
Commit 950a2bd

committed
updated operations tests for job and dedicated RBAC
1 parent 1037266 commit 950a2bd


1 file changed

+39
-36
lines changed


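--- a/internal/unit_tests/helm_template_neo4j_operations_test.go
+++ b/internal/unit_tests/helm_template_neo4j_operations_test.go
@@ -6,6 +6,7 @@ import (
 
 "github.com/neo4j/helm-charts/internal/model"
 "github.com/stretchr/testify/assert"
+batchv1 "k8s.io/api/batch/v1"
 v1 "k8s.io/api/core/v1"
 v12 "k8s.io/api/rbac/v1"
 )
@@ -32,15 +33,16 @@ func TestNeo4jOperationsEnableServer(t *testing.T) {
 return
 }
 
-operationsPod := manifest.OfTypeWithName(
-&v1.Pod{},
+operationsJob := manifest.OfTypeWithName(
+&batchv1.Job{},
 fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
-).(*v1.Pod)
-assert.NotNil(t, operationsPod, "operations pod not found")
-assert.Equal(t, operationsPod.Spec.RestartPolicy, v1.RestartPolicyNever)
-assert.Len(t, operationsPod.Spec.Containers, 1)
+).(*batchv1.Job)
+assert.NotNil(t, operationsJob, "operations job not found")
+podSpec := operationsJob.Spec.Template.Spec
+assert.Equal(t, podSpec.RestartPolicy, v1.RestartPolicyNever)
+assert.Len(t, podSpec.Containers, 1)
 envVarNames := make(map[string]bool)
-for _, envVar := range operationsPod.Spec.Containers[0].Env {
+for _, envVar := range podSpec.Containers[0].Env {
 envVarNames[envVar.Name] = true
 }
 
@@ -50,7 +52,7 @@ func TestNeo4jOperationsEnableServer(t *testing.T) {
 assert.True(t, envVarNames[required], "Required environment variable %s not found", required)
 }
 
-for _, envVar := range operationsPod.Spec.Containers[0].Env {
+for _, envVar := range podSpec.Containers[0].Env {
 switch envVar.Name {
 case "RELEASE_NAME", "NAMESPACE", "SECRETNAME", "PROTOCOL":
 case "SSL_DISABLE_HOSTNAME_VERIFICATION", "SSL_INSECURE_SKIP_VERIFY":
@@ -59,7 +61,7 @@ func TestNeo4jOperationsEnableServer(t *testing.T) {
 }
 }
 
-for _, envVar := range operationsPod.Spec.Containers[0].Env {
+for _, envVar := range podSpec.Containers[0].Env {
 switch envVar.Name {
 case "RELEASE_NAME":
 assert.Equal(t, envVar.Value, model.DefaultHelmTemplateReleaseName.String())
@@ -71,32 +73,33 @@ func TestNeo4jOperationsEnableServer(t *testing.T) {
 assert.Equal(t, envVar.Value, "neo4j")
 }
 }
-assert.Contains(t, operationsPod.ObjectMeta.Labels, "testkey")
+assert.Contains(t, operationsJob.ObjectMeta.Labels, "testkey")
 
 operationsRole := manifest.OfTypeWithName(
 &v12.Role{},
-fmt.Sprintf("%s-secrets-reader", model.DefaultHelmTemplateReleaseName.String()),
+fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
 ).(*v12.Role)
 assert.NotNil(t, operationsRole, "operations role not found")
 assert.Len(t, operationsRole.Rules, 1)
-assert.Equal(t, operationsRole.Rules[0].Verbs, []string{"get", "watch", "list"})
+assert.Equal(t, operationsRole.Rules[0].Verbs, []string{"get"})
 assert.Equal(t, operationsRole.Rules[0].Resources, []string{"secrets"})
+assert.NotEmpty(t, operationsRole.Rules[0].ResourceNames, "operations role should have resourceNames for least-privilege")
 
-serviceAccount := manifest.OfTypeWithName(
+operationsServiceAccount := manifest.OfTypeWithName(
 &v1.ServiceAccount{},
-model.DefaultHelmTemplateReleaseName.String(),
+fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
 ).(*v1.ServiceAccount)
-assert.NotNil(t, serviceAccount, "serviceaccount not found")
+assert.NotNil(t, operationsServiceAccount, "operations serviceaccount not found")
 
 operationsRoleBinding := manifest.OfTypeWithName(
 &v12.RoleBinding{},
-fmt.Sprintf("%s-secrets-binding", model.DefaultHelmTemplateReleaseName.String()),
+fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
 ).(*v12.RoleBinding)
 assert.NotNil(t, operationsRoleBinding, "operations role binding not found")
 assert.Equal(t, operationsRoleBinding.RoleRef.Name, operationsRole.Name)
 assert.Len(t, operationsRoleBinding.Subjects, 1)
 assert.Equal(t, operationsRoleBinding.Subjects[0].Kind, "ServiceAccount")
-assert.Equal(t, operationsRoleBinding.Subjects[0].Name, serviceAccount.Name)
+assert.Equal(t, operationsRoleBinding.Subjects[0].Name, operationsServiceAccount.Name)
 
 }
 
@@ -125,15 +128,15 @@ func TestNeo4jOperationsWithSSLConfiguration(t *testing.T) {
 return
 }
 
-operationsPod := manifest.OfTypeWithName(
-&v1.Pod{},
+operationsJob := manifest.OfTypeWithName(
+&batchv1.Job{},
 fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
-).(*v1.Pod)
-assert.NotNil(t, operationsPod, "operations pod not found")
+).(*batchv1.Job)
+assert.NotNil(t, operationsJob, "operations job not found")
 
 // Check for SSL environment variables
 envVars := make(map[string]string)
-for _, envVar := range operationsPod.Spec.Containers[0].Env {
+for _, envVar := range operationsJob.Spec.Template.Spec.Containers[0].Env {
 envVars[envVar.Name] = envVar.Value
 }
 
@@ -159,15 +162,15 @@ func TestNeo4jOperationsEnableServerForStandalone(t *testing.T) {
 return
 }
 
-operationsPod := manifest.OfTypeWithName(
-&v1.Pod{},
+operationsJob := manifest.OfTypeWithName(
+&batchv1.Job{},
 fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
 )
-assert.Nil(t, operationsPod, "operations pod should not be present for standalone")
+assert.Nil(t, operationsJob, "operations job should not be present for standalone")
 
 operationsRole := manifest.OfTypeWithName(
 &v12.Role{},
-fmt.Sprintf("%s-secrets-reader", model.DefaultHelmTemplateReleaseName.String()),
+fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
 )
 assert.Nil(t, operationsRole, "operations role should not be present for standalone")
 
@@ -194,13 +197,13 @@ func TestNeo4jOperationsImagePullSecrets(t *testing.T) {
 return
 }
 
-operationsPod := manifest.OfTypeWithName(
-&v1.Pod{},
+operationsJob := manifest.OfTypeWithName(
+&batchv1.Job{},
 fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
-).(*v1.Pod)
-assert.NotNil(t, operationsPod, "operations pod not found")
+).(*batchv1.Job)
+assert.NotNil(t, operationsJob, "operations job not found")
 
-pullSecrets := operationsPod.Spec.ImagePullSecrets
+pullSecrets := operationsJob.Spec.Template.Spec.ImagePullSecrets
 assert.Len(t, pullSecrets, 2, "should have 2 imagePullSecrets")
 assert.Equal(t, "my-pull-secret", pullSecrets[0].Name)
 assert.Equal(t, "another-secret", pullSecrets[1].Name)
@@ -227,12 +230,12 @@ func TestNeo4jOperationsImagePullSecretsEmpty(t *testing.T) {
 return
 }
 
-operationsPod := manifest.OfTypeWithName(
-&v1.Pod{},
+operationsJob := manifest.OfTypeWithName(
+&batchv1.Job{},
 fmt.Sprintf("%s-operations", model.DefaultHelmTemplateReleaseName.String()),
-).(*v1.Pod)
-assert.NotNil(t, operationsPod, "operations pod not found")
+).(*batchv1.Job)
+assert.NotNil(t, operationsJob, "operations job not found")
 
-pullSecrets := operationsPod.Spec.ImagePullSecrets
+pullSecrets := operationsJob.Spec.Template.Spec.ImagePullSecrets
 assert.Nil(t, pullSecrets, "imagePullSecrets should be nil when empty")
 }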
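Review bot: The RBAC assertions in TestNeo4jOperationsEnableServer confirm that a dedicated ServiceAccount, Role and RoleBinding exist, but nothing checks that the Job's pod template actually runs under that ServiceAccount, so a template that still used the release-wide account would pass. After `operationsServiceAccount` is resolved I would add `assert.Equal(t, operationsServiceAccount.Name, podSpec.ServiceAccountName)`. The new `assert.NotEmpty(t, operationsRole.Rules[0].ResourceNames, ...)` also accepts any list of secret names; capturing the `SECRETNAME` value in the existing env loop and asserting `assert.Equal(t, []string{secretName}, operationsRole.Rules[0].ResourceNames)` would pin the least-privilege scope, assuming that is the secret the Role is meant to cover. In TestNeo4jOperationsEnableServerForStandalone only the Job and Role lookups are visible in the hunk, and the function continues past it; if the absence of the `%s-operations` ServiceAccount and RoleBinding is not asserted further down, it should be added there.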
