add ServiceAccount test

Author: cognifloyd

CHANGELOG.md

@@ -4,7 +4,7 @@
 * Advanced Feature: Make securityContext (on Deployments/Jobs) and podSecurityContext (on Pods) configurable. This allows dropping all capabilities, for example. You can override the securityContext for `st2actionrunner`, `st2sensorcontainer`, and `st2client` if your actions or sensors need, for example, additional capabilites that the rest of StackStorm does not need. (#271) (by @cognifloyd)
 * Prefix template helpers with chart name and format helper comments as template comments. (#272) (by @cognifloyd)
 * New feature: Add `extra_volumes` to all python-based st2 deployments. This can facilitate changing log levels by loading logging conf file(s) from a custom ConfigMap. (#276) (by @cognifloyd)
-* Initialize basic unittest infrastructure using `helm-unittest`. Added tests for labels, custom annotations, SecurityContext, pullSecrets, pullPolicy, Resources, nodeSelector, tolerations, affinity, dnsPolicy, and dnsConfig. (#284, #288)
+* Initialize basic unittest infrastructure using `helm-unittest`. Added tests for labels, custom annotations, SecurityContext, pullSecrets, pullPolicy, Resources, nodeSelector, tolerations, affinity, dnsPolicy, dnsConfig, and ServiceAccount attach. (#284, #288)
 
