Create a ServiceAccount that is not bound to the artifactgc role, and attempt to use that ServiceAccount in the GC Pod. The test verifies that this causes the ArtifactGCError Condition in the Workflow.
| 773 | // create a ServiceAccount which won't be tied to the artifactgc role and attempt to use that service account in the GC Pod |
| 774 | // Want to verify that this causes the ArtifactGCError Condition in the Workflow |
| 775 | func (s *ArtifactsSuite) TestInsufficientRole() { |
| 776 | ctx := logging.TestContext(s.T().Context()) |
| 777 | _ = s.KubeClient.CoreV1().ServiceAccounts(fixtures.Namespace).Delete(ctx, "artgc-role-test-sa", metav1.DeleteOptions{}) |
| 778 | _, err := s.KubeClient.CoreV1().ServiceAccounts(fixtures.Namespace).Create(ctx, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "artgc-role-test-sa"}}, metav1.CreateOptions{}) |
| 779 | s.Require().NoError(err) |
| 780 | s.T().Cleanup(func() { |
| 781 | _ = s.KubeClient.CoreV1().ServiceAccounts(fixtures.Namespace).Delete(ctx, "artgc-role-test-sa", metav1.DeleteOptions{}) |
| 782 | }) |
| 783 | |
| 784 | // We can test this failure case in 2 ways |
| 785 | // 1. Workflow sets ForceFinalizerRemoval to false, so finalizer is still present after failure |
| 786 | // 2. Workflow sets ForceFinalizerRemoval to true, so finalizer isn't present after failure |
| 787 | tests := []struct { // I suppose this could just be a slice of bool, but making it a struct in case we want to expand it |
| 788 | forceFinalizerRemoval bool |
| 789 | }{ |
| 790 | { |
| 791 | forceFinalizerRemoval: true, |
| 792 | }, |
| 793 | { |
| 794 | forceFinalizerRemoval: false, |
| 795 | }, |
| 796 | } |
| 797 | |
| 798 | for _, tt := range tests { |
| 799 | // unmarshal and marshal the yaml so we can modify the Workflow spec |
| 800 | var workflow wfv1.Workflow |
| 801 | err = yaml.Unmarshal([]byte(insufficientRoleWorkflow), &workflow) |
| 802 | if err != nil { |
| 803 | s.Fail(err.Error()) |
| 804 | } |
| 805 | |
| 806 | workflow.Spec.ArtifactGC.ForceFinalizerRemoval = tt.forceFinalizerRemoval |
| 807 | modifiedWorkflow, err := yaml.Marshal(&workflow) |
| 808 | if err != nil { |
| 809 | s.Fail(err.Error()) |
| 810 | } |
| 811 | |
| 812 | // Submit the Workflow |
| 813 | when := s.Given().Workflow(string(modifiedWorkflow)). |
| 814 | When(). |
| 815 | SubmitWorkflow(). |
| 816 | WaitForWorkflow(fixtures.ToBeCompleted) |
| 817 | |
| 818 | // if the Workflow fails for some reason outside of our control, we can't complete this test |
| 819 | if when.WorkflowCondition(func(wf *wfv1.Workflow) bool { |
| 820 | return wf.Status.Phase == wfv1.WorkflowFailed || wf.Status.Phase == wfv1.WorkflowError |
| 821 | }) { |
| 822 | fmt.Println("can't reliably verify Artifact GC (Insufficient Role test) since workflow failed") |
| 823 | when.RemoveFinalizers(false) |
| 824 | return |
| 825 | } |
| 826 | |
| 827 | // Once Workflow completes, check its result |
| 828 | when.WaitForWorkflow( |
| 829 | fixtures.WorkflowCompletionOkay(true), |
| 830 | fixtures.Condition(func(wf *wfv1.Workflow) (bool, string) { |
| 831 | return wf.Status.ArtifactGCStatus != nil && |
| 832 | len(wf.Status.ArtifactGCStatus.PodsRecouped) == 1, "for pod to have been recouped" |