add units for global pull secret clone mechanism

djoshy · djoshy · commit 6c476d9dc1d4 · 2025-01-24T14:54:30.000-06:00
diff --git a/pkg/controller/build/buildrequest/buildrequestopts_test.go b/pkg/controller/build/buildrequest/buildrequestopts_test.go
@@ -11,20 +11,24 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+
+	mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
 )
 
 func TestBuildRequestOpts(t *testing.T) {
 	testCases := []struct {
-		name        string
-		addlObjects []runtime.Object
-		addlAsserts func(*testing.T, BuildRequestOpts)
+		name            string
+		addlObjects     []runtime.Object
+		addlObjectSetup func(*testing.T, *fixtures.ObjectsForTest)
+		addlAsserts     func(*testing.T, BuildRequestOpts)
 	}{
 		{
 			name: "no entitlement data",
 			addlAsserts: func(t *testing.T, brOpts BuildRequestOpts) {
 				assert.False(t, brOpts.HasEtcPkiRpmGpgKeys)
 				assert.False(t, brOpts.HasEtcYumReposDConfigs)
 				assert.False(t, brOpts.HasEtcPkiEntitlementKeys)
+				assert.False(t, brOpts.hasUserDefinedBaseImagePullSecret)
 			},
 		},
 		{
@@ -41,6 +45,7 @@ func TestBuildRequestOpts(t *testing.T) {
 				assert.False(t, brOpts.HasEtcPkiRpmGpgKeys)
 				assert.False(t, brOpts.HasEtcYumReposDConfigs)
 				assert.True(t, brOpts.HasEtcPkiEntitlementKeys)
+				assert.False(t, brOpts.hasUserDefinedBaseImagePullSecret)
 			},
 		},
 		{
@@ -57,6 +62,7 @@ func TestBuildRequestOpts(t *testing.T) {
 				assert.False(t, brOpts.HasEtcPkiRpmGpgKeys)
 				assert.True(t, brOpts.HasEtcYumReposDConfigs)
 				assert.False(t, brOpts.HasEtcPkiEntitlementKeys)
+				assert.False(t, brOpts.hasUserDefinedBaseImagePullSecret)
 			},
 		},
 		{
@@ -73,6 +79,7 @@ func TestBuildRequestOpts(t *testing.T) {
 				assert.True(t, brOpts.HasEtcPkiRpmGpgKeys)
 				assert.False(t, brOpts.HasEtcYumReposDConfigs)
 				assert.False(t, brOpts.HasEtcPkiEntitlementKeys)
+				assert.False(t, brOpts.hasUserDefinedBaseImagePullSecret)
 			},
 		},
 		{
@@ -101,6 +108,16 @@ func TestBuildRequestOpts(t *testing.T) {
 				assert.True(t, brOpts.HasEtcPkiRpmGpgKeys)
 				assert.True(t, brOpts.HasEtcYumReposDConfigs)
 				assert.True(t, brOpts.HasEtcPkiEntitlementKeys)
+				assert.False(t, brOpts.hasUserDefinedBaseImagePullSecret)
+			},
+		},
+		{
+			name: "with user defined base image pull secret",
+			addlObjectSetup: func(t *testing.T, lobj *fixtures.ObjectsForTest) {
+				lobj.MachineOSConfig.Spec.BaseImagePullSecret = &mcfgv1.ImageSecretObjectReference{Name: fixtures.BaseImagePullSecretName}
+			},
+			addlAsserts: func(t *testing.T, brOpts BuildRequestOpts) {
+				assert.True(t, brOpts.hasUserDefinedBaseImagePullSecret)
 			},
 		},
 	}
@@ -115,6 +132,10 @@ func TestBuildRequestOpts(t *testing.T) {
 
 			kubeclient, mcfgclient, lobj, _ := fixtures.GetClientsForTestWithAdditionalObjects(t, testCase.addlObjects, []runtime.Object{})
 
+			if testCase.addlObjectSetup != nil {
+				testCase.addlObjectSetup(t, lobj)
+			}
+
 			brOpts, err := newBuildRequestOptsFromAPI(ctx, kubeclient, mcfgclient, lobj.MachineOSBuild, lobj.MachineOSConfig)
 			assert.NoError(t, err)
 
diff --git a/pkg/controller/build/buildrequest/machineosbuild_test.go b/pkg/controller/build/buildrequest/machineosbuild_test.go
@@ -28,7 +28,7 @@ func TestMachineOSBuild(t *testing.T) {
 	}
 
