add e2e tests for LinodeObjectStorageKey

Author: Brian Mendoza

api/v1alpha2/linodeobjectstoragekey_types.go

@@ -36,9 +36,6 @@ type BucketAccessRef struct {
 
 // LinodeObjectStorageKeySpec defines the desired state of LinodeObjectStorageKey
 type LinodeObjectStorageKeySpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// BucketAccess is the list of object storage bucket labels which can be accessed using the key
 	// +kubebuilder:validation:MinItems=1
 	BucketAccess []BucketAccessRef `json:"bucketAccess"`
@@ -61,9 +58,6 @@ type LinodeObjectStorageKeySpec struct {
 
 // LinodeObjectStorageKeyStatus defines the observed state of LinodeObjectStorageKey
 type LinodeObjectStorageKeyStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
-
 	// Ready denotes that the key has been provisioned.
 	// +optional
 	// +kubebuilder:default=false
@@ -87,7 +81,7 @@ type LinodeObjectStorageKeyStatus struct {
 	// +optional
 	LastKeyGeneration *int `json:"lastKeyGeneration,omitempty"`
 
-	// KeySecretName specifies the name of the Secret containing the access key.
+	// KeySecretName specifies the name of the Secret containing access key data.
 	// +optional
 	KeySecretName *string `json:"keySecretName,omitempty"`
 
@@ -97,7 +91,13 @@ type LinodeObjectStorageKeyStatus struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:resource:path=linodeobjectstoragekeys,scope=Namespaced,categories=cluster-api,shortName=lobjkey
 // +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="clusterctl.cluster.x-k8s.io/move-hierarchy=true"
+// +kubebuilder:printcolumn:name="ID",type="string",JSONPath=".status.accessKeyRef",description="The ID assigned to the access key"
+// +kubebuilder:printcolumn:name="Label",type="string",JSONPath=".metadata.name",description="The label of the access key"
+// +kubebuilder:printcolumn:name="Secret",type="string",JSONPath=".metadata.name",description="The name of the Secret containing access key data"
+// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.ready",description="Whether the access key is synced in the Linode API"
 
 // LinodeObjectStorageKey is the Schema for the linodeobjectstoragekeys API
 type LinodeObjectStorageKey struct {

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeobjectstoragekeys.yaml

@@ -4,17 +4,40 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+  labels:
+    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
   name: linodeobjectstoragekeys.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io
   names:
+    categories:
+    - cluster-api
     kind: LinodeObjectStorageKey
     listKind: LinodeObjectStorageKeyList
     plural: linodeobjectstoragekeys
+    shortNames:
+    - lobjkey
     singular: linodeobjectstoragekey
   scope: Namespaced
   versions:
-  - name: v1alpha2
+  - additionalPrinterColumns:
+    - description: The ID assigned to the access key
+      jsonPath: .status.accessKeyRef
+      name: ID
+      type: string
+    - description: The label of the access key
+      jsonPath: .metadata.name
+      name: Label
+      type: string
+    - description: The name of the Secret containing access key data
+      jsonPath: .metadata.name
+      name: Secret
+      type: string
+    - description: Whether the access key is synced in the Linode API
+      jsonPath: .status.ready
+      name: Ready
+      type: string
+    name: v1alpha2
     schema:
       openAPIV3Schema:
         description: LinodeObjectStorageKey is the Schema for the linodeobjectstoragekeys
@@ -155,7 +178,7 @@ spec:
                 type: string
               keySecretName:
                 description: KeySecretName specifies the name of the Secret containing
-                  the access key.
+                  access key data.
                 type: string
               lastKeyGeneration:
                 description: LastKeyGeneration tracks the last known value of .spec.keyGeneration.

config/rbac/role.yaml

@@ -21,6 +21,7 @@ rules:
   - secrets
   verbs:
   - create
+  - delete
   - get
   - list
   - patch
@@ -123,7 +124,7 @@ rules:
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:
-  - linodeobjectstoragekey
+  - linodeobjectstoragekeys
   verbs:
   - create
   - delete
@@ -135,13 +136,13 @@ rules:
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:
-  - linodeobjectstoragekey/finalizers
+  - linodeobjectstoragekeys/finalizers
   verbs:
   - update
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:
-  - linodeobjectstoragekey/status
+  - linodeobjectstoragekeys/status
   verbs:
   - get
   - patch

controller/linodeobjectstoragekey_controller.go

@@ -60,9 +60,12 @@ type LinodeObjectStorageKeyReconciler struct {
 	ReconcileTimeout time.Duration
 }
 
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=linodeobjectstoragekey,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=linodeobjectstoragekey/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=linodeobjectstoragekey/finalizers,verbs=update
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=linodeobjectstoragekeys,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=linodeobjectstoragekeys/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=linodeobjectstoragekeys/finalizers,verbs=update
+
+// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch
+// +kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.

