feat: Add basic WSA loading (#4)

sathvikkumar-octo · web-flow · commit 1fb38803b95b · 2025-09-01T12:34:13.000+10:00
* Add unit test for validation

* Remove unused webhook verbs and defaulting webhook config

* Add listing of WSAs

* Add E2E test for WSA listing
diff --git a/PROJECT b/PROJECT
@@ -18,7 +18,6 @@ resources:
   path: github.com/octopusdeploy/octopus-permissions-controller/api/v1beta1
   version: v1beta1
   webhooks:
-    defaulting: true
     validation: true
     webhookVersion: v1
 version: "3"
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
@@ -4,18 +4,11 @@ nameReference:
 - kind: Service
   version: v1
   fieldSpecs:
-  - kind: MutatingWebhookConfiguration
-    group: admissionregistration.k8s.io
-    path: webhooks/clientConfig/service/name
   - kind: ValidatingWebhookConfiguration
     group: admissionregistration.k8s.io
     path: webhooks/clientConfig/service/name
 
 namespace:
-- kind: MutatingWebhookConfiguration
-  group: admissionregistration.k8s.io
-  path: webhooks/clientConfig/service/namespace
-  create: true
 - kind: ValidatingWebhookConfiguration
   group: admissionregistration.k8s.io
   path: webhooks/clientConfig/service/namespace
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -20,7 +20,6 @@ webhooks:
     - v1beta1
     operations:
     - CREATE
-    - UPDATE
     resources:
     - workloadserviceaccounts
   sideEffects: None
diff --git a/internal/controller/workloadserviceaccount_controller.go b/internal/controller/workloadserviceaccount_controller.go
@@ -39,38 +39,35 @@ type WorkloadServiceAccountReconciler struct {
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
-// TODO(user): Modify the Reconcile function to compare the state specified by
-// the WorkloadServiceAccount object against the actual cluster state, and then
-// perform operations to make the cluster state reflect the state specified by
-// the user.
-//
-// For more details, check Reconcile and its Result here:
-// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/reconcile
 func (r *WorkloadServiceAccountReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := logf.FromContext(ctx)
 
-	var wsa agentoctopuscomv1beta1.WorkloadServiceAccount
-	if err := r.Get(ctx, req.NamespacedName, &wsa); err != nil {
-		log.Error(err, "unable to fetch WorkloadServiceAccount")
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	for _, project := range wsa.Spec.Scope.Projects {
-		log.Info("We have a project scope", "project", project)
-	}
-
-	for _, environment := range wsa.Spec.Scope.Environments {
-		log.Info("We have an environment scope", "project", environment)
-	}
+	log.Info("WorkloadServiceAccount reconciliation triggered")
 
-	for _, tenant := range wsa.Spec.Scope.Tenants {
-		log.Info("We have a tenant scope", "tenant", tenant)
+	wsaList := &agentoctopuscomv1beta1.WorkloadServiceAccountList{}
+	if err := r.List(ctx, wsaList, client.InNamespace(req.Namespace)); err != nil {
+		log.Error(err, "failed to list WorkloadServiceAccounts")
+		return ctrl.Result{}, err
 	}
 
-	for _, step := range wsa.Spec.Scope.Steps {
-		log.Info("We have a step scope", "step", step)
+	log.Info("Found WSAs in namespace", "count", len(wsaList.Items))
+
+	for _, currentWSA := range wsaList.Items {
+		for _, project := range currentWSA.Spec.Scope.Projects {
+			log.Info("WSA has project scope", "wsa", currentWSA.Name, "project", project)
+		}
+		for _, environment := range currentWSA.Spec.Scope.Environments {
+			log.Info("WSA has environment scope", "wsa", currentWSA.Name, "environment", environment)
+		}
+		for _, tenant := range currentWSA.Spec.Scope.Tenants {
+			log.Info("WSA has tenant scope", "wsa", currentWSA.Name, "tenant", tenant)
+		}
+		for _, step := range currentWSA.Spec.Scope.Steps {
+			log.Info("WSA has step scope", "wsa", currentWSA.Name, "step", step)
+		}
 	}
 
