Merge pull request #2930 from Josh-Tigera/josh.users-cleanup

Clean up Linseed elastic users for non-existent tenants

pkg/controller/logstorage/elastic/elastic_controller_test.go

@@ -198,7 +198,7 @@ var _ = Describe("LogStorage controller", func() {
 
 			Context("LogStorage is nil", func() {
 				// Run the reconciler, expect no error.
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 				_, err = r.Reconcile(ctx, reconcile.Request{})
 				Expect(err).ShouldNot(HaveOccurred())
@@ -215,7 +215,7 @@ var _ = Describe("LogStorage controller", func() {
 				})
 
 				It("returns an error if the LogStorage resource exists and is not marked for deletion", func() {
-					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 					Expect(err).ShouldNot(HaveOccurred())
 					mockStatus.On("SetDegraded", operatorv1.ResourceValidationError, "LogStorage validation failed - cluster type is managed but LogStorage CR still exists", mock.Anything, mock.Anything).Return()
 					result, err := r.Reconcile(ctx, reconcile.Request{})
@@ -232,7 +232,7 @@ var _ = Describe("LogStorage controller", func() {
 					mockStatus.On("ReadyToMonitor")
 					// mockStatus.On("SetMetaData", mock.Anything).Return()
 
-					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 					Expect(err).ShouldNot(HaveOccurred())
 
 					ls := &operatorv1.LogStorage{}
@@ -348,7 +348,7 @@ var _ = Describe("LogStorage controller", func() {
 					Data:       map[string]string{"eck_license_level": string(render.ElasticsearchLicenseTypeEnterprise)},
 				})).ShouldNot(HaveOccurred())
 
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for Elasticsearch cluster to be operational", mock.Anything, mock.Anything).Return()
@@ -463,7 +463,7 @@ var _ = Describe("LogStorage controller", func() {
 					ObjectMeta: metav1.ObjectMeta{Namespace: render.ElasticsearchNamespace, Name: render.OIDCUsersESSecretName},
 				})).ShouldNot(HaveOccurred())
 
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for Elasticsearch cluster to be operational", mock.Anything, mock.Anything).Return()
@@ -591,7 +591,7 @@ var _ = Describe("LogStorage controller", func() {
 					Data:       map[string]string{"eck_license_level": string(render.ElasticsearchLicenseTypeEnterprise)},
 				})).ShouldNot(HaveOccurred())
 
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				// Elasticsearch and kibana secrets are good.
@@ -635,7 +635,7 @@ var _ = Describe("LogStorage controller", func() {
 				Expect(err).ShouldNot(HaveOccurred())
 				Expect(cli.Update(ctx, kbSecret)).ShouldNot(HaveOccurred())
 
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for Elasticsearch cluster to be operational", mock.Anything, mock.Anything).Return()
@@ -719,7 +719,7 @@ var _ = Describe("LogStorage controller", func() {
 					Expect(cli.Create(ctx, rec)).ShouldNot(HaveOccurred())
 				}
 
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for curator secrets to become available", mock.Anything, mock.Anything).Return()
@@ -759,7 +759,7 @@ var _ = Describe("LogStorage controller", func() {
 					Data:       map[string]string{"eck_license_level": string(render.ElasticsearchLicenseTypeEnterprise)},
 				})).ShouldNot(HaveOccurred())
 
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for Elasticsearch cluster to be operational", mock.Anything, mock.Anything).Return()
@@ -830,7 +830,7 @@ var _ = Describe("LogStorage controller", func() {
 				})
 
 				It("should use default images", func() {
-					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 					Expect(err).ShouldNot(HaveOccurred())
 
 					esAdminUserSecret := &corev1.Secret{
@@ -933,7 +933,7 @@ var _ = Describe("LogStorage controller", func() {
 							},
 						},
 					})).ToNot(HaveOccurred())
-					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 					Expect(err).ShouldNot(HaveOccurred())
 
 					esAdminUserSecret := &corev1.Secret{
@@ -1056,7 +1056,7 @@ var _ = Describe("LogStorage controller", func() {
 					// mockStatus.On("SetMetaData", mock.Anything).Return()
 
 					var err error
-					r, err = NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+					r, err = NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 					Expect(err).ShouldNot(HaveOccurred())
 				})
 