docs/src/developers/testing.md

@@ -236,6 +236,7 @@ There are other selectors you can use to invoke specfic tests. Please look at th
 | Linode Cluster Controller        | `linodecluster` |
 | Linode Machine Controller        | `linodemachine` |
 | Linode Obj Controller            | `linodeobj`     | 
+| Linode Obj Key Controller        | `linodeobjkey`  | 
 | Linode VPC Controller            | `linodevpc`     | 
 
 *Note: For any flavor e2e tests, please set the required env variables*

e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/assert-capi-resources.yaml

@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: capi-controller-manager
+  namespace: capi-system
+status:
+  availableReplicas: 1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: capl-controller-manager
+  namespace: capl-system
+status:
+  availableReplicas: 1

e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/assert-key-and-secret.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeObjectStorageKey
+metadata:
+  name: ($key)
+spec:
+  bucketAccess:
+    - bucketName: ($key)
+      permissions: read_only
+      region: us-sea
+  keyGeneration: 0
+status:
+  ready: true
+  keySecretName: ($access_key_secret)
+  lastKeyGeneration: 0
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ($access_key_secret)

e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/chainsaw-test.yaml

@@ -0,0 +1,106 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: minimal-linodeobjectstoragekey
+  # Label to trigger the test on every PR
+  labels:
+    all:
+    quick:
+    linodeobjkey:
+spec:
+  bindings:
+    # A short identifier for the E2E test run
+    - name: run
+      value: (join('-', ['e2e', 'min-obj', env('GIT_REF')]))
+    - name: key
+      # Format the key name into a valid Kubernetes object name
+      # TODO: This is over-truncated to account for the Kubernetes access key Secret
+      value: (trim((truncate(($run), `52`)), '-'))
+    - name: access_key_secret
+      value: (join('-', [($key), 'etcd-backup']))
+  template: true
+  steps:
+    - name: Check if CAPI provider resources exist
+      try:
+        - assert:
+            file: assert-capi-resources.yaml
+    - name: Create bucket
+      try:
+        - script:
+            env:
+              - name: URI
+                value: object-storage/buckets
+              - name: BUCKET_LABEL
+                value: ($key)
+            content: |
+              set -e
+              
+              curl -s \
+                -X POST \
+                -H "Authorization: Bearer $LINODE_TOKEN" \
+                -H "Content-Type: application/json" \
+                -d "{\"label\":\"$BUCKET_LABEL\",\"region\":\"us-sea\"}" \
+                "https://api.linode.com/v4/$URI"
+            check:
+              ($error): ~
+    - name: Create LinodeObjectStorageKey
+      try:
+        - apply:
+            file: create-linodeobjectstoragekey.yaml
+        - assert:
+            file: assert-key-and-secret.yaml
+      catch:
+        - describe:
+            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+            kind: LinodeObjectStorageKey
+        - describe:
+            apiVersion: v1
+            kind: Secret
+    - name: Ensure the access key was created
+      try:
+        - script:
+            env:
+              - name: URI
+                value: object-storage/keys
+              - name: OBJ_KEY
+                value: ($key)
+            content: |
+              set -e
+
+              export KEY_ID=$(kubectl -n $NAMESPACE get lobjkey $OBJ_KEY -ojson | jq '.status.accessKeyRef')
+              
+              curl -s \
+                -H "Authorization: Bearer $LINODE_TOKEN" \
+                -H "Content-Type: application/json" \
+                "https://api.linode.com/v4/$URI/$KEY_ID"
+            check:
+              ($error): ~
+    - name: Delete LinodeObjectStorageKey
+      try:
+        - delete:
+            ref:
+              apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+              kind: LinodeObjectStorageKey
+              name: ($key)
+    - name: Check if the LinodeObjectStorageKey and Secret were deleted
+      try:
+        - error:
+            file: check-key-and-secret-deletion.yaml
+    - name: Delete bucket
+      try:
+        - script:
+            env:
+              - name: URI
+                value: object-storage/buckets/us-sea
+              - name: BUCKET_LABEL
+                value: ($key)
+            content: |
+              set -e
+              
+              curl -s \
+                -X DELETE \
+                -H "Authorization: Bearer $LINODE_TOKEN" \
+                "https://api.linode.com/v4/$URI/$BUCKET_LABEL"
+            check:
+              ($error): ~

e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/check-key-and-secret-deletion.yaml

@@ -0,0 +1,9 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeObjectStorageKey
+metadata:
+  name: ($key)
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ($access_key_secret)

e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/create-linodeobjectstoragekey.yaml

@@ -0,0 +1,9 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeObjectStorageKey
+metadata:
+  name: ($key)
+spec:
+  bucketAccess:
+    - bucketName: ($key)
+      permissions: read_only
+      region: us-sea