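// Source: github.com/terraform-modules-krish/terratest@v0.29.0/modules/k8s/service_account_test.go

// +build kubeall kubernetes

// NOTE: we have build tags to differentiate kubernetes tests from non-kubernetes tests. This is done because minikube
// is heavy and can interfere with docker related tests in terratest. Specifically, many of the tests start to fail with
// `connection refused` errors from `minikube`. To avoid overloading the system, we run the kubernetes tests and helm
// tests separately from the others. This may not be necessary if you have a sufficiently powerful machine. We
// recommend at least 4 cores and 16GB of RAM if you want to run all the tests together.

package k8s

import (
	"fmt"
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
	authv1 "k8s.io/api/authorization/v1"

	"github.com/terraform-modules-krish/terratest/modules/random"
)

// TestGetServiceAccountWithAuthTokenGetsTokenThatCanBeUsedForAuth creates a service account in a fresh namespace,
// fetches its auth token, adds a kubeconfig context for that account and token, and then checks through that context
// that the account is not allowed to list pods in kube-system.
func TestGetServiceAccountWithAuthTokenGetsTokenThatCanBeUsedForAuth(t *testing.T) {
	t.Parallel()

	// Make a copy of kubeconfig to namespace it.
	// NOTE(review): the copy holds whatever credentials the home kubeconfig holds, plus the service account token
	// added below, and nothing in this test removes the file. Confirm whether CopyHomeKubeConfigToTemp arranges
	// cleanup; if it does not, the file should be deleted when the test ends.
	tmpConfigPath := CopyHomeKubeConfigToTemp(t)

	// Create a new namespace to work in.
	namespaceName := strings.ToLower(random.UniqueId())

	options := NewKubectlOptions("", tmpConfigPath, namespaceName)

	CreateNamespace(t, options, namespaceName)
	defer DeleteNamespace(t, options, namespaceName)

	// Create the service account and register a context that authenticates with its token.
	serviceAccountName := strings.ToLower(random.UniqueId())
	CreateServiceAccount(t, options, serviceAccountName)
	token := GetServiceAccountAuthToken(t, options, serviceAccountName)
	require.NoError(t, AddConfigContextForServiceAccountE(t, options, serviceAccountName, serviceAccountName, token))

	// Now validate auth as service account. This is a bit tricky because we don't have an API endpoint in k8s that
	// tells you who you are, so we will rely on the self subject access review and see if we have access to the
	// kube-system namespace.
	//
	// The expected answer is "not allowed", so the check only holds on a cluster whose authorizer denies by default
	// (RBAC); an allow-all authorizer would make it fail. Presumably CanIDo fails the test on an API error, so a
	// rejected token is not mistaken for a denied request; confirm against CanIDo.
	//
	// Access reviews match on the API resource name, which is plural. The singular "pod" names no resource and is
	// denied for every identity without a wildcard grant, which would make the assertion pass trivially.
	serviceAccountOptions := NewKubectlOptions(serviceAccountName, tmpConfigPath, namespaceName)
	action := authv1.ResourceAttributes{
		Namespace: "kube-system",
		Verb:      "list",
		Resource:  "pods",
	}
	require.False(t, CanIDo(t, serviceAccountOptions, action))
}

// TestGetServiceAccountEReturnsErrorForNonExistantServiceAccount checks that looking up the service account
// "terratest" in the "default" namespace returns an error. It assumes no such account exists there.
func TestGetServiceAccountEReturnsErrorForNonExistantServiceAccount(t *testing.T) {
	t.Parallel()

	options := NewKubectlOptions("", "", "default")
	_, err := GetServiceAccountE(t, options, "terratest")
	require.Error(t, err)
}

// TestGetServiceAccountEReturnsCorrectServiceAccountInCorrectNamespace applies the example manifest with a unique
// namespace name and checks that the service account read back has the expected name and namespace.
func TestGetServiceAccountEReturnsCorrectServiceAccountInCorrectNamespace(t *testing.T) {
	t.Parallel()

	uniqueID := strings.ToLower(random.UniqueId())
	options := NewKubectlOptions("", "", uniqueID)
	configData := fmt.Sprintf(EXAMPLE_SERVICEACCOUNT_YAML_TEMPLATE, uniqueID, uniqueID)
	// Register the delete before applying so it still runs if a later step fails the test.
	defer KubectlDeleteFromString(t, options, configData)
	KubectlApplyFromString(t, options, configData)

	serviceAccount := GetServiceAccount(t, options, "terratest")
	// testify takes the expected value first; this keeps failure messages labelled correctly.
	require.Equal(t, "terratest", serviceAccount.Name)
	require.Equal(t, uniqueID, serviceAccount.Namespace)
}

// TestCreateServiceAccountECreatesServiceAccountInNamespaceWithGivenName creates a service account named "terratest"
// in a fresh namespace and checks that the account read back has that name and namespace.
func TestCreateServiceAccountECreatesServiceAccountInNamespaceWithGivenName(t *testing.T) {
	t.Parallel()

	uniqueID := strings.ToLower(random.UniqueId())
	options := NewKubectlOptions("", "", uniqueID)
	defer DeleteNamespace(t, options, options.Namespace)
	CreateNamespace(t, options, options.Namespace)

	// Note: We don't need to delete this at the end of test, because deleting the namespace automatically deletes
	// everything created in the namespace.
	CreateServiceAccount(t, options, "terratest")
	serviceAccount := GetServiceAccount(t, options, "terratest")
	// testify takes the expected value first; this keeps failure messages labelled correctly.
	require.Equal(t, "terratest", serviceAccount.Name)
	require.Equal(t, uniqueID, serviceAccount.Namespace)
}

// EXAMPLE_SERVICEACCOUNT_YAML_TEMPLATE is a two-document manifest: a Namespace, and a ServiceAccount named
// "terratest" inside it. Both %s verbs take the namespace name.
const EXAMPLE_SERVICEACCOUNT_YAML_TEMPLATE = `---
apiVersion: v1
kind: Namespace
metadata:
  name: %s
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: terratest
  namespace: %s
`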