From ce05702136f7f5fec0bad4f64786e6cd896ebc37 Mon Sep 17 00:00:00 2001
From: Eric Tune
Date: Thu, 19 Mar 2015 17:00:54 -0700
Subject: [PATCH] Added integration test of secrets. Tests apiserver side functionality. Also deleted dead code in auth_test.go.
---
 test/integration/auth_test.go | 14 ---
 test/integration/secret_test.go | 155 ++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+), 14 deletions(-)
 create mode 100644 test/integration/secret_test.go
diff --git a/test/integration/auth_test.go b/test/integration/auth_test.go
index b352c1624ea..3ef60cc28b6 100644
--- a/test/integration/auth_test.go
+++ b/test/integration/auth_test.go
@@ -78,20 +78,6 @@ var aPod string = `
 }%s
 }
 `
-var aPodInBar string = `
-{
- "kind": "Pod",
- "apiVersion": "v1beta1",
- "id": "a",
- "desiredState": {
- "manifest": {
- "version": "v1beta1",
- "id": "a",
- "containers": [{ "name": "foo", "image": "bar/foo" }]
- }
- }%s
-}
-`
 var aRC string = `
 {
 "kind": "ReplicationController",
diff --git a/test/integration/secret_test.go b/test/integration/secret_test.go
new file mode 100644
index 00000000000..21f32322e50
--- /dev/null
+++ b/test/integration/secret_test.go
@@ -0,0 +1,155 @@
+// +build integration,!no-etcd
+
+/*
+Copyright 2015 Google Inc. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integration
+
+// This file tests use of the secrets API resource.
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+ "github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"
+ "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
+ "github.com/GoogleCloudPlatform/kubernetes/pkg/master"
+ "github.com/GoogleCloudPlatform/kubernetes/plugin/pkg/admission/admit"
+)
+
+func init() {
+ requireEtcd()
+}
+
+func deletePodOrErrorf(t *testing.T, c *client.Client, ns, name string) {
+ if err := c.Pods(ns).Delete(name); err != nil {
+ t.Errorf("unable to delete pods %v: %v", name, err)
+ }
+}
+func deleteSecretOrErrorf(t *testing.T, c *client.Client, ns, name string) {
+ if err := c.Secrets(ns).Delete(name); err != nil {
+ t.Errorf("unable to delete secret %v: %v", name, err)
+ }
+}
+
+// TestSecrets tests apiserver-side behavior of creation of secret objects and their use by pods.
+func TestSecrets(t *testing.T) {
+ helper, err := master.NewEtcdHelper(newEtcdClient(), "v1beta1")
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+
+ var m *master.Master
+ s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ m.Handler.ServeHTTP(w, req)
+ }))
+ defer s.Close()
+
+ m = master.New(&master.Config{
+ EtcdHelper: helper,
+ KubeletClient: client.FakeKubeletClient{},
+ EnableLogsSupport: false,
+ EnableUISupport: false,
+ EnableIndex: true,
+ APIPrefix: "/api",
+ Authorizer: apiserver.NewAlwaysAllowAuthorizer(),
+ AdmissionControl: admit.NewAlwaysAdmit(),
+ })
+
+ testCases := []string{
+ "v1beta1",
+ "v1beta2",
+ }
+
+ for _, apiVersion := range testCases {
+ deleteAllEtcdKeys()
+ client := client.NewOrDie(&client.Config{Host: s.URL, Version: apiVersion})
+ DoTestSecrets(t, client, apiVersion)
+ }
+}
+
+// DoTestSecrets test secrets for one api version.
+func DoTestSecrets(t *testing.T, client *client.Client, apiVersion string) {
+ // Make a secret object.
+ ns := "ns"
+ s := api.Secret{
+ ObjectMeta: api.ObjectMeta{
+ Name: "secret",
+ Namespace: ns,
+ },
+ Data: map[string][]byte{
+ "data": []byte("value1\n"),
+ },
+ }
+
+ if _, err := client.Secrets(s.Namespace).Create(&s); err != nil {
+ t.Errorf("unable to create test secret: %v", err)
+ }
+ defer deleteSecretOrErrorf(t, client, s.Namespace, s.Name)
+
+ // Template for pods that use a secret.
+ pod := &api.Pod{
+ ObjectMeta: api.ObjectMeta{
+ Name: "XXX",
+ },
+ Spec: api.PodSpec{
+ Volumes: []api.Volume{
+ {
+ Name: "secvol",
+ VolumeSource: api.VolumeSource{
+ Secret: &api.SecretVolumeSource{
+ SecretName: "secret",
+ },
+ },
+ },
+ },
+ Containers: []api.Container{
+ {
+ Name: "fake-name",
+ Image: "fakeimage",
+ VolumeMounts: []api.VolumeMount{
+ {
+ Name: "secvol",
+ MountPath: "/fake/path",
+ ReadOnly: true,
+ },
+ },
+ },
+ },
+ },
+ }
+
+ // Create a pod to consume secret.
+ pod.ObjectMeta.Name = "uses-secret"
+ if _, err := client.Pods(ns).Create(pod); err != nil {
+ t.Errorf("Failed to create pod: %v", err)
+ }
+ defer deletePodOrErrorf(t, client, ns, pod.Name)
+
+ // Create a pod that consumes non-existent secret.
+ pod.ObjectMeta.Name = "uses-non-existant-secret"
+ if _, err := client.Pods(ns).Create(pod); err != nil {
+ t.Errorf("Failed to create pod: %v", err)
+ }
+ defer deletePodOrErrorf(t, client, ns, pod.Name)
+ // This pod may fail to run, but we don't currently prevent this, and this
+ // test can't check whether the kubelet actually pulls the secret.
+
+ // Verifying contents of the volumes is out of scope for a
+ // apiserver<->kubelet integration test. It is covered by an e2e test.
+}
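Review bot: The second pod in DoTestSecrets never references a missing secret: only `pod.ObjectMeta.Name` changes between the two Create calls, so "uses-non-existant-secret" still mounts `SecretName: "secret"`, which was created at the top of the function. Setting `pod.Spec.Volumes[0].VolumeSource.Secret.SecretName = "non-existant-secret"` before the second `client.Pods(ns).Create(pod)` would make the case match its comment. The test also never reads the secret back, so it does not assert that the apiserver stored `Data` unchanged or kept the object scoped to namespace `ns`; a `Get` after `Create`, compared against `s.Data`, would cover that. Because TestSecrets wires in `NewAlwaysAllowAuthorizer` and `NewAlwaysAdmit`, no access-control path for secrets is exercised, which is worth stating in the file comment so the coverage is not overestimated.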