
Commit 0c5265b

Per Goncalves da Silvaperdasilva
Per Goncalves da Silva
authored andcommitted
Add unit tests
Signed-off-by: Per Goncalves da Silva <[email protected]>
1 parent 2e871d3 commit 0c5265b


1 file changed

+283
-0
lines changed

@@ -0,0 +1,283 @@
1+
package convert_test
2+
3+
import (
4+
"testing"
5+
6+
"github.com/stretchr/testify/require"
7+
corev1 "k8s.io/api/core/v1"
8+
rbacv1 "k8s.io/api/rbac/v1"
9+
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
10+
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
11+
"sigs.k8s.io/controller-runtime/pkg/client"
12+
13+
"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
14+
)
15+
16+
func Test_GenerateResourceManagerClusterRolePerms_GeneratesRBACSuccessfully(t *testing.T) {
17+
objs := []client.Object{
18+
// ClusterRole created by convert.Convert
19+
&rbacv1.ClusterRole{
20+
TypeMeta: metav1.TypeMeta{
21+
Kind: "ClusterRole",
22+
APIVersion: rbacv1.SchemeGroupVersion.String(),
23+
},
24+
ObjectMeta: metav1.ObjectMeta{
25+
Name: "operator-controller-cluster-perms",
26+
Annotations: map[string]string{
27+
convert.AnnotationRegistryV1GeneratedManifest: "",
28+
},
29+
},
30+
Rules: []rbacv1.PolicyRule{
31+
{
32+
APIGroups: []string{""},
33+
Resources: []string{"configmaps"},
34+
Verbs: []string{"get", "list", "watch"},
35+
}, {
36+
APIGroups: []string{"apps"},
37+
Resources: []string{"deployments"},
38+
Verbs: []string{"get", "list", "watch"},
39+
},
40+
},
41+
},
42+
// Some CRD
43+
&apiextensions.CustomResourceDefinition{
44+
TypeMeta: metav1.TypeMeta{
45+
Kind: "CustomResourceDefinition",
46+
APIVersion: apiextensions.SchemeGroupVersion.String(),
47+
},
48+
ObjectMeta: metav1.ObjectMeta{
49+
Name: "operator-controller-crd",
50+
},
51+
Spec: apiextensions.CustomResourceDefinitionSpec{
52+
Group: "some.operator.domain",
53+
Names: apiextensions.CustomResourceDefinitionNames{
54+
Plural: "operatorresources",
55+
Kind: "OperatorResource",
56+
ListKind: "OperatorResourceList",
57+
Singular: "OperatorResource",
58+
},
59+
Versions: []apiextensions.CustomResourceDefinitionVersion{
60+
{
61+
Name: "v1alpha1",
62+
Served: true,
63+
},
64+
},
65+
},
66+
},
67+
// Some Namespaced Resource
68+
&corev1.ConfigMap{
69+
TypeMeta: metav1.TypeMeta{
70+
Kind: "ConfigMap",
71+
APIVersion: corev1.SchemeGroupVersion.String(),
72+
},
73+
ObjectMeta: metav1.ObjectMeta{
74+
Name: "operator-controller-config",
75+
},
76+
Data: map[string]string{
77+
"some": "data",
78+
},
79+
},
80+
}
81+
82+
clusterRolePerms := convert.GenerateResourceManagerClusterRolePerms(objs)
83+
require.ElementsMatch(t, []rbacv1.PolicyRule{
84+
// Aggregates operator-controller ClusterRole rules
85+
{
86+
APIGroups: []string{""},
87+
Resources: []string{"configmaps"},
88+
Verbs: []string{"get", "list", "watch"},
89+
}, {
90+
APIGroups: []string{"apps"},
91+
Resources: []string{"deployments"},
92+
Verbs: []string{"get", "list", "watch"},
93+
},
94+
// Adds cluster-scoped resource management rules
95+
{
96+
APIGroups: []string{"rbac.authorization.k8s.io"},
97+
Resources: []string{"clusterroles"},
98+
Verbs: []string{"create", "list", "watch"},
99+
}, {
100+
APIGroups: []string{"rbac.authorization.k8s.io"},
101+
Resources: []string{"clusterroles"},
102+
Verbs: []string{"get", "update", "patch", "delete"},
103+
ResourceNames: []string{"operator-controller-cluster-perms"},
104+
}, {
105+
APIGroups: []string{"apiextensions.k8s.io"},
106+
Resources: []string{"customresourcedefinitions"},
107+
Verbs: []string{"create", "list", "watch"},
108+
}, {
109+
APIGroups: []string{"apiextensions.k8s.io"},
110+
Resources: []string{"customresourcedefinitions"},
111+
Verbs: []string{"get", "update", "patch", "delete"},
112+
ResourceNames: []string{"operator-controller-crd"},
113+
},
114+
// Nothing to be said about namespaced resources
115+
}, clusterRolePerms)
116+
}
117+
118+
func Test_GenerateResourceManagerRolePerms_GeneratesRBACSuccessfully(t *testing.T) {
119+
objs := []client.Object{
120+
// ClusterRole generated by convert.Convert - should be ignored
121+
&rbacv1.ClusterRole{
122+
TypeMeta: metav1.TypeMeta{
123+
Kind: "ClusterRole",
124+
APIVersion: rbacv1.SchemeGroupVersion.String(),
125+
},
126+
ObjectMeta: metav1.ObjectMeta{
127+
Name: "operator-controller-namespace-perms",
128+
Annotations: map[string]string{
129+
convert.AnnotationRegistryV1GeneratedManifest: "",
130+
},
131+
},
132+
Rules: []rbacv1.PolicyRule{
133+
{
134+
APIGroups: []string{""},
135+
Resources: []string{"configmaps"},
136+
Verbs: []string{"get", "list", "watch"},
137+
}, {
138+
APIGroups: []string{"apps"},
139+
Resources: []string{"deployments"},
140+
Verbs: []string{"get", "list", "watch"},
141+
},
142+
},
143+
},
144+
// Some cluster-scoped resources - should be ignored
145+
&apiextensions.CustomResourceDefinition{
146+
TypeMeta: metav1.TypeMeta{
147+
Kind: "CustomResourceDefinition",
148+
APIVersion: apiextensions.SchemeGroupVersion.String(),
149+
},
150+
ObjectMeta: metav1.ObjectMeta{
151+
Name: "operator-controller-crd",
152+
},
153+
Spec: apiextensions.CustomResourceDefinitionSpec{
154+
Group: "some.operator.domain",
155+
Names: apiextensions.CustomResourceDefinitionNames{
156+
Plural: "operatorresources",
157+
Kind: "OperatorResource",
158+
ListKind: "OperatorResourceList",
159+
Singular: "OperatorResource",
160+
},
161+
Versions: []apiextensions.CustomResourceDefinitionVersion{
162+
{
163+
Name: "v1alpha1",
164+
Served: true,
165+
},
166+
},
167+
},
168+
},
169+
// Some Namespaced Resource
170+
&corev1.ConfigMap{
171+
TypeMeta: metav1.TypeMeta{
172+
Kind: "ConfigMap",
173+
APIVersion: corev1.SchemeGroupVersion.String(),
174+
},
175+
ObjectMeta: metav1.ObjectMeta{
176+
Name: "operator-controller-config",
177+
Namespace: "install-namespace",
178+
},
179+
Data: map[string]string{
180+
"some": "data",
181+
},
182+
},
183+
// Some namespaces resource in a different namespace
184+
&corev1.Service{
185+
TypeMeta: metav1.TypeMeta{
186+
Kind: "Service",
187+
APIVersion: corev1.SchemeGroupVersion.String(),
188+
},
189+
ObjectMeta: metav1.ObjectMeta{
190+
Name: "some-service",
191+
Namespace: "another-namespace",
192+
},
193+
},
194+
// Some convert.Convert generated Role - perms should be aggregated
195+
&rbacv1.Role{
196+
TypeMeta: metav1.TypeMeta{
197+
Kind: "Role",
198+
APIVersion: rbacv1.SchemeGroupVersion.String(),
199+
},
200+
ObjectMeta: metav1.ObjectMeta{
201+
Name: "operator-controller-perms",
202+
Namespace: "install-namespace",
203+
Annotations: map[string]string{
204+
convert.AnnotationRegistryV1GeneratedManifest: "",
205+
},
206+
},
207+
Rules: []rbacv1.PolicyRule{
208+
{
209+
APIGroups: []string{""},
210+
Resources: []string{"configmaps"},
211+
Verbs: []string{"get", "list", "watch"},
212+
}, {
213+
APIGroups: []string{"apps"},
214+
Resources: []string{"deployments"},
215+
Verbs: []string{"get", "list", "watch"},
216+
},
217+
},
218+
},
219+
}
220+
221+
namespaceRolePerms := convert.GenerateResourceManagerRolePerms(objs)
222+
expected := map[string][]rbacv1.PolicyRule{
223+
"install-namespace": {
224+
// Aggregates operator-controller ClusterRole rules
225+
{
226+
APIGroups: []string{""},
227+
Resources: []string{"configmaps"},
228+
Verbs: []string{"get", "list", "watch"},
229+
}, {
230+
APIGroups: []string{"apps"},
231+
Resources: []string{"deployments"},
232+
Verbs: []string{"get", "list", "watch"},
233+
},
234+
// Adds cluster-scoped resource management rules
235+
{
236+
APIGroups: []string{""},
237+
Resources: []string{"configmaps"},
238+
Verbs: []string{"create", "list", "watch"},
239+
}, {
240+
APIGroups: []string{""},
241+
Resources: []string{"configmaps"},
242+
Verbs: []string{"get", "update", "patch", "delete"},
243+
ResourceNames: []string{"operator-controller-config"},
244+
},
245+
{
246+
APIGroups: []string{"rbac.authorization.k8s.io"},
247+
Resources: []string{"roles"},
248+
Verbs: []string{"create", "list", "watch"},
249+
}, {
250+
APIGroups: []string{"rbac.authorization.k8s.io"},
251+
Resources: []string{"roles"},
252+
Verbs: []string{"get", "update", "patch", "delete"},
253+
ResourceNames: []string{"operator-controller-perms"},
254+
},
255+
},
256+
"another-namespace": {
257+
{
258+
APIGroups: []string{""},
259+
Resources: []string{"services"},
260+
Verbs: []string{"create", "list", "watch"},
261+
}, {
262+
APIGroups: []string{""},
263+
Resources: []string{"services"},
264+
Verbs: []string{"get", "update", "patch", "delete"},
265+
ResourceNames: []string{"some-service"},
266+
},
267+
},
268+
}
269+
270+
for namespace, perms := range namespaceRolePerms {
271+
require.ElementsMatch(t, perms, expected[namespace])
272+
}
273+
}
274+
275+
func Test_GenerateClusterExtensionFinalizerPolicyRule(t *testing.T) {
276+
rule := convert.GenerateClusterExtensionFinalizerPolicyRule("someext")
277+
require.Equal(t, rbacv1.PolicyRule{
278+
APIGroups: []string{"olm.operatorframework.io"},
279+
Resources: []string{"clusterextensions/finalizers"},
280+
Verbs: []string{"update"},
281+
ResourceNames: []string{"someext"},
282+
}, rule)
283+
}
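Review bot: The closing loop in Test_GenerateResourceManagerRolePerms_GeneratesRBACSuccessfully ranges over the returned map (`for namespace, perms := range namespaceRolePerms`), so the test asserts nothing if GenerateResourceManagerRolePerms returns an empty map, and it does not notice a namespace that is missing from the result. For an RBAC generator that is the regression most worth catching, because a dropped namespace would mean no management rules are generated for the resources in it. Add `require.Len(t, namespaceRolePerms, len(expected))` before the loop and range over `expected` instead, comparing with `require.ElementsMatch(t, perms, namespaceRolePerms[namespace])`. Separately, the comments inside `expected` (`// Aggregates operator-controller ClusterRole rules`, `// Adds cluster-scoped resource management rules`) look copied from the cluster-role test; in this test the aggregated rules come from the generated Role and the management rules cover namespaced resources, so the comments should say that.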
