feat: add bare policy binding controller

2026-05-17 19:38:29 +02:00
parent 27b55d5a7b
commit 8e8989c576
31 changed files with 2192 additions and 1 deletions
@@ -0,0 +1,295 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policybinding
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"slices"
+	"time"
+
+	"golang.org/x/time/rate"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/policybinding/v1alpha1"
+	clientset "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
+	operatorscheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
+	informers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/policybinding/v1alpha1"
+	listers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/listers/policybinding/v1alpha1"
+	authentikapi "goauthentik.io/api/v3"
+)
+
+const controllerAgentName = "policybinding-controller"
+
+const (
+	SuccessSynced         = "Synced"
+	ErrResourceExists     = "ErrResourceExists"
+	MessageResourceExists = "Resource %q already exists and is not managed by PolicyBinding"
+	MessageResourceSynced = "PolicyBinding synced successfully"
+	FieldManager          = controllerAgentName
+)
+
+// Finalizers
+const (
+	DeleteAuthentikPolicyBindingFinalizer = "policybinding.t000-n.de/delete-authentik-policybinding"
+)
+
+type Controller struct {
+	kubeclientset          kubernetes.Interface
+	policyBindingClientset clientset.Interface
+	authentik              *authentikapi.APIClient
+
+	policyBindingListener listers.PolicyBindingLister
+	policyBindingSynced   cache.InformerSynced
+
+	workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName]
+	recorder  record.EventRecorder
+}
+
+func NewController(
+	ctx context.Context,
+	kubeclientset kubernetes.Interface,
+	policyBindingClientset clientset.Interface,
+	authentik *authentikapi.APIClient,
+	policyBindingInformer informers.PolicyBindingInformer,
+) *Controller {
+	logger := klog.FromContext(ctx)
+
+	utilruntime.Must(operatorscheme.AddToScheme(scheme.Scheme))
+	logger.V(4).Info("Creating event broadcaster")
+
+	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
+	eventBroadcaster.StartStructuredLogging(0)
+	eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: kubeclientset.CoreV1().Events("")})
+	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: controllerAgentName})
+	ratelimiter := workqueue.NewTypedMaxOfRateLimiter(
+		workqueue.NewTypedItemExponentialFailureRateLimiter[cache.ObjectName](5*time.Millisecond, 1000*time.Second),
+		&workqueue.TypedBucketRateLimiter[cache.ObjectName]{Limiter: rate.NewLimiter(rate.Limit(50), 300)},
+	)
+
+	c := &Controller{
+		kubeclientset:          kubeclientset,
+		policyBindingClientset: policyBindingClientset,
+		authentik:              authentik,
+		policyBindingListener:  policyBindingInformer.Lister(),
+		policyBindingSynced:    policyBindingInformer.Informer().HasSynced,
+		workqueue:              workqueue.NewTypedRateLimitingQueue(ratelimiter),
+		recorder:               recorder,
+	}
+
+	logger.Info("Setting up event handlers")
+	policyBindingInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: c.enqueuePolicyBinding,
+		UpdateFunc: func(_, newObj interface{}) {
+			c.enqueuePolicyBinding(newObj)
+		},
+	})
+
+	return c
+}
+
+func (c *Controller) Run(ctx context.Context, workers int) error {
+	defer utilruntime.HandleCrash()
+	defer c.workqueue.ShutDown()
+	logger := klog.FromContext(ctx)
+
+	logger.Info("Starting PolicyBinding controller")
+
+	logger.Info("Waiting for informer caches to sync")
+	if ok := cache.WaitForCacheSync(ctx.Done(), c.policyBindingSynced); !ok {
+		return fmt.Errorf("failed to wait for caches to sync")
+	}
+
+	logger.Info("Starting workers", "count", workers)
+	for i := 0; i < workers; i++ {
+		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+	}
+
+	logger.Info("Started workers")
+	<-ctx.Done()
+	logger.Info("Shutting down workers")
+	return nil
+}
+
+func (c *Controller) runWorker(ctx context.Context) {
+	for c.processNextWorkItem(ctx) {
+	}
+}
+
+func (c *Controller) processNextWorkItem(ctx context.Context) bool {
+	objRef, shutdown := c.workqueue.Get()
+	logger := klog.FromContext(ctx)
+	if shutdown {
+		return false
+	}
+	defer c.workqueue.Done(objRef)
+
+	err := c.syncHandler(ctx, objRef)
+	if err == nil {
+		c.workqueue.Forget(objRef)
+		logger.Info("Successfully synced", "objectName", objRef)
+		return true
+	}
+	utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
+	c.workqueue.AddRateLimited(objRef)
+	return true
+}
+
+func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
+	logger := klog.LoggerWithValues(klog.FromContext(ctx), "objectRef", objectRef)
+
+	pb, err := c.policyBindingListener.PolicyBindings(objectRef.Namespace).Get(objectRef.Name)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			logger.V(4).Info("PolicyBinding no longer exists")
+			return nil
+		}
+		return err
+	}
+	logger.V(4).Info("sync PolicyBinding", "name", pb.Name)
+
+	if !pb.ObjectMeta.DeletionTimestamp.IsZero() {
+		logger.Info("Reconciling deletion of PolicyBinding", "name", pb.Name)
+		return c.reconcileDelete(ctx, pb)
+	}
+
+	if pb.Status.PK == "" {
+		logger.Info("Reconciling creation of PolicyBinding", "name", pb.Name)
+		return c.reconcileCreate(ctx, pb)
+	}
+
+	// Check if all finalizers are present. If not, we add them. Same pattern as above, just needs a helper function to check for presence of a finalizer.
