From ede27d6256c1b4913c0823720372fd2a24ab1241 Mon Sep 17 00:00:00 2001 From: Varsha B Date: Wed, 29 Jan 2025 16:39:09 +0530 Subject: [PATCH 1/3] add impersonate permission Signed-off-by: Varsha B --- controllers/argocd/policyrule.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/controllers/argocd/policyrule.go b/controllers/argocd/policyrule.go index 67dd1da67..899d722bf 100644 --- a/controllers/argocd/policyrule.go +++ b/controllers/argocd/policyrule.go @@ -25,6 +25,17 @@ func policyRuleForApplicationController() []v1.PolicyRule { "*", }, }, + { + APIGroups: []string{ + "", + }, + Resources: []string{ + "serviceaccounts", + }, + Verbs: []string{ + "impersonate", + }, + }, } } From 73d8604db2bf20bc96ad1de44c65680e607eee29 Mon Sep 17 00:00:00 2001 From: Varsha B Date: Mon, 3 Feb 2025 13:35:23 +0530 Subject: [PATCH 2/3] added kuttl test 
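Review bot: The `impersonate` verb on `serviceaccounts` is granted unconditionally and without `ResourceNames`, so every application controller built from this rule list can act as any service account within whatever scope the rule is bound at, whether or not `application.sync.impersonation.enabled` is set for the instance. Since `policyRuleForApplicationController()` takes no arguments it cannot see the instance's configuration; consider appending the rule at the call site only when impersonation is enabled, and documenting it with a comment such as `// Needed for sync impersonation: the controller acts as the AppProject's destinationServiceAccounts.` The preceding rule visible in the context ends with `"*"`; if that is a wildcard verb list the new rule may already be covered by it, which is worth confirming. The function body starts outside this hunk, so the earlier rules are not visible here.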
Signed-off-by: Varsha B --- .github/workflows/ci-build.yaml | 2 +- .../01-assert.yaml | 26 +++++++++++ .../01-install.yaml | 16 +++++++ .../02-assert.yaml | 18 ++++++++ .../02-create-appproject.yaml | 18 ++++++++ .../03-assert.yaml | 24 ++++++++++ .../03-create-app.yaml | 21 +++++++++ .../04-check-app.yaml | 10 +++++ .../05-assert.yaml | 24 ++++++++++ .../05-create-ns.yaml | 24 ++++++++++ .../06-argocd-login.yaml | 12 +++++ .../07-assert.yaml | 24 ++++++++++ .../08-assert.yaml | 44 +++++++++++++++++++ .../08-create-app.yaml | 41 +++++++++++++++++ .../08-errors.yaml | 5 +++ .../09-check-app.yaml | 10 +++++ .../10-delete.yaml | 13 ++++++ .../01-assert.yaml | 28 ++++++++++++ .../01-install.yaml | 18 ++++++++ .../02-assert.yaml | 18 ++++++++ .../02-create-appproject.yaml | 18 ++++++++ .../03-assert.yaml | 26 +++++++++++ .../03-create-app.yaml | 21 +++++++++ .../04-assert.yaml | 26 +++++++++++ .../04-create-sa.yaml | 26 +++++++++++ .../05-argocd-login.yaml | 12 +++++ .../06-check-app.yaml | 11 +++++ .../07-assert.yaml | 24 ++++++++++ .../08-assert.yaml | 44 +++++++++++++++++++ .../08-create-app.yaml | 41 +++++++++++++++++ .../08-errors.yaml | 5 +++ .../09-check-app.yaml | 10 +++++ .../10-delete.yaml | 13 ++++++ 33 files changed, 672 insertions(+), 1 deletion(-) create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-assert.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-install.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-assert.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-create-appproject.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-assert.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-create-app.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/04-check-app.yaml create mode 100644 
tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-assert.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-create-ns.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/06-argocd-login.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/07-assert.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-assert.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-create-app.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-errors.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/09-check-app.yaml create mode 100644 tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/10-delete.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml create mode 
100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml index 87227c7ba..6cae0afeb 100644 --- a/.github/workflows/ci-build.yaml +++ b/.github/workflows/ci-build.yaml @@ -94,7 +94,7 @@ jobs: go mod download - name: Run the operator locally env: - ARGOCD_CLUSTER_CONFIG_NAMESPACES: argocd-e2e-cluster-config + ARGOCD_CLUSTER_CONFIG_NAMESPACES: argocd-e2e-cluster-config, argocd-test-impersonation run: | set -o pipefail make install generate fmt vet diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-assert.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-assert.yaml new file mode 100644 index 000000000..0ece3605f --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-assert.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: argocd-test-impersonation +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd-test + namespace: argocd-test-impersonation +spec: + extraConfig: + application.sync.impersonation.enabled: "true" + server: + route: + enabled: true +status: + phase: Available +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: argocd-cm + namespace: argocd-test-impersonation +data: + application.sync.impersonation.enabled: 'true' \ No newline at end of file 
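Review bot: The new value of `ARGOCD_CLUSTER_CONFIG_NAMESPACES` has a space after the comma, and how the operator splits and trims this variable is not visible in this patch, so the second namespace may be read with a leading space and fail to match. Writing it as `ARGOCD_CLUSTER_CONFIG_NAMESPACES: argocd-e2e-cluster-config,argocd-test-impersonation` removes the dependency on trimming. The entry gives the `argocd-test-impersonation` instance cluster-scoped handling for the whole e2e job, so that namespace name should stay reserved for test 1-046.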
diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-install.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-install.yaml new file mode 100644 index 000000000..68429ecf8 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/01-install.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: argocd-test-impersonation +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd-test + namespace: argocd-test-impersonation +spec: + extraConfig: + application.sync.impersonation.enabled: "true" + server: + route: + enabled: true \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-assert.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-assert.yaml new file mode 100644 index 000000000..689d91cc0 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-assert.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: guestbook-proj + namespace: argocd-test-impersonation +spec: + clusterResourceWhitelist: + - group: '*' + kind: '*' + destinationServiceAccounts: + - defaultServiceAccount: guestbook-deployer + namespace: guestbook + server: 'https://kubernetes.default.svc' + destinations: + - namespace: guestbook + server: 'https://kubernetes.default.svc' + sourceRepos: + - 'https://github.com/argoproj/argocd-example-apps.git' \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-create-appproject.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-create-appproject.yaml new file mode 100644 index 000000000..689d91cc0 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/02-create-appproject.yaml 
@@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: guestbook-proj + namespace: argocd-test-impersonation +spec: + clusterResourceWhitelist: + - group: '*' + kind: '*' + destinationServiceAccounts: + - defaultServiceAccount: guestbook-deployer + namespace: guestbook + server: 'https://kubernetes.default.svc' + destinations: + - namespace: guestbook + server: 'https://kubernetes.default.svc' + sourceRepos: + - 'https://github.com/argoproj/argocd-example-apps.git' \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-assert.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-assert.yaml new file mode 100644 index 000000000..be916b54f --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-assert.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook + namespace: argocd-test-impersonation +spec: + destination: + namespace: guestbook + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true + - CreateNamespace=true +status: + health: + status: Missing \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-create-app.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-create-app.yaml new file mode 100644 index 000000000..4eb4f6f33 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/03-create-app.yaml 
@@ -0,0 +1,21 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook + namespace: argocd-test-impersonation +spec: + destination: + namespace: guestbook + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true + - CreateNamespace=true \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/04-check-app.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/04-check-app.yaml new file mode 100644 index 000000000..19fdd04ba --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/04-check-app.yaml @@ -0,0 +1,10 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + error_message=$(oc get app guestbook -n argocd-test-impersonation -o jsonpath='{.status.operationState.message}') + expected_error="Namespace auto creation failed: namespaces \"guestbook\" is forbidden: User \"system:serviceaccount:guestbook:guestbook-deployer\"" + + if ! [[ ${error_message} =~ ${expected_error} ]]; then + exit 1 + fi \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-assert.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-assert.yaml new file mode 100644 index 000000000..fd0470855 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-assert.yaml 
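Review bot: In 04-check-app.yaml the comparison uses `=~` with an unquoted right-hand side, so `expected_error` is evaluated as a regular expression rather than as a literal string, and on a mismatch the script exits 1 without printing the message it actually read. `.status.operationState.message` is also read once with no retry, which may race the first sync attempt. A literal substring check with a diagnostic is clearer: `if [[ "${error_message}" != *"${expected_error}"* ]]; then echo "unexpected sync message: ${error_message}"; exit 1; fi`. The same pattern appears in 09-check-app.yaml of this test and in 06-check-app.yaml of test 1-047.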
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: guestbook +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: guestbook-deployer + namespace: guestbook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guestbook-deployer-rb + namespace: guestbook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: guestbook-deployer + namespace: guestbook \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-create-ns.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-create-ns.yaml new file mode 100644 index 000000000..0d306dce1 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/05-create-ns.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: guestbook +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: guestbook-deployer + namespace: guestbook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guestbook-deployer-rb + namespace: guestbook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: guestbook-deployer + namespace: guestbook diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/06-argocd-login.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/06-argocd-login.yaml new file mode 100644 index 000000000..3a4ba1661 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/06-argocd-login.yaml 
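Review bot: `guestbook-deployer` is bound to the `cluster-admin` ClusterRole in 05-create-ns.yaml and 05-assert.yaml (and again in 04-create-sa.yaml and 04-assert.yaml of test 1-047), which is far more than a guestbook sync needs and makes the fixture a poor model of the least-privilege setup that impersonation is meant to enable. Because this is a RoleBinding the grant is limited to the `guestbook` namespace, but it still includes managing Roles and RoleBindings there. A narrower `roleRef`, for example `name: edit`, or a dedicated Role covering only the resources the example app creates, would presumably be enough; confirm against what the guestbook manifests deploy.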
@@ -0,0 +1,12 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + api_server=$(oc get routes -n argocd-test-impersonation --field-selector metadata.name=argocd-test-server -o jsonpath="{.items[*]['spec.host']}") + password=$(oc get secret argocd-test-cluster -n argocd-test-impersonation -o jsonpath='{.data.admin\.password}' | base64 -d) + + argocd login $api_server --username admin --password $password --insecure + + argocd app sync guestbook + + sleep 5 \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/07-assert.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/07-assert.yaml new file mode 100644 index 000000000..2d5a8a6f3 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/07-assert.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook + namespace: argocd-test-impersonation +spec: + destination: + namespace: guestbook + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true + - CreateNamespace=true +status: + sync: + status: Synced \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-assert.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-assert.yaml new file mode 100644 index 000000000..53192e11e --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-assert.yaml 
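Review bot: A failed `argocd login` or `argocd app sync` does not fail the 06-argocd-login.yaml step, because the script has no `set -e` and its exit status is that of the trailing `sleep 5`. `$api_server` and `$password` are also expanded unquoted, so a password containing whitespace or glob characters is split or expanded before it reaches the CLI, and the admin password is passed as a command-line argument. Start the script with `set -e` and quote the expansions: `argocd login "$api_server" --username admin --password "$password" --insecure`. `--insecure` turns off TLS verification of the route, which deserves a one-line comment stating that it is acceptable only for the throwaway test cluster. The same script is repeated in 05-argocd-login.yaml of test 1-047.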
@@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: guestbook-proj + namespace: argocd-test-impersonation +spec: + clusterResourceWhitelist: + - group: '*' + kind: '*' + destinationServiceAccounts: + - defaultServiceAccount: guestbook-deployer + namespace: guestbook + server: 'https://kubernetes.default.svc' + destinations: + - namespace: guestbook + server: 'https://kubernetes.default.svc' + - namespace: guestbook-dev + server: 'https://kubernetes.default.svc' + sourceRepos: + - 'https://github.com/argoproj/argocd-example-apps.git' +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook-dev + namespace: argocd-test-impersonation +spec: + destination: + namespace: guestbook-dev + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true +status: + health: + status: Missing \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-create-app.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-create-app.yaml new file mode 100644 index 000000000..acc7a3afd --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-create-app.yaml 
@@ -0,0 +1,41 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: guestbook-proj + namespace: argocd-test-impersonation +spec: + clusterResourceWhitelist: + - group: '*' + kind: '*' + destinationServiceAccounts: + - defaultServiceAccount: guestbook-deployer + namespace: guestbook + server: 'https://kubernetes.default.svc' + destinations: + - namespace: guestbook + server: 'https://kubernetes.default.svc' + - namespace: guestbook-dev + server: 'https://kubernetes.default.svc' + sourceRepos: + - 'https://github.com/argoproj/argocd-example-apps.git' +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook-dev + namespace: argocd-test-impersonation +spec: + destination: + namespace: guestbook-dev + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-errors.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-errors.yaml new file mode 100644 index 000000000..9f9a19400 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/08-errors.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: guestbook-deployer + namespace: argocd-test-impersonation \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/09-check-app.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/09-check-app.yaml new file mode 100644 index 000000000..f4e71907a --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/09-check-app.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + error_message=$(oc get app guestbook-dev -n argocd-test-impersonation -o jsonpath='{.status.operationState.message}') + expected_error="failed to find a matching service account to impersonate: no matching service account found for destination server https://kubernetes.default.svc and namespace guestbook-dev" + + if ! [[ ${error_message} =~ ${expected_error} ]]; then + exit 1 + fi \ No newline at end of file diff --git a/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/10-delete.yaml b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/10-delete.yaml new file mode 100644 index 000000000..9ba7f9622 --- /dev/null +++ b/tests/k8s/1-046_validate_impersonation_cluster_scoped_instance/10-delete.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: argoproj.io/v1beta1 + kind: ArgoCD + name: argocd-test +- apiVersion: v1 + kind: Namespace + name: argocd-test-impersonation +- apiVersion: v1 + kind: Namespace + name: guestbook \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml new file mode 100644 index 000000000..ea0e51d05 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-impersonation-ns + labels: + argocd.argoproj.io/managed-by: openshift-gitops +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd-test + namespace: test-impersonation-ns +spec: + extraConfig: + application.sync.impersonation.enabled: "true" + server: + route: + enabled: true +status: + phase: Available +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: argocd-cm + namespace: test-impersonation-ns +data: + application.sync.impersonation.enabled: 'true' \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml new file mode 100644 index 000000000..fcb800399 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-impersonation-ns + labels: + argocd.argoproj.io/managed-by: openshift-gitops +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd-test + namespace: test-impersonation-ns +spec: + extraConfig: + application.sync.impersonation.enabled: "true" + server: + route: + enabled: true \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml new file mode 100644 index 000000000..8a26cf1a8 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml 
@@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: guestbook-proj + namespace: test-impersonation-ns +spec: + clusterResourceWhitelist: + - group: '*' + kind: '*' + destinationServiceAccounts: + - defaultServiceAccount: guestbook-deployer + namespace: guestbook + server: 'https://kubernetes.default.svc' + destinations: + - namespace: guestbook + server: 'https://kubernetes.default.svc' + sourceRepos: + - 'https://github.com/argoproj/argocd-example-apps.git' \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml new file mode 100644 index 000000000..8a26cf1a8 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: guestbook-proj + namespace: test-impersonation-ns +spec: + clusterResourceWhitelist: + - group: '*' + kind: '*' + destinationServiceAccounts: + - defaultServiceAccount: guestbook-deployer + namespace: guestbook + server: 'https://kubernetes.default.svc' + destinations: + - namespace: guestbook + server: 'https://kubernetes.default.svc' + sourceRepos: + - 'https://github.com/argoproj/argocd-example-apps.git' \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml new file mode 100644 index 000000000..2f757eb70 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml 
@@ -0,0 +1,26 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook + namespace: test-impersonation-ns +spec: + destination: + namespace: guestbook + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true + - CreateNamespace=true +status: + health: + status: Missing + sync: + status: Unknown \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml new file mode 100644 index 000000000..f18f32226 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml @@ -0,0 +1,21 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook + namespace: test-impersonation-ns +spec: + destination: + namespace: guestbook + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true + - CreateNamespace=true \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml new file mode 100644 index 000000000..b7c13c22f --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: guestbook + labels: + argocd.argoproj.io/managed-by: openshift-gitops +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: guestbook-deployer + namespace: guestbook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guestbook-deployer-rb + namespace: guestbook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: guestbook-deployer + namespace: guestbook \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml new file mode 100644 index 000000000..ccceceed8 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: guestbook + labels: + argocd.argoproj.io/managed-by: openshift-gitops +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: guestbook-deployer + namespace: guestbook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guestbook-deployer-rb + namespace: guestbook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: guestbook-deployer + namespace: guestbook diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml new file mode 100644 index 000000000..18fe829dd --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml 
@@ -0,0 +1,12 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + api_server=$(oc get routes -n test-impersonation-ns --field-selector metadata.name=argocd-test-server -o jsonpath="{.items[*]['spec.host']}") + password=$(oc get secret argocd-test-cluster -n test-impersonation-ns -o jsonpath='{.data.admin\.password}' | base64 -d) + + argocd login $api_server --username admin --password $password --insecure + + argocd app sync guestbook + + sleep 5 \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml new file mode 100644 index 000000000..826634a78 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + oc get app guestbook -n test-impersonation-ns -o yaml + error_message=$(oc get app guestbook -n test-impersonation-ns -o jsonpath='{.status.operationState.message}') + expected_error="Namespace auto creation failed: namespaces \"guestbook\" is forbidden: User \"system:serviceaccount:guestbook:guestbook-deployer\"" + + if ! [[ ${error_message} =~ ${expected_error} ]]; then + exit 1 + fi \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml new file mode 100644 index 000000000..a114e8635 --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml 
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: guestbook
+ namespace: test-impersonation-ns
+spec:
+ destination:
+ namespace: guestbook
+ server: 'https://kubernetes.default.svc'
+ project: guestbook-proj
+ source:
+ directory:
+ jsonnet: {}
+ recurse: true
+ path: guestbook
+ repoURL: 'https://github.com/argoproj/argocd-example-apps'
+ syncPolicy:
+ automated: {}
+ syncOptions:
+ - ServerSideApply=true
+ - CreateNamespace=true
+status:
+ sync:
+ status: Synced
\ No newline at end of file
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml
new file mode 100644
index 000000000..5ba4df7c3
--- /dev/null
+++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: guestbook-proj
+ namespace: test-impersonation-ns
+spec:
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
+ destinationServiceAccounts:
+ - defaultServiceAccount: guestbook-deployer
+ namespace: guestbook
+ server: 'https://kubernetes.default.svc'
+ destinations:
+ - namespace: guestbook
+ server: 'https://kubernetes.default.svc'
+ - namespace: guestbook-dev
+ server: 'https://kubernetes.default.svc'
+ sourceRepos:
+ - 'https://github.com/argoproj/argocd-example-apps.git'
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: guestbook-dev
+ namespace: test-impersonation-ns
+spec:
+ destination:
+ namespace: guestbook-dev
+ server: 'https://kubernetes.default.svc'
+ project: guestbook-proj
+ source:
+ directory:
+ jsonnet: {}
+ recurse: true
+ path: guestbook
+ repoURL: 'https://github.com/argoproj/argocd-example-apps'
+ syncPolicy:
+ automated: {}
+ syncOptions:
+ - ServerSideApply=true
+status:
+ health:
+ status: Missing
\ No newline at end of file
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml
new file mode 100644
index 000000000..b882a483d
--- /dev/null
+++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml
@@ -0,0 +1,41 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: guestbook-proj
+ namespace: test-impersonation-ns
+spec:
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
+ destinationServiceAccounts:
+ - defaultServiceAccount: guestbook-deployer
+ namespace: guestbook
+ server: 'https://kubernetes.default.svc'
+ destinations:
+ - namespace: guestbook
+ server: 'https://kubernetes.default.svc'
+ - namespace: guestbook-dev
+ server: 'https://kubernetes.default.svc'
+ sourceRepos:
+ - 'https://github.com/argoproj/argocd-example-apps.git'
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: guestbook-dev
+ namespace: test-impersonation-ns
+spec:
+ destination:
+ namespace: guestbook-dev
+ server: 'https://kubernetes.default.svc'
+ project: guestbook-proj
+ source:
+ directory:
+ jsonnet: {}
+ recurse: true
+ path: guestbook
+ repoURL: 'https://github.com/argoproj/argocd-example-apps'
+ syncPolicy:
+ automated: {}
+ syncOptions:
+ - ServerSideApply=true
\ No newline at end of file
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml
new file mode 100644
index 000000000..43a10aeec
--- /dev/null
+++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: guestbook-deployer
+ namespace: test-impersonation-ns
\ No newline at end of file
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml
new file mode 100644
index 000000000..87d973422
--- /dev/null
+++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ error_message=$(oc get app guestbook-dev test-impersonation-ns -o jsonpath='{.status.operationState.message}')
+ expected_error="failed to find a matching service account to impersonate: no matching service account found for destination server https://kubernetes.default.svc and namespace guestbook-dev"
+
+ if ! [[ ${error_message} =~ ${expected_error} ]]; then
+ exit 1
+ fi
\ No newline at end of file
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml
new file mode 100644
index 000000000..665fe21ef
--- /dev/null
+++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: argoproj.io/v1beta1
+ kind: ArgoCD
+ name: argocd-test
+- apiVersion: v1
+ kind: Namespace
+ name: test-impersonation-ns
+- apiVersion: v1
+ kind: Namespace
+ name: guestbook
\ No newline at end of file
From 7bc40ea88dd9561784128e62917b9078bd9a1e09 Mon Sep 17 00:00:00 2001 From: Varsha B Date: Fri, 7 Feb 2025 15:12:11 +0530 Subject: [PATCH 3/3] fix kuttl test
Signed-off-by: Varsha B --- .../01-assert.yaml | 8 ++-- .../01-install.yaml | 6 +-- .../02-assert.yaml | 2 +- .../02-create-appproject.yaml | 2 +- .../03-assert.yaml | 48 +++++++++---------- .../{04-create-sa.yaml => 03-create-sa.yaml} | 2 +- .../04-assert.yaml | 47 +++++++++--------- ...{03-create-app.yaml => 04-create-app.yaml} | 5 +- .../05-argocd-login.yaml | 12 ----- .../{08-create-app.yaml => 05-assert.yaml} | 24 ++-------- .../{08-assert.yaml => 05-create-ns.yaml} | 27 ++--------- .../{07-assert.yaml => 06-assert.yaml} | 11 ++--- .../06-check-app.yaml | 11 ----- .../06-create-app.yaml | 21 ++++++++ .../{08-errors.yaml => 06-errors.yaml} | 2 +- .../{09-check-app.yaml => 07-check-app.yaml} | 2 +- .../10-delete.yaml | 13 ----- 17 files changed, 95 insertions(+), 148 deletions(-) rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{04-create-sa.yaml => 03-create-sa.yaml} (89%) rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{03-create-app.yaml => 04-create-app.yaml} (80%) delete mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{08-create-app.yaml => 05-assert.yaml} (55%) rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{08-assert.yaml => 05-create-ns.yaml} (53%) rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{07-assert.yaml => 06-assert.yaml} (74%) delete mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml create mode 100644 tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-create-app.yaml rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{08-errors.yaml => 06-errors.yaml} (68%) rename tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/{09-check-app.yaml => 07-check-app.yaml} (74%) delete mode 100644 
tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml index ea0e51d05..d4a7ca340 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-assert.yaml @@ -1,15 +1,13 @@ apiVersion: v1 kind: Namespace metadata: - name: test-impersonation-ns - labels: - argocd.argoproj.io/managed-by: openshift-gitops + name: argocd-test-ns-scoped --- apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd-test - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: extraConfig: application.sync.impersonation.enabled: "true" @@ -23,6 +21,6 @@ kind: ConfigMap apiVersion: v1 metadata: name: argocd-cm - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped data: application.sync.impersonation.enabled: 'true' \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml index fcb800399..5c3d86178 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/01-install.yaml @@ -1,15 +1,13 @@ apiVersion: v1 kind: Namespace metadata: - name: test-impersonation-ns - labels: - argocd.argoproj.io/managed-by: openshift-gitops + name: argocd-test-ns-scoped --- apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd-test - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: extraConfig: application.sync.impersonation.enabled: "true" 
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml index 8a26cf1a8..da8eefc41 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-assert.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: guestbook-proj - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: clusterResourceWhitelist: - group: '*' diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml index 8a26cf1a8..da8eefc41 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/02-create-appproject.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: guestbook-proj - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: clusterResourceWhitelist: - group: '*' diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml index 2f757eb70..6a5fbe1c5 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-assert.yaml 
@@ -1,26 +1,26 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application +apiVersion: v1 +kind: Namespace metadata: name: guestbook - namespace: test-impersonation-ns -spec: - destination: - namespace: guestbook - server: 'https://kubernetes.default.svc' - project: guestbook-proj - source: - directory: - jsonnet: {} - recurse: true - path: guestbook - repoURL: 'https://github.com/argoproj/argocd-example-apps' - syncPolicy: - automated: {} - syncOptions: - - ServerSideApply=true - - CreateNamespace=true -status: - health: - status: Missing - sync: - status: Unknown \ No newline at end of file + labels: + argocd.argoproj.io/managed-by: argocd-test-ns-scoped +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: guestbook-deployer + namespace: guestbook +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guestbook-deployer-rb + namespace: guestbook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: guestbook-deployer + namespace: guestbook \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-sa.yaml similarity index 89% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-sa.yaml index ccceceed8..5b049d26f 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-sa.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-sa.yaml @@ -3,7 +3,7 @@ kind: Namespace metadata: name: guestbook labels: - argocd.argoproj.io/managed-by: openshift-gitops + argocd.argoproj.io/managed-by: argocd-test-ns-scoped --- apiVersion: v1 kind: ServiceAccount 
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml index b7c13c22f..9f7ec17c6 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-assert.yaml @@ -1,26 +1,25 @@ -apiVersion: v1 -kind: Namespace +apiVersion: argoproj.io/v1alpha1 +kind: Application metadata: name: guestbook - labels: - argocd.argoproj.io/managed-by: openshift-gitops ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: guestbook-deployer - namespace: guestbook ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: guestbook-deployer-rb - namespace: guestbook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: guestbook-deployer - namespace: guestbook \ No newline at end of file + namespace: argocd-test-ns-scoped +spec: + destination: + namespace: guestbook + server: https://kubernetes.default.svc + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: https://github.com/argoproj/argocd-example-apps + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true +status: + health: + status: Progressing + sync: + status: Synced \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-app.yaml similarity index 80% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-app.yaml index f18f32226..8b0e67f41 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/03-create-app.yaml 
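Review bot: The rewritten `04-assert.yaml` expects `health.status: Progressing`, which is normally a transient state, so the step can time out if the application reaches `Healthy` before an assert poll observes it. Unless the guestbook workload is known never to become ready in the test cluster, asserting only the stable part is safer: keep `sync: status: Synced` and either drop the `health` block or expect `status: Healthy`. What this step needs to prove is that the sync performed as `guestbook-deployer` succeeded, and `Synced` already carries that.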
+++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/04-create-app.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: guestbook - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: destination: namespace: guestbook @@ -17,5 +17,4 @@ spec: syncPolicy: automated: {} syncOptions: - - ServerSideApply=true - - CreateNamespace=true \ No newline at end of file + - ServerSideApply=true \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml deleted file mode 100644 index 18fe829dd..000000000 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-argocd-login.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - api_server=$(oc get routes -n test-impersonation-ns --field-selector metadata.name=argocd-test-server -o jsonpath="{.items[*]['spec.host']}") - password=$(oc get secret argocd-test-cluster -n test-impersonation-ns -o jsonpath='{.data.admin\.password}' | base64 -d) - - argocd login $api_server --username admin --password $password --insecure - - argocd app sync guestbook - - sleep 5 \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-assert.yaml similarity index 55% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-assert.yaml index b882a483d..8539a2c34 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-create-app.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-assert.yaml 
@@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: guestbook-proj - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: clusterResourceWhitelist: - group: '*' @@ -19,23 +19,9 @@ spec: sourceRepos: - 'https://github.com/argoproj/argocd-example-apps.git' --- -apiVersion: argoproj.io/v1alpha1 -kind: Application +apiVersion: v1 +kind: Namespace metadata: name: guestbook-dev - namespace: test-impersonation-ns -spec: - destination: - namespace: guestbook-dev - server: 'https://kubernetes.default.svc' - project: guestbook-proj - source: - directory: - jsonnet: {} - recurse: true - path: guestbook - repoURL: 'https://github.com/argoproj/argocd-example-apps' - syncPolicy: - automated: {} - syncOptions: - - ServerSideApply=true \ No newline at end of file + labels: + argocd.argoproj.io/managed-by: argocd-test-ns-scoped \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-create-ns.yaml similarity index 53% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-create-ns.yaml index 5ba4df7c3..8539a2c34 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-assert.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/05-create-ns.yaml @@ -2,7 +2,7 @@ apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: guestbook-proj - namespace: test-impersonation-ns + namespace: argocd-test-ns-scoped spec: clusterResourceWhitelist: - group: '*' 
@@ -19,26 +19,9 @@ spec: sourceRepos: - 'https://github.com/argoproj/argocd-example-apps.git' --- -apiVersion: argoproj.io/v1alpha1 -kind: Application +apiVersion: v1 +kind: Namespace metadata: name: guestbook-dev - namespace: test-impersonation-ns -spec: - destination: - namespace: guestbook-dev - server: 'https://kubernetes.default.svc' - project: guestbook-proj - source: - directory: - jsonnet: {} - recurse: true - path: guestbook - repoURL: 'https://github.com/argoproj/argocd-example-apps' - syncPolicy: - automated: {} - syncOptions: - - ServerSideApply=true -status: - health: - status: Missing \ No newline at end of file + labels: + argocd.argoproj.io/managed-by: argocd-test-ns-scoped \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-assert.yaml similarity index 74% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-assert.yaml index a114e8635..fb907cd69 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-assert.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-assert.yaml @@ -1,11 +1,11 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: guestbook - namespace: test-impersonation-ns + name: guestbook-dev + namespace: argocd-test-ns-scoped spec: destination: - namespace: guestbook + namespace: guestbook-dev server: 'https://kubernetes.default.svc' project: guestbook-proj source: @@ -18,7 +18,6 @@ spec: automated: {} syncOptions: - ServerSideApply=true - - CreateNamespace=true status: - sync: - status: Synced \ No newline at end of file + health: + status: Missing \ No newline at end of file 
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml deleted file mode 100644 index 826634a78..000000000 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-check-app.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - oc get app guestbook -n test-impersonation-ns -o yaml - error_message=$(oc get app guestbook -n test-impersonation-ns -o jsonpath='{.status.operationState.message}') - expected_error="Namespace auto creation failed: namespaces \"guestbook\" is forbidden: User \"system:serviceaccount:guestbook:guestbook-deployer\"" - - if ! [[ ${error_message} =~ ${expected_error} ]]; then - exit 1 - fi \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-create-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-create-app.yaml new file mode 100644 index 000000000..0d0d5831f --- /dev/null +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-create-app.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: guestbook-dev + namespace: argocd-test-ns-scoped +spec: + destination: + namespace: guestbook-dev + server: 'https://kubernetes.default.svc' + project: guestbook-proj + source: + directory: + jsonnet: {} + recurse: true + path: guestbook + repoURL: 'https://github.com/argoproj/argocd-example-apps' + syncPolicy: + automated: {} + syncOptions: + - ServerSideApply=true \ No newline at end of file 
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-errors.yaml similarity index 68% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-errors.yaml index 43a10aeec..dde6086db 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/08-errors.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/06-errors.yaml @@ -2,4 +2,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: guestbook-deployer - namespace: test-impersonation-ns \ No newline at end of file + namespace: argocd-test-ns-scoped \ No newline at end of file diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-check-app.yaml similarity index 74% rename from tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml rename to tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-check-app.yaml index 87d973422..2fbcbfa74 100644 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/09-check-app.yaml +++ b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/07-check-app.yaml @@ -2,7 +2,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - script: | - error_message=$(oc get app guestbook-dev test-impersonation-ns -o jsonpath='{.status.operationState.message}') + error_message=$(oc get app guestbook-dev -n argocd-test-ns-scoped -o jsonpath='{.status.operationState.message}') expected_error="failed to find a matching service account to impersonate: no matching service account found for destination server https://kubernetes.default.svc and namespace guestbook-dev" if ! [[ ${error_message} =~ ${expected_error} ]]; then 
diff --git a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml b/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml deleted file mode 100644 index 665fe21ef..000000000 --- a/tests/k8s/1-047_validate_impersonation_namespace_scoped_instance/10-delete.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: argoproj.io/v1beta1 - kind: ArgoCD - name: argocd-test -- apiVersion: v1 - kind: Namespace - name: test-impersonation-ns -- apiVersion: v1 - kind: Namespace - name: guestbook \ No newline at end of file