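// Source: github.com/redhat-appstudio/e2e-tests@v0.0.0-20230619105049-9a422b2094d7/tests/spi/link-secret-sa.go

package spi

import (
	"fmt"
	"time"

	"github.com/redhat-appstudio/e2e-tests/pkg/constants"
	"github.com/redhat-appstudio/e2e-tests/pkg/utils"
	"github.com/redhat-appstudio/service-provider-integration-operator/api/v1beta1"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
	"github.com/redhat-appstudio/e2e-tests/pkg/framework"
)

/*
 * Component: spi
 * Description: SVPI-406 Check SA creation and linking to the secret requested by SPIAccessTokenBinding
 *
 * Test Scenario 1: link a secret to an existing service account
 * Test Scenario 2: link a secret to an existing service account as image pull secret
 * Test Scenario 3: link a secret to a managed service account
 * For more details, check ServiceAccountTests in var.go
 *
 * Flow of each test:
 *   1. creates an SPIAccessTokenBinding with a service account associated
 *   2. uploads the token
 *   3. checks that the service account was linked to the secret
 *
 * Credential handling: the spec reads a GitHub token from the environment and
 * an OpenShift bearer token from utils.GetOpenshiftToken. Neither value is
 * passed to a failure message here; keep it that way when adding assertions.
 */

var _ = framework.SPISuiteDescribe(Label("spi-suite", "link-secret-sa"), func() {

	defer GinkgoRecover()

	// Shared by every Describe generated below; each BeforeAll re-initialises them.
	var fw *framework.Framework
	var err error
	var namespace string

	for _, test := range ServiceAccountTests {
		// Per-iteration copy so the closures below do not share the loop variable.
		test := test

		Describe("SVPI-406 - "+test.TestName, Ordered, func() {
			BeforeAll(func() {
				// Initialize the tests controllers
				fw, err = framework.NewFramework(utils.GetGeneratedNamespace("spi-demos"))
				Expect(err).NotTo(HaveOccurred())
				namespace = fw.UserNamespace
				Expect(namespace).NotTo(BeEmpty())

				// collect SPI ResourceQuota metrics (temporary).
				// The first argument was "token-upload-rest-endpoint", which does not match
				// the "link-secret-sa" value passed by AfterAll in this same suite; use one
				// value so the before/after samples are recorded under the same name.
				Expect(fw.AsKubeAdmin.CommonController.GetResourceQuotaInfo("link-secret-sa", namespace, "appstudio-crds-spi")).To(Succeed())
			})

			// Clean up after running these tests and before the next tests block: can't have multiple AccessTokens in Injected phase
			AfterAll(func() {
				// collect SPI ResourceQuota metrics (temporary)
				Expect(fw.AsKubeAdmin.CommonController.GetResourceQuotaInfo("link-secret-sa", namespace, "appstudio-crds-spi")).To(Succeed())

				// NOTE(review): cleanup is skipped when the spec failed, so the bindings,
				// access tokens, uploaded token data and service accounts stay in the
				// namespace. That data was created from a real GitHub token; confirm that
				// namespaces of failed runs are removed by whatever tears down the cluster.
				if CurrentSpecReport().Failed() {
					return
				}
				Expect(fw.AsKubeAdmin.SPIController.DeleteAllBindingTokensInASpecificNamespace(namespace)).To(Succeed())
				Expect(fw.AsKubeAdmin.SPIController.DeleteAllAccessTokensInASpecificNamespace(namespace)).To(Succeed())
				Expect(fw.AsKubeAdmin.SPIController.DeleteAllAccessTokenDataInASpecificNamespace(namespace)).To(Succeed())
				Expect(fw.AsKubeAdmin.CommonController.DeleteAllServiceAccountsInASpecificNamespace(namespace)).To(Succeed())
			})

			var binding *v1beta1.SPIAccessTokenBinding
			secretName := utils.GetGeneratedNamespace("new-secret")
			// Default to a name that has not been created; the first spec replaces it
			// with a pre-created account for the non-managed scenarios.
			nonExistingServiceAccountName := utils.GetGeneratedNamespace("new-service-account")
			serviceAccountName := nonExistingServiceAccountName

			It("creates service account", func() {
				if test.IsManagedServiceAccount {
					// Test Scenario 3: nothing to create up front.
					return
				}
				// Test Scenario 1 and Test Scenario 2 (the service account should exist before the binding)
				existingServiceAccountName := utils.GetGeneratedNamespace("service-account")
				_, err := fw.AsKubeAdmin.CommonController.CreateServiceAccount(existingServiceAccountName, namespace, nil)
				Expect(err).NotTo(HaveOccurred())
				serviceAccountName = existingServiceAccountName
			})

			It("creates SPIAccessTokenBinding with secret linked to a service account", func() {
				binding, err = fw.AsKubeDeveloper.SPIController.CreateSPIAccessTokenBindingWithSA(
					SPIAccessTokenBindingPrefixName,
					namespace,
					serviceAccountName,
					RepoURL,
					secretName,
					test.IsImagePullSecret,
					test.IsManagedServiceAccount)
				Expect(err).NotTo(HaveOccurred())

				binding, err = fw.AsKubeDeveloper.SPIController.GetSPIAccessTokenBinding(binding.Name, namespace)
				Expect(err).NotTo(HaveOccurred())
			})

			// start of upload token
			It("SPITokenBinding to be in AwaitingTokenData phase", func() {
				// NOTE(review): an Expect failure inside a polled func() bool goes straight
				// to the Ginkgo fail handler, so a transient Get error ends the spec instead
				// of being retried; the func(g Gomega) form would retry. Confirm which is
				// intended. The same applies to every Eventually in this file.
				Eventually(func() bool {
					binding, err = fw.AsKubeDeveloper.SPIController.GetSPIAccessTokenBinding(binding.Name, namespace)
					Expect(err).NotTo(HaveOccurred())

					return binding.Status.Phase == v1beta1.SPIAccessTokenBindingPhaseAwaitingTokenData
				}, 1*time.Minute, 5*time.Second).Should(BeTrue(), "SPIAccessTokenBinding is not in AwaitingTokenData phase")
			})

			It("uploads username and token using rest endpoint", func() {
				// the UploadUrl in SPITokenBinding should be available before uploading the token
				Eventually(func() bool {
					binding, err = fw.AsKubeDeveloper.SPIController.GetSPIAccessTokenBinding(binding.Name, namespace)
					Expect(err).NotTo(HaveOccurred())

					return binding.Status.UploadUrl != ""
				}, 1*time.Minute, 10*time.Second).Should(BeTrue(), "uploadUrl not set")

				// linked accessToken token should exist
				linkedAccessTokenName := binding.Status.LinkedAccessTokenName
				Expect(linkedAccessTokenName).NotTo(BeEmpty())

				// get the url to manually upload the token
				uploadURL := binding.Status.UploadUrl
				Expect(uploadURL).NotTo(BeEmpty())

				// Get the token for the current openshift user
				bearerToken, err := utils.GetOpenshiftToken()
				Expect(err).NotTo(HaveOccurred())

				// Fail here, with a message that names only the variable, when no GitHub
				// token is configured; otherwise an empty access_token would be uploaded
				// and the failure would surface later as an unrelated phase timeout.
				githubToken := utils.GetEnv(constants.GITHUB_TOKEN_ENV, "")
				Expect(githubToken).NotTo(BeEmpty(), fmt.Sprintf("environment variable %s is not set", constants.GITHUB_TOKEN_ENV))

				// build and upload the payload using the uploadURL. it should return 204.
				// The payload is assembled by concatenation, so the token is assumed to
				// contain no JSON metacharacters (quotes, backslashes).
				oauthCredentials := `{"access_token":"` + githubToken + `"}`
				statusCode, err := fw.AsKubeDeveloper.SPIController.UploadWithRestEndpoint(uploadURL, oauthCredentials, bearerToken)
				Expect(err).NotTo(HaveOccurred())
				Expect(statusCode).Should(Equal(204))
			})

			It("SPITokenBinding to be in Injected phase", func() {
				Eventually(func() bool {
					binding, err = fw.AsKubeDeveloper.SPIController.GetSPIAccessTokenBinding(binding.Name, namespace)
					Expect(err).NotTo(HaveOccurred())
					return binding.Status.Phase == v1beta1.SPIAccessTokenBindingPhaseInjected
				}, 1*time.Minute, 5*time.Second).Should(BeTrue(), "SPIAccessTokenBinding is not in Injected phase")
			})
			// end of upload token

			It("checks if service account was linked to the secret", func() {
				// get the service account name associated with the binding
				// this is a workaround to get the managed service account name that is generated
				serviceAccountNames := binding.Status.ServiceAccountNames
				Expect(serviceAccountNames).NotTo(BeEmpty())
				saName := serviceAccountNames[0]

				// One poll loop for all scenarios: only the list that is searched differs.
				Eventually(func() bool {
					sa, err := fw.AsKubeDeveloper.CommonController.GetServiceAccount(saName, namespace)
					Expect(err).NotTo(HaveOccurred())

					if test.IsImagePullSecret {
						// Test Scenario 2
						for _, secret := range sa.ImagePullSecrets {
							if secret.Name == secretName {
								return true
							}
						}
						return false
					}

					// Test Scenario 1 and 3
					for _, secret := range sa.Secrets {
						if secret.Name == secretName {
							return true
						}
					}
					return false
				}, 1*time.Minute, 5*time.Second).Should(BeTrue(), fmt.Sprintf("The secret %s is not linked to the service account %s", secretName, saName))
			})
		})
	}
})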