+	if !slices.Contains(pb.ObjectMeta.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		logger.Info("Ensuring finalizers are present", "name", pb.Name)
+		return c.ensureFinalizers(ctx, pb)
+	}
+
+	logger.Info("Reconciling update of PolicyBinding", "name", pb.Name)
+	return c.reconcileUpdate(ctx, pb)
+}
+
+func (c *Controller) ensureFinalizers(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+	pb.ObjectMeta.Finalizers = append(pb.ObjectMeta.Finalizers, DeleteAuthentikPolicyBindingFinalizer)
+	return c.updatePolicyBinding(ctx, pb)
+}
+
+func (c *Controller) reconcileDelete(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+	r, err := c.authentik.PoliciesApi.PoliciesBindingsDestroy(ctx, pb.Status.PK).Execute()
+	if err != nil {
+		// This handles an edge-case, where when the PolicyBinding on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
+		if r != nil && r.StatusCode != http.StatusNotFound {
+			return fmt.Errorf("error when calling `PoliciesAPI.PoliciesBindingsDestroy`: %w with response %v", err, r)
+		}
+	}
+
+	pb.ObjectMeta.Finalizers = slices.Delete(pb.ObjectMeta.Finalizers, slices.Index(pb.ObjectMeta.Finalizers, DeleteAuthentikPolicyBindingFinalizer), 1)
+	return c.updatePolicyBinding(ctx, pb)
+}
+
+func (c *Controller) reconcileUpdate(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+	_, r, err := c.authentik.PoliciesApi.PoliciesBindingsRetrieve(ctx, pb.Status.PK).Execute()
+	if err != nil {
+		if r != nil && r.StatusCode == http.StatusNotFound {
+			// This handles an edge-case, where when the PolicyBinding on Authentik has been deleted, e.g. by mistake. We just remove the PK and return.
+			// During the next reconciliation, the PolicyBinding will be re-created.
+			pb.Status.PK = ""
+			return c.updatePolicyBindingStatus(ctx, pb)
+		}
+		return fmt.Errorf("error retrieving existing PolicyBinding: %v with response %v", err, r)
+	}
+
+	patchedPolicyBindingRequest := &authentikapi.PatchedPolicyBindingRequest{
+		Target: &pb.Spec.Target,
+		Order:  &pb.Spec.Order,
+	}
+	if pb.Spec.Policy != "" {
+		patchedPolicyBindingRequest.SetPolicy(pb.Spec.Policy)
+	}
+	if pb.Spec.Group != "" {
+		patchedPolicyBindingRequest.SetGroup(pb.Spec.Group)
+	}
+	if pb.Spec.User != 0 {
+		patchedPolicyBindingRequest.SetUser(pb.Spec.User)
+	}
+
+	resp, r, err := c.authentik.PoliciesApi.PoliciesBindingsPartialUpdate(ctx, pb.Status.PK).PatchedPolicyBindingRequest(*patchedPolicyBindingRequest).Execute()
+	if err != nil {
+		return fmt.Errorf("error when calling `PoliciesAPI.PoliciesBindingsPartialUpdate`: %w with response %v", err, r)
+	}
+
+	pb.Status.PK = resp.Pk
+	return c.updatePolicyBindingStatus(ctx, pb)
+}
+
+func (c *Controller) reconcileCreate(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+	policyBindingRequest := &authentikapi.PolicyBindingRequest{
+		Target: pb.Spec.Target,
+		Order:  pb.Spec.Order,
+	}
+	if pb.Spec.Policy != "" {
+		policyBindingRequest.SetPolicy(pb.Spec.Policy)
+	}
+	if pb.Spec.Group != "" {
+		policyBindingRequest.SetGroup(pb.Spec.Group)
+	}
+	if pb.Spec.User != 0 {
+		policyBindingRequest.SetUser(pb.Spec.User)
+	}
+
+	resp, r, err := c.authentik.PoliciesApi.PoliciesBindingsCreate(ctx).PolicyBindingRequest(*policyBindingRequest).Execute()
+	if err != nil {
+		return fmt.Errorf("error when calling `PoliciesAPI.PoliciesBindingsCreate`: %w with response %v", err, r)
+	}
+
+	pb.Status.PK = resp.Pk
+	return c.updatePolicyBindingStatus(ctx, pb)
+}
+
+func (c *Controller) enqueuePolicyBinding(obj interface{}) {
+	objectRef, err := cache.ObjectToName(obj)
+	if err != nil {
+		utilruntime.HandleError(err)
+		return
+	}
+	c.workqueue.Add(objectRef)
+}
+
+func (c *Controller) updatePolicyBindingStatus(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+	pbCopy := pb.DeepCopy()
+	_, err := c.policyBindingClientset.PolicyBindingV1alpha1().PolicyBindings(pbCopy.Namespace).UpdateStatus(ctx, pbCopy, metav1.UpdateOptions{FieldManager: FieldManager})
+	return err
+}
+
+// Update metadata, spec, etc. of the PolicyBinding object.
