update dag-deploy permissions for rollback feature (#494)

* Update roles needed for dag-deploy components * Add target: test * Update hooks. Forbid role-binding with a dash. * Extend dag-deploy tests
astronomer · May 14, 2024 · 23adf3d · 23adf3d
1 parent 023e7ce
commit 23adf3d
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 12 deletions.
diff --git a/Makefile b/Makefile
@@ -11,6 +11,9 @@ venv: ## Setup venv required for unit testing the helm chart
 charts: ## Update dependent charts
 	helm dep update
 
+.PHONY: test
+test: unittest-chart ## Run all tests
+
 .PHONY: unittest-chart
 unittest-chart: charts venv ## Unittest the helm chart
 	# Protip: you can modify pytest behavior like: make unittest-chart PYTEST_ADDOPTS='-v --maxfail=1 --pdb -k 1.20'

diff --git a/templates/dag-deploy/dag-deploy-role.yaml b/templates/dag-deploy/dag-deploy-role.yaml
@@ -9,8 +9,8 @@ metadata:
   name: {{ .Release.Name }}-dag-server-role
 rules:
 - apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "watch", "list"]
+  resources: ["configmaps"]
+  verbs: ["create", "get", "list", "patch", "update", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,6 +19,7 @@ metadata:
   name: {{ .Release.Name }}-dag-downloader-role
 rules:
 - apiGroups: [""]
-  resources: ["events"]
-  verbs: ["watch"]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+
 {{- end -}}
diff --git a/tests/chart/test_dag_deploy_role.py b/tests/chart/test_dag_deploy_role.py
@@ -24,7 +24,26 @@ def test_dag_server_role_dag_server_enabled(self, kube_version):
             values=values,
         )
         assert len(docs) == 2
-        doc = docs[0]
-        assert doc["kind"] == "Role"
-        assert doc["apiVersion"] == "rbac.authorization.k8s.io/v1"
-        assert doc["metadata"]["name"] == "release-name-dag-server-role"
+        for doc in docs:
+            assert doc["kind"] == "Role"
+            assert doc["apiVersion"] == "rbac.authorization.k8s.io/v1"
+            assert doc["rules"][0]["apiGroups"] == [""]
+            assert doc["rules"][0]["resources"] == ["configmaps"]
+
+        server = docs[0]
+        downloader = docs[1]
+
+        assert server["metadata"]["name"] == "release-name-dag-server-role"
+        assert len(server["rules"]) == 1
+        assert server["rules"][0]["verbs"] == [
+            "create",
+            "get",
+            "list",
+            "patch",
+            "update",
+            "watch",
+        ]
+
+        assert downloader["metadata"]["name"] == "release-name-dag-downloader-role"
+        assert len(downloader["rules"]) == 1
+        assert downloader["rules"][0]["verbs"] == ["get", "list", "watch"]
diff --git a/tests/chart/test_dag_deploy_rolebinding.py b/tests/chart/test_dag_deploy_rolebinding.py
@@ -21,10 +21,34 @@ def test_dag_deploy_rolebinding_dag_server_enabled(self, kube_version):
         docs = render_chart(
             kube_version=kube_version,
             show_only="templates/dag-deploy/dag-deploy-rolebinding.yaml",
+            namespace="test-namespace",
             values=values,
         )
         assert len(docs) == 2
-        doc = docs[0]
-        assert doc["kind"] == "RoleBinding"
-        assert doc["apiVersion"] == "rbac.authorization.k8s.io/v1"
-        assert doc["metadata"]["name"] == "release-name-dag-server-rolebinding"
+        for doc in docs:
+            assert doc["kind"] == "RoleBinding"
+            assert doc["apiVersion"] == "rbac.authorization.k8s.io/v1"
+
+        server = docs[0]
+        downloader = docs[1]
+
+        assert server["metadata"]["name"] == "release-name-dag-server-rolebinding"
+        assert len(server["subjects"]) == 1
+        assert server["subjects"][0]["kind"] == "ServiceAccount"
+        assert server["subjects"][0]["name"] == "release-name-dag-server"
+        assert server["subjects"][0]["namespace"] == "test-namespace"
+        assert server["roleRef"]["kind"] == "Role"
+        assert server["roleRef"]["name"] == "release-name-dag-server-role"
+        assert server["roleRef"]["apiGroup"] == "rbac.authorization.k8s.io"
+
+        assert (
+            downloader["metadata"]["name"] == "release-name-dag-downloader-rolebinding"
+        )
+        assert len(downloader["subjects"]) == 4
+        assert all(sub["kind"] == "ServiceAccount" for sub in downloader["subjects"])
+        assert all(
+            sub["namespace"] == "test-namespace" for sub in downloader["subjects"]
+        )
+        assert downloader["roleRef"]["kind"] == "Role"
+        assert downloader["roleRef"]["name"] == "release-name-dag-downloader-role"
+        assert downloader["roleRef"]["apiGroup"] == "rbac.authorization.k8s.io"