디렉토리 구조 및 각 서비스 추가
This commit is contained in:
dsk-minchulahn
217
helm/jenkins/unittests/rbac-test.yaml
Normal file
217
helm/jenkins/unittests/rbac-test.yaml
Normal file
@@ -0,0 +1,217 @@
|
||||
suite: Role Based Access Control
|
||||
release:
|
||||
name: my-release
|
||||
namespace: my-namespace
|
||||
templates:
|
||||
- rbac.yaml
|
||||
tests:
|
||||
- it: test default number of documents
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 4
|
||||
- it: disable auto reload
|
||||
set:
|
||||
controller.sidecars.configAutoReload.enabled: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 2
|
||||
|
||||
- it: disable rbac create
|
||||
set:
|
||||
rbac.create: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: Role schedule-agents
|
||||
documentIndex: 0
|
||||
asserts:
|
||||
- isKind:
|
||||
of: Role
|
||||
- equal:
|
||||
path: apiVersion
|
||||
value: rbac.authorization.k8s.io/v1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: my-release-jenkins-schedule-agents
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: my-namespace
|
||||
- equal:
|
||||
path: rules
|
||||
value:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "pods/exec", "persistentvolumeclaims"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
|
||||
- it: RoleBinding schedule-agents
|
||||
documentIndex: 1
|
||||
asserts:
|
||||
- isKind:
|
||||
of: RoleBinding
|
||||
- equal:
|
||||
path: apiVersion
|
||||
value: rbac.authorization.k8s.io/v1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: my-release-jenkins-schedule-agents
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: my-namespace
|
||||
- equal:
|
||||
path: roleRef
|
||||
value:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: my-release-jenkins-schedule-agents
|
||||
- equal:
|
||||
path: subjects
|
||||
value:
|
||||
- kind: ServiceAccount
|
||||
name: my-release-jenkins
|
||||
namespace: my-namespace
|
||||
|
||||
- it: Separate Agent Namespace
|
||||
set:
|
||||
agent.namespace: agent-namespace
|
||||
asserts:
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: agent-namespace
|
||||
documentIndex: 0
|
||||
- equal:
|
||||
path: subjects
|
||||
value:
|
||||
- kind: ServiceAccount
|
||||
name: my-release-jenkins
|
||||
namespace: my-namespace
|
||||
documentIndex: 1
|
||||
|
||||
- it: Role casc-reload
|
||||
documentIndex: 2
|
||||
asserts:
|
||||
- isKind:
|
||||
of: Role
|
||||
- equal:
|
||||
path: apiVersion
|
||||
value: rbac.authorization.k8s.io/v1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: my-release-jenkins-casc-reload
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: my-namespace
|
||||
- equal:
|
||||
path: rules
|
||||
value:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
- it: RoleBinding casc-reload
|
||||
documentIndex: 3
|
||||
asserts:
|
||||
- isKind:
|
||||
of: RoleBinding
|
||||
- equal:
|
||||
path: apiVersion
|
||||
value: rbac.authorization.k8s.io/v1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: my-release-jenkins-watch-configmaps
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: my-namespace
|
||||
- equal:
|
||||
path: roleRef
|
||||
value:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: my-release-jenkins-casc-reload
|
||||
- equal:
|
||||
path: subjects
|
||||
value:
|
||||
- kind: ServiceAccount
|
||||
name: my-release-jenkins
|
||||
namespace: my-namespace
|
||||
|
||||
- it: enable read secrets
|
||||
set:
|
||||
rbac.readSecrets: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 6
|
||||
- matchRegex:
|
||||
path: metadata.labels.helm\.sh/chart
|
||||
pattern: ^jenkins-
|
||||
|
||||
- it: disable helm.sh label
|
||||
set:
|
||||
renderHelmLabels: false
|
||||
rbac.readSecrets: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 6
|
||||
- equal:
|
||||
path: metadata.labels
|
||||
value:
|
||||
app.kubernetes.io/component: jenkins-controller
|
||||
app.kubernetes.io/instance: my-release
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: jenkins
|
||||
|
||||
- it: Role read-secrets
|
||||
set:
|
||||
rbac.readSecrets: true
|
||||
documentIndex: 2
|
||||
asserts:
|
||||
- isKind:
|
||||
of: Role
|
||||
- equal:
|
||||
path: apiVersion
|
||||
value: rbac.authorization.k8s.io/v1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: my-release-jenkins-read-secrets
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: my-namespace
|
||||
- equal:
|
||||
path: rules
|
||||
value:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "watch", "list"]
|
||||
|
||||
- it: RoleBinding read-secrets
|
||||
set:
|
||||
rbac.readSecrets: true
|
||||
documentIndex: 3
|
||||
asserts:
|
||||
- isKind:
|
||||
of: RoleBinding
|
||||
- equal:
|
||||
path: apiVersion
|
||||
value: rbac.authorization.k8s.io/v1
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: my-release-jenkins-read-secrets
|
||||
- equal:
|
||||
path: metadata.namespace
|
||||
value: my-namespace
|
||||
- equal:
|
||||
path: roleRef
|
||||
value:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: my-release-jenkins-read-secrets
|
||||
- equal:
|
||||
path: subjects
|
||||
value:
|
||||
- kind: ServiceAccount
|
||||
name: my-release-jenkins
|
||||
namespace: my-namespace
|
||||
|
||||
Reference in New Issue
Block a user