+func (c *Controller) updatePolicyBinding(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+	pbCopy := pb.DeepCopy()
+	_, err := c.policyBindingClientset.PolicyBindingV1alpha1().PolicyBindings(pbCopy.Namespace).Update(ctx, pbCopy, metav1.UpdateOptions{FieldManager: FieldManager})
+	return err
+}
@@ -0,0 +1,363 @@
+// AI generated tests and not yet reviewed.
+package policybinding
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"slices"
+	"strings"
+	"testing"
+
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/policybinding/v1alpha1"
+	operatorfake "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/fake"
+	operatorinformers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions"
+	authentikapi "goauthentik.io/api/v3"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
+)
+
+func TestController_syncHandler_create(t *testing.T) {
+	const wantPK = "42"
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingCreate: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusCreated, map[string]any{"pk": wantPK})
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, testPolicyBinding(), server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "test-pb"})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, "default", "test-pb")
+	if got.Status.PK != wantPK {
+		t.Fatalf("status.pk = %q, want %q", got.Status.PK, wantPK)
+	}
+}
+
+func TestController_syncHandler_ensureFinalizers(t *testing.T) {
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if !slices.Contains(got.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		t.Fatalf("finalizers = %v, want %q", got.Finalizers, DeleteAuthentikPolicyBindingFinalizer)
+	}
+}
+
+func TestController_syncHandler_update(t *testing.T) {
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingRetrieve: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": "42"})
+		},
+		policyBindingPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": "42"})
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if got.Status.PK != "42" {
+		t.Fatalf("status.pk = %q, want 42", got.Status.PK)
+	}
+}
+
+func TestController_syncHandler_update_policyBindingNotFound(t *testing.T) {
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingRetrieve: func(w http.ResponseWriter, _ *http.Request) {
+			http.NotFound(w, nil)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if got.Status.PK != "" {
+		t.Fatalf("status.pk = %q, want empty after policy binding not found", got.Status.PK)
+	}
+}
+
+func TestController_syncHandler_delete(t *testing.T) {
+	now := metav1.Now()
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.DeletionTimestamp = &now
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	var destroyCalled bool
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingDestroy: func(w http.ResponseWriter, r *http.Request) {
+			destroyCalled = true
+			if r.Method != http.MethodDelete {
+				t.Errorf("destroy method = %s, want DELETE", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+	if !destroyCalled {
+		t.Fatal("expected Authentik destroy call")
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if slices.Contains(got.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		t.Fatalf("finalizers = %v, want finalizer removed", got.Finalizers)
+	}
+}
+
+func TestController_syncHandler_delete_policyBindingAlreadyGone(t *testing.T) {
+	now := metav1.Now()
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.DeletionTimestamp = &now
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingDestroy: func(w http.ResponseWriter, _ *http.Request) {
+			http.NotFound(w, nil)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if slices.Contains(got.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		t.Fatalf("finalizers = %v, want finalizer removed after 404", got.Finalizers)
+	}
+}
+
+func TestController_syncHandler_notFound(t *testing.T) {
+	server := newAuthentikTestServer(t, authentikTestHandlers{})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, nil, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "missing"})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v, want nil for missing object", err)
+	}
+}
+
+func TestController_enqueuePolicyBinding(t *testing.T) {
+	server := newAuthentikTestServer(t, authentikTestHandlers{})
+	t.Cleanup(server.Close)
+
+	ctrl, _, cancel := newTestController(t, testPolicyBinding(), server.URL)
+	t.Cleanup(cancel)
+
+	ctrl.enqueuePolicyBinding(testPolicyBinding())
+
+	if ctrl.workqueue.Len() != 1 {
+		t.Fatalf("workqueue length = %d, want 1", ctrl.workqueue.Len())
+	}
+}
+
+// --- test helpers ---
+
+func testPolicyBinding() *v1alpha1.PolicyBinding {
+	return &v1alpha1.PolicyBinding{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: v1alpha1.SchemeGroupVersion.String(),
+			Kind:       "PolicyBinding",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pb",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.PolicyBindingSpec{
+			Group:  "14ab813f-a7f9-481b-9b08-781953ae9ebf",
+			Target: "8dd85627-9c48-49c2-8afc-d73dd122ffc2",
+			Order:  1,
+		},
+	}
+}
+
+func newTestController(t *testing.T, pb *v1alpha1.PolicyBinding, authentikURL string) (*Controller, context.Context, context.CancelFunc) {
+	t.Helper()
+	ctx, cancel := context.WithCancel(context.Background())
+	ctrl, _, stop := newTestControllerWithContext(t, ctx, pb, authentikURL)
+	return ctrl, ctx, func() {
+		cancel()
+		stop()
+	}
+}
+
+func newTestControllerWithContext(t *testing.T, ctx context.Context, pb *v1alpha1.PolicyBinding, authentikURL string) (*Controller, context.Context, func()) {
+	t.Helper()
+
+	authentikClient := newAuthentikAPIClientForTest(t, authentikURL)
+
+	var objects []runtime.Object
+	if pb != nil {
+		objects = append(objects, pb)
+	}
+	policyBindingClient := operatorfake.NewSimpleClientset(objects...)
