diff --git a/pkg/controller/keyvault/ingress_secret_provider_class_test.go b/pkg/controller/keyvault/ingress_secret_provider_class_test.go
index 67f34e35..e58425be 100644
--- a/pkg/controller/keyvault/ingress_secret_provider_class_test.go
+++ b/pkg/controller/keyvault/ingress_secret_provider_class_test.go
@@ -142,6 +142,7 @@ func TestIngressSecretProviderClassReconcilerIntegration(t *testing.T) {
 }
 
 func TestIngressSecretProviderClassReconcilerIntegrationWithoutSPCLabels(t *testing.T) {
+ // Create the ingress
 ing := &netv1.Ingress{}
 ing.Name = "test-ingress"
 ing.Namespace = "default"
@@ -184,7 +185,7 @@ func TestIngressSecretProviderClassReconcilerIntegrationWithoutSPCLabels(t *test
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("keyvault-%s", ing.Name),
 Namespace: ing.Namespace,
- Labels: map[string]string{},
+ Labels: manifests.GetTopLevelLabels(),
 OwnerReferences: []metav1.OwnerReference{{
 APIVersion: ing.APIVersion,
 Controller: util.BoolPtr(true),
@@ -195,18 +196,38 @@ func TestIngressSecretProviderClassReconcilerIntegrationWithoutSPCLabels(t *test
 },
 }
 
- // Prove secret class was not removed after first reconcile
- require.False(t, errors.IsNotFound(c.Get(ctx, client.ObjectKeyFromObject(spc), spc)))
- assert.Equal(t, len(manifests.GetTopLevelLabels()), len(spc.Labels))
-
- // Update it to blank labels
+ expected := &secv1.SecretProviderClass{
+ Spec: secv1.SecretProviderClassSpec{
+ Provider: "azure",
+ Parameters: map[string]string{
+ "keyvaultName": "testvault",
+ "objects": "{\"array\":[\"{\\\"objectName\\\":\\\"testcert\\\",\\\"objectType\\\":\\\"secret\\\",\\\"objectVersion\\\":\\\"f8982febc6894c0697b884f946fb1a34\\\"}\"]}",
+ "tenantId": i.config.TenantID,
+ "useVMManagedIdentity": "true",
+ "userAssignedIdentityID": i.config.MSIClientID,
+ },
+ SecretObjects: []*secv1.SecretObject{{
+ SecretName: spc.Name,
+ Type: "kubernetes.io/tls",
+ Data: []*secv1.SecretObjectData{
+ {ObjectName: "testcert", Key: "tls.key"},
+ {ObjectName: "testcert", Key: "tls.crt"},
+ },
+ }},
+ },
+ }
+ assert.Equal(t, 0, len(spc.Labels))
+ assert.Equal(t, expected.Spec, spc.Spec)
+
+ // Remove the labels from secret provider class
 spc.Labels = map[string]string{}
 require.NoError(t, i.client.Update(ctx, spc))
- assert.Equal(t, 0, len(spc.Labels))
 
 // Remove the cert annotation from the ingress
 ing.Annotations = map[string]string{}
 require.NoError(t, i.client.Update(ctx, ing))
+
+ // Reconcile both changes
 beforeErrCount = testutils.GetErrMetricCount(t, ingressSecretProviderControllerName)
 beforeRequestCount = testutils.GetReconcileMetricCount(t, ingressSecretProviderControllerName, metrics.LabelSuccess)
 _, err = i.Reconcile(ctx, req)
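Review bot: The hunk drops `require.False(t, errors.IsNotFound(c.Get(ctx, client.ObjectKeyFromObject(spc), spc)))` without replacing it, and the new `assert.Equal(t, 0, len(spc.Labels))` and `assert.Equal(t, expected.Spec, spc.Spec)` now run directly after the `spc` literal that hunk 2 changed to `Labels: manifests.GetTopLevelLabels()`; unless a Get on `spc` sits in lines outside the hunk, the labels assertion contradicts the literal and the spec comparison inspects a locally built object rather than cluster state. Hunk 4 likewise removes the final `require.False(... errors.IsNotFound(c.Get(...)) ...)`, so neither reconcile is followed by a read that proves the SecretProviderClass still exists, which is the property a test named WithoutSPCLabels is meant to cover. Restoring `require.NoError(t, c.Get(ctx, client.ObjectKeyFromObject(spc), spc))` before the two assertions, and again after the second reconcile, would keep the test checking the reconciler instead of the literal. The enclosing function starts before this hunk and its remaining body continues in hunk 4.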
@@ -226,32 +247,6 @@ func TestIngressSecretProviderClassReconcilerIntegrationWithoutSPCLabels(t *test
 require.NoError(t, err)
 require.Equal(t, testutils.GetErrMetricCount(t, ingressSecretProviderControllerName), beforeErrCount)
 require.Greater(t, testutils.GetReconcileMetricCount(t, ingressSecretProviderControllerName, metrics.LabelSuccess), beforeRequestCount)
-
- expected := &secv1.SecretProviderClass{
- Spec: secv1.SecretProviderClassSpec{
- Provider: "azure",
- Parameters: map[string]string{
- "keyvaultName": "testvault",
- "objects": "{\"array\":[\"{\\\"objectName\\\":\\\"testcert\\\",\\\"objectType\\\":\\\"secret\\\",\\\"objectVersion\\\":\\\"f8982febc6894c0697b884f946fb1a34\\\"}\"]}",
- "tenantId": i.config.TenantID,
- "useVMManagedIdentity": "true",
- "userAssignedIdentityID": i.config.MSIClientID,
- },
- SecretObjects: []*secv1.SecretObject{{
- SecretName: spc.Name,
- Type: "kubernetes.io/tls",
- Data: []*secv1.SecretObjectData{
- {ObjectName: "testcert", Key: "tls.key"},
- {ObjectName: "testcert", Key: "tls.crt"},
- },
- }},
- },
- }
- assert.Equal(t, 0, len(spc.Labels))
- assert.Equal(t, expected.Spec, spc.Spec)
-
- // Prove secret class was not removed after removing ingress anotations
- require.False(t, errors.IsNotFound(c.Get(ctx, client.ObjectKeyFromObject(spc), spc)))
 }
 
 func TestIngressSecretProviderClassReconcilerInvalidURL(t *testing.T) {