use of io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder in project strimzi-kafka-operator by strimzi.
the class KafkaAssemblyOperatorRbacScopeTest method testRolesDeployedWhenNamespaceRbacScope.
/**
* This test checks that when STRIMZI_RBAC_SCOPE feature is set to 'NAMESPACE', the cluster operator only
* deploys and binds to Roles
*/
@Test
public void testRolesDeployedWhenNamespaceRbacScope(VertxTestContext context) {
Kafka kafka = new KafkaBuilder().withNewMetadata().withName(clusterName).withNamespace(namespace).endMetadata().withNewSpec().withNewKafka().withReplicas(3).endKafka().withNewZookeeper().withReplicas(3).endZookeeper().withNewEntityOperator().withNewUserOperator().endUserOperator().withNewTopicOperator().endTopicOperator().endEntityOperator().endSpec().build();
ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(false);
// Mock the CRD Operator for Kafka resources
CrdOperator mockKafkaOps = supplier.kafkaOperator;
when(mockKafkaOps.getAsync(eq(namespace), eq(clusterName))).thenReturn(Future.succeededFuture(kafka));
when(mockKafkaOps.get(eq(namespace), eq(clusterName))).thenReturn(kafka);
when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
// Mock the operations for RoleBindings
RoleBindingOperator mockRoleBindingOps = supplier.roleBindingOperations;
// Capture the names of reconciled rolebindings and their patched state
ArgumentCaptor<String> roleBindingNameCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<RoleBinding> roleBindingCaptor = ArgumentCaptor.forClass(RoleBinding.class);
when(mockRoleBindingOps.reconcile(any(), eq(namespace), roleBindingNameCaptor.capture(), roleBindingCaptor.capture())).thenReturn(Future.succeededFuture());
KafkaAssemblyOperatorRolesSubset kao = new KafkaAssemblyOperatorRolesSubset(vertx, new PlatformFeaturesAvailability(false, kubernetesVersion), certManager, passwordGenerator, supplier, configNamespaceRbacScope);
Checkpoint async = context.checkpoint();
kao.reconcile(new Reconciliation("test-trigger", Kafka.RESOURCE_KIND, namespace, clusterName)).onComplete(context.succeeding(v -> context.verify(() -> {
List<String> roleBindingNames = roleBindingNameCaptor.getAllValues();
List<RoleBinding> roleBindings = roleBindingCaptor.getAllValues();
assertThat(roleBindingNames, hasSize(2));
assertThat(roleBindings, hasSize(2));
// Check all RoleBindings, easier to index by order applied
assertThat(roleBindingNames.get(0), is("test-instance-entity-topic-operator-role"));
assertThat(roleBindings.get(0), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName("test-instance-entity-operator").build()));
assertThat(roleBindingNames.get(1), is("test-instance-entity-user-operator-role"));
assertThat(roleBindings.get(1), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName("test-instance-entity-operator").build()));
verify(supplier.clusterRoleBindingOperator, never()).reconcile(any(), anyString(), any());
async.flag();
})));
}
use of io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder in project strimzi-kafka-operator by strimzi.
the class KafkaAssemblyOperatorRbacScopeTest method testRolesDeployedWhenNamespaceRbacScopeAndMultiWatchNamespace.