 	// Some of the test cases expect the hash name to be the same. This is that hash value.
-	expectedCommonHashName := "worker-2ab43b54f9fb493af95d32937247895a"
+	expectedCommonHashName := "worker-e945ec808b468c07f6a2cf1936c23a13"
 
 	testCases := []struct {
 		name         string
diff --git a/pkg/controller/build/fixtures/objects.go b/pkg/controller/build/fixtures/objects.go
@@ -14,7 +14,7 @@ import (
 )
 
 const (
-	baseImagePullSecretName  string = "base-image-pull-secret"
+	BaseImagePullSecretName  string = "base-image-pull-secret"
 	finalImagePushSecretName string = "final-image-push-secret"
 )
 
@@ -86,7 +86,6 @@ func NewObjectBuildersForTest(poolName string) ObjectBuildersForTest {
 
 	moscBuilder := testhelpers.NewMachineOSConfigBuilder(moscName).
 		WithMachineConfigPool(poolName).
-		WithBaseImagePullSecret(baseImagePullSecretName).
 		WithRenderedImagePushSecret(finalImagePushSecretName).
 		WithRenderedImagePushSpec("registry.hostname.com/org/repo:latest").
 		WithContainerfile(mcfgv1.NoArch, "FROM configs AS final\n\nRUN echo 'hi' > /etc/hi")
@@ -131,7 +130,17 @@ func defaultKubeObjects() []runtime.Object {
 		},
 		&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      baseImagePullSecretName,
+				Name:      BaseImagePullSecretName,
+				Namespace: ctrlcommon.MCONamespace,
+			},
+			Data: map[string][]byte{
+				corev1.DockerConfigJsonKey: []byte(pullSecret),
+			},
+			Type: corev1.SecretTypeDockerConfigJson,
+		},
+		&corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      ctrlcommon.GlobalPullSecretCopyName,
 				Namespace: ctrlcommon.MCONamespace,
 			},
 			Data: map[string][]byte{
diff --git a/pkg/operator/sync_test.go b/pkg/operator/sync_test.go
@@ -161,56 +161,73 @@ func withCABundle(caBundle string) kubeCloudConfigOption {
 	}
 }
 
-func TestReconcileSimpleContentAccessSecret(t *testing.T) {
+func TestMachineOSBuilderSecretReconciliation(t *testing.T) {
 	masterPool := helpers.NewMachineConfigPool("master", nil, helpers.MasterSelector, "v0")
 	workerPool := helpers.NewMachineConfigPool("worker", nil, helpers.MasterSelector, "v0")
 	infraPool := helpers.NewMachineConfigPool("infra", nil, helpers.MasterSelector, "v0")
 	entitlementSecret := helpers.NewOpaqueSecret(ctrlcommon.SimpleContentAccessSecretName, ctrlcommon.OpenshiftConfigManagedNamespace, "abc")
 	workerEntitlementSecret := helpers.NewOpaqueSecretWithOwnerPool(ctrlcommon.SimpleContentAccessSecretName+"-"+workerPool.Name, ctrlcommon.MCONamespace, "abc", *workerPool)
 	infraEntitlementSecret := helpers.NewOpaqueSecretWithOwnerPool(ctrlcommon.SimpleContentAccessSecretName+"-"+infraPool.Name, ctrlcommon.MCONamespace, "abc", *infraPool)
 	outOfDateInfraEntitlementSecret := helpers.NewOpaqueSecretWithOwnerPool(ctrlcommon.SimpleContentAccessSecretName+"-"+infraPool.Name, ctrlcommon.MCONamespace, "123", *infraPool)
+	globalPullSecret := helpers.NewDockerCfgJSONSecret(ctrlcommon.GlobalPullSecretName, ctrlcommon.OpenshiftConfigNamespace, "abc")
+	outOfDateGlobalPullSecretCopy := helpers.NewDockerCfgJSONSecret(ctrlcommon.GlobalPullSecretCopyName, ctrlcommon.MCONamespace, "123")
+	globalPullSecretCopy := helpers.NewDockerCfgJSONSecret(ctrlcommon.GlobalPullSecretCopyName, ctrlcommon.MCONamespace, "abc")
 
