package controller import ( "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "github.com/lukaszraczylo/kubemirror/pkg/constants" ) func TestCreateMirror_Secret(t *testing.T) { source := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "test-secret", Namespace: "default", UID: "source-uid-123", ResourceVersion: "100", Generation: 5, }, Type: corev1.SecretTypeOpaque, Data: map[string][]byte{ "password": []byte("secret123"), }, } mirror, err := CreateMirror(source, "app1") require.NoError(t, err) require.NotNil(t, mirror) secretMirror, ok := mirror.(*corev1.Secret) require.True(t, ok, "mirror should be a Secret") // Verify mirror properties assert.Equal(t, "test-secret", secretMirror.Name) assert.Equal(t, "app1", secretMirror.Namespace) assert.Equal(t, corev1.SecretTypeOpaque, secretMirror.Type) assert.Equal(t, source.Data, secretMirror.Data) // Verify ownership labels assert.Equal(t, constants.ControllerName, secretMirror.Labels[constants.LabelManagedBy]) assert.Equal(t, "true", secretMirror.Labels[constants.LabelMirror]) // Verify ownership annotations assert.Equal(t, "default", secretMirror.Annotations[constants.AnnotationSourceNamespace]) assert.Equal(t, "test-secret", secretMirror.Annotations[constants.AnnotationSourceName]) assert.Equal(t, "source-uid-123", secretMirror.Annotations[constants.AnnotationSourceUID]) assert.Equal(t, "5", secretMirror.Annotations[constants.AnnotationSourceGeneration]) assert.NotEmpty(t, secretMirror.Annotations[constants.AnnotationSourceContentHash]) assert.NotEmpty(t, secretMirror.Annotations[constants.AnnotationLastSyncTime]) } func TestCreateMirror_ConfigMap(t *testing.T) { source := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test-config", Namespace: "default", UID: "config-uid-456", ResourceVersion: "200", }, Data: map[string]string{ "config.yaml": "setting: value", }, BinaryData: map[string][]byte{ "binary": {0x00, 0x01, 0x02}, }, } mirror, err := CreateMirror(source, "prod-ns") require.NoError(t, err) require.NotNil(t, mirror) cmMirror, ok := mirror.(*corev1.ConfigMap) require.True(t, ok, "mirror should be a ConfigMap") // Verify mirror properties assert.Equal(t, "test-config", cmMirror.Name) assert.Equal(t, "prod-ns", cmMirror.Namespace) assert.Equal(t, source.Data, cmMirror.Data) assert.Equal(t, source.BinaryData, cmMirror.BinaryData) // Verify ownership labels assert.Equal(t, constants.ControllerName, cmMirror.Labels[constants.LabelManagedBy]) assert.Equal(t, "true", cmMirror.Labels[constants.LabelMirror]) // Verify ownership annotations assert.Equal(t, "default", cmMirror.Annotations[constants.AnnotationSourceNamespace]) assert.Equal(t, "test-config", cmMirror.Annotations[constants.AnnotationSourceName]) assert.Equal(t, "config-uid-456", cmMirror.Annotations[constants.AnnotationSourceUID]) assert.NotEmpty(t, cmMirror.Annotations[constants.AnnotationSourceContentHash]) } func TestCreateMirror_Unstructured(t *testing.T) { source := &unstructured.Unstructured{ Object: map[string]interface{}{ "apiVersion": "traefik.io/v1alpha1", "kind": "Middleware", "metadata": map[string]interface{}{ "name": "test-middleware", "namespace": "traefik", "uid": "middleware-uid-789", "resourceVersion": "300", "generation": int64(3), }, "spec": map[string]interface{}{ "basicAuth": map[string]interface{}{ "secret": "auth-secret", }, }, "status": map[string]interface{}{ "condition": "Ready", }, }, } mirror, err := CreateMirror(source, "app-ns") require.NoError(t, err) require.NotNil(t, mirror) uMirror, ok := mirror.(*unstructured.Unstructured) require.True(t, ok, "mirror should be Unstructured") // Verify mirror properties assert.Equal(t, "test-middleware", uMirror.GetName()) assert.Equal(t, "app-ns", uMirror.GetNamespace()) // Verify spec is copied spec, found, err := unstructured.NestedMap(uMirror.Object, "spec") require.NoError(t, err) require.True(t, found) assert.NotNil(t, spec) // Verify status is NOT copied _, found, err = unstructured.NestedMap(uMirror.Object, "status") require.NoError(t, err) assert.False(t, found, "status should not be mirrored") // Verify metadata is cleared assert.Empty(t, uMirror.GetResourceVersion()) assert.Empty(t, uMirror.GetUID()) assert.Equal(t, int64(0), uMirror.GetGeneration()) // Verify ownership labels assert.Equal(t, constants.ControllerName, uMirror.GetLabels()[constants.LabelManagedBy]) assert.Equal(t, "true", uMirror.GetLabels()[constants.LabelMirror]) // Verify ownership annotations annotations := uMirror.GetAnnotations() assert.Equal(t, "traefik", annotations[constants.AnnotationSourceNamespace]) assert.Equal(t, "test-middleware", annotations[constants.AnnotationSourceName]) assert.Equal(t, "middleware-uid-789", annotations[constants.AnnotationSourceUID]) assert.Equal(t, "3", annotations[constants.AnnotationSourceGeneration]) } func TestUpdateMirror_Secret(t *testing.T) { mirror := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "test-secret", Namespace: "app1", Labels: map[string]string{ constants.LabelManagedBy: constants.ControllerName, }, Annotations: map[string]string{ constants.AnnotationSourceContentHash: "oldhash", }, }, Data: map[string][]byte{ "password": []byte("old"), }, Type: corev1.SecretTypeOpaque, } source := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "test-secret", Namespace: "default", Generation: 10, }, Data: map[string][]byte{ "password": []byte("new"), }, Type: corev1.SecretTypeTLS, } err := UpdateMirror(mirror, source) require.NoError(t, err) // Verify data updated assert.Equal(t, source.Data, mirror.Data) assert.Equal(t, source.Type, mirror.Type) // Verify hash updated assert.NotEqual(t, "oldhash", mirror.Annotations[constants.AnnotationSourceContentHash]) assert.Equal(t, "10", mirror.Annotations[constants.AnnotationSourceGeneration]) assert.NotEmpty(t, mirror.Annotations[constants.AnnotationLastSyncTime]) } func TestUpdateMirror_ConfigMap(t *testing.T) { mirror := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test-config", Namespace: "app1", Annotations: map[string]string{ constants.AnnotationSourceContentHash: "oldhash", }, }, Data: map[string]string{ "key": "old", }, } source := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test-config", Namespace: "default", }, Data: map[string]string{ "key": "new", }, BinaryData: map[string][]byte{ "binary": {0xFF}, }, } err := UpdateMirror(mirror, source) require.NoError(t, err) // Verify data updated assert.Equal(t, source.Data, mirror.Data) assert.Equal(t, source.BinaryData, mirror.BinaryData) assert.NotEqual(t, "oldhash", mirror.Annotations[constants.AnnotationSourceContentHash]) } func TestIsManagedByUs(t *testing.T) { tests := []struct { obj metav1.Object name string want bool }{ { name: "managed by us", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{ constants.LabelManagedBy: constants.ControllerName, }, }, }, want: true, }, { name: "not managed by us", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{ constants.LabelManagedBy: "other-controller", }, }, }, want: false, }, { name: "no labels", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{}, }, want: false, }, { name: "nil labels", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Labels: nil, }, }, want: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := IsManagedByUs(tt.obj) assert.Equal(t, tt.want, got) }) } } func TestIsMirrorResource(t *testing.T) { tests := []struct { obj metav1.Object name string want bool }{ { name: "is mirror", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{ constants.LabelMirror: "true", }, }, }, want: true, }, { name: "not mirror", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{ constants.LabelMirror: "false", }, }, }, want: false, }, { name: "no labels", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{}, }, want: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got := IsMirrorResource(tt.obj) assert.Equal(t, tt.want, got) }) } } func TestGetSourceReference(t *testing.T) { tests := []struct { name string obj metav1.Object wantNamespace string wantName string wantUID string wantFound bool }{ { name: "valid source reference", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ constants.AnnotationSourceNamespace: "default", constants.AnnotationSourceName: "my-secret", constants.AnnotationSourceUID: "uid-123", }, }, }, wantNamespace: "default", wantName: "my-secret", wantUID: "uid-123", wantFound: true, }, { name: "missing annotations", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{}, }, wantFound: false, }, { name: "incomplete annotations - missing name", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ constants.AnnotationSourceNamespace: "default", }, }, }, wantFound: false, }, { name: "incomplete annotations - missing namespace", obj: &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ constants.AnnotationSourceName: "my-secret", }, }, }, wantFound: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { gotNS, gotName, gotUID, gotFound := GetSourceReference(tt.obj) assert.Equal(t, tt.wantFound, gotFound) if tt.wantFound { assert.Equal(t, tt.wantNamespace, gotNS) assert.Equal(t, tt.wantName, gotName) assert.Equal(t, tt.wantUID, gotUID) } }) } } // Test that mirrors don't include sync annotations (prevent infinite loop) func TestCreateMirror_NoSyncAnnotations(t *testing.T) { source := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "test", Namespace: "default", Labels: map[string]string{ constants.LabelEnabled: "true", }, Annotations: map[string]string{ constants.AnnotationSync: "true", constants.AnnotationTargetNamespaces: "app1,app2", constants.AnnotationExclude: "false", constants.AnnotationRecreateOnImmutableChange: "true", }, }, Data: map[string][]byte{"key": []byte("value")}, } mirror, err := CreateMirror(source, "app1") require.NoError(t, err) secretMirror := mirror.