Concierge controllers add labels to all created resources

test/integration/concierge_api_serving_certs_test.go

@@ -90,6 +90,10 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			require.NotEmpty(t, initialCACert)
 			require.NotEmpty(t, initialPrivateKey)
 			require.NotEmpty(t, initialCertChain)
+			for k, v := range env.ConciergeCustomLabels {
+				require.Equalf(t, v, secret.Labels[k], "expected secret to have label %s: %s", k, v)
+			}
+			require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
 
 			// Check that the APIService has the same CA.
 			apiService, err := aggregatedClient.ApiregistrationV1().APIServices().Get(ctx, apiServiceName, metav1.GetOptions{})
@@ -115,6 +119,10 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 			require.NotEqual(t, initialCACert, regeneratedCACert)
 			require.NotEqual(t, initialPrivateKey, regeneratedPrivateKey)
 			require.NotEqual(t, initialCertChain, regeneratedCertChain)
+			for k, v := range env.ConciergeCustomLabels {
+				require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
+			}
+			require.Equal(t, env.ConciergeAppName, secret.Labels["app"])
 
 			// Expect that the APIService was also updated with the new CA.
 			aggregatedAPIUpdated := func() bool {

test/integration/concierge_credentialissuerconfig_test.go

@@ -33,8 +33,14 @@ func TestCredentialIssuerConfig(t *testing.T) {
 
 		require.Len(t, actualConfigList.Items, 1)
 
+		actualConfig := actualConfigList.Items[0]
 		actualStatusKubeConfigInfo := actualConfigList.Items[0].Status.KubeConfigInfo
 
+		for k, v := range env.ConciergeCustomLabels {
+			require.Equalf(t, v, actualConfig.Labels[k], "expected cic to have label `%s: %s`", k, v)
+		}
+		require.Equal(t, env.ConciergeAppName, actualConfig.Labels["app"])
+
 		// Verify the cluster strategy status based on what's expected of the test cluster's ability to share signing keys.
 		actualStatusStrategies := actualConfigList.Items[0].Status.Strategies
 		require.Len(t, actualStatusStrategies, 1)

test/integration/concierge_kubecertagent_test.go

@@ -44,6 +44,14 @@ func TestKubeCertAgent(t *testing.T) {
 	require.NotEmpty(t, originalAgentPods.Items)
 	sortPods(originalAgentPods)
 
+	for _, agentPod := range originalAgentPods.Items {
+		// All agent pods should contain all custom labels
+		for k, v := range env.ConciergeCustomLabels {
+			require.Equalf(t, v, agentPod.Labels[k], "expected agent pod to have label `%s: %s`", k, v)
+		}
+		require.Equal(t, env.ConciergeAppName, agentPod.Labels["app"])
+	}
+
 	agentPodsReconciled := func() bool {
 		var currentAgentPods *corev1.PodList
 		currentAgentPods, err = kubeClient.CoreV1().Pods(env.ConciergeNamespace).List(ctx, metav1.ListOptions{

test/library/env.go

@@ -26,13 +26,15 @@ const (
 type TestEnv struct {
 	t *testing.T
 
-	ConciergeNamespace  string                                  `json:"conciergeNamespace"`
-	SupervisorNamespace string                                  `json:"supervisorNamespace"`
-	ConciergeAppName    string                                  `json:"conciergeAppName"`
-	SupervisorAppName   string                                  `json:"supervisorAppName"`
-	Capabilities        map[Capability]bool                     `json:"capabilities"`
-	TestWebhook         idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
-	SupervisorAddress   string                                  `json:"supervisorAddress"`
+	ConciergeNamespace     string                                  `json:"conciergeNamespace"`
+	SupervisorNamespace    string                                  `json:"supervisorNamespace"`
+	ConciergeAppName       string                                  `json:"conciergeAppName"`
+	SupervisorAppName      string                                  `json:"supervisorAppName"`
+	SupervisorCustomLabels map[string]string                       `json:"supervisorCustomLabels"`
+	ConciergeCustomLabels  map[string]string                       `json:"conciergeCustomLabels"`
+	Capabilities           map[Capability]bool                     `json:"capabilities"`
+	TestWebhook            idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"`
+	SupervisorAddress      string                                  `json:"supervisorAddress"`
 
 	TestUser struct {
 		Token            string   `json:"token"`
@@ -89,6 +91,19 @@ func IntegrationEnv(t *testing.T) *TestEnv {
 	result.SupervisorAddress = needEnv("PINNIPED_TEST_SUPERVISOR_ADDRESS")
 	result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv("PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
 
+	conciergeCustomLabelsYAML := needEnv("PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS")
+	var conciergeCustomLabels map[string]string
+	err = yaml.Unmarshal([]byte(conciergeCustomLabelsYAML), &conciergeCustomLabels)
+	require.NoErrorf(t, err, "PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS must be a YAML map of string to string")
+	result.ConciergeCustomLabels = conciergeCustomLabels
+	require.NotEmpty(t, result.ConciergeCustomLabels, "PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS cannot be empty")
+	supervisorCustomLabelsYAML := needEnv("PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS")
+	var supervisorCustomLabels map[string]string
+	err = yaml.Unmarshal([]byte(supervisorCustomLabelsYAML), &supervisorCustomLabels)
+	require.NoErrorf(t, err, "PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS must be a YAML map of string to string")
+	result.SupervisorCustomLabels = supervisorCustomLabels
+	require.NotEmpty(t, result.SupervisorCustomLabels, "PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS cannot be empty")
+
 	result.OIDCUpstream.Issuer = needEnv("PINNIPED_TEST_CLI_OIDC_ISSUER")
 	result.OIDCUpstream.ClientID = needEnv("PINNIPED_TEST_CLI_OIDC_CLIENT_ID")
 	result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv("PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT"))