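// TestSimpleImageChangeBuildTriggerFromImageStreamTagCustomWithConfigChange
// runs the shared image-change trigger scenario (runTest) against a build
// config that uses a custom strategy sourced from an ImageStreamTag.
//
// Custom builds need an explicit policy grant, so the test first binds the
// custom build strategy role and waits until the project admin is allowed to
// create custom builds.
func TestSimpleImageChangeBuildTriggerFromImageStreamTagCustomWithConfigChange(t *testing.T) {
	defer testutil.DumpEtcdOnFailure(t)
	projectAdminClient, _ := setup(t)

	clusterAdminClient, err := testutil.GetClusterAdminClient(testutil.GetBaseDir() + "/openshift.local.config/master/admin.kubeconfig")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	// Test-only setup: the custom build strategy role is bound to the whole
	// authenticated group through a cluster role binding, so every
	// authenticated user of this test master may create custom builds.
	clusterRoleBindingAccessor := policy.NewClusterRoleBindingAccessor(clusterAdminClient)
	subjects := []kapi.ObjectReference{
		{
			Kind: authorizationapi.SystemGroupKind,
			Name: bootstrappolicy.AuthenticatedGroup,
		},
	}
	options := policy.RoleModificationOptions{
		RoleNamespace:       testutil.Namespace(),
		RoleName:            bootstrappolicy.BuildStrategyCustomRoleName,
		RoleBindingAccessor: clusterRoleBindingAccessor,
		Subjects:            subjects,
	}
	// Fail immediately if the grant itself is rejected, rather than letting
	// the policy wait below fail later with a less specific error.
	if err := options.AddRole(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	// The binding is not necessarily effective at once; wait until "create"
	// on the custom build resource is reported as allowed.
	if err := testutil.WaitForPolicyUpdate(projectAdminClient, testutil.Namespace(), "create", buildapi.Resource(authorizationapi.CustomBuildResource), true); err != nil {
		t.Fatal(err)
	}

	imageStream := mockImageStream2(tag)
	imageStreamMapping := mockImageStreamMapping(imageStream.Name, "someimage", tag, "registry:8080/openshift/test-image-trigger:"+tag)
	strategy := customStrategy("ImageStreamTag", streamName+":"+tag)
	config := imageChangeBuildConfigWithConfigChange("custom-imagestreamtag", strategy)
	runTest(t, "SimpleImageChangeBuildTriggerFromImageStreamTagCustom", projectAdminClient, imageStream, imageStreamMapping, config, tag)
}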
// simulates: oadm policy add-cluster-role-to-user roleName userName func addClusterRoleToUser(c *oclient.Client, f *cmdutil.Factory, roleName string, userName string) error { options := policy.RoleModificationOptions{ RoleName: roleName, RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(c), Users: []string{userName}, } return options.AddRole() }
// AddClusterRole binds the cluster role named role to user through a cluster
// role binding, so the grant is cluster-wide rather than scoped to a namespace.
// It returns whatever error AddRole reports.
func AddClusterRole(osClient client.Interface, role, user string) error {
	grant := policy.RoleModificationOptions{
		RoleName:            role,
		RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(osClient),
		Users:               []string{user},
	}
	return grant.AddRole()
}
// simulates: oadm policy add-cluster-role-to-user roleName userName func addClusterRoleToUser(c *oclient.Client, f *cmdutil.Factory, roleName string, userName string) error { namespace, _, err := f.DefaultNamespace() if err != nil { util.Info("No namespace!'\n") return err } options := policy.RoleModificationOptions{ RoleName: roleName, RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, c), Users: []string{userName}, } return options.AddRole() }
// AddRoleToServiceAccount grants role to the service account sa through a
// role binding local to namespace. The subject is qualified with the same
// namespace, so the service account and the binding are in the same namespace.
// It returns whatever error AddRole reports.
func AddRoleToServiceAccount(osClient client.Interface, role, sa, namespace string) error {
	subject := kapi.ObjectReference{
		Namespace: namespace,
		Name:      sa,
		Kind:      "ServiceAccount",
	}
	grant := policy.RoleModificationOptions{
		RoleName:            role,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, osClient),
		Subjects:            []kapi.ObjectReference{subject},
	}
	return grant.AddRole()
}
// TestPolicyCommands checks that role subjects can be added to and removed
// from a project's "view" role binding.
//
// It starts a test master, creates project "hammer-project" for user harold,
// grants the view role to user valerie and group my-group, then removes the
// user and the group one at a time. After each step it re-reads the binding
// to verify that only the targeted subject changed.
func TestPolicyCommands(t *testing.T) {
	_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	const projectName = "hammer-project"

	haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, "harold")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	// assertViewBinding re-reads the "view" role binding and reports a test
	// error for each subject whose presence differs from what is wanted.
	assertViewBinding := func(wantValerie, wantMyGroup bool) {
		viewers, err := haroldClient.RoleBindings(projectName).Get("view")
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
		binding := authorizationinterfaces.NewLocalRoleBindingAdapter(viewers)

		switch hasValerie := binding.Users().Has("valerie"); {
		case wantValerie && !hasValerie:
			t.Errorf("expected valerie in users: %v", binding.Users())
		case !wantValerie && hasValerie:
			t.Errorf("unexpected valerie in users: %v", binding.Users())
		}

		switch hasMyGroup := binding.Groups().Has("my-group"); {
		case wantMyGroup && !hasMyGroup:
			t.Errorf("expected my-group in groups: %v", binding.Groups())
		case !wantMyGroup && hasMyGroup:
			t.Errorf("unexpected my-group in groups: %v", binding.Groups())
		}
	}

	// Step 1: grant view to both the user and the group.
	addViewer := policy.RoleModificationOptions{
		RoleName:            bootstrappolicy.ViewRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(projectName, haroldClient),
		Users:               []string{"valerie"},
		Groups:              []string{"my-group"},
	}
	if err := addViewer.AddRole(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	assertViewBinding(true, true)

	// Step 2: removing the user must leave the group in place.
	removeValerie := policy.RemoveFromProjectOptions{
		BindingNamespace: projectName,
		Client:           haroldClient,
		Users:            []string{"valerie"},
		Out:              ioutil.Discard,
	}
	if err := removeValerie.Run(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	assertViewBinding(false, true)

	// Step 3: removing the group leaves neither subject on the binding.
	removeMyGroup := policy.RemoveFromProjectOptions{
		BindingNamespace: projectName,
		Client:           haroldClient,
		Groups:           []string{"my-group"},
		Out:              ioutil.Discard,
	}
	if err := removeMyGroup.Run(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	assertViewBinding(false, false)
}
// InstallMetrics installs the metrics components unless the metrics service
// already exists in the infra namespace, in which case it returns nil
// without changing anything.
//
// Installation runs these steps in order and stops at the first failure:
// create the metrics deployer service account, grant it the "edit" role in
// the infra namespace, grant "cluster-reader" to the heapster service account
// through a cluster role binding, create the deployer secret, and create the
// deployer pod. Nothing created by an earlier step is removed when a later
// step fails.
//
// Every returned error is wrapped with its cause and the origin log.
func (h *Helper) InstallMetrics(f *clientcmd.Factory, hostName, imagePrefix, imageVersion string) error {
	osClient, kubeClient, err := f.Clients()
	if err != nil {
		return errors.NewError("cannot obtain API clients").WithCause(err).WithDetails(h.OriginLog())
	}

	// The presence of the metrics service is the "already installed" marker.
	switch _, err = kubeClient.Services(infraNamespace).Get(svcMetrics); {
	case err == nil:
		return nil
	case !apierrors.IsNotFound(err):
		return errors.NewError("error retrieving metrics service").WithCause(err).WithDetails(h.OriginLog())
	}

	// Service account under which the metrics deployer runs.
	deployerSA := &kapi.ServiceAccount{}
	deployerSA.Name = metricsDeployerSA
	if _, err = kubeClient.ServiceAccounts(infraNamespace).Create(deployerSA); err != nil {
		return errors.NewError("cannot create metrics deployer service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// "edit" for the deployer service account, scoped to the infra namespace
	// by the local role binding accessor.
	editGrant := policy.RoleModificationOptions{
		RoleName:            "edit",
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(infraNamespace, osClient),
		Subjects: []kapi.ObjectReference{
			{
				Namespace: infraNamespace,
				Name:      metricsDeployerSA,
				Kind:      "ServiceAccount",
			},
		},
	}
	if err = editGrant.AddRole(); err != nil {
		return errors.NewError("cannot add edit role to metrics deployer service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// "cluster-reader" for heapster, bound cluster-wide.
	// NOTE(review): the user string hard-codes the openshift-infra namespace
	// while the other steps use infraNamespace; confirm the two always match.
	readerGrant := policy.RoleModificationOptions{
		RoleName:            "cluster-reader",
		RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(osClient),
		Users:               []string{"system:serviceaccount:openshift-infra:heapster"},
	}
	if err = readerGrant.AddRole(); err != nil {
		return errors.NewError("cannot add cluster reader role to heapster service account").WithCause(err).WithDetails(h.OriginLog())
	}

	// The secret holds a single "nothing" key whose value is "/dev/null".
	secret := &kapi.Secret{}
	secret.Name = metricsDeployerSecret
	secret.Data = map[string][]byte{"nothing": []byte("/dev/null")}
	if _, err = kubeClient.Secrets(infraNamespace).Create(secret); err != nil {
		return errors.NewError("cannot create metrics deployer secret").WithCause(err).WithDetails(h.OriginLog())
	}

	// Creating the deployer pod is the last step of the installation.
	pod := metricsDeployerPod(hostName, imagePrefix, imageVersion)
	if _, err = kubeClient.Pods(infraNamespace).Create(pod); err != nil {
		return errors.NewError("cannot create metrics deployer pod").WithCause(err).WithDetails(h.OriginLog())
	}
	return nil
}