
Commit 866e31c

committed
update
1 parent 8287436 commit 866e31c

1 file changed

Lines changed: 39 additions & 21 deletions


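--- a/testsupport/tiers/checks.go
+++ b/testsupport/tiers/checks.go
@@ -116,6 +116,7 @@ func (a *baseTierChecks) GetNamespaceObjectChecks(nsType string) []namespaceObje
 checks := []namespaceObjectsCheck{
 numberOfLimitRanges(1),
 limitRange("1", "1Gi", "10m", "64Mi"),
+resourceQuotaSpaceRequests(),
 execPodsRole(),
 crtadminPodsRoleBinding(),
 crtadminViewRoleBinding(),
@@ -200,6 +201,7 @@ func (a *base1nsTierChecks) GetNamespaceObjectChecks(_ string) []namespaceObject
 corev1.ResourceName("limits.nvidia.com/gpu"): "0",
 }),
 resourceQuotaStorage("15Gi", "80Gi", "15Gi", "10"),
+resourceQuotaSpaceRequests(),
 limitRange("1", "1000Mi", "10m", "64Mi"),
 numberOfLimitRanges(1),
 execPodsRole(),
@@ -561,15 +563,18 @@ func (a *clawTierChecks) GetSpaceRoleChecks(spaceRoles map[string][]string) ([]s
 checks = append(checks, clawUserRole())
 roles++
 for _, userName := range usernames {
-checks = append(checks, clawUserRoleBinding(userName))
-rolebindings++
+checks = append(checks,
+clawUserRoleBinding(userName),
+clawViewRoleBinding(userName),
+)
+rolebindings += 2
 }
 default:
 return nil, fmt.Errorf("unexpected template name: '%s'", role)
 }
 }
 checks = append(checks,
-numberOfToolchainRoles(roles+1), // +1 for `exec-pods`
+numberOfToolchainRoles(roles+1), // +1 for `exec-pods`
 numberOfToolchainRoleBindings(rolebindings+2), // +2 for `crtadmin-pods` and `crtadmin-view`
 )
 return checks, nil
@@ -649,28 +654,13 @@ func clawUserRole() spaceRoleObjectsCheck {
 },
 {
 APIGroups: []string{""},
-Resources: []string{"pods"},
-Verbs: []string{"get", "list", "watch"},
-},
-{
-APIGroups: []string{""},
-Resources: []string{"pods/log"},
-Verbs: []string{"get", "list"},
-},
-{
-APIGroups: []string{""},
-Resources: []string{"events"},
-Verbs: []string{"get", "list", "watch"},
-},
-{
-APIGroups: []string{"route.openshift.io"},
-Resources: []string{"routes"},
-Verbs: []string{"get", "list", "watch"},
+Resources: []string{"pods/exec"},
+Verbs: []string{"get", "create"},
 },
 {
 APIGroups: []string{""},
 Resources: []string{"secrets"},
-Verbs: []string{"create", "update", "patch", "delete"},
+Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"},
 },
 },
 }
@@ -692,6 +682,19 @@ func clawUserRoleBinding(userName string) spaceRoleObjectsCheck {
 }
 }
 
+func clawViewRoleBinding(userName string) spaceRoleObjectsCheck {
+return func(t *testing.T, ns *corev1.Namespace, memberAwait *wait.MemberAwaitility, owner string) {
+rb, err := memberAwait.WaitForRoleBinding(t, ns, userName+"-view", toolchainLabelsWaitCriterion(owner)...)
+require.NoError(t, err)
+assert.Len(t, rb.Subjects, 1)
+assert.Equal(t, "User", rb.Subjects[0].Kind)
+assert.Equal(t, userName, rb.Subjects[0].Name)
+assert.Equal(t, "view", rb.RoleRef.Name)
+assert.Equal(t, "ClusterRole", rb.RoleRef.Kind)
+assert.Equal(t, "rbac.authorization.k8s.io", rb.RoleRef.APIGroup)
+}
+}
+
 // verifyNsTypes checks that there's a namespace.TemplateRef that begins with `<tier>-<type>` for each given templateRef (and no more, no less)
 func verifyNsTypes(t *testing.T, tier string, templateRefs TemplateRefs, expectedNSTypes ...string) {
 require.Len(t, templateRefs.Namespaces, len(expectedNSTypes))
@@ -895,6 +898,21 @@ func resourceQuotaStorage(ephemeralLimit, storageRequest, ephemeralRequest, pvcs
 }
 }
 
+func resourceQuotaSpaceRequests() namespaceObjectsCheck {
+return func(t *testing.T, ns *corev1.Namespace, memberAwait *wait.MemberAwaitility, _ string) {
+var err error
+spec := corev1.ResourceQuotaSpec{
+Hard: make(map[corev1.ResourceName]resource.Quantity),
+}
+spec.Hard["count/spacerequests.toolchain.dev.openshift.com"], err = resource.ParseQuantity("1")
+require.NoError(t, err)
+
+criteria := resourceQuotaMatches(ns.Name, "compute-spacerequests", spec)
+_, err = memberAwait.WaitForResourceQuota(t, ns.Name, "compute-spacerequests", criteria)
+require.NoError(t, err)
+}
+}
+
 func resourceQuotaToolchainCrds(spaceRequestLimit string) namespaceObjectsCheck {
 return func(t *testing.T, ns *corev1.Namespace, memberAwait *wait.MemberAwaitility, _ string) {
 var err error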
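Review bot: The expected rules in clawUserRole now pin `pods/exec` with `get`/`create` and widen the `secrets` rule to include `get`, `list` and `watch`, yet neither the hunk nor the commit title ("update") records why the claw user role needs them. Kubernetes' built-in `view` ClusterRole, which the new clawViewRoleBinding check expects each user to be bound to, deliberately leaves out Secret reads and exec, so these two rules are the sensitive part of what the test now accepts: reading Secrets and exec'ing into pods both expose credentials held in the namespace. I would state that intent next to the rules, e.g. `// pods/exec and secret reads are intentional for claw users; the view ClusterRole grants neither`, so a later widening of this list is reviewed as a privilege change rather than a test fix. clawUserRole starts and ends outside the hunk, so how the rule list is compared (exact match or subset) is not visible here and is worth confirming.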
