-
Notifications
You must be signed in to change notification settings - Fork 321
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Give better error when policy was created manually
In cases where a user creates a policy out-of-band with the same name as one consul-k8s tries to update, give a better error. This is definitely an edge case but has occurred when a user created the cross-namespace-acl-policy manually when trying to work around another issue. This will at least give a better error message in this case.
- Loading branch information
Showing
3 changed files
with
137 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
package serveraclinit | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/hashicorp/consul/api" | ||
"github.com/hashicorp/consul/sdk/testutil" | ||
"github.com/hashicorp/go-hclog" | ||
"github.com/mitchellh/cli" | ||
"github.com/stretchr/testify/require" | ||
"k8s.io/client-go/kubernetes/fake" | ||
) | ||
|
||
// Test that we give an error if an ACL policy we were going to create | ||
// already exists but it has a different description than what consul-k8s | ||
// expected. In this case, it's likely that a user manually created an ACL | ||
// policy with the same name and so we want to error. | ||
func TestCreateOrUpdateACLPolicy_ErrorsIfDescriptionDoesNotMatch(t *testing.T) { | ||
require := require.New(t) | ||
ui := cli.NewMockUi() | ||
k8s := fake.NewSimpleClientset() | ||
cmd := Command{ | ||
UI: ui, | ||
clientset: k8s, | ||
log: hclog.NewNullLogger(), | ||
flagCreateSyncToken: true, | ||
} | ||
|
||
// Start Consul. | ||
bootToken := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" | ||
svr, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) { | ||
c.ACL.Enabled = true | ||
c.ACL.Tokens.Master = bootToken | ||
}) | ||
require.NoError(err) | ||
svr.WaitForServiceIntentions(t) | ||
|
||
// Get a Consul client. | ||
consul, err := api.NewClient(&api.Config{ | ||
Address: svr.HTTPAddr, | ||
Token: bootToken, | ||
}) | ||
require.NoError(err) | ||
|
||
// Create the policy manually. | ||
policyDescription := "not the expected description" | ||
policyName := "policy-name" | ||
policy, _, err := consul.ACL().PolicyCreate(&api.ACLPolicy{ | ||
Name: policyName, | ||
Description: policyDescription, | ||
}, nil) | ||
require.NoError(err) | ||
|
||
// Now run the function. | ||
err = cmd.createOrUpdateACLPolicy(api.ACLPolicy{ | ||
Name: policyName, | ||
Description: "expected description", | ||
}, consul) | ||
require.EqualError(err, | ||
"policy found with name \"policy-name\" but not with expected description \"expected description\";"+ | ||
" if this policy was created manually it must be deleted so consul-k8s can recreate it and manage it itself", | ||
) | ||
|
||
// Check that the policy wasn't modified. | ||
rereadPolicy, _, err := consul.ACL().PolicyRead(policy.ID, nil) | ||
require.NoError(err) | ||
require.Equal(policyDescription, rereadPolicy.Description) | ||
} |