 ## v0.80.0
 * Switch st2 to `v3.6` as a new default stable version (#274)

tests/unit/service_account_test.yaml

@@ -0,0 +1,217 @@
+---
+suite: ServiceAccount
+templates:
+  # primary template files
+  - service-account.yaml
+  - deployments.yaml
+
+  # ServiceAccount doesn't attach to Jobs
+
+  # included templates must also be listed
+  - configmaps_packs.yaml
+  - configmaps_rbac.yaml
+  - configmaps_st2-conf.yaml
+  - configmaps_st2web.yaml
+  - secrets_datastore_crypto_key.yaml
+  - secrets_ssh.yaml
+  - secrets_st2auth.yaml
+  - secrets_st2chatops.yaml
+
+# ServiceAccount
+#   serviceAccount.create
+# attach ServiceAccount
+#   st2web: { serviceAccount: { attach: true } }
+#   st2auth: { serviceAccount: { attach: true } }
+#   st2api: { serviceAccount: { attach: true } }
+#   st2stream: { serviceAccount: { attach: true } }
+#   st2rulesengine: { serviceAccount: { attach: true } }
+#   st2timersengine: { serviceAccount: { attach: true } }
+#   st2workflowengine: { serviceAccount: { attach: true } }
+#   st2scheduler: { serviceAccount: { attach: true } }
+#   st2notifier: { serviceAccount: { attach: true } }
+#   st2actionrunner: { serviceAccount: { attach: true } }
+#   st2sensorcontainer: { serviceAccount: { attach: true } }
+#   st2garbagecollector: { serviceAccount: { attach: true } }
+#   st2chatops: { serviceAccount: { attach: true } }
+
+tests:
+  - it: ServiceAccount created by default
+    template: service-account.yaml
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - isAPIVersion:
+          of: v1
+      # service account name is chart name by default
+      - equal:
+          path: metadata.name
+          value: stackstorm-ha
+
+  - it: ServiceAccount creation can be disabled
+    template: service-account.yaml
+    set:
+      serviceAccount:
+        create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: Deployments do not attach ServiceAccount by default
+    template: deployments.yaml
+    set:
+      st2:
+        packs: { sensors: [] } # ensure only 1 sensor
+      st2chatops:
+        enabled: true
+    asserts:
+      - hasDocuments:
+          count: 14
+      - isNull:
+          path: spec.template.spec.serviceAccountName
+
+  - it: Deployments can attach ServiceAccount with default name (except st2client)
+    template: deployments.yaml
+    set:
+      st2:
+        packs: { sensors: [] } # ensure only 1 sensor
+      st2web:
+        serviceAccount: &attach_sa
+          attach: true
+      st2auth:
+        serviceAccount: *attach_sa
+      st2api:
+        serviceAccount: *attach_sa
+      st2stream:
+        serviceAccount: *attach_sa
+      st2rulesengine:
+        serviceAccount: *attach_sa
+      st2timersengine:
+        serviceAccount: *attach_sa
+      st2workflowengine:
+        serviceAccount: *attach_sa
+      st2scheduler:
+        serviceAccount: *attach_sa
+      st2notifier:
+        serviceAccount: *attach_sa
+      st2actionrunner:
+        serviceAccount: *attach_sa
+      st2sensorcontainer:
+        serviceAccount: *attach_sa
+      st2garbagecollector:
+        serviceAccount: *attach_sa
+      st2chatops:
+        enabled: true
+        serviceAccount: *attach_sa
+    asserts:
+      - hasDocuments:
+          count: 14
+      # st2client does not allow attaching serviceAccount
+      - isNull:
+          path: spec.template.spec.serviceAccountName
+        documentIndex: 12
+
+      # all but st2client means documentIndexes 0-11,13
+      - equal: &assert_sa_default
+          path: spec.template.spec.serviceAccountName
+          value: stackstorm-ha
+        documentIndex: 0
+      - equal: *assert_sa_default
+        documentIndex: 1
+      - equal: *assert_sa_default
+        documentIndex: 2
+      - equal: *assert_sa_default
+        documentIndex: 3
+      - equal: *assert_sa_default
+        documentIndex: 4
+      - equal: *assert_sa_default
+        documentIndex: 5
+      - equal: *assert_sa_default
+        documentIndex: 6
+      - equal: *assert_sa_default
+        documentIndex: 7
+      - equal: *assert_sa_default
+        documentIndex: 8
+      - equal: *assert_sa_default
+        documentIndex: 9
+      - equal: *assert_sa_default
+        documentIndex: 10
+      - equal: *assert_sa_default
+        documentIndex: 11
+      - equal: *assert_sa_default
+        documentIndex: 13
+
+
+  - it: Deployments can attach ServiceAccount with alternate name (except st2client)
+    template: deployments.yaml
+    set:
+      serviceAccount:
+        serviceAccountName: custom-service-account
+      st2:
+        packs: { sensors: [] } # ensure only 1 sensor
+      st2web:
+        serviceAccount: *attach_sa
+      st2auth:
+        serviceAccount: *attach_sa
+      st2api:
+        serviceAccount: *attach_sa
+      st2stream:
+        serviceAccount: *attach_sa
+      st2rulesengine:
+        serviceAccount: *attach_sa
+      st2timersengine:
+        serviceAccount: *attach_sa
+      st2workflowengine:
+        serviceAccount: *attach_sa
+      st2scheduler:
+        serviceAccount: *attach_sa
+      st2notifier:
+        serviceAccount: *attach_sa
+      st2actionrunner:
+        serviceAccount: *attach_sa
+      st2sensorcontainer:
+        serviceAccount: *attach_sa
+      st2garbagecollector:
+        serviceAccount: *attach_sa
+      st2chatops:
+        enabled: true
+        serviceAccount: *attach_sa
+    asserts:
+      - hasDocuments:
+          count: 14
+      # st2client does not allow attaching serviceAccount
+      - isNull:
+          path: spec.template.spec.serviceAccountName
+        documentIndex: 12
+
+      # all but st2client means documentIndexes 0-11,13
+      - equal: &assert_sa_custom
+          path: spec.template.spec.serviceAccountName
+          value: custom-service-account
+        documentIndex: 0
+      - equal: *assert_sa_custom
+        documentIndex: 1
+      - equal: *assert_sa_custom
+        documentIndex: 2
+      - equal: *assert_sa_custom
+        documentIndex: 3
+      - equal: *assert_sa_custom
+        documentIndex: 4
+      - equal: *assert_sa_custom
+        documentIndex: 5
+      - equal: *assert_sa_custom
+        documentIndex: 6
+      - equal: *assert_sa_custom
+        documentIndex: 7
+      - equal: *assert_sa_custom
+        documentIndex: 8
+      - equal: *assert_sa_custom
+        documentIndex: 9
+      - equal: *assert_sa_custom
+        documentIndex: 10
+      - equal: *assert_sa_custom
+        documentIndex: 11
+      - equal: *assert_sa_custom
+        documentIndex: 13
+