Run helper Pods with service accounts. (#503)

* Run helper Pods with service accounts. * Add service account to authentication test sts
stackabletech · Nov 20, 2023 · bde81e4 · bde81e4
1 parent 4c85a1b
commit bde81e4
Show file tree

Hide file tree

Showing 9 changed files with 123 additions and 1 deletion.
diff --git a/tests/templates/kuttl/authentication/00-rbac.yaml.j2 b/tests/templates/kuttl/authentication/00-rbac.yaml.j2
@@ -0,0 +1,29 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+rules:
+{% if test_scenario['values']['openshift'] == "true" %}
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["privileged"]
+    verbs: ["use"]
+{% endif %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: integration-tests-sa
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+subjects:
+  - kind: ServiceAccount
+    name: integration-tests-sa
+roleRef:
+  kind: Role
+  name: use-integration-tests-scc
+  apiGroup: rbac.authorization.k8s.io
diff --git a/tests/templates/kuttl/authentication/03-install-test-trino.yaml b/tests/templates/kuttl/authentication/03-install-test-trino.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         app: test-trino
     spec:
+      serviceAccount: integration-tests-sa
       containers:
         - name: test-trino
           image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev

diff --git a/tests/templates/kuttl/logging/00-rbac.yaml.j2 b/tests/templates/kuttl/logging/00-rbac.yaml.j2
@@ -0,0 +1,29 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+rules:
+{% if test_scenario['values']['openshift'] == "true" %}
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["privileged"]
+    verbs: ["use"]
+{% endif %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: integration-tests-sa
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+subjects:
+  - kind: ServiceAccount
+    name: integration-tests-sa
+roleRef:
+  kind: Role
+  name: use-integration-tests-scc
+  apiGroup: rbac.authorization.k8s.io
diff --git a/tests/templates/kuttl/logging/03-install-trino-test-runner.yaml b/tests/templates/kuttl/logging/03-install-trino-test-runner.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         app: trino-test-runner
     spec:
+      serviceAccount: integration-tests-sa
       containers:
         - name: trino-test-runner
           image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev

diff --git a/tests/templates/kuttl/smoke/00-rbac.yaml.j2 b/tests/templates/kuttl/smoke/00-rbac.yaml.j2
@@ -0,0 +1,29 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+rules:
+{% if test_scenario['values']['openshift'] == "true" %}
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["privileged"]
+    verbs: ["use"]
+{% endif %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: integration-tests-sa
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+subjects:
+  - kind: ServiceAccount
+    name: integration-tests-sa
+roleRef:
+  kind: Role
+  name: use-integration-tests-scc
+  apiGroup: rbac.authorization.k8s.io
diff --git a/tests/templates/kuttl/smoke/20-install-check.yaml b/tests/templates/kuttl/smoke/20-install-check.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         app: trino-test-helper
     spec:
+      serviceAccount: integration-tests-sa
       containers:
         - name: trino-test-helper
           image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev

diff --git a/tests/templates/kuttl/tls/00-rbac.yaml.j2 b/tests/templates/kuttl/tls/00-rbac.yaml.j2
@@ -0,0 +1,29 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+rules:
+{% if test_scenario['values']['openshift'] == "true" %}
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["privileged"]
+    verbs: ["use"]
+{% endif %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: integration-tests-sa
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+subjects:
+  - kind: ServiceAccount
+    name: integration-tests-sa
+roleRef:
+  kind: Role
+  name: use-integration-tests-scc
+  apiGroup: rbac.authorization.k8s.io
diff --git a/tests/templates/kuttl/tls/20-install-check.yaml.j2 b/tests/templates/kuttl/tls/20-install-check.yaml.j2
@@ -15,6 +15,7 @@ spec:
       labels:
         app: trino-test-helper
     spec:
+      serviceAccount: integration-tests-sa
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
@@ -41,4 +42,4 @@ spec:
                   requests:
                     storage: "1"
                 storageClassName: secrets.stackable.tech
-{% endif %}
+{% endif %}
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
@@ -69,6 +69,7 @@ tests:
       - use-authentication
       - use-tls
       - use-internal-tls
+      - openshift
   - name: resources
     dimensions:
       - trino-latest
@@ -83,6 +84,7 @@ tests:
   - name: logging
     dimensions:
       - trino
+      - openshift
   - name: cluster-operation
     dimensions:
       - trino-latest