testkube-api: add support for tests service account and rbac (#636)

* testkube-api: add support for tests service account and rbac * testkube-api: add missing rbac * testkube-api: update readme
kubeshop · Sep 22, 2023 · ff7ede1 · ff7ede1
1 parent 87b9da4
commit ff7ede1
Show file tree

Hide file tree

Showing 8 changed files with 204 additions and 68 deletions.
diff --git a/charts/testkube-api/templates/_helpers.tpl b/charts/testkube-api/templates/_helpers.tpl
@@ -58,6 +58,18 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the test service account to use
+*/}}
+{{- define "testkube-api.testServiceAccountName" -}}
+{{- if .Values.testServiceAccount.create }}
+{{- $prefix := default (include "testkube-api.fullname" .) .Values.jobServiceAccountName }}
+{{- printf "%s-%s" $prefix "tests-job" }}
+{{- else }}
+{{- default "default" .Values.jobServiceAccountName }}
+{{- end }}
+{{- end }}
+
 {{/*
 Define API image
 */}}

diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml
@@ -213,7 +213,7 @@ spec:
             - name: TESTKUBE_NAMESPACE
               value: "{{ .Release.Namespace }}"
             - name: JOB_SERVICE_ACCOUNT_NAME
-              value: "{{ .Values.jobServiceAccountName }}"
+              value: {{ if .Values.jobServiceAccountName }}"{{ .Values.jobServiceAccountName }}"{{ else if .Values.testServiceAccount.create }}{{ include "testkube-api.testServiceAccountName" . }}{{ else }}""{{ end }}
             - name: APISERVER_FULLNAME
               value: "{{ include "testkube-api.fullname" . }}"
             - name: APISERVER_CONFIG

diff --git a/charts/testkube-api/templates/role.yaml b/charts/testkube-api/templates/role.yaml
@@ -45,16 +45,6 @@ metadata:
   annotations: {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
   {{- end }}
 rules:
-  - apiGroups:
-      - batch
-    resources:
-      - jobs
-    verbs:
-      - get
-      - watch
-      - list
-      - create
-      - delete
   - apiGroups:
       - ""
     resources:
@@ -610,4 +600,39 @@ rules:
       - get
       - patch
       - update
-{{ end }}
+
+---
+apiVersion: {{ include "global.capabilities.rbac.apiVersion" . }}
+kind: Role
+metadata:
+  name: tests-job-role-{{ .Release.Name }}
+  labels: {{- include "testkube-api.labels" . | nindent 4 }}
+    {{- if .Values.global.labels }}
+    {{- include "global.tplvalues.render" ( dict "value" .Values.global.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.global.annotations}}
+  annotations: {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - get
+      - watch
+      - list
+      - create
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - watch
+      - list
+      - create
+      - delete
+{{- end }}
diff --git a/charts/testkube-api/templates/rolebinding.yaml b/charts/testkube-api/templates/rolebinding.yaml
@@ -197,6 +197,28 @@ subjects:
 
 ---
 
+apiVersion: {{ include "global.capabilities.rbac.apiVersion" . }}
+kind: RoleBinding
+metadata:
+  name: tests-job-crb-{{ .Release.Name }}
+  labels: {{- include "testkube-api.labels" . | nindent 4 }}
+    {{- if .Values.global.labels }}
+    {{- include "global.tplvalues.render" ( dict "value" .Values.global.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.global.annotations}}
+  annotations: {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tests-job-{{ .Release.Name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "testkube-api.testServiceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+
+---
+
 apiVersion: {{ include "global.capabilities.rbac.apiVersion" . }}
 kind: RoleBinding
 metadata:

diff --git a/charts/testkube-api/templates/serviceaccount.yaml b/charts/testkube-api/templates/serviceaccount.yaml
@@ -15,4 +15,24 @@ metadata:
     {{- if .Values.global.annotations }}
     {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
     {{- end }}
-  {{- end }}
+{{- end }}
+
+{{- if .Values.testServiceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "testkube-api.testServiceAccountName" . }}
+  labels:
+    {{- include "global.labels.standard" . | nindent 4 }}
+    {{- if .Values.global.labels }}
+    {{- include "global.tplvalues.render" ( dict "value" .Values.global.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.global.annotations }}
+    {{- include "global.tplvalues.render" ( dict "value" .Values.global.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/charts/testkube-api/values.yaml b/charts/testkube-api/values.yaml
@@ -105,8 +105,6 @@ templates:
   ## Base64 encoded PVC Container template
   pvcContainer: ""
 
-jobServiceAccountName: ""
-
 ## base64 encoded executors.json alike data
 executors: ""
 
@@ -204,6 +202,16 @@ serviceAccount:
   ## If not set and create is true, a name is generated using the fullname template
   name: ""
 
+## Test Job ServiceAccount parameters
+testServiceAccount:
+  ## Specifies whether a service account should be created
+  create: true
+  ## Annotations to add to the service account
+  annotations: {}
+
+## Test Job ServiceAccount name
+jobServiceAccountName: ""
+
 ## Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 podSecurityContext: {}