+
+	informerFactory := operatorinformers.NewSharedInformerFactory(policyBindingClient, 0)
+	policyBindingInformer := informerFactory.PolicyBinding().V1alpha1().PolicyBindings()
+
+	ctrl := NewController(ctx, fake.NewClientset(), policyBindingClient, authentikClient, policyBindingInformer)
+
+	informerFactory.Start(ctx.Done())
+	for informerType, synced := range informerFactory.WaitForCacheSync(ctx.Done()) {
+		if !synced {
+			t.Fatalf("informer %v failed to sync", informerType)
+		}
+	}
+
+	return ctrl, ctx, func() {}
+}
+
+func newAuthentikAPIClientForTest(t *testing.T, serverURL string) *authentikapi.APIClient {
+	t.Helper()
+
+	u, err := url.Parse(serverURL)
+	if err != nil {
+		t.Fatalf("parse server URL: %v", err)
+	}
+
+	cfg := authentikapi.NewConfiguration()
+	cfg.Scheme = u.Scheme
+	cfg.Host = u.Host
+
+	return authentikapi.NewAPIClient(cfg)
+}
+
+type authentikTestHandlers struct {
+	policyBindingCreate        http.HandlerFunc
+	policyBindingRetrieve      http.HandlerFunc
+	policyBindingPartialUpdate http.HandlerFunc
+	policyBindingDestroy       http.HandlerFunc
+}
+
+func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httptest.Server {
+	t.Helper()
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		path := r.URL.Path
+
+		switch {
+		case path == "/api/v3/policies/bindings/" && r.Method == http.MethodPost:
+			if handlers.policyBindingCreate != nil {
+				handlers.policyBindingCreate(w, r)
+				return
+			}
+			http.NotFound(w, r)
+
+		case strings.HasPrefix(path, "/api/v3/policies/bindings/") && strings.HasSuffix(path, "/"):
+			idPath := strings.TrimPrefix(path, "/api/v3/policies/bindings/")
+			if idPath == "" {
+				http.NotFound(w, r)
+				return
+			}
+			switch r.Method {
+			case http.MethodGet:
+				if handlers.policyBindingRetrieve != nil {
+					handlers.policyBindingRetrieve(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			case http.MethodPatch:
+				if handlers.policyBindingPartialUpdate != nil {
+					handlers.policyBindingPartialUpdate(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			case http.MethodDelete:
+				if handlers.policyBindingDestroy != nil {
+					handlers.policyBindingDestroy(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			default:
+				http.Error(w, "unexpected method on policy binding instance", http.StatusMethodNotAllowed)
+			}
+
+		default:
+			http.NotFound(w, r)
+		}
+	})
+
+	return httptest.NewServer(handler)
+}
+
+func writeJSON(t *testing.T, w http.ResponseWriter, status int, body any) {
+	t.Helper()
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(body); err != nil {
+		t.Fatalf("write JSON response: %v", err)
+	}
+}
+
+func getPolicyBinding(t *testing.T, ctrl *Controller, namespace, name string) *v1alpha1.PolicyBinding {
+	t.Helper()
+
+	got, err := ctrl.policyBindingClientset.PolicyBindingV1alpha1().PolicyBindings(namespace).Get(
+		context.Background(), name, metav1.GetOptions{},
+	)
+	if err != nil {
+		t.Fatalf("get PolicyBinding: %v", err)
+	}
+	return got
+}