From 48a5d55b4b5e072685644ea383ec64e663eb4db8 Mon Sep 17 00:00:00 2001 From: Stavros kois Date: Tue, 22 Nov 2022 19:22:10 +0200 Subject: [PATCH] add primary rbac + tests --- .../serviceAccount/serviceAccount_test.yaml | 2 +- .../tests/utils/utils_primary_rbac_test.yaml | 400 ++++++++++++++++++ .../templates/lib/util/_primary_rbac.tpl | 27 ++ 3 files changed, 428 insertions(+), 1 deletion(-) create mode 100644 library/common-test/tests/utils/utils_primary_rbac_test.yaml create mode 100644 library/common/1.0.0/templates/lib/util/_primary_rbac.tpl diff --git a/library/common-test/tests/serviceAccount/serviceAccount_test.yaml b/library/common-test/tests/serviceAccount/serviceAccount_test.yaml index 9e2099f5..79dba359 100644 --- a/library/common-test/tests/serviceAccount/serviceAccount_test.yaml +++ b/library/common-test/tests/serviceAccount/serviceAccount_test.yaml @@ -1,5 +1,5 @@ -suite: deployment service account +suite: service account templates: - common.yaml chart: diff --git a/library/common-test/tests/utils/utils_primary_rbac_test.yaml b/library/common-test/tests/utils/utils_primary_rbac_test.yaml new file mode 100644 index 00000000..120036ce --- /dev/null +++ b/library/common-test/tests/utils/utils_primary_rbac_test.yaml 
@@ -0,0 +1,400 @@ + +suite: primary rbac utils test +templates: + - common.yaml +tests: + - it: should pass with default values + asserts: + - hasDocuments: + count: 1 + + - it: should fail with more than 1 primary rbac + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: true + asserts: + - failedTemplate: + errorMessage: More than one RBACS are set as primary. This is not supported. + + - it: should pass with no rbac set as primary (Role) + documentIndex: &roleDoc 0 + set: + rbac: + main: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 3 + - isKind: + of: Role + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with no rbac set as primary (RoleBinding) + documentIndex: &roleBindingDoc 1 + set: + rbac: + main: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 3 + - isKind: + of: RoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with no rbac set as primary (ClusterRole) + documentIndex: *roleDoc + set: + rbac: + main: + enabled: true + primary: false + clusterWide: true + asserts: + - hasDocuments: + count: 3 + - isKind: + of: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with no rbac set as primary (ClusterRoleBinding) + documentIndex: *roleBindingDoc + set: + rbac: + main: + enabled: true + primary: false + clusterWide: true + asserts: + - hasDocuments: + count: 3 + - isKind: + of: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test +###asdsa + - it: should pass with main rbac set as primary and other not (Role - main) + documentIndex: *roleDoc + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 5 + - isKind: + of: Role + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with main rbac set 
as primary and other not (Role - other) + documentIndex: &otherRoleDoc 2 + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 5 + - isKind: + of: Role + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-other + + - it: should pass with main rbac set as primary and other not (RoleBinding - main) + documentIndex: *roleBindingDoc + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 5 + - isKind: + of: RoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with main rbac set as primary and other not (RoleBinding - other) + documentIndex: &otherRoleBindingDoc 3 + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 5 + - isKind: + of: RoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-other + + - it: should pass with main rbac set as primary and other not (ClusterRole - main) + documentIndex: *roleDoc + set: + rbac: + main: + enabled: true + primary: true + clusterWide: true + other: + enabled: true + primary: false + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with main rbac set as primary and other not (ClusterRole - other) + documentIndex: *otherRoleDoc + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: false + clusterWide: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-other + + - it: should pass with main rbac set as primary and other not (ClusterRoleBinding - main) + documentIndex: *roleBindingDoc + set: + rbac: + main: + enabled: true + primary: true + clusterWide: true + other: + enabled: 
true + primary: false + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with main rbac set as primary and other not (ClusterRoleBinding - other) + documentIndex: *otherRoleBindingDoc + set: + rbac: + main: + enabled: true + primary: true + other: + enabled: true + primary: false + clusterWide: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-other +###### + - it: should pass with other rbac set as primary and main not (Role - main) + documentIndex: *roleDoc + set: + rbac: + main: + enabled: true + primary: false + other: + enabled: true + primary: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: Role + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-main + + - it: should pass with other rbac set as primary and main not (Role - other) + documentIndex: &otherRoleDoc 2 + set: + rbac: + main: + enabled: true + primary: false + other: + enabled: true + primary: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: Role + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with other rbac set as primary and main not (RoleBinding - main) + documentIndex: *roleBindingDoc + set: + rbac: + main: + enabled: true + primary: false + other: + enabled: true + primary: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: RoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-main + + - it: should pass with other rbac set as primary and main not (RoleBinding - other) + documentIndex: &otherRoleBindingDoc 3 + set: + rbac: + main: + enabled: true + primary: false + other: + enabled: true + primary: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: RoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with 
other rbac set as primary and main not (ClusterRole - main) + documentIndex: *roleDoc + set: + rbac: + main: + enabled: true + primary: false + clusterWide: true + other: + enabled: true + primary: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-main + + - it: should pass with other rbac set as primary and main not (ClusterRole - other) + documentIndex: *otherRoleDoc + set: + rbac: + main: + enabled: true + primary: false + other: + enabled: true + primary: true + clusterWide: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRole + - equal: + path: metadata.name + value: RELEASE-NAME-common-test + + - it: should pass with other rbac set as primary and main not (ClusterRoleBinding - main) + documentIndex: *roleBindingDoc + set: + rbac: + main: + enabled: true + primary: false + clusterWide: true + other: + enabled: true + primary: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-main + + - it: should pass with other rbac set as primary and main not (ClusterRoleBinding - other) + documentIndex: *otherRoleBindingDoc + set: + rbac: + main: + enabled: true + primary: false + other: + enabled: true + primary: true + clusterWide: true + asserts: + - hasDocuments: + count: 5 + - isKind: + of: ClusterRoleBinding + - equal: + path: metadata.name + value: RELEASE-NAME-common-test diff --git a/library/common/1.0.0/templates/lib/util/_primary_rbac.tpl b/library/common/1.0.0/templates/lib/util/_primary_rbac.tpl new file mode 100644 index 00000000..a5968490 --- /dev/null +++ b/library/common/1.0.0/templates/lib/util/_primary_rbac.tpl 
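Review bot: The RoleBinding and ClusterRoleBinding cases assert only `isKind` and `metadata.name`, so they would still pass if a binding pointed at a Role name that the primary selection has since changed. Because the Role's name depends on which entry is primary (`RELEASE-NAME-common-test` versus `RELEASE-NAME-common-test-other` or `-main`), each binding case should also pin the reference, e.g. `- equal: {path: roleRef.name, value: RELEASE-NAME-common-test-other}`, and ideally the subject's service account name. The binding template is not part of this patch, so whether it already follows the rename cannot be confirmed from here. Separately, the `###asdsa` and `######` separator comments look like leftovers, and `&otherRoleDoc` / `&otherRoleBindingDoc` are declared a second time in the last group where the aliases `*otherRoleDoc` / `*otherRoleBindingDoc` would do.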
@@ -0,0 +1,27 @@
+{{/* Returns the primary rbac object */}}
+{{- define "ix.v1.common.lib.util.rbac.primary" -}}
+ {{- $enabledrbacs := dict -}}
+ {{- range $name, $rbac := .Values.rbac -}}
+ {{- if $rbac.enabled -}}
+ {{- $_ := set $enabledrbacs $name . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- $result := "" -}}
+ {{- range $name, $rbac := $enabledrbacs -}}
+ {{- if (hasKey $rbac "primary") -}}
+ {{- if $rbac.primary -}}
+ {{- if $result -}}
+ {{- fail "More than one RBACS are set as primary. This is not supported." -}}
+ {{- end -}}
+ {{- $result = $name -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if not $result -}}
+ {{- $result = keys $enabledrbacs | first -}}
+ {{- end -}}
+
+ {{- $result -}}
+{{- end -}}
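Review bot: The fallback `{{- $result = keys $enabledrbacs | first -}}` takes whichever key `keys` happens to return first, and Sprig documents that order as unpredictable for a dict. With several enabled entries and none marked primary, the entry that gets the unsuffixed release name (per the tests in this patch) can therefore differ between renders. Sorting first makes the choice stable: `{{- $result = keys $enabledrbacs | sortAlpha | first -}}`. The new tests cover the no-primary fallback only with a single enabled entry, so a case with `main` and `other` both `primary: false` would pin this. In the first loop, `set $enabledrbacs $name .` relies on `range` rebinding the dot to the current entry; writing `$rbac` there says the same thing explicitly.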