@@ -641,42 +641,38 @@ func TestReconcile_PSSLabels(t *testing.T) {
641641 s := scheme .Scheme
642642 addKnownTypesToScheme (s )
643643
644+ // Unit tests only assert the operator-managed sync label; pod-security.kubernetes.io/* is owned by OpenShift (e2e).
644645 testCases := []struct {
645- name string
646- namespace string
647- labels map [string ]string
646+ name string
647+ namespace string
648+ initial_labels map [string ]string
649+ wantPodSecurityLabelSync bool
648650 }{
649651 {
650- name : "modified valid PSS labels for openshift-gitops ns " ,
652+ name : "openshift-gitops: podSecurityLabelSync absent " ,
651653 namespace : "openshift-gitops" ,
652- labels : map [string ]string {
653- "pod-security.kubernetes.io/enforce" : "privileged" ,
654- "pod-security.kubernetes.io/enforce-version" : "v1.30" ,
655- "pod-security.kubernetes.io/audit" : "privileged" ,
656- "pod-security.kubernetes.io/audit-version" : "v1.29" ,
657- "pod-security.kubernetes.io/warn" : "privileged" ,
658- "pod-security.kubernetes.io/warn-version" : "v1.29" ,
654+ initial_labels : map [string ]string {
655+ "openshift.io/cluster-monitoring" : "true" ,
659656 },
657+ wantPodSecurityLabelSync : true ,
660658 },
661659 {
662- name : "modified invalid and empty PSS labels for openshift-gitops ns " ,
660+ name : "openshift-gitops: podSecurityLabelSync wrong value " ,
663661 namespace : "openshift-gitops" ,
664- labels : map [string ]string {
665- "pod-security.kubernetes.io/enforce" : "invalid" ,
666- "pod-security.kubernetes.io/enforce-version" : "invalid" ,
667- "pod-security.kubernetes.io/warn" : "invalid" ,
668- "pod-security.kubernetes.io/warn-version" : "invalid" ,
662+ initial_labels : map [string ]string {
663+ "openshift.io/cluster-monitoring" : "true" ,
664+ PodSecurityLabelSyncLabel : "false" ,
669665 },
666+ wantPodSecurityLabelSync : true ,
667+ },
668+ {
669+ name : "test: operator does not set podSecurityLabelSync on non-openshift-* namespaces" ,
670+ namespace : "test" ,
671+ initial_labels : map [string ]string {
672+ "openshift.io/cluster-monitoring" : "true" ,
673+ },
674+ wantPodSecurityLabelSync : false ,
670675 },
671- }
672-
673- expected_labels := map [string ]string {
674- "pod-security.kubernetes.io/enforce" : "restricted" ,
675- "pod-security.kubernetes.io/enforce-version" : "v1.29" ,
676- "pod-security.kubernetes.io/audit" : "restricted" ,
677- "pod-security.kubernetes.io/audit-version" : "latest" ,
678- "pod-security.kubernetes.io/warn" : "restricted" ,
679- "pod-security.kubernetes.io/warn-version" : "latest" ,
680676 }
681677
682678 fakeClient := fake .NewFakeClient (util .NewClusterVersion ("4.7.1" ), newGitopsService ())
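Review bot: None of the new cases seeds a `pod-security.kubernetes.io/*` label, so the unit tests no longer pin what Reconcile does to a namespace that already carries, for example, `pod-security.kubernetes.io/enforce: privileged`; the removed cases were the only ones visible here that exercised it. If the operator is now meant to leave those labels untouched (the added comment suggests so, but the reconciler is not visible in this hunk), a case that seeds them in `initial_labels` and asserts they come back unchanged would document that and catch a regression before e2e. Separately, the new field would read better as `initialLabels`, following Go's MixedCaps convention. The test function continues outside this hunk.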
@@ -704,40 +700,24 @@ func TestReconcile_PSSLabels(t *testing.T) {
704700 _ , err = reconciler .Reconcile (context .TODO (), newRequest ("test" , "test" ))
705701 assertNoError (t , err )
706702
707- // Check if PSS labels are addded to the user defined ns
708- reconciled_ns := & corev1.Namespace {}
709- err = fakeClient .Get (context .TODO (), types.NamespacedName {Name : "test" },
710- reconciled_ns )
711- assertNoError (t , err )
712-
713- for label := range reconciled_ns .Labels {
714- _ , found := expected_labels [label ]
715- // Fail if label is found
716- assert .Check (t , found != true )
717- }
718-
719703 for _ , tc := range testCases {
720- existing_ns := & corev1.Namespace {}
721- assert .NilError (t , fakeClient .Get (context .TODO (), types.NamespacedName {Name : tc .namespace }, existing_ns ), err )
722-
723- // Assign new values, confirm the assignment and update the PSS labels
724- existing_ns .Labels = tc .labels
725- err := fakeClient .Update (context .TODO (), existing_ns )
726- assert .NilError (t , err )
727- assert .NilError (t , fakeClient .Get (context .TODO (), types.NamespacedName {Name : tc .namespace }, existing_ns ), err )
728- assert .DeepEqual (t , existing_ns .Labels , tc .labels )
729-
730- _ , err = reconciler .Reconcile (context .TODO (), newRequest ("test" , "test" ))
731- assertNoError (t , err )
732-
733- assert .NilError (t , fakeClient .Get (context .TODO (), types.NamespacedName {Name : tc .namespace }, reconciled_ns ), err )
734-
735- for key , value := range expected_labels {
736- label , found := reconciled_ns .Labels [key ]
737- // Fail if label is not found, comapre the values with the expected values if found
738- assert .Check (t , found )
739- assert .Equal (t , label , value )
740- }
704+ t .Run (tc .name , func (t * testing.T ) {
705+ ns := & corev1.Namespace {}
706+ assert .NilError (t , fakeClient .Get (context .TODO (), types.NamespacedName {Name : tc .namespace }, ns ))
707+ ns .Labels = tc .initial_labels
708+ assert .NilError (t , fakeClient .Update (context .TODO (), ns ))
709+
710+ _ , err := reconciler .Reconcile (context .TODO (), newRequest ("test" , "test" ))
711+ assertNoError (t , err )
712+
713+ reconciled_ns := & corev1.Namespace {}
714+ assert .NilError (t , fakeClient .Get (context .TODO (), types.NamespacedName {Name : tc .namespace }, reconciled_ns ))
715+ if tc .wantPodSecurityLabelSync {
716+ assert .Equal (t , PodSecurityLabelSyncLabelValue , reconciled_ns .Labels [PodSecurityLabelSyncLabel ])
717+ } else {
718+ assert .Check (t , reconciled_ns .Labels [PodSecurityLabelSyncLabel ] != PodSecurityLabelSyncLabelValue )
719+ }
720+ })
741721 }
742722}
743723
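Review bot: The `else` branch of the final assertion is weaker than the case name "operator does not set podSecurityLabelSync": `reconciled_ns.Labels[PodSecurityLabelSyncLabel] != PodSecurityLabelSyncLabelValue` also passes if the operator writes the label onto the `test` namespace with any other value. Checking for absence matches the intent directly: `_, found := reconciled_ns.Labels[PodSecurityLabelSyncLabel]` followed by `assert.Check(t, !found)`. The subtests also share one `fakeClient` and `reconciler`, so each runs against state left by the previous one; a comment such as `// subtests share the fake client and must run in order` would make that explicit.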