From 53e329f981c8339403b4ee60b470560326140f0e Mon Sep 17 00:00:00 2001 From: OZGCloud <ozgcloud@mgm-tp.com> Date: Mon, 19 Aug 2024 17:47:51 +0200 Subject: [PATCH] OZG-6247 solve comments --- elster-transfer/templates/_helpers.tpl | 3 + ...nsfer_operator_configmap_create_role.yaml} | 10 +- ...transfer_operator_configmap_read_role.yaml | 3 +- ...ansfer_operator_configmap_update_role.yaml | 51 ++++++++ ...ransfer_operator_deployment_read_role.yaml | 2 +- ...ansfer_operator_deployment_write_role.yaml | 2 +- ...r_operator_configmap_create_role_test.yaml | 121 ++++++++++++++++++ ...fer_operator_configmap_read_role_test.yaml | 6 +- ..._operator_configmap_update_role_test.yaml} | 15 +-- ...er_operator_deployment_read_role_test.yaml | 4 - ...r_operator_deployment_write_role_test.yaml | 5 +- 11 files changed, 193 insertions(+), 29 deletions(-) rename elster-transfer/templates/{ozgcloud_elstertransfer_operator_configmap_write_role.yaml => ozgcloud_elstertransfer_operator_configmap_create_role.yaml} (80%) create mode 100644 elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml create mode 100644 elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml rename elster-transfer/unit-tests/{ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml => ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml} (88%) diff --git a/elster-transfer/templates/_helpers.tpl b/elster-transfer/templates/_helpers.tpl index d9a5ac7..3f8f650 100644 --- a/elster-transfer/templates/_helpers.tpl +++ b/elster-transfer/templates/_helpers.tpl @@ -63,3 +63,6 @@ app.kubernetes.io/namespace: {{ .Release.Namespace }} {{- end -}} +{{- define "app.elsterTransferOperatorNamespace" -}} +{{- required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace -}} +{{- end -}} \ No newline at end of file 
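Review bot: The new `app.elsterTransferOperatorNamespace` helper returns the raw value, and every RoleBinding touched by this patch emits it as a bare scalar (`namespace: {{ include "app.elsterTransferOperatorNamespace" . }}`), so a namespace name made only of digits would render as a YAML integer rather than a string. Piping the call sites through `quote`, as in `namespace: {{ include "app.elsterTransferOperatorNamespace" . | quote }}`, keeps the subject namespace a string whatever the value looks like. The helper also has no doc comment; `{{/* Namespace of the operator's ServiceAccount; rendering fails when elsterTransferOperator.namespace is unset. */}}` above the `define` would record what the `required` call enforces.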
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml similarity index 80% rename from elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml rename to elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml index 90f2e16..a80c872 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml @@ -26,25 +26,25 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ozgcloud-elster-transfer-operator-configmap-write-role-binding + name: ozgcloud-elster-transfer-operator-configmap-create-role-binding namespace: {{ include "app.namespace" . }} subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role - name: ozgcloud-elster-transfer-operator-configmap-write-role + name: ozgcloud-elster-transfer-operator-configmap-create-role apiGroup: rbac.authorization.k8s.io --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ozgcloud-elster-transfer-operator-configmap-write-role + name: ozgcloud-elster-transfer-operator-configmap-create-role namespace: {{ include "app.namespace" . }} rules: - apiGroups: [""] resources: ["configmaps"] - verbs: ["create", "update", "patch"] + verbs: ["create"] {{- end -}} \ No newline at end of file diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml index c80d279..51833bd 100644 
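Review bot: With `verbs: ["create"]` and no `resourceNames`, this Role lets the operator's service account create a ConfigMap of any name in the release namespace, while the read and update Roles in this patch are pinned to `etr-user-config`. Kubernetes RBAC cannot restrict `create` by resource name, so splitting the old write Role this way is the right shape, but the rule should say so in a comment, e.g. `# create cannot be limited by resourceNames; get/update/patch are pinned to etr-user-config in the sibling Roles`. If creating arbitrarily named ConfigMaps in this namespace matters for the deployment, that has to be constrained outside RBAC (an admission policy), which nothing in this chart shows.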
--- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_read_role.yaml @@ -31,7 +31,7 @@ metadata: subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role name: ozgcloud-elster-transfer-operator-configmap-read-role @@ -47,4 +47,5 @@ rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "list"] + resourceNames: ["etr-user-config"] {{- end -}} \ No newline at end of file diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml new file mode 100644 index 0000000..70b5d99 --- /dev/null +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml 
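Review bot: Adding `resourceNames: ["etr-user-config"]` to a rule that also grants `list` (second hunk of the read Role) changes what `list` authorizes: Kubernetes only honours a name-restricted `list` when the request carries a matching `metadata.name` field selector, so a plain list of ConfigMaps in the namespace will be denied after this change. If the operator only fetches this one ConfigMap, `verbs: ["get"]` states the grant exactly and removes the ambiguity. If it does list, the client needs the field selector or the chart needs a separate, deliberately unrestricted `list` rule. The operator code is not part of this patch, so which case applies needs confirming before merge.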
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den
+# Ministerpräsidenten des Landes Schleswig-Holstein
+# Staatskanzlei
+# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung
+#
+# Lizenziert unter der EUPL, Version 1.2 oder - sobald
+# diese von der Europäischen Kommission genehmigt wurden -
+# Folgeversionen der EUPL ("Lizenz");
+# Sie dürfen dieses Werk ausschließlich gemäß
+# dieser Lizenz nutzen.
+# Eine Kopie der Lizenz finden Sie hier:
+#
+# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+#
+# Sofern nicht durch anwendbare Rechtsvorschriften
+# gefordert oder in schriftlicher Form vereinbart, wird
+# die unter der Lizenz verbreitete Software "so wie sie
+# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN -
+# ausdrücklich oder stillschweigend - verbreitet.
+# Die sprachspezifischen Genehmigungen und Beschränkungen
+# unter der Lizenz sind dem Lizenztext zu entnehmen.
+#
+{{- if (.Values.userAuthentication).enabled }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ozgcloud-elster-transfer-operator-configmap-update-role-binding
+ namespace: {{ include "app.namespace" . }}
+subjects:
+ - kind: ServiceAccount
+ name: ozgcloud-elster-transfer-operator-service-account
+ namespace: {{ include "app.elsterTransferOperatorNamespace" . }}
+roleRef:
+ kind: Role
+ name: ozgcloud-elster-transfer-operator-configmap-update-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ozgcloud-elster-transfer-operator-configmap-update-role
+ namespace: {{ include "app.namespace" . }}
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["update", "patch"]
+ resourceNames: ["etr-user-config"]
+{{- end -}}
\ No newline at end of file
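Review bot: The ConfigMap name `etr-user-config` is hard-coded in this Role's `resourceNames`, and the same literal is repeated in the read Role and in both unit tests of this patch. If the operator's ConfigMap is ever renamed, these rules simply stop matching and the mismatch surfaces only as authorization failures at runtime. The patch already centralizes the operator namespace in `_helpers.tpl`; defining the ConfigMap name the same way (one named template, or a chart value with this default) would keep the two Roles in step. A comment above the rule such as `# update/patch limited to the single operator-managed user config` would also record why the name restriction is there.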
diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml index 0635bae..b457a2c 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_read_role.yaml @@ -30,7 +30,7 @@ metadata: subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role name: ozgcloud-elster-transfer-operator-deployment-read-role diff --git a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml index 6cf9b44..211e5ca 100644 --- a/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml +++ b/elster-transfer/templates/ozgcloud_elstertransfer_operator_deployment_write_role.yaml @@ -30,7 +30,7 @@ metadata: subjects: - kind: ServiceAccount name: ozgcloud-elster-transfer-operator-service-account - namespace: {{ required "elsterTransferOperator.namespace must be set" (.Values.elsterTransferOperator).namespace }} + namespace: {{ include "app.elsterTransferOperatorNamespace" . }} roleRef: kind: Role name: ozgcloud-elster-transfer-operator-deployment-write-role diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml new file mode 100644 index 0000000..c62c3e8 --- /dev/null +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml 
@@ -0,0 +1,121 @@ +# +# Copyright (C) 2022 Das Land Schleswig-Holstein vertreten durch den +# Ministerpräsidenten des Landes Schleswig-Holstein +# Staatskanzlei +# Abteilung Digitalisierung und zentrales IT-Management der Landesregierung +# +# Lizenziert unter der EUPL, Version 1.2 oder - sobald +# diese von der Europäischen Kommission genehmigt wurden - +# Folgeversionen der EUPL ("Lizenz"); +# Sie dürfen dieses Werk ausschließlich gemäß +# dieser Lizenz nutzen. +# Eine Kopie der Lizenz finden Sie hier: +# +# https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12 +# +# Sofern nicht durch anwendbare Rechtsvorschriften +# gefordert oder in schriftlicher Form vereinbart, wird +# die unter der Lizenz verbreitete Software "so wie sie +# ist", OHNE JEGLICHE GEWÄHRLEISTUNG ODER BEDINGUNGEN - +# ausdrücklich oder stillschweigend - verbreitet. +# Die sprachspezifischen Genehmigungen und Beschränkungen +# unter der Lizenz sind dem Lizenztext zu entnehmen. +# + +suite: ElsterTransfer read rbac test +release: + name: elstertransfer + namespace: test-namespace +set: +templates: + - templates/ozgcloud_elstertransfer_operator_configmap_create_role.yaml +tests: + - it: test RoleBinding metadata + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - isKind: + of: RoleBinding + documentIndex: 0 + - isAPIVersion: + of: rbac.authorization.k8s.io/v1 + - equal: + path: metadata.name + value: ozgcloud-elster-transfer-operator-configmap-create-role-binding + documentIndex: 0 + - it: test RoleBinding subject + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - contains: + path: subjects + content: + kind: ServiceAccount + name: ozgcloud-elster-transfer-operator-service-account + namespace: etr-operator + documentIndex: 0 + - it: test RoleBinding roleRef + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - 
equal: + path: roleRef + value: + kind: Role + name: ozgcloud-elster-transfer-operator-configmap-create-role + apiGroup: rbac.authorization.k8s.io + documentIndex: 0 + + - it: test Role metadata + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - isKind: + of: Role + documentIndex: 1 + - isAPIVersion: + of: rbac.authorization.k8s.io/v1 + - equal: + path: metadata.name + value: ozgcloud-elster-transfer-operator-configmap-create-role + documentIndex: 1 + - it: test RoleBinding rules + set: + userAuthentication: + enabled: true + elsterTransferOperator: + namespace: etr-operator + asserts: + - contains: + path: rules + content: + apiGroups: + - "" + resources: + - configmaps + verbs: + - create + documentIndex: 1 + - it: RBAC not created by default + asserts: + - hasDocuments: + count: 0 + - it: test elsterTransferOperator.namespace must be set message + set: + userAuthentication: + enabled: true + asserts: + - failedTemplate: + errorMessage: elsterTransferOperator.namespace must be set \ No newline at end of file diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml index 77b266d..7b01f30 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_read_role_test.yaml @@ -108,15 +108,13 @@ tests: verbs: - get - list + resourceNames: + - "etr-user-config" documentIndex: 1 - it: RBAC not created by default asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 - it: test elsterTransferOperator.namespace must be set message set: userAuthentication: 
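Review bot: In the new `ozgcloud_elstertransfer_operator_configmap_create_role_test.yaml`, the rules test uses `contains`, which passes as long as one matching rule is present, so a second, broader rule added to the Role later would not fail it. For an RBAC template it is safer to pin the whole list, either with `equal` on `path: rules` or by adding a `lengthEqual` assertion with `path: rules` and `count: 1` next to the existing one. Two labels look left over from another test file: `suite: ElsterTransfer read rbac test` should name the create Role, and `it: test RoleBinding rules` checks the Role at `documentIndex: 1`, not the RoleBinding. The bare top-level `set:` is an empty value and can be dropped.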
diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml similarity index 88% rename from elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml rename to elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml index 1bfb372..d307c0b 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_write_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_configmap_update_role_test.yaml @@ -28,7 +28,7 @@ release: namespace: test-namespace set: templates: - - templates/ozgcloud_elstertransfer_operator_configmap_write_role.yaml + - templates/ozgcloud_elstertransfer_operator_configmap_update_role.yaml tests: - it: test RoleBinding metadata set: @@ -44,7 +44,7 @@ tests: of: rbac.authorization.k8s.io/v1 - equal: path: metadata.name - value: ozgcloud-elster-transfer-operator-configmap-write-role-binding + value: ozgcloud-elster-transfer-operator-configmap-update-role-binding documentIndex: 0 - it: test RoleBinding subject set: @@ -71,7 +71,7 @@ tests: path: roleRef value: kind: Role - name: ozgcloud-elster-transfer-operator-configmap-write-role + name: ozgcloud-elster-transfer-operator-configmap-update-role apiGroup: rbac.authorization.k8s.io documentIndex: 0 @@ -89,7 +89,7 @@ tests: of: rbac.authorization.k8s.io/v1 - equal: path: metadata.name - value: ozgcloud-elster-transfer-operator-configmap-write-role + value: ozgcloud-elster-transfer-operator-configmap-update-role documentIndex: 1 - it: test RoleBinding rules set: 
@@ -106,18 +106,15 @@ tests: resources: - configmaps verbs: - - create - update - patch + resourceNames: + - etr-user-config documentIndex: 1 - it: RBAC not created by default asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 - it: test elsterTransferOperator.namespace must be set message set: userAuthentication: diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml index 06b4a6b..53172b9 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_read_role_test.yaml @@ -115,10 +115,6 @@ tests: asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 - it: test elsterTransferOperator.namespace must be set message set: diff --git a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml index d4637a0..340d39b 100644 --- a/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml +++ b/elster-transfer/unit-tests/ozgcloud_elstertransfer_operator_deployment_write_role_test.yaml @@ -115,10 +115,7 @@ tests: asserts: - hasDocuments: count: 0 - documentIndex: 1 - - hasDocuments: - count: 0 - documentIndex: 0 + - it: test elsterTransferOperator.namespace must be set message set: -- GitLab