
Commit 1b970cd

Merge pull request #51 from mbaldessari/clustergroup_race
Precreate the openshift-gitops-cluster-admin-rolebinding CRB
2 parents 963caca + a8584af commit 1b970cd

2 files changed

Lines changed: 93 additions & 17 deletions


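--- a/templates/policies/application-policies.yaml
+++ b/templates/policies/application-policies.yaml
@@ -29,6 +29,23 @@ spec:
 include:
 - default
 object-templates:
+- complianceType: mustonlyhave
+objectDefinition:
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: openshift-gitops-cluster-admin-rolebinding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: cluster-admin
+subjects:
+- kind: ServiceAccount
+name: openshift-gitops-argocd-application-controller
+namespace: openshift-gitops
+- kind: ServiceAccount
+name: openshift-gitops-argocd-server
+namespace: openshift-gitops
 - complianceType: mustonlyhave
 objectDefinition:
 apiVersion: argoproj.io/v1alpha1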
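Review bot: The new object-template at new lines 32–48 binds `cluster-admin` to two service accounts without a comment explaining why the binding must exist before the Argo CD object that follows it, or why `openshift-gitops-argocd-server` needs it as well as the application controller. Because the entry uses `complianceType: mustonlyhave`, any other definition of `openshift-gitops-cluster-admin-rolebinding` (the commit title's "precreate" suggests one exists elsewhere) presumably has to list exactly the same subjects, or the policy will report or revert the difference. I would add a comment above the entry such as `# Precreated to avoid a race with the Application below; keep roleRef and subjects identical to the other definition of this binding`, and confirm that the server account really needs cluster-admin rather than a narrower role. The enclosing policy spec starts outside the hunk, so its remediation setting is not visible here.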

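--- a/tests/application_policy_test.yaml
+++ b/tests/application_policy_test.yaml
@@ -87,6 +87,65 @@ tests:
 path: spec.clusterSelector.matchLabels.clusterGroup
 value: group-two
 
+# Test for openshift-gitops-cluster-admin-rolebinding CRB
+- it: Should precreate the openshift-gitops-cluster-admin-rolebinding ClusterRoleBinding
+values:
+- ./clusterselector_values.yaml
+set:
+global:
+multiSourceSupport: true
+multiSourceRepoUrl: "https://charts.example.com"
+multiSourceTargetRevision: "0.1.0"
+asserts:
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+equal:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.kind
+value: ClusterRoleBinding
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+equal:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.metadata.name
+value: openshift-gitops-cluster-admin-rolebinding
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+equal:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.roleRef.kind
+value: ClusterRole
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+equal:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.roleRef.name
+value: cluster-admin
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+equal:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].complianceType
+value: mustonlyhave
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+contains:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.subjects
+content:
+kind: ServiceAccount
+name: openshift-gitops-argocd-application-controller
+namespace: openshift-gitops
+- documentSelector:
+path: metadata.name
+value: group-one-clustergroup-policy
+contains:
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.subjects
+content:
+kind: ServiceAccount
+name: openshift-gitops-argocd-server
+namespace: openshift-gitops
+
 # Tests for clusterGroupGitRepoUrl and clusterGroupChartGitRevision
 - it: Should use chart clustergroup when clusterGroupGitRepoUrl is not set
 values:
@@ -101,25 +160,25 @@ tests:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].chart
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].chart
 value: clustergroup
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].repoURL
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].repoURL
 value: "https://charts.example.com"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].targetRevision
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].targetRevision
 value: "0.1.0"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 isNull:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].path
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].path
 
 - it: Should use path when clusterGroupGitRepoUrl is set
 values:
@@ -138,25 +197,25 @@ tests:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].path
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].path
 value: "."
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].repoURL
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].repoURL
 value: "https://github.com/example/clustergroup-chart"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].targetRevision
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].targetRevision
 value: "feature-branch"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 isNull:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].chart
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].chart
 
 - it: Should use clusterGroupGitRepoUrl with fallback to multiSourceTargetRevision when only clusterGroupGitRepoUrl is set
 values:
@@ -174,19 +233,19 @@ tests:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].path
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].path
 value: "."
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].repoURL
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].repoURL
 value: "https://github.com/example/clustergroup-chart"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].targetRevision
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].targetRevision
 value: "0.1.0"
 
 - it: should render a spoke app of apps with the correct helm parameters (no deletePattern set)
@@ -208,19 +267,19 @@ tests:
 path: metadata.name
 value: group-one-clustergroup-policy
 lengthEqual:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters
 count: 20 # 17 (in the helper) +3 (1 override, and 1 clusterGroup.name)
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].name
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].name
 value: "global.deletePattern"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].value
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].value
 value: null
 
 - it: should render a spoke app of apps with the correct helm parameters (if deletePattern set to DeleteSpokeChildApps)
@@ -243,19 +302,19 @@ tests:
 path: metadata.name
 value: group-one-clustergroup-policy
 lengthEqual:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters
 count: 20 # 17 (in the helper) +3 (1 override, and 1 clusterGroup.name)
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].name
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].name
 value: "global.deletePattern"
 - documentSelector:
 path: metadata.name
 value: group-one-clustergroup-policy
 equal:
-path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].value
+path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].value
 value: "DeleteChildApps"
 
 - it: should not render a spoke app of apps (if deletePattern set to DeleteSpoke)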
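Review bot: The new test at new lines 91–147 checks with `contains` that the two expected service accounts appear in `subjects`, but nothing asserts that they are the only entries, so a template change that adds a third subject to this cluster-admin binding would still pass. One more assertion on the same document using `lengthEqual:` with `path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.subjects` and `count: 2` would pin the subject list. The other hunks only move the existing assertions from `object-templates[0]` to `object-templates[1]`. Those positional indexes will need the same bulk edit whenever another entry is inserted ahead of them, which a comment such as `# object-templates[0] is the ClusterRoleBinding, [1] is the Argo CD object` would make easier to spot.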
