
Commit 3be23dd

authored
Fix gcloud container command (#26)
* Fix gcloud container command
* Add test for gcloudSetupContainer
1 parent e2f40b7 commit 3be23dd


4 files changed

+116
-7
lines changed


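--- a/go.mod
+++ b/go.mod
@@ -7,12 +7,13 @@ toolchain go1.21.3
 require (
 github.com/MakeNowJust/heredoc v1.0.0
 github.com/go-logr/logr v1.2.0
+github.com/google/go-cmp v0.5.5
 github.com/onsi/ginkgo/v2 v2.1.4
 github.com/onsi/gomega v1.19.0
 k8s.io/api v0.24.7
 k8s.io/apimachinery v0.24.7
 k8s.io/client-go v0.24.7
-k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 sigs.k8s.io/controller-runtime v0.12.3
 )
 
@@ -41,7 +42,6 @@ require (
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/google/gnostic v0.5.7-v3refs // indirect
-github.com/google/go-cmp v0.5.5 // indirect
 github.com/google/gofuzz v1.1.0 // indirect
 github.com/google/uuid v1.1.2 // indirect
 github.com/imdario/mergo v0.3.12 // indirect
@@ -76,7 +76,7 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 k8s.io/apiextensions-apiserver v0.24.2 // indirect
 k8s.io/component-base v0.24.2 // indirect
-k8s.io/klog/v2 v2.60.1 // indirect
+k8s.io/klog/v2 v2.80.1 // indirect
 k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect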
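--- a/go.sum
+++ b/go.sum
@@ -957,13 +957,15 @@ k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE
 k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/klog/v2 v2.60.1 h1:VW25q3bZx9uE3vvdL6M8ezOX79vA2Aq1nEWLqNQclHc=
 k8s.io/klog/v2 v2.60.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
+k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 h1:Gii5eqf+GmIEwGNKQYQClCayuJCe2/4fZUvF7VG99sU=
 k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42/go.mod h1:Z/45zLw8lUo4wdiUkI+v/ImEGAvu3WatcZl3lPMR4Rk=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 h1:HNSDgDCrr/6Ly3WEGKZftiE7IY19Vz2GdbOCyI4qqhc=
 k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
+k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=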
webhooks/mutatepod_parts.go

Lines changed: 2 additions & 2 deletions
@@ -113,8 +113,8 @@ func gcloudSetupContainer(
113113
--output-file=$(CLOUDSDK_CONFIG)/%s \
114114
--credential-source-file=%s
115115
gcloud auth login --cred-file=$(CLOUDSDK_CONFIG)/%s
116-
`, filepath.Join(K8sSATokenMountPath, K8sSATokenName),
117-
ExternalCredConfigFilename,
116+
`, ExternalCredConfigFilename,
117+
filepath.Join(K8sSATokenMountPath, K8sSATokenName),
118118
ExternalCredConfigFilename,
119119
),
120120
},
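Review bot: The corrected call still depends on the positional order of three `%s` verbs, two of which receive the same value, which is the exact failure mode this commit repairs; indexed verbs would make the mapping self-checking. I would write the template lines as `--output-file=$(CLOUDSDK_CONFIG)/%[1]s \`, `--credential-source-file=%[2]s` and `--cred-file=$(CLOUDSDK_CONFIG)/%[1]s` and pass `ExternalCredConfigFilename` and `filepath.Join(K8sSATokenMountPath, K8sSATokenName)` once each. Because the formatted string runs under `sh -c` in the injected container, a short comment on the Sprintf saying that its arguments must remain package-level constants (they appear to be here) rather than values taken from the admitted pod would protect the next edit. gcloudSetupContainer and the opening lines of the format string are outside this hunk.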

webhooks/mutatepod_parts_test.go

Lines changed: 107 additions & 0 deletions
@@ -0,0 +1,107 @@
1+
package webhooks
2+
3+
import (
4+
"testing"
5+
6+
"github.com/google/go-cmp/cmp"
7+
corev1 "k8s.io/api/core/v1"
8+
"k8s.io/apimachinery/pkg/api/resource"
9+
"k8s.io/utils/ptr"
10+
)
11+
12+
func TestGcloudSetupContainer(t *testing.T) {
13+
const (
14+
workloadIdProvider = "projects/12345/locations/global/workloadIdentityPools/on-prem-kubernetes/providers/this-cluster"
15+
saEmail = "[email protected]"
16+
project = "project"
17+
gcloudImage = "google/cloud-sdk:slim"
18+
)
19+
20+
expectedTemplate := corev1.Container{
21+
Name: "gcloud-setup",
22+
Image: gcloudImage,
23+
Command: []string{
24+
"sh", "-c",
25+
`gcloud iam workload-identity-pools create-cred-config \
26+
$(GCP_WORKLOAD_IDENTITY_PROVIDER) \
27+
--service-account=$(GCP_SERVICE_ACCOUNT) \
28+
--output-file=$(CLOUDSDK_CONFIG)/federation.json \
29+
--credential-source-file=/var/run/secrets/sts.googleapis.com/serviceaccount/token
30+
gcloud auth login --cred-file=$(CLOUDSDK_CONFIG)/federation.json
31+
`,
32+
},
33+
VolumeMounts: []corev1.VolumeMount{
34+
{
35+
Name: "gcp-iam-token",
36+
MountPath: "/var/run/secrets/sts.googleapis.com/serviceaccount",
37+
ReadOnly: true,
38+
},
39+
{
40+
Name: "gcloud-config",
41+
MountPath: "/var/run/secrets/gcloud/config",
42+
},
43+
},
44+
Env: []corev1.EnvVar{
45+
{
46+
Name: "GCP_WORKLOAD_IDENTITY_PROVIDER",
47+
Value: workloadIdProvider,
48+
},
49+
{
50+
Name: "GCP_SERVICE_ACCOUNT",
51+
Value: saEmail,
52+
},
53+
{
54+
Name: "CLOUDSDK_CONFIG",
55+
Value: "/var/run/secrets/gcloud/config",
56+
},
57+
{
58+
Name: "CLOUDSDK_CORE_PROJECT",
59+
Value: project,
60+
},
61+
},
62+
SecurityContext: &corev1.SecurityContext{
63+
AllowPrivilegeEscalation: ptr.To(false),
64+
Capabilities: &corev1.Capabilities{
65+
Drop: []corev1.Capability{
66+
"ALL",
67+
},
68+
},
69+
},
70+
}
71+
72+
t.Run("Without runAsUser and resources", func(t *testing.T) {
73+
actual := gcloudSetupContainer(workloadIdProvider, saEmail, project, gcloudImage, nil, nil)
74+
expected := *expectedTemplate.DeepCopy()
75+
if diff := cmp.Diff(actual, expected); diff != "" {
76+
t.Errorf("gcloudSetupContainer() mismatch (-want +got):\n%s", diff)
77+
}
78+
})
79+
80+
t.Run("With runAsUser", func(t *testing.T) {
81+
user := int64(1000)
82+
actual := gcloudSetupContainer(workloadIdProvider, saEmail, project, gcloudImage, ptr.To(user), nil)
83+
84+
expected := *expectedTemplate.DeepCopy()
85+
expected.SecurityContext.RunAsUser = ptr.To(user)
86+
87+
if diff := cmp.Diff(actual, expected); diff != "" {
88+
t.Errorf("gcloudSetupContainer() mismatch (-want +got):\n%s", diff)
89+
}
90+
})
91+
92+
t.Run("With resources", func(t *testing.T) {
93+
resources := corev1.ResourceRequirements{
94+
Requests: corev1.ResourceList{
95+
corev1.ResourceCPU: resource.MustParse("100m"),
96+
},
97+
}
98+
actual := gcloudSetupContainer(workloadIdProvider, saEmail, project, gcloudImage, nil, &resources)
99+
100+
expected := *expectedTemplate.DeepCopy()
101+
expected.Resources = resources
102+
103+
if diff := cmp.Diff(actual, expected); diff != "" {
104+
t.Errorf("gcloudSetupContainer() mismatch (-want +got):\n%s", diff)
105+
}
106+
})
107+
}
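Review bot: `cmp.Diff(actual, expected)` on new lines 75, 87 and 103 prints its first argument with `-` and its second with `+`, so the message labelled `(-want +got)` in fact shows `-got +want`; change the three calls to `cmp.Diff(expected, actual)` so the output matches its label. The constant `workloadIdProvider` on line 14 would conventionally be `workloadIDProvider` in Go. The `[email protected]` literal on line 15 looks like a value mangled by the page rendering rather than what was committed, which is worth confirming against the source, since the test only needs a stable string there.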