+	log.Info("Successfully reconciled WorkloadServiceAccounts")
 	return ctrl.Result{}, nil
 }
 
diff --git a/internal/webhook/v1beta1/workloadserviceaccount_webhook.go b/internal/webhook/v1beta1/workloadserviceaccount_webhook.go
@@ -45,10 +45,10 @@ func SetupWorkloadServiceAccountWebhookWithManager(mgr ctrl.Manager) error {
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 // NOTE: The 'path' attribute must follow a specific pattern and should not be modified directly here.
 // Modifying the path for an invalid path can cause API server errors; failing to locate the webhook.
-// +kubebuilder:webhook:path=/validate-agent-octopus-com-v1beta1-workloadserviceaccount,mutating=false,failurePolicy=fail,sideEffects=None,groups=agent.octopus.com,resources=workloadserviceaccounts,verbs=create;update,versions=v1beta1,name=vworkloadserviceaccount-v1beta1.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/validate-agent-octopus-com-v1beta1-workloadserviceaccount,mutating=false,failurePolicy=fail,sideEffects=None,groups=agent.octopus.com,resources=workloadserviceaccounts,verbs=create,versions=v1beta1,name=vworkloadserviceaccount-v1beta1.kb.io,admissionReviewVersions=v1
 
 // WorkloadServiceAccountCustomValidator struct is responsible for validating the WorkloadServiceAccount resource
-// when it is created, updated, or deleted.
+// when it is created.
 //
 // NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods,
 // as this struct is used only for temporary operations and does not need to be deeply copied.
@@ -74,28 +74,12 @@ func (v *WorkloadServiceAccountCustomValidator) ValidateCreate(_ context.Context
 	return nil, nil
 }
 
-// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type WorkloadServiceAccount.
-func (v *WorkloadServiceAccountCustomValidator) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
-	workloadserviceaccount, ok := newObj.(*agentoctopuscomv1beta1.WorkloadServiceAccount)
-	if !ok {
-		return nil, fmt.Errorf("expected a WorkloadServiceAccount object for the newObj but got %T", newObj)
-	}
-	workloadserviceaccountlog.Info("Validation for WorkloadServiceAccount upon update", "name", workloadserviceaccount.GetName())
-
-	// TODO(user): fill in your validation logic upon object update.
-
+// ValidateUpdate implements webhook.CustomValidator but is not used since webhook only handles create operations.
+func (v *WorkloadServiceAccountCustomValidator) ValidateUpdate(_ context.Context, _, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
-// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type WorkloadServiceAccount.
-func (v *WorkloadServiceAccountCustomValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	workloadserviceaccount, ok := obj.(*agentoctopuscomv1beta1.WorkloadServiceAccount)
-	if !ok {
-		return nil, fmt.Errorf("expected a WorkloadServiceAccount object but got %T", obj)
-	}
-	workloadserviceaccountlog.Info("Validation for WorkloadServiceAccount upon deletion", "name", workloadserviceaccount.GetName())
-
-	// TODO(user): fill in your validation logic upon object deletion.
-
+// ValidateDelete implements webhook.CustomValidator but is not used since webhook only handles create operations.
+func (v *WorkloadServiceAccountCustomValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
diff --git a/internal/webhook/v1beta1/workloadserviceaccount_webhook_test.go b/internal/webhook/v1beta1/workloadserviceaccount_webhook_test.go
@@ -17,55 +17,58 @@ limitations under the License.
 package v1beta1
 
 import (
+	"context"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	agentoctopuscomv1beta1 "github.com/octopusdeploy/octopus-permissions-controller/api/v1beta1"
-	// TODO (user): Add any additional imports if needed
 )
 
 var _ = Describe("WorkloadServiceAccount Webhook", func() {
 	var (
 		obj       *agentoctopuscomv1beta1.WorkloadServiceAccount
 		oldObj    *agentoctopuscomv1beta1.WorkloadServiceAccount
 		validator WorkloadServiceAccountCustomValidator
+		ctx       context.Context
 	)
 
 	BeforeEach(func() {
 		obj = &agentoctopuscomv1beta1.WorkloadServiceAccount{}
 		oldObj = &agentoctopuscomv1beta1.WorkloadServiceAccount{}
 		validator = WorkloadServiceAccountCustomValidator{}
+		ctx = context.Background()
 		Expect(validator).NotTo(BeNil(), "Expected validator to be initialized")
 		Expect(oldObj).NotTo(BeNil(), "Expected oldObj to be initialized")
 		Expect(obj).NotTo(BeNil(), "Expected obj to be initialized")
-		// TODO (user): Add any setup logic common to all tests
 	})
 
 	AfterEach(func() {
 		// TODO (user): Add any teardown logic common to all tests
 	})
 
