github.com/redhat-appstudio/e2e-tests@v0.0.0-20240520140907-9709f6f59323/pkg/clients/common/rbac.go

github.com/redhat-appstudio/e2e-tests@v0.0.0-20240520140907-9709f6f59323/pkg/clients/common/rbac.go (about)

     1  package common
     2  
     3  import (
     4  	"context"
     5  	"strings"
     6  
     7  	"github.com/redhat-appstudio/e2e-tests/pkg/constants"
     8  	rbacv1 "k8s.io/api/rbac/v1"
     9  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    10  	"k8s.io/apimachinery/pkg/util/wait"
    11  )
    12  
    13  func (s *SuiteController) ListRoles(namespace string) (*rbacv1.RoleList, error) {
    14  	listOptions := metav1.ListOptions{}
    15  	return s.KubeInterface().RbacV1().Roles(namespace).List(context.Background(), listOptions)
    16  }
    17  
    18  func (s *SuiteController) ListRoleBindings(namespace string) (*rbacv1.RoleBindingList, error) {
    19  	listOptions := metav1.ListOptions{}
    20  	return s.KubeInterface().RbacV1().RoleBindings(namespace).List(context.Background(), listOptions)
    21  }
    22  
    23  func (s *SuiteController) GetRole(roleName, namespace string) (*rbacv1.Role, error) {
    24  	return s.KubeInterface().RbacV1().Roles(namespace).Get(context.Background(), roleName, metav1.GetOptions{})
    25  }
    26  
    27  func (s *SuiteController) GetRoleBinding(rolebindingName, namespace string) (*rbacv1.RoleBinding, error) {
    28  	return s.KubeInterface().RbacV1().RoleBindings(namespace).Get(context.Background(), rolebindingName, metav1.GetOptions{})
    29  }
    30  
    31  // argoCDNamespaceRBACPresent returns a condition which waits for the Argo CD role/rolebindings to be set on the namespace.
    32  //   - This Role/RoleBinding allows Argo cd to deploy into the namespace (which is referred to as 'managing the namespace'), and
    33  //     is created by the GitOps Operator.
    34  func (s *SuiteController) argoCDNamespaceRBACPresent(namespace string) wait.ConditionFunc {
    35  	return func() (bool, error) {
    36  		roles, err := s.ListRoles(namespace)
    37  		if err != nil || roles == nil {
    38  			return false, nil
    39  		}
    40  
    41  		// The namespace should contain a 'gitops-service-argocd-' Role
    42  		roleFound := false
    43  		for _, role := range roles.Items {
    44  			if strings.HasPrefix(role.Name, constants.ArgoCDLabelValue+"-") {
    45  				roleFound = true
    46  			}
    47  		}
    48  		if !roleFound {
    49  			return false, nil
    50  		}
    51  
    52  		// The namespace should contain a 'gitops-service-argocd-' RoleBinding
    53  		roleBindingFound := false
    54  		roleBindings, err := s.ListRoleBindings(namespace)
    55  		if err != nil || roleBindings == nil {
    56  			return false, nil
    57  		}
    58  		for _, roleBinding := range roleBindings.Items {
    59  			if strings.HasPrefix(roleBinding.Name, constants.ArgoCDLabelValue+"-") {
    60  				roleBindingFound = true
    61  			}
    62  		}
    63  
    64  		return roleBindingFound, nil
    65  	}
    66  }
    67  
    68  // CreateRole creates a role with the provided name and namespace using the given list of rules
    69  func (s *SuiteController) CreateRole(roleName, namespace string, roleRules map[string][]string) (*rbacv1.Role, error) {
    70  	rules := &rbacv1.PolicyRule{
    71  		APIGroups: roleRules["apiGroupsList"],
    72  		Resources: roleRules["roleResources"],
    73  		Verbs:     roleRules["roleVerbs"],
    74  	}
    75  	role := &rbacv1.Role{
    76  		ObjectMeta: metav1.ObjectMeta{
    77  			Name:      roleName,
    78  			Namespace: namespace,
    79  		},
    80  		Rules: []rbacv1.PolicyRule{
    81  			*rules,
    82  		},
    83  	}
    84  	createdRole, err := s.KubeInterface().RbacV1().Roles(namespace).Create(context.Background(), role, metav1.CreateOptions{})
    85  	if err != nil {
    86  		return nil, err
    87  	}
    88  	return createdRole, nil
    89  }
    90  
    91  // CreateRoleBinding creates an object of Role Binding in namespace with service account provided and role reference api group.
    92  func (s *SuiteController) CreateRoleBinding(roleBindingName, namespace, subjectKind, serviceAccountName, serviceAccountNamespace, roleRefKind, roleRefName, roleRefApiGroup string) (*rbacv1.RoleBinding, error) {
    93  	roleBindingSubjects := []rbacv1.Subject{
    94  		{
    95  			Kind:      subjectKind,
    96  			Name:      serviceAccountName,
    97  			Namespace: serviceAccountNamespace,
    98  		},
    99  	}
   100  
   101  	roleBindingRoleRef := rbacv1.RoleRef{
   102  		Kind:     roleRefKind,
   103  		Name:     roleRefName,
   104  		APIGroup: roleRefApiGroup,
   105  	}
   106  
   107  	roleBinding := &rbacv1.RoleBinding{
   108  		ObjectMeta: metav1.ObjectMeta{
   109  			Name:      roleBindingName,
   110  			Namespace: namespace,
   111  		},
   112  		Subjects: roleBindingSubjects,
   113  		RoleRef:  roleBindingRoleRef,
   114  	}
   115  
   116  	createdRoleBinding, err := s.KubeInterface().RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
   117  	if err != nil {
   118  		return nil, err
   119  	}
   120  	return createdRoleBinding, nil
   121  }