/**
* This test checks that when STRIMZI_RBAC_SCOPE feature is set to 'NAMESPACE', the cluster operator
* binds to ClusterRoles when it can't use Roles due to cross namespace permissions
*/
@Test
public void testRolesDeployedWhenNamespaceRbacScopeAndMultiWatchNamespace(VertxTestContext context) {
Kafka kafka = new KafkaBuilder().withNewMetadata().withName(clusterName).withNamespace(namespace).endMetadata().withNewSpec().withNewKafka().withReplicas(3).endKafka().withNewZookeeper().withReplicas(3).endZookeeper().withNewEntityOperator().withNewUserOperator().withWatchedNamespace("other-ns").endUserOperator().withNewTopicOperator().withWatchedNamespace("another-ns").endTopicOperator().endEntityOperator().endSpec().build();
ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(false);
// Mock the CRD Operator for Kafka resources
CrdOperator mockKafkaOps = supplier.kafkaOperator;
when(mockKafkaOps.getAsync(eq(namespace), eq(clusterName))).thenReturn(Future.succeededFuture(kafka));
when(mockKafkaOps.get(eq(namespace), eq(clusterName))).thenReturn(kafka);
when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
// Mock the operations for Roles
RoleOperator mockRoleOps = supplier.roleOperations;
// Capture the names of reconciled Roles and their patched state
ArgumentCaptor<String> roleNameCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<Role> roleCaptor = ArgumentCaptor.forClass(Role.class);
when(mockRoleOps.reconcile(any(), anyString(), roleNameCaptor.capture(), roleCaptor.capture())).thenReturn(Future.succeededFuture());
// Mock the operations for RoleBindings
RoleBindingOperator mockRoleBindingOps = supplier.roleBindingOperations;
// Capture the names of reconciled RoleBindings and their patched state
ArgumentCaptor<String> roleBindingNameCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<RoleBinding> roleBindingCaptor = ArgumentCaptor.forClass(RoleBinding.class);
when(mockRoleBindingOps.reconcile(any(), anyString(), roleBindingNameCaptor.capture(), roleBindingCaptor.capture())).thenReturn(Future.succeededFuture());
KafkaAssemblyOperatorRolesSubset kao = new KafkaAssemblyOperatorRolesSubset(vertx, new PlatformFeaturesAvailability(false, kubernetesVersion), certManager, passwordGenerator, supplier, configNamespaceRbacScope);
Checkpoint async = context.checkpoint();
kao.reconcile(new Reconciliation("test-trigger", Kafka.RESOURCE_KIND, namespace, clusterName)).onComplete(context.succeeding(v -> context.verify(() -> {
List<String> roleBindingNames = roleBindingNameCaptor.getAllValues();
List<RoleBinding> roleBindings = roleBindingCaptor.getAllValues();
assertThat(roleBindingNames, hasSize(4));
assertThat(roleBindings, hasSize(4));
// Check all RoleBindings, easier to index by order applied
assertThat(roleBindingNames.get(0), is("test-instance-entity-topic-operator-role"));
assertThat(roleBindings.get(0).getMetadata().getNamespace(), is("another-ns"));
assertThat(roleBindings.get(0), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName(EntityOperator.getRoleName(clusterName)).build()));
assertThat(roleBindingNames.get(1), is("test-instance-entity-topic-operator-role"));
assertThat(roleBindings.get(1).getMetadata().getNamespace(), is("test-ns"));
assertThat(roleBindings.get(1), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName(EntityOperator.getRoleName(clusterName)).build()));
assertThat(roleBindingNames.get(2), is("test-instance-entity-user-operator-role"));
assertThat(roleBindings.get(2).getMetadata().getNamespace(), is("other-ns"));
assertThat(roleBindings.get(2), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName(EntityOperator.getRoleName(clusterName)).build()));
assertThat(roleBindingNames.get(3), is("test-instance-entity-user-operator-role"));
assertThat(roleBindings.get(3).getMetadata().getNamespace(), is("test-ns"));
assertThat(roleBindings.get(3), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName(EntityOperator.getRoleName(clusterName)).build()));
List<String> roleNames = roleNameCaptor.getAllValues();
List<Role> roles = roleCaptor.getAllValues();
assertThat(roleNames, hasSize(3));
assertThat(roles, hasSize(3));
// Check all Roles, easier to index by order applied
assertThat(roleNames.get(0), is("test-instance-entity-operator"));
assertThat(roles.get(0).getMetadata().getNamespace(), is("test-ns"));
assertThat(roleNames.get(1), is("test-instance-entity-operator"));
assertThat(roles.get(1).getMetadata().getNamespace(), is("other-ns"));
assertThat(roleNames.get(2), is("test-instance-entity-operator"));
assertThat(roles.get(2).getMetadata().getNamespace(), is("another-ns"));
async.flag();
})));
}
use of io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder in project strimzi-kafka-operator by strimzi.
the class KafkaAssemblyOperatorRbacScopeTest method testRolesDeployedWhenClusterRbacScope.