 	Context("When creating or updating WorkloadServiceAccount under Validating Webhook", func() {
-		// TODO (user): Add logic for validating webhooks
-		// Example:
-		// It("Should deny creation if a required field is missing", func() {
-		//     By("simulating an invalid creation scenario")
-		//     obj.SomeRequiredField = ""
-		//     Expect(validator.ValidateCreate(ctx, obj)).Error().To(HaveOccurred())
-		// })
-		//
-		// It("Should admit creation if all required fields are present", func() {
-		//     By("simulating an invalid creation scenario")
-		//     obj.SomeRequiredField = "valid_value"
-		//     Expect(validator.ValidateCreate(ctx, obj)).To(BeNil())
-		// })
-		//
-		// It("Should validate updates correctly", func() {
-		//     By("simulating a valid update scenario")
-		//     oldObj.SomeRequiredField = "updated_value"
-		//     obj.SomeRequiredField = "updated_value"
-		//     Expect(validator.ValidateUpdate(ctx, oldObj, obj)).To(BeNil())
-		// })
+		It("Should allow creation with valid scope", func() {
+			By("setting up a WorkloadServiceAccount with project scope")
+			obj.Spec.Scope.Projects = []string{"web-app", "api-service"}
+
+			By("validating the creation")
+			warnings, err := validator.ValidateCreate(ctx, obj)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(warnings).To(BeNil())
+		})
+
+		It("Should deny creation if all scopes are missing", func() {
+			By("setting up a WorkloadServiceAccount with no scopes")
+			obj.Spec.Scope = agentoctopuscomv1beta1.WorkloadServiceAccountScope{}
+
+			By("validating the creation should fail")
+			warnings, err := validator.ValidateCreate(ctx, obj)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("at least one scope must be defined"))
+			Expect(warnings).To(BeNil())
+		})
+
 	})
 
 })
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
@@ -283,6 +283,50 @@ var _ = Describe("Manager", Ordered, func() {
 
 		// +kubebuilder:scaffold:e2e-webhooks-checks
 
+		It("should list WSAs when creating a resource", func() {
+			By("creating a WorkloadServiceAccount resource")
+			cmd := exec.Command("kubectl", "apply", "-f", "test/e2e/test-wsa.yaml", "-n", namespace)
+			_, err := utils.Run(cmd)
+			Expect(err).NotTo(HaveOccurred(), "Failed to create WSA resource")
+
+			By("waiting for reconciliation to process the WSA")
+			Eventually(func(g Gomega) {
+				cmd := exec.Command("kubectl", "logs", controllerPodName, "-n", namespace)
+				output, err := utils.Run(cmd)
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(output).To(ContainSubstring("Found WSAs in namespace"))
+				g.Expect(output).To(ContainSubstring("WSA has project scope"))
+				g.Expect(output).NotTo(ContainSubstring("failed to list WorkloadServiceAccounts"))
+			}).Should(Succeed())
+
+			By("cleaning up the WSA resource")
+			cmd = exec.Command("kubectl", "delete", "-f", "test/e2e/test-wsa.yaml", "-n", namespace)
+			_, _ = utils.Run(cmd)
+		})
+
+		It("should list WSAs when deleting a resource", func() {
+			By("creating a WorkloadServiceAccount resource")
+			cmd := exec.Command("kubectl", "apply", "-f", "test/e2e/test-wsa.yaml", "-n", namespace)
+			_, err := utils.Run(cmd)
+			Expect(err).NotTo(HaveOccurred(), "Failed to create WSA resource")
+
+			By("waiting for initial reconciliation")
+			time.Sleep(2 * time.Second)
+
+			By("deleting the WorkloadServiceAccount resource")
+			cmd = exec.Command("kubectl", "delete", "-f", "test/e2e/test-wsa.yaml", "-n", namespace)
+			_, err = utils.Run(cmd)
+			Expect(err).NotTo(HaveOccurred(), "Failed to delete WSA resource")
+
+			By("verifying reconciliation handles deletion without listing errors")
+			Eventually(func(g Gomega) {
+				cmd := exec.Command("kubectl", "logs", controllerPodName, "-n", namespace, "--tail=50")
+				output, err := utils.Run(cmd)
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(output).NotTo(ContainSubstring("failed to list WorkloadServiceAccounts"))
+			}).Should(Succeed())
+		})
+
 		// TODO: Customize the e2e test suite with scenarios specific to your project.
 		// Consider applying sample/CR(s) and check their status and/or verifying
 		// the reconciliation by using the metrics, i.e.:
diff --git a/test/e2e/test-wsa.yaml b/test/e2e/test-wsa.yaml
@@ -0,0 +1,13 @@
+apiVersion: agent.octopus.com/v1beta1
+kind: WorkloadServiceAccount
+metadata:
+  name: test-wsa
+spec:
+  scope:
+    projects: ["test-project"]
+    environments: ["test-env"]
+  permissions:
+    permissions:
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["get", "list"]
