test(e2e): support multiple tenant owners(add applications to act as …
…tenant owners)
Maksim Fedotov committed Jul 8, 2021
1 parent 480b897 commit 74d8494
Showing 36 changed files with 360 additions and 295 deletions.
12 changes: 7 additions & 5 deletions e2e/additional_role_bindings_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("creating a Namespace with an additional Role Binding", func()
Name: "additional-role-binding",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "dale",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "dale",
Kind: "User",
},
},
AdditionalRoleBindings: []capsulev1beta1.AdditionalRoleBindingsSpec{
{
Expand Down Expand Up @@ -55,13 +57,13 @@ var _ = Describe("creating a Namespace with an additional Role Binding", func()
It("should be assigned to each Namespace", func() {
for _, ns := range []string{"rb-1", "rb-2", "rb-3"} {
ns := NewNamespace(ns)
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
TenantNamespaceList(tnt, defaultTimeoutInterval).Should(ContainElement(ns.GetName()))

var rb *rbacv1.RoleBinding

Eventually(func() (err error) {
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
rb, err = cs.RbacV1().RoleBindings(ns.Name).Get(context.Background(), fmt.Sprintf("capsule-%s-0-%s", tnt.Name, "crds-rolebinding"), metav1.GetOptions{})
return err
}, defaultTimeoutInterval, defaultPollInterval).Should(Succeed())
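Review bot: The migrated test only ever acts as `tnt.Spec.Owners[0]`, and the fixture lists a single owner of Kind `User`, so nothing visible here exercises a second owner or an application owner, which is the case the commit title adds. For a multi-tenancy control that leaves a gap: a regression that provisions the additional RoleBinding only for the first entry in `Owners` would still pass. Consider declaring a second `OwnerSpec` in the fixture and repeating the read-side check per owner, e.g. `for _, owner := range tnt.Spec.Owners { cs := ownerClient(owner); ... }` around the `RoleBindings(ns.Name).Get` call. The other e2e sections on this page follow the same single-owner pattern; dedicated multi-owner coverage may exist in the changed files not shown here. The `It` closure continues past the end of this hunk.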
20 changes: 11 additions & 9 deletions e2e/allowed_external_ips_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("enforcing an allowed set of Service external IPs", func() {
Name: "allowed-external-ip",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "google",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "google",
Kind: "User",
},
},
ExternalServiceIPs: &capsulev1beta1.ExternalServiceIPsSpec{
Allowed: []capsulev1beta1.AllowedIP{
Expand All @@ -48,7 +50,7 @@ var _ = Describe("enforcing an allowed set of Service external IPs", func() {

It("should fail creating an evil service", func() {
ns := NewNamespace("evil-service")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -73,15 +75,15 @@ var _ = Describe("enforcing an allowed set of Service external IPs", func() {
},
}
EventuallyCreation(func() error {
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
_, err := cs.CoreV1().Services(ns.Name).Create(context.Background(), svc, metav1.CreateOptions{})
return err
}).ShouldNot(Succeed())
})

It("should allow the first CIDR block", func() {
ns := NewNamespace("allowed-service-cidr")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -106,15 +108,15 @@ var _ = Describe("enforcing an allowed set of Service external IPs", func() {
},
}
EventuallyCreation(func() error {
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
_, err := cs.CoreV1().Services(ns.Name).Create(context.Background(), svc, metav1.CreateOptions{})
return err
}).Should(Succeed())
})

It("should allow the /32 CIDR block", func() {
ns := NewNamespace("allowed-service-strict")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -138,7 +140,7 @@ var _ = Describe("enforcing an allowed set of Service external IPs", func() {
},
}
EventuallyCreation(func() error {
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
_, err := cs.CoreV1().Services(ns.Name).Create(context.Background(), svc, metav1.CreateOptions{})
return err
}).Should(Succeed())
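Review bot: The deny case `should fail creating an evil service` accepts any error, because `EventuallyCreation(...).ShouldNot(Succeed())` is satisfied by an authentication or RBAC failure just as well as by the external-IP policy rejecting the Service. This matters more after this change, since `ownerClient` now receives an `OwnerSpec`; if that helper (its body is not visible here) builds the wrong identity for some kind, every create fails and the negative tests still pass. Capture the error and assert on the rejection itself, for example that it is an API status error whose message refers to the disallowed external IP, rather than on non-nil alone. The same applies to `Expect(err).ShouldNot(Succeed())` in e2e/container_registry_test.go (which also calls `Create` once without the retry the allow cases use), the NodePort deny case in e2e/disable_node_ports_test.go, and the `NamespaceCreation(...).ShouldNot(Succeed())` calls in e2e/custom_capsule_group_test.go and e2e/force_tenant_prefix_test.go.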
22 changes: 12 additions & 10 deletions e2e/container_registry_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("enforcing a Container Registry", func() {
Name: "container-registry",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "matt",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "matt",
Kind: "User",
},
},
ContainerRegistries: &capsulev1beta1.AllowedListSpec{
Exact: []string{"docker.io", "docker.tld"},
Expand All @@ -46,7 +48,7 @@ var _ = Describe("enforcing a Container Registry", func() {

It("should add labels to Namespace", func() {
ns := NewNamespace("registry-labels")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
Eventually(func() (ok bool) {
Expect(k8sClient.Get(context.Background(), types.NamespacedName{Name: ns.Name}, ns)).Should(Succeed())
ok, _ = HaveKeyWithValue("capsule.clastix.io/allowed-registries", "docker.io,docker.tld").Match(ns.Annotations)
Expand All @@ -63,7 +65,7 @@ var _ = Describe("enforcing a Container Registry", func() {

It("should deny running a gcr.io container", func() {
ns := NewNamespace("registry-deny")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -78,14 +80,14 @@ var _ = Describe("enforcing a Container Registry", func() {
},
},
}
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
_, err := cs.CoreV1().Pods(ns.Name).Create(context.Background(), pod, metav1.CreateOptions{})
Expect(err).ShouldNot(Succeed())
})

It("should allow using an exact match", func() {
ns := NewNamespace("registry-list")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -101,7 +103,7 @@ var _ = Describe("enforcing a Container Registry", func() {
},
}

cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
EventuallyCreation(func() error {
_, err := cs.CoreV1().Pods(ns.Name).Create(context.Background(), pod, metav1.CreateOptions{})
return err
Expand All @@ -110,7 +112,7 @@ var _ = Describe("enforcing a Container Registry", func() {

It("should allow using a regex match", func() {
ns := NewNamespace("registry-regex")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

pod := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -126,7 +128,7 @@ var _ = Describe("enforcing a Container Registry", func() {
},
}

cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
EventuallyCreation(func() error {
_, err := cs.CoreV1().Pods(ns.Name).Create(context.Background(), pod, metav1.CreateOptions{})
return err
14 changes: 8 additions & 6 deletions e2e/custom_capsule_group_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("creating a Namespace as Tenant owner with custom --capsule-gro
Name: "tenant-assigned-custom-group",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "alice",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "alice",
Kind: "User",
},
},
},
}
Expand All @@ -46,7 +48,7 @@ var _ = Describe("creating a Namespace as Tenant owner with custom --capsule-gro
})

ns := NewNamespace("cg-namespace-fail")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).ShouldNot(Succeed())
})

It("should succeed and be available in Tenant namespaces list with multiple groups", func() {
Expand All @@ -56,7 +58,7 @@ var _ = Describe("creating a Namespace as Tenant owner with custom --capsule-gro

ns := NewNamespace("cg-namespace-1")

NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
TenantNamespaceList(tnt, defaultTimeoutInterval).Should(ContainElement(ns.GetName()))
})

Expand All @@ -67,7 +69,7 @@ var _ = Describe("creating a Namespace as Tenant owner with custom --capsule-gro

ns := NewNamespace("cg-namespace-2")

NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
TenantNamespaceList(tnt, defaultTimeoutInterval).Should(ContainElement(ns.GetName()))
})
})
12 changes: 7 additions & 5 deletions e2e/disable_node_ports_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("creating a nodePort service when it is disabled for Tenant", f
Name: "disable-node-ports",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "google",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "google",
Kind: "User",
},
},
EnableNodePorts: false,
},
Expand All @@ -43,7 +45,7 @@ var _ = Describe("creating a nodePort service when it is disabled for Tenant", f

It("should fail creating a service with NodePort type", func() {
ns := NewNamespace("disable-node-ports")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -65,7 +67,7 @@ var _ = Describe("creating a nodePort service when it is disabled for Tenant", f
},
}
EventuallyCreation(func() error {
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
_, err := cs.CoreV1().Services(ns.Name).Create(context.Background(), svc, metav1.CreateOptions{})
return err
}).ShouldNot(Succeed())
12 changes: 7 additions & 5 deletions e2e/enable_node_ports_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("creating a nodePort service when it is enabled for Tenant", fu
Name: "enable-node-ports",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "google",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "google",
Kind: "User",
},
},
},
}
Expand All @@ -42,7 +44,7 @@ var _ = Describe("creating a nodePort service when it is enabled for Tenant", fu

It("should allow creating a service with NodePort type", func() {
ns := NewNamespace("enable-node-ports")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

svc := &corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -64,7 +66,7 @@ var _ = Describe("creating a nodePort service when it is enabled for Tenant", fu
},
}
EventuallyCreation(func() error {
cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])
_, err := cs.CoreV1().Services(ns.Name).Create(context.Background(), svc, metav1.CreateOptions{})
return err
}).Should(Succeed())
24 changes: 14 additions & 10 deletions e2e/force_tenant_prefix_test.go
Expand Up @@ -23,9 +23,11 @@ var _ = Describe("creating a Namespace with Tenant name prefix enforcement", fun
Name: "awesome",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "john",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "john",
Kind: "User",
},
},
},
}
Expand All @@ -34,9 +36,11 @@ var _ = Describe("creating a Namespace with Tenant name prefix enforcement", fun
Name: "awesome-tenant",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "john",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "john",
Kind: "User",
},
},
},
}
Expand Down Expand Up @@ -66,20 +70,20 @@ var _ = Describe("creating a Namespace with Tenant name prefix enforcement", fun

It("should fail when non using prefix", func() {
ns := NewNamespace("awesome")
NamespaceCreation(ns, t1, defaultTimeoutInterval).ShouldNot(Succeed())
NamespaceCreation(ns, t1.Spec.Owners[0], defaultTimeoutInterval).ShouldNot(Succeed())
})

It("should succeed using prefix", func() {
ns := NewNamespace("awesome-namespace")
NamespaceCreation(ns, t1, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, t1.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
})

It("should succeed and assigned according to closest match", func() {
ns1 := NewNamespace("awesome-tenant")
ns2 := NewNamespace("awesome-tenant-namespace")

NamespaceCreation(ns1, t1, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns2, t2, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns1, t1.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns2, t2.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

TenantNamespaceList(t1, defaultTimeoutInterval).Should(ContainElement(ns1.GetName()))
TenantNamespaceList(t2, defaultTimeoutInterval).Should(ContainElement(ns2.GetName()))
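Review bot: In `should succeed and assigned according to closest match`, `t1.Spec.Owners[0]` and `t2.Spec.Owners[0]` are the same identity (`john`, Kind `User`), so the second argument of `NamespaceCreation` no longer tells a reader which Tenant the Namespace is expected to land in. The assertion that actually separates the two tenants is the pair of `TenantNamespaceList` checks below. A short comment above the two calls would keep that intent readable, e.g. `// t1 and t2 share one owner; the Tenant is selected by the Namespace name prefix, not by the owner passed here`. The `It` closure continues past the end of this hunk.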
12 changes: 7 additions & 5 deletions e2e/imagepullpolicy_multiple_test.go
Expand Up @@ -22,9 +22,11 @@ var _ = Describe("enforcing some defined ImagePullPolicy", func() {
Name: "image-pull-policies",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "alex",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "alex",
Kind: "User",
},
},
ImagePullPolicies: []capsulev1beta1.ImagePullPolicySpec{"Always", "IfNotPresent"},
},
Expand All @@ -43,9 +45,9 @@ var _ = Describe("enforcing some defined ImagePullPolicy", func() {

It("should just allow the defined policies", func() {
ns := NewNamespace("allow-policy")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])

By("allowing Always", func() {
pod := &corev1.Pod{
12 changes: 7 additions & 5 deletions e2e/imagepullpolicy_single_test.go
Expand Up @@ -22,9 +22,11 @@ var _ = Describe("enforcing a defined ImagePullPolicy", func() {
Name: "image-pull-policy",
},
Spec: capsulev1beta1.TenantSpec{
Owner: capsulev1beta1.OwnerSpec{
Name: "axel",
Kind: "User",
Owners: []capsulev1beta1.OwnerSpec{
{
Name: "axel",
Kind: "User",
},
},
ImagePullPolicies: []capsulev1beta1.ImagePullPolicySpec{"Always"},
},
Expand All @@ -43,9 +45,9 @@ var _ = Describe("enforcing a defined ImagePullPolicy", func() {

It("should just allow the defined policy", func() {
ns := NewNamespace("allow-policies")
NamespaceCreation(ns, tnt, defaultTimeoutInterval).Should(Succeed())
NamespaceCreation(ns, tnt.Spec.Owners[0], defaultTimeoutInterval).Should(Succeed())

cs := ownerClient(tnt)
cs := ownerClient(tnt.Spec.Owners[0])

By("allowing Always", func() {
pod := &corev1.Pod{