fix opa test scaffold

Author: labrenbe

tests/templates/kuttl/opa/10-install-postgresql.yaml

@@ -6,7 +6,7 @@ commands:
       helm install superset-postgresql
       --namespace $NAMESPACE
       --version 12.5.6
-      -f helm-bitnami-postgresql-values.yaml
+      -f 10_helm-bitnami-postgresql-values.yaml
       --repo https://charts.bitnami.com/bitnami postgresql
       --wait
     timeout: 600

tests/templates/kuttl/opa/10_helm-bitnami-postgresql-values.yaml.j2

@@ -0,0 +1,31 @@
+---
+volumePermissions:
+  enabled: false
+  securityContext:
+    runAsUser: auto
+
+primary:
+  podSecurityContext:
+{% if test_scenario['values']['openshift'] == 'true' %}
+    enabled: false
+{% else %}
+    enabled: true
+{% endif %}
+  containerSecurityContext:
+    enabled: false
+  resources:
+    requests:
+      memory: "128Mi"
+      cpu: "512m"
+    limits:
+      memory: "128Mi"
+      cpu: "1"
+
+shmVolume:
+  chmod:
+    enabled: false
+
+auth:
+  username: superset
+  password: superset
+  database: superset

tests/templates/kuttl/opa/20-assert.yaml

@@ -1,14 +1,12 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-metadata:
-  name: test-keycloak
-timeout: 480
+timeout: 300
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: keycloak1
+  name: keycloak
 status:
   readyReplicas: 1
   replicas: 1

tests/templates/kuttl/opa/20-install-keycloak.yaml

@@ -0,0 +1,163 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keycloak
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak
+{% if test_scenario['values']['openshift'] == 'true' %}
+rules:
+- apiGroups: ["security.openshift.io"]
+  resources: ["securitycontextconstraints"]
+  resourceNames: ["privileged"]
+  verbs: ["use"]
+{% endif %}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: keycloak
+roleRef:
+  kind: Role
+  name: keycloak
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl apply -n $NAMESPACE -f - << EOF
+      ---
+      apiVersion: secrets.stackable.tech/v1alpha1
+      kind: SecretClass
+      metadata:
+        name: keycloak-tls-$NAMESPACE
+      spec:
+        backend:
+          autoTls:
+            ca:
+              autoGenerate: true
+              secret:
+                name: tls
+                namespace: $NAMESPACE
+      ---
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: keycloak
+        labels:
+          app: keycloak
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: keycloak
+        template:
+          metadata:
+            labels:
+              app: keycloak
+          spec:
+            serviceAccountName: keycloak
+            containers:
+              - name: keycloak
+                image: quay.io/keycloak/keycloak:23.0.4
+                args:
+                  - start
+                  - --hostname-strict=false
+                  - --https-key-store-file=/tls/keystore.p12
+                  - --https-key-store-password=changeit
+                  - --import-realm
+                env:
+                  - name: KEYCLOAK_ADMIN
+                    value: admin
+                  - name: KEYCLOAK_ADMIN_PASSWORD
+                    valueFrom:
+                      secretKeyRef:
+                        name: keycloak-admin-credentials
+                        key: admin
+                  - name: USER_INFO_FETCHER_CLIENT_ID
+                    valueFrom:
+                      secretKeyRef:
+                        name: user-info-fetcher-client-credentials
+                        key: clientId
+                  - name: USER_INFO_FETCHER_CLIENT_SECRET
+                    valueFrom:
+                      secretKeyRef:
+                        name: user-info-fetcher-client-credentials
+                        key: clientSecret
+                ports:
+                  - name: https
+                    containerPort: 8443
+                readinessProbe:
+                  httpGet:
+                    scheme: HTTPS
+                    path: /realms/master
+                    port: https
+                resources:
+                  limits:
+                    cpu: 1
+                    memory: 1024Mi
+                  requests:
+                    cpu: 500m
+                    memory: 1024Mi
+                volumeMounts:
+                  - name: data
+                    mountPath: /opt/keycloak/data/
+                  - name: tls
+                    mountPath: /tls/
+                  - name: realm-volume
+                    mountPath: /opt/keycloak/data/import
+            securityContext:
+              fsGroup: 1000
+              runAsGroup: 1000
+              runAsUser: 1000
+            volumes:
+              - name: data
+                emptyDir: {}
+              - name: tls
+                ephemeral:
+                  volumeClaimTemplate:
+                    metadata:
+                      annotations:
+                        secrets.stackable.tech/class: keycloak-tls-$NAMESPACE
+                        secrets.stackable.tech/format: tls-pkcs12
+                        secrets.stackable.tech/format.compatibility.tls-pkcs12.password: changeit
+                        secrets.stackable.tech/scope: service=keycloak,node
+                    spec:
+                      storageClassName: secrets.stackable.tech
+                      accessModes:
+                        - ReadWriteOnce
+                      resources:
+                        requests:
+                          storage: "1"
+              - name: realm-volume
+                configMap:
+                  name: keycloak-my-dataspace-realm
+      ---
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: keycloak-admin-credentials
+      stringData:
+        admin: "adminadmin"
+      ---
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: keycloak
+        labels:
+          app: keycloak
+      spec:
+        ports:
+          - name: https
+            port: 8443
+            targetPort: 8443
+        selector:
+          app: keycloak
+      EOF

