diff --git a/scheduler/pkg/kafka/config/oauth/k8s_secret.go b/scheduler/pkg/kafka/config/oauth/k8s_secret.go index c6436710a0..7a8154210d 100644 --- a/scheduler/pkg/kafka/config/oauth/k8s_secret.go +++ b/scheduler/pkg/kafka/config/oauth/k8s_secret.go @@ -41,7 +41,7 @@ type OAUTHSecretHandler struct { oauthConfig OAUTHConfig } -func NewOAUTHSecretHandler(secretName string, clientset kubernetes.Interface, namespace string, prefix string, locationSuffix string, logger log.FieldLogger) (*OAUTHSecretHandler, error) { +func NewOAUTHSecretHandler(secretName string, clientset kubernetes.Interface, namespace string, prefix string, logger log.FieldLogger) (*OAUTHSecretHandler, error) { if clientset == nil { var err error clientset, err = k8s.CreateClientset() diff --git a/scheduler/pkg/kafka/config/oauth/store.go b/scheduler/pkg/kafka/config/oauth/store.go index 53b4e96ec5..5ef2464a2f 100644 --- a/scheduler/pkg/kafka/config/oauth/store.go +++ b/scheduler/pkg/kafka/config/oauth/store.go @@ -100,7 +100,7 @@ func NewOAUTHStore(opt ...OAUTHStoreOption) (OAUTHStore, error) { if !ok { return nil, fmt.Errorf("Namespace env var %s not found and needed for OAUTH secret", envNamespace) } - ps, err := NewOAUTHSecretHandler(secretName, opts.clientset, namespace, opts.prefix, opts.locationSuffix, logger) + ps, err := NewOAUTHSecretHandler(secretName, opts.clientset, namespace, opts.prefix, logger) if err != nil { return nil, err } diff --git a/scheduler/pkg/kafka/config/oauth/store_test.go b/scheduler/pkg/kafka/config/oauth/store_test.go new file mode 100644 index 0000000000..879dcb46dc --- /dev/null +++ b/scheduler/pkg/kafka/config/oauth/store_test.go @@ -0,0 +1,94 @@ +/* +Copyright 2023 Seldon Technologies Ltd. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oauth + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "os" + "testing" + "time" + + "github.com/ghodss/yaml" + + . "github.com/onsi/gomega" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes/fake" +) + +func unMarshallYamlStrict(data []byte, msg interface{}) error { + jsonData, err := yaml.YAMLToJSON(data) + if err != nil { + return err + } + d := json.NewDecoder(bytes.NewReader(jsonData)) + d.DisallowUnknownFields() // So we fail if not exactly as required in schema + err = d.Decode(msg) + if err != nil { + return err + } + return nil +} + +func moveStringDataToData(secret *v1.Secret) { + secret.Data = make(map[string][]byte) + for key, val := range secret.StringData { + secret.Data[key] = []byte(val) + } +} + +func TestNewPasswordStoreWithSecret(t *testing.T) { + g := NewGomegaWithT(t) + secretData, err := os.ReadFile("testdata/k8s_secret.yaml") + g.Expect(err).To(BeNil()) + + secret := &v1.Secret{} + err = unMarshallYamlStrict(secretData, secret) + g.Expect(err).To(BeNil()) + + moveStringDataToData(secret) + + prefix := "prefix" + + t.Setenv(fmt.Sprintf("%s%s", prefix, envSecretSuffix), secret.Name) + t.Setenv(envNamespace, secret.Namespace) + + clientset := fake.NewSimpleClientset(secret) + ps, err := NewOAUTHStore(Prefix(prefix), ClientSet(clientset)) + g.Expect(err).To(BeNil()) + + oauthConfig := ps.GetOAUTHConfig() + g.Expect(oauthConfig.Method).To(Equal("OIDC")) + g.Expect(oauthConfig.ClientID).To(Equal("test-client-id")) + g.Expect(oauthConfig.ClientSecret).To(Equal("test-client-secret")) + g.Expect(oauthConfig.TokenEndpointURL).To(Equal("https://keycloak.example.com/auth/realms/example-realm/protocol/openid-connect/token")) + g.Expect(oauthConfig.Extensions).To(Equal("logicalCluster=logic-1234,identityPoolId=pool-1234")) + + newClientID := "new-client-id" + secret.Data["client_id"] = []byte(newClientID) + + _, err = clientset.CoreV1().Secrets(secret.Namespace).Update(context.Background(), secret, metav1.UpdateOptions{}) + g.Expect(err).To(BeNil()) + time.Sleep(time.Millisecond * 500) + + oauthConfig = ps.GetOAUTHConfig() + g.Expect(oauthConfig.ClientID).To(Equal("new-client-id")) + ps.Stop() +} diff --git a/scheduler/pkg/kafka/config/oauth/testdata/k8s_secret.yaml b/scheduler/pkg/kafka/config/oauth/testdata/k8s_secret.yaml new file mode 100644 index 0000000000..c17bef970c --- /dev/null +++ b/scheduler/pkg/kafka/config/oauth/testdata/k8s_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cc-oauth-test-secret + namespace: default +type: Opaque +stringData: + method: OIDC + client_id: test-client-id + client_secret: test-client-secret + token_endpoint_url: https://keycloak.example.com/auth/realms/example-realm/protocol/openid-connect/token + extensions: logicalCluster=logic-1234,identityPoolId=pool-1234