 	cases := []struct {
 		name               string
 		mcoSecrets         []*corev1.Secret
+		ocSecrets          []*corev1.Secret
 		ocManagedSecrets   []*corev1.Secret
 		expectedMCOSecrets []corev1.Secret
 		layeredMCPs        []*mcfgv1.MachineConfigPool
 	}{
 		{
 			name:               "no entitlement secret on cluster, with opted-in pool",
+			ocSecrets:          []*corev1.Secret{globalPullSecret.DeepCopy()},
 			ocManagedSecrets:   []*corev1.Secret{},
 			mcoSecrets:         []*corev1.Secret{},
-			expectedMCOSecrets: []corev1.Secret{},
 			layeredMCPs:        []*mcfgv1.MachineConfigPool{infraPool.DeepCopy()},
+			expectedMCOSecrets: []corev1.Secret{*globalPullSecretCopy.DeepCopy()},
 		},
 		{
 			name:               "entitlement secret on cluster, with opted-in pool",
+			ocSecrets:          []*corev1.Secret{globalPullSecret.DeepCopy()},
 			ocManagedSecrets:   []*corev1.Secret{entitlementSecret.DeepCopy()},
 			mcoSecrets:         []*corev1.Secret{},
 			layeredMCPs:        []*mcfgv1.MachineConfigPool{infraPool.DeepCopy()},
-			expectedMCOSecrets: []corev1.Secret{*infraEntitlementSecret.DeepCopy()},
+			expectedMCOSecrets: []corev1.Secret{*infraEntitlementSecret.DeepCopy(), *globalPullSecretCopy.DeepCopy()},
 		},
 		{
 			name:               "entitlement secret on cluster, with multiple opted-in pools",
+			ocSecrets:          []*corev1.Secret{globalPullSecret.DeepCopy()},
 			ocManagedSecrets:   []*corev1.Secret{entitlementSecret.DeepCopy()},
 			mcoSecrets:         []*corev1.Secret{},
 			layeredMCPs:        []*mcfgv1.MachineConfigPool{workerPool.DeepCopy(), infraPool.DeepCopy()},
-			expectedMCOSecrets: []corev1.Secret{*workerEntitlementSecret.DeepCopy(), *infraEntitlementSecret.DeepCopy()},
+			expectedMCOSecrets: []corev1.Secret{*workerEntitlementSecret.DeepCopy(), *infraEntitlementSecret.DeepCopy(), *globalPullSecretCopy.DeepCopy()},
 		},
 		{
-			name:               "entitlement and cloned secret on cluster, with no opted-in pools",
+			name:               "entitlement, cloned secret and global pull secret copy on cluster, with no opted-in pools",
+			ocSecrets:          []*corev1.Secret{globalPullSecret.DeepCopy()},
 			ocManagedSecrets:   []*corev1.Secret{entitlementSecret.DeepCopy()},
-			mcoSecrets:         []*corev1.Secret{infraEntitlementSecret.DeepCopy()},
+			mcoSecrets:         []*corev1.Secret{infraEntitlementSecret.DeepCopy(), globalPullSecretCopy.DeepCopy()},
 			layeredMCPs:        []*mcfgv1.MachineConfigPool{},
 			expectedMCOSecrets: []corev1.Secret{},
 		},
 		{
 			name:               "entitlement and cloned secret on cluster, with an outdated cloned secret",
+			ocSecrets:          []*corev1.Secret{globalPullSecret.DeepCopy()},
 			ocManagedSecrets:   []*corev1.Secret{entitlementSecret.DeepCopy()},
 			mcoSecrets:         []*corev1.Secret{outOfDateInfraEntitlementSecret.DeepCopy()},
 			layeredMCPs:        []*mcfgv1.MachineConfigPool{infraPool.DeepCopy()},
-			expectedMCOSecrets: []corev1.Secret{*infraEntitlementSecret.DeepCopy()},
+			expectedMCOSecrets: []corev1.Secret{*infraEntitlementSecret.DeepCopy(), *globalPullSecretCopy.DeepCopy()},
+		},
+		{
+			name:               "outdated global pull secret copy on cluster",
+			ocSecrets:          []*corev1.Secret{globalPullSecret.DeepCopy()},
+			ocManagedSecrets:   []*corev1.Secret{},
+			mcoSecrets:         []*corev1.Secret{outOfDateGlobalPullSecretCopy.DeepCopy()},
+			layeredMCPs:        []*mcfgv1.MachineConfigPool{infraPool.DeepCopy()},
+			expectedMCOSecrets: []corev1.Secret{*globalPullSecretCopy.DeepCopy()},
 		},
 	}
 	for _, tc := range cases {
@@ -222,6 +239,7 @@ func TestReconcileSimpleContentAccessSecret(t *testing.T) {
 			sharedInformerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
 			mcoSecretInformer := sharedInformerFactory.Core().V1().Secrets()
 			ocManagedSecretInformer := sharedInformerFactory.Core().V1().Secrets()
+			ocSecretInformer := sharedInformerFactory.Core().V1().Secrets()
 