tests/templates/kuttl/opa/20-install-keycloak.yaml.j2

@@ -0,0 +1,91 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: user-info-fetcher-client-credentials
+stringData:
+  clientId: user-info-fetcher
+  clientSecret: user-info-fetcher-client-secret
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keycloak-my-dataspace-realm
+data:
+  realm.json: |
+    {
+      "realm" : "my-dataspace",
+      "enabled" : true,
+      "groups" : [ {
+        "name" : "group-user",
+        "path" : "/group-user"
+      } ],
+      "users" : [ {
+        "username" : "service-account-user-info-fetcher",
+        "enabled" : true,
+        "totp" : false,
+        "emailVerified" : false,
+        "serviceAccountClientId" : "user-info-fetcher",
+        "credentials" : [ ],
+        "disableableCredentialTypes" : [ ],
+        "requiredActions" : [ ],
+        "realmRoles" : [ "default-roles-my-dataspace" ],
+        "clientRoles" : {
+          "realm-management" : [
+            "view-users"
+          ]
+        },
+        "notBefore" : 0,
+        "groups" : [ ]
+      },
+      {
+          "enabled": true,
+          "username": "alice",
+          "email" : "[email protected]",
+          "credentials": [
+            {
+              "type": "password",
+              "value": "aj238dSbs72k"
+            }
+          ],
+          "realmRoles": [
+            "Test1",
+            "Test2"
+          ]
+        }
+      ],
+      "roles": {
+        "realm": [
+          {
+            "name": "Test1",
+            "description": "Test1"
+          },
+          {
+            "name": "Test2",
+            "description": "Test2"
+          }
+        ]
+      },
+      "clients" : [ {
+        "clientId" : "${USER_INFO_FETCHER_CLIENT_ID}",
+        "surrogateAuthRequired" : false,
+        "enabled" : true,
+        "alwaysDisplayInConsole" : false,
+        "clientAuthenticatorType" : "client-secret",
+        "secret" : "${USER_INFO_FETCHER_CLIENT_SECRET}",
+        "redirectUris" : [ "/*" ],
+        "webOrigins" : [ "/*" ],
+        "notBefore" : 0,
+        "bearerOnly" : false,
+        "serviceAccountsEnabled" : true,
+        "publicClient" : false,
+        "frontchannelLogout" : true,
+        "protocol" : "openid-connect",
+        "attributes" : {
+          "oidc.ciba.grant.enabled" : "true",
+          "oauth2.device.authorization.grant.enabled" : "false"
+        },
+        "authenticationFlowBindingOverrides" : { },
+        "fullScopeAllowed" : true
+      } ]
+    }

tests/templates/kuttl/opa/20-keycloak-realm-cm.yaml

@@ -4,5 +4,5 @@ kind: TestStep
 timeout: 300
 commands:
   - script: >
-      envsubst '$NAMESPACE' < install-superset.yaml |
+      envsubst '$NAMESPACE' < 40_superset.yaml |
       kubectl apply -n $NAMESPACE -f -

tests/templates/kuttl/opa/40-install-superset.yaml

@@ -20,12 +20,13 @@ metadata:
   name: superset
 spec:
   image:
+    custom: docker.stackable.tech/stackable/superset:4.0.2-stackable0.0.0-dev-opa
     productVersion: "{{ test_scenario['values']['superset'] }}"
     pullPolicy: IfNotPresent
   clusterConfig:
     authorization:
       opa:
-        configMapName: simple-opa
+        configMapName: opa
         package: superset
     credentialsSecret: superset-credentials
 {% if lookup('env', 'VECTOR_AGGREGATOR') %}

tests/templates/kuttl/opa/40_install-superset.yaml.j2 renamed to tests/templates/kuttl/opa/40_superset.yaml.j2

@@ -15,6 +15,9 @@ dimensions:
       - no-tls
       - insecure-tls
       - server-verification-tls
+  - name: opa
+    values:
+      - 0.66.0
   - name: openshift
     values:
       - "false"
@@ -43,6 +46,7 @@ tests:
   - name: opa
     dimensions:
       - superset
+      - opa
       - openshift
   - name: resources
     dimensions: