MCPcopy
hub / github.com/argoproj/argo-workflows / TestInsufficientRole

Method TestInsufficientRole

test/e2e/artifacts_test.go:775–854  ·  view source on GitHub ↗

create a ServiceAccount which won't be tied to the artifactgc role and attempt to use that service account in the GC Pod Want to verify that this causes the ArtifactGCError Condition in the Workflow

()

Source from the content-addressed store, hash-verified

773// create a ServiceAccount which won't be tied to the artifactgc role and attempt to use that service account in the GC Pod
774// Want to verify that this causes the ArtifactGCError Condition in the Workflow
775func (s *ArtifactsSuite) TestInsufficientRole() {
776 ctx := logging.TestContext(s.T().Context())
777 _ = s.KubeClient.CoreV1().ServiceAccounts(fixtures.Namespace).Delete(ctx, "artgc-role-test-sa", metav1.DeleteOptions{})
778 _, err := s.KubeClient.CoreV1().ServiceAccounts(fixtures.Namespace).Create(ctx, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "artgc-role-test-sa"}}, metav1.CreateOptions{})
779 s.Require().NoError(err)
780 s.T().Cleanup(func() {
781 _ = s.KubeClient.CoreV1().ServiceAccounts(fixtures.Namespace).Delete(ctx, "artgc-role-test-sa", metav1.DeleteOptions{})
782 })
783
784 // We can test this failure case in 2 ways
785 // 1. Workflow sets ForceFinalizerRemoval to false, so finalizer is still present after failure
786 // 2. Workflow sets ForceFinalizerRemoval to true, so finalizer isn't present after failure
787 tests := []struct { // I suppose this could just be a slice of bool, but making it a struct in case we want to expand it
788 forceFinalizerRemoval bool
789 }{
790 {
791 forceFinalizerRemoval: true,
792 },
793 {
794 forceFinalizerRemoval: false,
795 },
796 }
797
798 for _, tt := range tests {
799 // unmarshal and marshal the yaml so we can modify the Workflow spec
800 var workflow wfv1.Workflow
801 err = yaml.Unmarshal([]byte(insufficientRoleWorkflow), &workflow)
802 if err != nil {
803 s.Fail(err.Error())
804 }
805
806 workflow.Spec.ArtifactGC.ForceFinalizerRemoval = tt.forceFinalizerRemoval
807 modifiedWorkflow, err := yaml.Marshal(&workflow)
808 if err != nil {
809 s.Fail(err.Error())
810 }
811
812 // Submit the Workflow
813 when := s.Given().Workflow(string(modifiedWorkflow)).
814 When().
815 SubmitWorkflow().
816 WaitForWorkflow(fixtures.ToBeCompleted)
817
818 // if the Workflow fails for some reason outside of our control, we can't complete this test
819 if when.WorkflowCondition(func(wf *wfv1.Workflow) bool {
820 return wf.Status.Phase == wfv1.WorkflowFailed || wf.Status.Phase == wfv1.WorkflowError
821 }) {
822 fmt.Println("can't reliably verify Artifact GC (Insufficient Role test) since workflow failed")
823 when.RemoveFinalizers(false)
824 return
825 }
826
827 // Once Workflow completes, check its result
828 when.WaitForWorkflow(
829 fixtures.WorkflowCompletionOkay(true),
830 fixtures.Condition(func(wf *wfv1.Workflow) (bool, string) {
831 return wf.Status.ArtifactGCStatus != nil &&
832 len(wf.Status.ArtifactGCStatus.PodsRecouped) == 1, "for pod to have been recouped"

Callers

nothing calls this directly

Calls 15

TestContextFunction · 0.92
WorkflowCompletionOkayTypeAlias · 0.92
ConditionFuncType · 0.92
WaitForWorkflowMethod · 0.80
WorkflowMethod · 0.80
WorkflowConditionMethod · 0.80
RemoveFinalizersMethod · 0.80
ExpectWorkflowMethod · 0.80
ThenMethod · 0.80
ContextMethod · 0.65
DeleteMethod · 0.65
CreateMethod · 0.65

Tested by

no test coverage detected