 			// Add secrets to informer and client
 			for _, secret := range tc.mcoSecrets {
@@ -234,6 +252,11 @@ func TestReconcileSimpleContentAccessSecret(t *testing.T) {
 				_, err := kubeClient.CoreV1().Secrets(ctrlcommon.OpenshiftConfigManagedNamespace).Create(context.TODO(), secret, metav1.CreateOptions{})
 				assert.NoError(t, err)
 			}
+			for _, secret := range tc.ocSecrets {
+				ocSecretInformer.Informer().GetIndexer().Add(secret)
+				_, err := kubeClient.CoreV1().Secrets(ctrlcommon.OpenshiftConfigNamespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+				assert.NoError(t, err)
+			}
 
 			// Create MCO specific clients
 			mcfgClient := fakeclientmachineconfigv1.NewSimpleClientset()
@@ -250,11 +273,15 @@ func TestReconcileSimpleContentAccessSecret(t *testing.T) {
 				kubeClient:            kubeClient,
 				mcpLister:             mcpInformer.Lister(),
 				mcoSecretLister:       mcoSecretInformer.Lister(),
+				ocSecretLister:        ocSecretInformer.Lister(),
 				ocManagedSecretLister: ocManagedSecretInformer.Lister(),
 			}
 			err := optr.reconcileSimpleContentAccessSecrets(tc.layeredMCPs)
 			assert.NoError(t, err)
 
+			err = optr.reconcileGlobalPullSecretCopy(tc.layeredMCPs)
+			assert.NoError(t, err)
+
 			// Verify secrets in MCO namespace are as expected
 			secrets, err := kubeClient.CoreV1().Secrets(ctrlcommon.MCONamespace).List(context.TODO(), metav1.ListOptions{})
 			assert.NoError(t, err)
diff --git a/test/helpers/helpers.go b/test/helpers/helpers.go
@@ -226,6 +226,19 @@ func NewOpaqueSecretWithOwnerPool(name, namespace, content string, pool mcfgv1.M
 	}
 }
 
+func NewDockerCfgJSONSecret(name, namespace, content string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			".dockerconfigjson": []byte(content),
+		},
+		Type: corev1.SecretTypeDockerConfigJson,
+	}
+}
+
 // CreateMachineConfigFromIgnitionWithMetadata returns a MachineConfig object from an Ignition config, name, and role label
 func CreateMachineConfigFromIgnitionWithMetadata(ignCfg interface{}, name, role string) *mcfgv1.MachineConfig {
 	return &mcfgv1.MachineConfig{
diff --git a/test/helpers/machineosconfigbuilder.go b/test/helpers/machineosconfigbuilder.go
@@ -28,7 +28,7 @@ func NewMachineOSConfigBuilder(name string) *MachineOSConfigBuilder {
 				ImageBuilder: mcfgv1.MachineOSImageBuilder{
 					ImageBuilderType: mcfgv1.MachineOSImageBuilderType("PodImageBuilder"),
 				},
-				BaseImagePullSecret:     &mcfgv1.ImageSecretObjectReference{},
+				BaseImagePullSecret:     nil,
 				RenderedImagePushSecret: mcfgv1.ImageSecretObjectReference{},
 			},
 		},

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func TestMachineOSBuild(t *testing.T) {`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`// Some of the test cases expect the hash name to be the same. This is that hash value.`
`31`		`- expectedCommonHashName := "worker-2ab43b54f9fb493af95d32937247895a"`
	`31`	`+ expectedCommonHashName := "worker-e945ec808b468c07f6a2cf1936c23a13"`
`32`	`32`
`33`	`33`	`testCases := []struct {`
`34`	`34`	`name string`