
 	testCases := map[string]struct {
-		writer         stubWriter
-		expectErr      bool
-		expectedConfig string
+		instance           core.Instance
+		expectedConfigMaps resources.ConfigMaps
+		expectErr          bool
 	}{
-		"prepare works": {
-			expectedConfig: `[global]
-project-id = someProjectID
+		"ConfigMaps works": {
+			instance: core.Instance{ProviderID: "gce://project-id/zone/instance-name"},
+			expectedConfigMaps: resources.ConfigMaps{
+				&k8s.ConfigMap{
+					TypeMeta: v1.TypeMeta{
+						Kind:       "ConfigMap",
+						APIVersion: "v1",
+					},
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "gceconf",
+						Namespace: "kube-system",
+					},
+					Data: map[string]string{
+						"gce.conf": `[global]
+project-id = project-id
 use-metadata-server = false
 `,
+					},
+				},
+			},
 		},
-		"GCE conf write error is detected": {
-			writer:    stubWriter{writeErr: err},
+		"invalid providerID fails": {
+			instance:  core.Instance{ProviderID: "invalid"},
 			expectErr: true,
 		},
 	}
@ -40,15 +51,77 @@ use-metadata-server = false
 			assert := assert.New(t)
 			require := require.New(t)

-			ccm := CloudControllerManager{writer: &tc.writer}
-			err := ccm.PrepareInstance(instance, vpnIP)
+			cloud := CloudControllerManager{}
+			configMaps, err := cloud.ConfigMaps(tc.instance)

 			if tc.expectErr {
 				assert.Error(err)
 				return
 			}
 			require.NoError(err)
-			assert.ElementsMatch([]string{tc.expectedConfig}, tc.writer.configs)
+			assert.Equal(tc.expectedConfigMaps, configMaps)
+		})
+	}
+}
+
+func TestSecrets(t *testing.T) {
+	serviceAccountKey := client.ServiceAccountKey{
+		Type:                    "type",
+		ProjectID:               "project-id",
+		PrivateKeyID:            "private-key-id",
+		PrivateKey:              "private-key",
+		ClientEmail:             "client-email",
+		ClientID:                "client-id",
+		AuthURI:                 "auth-uri",
+		TokenURI:                "token-uri",
+		AuthProviderX509CertURL: "auth-provider-x509-cert-url",
+		ClientX509CertURL:       "client-x509-cert-url",
+	}
+	rawKey, err := json.Marshal(serviceAccountKey)
+	require.NoError(t, err)
+	testCases := map[string]struct {
+		instance               core.Instance
+		cloudServiceAccountURI string
+		expectedSecrets        resources.Secrets
+		expectErr              bool
+	}{
+		"Secrets works": {
+			cloudServiceAccountURI: "serviceaccount://gcp?type=type&project_id=project-id&private_key_id=private-key-id&private_key=private-key&client_email=client-email&client_id=client-id&auth_uri=auth-uri&token_uri=token-uri&auth_provider_x509_cert_url=auth-provider-x509-cert-url&client_x509_cert_url=client-x509-cert-url",
+			expectedSecrets: resources.Secrets{
+				&k8s.Secret{
+					TypeMeta: v1.TypeMeta{
+						Kind:       "Secret",
+						APIVersion: "v1",
+					},
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "gcekey",
+						Namespace: "kube-system",
+					},
+					Data: map[string][]byte{
+						"key.json": rawKey,
+					},
+				},
+			},
+		},
+		"invalid serviceAccountKey fails": {
+			cloudServiceAccountURI: "invalid",
+			expectErr:              true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			cloud := CloudControllerManager{}
+			secrets, err := cloud.Secrets(tc.instance, tc.cloudServiceAccountURI)
+			if tc.expectErr {
+				assert.Error(err)
+				return
+			}
+			require.NoError(err)
+			assert.Equal(tc.expectedSecrets, secrets)
 		})
 	}
 }
@ -60,16 +133,10 @@ func TestTrivialCCMFunctions(t *testing.T) {
 	assert.NotEmpty(cloud.Image())
 	assert.NotEmpty(cloud.Path())
 	assert.NotEmpty(cloud.Name())
+	assert.NotEmpty(cloud.ExtraArgs())
+	assert.NotEmpty(cloud.Volumes())
+	assert.NotEmpty(cloud.VolumeMounts())
+	assert.NotEmpty(cloud.Env())
+	assert.NoError(cloud.PrepareInstance(core.Instance{}, "192.0.2.0"))
 	assert.True(cloud.Supported())
 }
-
-type stubWriter struct {
-	writeErr error
-
-	configs []string
-}
-
-func (s *stubWriter) WriteGCEConf(config string) error {
-	s.configs = append(s.configs, config)
-	return s.writeErr
-}