/**
* This test checks that when STRIMZI_RBAC_SCOPE feature is set to 'CLUSTER', the cluster operator
* binds to ClusterRoles
*/
@Test
public void testRolesDeployedWhenClusterRbacScope(VertxTestContext context) {
Kafka kafka = new KafkaBuilder().withNewMetadata().withName(clusterName).withNamespace(namespace).endMetadata().withNewSpec().withNewKafka().withReplicas(3).endKafka().withNewZookeeper().withReplicas(3).endZookeeper().withNewEntityOperator().withNewUserOperator().endUserOperator().withNewTopicOperator().endTopicOperator().endEntityOperator().endSpec().build();
ResourceOperatorSupplier supplier = ResourceUtils.supplierWithMocks(false);
// Mock the CRD Operator for Kafka resources
CrdOperator mockKafkaOps = supplier.kafkaOperator;
when(mockKafkaOps.getAsync(eq(namespace), eq(clusterName))).thenReturn(Future.succeededFuture(kafka));
when(mockKafkaOps.get(eq(namespace), eq(clusterName))).thenReturn(kafka);
when(mockKafkaOps.updateStatusAsync(any(), any(Kafka.class))).thenReturn(Future.succeededFuture());
// Mock the operations for RoleBindings
RoleBindingOperator mockRoleBindingOps = supplier.roleBindingOperations;
// Capture the names of reconciled rolebindings and their patched state
ArgumentCaptor<String> roleBindingNameCaptor = ArgumentCaptor.forClass(String.class);
ArgumentCaptor<RoleBinding> roleBindingCaptor = ArgumentCaptor.forClass(RoleBinding.class);
when(mockRoleBindingOps.reconcile(any(), eq(namespace), roleBindingNameCaptor.capture(), roleBindingCaptor.capture())).thenReturn(Future.succeededFuture());
KafkaAssemblyOperatorRolesSubset kao = new KafkaAssemblyOperatorRolesSubset(vertx, new PlatformFeaturesAvailability(false, kubernetesVersion), certManager, passwordGenerator, supplier, config);
Checkpoint async = context.checkpoint();
kao.reconcile(new Reconciliation("test-trigger", Kafka.RESOURCE_KIND, namespace, clusterName)).onComplete(context.succeeding(v -> context.verify(() -> {
List<String> roleBindingNames = roleBindingNameCaptor.getAllValues();
List<RoleBinding> roleBindings = roleBindingCaptor.getAllValues();
assertThat(roleBindingNames, hasSize(2));
assertThat(roleBindings, hasSize(2));
// Check all RoleBindings, easier to index by order applied
assertThat(roleBindingNames.get(0), is("test-instance-entity-topic-operator-role"));
assertThat(roleBindings.get(0), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName("test-instance-entity-operator").build()));
assertThat(roleBindingNames.get(1), is("test-instance-entity-user-operator-role"));
assertThat(roleBindings.get(1), hasRoleRef(new RoleRefBuilder().withApiGroup("rbac.authorization.k8s.io").withKind("Role").withName("test-instance-entity-operator").build()));
async.flag();
})));
}
use of io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder in project stackgres by ongres.
the class DbOpsRole method createRoleBinding.
/**
* Create the RoleBinding for Job associated to the dbOps.
*/
private RoleBinding createRoleBinding(StackGresDbOpsContext context) {
final StackGresDbOps dbOps = context.getSource();
final Map<String, String> labels = labelFactory.clusterLabels(context.getCluster());
return new RoleBindingBuilder().withNewMetadata().withName(roleName(context)).withNamespace(dbOps.getMetadata().getNamespace()).withLabels(labels).endMetadata().withSubjects(new SubjectBuilder().withKind("ServiceAccount").withName(roleName(context)).withNamespace(dbOps.getMetadata().getNamespace()).build()).withRoleRef(new RoleRefBuilder().withKind("Role").withName(roleName(context)).withApiGroup("rbac.authorization.k8s.io").build()).build();
}
use of io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder in project strimzi by strimzi.
the class RoleBindingOperatorIT method getOriginal.
@Override
protected RoleBinding getOriginal() {
Subject ks = new SubjectBuilder().withKind("ServiceAccount").withName("my-service-account").withNamespace("my-namespace").build();
RoleRef roleRef = new RoleRefBuilder().withName("my-cluster-role").withApiGroup("rbac.authorization.k8s.io").withKind("ClusterRole").build();
return new RoleBindingBuilder().withNewMetadata().withName(resourceName).withNamespace(namespace).withLabels(singletonMap("state", "new")).endMetadata().withSubjects(ks).withRoleRef(roleRef).build();
}
Aggregations