@@ 0,0 1,135 @@
+package mutator
+
+import (
+ "reflect"
+ "testing"
+
+ "github.com/go-logr/logr"
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func TestMutatorHandler(t *testing.T) {
+ logger := logr.Discard()
+ mutator := getTestMutator(t, logger)
+
+ pod := basePod()
+ pod.Annotations[annotationEnabled] = ""
+ pod.Annotations[annotationInPort] = "8080"
+ pod.Annotations[annotationOutPort] = "9090"
+
+ response := mutator.mutatePod(logger, pod)
+ if !response.Allowed {
+ t.Fatal("pod denied without mkproof-proxy enabled")
+ }
+
+ if len(response.Patches) == 0 {
+ t.Fatal("pod with mkproof-proxy enabled was not patched")
+ } else if len(response.Patches) > 1 {
+ t.Fatal("pod with mkproof-proxy enabled was patched too much")
+ }
+
+ expectedPatch := `{"op":"add","path":"/spec/containers/1","value":{"args":["--listen-addr","0.0.0.0:8080","--upstream-url","http://127.0.0.1:9090"],"image":"quay.io/tomleb/mkproof-proxy:latest","name":"mkproof-proxy","resources":{}}}`
+ if !reflect.DeepEqual(response.Patches[0].Json(), expectedPatch) {
+ t.Fatal("wrong patch")
+ }
+}
+
+func TestMutatorHandlerSecret(t *testing.T) {
+ logger := logr.Discard()
+ mutator := getTestMutator(t, logger)
+
+ pod := basePod()
+ pod.Annotations[annotationEnabled] = ""
+ pod.Annotations[annotationInPort] = "8080"
+ pod.Annotations[annotationOutPort] = "9090"
+ pod.Annotations[annotationSecret] = "my-secret"
+
+ response := mutator.mutatePod(logger, pod)
+ if !response.Allowed {
+ t.Fatal("pod denied without mkproof-proxy enabled")
+ }
+
+ if len(response.Patches) == 0 {
+ t.Fatal("pod with mkproof-proxy enabled was not patched")
+ } else if len(response.Patches) > 1 {
+ t.Fatal("pod with mkproof-proxy enabled was patched too much")
+ }
+
+ expectedPatch := `{"op":"add","path":"/spec/containers/1","value":{"args":["--listen-addr","0.0.0.0:8080","--upstream-url","http://127.0.0.1:9090"],"env":[{"name":"MKPROOF_PROXY_SECRET_KEY","valueFrom":{"secretKeyRef":{"key":"secret-key","name":"my-secret"}}}],"image":"quay.io/tomleb/mkproof-proxy:latest","name":"mkproof-proxy","resources":{}}}`
+ if !reflect.DeepEqual(response.Patches[0].Json(), expectedPatch) {
+ t.Fatal("wrong patch")
+ }
+}
+
+func TestMutatorHandlerMissingInPort(t *testing.T) {
+ logger := logr.Discard()
+ mutator := getTestMutator(t, logger)
+
+ pod := basePod()
+ pod.Annotations[annotationEnabled] = ""
+ pod.Annotations[annotationOutPort] = "9090"
+
+ response := mutator.mutatePod(logger, pod)
+ if response.Allowed {
+ t.Fatal("pod allowed with missing inPort")
+ }
+}
+
+func TestMutatorHandlerMissingOutPort(t *testing.T) {
+ logger := logr.Discard()
+ mutator := getTestMutator(t, logger)
+
+ pod := basePod()
+ pod.Annotations[annotationEnabled] = ""
+ pod.Annotations[annotationInPort] = "8080"
+
+ response := mutator.mutatePod(logger, pod)
+ if response.Allowed {
+ t.Fatal("pod allowed with missing outPort")
+ }
+}
+
+func TestMutatorHandlerDisabled(t *testing.T) {
+ logger := logr.Discard()
+ mutator := getTestMutator(t, logger)
+
+ pod := basePod()
+
+ response := mutator.mutatePod(logger, pod)
+ if !response.Allowed {
+ t.Fatal("pod denied without mkproof-proxy enabled")
+ }
+
+ if len(response.Patches) > 0 {
+ t.Fatal("pod without mkproof-proxy enabled was patched")
+ }
+}
+
+func getTestMutator(t *testing.T, logger logr.Logger) *mutator {
+ scheme := runtime.NewScheme()
+ corev1.AddToScheme(scheme)
+ decoder, err := admission.NewDecoder(scheme)
+ if err != nil {
+ t.Fatal("failed to create Decoder", err)
+ }
+
+ mutator := New(logger)
+ mutator.InjectDecoder(decoder)
+ return mutator
+}
+
+func basePod() corev1.Pod {
+ pod := corev1.Pod{
+ Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ corev1.Container{
+ Name: "test-container",
+ },
+ },
+ },
+ }
+ pod.Annotations = make(map[string]string)
+ return pod
+}
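Review bot: The deny-path tests (TestMutatorHandlerMissingInPort and TestMutatorHandlerMissingOutPort) only cover an absent port annotation; nothing in this file checks that a present but malformed value is rejected. The expected patches show the annotation values ending up inside the sidecar's `--listen-addr` and `--upstream-url` arguments, and annotations are set by whoever submits the pod, so a non-numeric or out-of-range port should be denied rather than patched in; whether mutatePod already validates this is not visible in this hunk. A table-driven test like the one below would pin that behaviour for the in-port, and the same loop applies to annotationOutPort (the sample values are constructed). Separately, both expected patches pin `quay.io/tomleb/mkproof-proxy:latest`, a mutable tag, for an image the webhook injects into pods it does not own; a digest or fixed version in the mutator would make the injected sidecar reproducible.

```go
func TestMutatorHandlerInvalidInPort(t *testing.T) {
	logger := logr.Discard()
	mutator := getTestMutator(t, logger)

	// Constructed sample values; none is a valid TCP port number.
	for _, port := range []string{"not-a-port", "-1", "65536", "8080/path"} {
		pod := basePod()
		pod.Annotations[annotationEnabled] = ""
		pod.Annotations[annotationInPort] = port
		pod.Annotations[annotationOutPort] = "9090"

		if response := mutator.mutatePod(logger, pod); response.Allowed {
			t.Fatalf("pod allowed with invalid inPort %q", port)
		}
	}
}
```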