github.com/redhat-appstudio/e2e-tests@v0.0.0-20230619105049-9a422b2094d7/pkg/utils/common/rbac.go (about)

     1  package common
     2  
     3  import (
     4  	"context"
     5  	"strings"
     6  
     7  	"github.com/redhat-appstudio/e2e-tests/pkg/constants"
     8  	rbacv1 "k8s.io/api/rbac/v1"
     9  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    10  	"k8s.io/apimachinery/pkg/util/wait"
    11  )
    12  
// ListRoles returns every Role found in the given namespace.
//
// The list is unfiltered (empty ListOptions) and the request is issued with
// context.TODO(), so this helper adds no deadline or cancellation of its own.
func (s *SuiteController) ListRoles(namespace string) (*rbacv1.RoleList, error) {
	roleClient := s.KubeInterface().RbacV1().Roles(namespace)
	return roleClient.List(context.TODO(), metav1.ListOptions{})
}
    17  
// ListRoleBindings returns every RoleBinding found in the given namespace.
//
// The list is unfiltered (empty ListOptions) and the request is issued with
// context.TODO(), so this helper adds no deadline or cancellation of its own.
func (s *SuiteController) ListRoleBindings(namespace string) (*rbacv1.RoleBindingList, error) {
	bindingClient := s.KubeInterface().RbacV1().RoleBindings(namespace)
	return bindingClient.List(context.TODO(), metav1.ListOptions{})
}
    23  
// GetRole fetches the Role called roleName from namespace.
// The API client's result and error are returned unchanged.
func (s *SuiteController) GetRole(roleName, namespace string) (*rbacv1.Role, error) {
	roleClient := s.KubeInterface().RbacV1().Roles(namespace)
	return roleClient.Get(context.TODO(), roleName, metav1.GetOptions{})
}
    27  
// GetRoleBinding fetches the RoleBinding called rolebindingName from namespace.
// The API client's result and error are returned unchanged.
func (s *SuiteController) GetRoleBinding(rolebindingName, namespace string) (*rbacv1.RoleBinding, error) {
	bindingClient := s.KubeInterface().RbacV1().RoleBindings(namespace)
	return bindingClient.Get(context.TODO(), rolebindingName, metav1.GetOptions{})
}
    31  
// argoCDNamespaceRBACPresent builds a wait.ConditionFunc that reports true once
// the namespace holds both a Role and a RoleBinding whose names start with
// constants.ArgoCDLabelValue followed by "-".
//   - This Role/RoleBinding pair is what allows Argo CD to deploy into the
//     namespace ('managing the namespace'); it is created by the GitOps Operator.
//
// Caveats for anyone relying on this as an RBAC check:
//   - List errors are swallowed (the condition returns false with a nil error),
//     so a persistent failure such as the test identity not being allowed to
//     list RBAC objects looks the same as "not created yet" and only shows up
//     when whatever polls this condition gives up.
//   - Matching is by name prefix only. Rules, subjects and roleRef are never
//     inspected, so this confirms presence, not what the objects grant or to whom.
func (s *SuiteController) argoCDNamespaceRBACPresent(namespace string) wait.ConditionFunc {
	return func() (bool, error) {
		// Per the original comment, this is the 'gitops-service-argocd-' prefix.
		wantPrefix := constants.ArgoCDLabelValue + "-"

		// Step 1: a Role with the expected prefix must exist.
		roleList, err := s.ListRoles(namespace)
		if err != nil || roleList == nil {
			return false, nil
		}
		hasRole := false
		for i := range roleList.Items {
			if strings.HasPrefix(roleList.Items[i].Name, wantPrefix) {
				hasRole = true
				break
			}
		}
		if !hasRole {
			return false, nil
		}

		// Step 2: a RoleBinding with the expected prefix must exist as well.
		// RoleBindings are only listed once the Role has been seen.
		bindingList, err := s.ListRoleBindings(namespace)
		if err != nil || bindingList == nil {
			return false, nil
		}
		for i := range bindingList.Items {
			if strings.HasPrefix(bindingList.Items[i].Name, wantPrefix) {
				return true, nil
			}
		}
		return false, nil
	}
}
    68  
// CreateRole creates a Role named roleName in namespace holding a single
// PolicyRule assembled from roleRules.
//
// roleRules is read under three keys: "apiGroupsList" (API groups),
// "roleResources" (resources) and "roleVerbs" (verbs). A key that is absent
// leaves the matching PolicyRule field nil.
//
// The values are handed to the API server as given: nothing here validates or
// narrows them, so broad entries such as "*" are accepted unchanged. Callers
// are responsible for keeping the rule to the least privilege the test needs.
//
// On failure the result is nil and the client's error is returned unchanged.
func (s *SuiteController) CreateRole(roleName, namespace string, roleRules map[string][]string) (*rbacv1.Role, error) {
	desired := &rbacv1.Role{
		ObjectMeta: metav1.ObjectMeta{
			Name:      roleName,
			Namespace: namespace,
		},
		Rules: []rbacv1.PolicyRule{
			{
				APIGroups: roleRules["apiGroupsList"],
				Resources: roleRules["roleResources"],
				Verbs:     roleRules["roleVerbs"],
			},
		},
	}

	roleClient := s.KubeInterface().RbacV1().Roles(namespace)
	created, err := roleClient.Create(context.TODO(), desired, metav1.CreateOptions{})
	if err != nil {
		// Return an explicit nil rather than whatever the client handed back.
		return nil, err
	}
	return created, nil
}
    91  
// CreateRoleBinding creates a RoleBinding named roleBindingName in namespace.
// It binds one subject (subjectKind / serviceAccountName) to the role
// identified by roleRefKind, roleRefName and roleRefApiGroup.
//
// The subject's Namespace is always set to namespace, whatever subjectKind is.
// NOTE(review): the parameter name suggests callers pass a ServiceAccount;
// confirm no caller passes a non-namespaced kind, for which a namespace on
// the subject is not expected.
//
// Nothing here restricts the role reference: any kind and name the caller
// supplies is bound as-is, so the grant is exactly as wide as the referenced
// role. Callers should reference the narrowest role that serves the test.
//
// On failure the result is nil and the client's error is returned unchanged.
func (s *SuiteController) CreateRoleBinding(roleBindingName, namespace, subjectKind, serviceAccountName, roleRefKind, roleRefName, roleRefApiGroup string) (*rbacv1.RoleBinding, error) {
	desired := &rbacv1.RoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name:      roleBindingName,
			Namespace: namespace,
		},
		Subjects: []rbacv1.Subject{
			{
				Kind:      subjectKind,
				Name:      serviceAccountName,
				Namespace: namespace,
			},
		},
		RoleRef: rbacv1.RoleRef{
			Kind:     roleRefKind,
			Name:     roleRefName,
			APIGroup: roleRefApiGroup,
		},
	}

	bindingClient := s.KubeInterface().RbacV1().RoleBindings(namespace)
	created, err := bindingClient.Create(context.TODO(), desired, metav1.CreateOptions{})
	if err != nil {
		// Return an explicit nil rather than whatever the client handed back.
		return nil, err
	}
	return created, nil
}