@@ -1065,7 +1065,7 @@ var _ = Describe("LogStorage controller", func() {
 				})
 
 				It("should wait if tier watch is not ready", func() {
-					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, &utils.ReadyFlag{})
+					r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, &utils.ReadyFlag{})
 					Expect(err).ShouldNot(HaveOccurred())
 					utils.ExpectWaitForTierWatch(ctx, r, mockStatus)
 				})
@@ -1122,7 +1122,7 @@ var _ = Describe("LogStorage controller", func() {
 			})
 
 			It("deletes Elasticsearch and Kibana then removes the finalizers on the LogStorage CR", func() {
-				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, mockESCLICreator, dns.DefaultClusterDomain, readyFlag)
+				r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 				Expect(err).ShouldNot(HaveOccurred())
 
 				esAdminUserSecret := &corev1.Secret{
@@ -1313,17 +1313,3 @@ func CreateLogStorage(client client.Client, ls *operatorv1.LogStorage) {
 	// Create the LogStorage object.
 	ExpectWithOffset(1, client.Create(context.Background(), ls)).ShouldNot(HaveOccurred())
 }
-
-type mockESClient struct{}
-
-func mockESCLICreator(client client.Client, ctx context.Context, elasticHTTPSEndpoint string) (utils.ElasticClient, error) {
-	return &mockESClient{}, nil
-}
-
-func (m *mockESClient) CreateUser(ctx context.Context, user *utils.User) error {
-	return fmt.Errorf("CreateUser not implemented in mock client")
-}
-
-func (*mockESClient) SetILMPolicies(ctx context.Context, ls *operatorv1.LogStorage) error {
-	return nil
-}

pkg/controller/logstorage/elastic/mock.go

@@ -0,0 +1,74 @@
+// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package elastic
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/stretchr/testify/mock"
+	operatorv1 "github.com/tigera/operator/api/v1"
+	"github.com/tigera/operator/pkg/controller/utils"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type MockESClientKey string
+
+type MockESClient struct {
+	mock.Mock
+}
+
+func MockESCLICreator(_ client.Client, ctx context.Context, _ string) (utils.ElasticClient, error) {
+	if esCli := ctx.Value(MockESClientKey("mockESClient")); esCli != nil {
+		return esCli.(*MockESClient), nil
+	}
+	return &MockESClient{}, nil
+}
+
+func (m *MockESClient) CreateUser(_ context.Context, _ *utils.User) error {
+	return fmt.Errorf("CreateUser not implemented in mock client")
+}
+
+func (m *MockESClient) SetILMPolicies(_ context.Context, _ *operatorv1.LogStorage) error {
+	return nil
+}
+
+func (m *MockESClient) DeleteRoles(ctx context.Context, roles []utils.Role) error {
+	var ret mock.Arguments
+	for _, role := range roles {
+		ret = m.MethodCalled("deleteRole", ctx, role)
+		if ret.Error(0) != nil {
+			return ret.Error(0)
+		}
+	}
+
+	ret = m.Called(ctx, roles)
+	return ret.Error(0)
+}
+
+func (m *MockESClient) DeleteUser(ctx context.Context, u *utils.User) error {
+	ret := m.MethodCalled("DeleteRoles", ctx, u.Roles)
+	if ret.Error(0) != nil {
+		return ret.Error(0)
+	}
+
+	ret = m.Called(ctx, u)
+	return ret.Error(0)
+}
+
+func (m *MockESClient) GetUsers(ctx context.Context) ([]utils.User, error) {
+	ret := m.Called(ctx)
+	return ret.Get(0).([]utils.User), ret.Error(1)
+}