better tests for k8s.ClientLoader

internal/k8s/client_test.go

@@ -18,24 +18,125 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"github.com/tetratelabs/run"
+
+	configv1 "github.com/tetrateio/authservice-go/config/gen/go/v1"
+	oidcv1 "github.com/tetrateio/authservice-go/config/gen/go/v1/oidc"
+)
+
+var (
+	filterWithClientSecretRef = &configv1.Filter{
+		Type: &configv1.Filter_Oidc{
+			Oidc: &oidcv1.OIDCConfig{
+				ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecretRef{
+					ClientSecretRef: &oidcv1.OIDCConfig_SecretReference{
+						Name: "client-secret",
+					},
+				},
+			},
+		},
+	}
+	filterWithTrustedCASecretRef = &configv1.Filter{
+		Type: &configv1.Filter_Oidc{
+			Oidc: &oidcv1.OIDCConfig{
+				TrustedCaConfig: &oidcv1.OIDCConfig_TrustedCertificateAuthoritySecret{
+					TrustedCertificateAuthoritySecret: &oidcv1.OIDCConfig_SecretReference{
+						Name: "trusted-ca",
+					},
+				},
+			},
+		},
+	}
+	filterWithNoSecretRef = &configv1.Filter{
+		Type: &configv1.Filter_Oidc{
+			Oidc: &oidcv1.OIDCConfig{},
+		},
+	}
 )
 
-func TestGetKubeClient(t *testing.T) {
+func TestClientLoader(t *testing.T) {
+
 	tests := []struct {
 		name       string
+		config     *configv1.Config
 		kubeconfig string
-		err        error
+		wantErr    error
+		wantClient bool
 	}{
-		{"unexisting", "non-existing-file", ErrLoadingConfig},
-		{"invalid", "testdata/kubeconfig-invalid", ErrCreatingClient},
-		{"valid", "testdata/kubeconfig", nil},
+		{"no-secret-ref-no-kubeconfig", &configv1.Config{}, "", nil, false},
+		{
+			"no-secret-ref-valid-kubeconfig", &configv1.Config{
+				Chains: []*configv1.FilterChain{{
+					Filters: []*configv1.Filter{filterWithNoSecretRef},
+				}},
+			},
+			"testdata/kubeconfig",
+			nil,
+			false},
+		{
+			"client-secret-ref-valid-kubeconfig",
+			&configv1.Config{
+				Chains: []*configv1.FilterChain{{
+					Filters: []*configv1.Filter{filterWithClientSecretRef},
+				}},
+			},
+			"testdata/kubeconfig",
+			nil,
+			true,
+		},
+		{
+			"trusted-ca-secret-ref-valid-kubeconfig",
+			&configv1.Config{
+				Chains: []*configv1.FilterChain{{
+					Filters: []*configv1.Filter{filterWithTrustedCASecretRef},
+				}},
+			},
+			"testdata/kubeconfig",
+			nil,
+			true,
+		},
+		{
+			"secret-ref-but-no-kubeconfig",
+			&configv1.Config{
+				Chains: []*configv1.FilterChain{{
+					Filters: []*configv1.Filter{filterWithClientSecretRef, filterWithTrustedCASecretRef},
+				}},
+			},
+			"",
+			ErrLoadingConfig,
+			false,
+		},
+		{
+			"secret-ref-but-invalid-kubeconfig",
+			&configv1.Config{
+				Chains: []*configv1.FilterChain{{
+					Filters: []*configv1.Filter{filterWithClientSecretRef, filterWithTrustedCASecretRef},
+				}},
+			},
+			"testdata/kubeconfig-invalid",
+			ErrCreatingClient,
+			false,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Setenv("KUBECONFIG", tt.kubeconfig)
-			_, err := getKubeClient()
-			require.ErrorIs(t, err, tt.err)
+
+			cl := NewClientLoader(tt.config)
+			err := cl.(run.PreRunner).PreRun()
+
+			if tt.wantErr != nil {
+				require.ErrorIs(t, err, tt.wantErr)
+			} else {
+				require.NoError(t, err)
+			}
+
+			if tt.wantClient {
+				require.NotNil(t, cl.Get())
+			} else {
+				require.Nil(t, cl.Get())
+			}
 		})
 	}
 }

internal/k8s/secrets_test.go

@@ -132,19 +132,6 @@ func TestLoadOIDCClientSecret(t *testing.T) {
 	}
 }
 
-func TestLoadWithInvalidKubeConfig(t *testing.T) {
-	t.Setenv("KUBECONFIG", "non-existing-file")
-
-	var cfg internal.LocalConfigFile
-	cl := NewClientLoader(&cfg.Config)
-
-	g := run.Group{Logger: telemetry.NoopLogger()}
-	g.Register(&cfg, cl)
-	err := g.Run("", "--config-path", "testdata/oidc-with-valid-secret-ref.json")
-
-	require.ErrorIs(t, err, ErrLoadingConfig)
-}
-
 var _ ClientLoader = mockClientLoader{}
 
 type mockClientLoader struct {