Commit e054d35

committed
Backport cluster/namespace-scoped RBAC tests to 0.0.3
Signed-off-by: Jonathan West <[email protected]>
1 parent 8f6c902 commit e054d35

2 files changed

+254
-0
lines changed

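--- a/tests/e2e/cluster-scoped/cluster_scoped_rollouts_test.go
+++ b/tests/e2e/cluster-scoped/cluster_scoped_rollouts_test.go
@@ -18,6 +18,7 @@ import (
 controllers "github.com/argoproj-labs/argo-rollouts-manager/controllers"
 
 corev1 "k8s.io/api/core/v1"
+rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -293,4 +294,129 @@ var _ = Describe("Cluster-scoped RolloutManager tests", func() {
 })
 
 })
+
+Context("Backport of cluster/namespace-scoped RBAC tests to 0.0.3", func() {
+
+namespaceScopedParam := false
+
+var (
+k8sClient client.Client
+ctx context.Context
+rolloutManager rmv1alpha1.RolloutManager
+)
+
+BeforeEach(func() {
+Expect(fixture.EnsureCleanSlate()).To(Succeed())
+
+var err error
+k8sClient, _, err = fixture.GetE2ETestKubeClient()
+Expect(err).ToNot(HaveOccurred())
+ctx = context.Background()
+
+rolloutManager = rmv1alpha1.RolloutManager{
+ObjectMeta: metav1.ObjectMeta{
+Name: "basic-rollouts-manager",
+Namespace: fixture.TestE2ENamespace,
+},
+Spec: rmv1alpha1.RolloutManagerSpec{
+NamespaceScoped: namespaceScopedParam,
+},
+}
+})
+
+When("a namespace-scoped RolloutManager is installed into a namespace that previously contained a cluster-scoped RolloutManager, or vice versa", func() {
+
+It("should cleanup any cluster/role/rolebinding resources that are present in the namespace, that do not match the current .spec.namespaceScoped value of the RolloutManager CR", func() {
+
+var fakeRole rbacv1.Role
+var fakeRoleBinding rbacv1.RoleBinding
+
+var fakeClusterRole rbacv1.ClusterRole
+var fakeClusterRoleBinding rbacv1.ClusterRoleBinding
+
+By("creating ClusterRole/Binding in the namespace-scoped case, and Role/Binding in the cluster-scoped case")
+
+if namespaceScopedParam {
+
+fakeClusterRole = rbacv1.ClusterRole{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+}
+Expect(k8sClient.Create(ctx, &fakeClusterRole)).To(Succeed())
+
+fakeClusterRoleBinding = rbacv1.ClusterRoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+RoleRef: rbacv1.RoleRef{
+APIGroup: rbacv1.GroupName,
+Kind: "ClusterRole",
+Name: fakeClusterRole.Name,
+},
+Subjects: []rbacv1.Subject{
+{
+Kind: rbacv1.ServiceAccountKind,
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+},
+}
+Expect(k8sClient.Create(ctx, &fakeClusterRoleBinding)).To(Succeed())
+
+} else {
+
+fakeRole = rbacv1.Role{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+}
+Expect(k8sClient.Create(ctx, &fakeRole)).To(Succeed())
+
+fakeRoleBinding = rbacv1.RoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+RoleRef: rbacv1.RoleRef{
+APIGroup: rbacv1.GroupName,
+Kind: "Role",
+Name: fakeRole.Name,
+},
+Subjects: []rbacv1.Subject{
+{
+Kind: rbacv1.ServiceAccountKind,
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+},
+}
+Expect(k8sClient.Create(ctx, &fakeRoleBinding)).To(Succeed())
+
+}
+
+By("creating RolloutManager and waiting for it to be available")
+Expect(k8sClient.Create(ctx, &rolloutManager)).To(Succeed())
+Eventually(rolloutManager, "1m", "1s").Should(rmFixture.HavePhase(rmv1alpha1.PhaseAvailable))
+
+if namespaceScopedParam {
+
+By("verifying that in the namespace-scoped case, the cluster-scoped resources are deleted after reconciliation")
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeClusterRole), &fakeClusterRole)).ToNot(Succeed())
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeClusterRoleBinding), &fakeClusterRoleBinding)).ToNot(Succeed())
+
+} else {
+
+By("verifying that in the cluster-scoped case, the namespace-scoped resources are deleted after reconciliation")
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeRole), &fakeRole)).ToNot(Succeed())
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeRoleBinding), &fakeRoleBinding)).ToNot(Succeed())
+
+}
+
+})
+})
+})
 })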
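Review bot: The four cleanup assertions at new lines 408-415 use `Expect(k8sClient.Get(...)).ToNot(Succeed())`, which passes on any error returned by Get, not only when the object is gone. A Forbidden or transport error would let the test go green while the stale Role/RoleBinding (or ClusterRole/ClusterRoleBinding) still exists, which is the condition this test is meant to catch. I would capture the error and assert `Expect(apierrors.IsNotFound(err)).To(BeTrue())`, wrapped in `Eventually` if deletion can trail the Available phase; that needs an import of `k8s.io/apimachinery/pkg/api/errors`, which is not among the visible import lines. The same assertions appear in tests/e2e/namespace-scoped/namespace_scoped_rollouts_test.go at new lines 461-468.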

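--- a/tests/e2e/namespace-scoped/namespace_scoped_rollouts_test.go
+++ b/tests/e2e/namespace-scoped/namespace_scoped_rollouts_test.go
@@ -17,9 +17,12 @@ import (
 
 rmv1alpha1 "github.com/argoproj-labs/argo-rollouts-manager/api/v1alpha1"
 
+rolloutManagerFixture "github.com/argoproj-labs/argo-rollouts-manager/tests/e2e/fixture/rolloutmanager"
+
 controllers "github.com/argoproj-labs/argo-rollouts-manager/controllers"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -344,4 +347,129 @@ var _ = Describe("Namespace-scoped RolloutManager tests", func() {
 utils.ValidateArgoRolloutsResources(ctx, k8sClient, nsName, 31000, 32000)
 })
 })
+
+Context("Backport of cluster/namespace-scoped RBAC tests to 0.0.3", func() {
+
+namespaceScopedParam := true
+
+var (
+k8sClient client.Client
+ctx context.Context
+rolloutManager rmv1alpha1.RolloutManager
+)
+
+BeforeEach(func() {
+Expect(fixture.EnsureCleanSlate()).To(Succeed())
+
+var err error
+k8sClient, _, err = fixture.GetE2ETestKubeClient()
+Expect(err).ToNot(HaveOccurred())
+ctx = context.Background()
+
+rolloutManager = rmv1alpha1.RolloutManager{
+ObjectMeta: metav1.ObjectMeta{
+Name: "basic-rollouts-manager",
+Namespace: fixture.TestE2ENamespace,
+},
+Spec: rmv1alpha1.RolloutManagerSpec{
+NamespaceScoped: namespaceScopedParam,
+},
+}
+})
+
+When("a namespace-scoped RolloutManager is installed into a namespace that previously contained a cluster-scoped RolloutManager, or vice versa", func() {
+
+It("should cleanup any cluster/role/rolebinding resources that are present in the namespace, that do not match the current .spec.namespaceScoped value of the RolloutManager CR", func() {
+
+var fakeRole rbacv1.Role
+var fakeRoleBinding rbacv1.RoleBinding
+
+var fakeClusterRole rbacv1.ClusterRole
+var fakeClusterRoleBinding rbacv1.ClusterRoleBinding
+
+By("creating ClusterRole/Binding in the namespace-scoped case, and Role/Binding in the cluster-scoped case")
+
+if namespaceScopedParam {
+
+fakeClusterRole = rbacv1.ClusterRole{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+}
+Expect(k8sClient.Create(ctx, &fakeClusterRole)).To(Succeed())
+
+fakeClusterRoleBinding = rbacv1.ClusterRoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+RoleRef: rbacv1.RoleRef{
+APIGroup: rbacv1.GroupName,
+Kind: "ClusterRole",
+Name: fakeClusterRole.Name,
+},
+Subjects: []rbacv1.Subject{
+{
+Kind: rbacv1.ServiceAccountKind,
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+},
+}
+Expect(k8sClient.Create(ctx, &fakeClusterRoleBinding)).To(Succeed())
+
+} else {
+
+fakeRole = rbacv1.Role{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+}
+Expect(k8sClient.Create(ctx, &fakeRole)).To(Succeed())
+
+fakeRoleBinding = rbacv1.RoleBinding{
+ObjectMeta: metav1.ObjectMeta{
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+RoleRef: rbacv1.RoleRef{
+APIGroup: rbacv1.GroupName,
+Kind: "Role",
+Name: fakeRole.Name,
+},
+Subjects: []rbacv1.Subject{
+{
+Kind: rbacv1.ServiceAccountKind,
+Name: controllers.DefaultArgoRolloutsResourceName,
+Namespace: rolloutManager.Namespace,
+},
+},
+}
+Expect(k8sClient.Create(ctx, &fakeRoleBinding)).To(Succeed())
+
+}
+
+By("creating RolloutManager and waiting for it to be available")
+Expect(k8sClient.Create(ctx, &rolloutManager)).To(Succeed())
+Eventually(rolloutManager, "1m", "1s").Should(rolloutManagerFixture.HavePhase(rmv1alpha1.PhaseAvailable))
+
+if namespaceScopedParam {
+
+By("verifying that in the namespace-scoped case, the cluster-scoped resources are deleted after reconciliation")
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeClusterRole), &fakeClusterRole)).ToNot(Succeed())
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeClusterRoleBinding), &fakeClusterRoleBinding)).ToNot(Succeed())
+
+} else {
+
+By("verifying that in the cluster-scoped case, the namespace-scoped resources are deleted after reconciliation")
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeRole), &fakeRole)).ToNot(Succeed())
+Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeRoleBinding), &fakeRoleBinding)).ToNot(Succeed())
+
+}
+
+})
+})
+})
 })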
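Review bot: With `namespaceScopedParam := true` the live branch (new lines 394-420) creates a ClusterRole and ClusterRoleBinding under the operator's default resource name, and nothing in the test removes them if an assertion fails before reconciliation deletes them. These are cluster-wide objects, so a leftover would make the next run's `Create` fail with AlreadyExists unless `fixture.EnsureCleanSlate()` covers them, which is not visible here. Registering cleanup right after each create would make the test self-contained, e.g. `DeferCleanup(func() { _ = k8sClient.Delete(ctx, &fakeClusterRoleBinding) })` if the suite is on Ginkgo v2. The `Namespace: rolloutManager.Namespace` entry in the ObjectMeta of both cluster-scoped objects has no meaning for those kinds and could be dropped. The `else` branch is dead in this file, just as the `if` branch is in the cluster-scoped file, so a shared helper taking the boolean would avoid keeping two copies of the same body.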
