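// Source: github.com/mponton/terratest@v0.44.0/modules/k8s/service_account_test.go

//go:build kubeall || kubernetes
// +build kubeall kubernetes

// NOTE: we have build tags to differentiate kubernetes tests from non-kubernetes tests. This is done because minikube
// is heavy and can interfere with docker related tests in terratest. Specifically, many of the tests start to fail with
// `connection refused` errors from `minikube`. To avoid overloading the system, we run the kubernetes tests and helm
// tests separately from the others. This may not be necessary if you have a sufficiently powerful machine. We
// recommend at least 4 cores and 16GB of RAM if you want to run all the tests together.

package k8s

import (
	"fmt"
	"os"
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
	authv1 "k8s.io/api/authorization/v1"

	"github.com/mponton/terratest/modules/random"
)

// TestGetServiceAccountWithAuthTokenGetsTokenThatCanBeUsedForAuth creates a service account in a fresh namespace,
// fetches its auth token, registers that token as a context in a private copy of the kubeconfig, and then issues a
// self subject access review through that context.
func TestGetServiceAccountWithAuthTokenGetsTokenThatCanBeUsedForAuth(t *testing.T) {
	t.Parallel()

	// Work on a private copy of the kubeconfig so the context added below never touches the user's real config.
	tmpConfigPath := CopyHomeKubeConfigToTemp(t)
	defer func() {
		// The copy receives the service account token further down, so do not leave it behind in the temp
		// directory. Best-effort: a failed removal must not mask the test result. Registered first so that it
		// runs last, after the namespace cleanup that still needs the file.
		_ = os.Remove(tmpConfigPath)
	}()

	// Create a new namespace to work in
	namespaceName := strings.ToLower(random.UniqueId())

	options := NewKubectlOptions("", tmpConfigPath, namespaceName)

	CreateNamespace(t, options, namespaceName)
	defer DeleteNamespace(t, options, namespaceName)

	// Create service account
	serviceAccountName := strings.ToLower(random.UniqueId())
	CreateServiceAccount(t, options, serviceAccountName)
	token := GetServiceAccountAuthToken(t, options, serviceAccountName)
	require.NoError(t, AddConfigContextForServiceAccountE(t, options, serviceAccountName, serviceAccountName, token))

	// Now validate auth as service account. This is a bit tricky because we don't have an API endpoint in k8s that
	// tells you who you are, so we will rely on the self subject access review and see if we have access to the
	// kube-system namespace.
	//
	// The service account was just created and this test grants it nothing, so the review is expected to deny the
	// action; an "allowed" answer would suggest the request ran under the kubeconfig's original identity instead.
	// NOTE(review): this asserts only the denial. Confirm that CanIDo fails the test when the review request itself
	// is rejected (for example, an unusable token); otherwise a broken token would also satisfy this check.
	serviceAccountOptions := NewKubectlOptions(serviceAccountName, tmpConfigPath, namespaceName)
	action := authv1.ResourceAttributes{
		Namespace: "kube-system",
		Verb:      "list",
		Resource:  "pod",
	}
	require.False(t, CanIDo(t, serviceAccountOptions, action))
}

// TestGetServiceAccountEReturnsErrorForNonExistantServiceAccount checks that GetServiceAccountE returns an error when
// asked for a service account that is not present. It relies on the "default" namespace of the target cluster having
// no service account named "terratest"; the other tests in this file create that name only in uniquely named
// namespaces.
func TestGetServiceAccountEReturnsErrorForNonExistantServiceAccount(t *testing.T) {
	t.Parallel()

	options := NewKubectlOptions("", "", "default")
	_, err := GetServiceAccountE(t, options, "terratest")
	require.Error(t, err)
}

// TestGetServiceAccountEReturnsCorrectServiceAccountInCorrectNamespace applies a manifest containing a uniquely named
// namespace plus a "terratest" service account inside it, then checks that GetServiceAccount returns an object with
// that name and namespace.
func TestGetServiceAccountEReturnsCorrectServiceAccountInCorrectNamespace(t *testing.T) {
	t.Parallel()

	uniqueID := strings.ToLower(random.UniqueId())
	options := NewKubectlOptions("", "", uniqueID)
	configData := fmt.Sprintf(EXAMPLE_SERVICEACCOUNT_YAML_TEMPLATE, uniqueID, uniqueID)
	// Register the cleanup before applying so it is already in place if the apply aborts the test.
	defer KubectlDeleteFromString(t, options, configData)
	KubectlApplyFromString(t, options, configData)

	serviceAccount := GetServiceAccount(t, options, "terratest")
	// testify takes (expected, actual); keeping that order makes failure output label the values correctly.
	require.Equal(t, "terratest", serviceAccount.Name)
	require.Equal(t, uniqueID, serviceAccount.Namespace)
}

// TestCreateServiceAccountECreatesServiceAccountInNamespaceWithGivenName creates a "terratest" service account through
// CreateServiceAccount in a fresh namespace and checks the name and namespace of the object read back with
// GetServiceAccount.
func TestCreateServiceAccountECreatesServiceAccountInNamespaceWithGivenName(t *testing.T) {
	t.Parallel()

	uniqueID := strings.ToLower(random.UniqueId())
	options := NewKubectlOptions("", "", uniqueID)
	defer DeleteNamespace(t, options, options.Namespace)
	CreateNamespace(t, options, options.Namespace)

	// Note: We don't need to delete this at the end of test, because deleting the namespace automatically deletes
	// everything created in the namespace.
	CreateServiceAccount(t, options, "terratest")
	serviceAccount := GetServiceAccount(t, options, "terratest")
	// testify takes (expected, actual); keeping that order makes failure output label the values correctly.
	require.Equal(t, "terratest", serviceAccount.Name)
	require.Equal(t, uniqueID, serviceAccount.Namespace)
}

// EXAMPLE_SERVICEACCOUNT_YAML_TEMPLATE is a two-document manifest: a Namespace and a ServiceAccount named "terratest"
// inside it. Both %s verbs take the namespace name.
const EXAMPLE_SERVICEACCOUNT_YAML_TEMPLATE = `---
apiVersion: v1
kind: Namespace
metadata:
  name: %s
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: terratest
  namespace: %s
`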