
Commit c8eebb9

maelvlswallrj
andcommitted
feedback: tests: move to inline YAML manifests for RBAC and secrets too
Co-authored-by: Richard Wall <[email protected]>
1 parent a48b3e4 commit c8eebb9


1 file changed

+107
-40
lines changed


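--- a/pkg/client/client_venconn_test.go
+++ b/pkg/client/client_venconn_test.go
@@ -17,7 +17,6 @@ import (
 "github.com/stretchr/testify/require"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
-metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
@@ -102,6 +101,67 @@ func TestVenConnClient_PostDataReadingsWithOptions(t *testing.T) {
 }))
 }
 
+// Generated using:
+//
+// helm template ./deploy/charts/venafi-kubernetes-agent -n venafi --set venafiConnection.include=true --show-only templates/venafi-connection-rbac.yaml | grep -ivE '(helm|\/version)'
+const rbac = `
+apiVersion: v1
+kind: Namespace
+metadata:
+name: venafi
+---
+# Source: venafi-kubernetes-agent/templates/venafi-connection-rbac.yaml
+# The 'venafi-connection' service account is used by multiple
+# controllers. When configuring which resources a VenafiConnection
+# can access, the RBAC rules you create manually must point to this SA.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: venafi-connection
+namespace: "venafi"
+labels:
+app.kubernetes.io/name: "venafi-connection"
+app.kubernetes.io/instance: release-name
+---
+# Source: venafi-kubernetes-agent/templates/venafi-connection-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: venafi-connection-role
+labels:
+app.kubernetes.io/name: "venafi-connection"
+app.kubernetes.io/instance: release-name
+rules:
+- apiGroups: [ "" ]
+resources: [ "namespaces" ]
+verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+resources: [ "venaficonnections" ]
+verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+resources: [ "venaficonnections/status" ]
+verbs: [ "get", "patch" ]
+---
+# Source: venafi-kubernetes-agent/templates/venafi-connection-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: venafi-connection-rolebinding
+labels:
+app.kubernetes.io/name: "venafi-connection"
+app.kubernetes.io/instance: release-name
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: venafi-connection-role
+subjects:
+- kind: ServiceAccount
+name: venafi-connection
+namespace: "venafi"
+`
+
 type testcase struct {
 given string
 expectErr string
@@ -144,48 +204,55 @@ func run(test testcase) func(t *testing.T) {
 // Apply the same RBAC as what you would get from the Venafi
 // Connection Helm chart, for example after running this:
 // helm template venafi-connection oci://registry.venafi.cloud/charts/venafi-connection --version v0.1.0 -n venafi --show-only templates/venafi-connection-rbac.yaml
-require.NoError(t, kclient.Create(context.Background(), &corev1.Namespace{
-ObjectMeta: metav1.ObjectMeta{Name: "venafi"},
-}))
-require.NoError(t, kclient.Create(context.Background(), &corev1.ServiceAccount{
-ObjectMeta: metav1.ObjectMeta{Name: "venafi-connection", Namespace: "venafi"},
-}))
-require.NoError(t, kclient.Create(context.Background(), &rbacv1.ClusterRole{
-ObjectMeta: metav1.ObjectMeta{Name: "venafi-connection-role"},
-Rules: []rbacv1.PolicyRule{
-{APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"get", "list", "watch"}},
-{APIGroups: []string{"jetstack.io"}, Resources: []string{"venaficonnections"}, Verbs: []string{"get", "list", "watch"}},
-{APIGroups: []string{"jetstack.io"}, Resources: []string{"venaficonnections/status"}, Verbs: []string{"get", "patch"}},
-},
-}))
-require.NoError(t, kclient.Create(context.Background(), &rbacv1.ClusterRoleBinding{
-ObjectMeta: metav1.ObjectMeta{Name: "venafi-connection-rolebinding"},
-RoleRef: rbacv1.RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: "venafi-connection-role"},
-Subjects: []rbacv1.Subject{{Kind: "ServiceAccount", Name: "venafi-connection", Namespace: "venafi"}},
-}))
-require.NoError(t, kclient.Create(context.Background(), &corev1.Secret{
-ObjectMeta: metav1.ObjectMeta{Name: "accesstoken", Namespace: "venafi"},
-StringData: map[string]string{"accesstoken": "VALID_ACCESS_TOKEN"},
-}))
-require.NoError(t, kclient.Create(context.Background(), &corev1.Secret{
-ObjectMeta: metav1.ObjectMeta{Name: "apikey", Namespace: "venafi"},
-StringData: map[string]string{"apikey": "VALID_API_KEY"},
-}))
-require.NoError(t, kclient.Create(context.Background(), &rbacv1.Role{
-ObjectMeta: metav1.ObjectMeta{Name: "venafi-connection-secret-reader", Namespace: "venafi"},
-Rules: []rbacv1.PolicyRule{
-{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}, ResourceNames: []string{"accesstoken", "apikey"}},
-},
-}))
-require.NoError(t, kclient.Create(context.Background(), &rbacv1.RoleBinding{
-ObjectMeta: metav1.ObjectMeta{Name: "venafi-connection-secret-reader", Namespace: "venafi"},
-RoleRef: rbacv1.RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "Role", Name: "venafi-connection-secret-reader"},
-Subjects: []rbacv1.Subject{{Kind: "ServiceAccount", Name: "venafi-connection", Namespace: "venafi"}},
-}))
 
 test.given = strings.ReplaceAll(test.given, "FAKE_VENAFI_CLOUD_URL", fakeVenafiCloud.URL)
 test.given = strings.ReplaceAll(test.given, "FAKE_TPP_URL", fakeTPP.URL)
-for _, obj := range parse(test.given) {
+
+var given []ctrlruntime.Object
+given = append(given, parse(rbac)...)
+given = append(given, parse(undent(`
+apiVersion: v1
+kind: Secret
+metadata:
+name: accesstoken
+namespace: venafi
+stringData:
+accesstoken: VALID_ACCESS_TOKEN
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: apikey
+namespace: venafi
+stringData:
+apikey: VALID_API_KEY
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: venafi-connection-secret-reader
+namespace: venafi
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get"]
+resourceNames: ["accesstoken", "apikey"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: venafi-connection-secret-reader
+namespace: venafi
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: venafi-connection-secret-reader
+subjects:
+- kind: ServiceAccount
+name: venafi-connection
+namespace: venafi`))...)
+given = append(given, parse(test.given)...)
+for _, obj := range given {
 require.NoError(t, kclient.Create(context.Background(), obj))
 }
 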