(*corev1.Secret) // Verify sync annotations are NOT copied assert.NotContains(t, secretMirror.Annotations, constants.AnnotationSync) assert.NotContains(t, secretMirror.Annotations, constants.AnnotationTargetNamespaces) // Verify enabled label is NOT copied assert.NotContains(t, secretMirror.Labels, constants.LabelEnabled) // Verify ownership annotations ARE present assert.Contains(t, secretMirror.Annotations, constants.AnnotationSourceNamespace) } // Benchmarks for critical paths func BenchmarkCreateMirror_Secret(b *testing.B) { source := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "bench-secret", Namespace: "default", UID: "uid-123", ResourceVersion: "100", Generation: 1, }, Type: corev1.SecretTypeOpaque, Data: map[string][]byte{ "password": []byte("secret123"), "username": []byte("admin"), "token": []byte("abcdef123456"), }, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _, _ = CreateMirror(source, "target-ns") } } func BenchmarkCreateMirror_ConfigMap(b *testing.B) { source := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "bench-config", Namespace: "default", UID: "uid-456", ResourceVersion: "200", }, Data: map[string]string{ "config.yaml": "key1: value1\nkey2: value2\nkey3: value3", "app.conf": "setting=value", }, BinaryData: map[string][]byte{ "binary": {0x00, 0x01, 0x02, 0x03, 0x04}, }, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _, _ = CreateMirror(source, "target-ns") } } func BenchmarkCreateMirror_Unstructured(b *testing.B) { source := &unstructured.Unstructured{ Object: map[string]interface{}{ "apiVersion": "traefik.io/v1alpha1", "kind": "Middleware", "metadata": map[string]interface{}{ "name": "bench-middleware", "namespace": "traefik", "uid": "uid-789", "resourceVersion": "300", "generation": int64(3), }, "spec": map[string]interface{}{ "basicAuth": map[string]interface{}{ "secret": "auth-secret", }, "headers": map[string]interface{}{ "customRequestHeaders": map[string]interface{}{ "X-Custom-Header": "value", }, }, }, }, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _, _ = CreateMirror(source, "target-ns") } } func BenchmarkUpdateMirror_Secret(b *testing.B) { mirror := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "test-secret", Namespace: "app1", Labels: map[string]string{ constants.LabelManagedBy: constants.ControllerName, }, Annotations: map[string]string{ constants.AnnotationSourceContentHash: "oldhash", }, }, Data: map[string][]byte{ "password": []byte("old"), }, Type: corev1.SecretTypeOpaque, } source := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "test-secret", Namespace: "default", Generation: 10, }, Data: map[string][]byte{ "password": []byte("new"), }, Type: corev1.SecretTypeOpaque, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _ = UpdateMirror(mirror, source) } } func BenchmarkUpdateMirror_ConfigMap(b *testing.B) { mirror := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test-config", Namespace: "app1", Annotations: map[string]string{ constants.AnnotationSourceContentHash: "oldhash", }, }, Data: map[string]string{ "key": "old", }, } source := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "test-config", Namespace: "default", }, Data: map[string]string{ "key": "new", }, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _ = UpdateMirror(mirror, source) } } func BenchmarkIsManagedByUs(b *testing.B) { obj := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{ constants.LabelManagedBy: constants.ControllerName, }, }, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _ = IsManagedByUs(obj) } } func BenchmarkGetSourceReference(b *testing.B) { obj := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ constants.AnnotationSourceNamespace: "default", constants.AnnotationSourceName: "my-secret", constants.AnnotationSourceUID: "uid-123", }, }, } b.ResetTimer() b.ReportAllocs() for i := 0; i < b.N; i++ { _, _, _, _ = GetSourceReference(obj) } }