diff --git a/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go b/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go index bf3f5624f77..fe6313d3a5b 100644 --- a/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go +++ b/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go @@ -85,9 +85,9 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { It("verifies that toolchain versions have the expected values", func() { // These variables need to be maintained according to the component matrix: https://spaces.redhat.com/display/GITOPS/GitOps+Component+Matrix - expected_kustomizeVersion := "v5.7.0" - expected_helmVersion := "v3.18.4" - expected_argocdVersion := "v3.1.5" + expected_kustomizeVersion := "v5.7.1" + expected_helmVersion := "v3.18.6" + expected_argocdVersion := "v3.1.13" var expected_dexVersion string var expected_redisVersion string @@ -99,8 +99,8 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { } else { // when running against RC/ released version of gitops - expected_dexVersion = "v2.43.0" - expected_redisVersion = "7.2.10" + expected_dexVersion = "v2.43.1" + expected_redisVersion = "7.2.11" } By("locating pods containing toolchain in openshift-gitops") diff --git a/test/openshift/e2e/ginkgo/parallel/1-090_validate_permissions_test.go b/test/openshift/e2e/ginkgo/parallel/1-090_validate_permissions_test.go index a47de6eb3fa..1c01a21540b 100644 --- a/test/openshift/e2e/ginkgo/parallel/1-090_validate_permissions_test.go +++ b/test/openshift/e2e/ginkgo/parallel/1-090_validate_permissions_test.go @@ -19,6 +19,8 @@ package parallel import ( "context" "fmt" + "os" + "path/filepath" "strings" . "github.com/onsi/ginkgo/v2" 
@@ -59,652 +61,6 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { return } - By("checking that the expected CSV matches the actual CSV on the cluster") - - csvString := ` -apiVersion: operators.coreos.com/v1alpha1 -kind: ClusterServiceVersion -metadata: - name: openshift-gitops-operator.v1.16.0 - namespace: openshift-operators -spec: - install: - spec: - clusterPermissions: - - rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - namespaces - - pods - - secrets - - serviceaccounts - - services - - services/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - events - - persistentvolumeclaims - - pods - - secrets - - serviceaccounts - - services - - services/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - deployments - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - - resourcequotas - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - pods/eviction - verbs: - - create - - apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - apiGroups: - - "" - resources: - - podtemplates - verbs: - - get - - list - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - apiGroups: - - appmesh.k8s.aws - resources: - - virtualnodes - - virtualrouters - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - appmesh.k8s.aws - resources: - - virtualservices - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - 
watch - - apiGroups: - - apps - resources: - - deployments - - podtemplates - - replicasets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - apps - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - apps - resourceNames: - - gitops-operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - apps.openshift.io - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - analysisruns - - analysisruns/finalizers - - experiments - - experiments/finalizers - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - analysistemplates - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - applications - - appprojects - - argocds - - argocds/finalizers - - argocds/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - clusteranalysistemplates - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - notificationsconfigurations - - notificationsconfigurations/finalizers - verbs: - - '*' - - apiGroups: - - argoproj.io - resources: - - rolloutmanagers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - argoproj.io - resources: - - rolloutmanagers/finalizers - verbs: - - update - - apiGroups: - - argoproj.io - resources: - - rolloutmanagers/status - verbs: - - get - - patch - - update - - apiGroups: - - argoproj.io - resources: - - rollouts - - rollouts/finalizers - - rollouts/scale - - rollouts/status - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - 
- apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - config.openshift.io - resources: - - clusterversions - verbs: - - get - - list - - watch - - apiGroups: - - console.openshift.io - resources: - - consoleclidownloads - verbs: - - create - - get - - list - - patch - - update - - watch - - apiGroups: - - console.openshift.io - resources: - - consolelinks - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - console.openshift.io - resources: - - consoleplugins - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - - apiGroups: - - elbv2.k8s.aws - resources: - - targetgroupbindings - verbs: - - get - - list - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - create - - get - - list - - patch - - watch - - apiGroups: - - getambassador.io - resources: - - ambassadormappings - - mappings - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - monitoring.coreos.com - resources: - - prometheuses - - prometheusrules - - servicemonitors - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.istio.io - resources: - - destinationrules - - virtualservices - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - create - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - networkpolicies - verbs: 
- - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - oauth.openshift.io - resources: - - oauthclients - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - - operatorgroups - - subscriptions - verbs: - - create - - get - - list - - watch - - apiGroups: - - pipelines.openshift.io - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - pipelines.openshift.io - resources: - - gitopsservices - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - pipelines.openshift.io - resources: - - gitopsservices/finalizers - verbs: - - update - - apiGroups: - - pipelines.openshift.io - resources: - - gitopsservices/status - verbs: - - get - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - '*' - verbs: - - bind - - create - - delete - - deletecollection - - escalate - - get - - list - - patch - - update - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - - clusterroles - verbs: - - bind - - create - - delete - - deletecollection - - escalate - - get - - list - - patch - - update - - watch - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - route.openshift.io - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - route.openshift.io - resources: - - routes - - routes/custom-host - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - split.smi-spec.io - resources: - - trafficsplits - verbs: - - create - - get - - patch - - update - - watch - - apiGroups: - - template.openshift.io - resources: - - templateconfigs - - templateinstances - 
- templates - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - traefik.containo.us - resources: - - traefikservices - verbs: - - get - - update - - watch - - apiGroups: - - x.getambassador.io - resources: - - ambassadormappings - - mappings - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create` - - expectedCsv := &olmv1alpha1.ClusterServiceVersion{} - - Expect(yaml.UnmarshalStrict([]byte(csvString), expectedCsv)).To(Succeed()) - By("looking for a ClusterServiceVersion for openshift-gitops across all namespaces") gitopsCSVsFound := []olmv1alpha1.ClusterServiceVersion{} var csvList olmv1alpha1.ClusterServiceVersionList @@ -712,6 +68,10 @@ spec: for index := range csvList.Items { csv := csvList.Items[index] if strings.Contains(csv.Name, "openshift-gitops-operator") { + // OLM copies CSVs to other namespaces; skip those copies + if _, copied := csv.Labels["olm.copiedFrom"]; copied { + continue + } gitopsCSVsFound = append(gitopsCSVsFound, csv) } } 
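Review bot: The new copied-CSV filter hard-codes the label key `"olm.copiedFrom"`, and its comment does not say why copies must be excluded, even though this filter decides which ClusterServiceVersion the later permission comparison runs against. The OLM API package already imported here as `olmv1alpha1` appears to export this key as `CopiedLabelKey` (confirm against the vendored version), in which case `csv.Labels[olmv1alpha1.CopiedLabelKey]` would avoid drift from OLM. I would also expand the comment to something like `// OLM copies CSVs into every namespace the operator targets; only the original must be compared, otherwise more than one match is found`. The enclosing loop and the code that consumes `gitopsCSVsFound` lie outside this hunk, so how an empty result is handled cannot be checked from here.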
@@ -730,9 +90,25 @@ spec: Expect(actualCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions).To(HaveLen(1)) actualCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions[0].ServiceAccountName = "" - Expect(expectedCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions).To(HaveLen(1)) + snapshotPath := "../snapshots/valid_csv_permissions.yaml" + + if os.Getenv("E2E_UPDATE_SNAPSHOTS") == "1" { + By("updating snapshot file with actual CSV cluster permissions") + data, marshalErr := yaml.Marshal(actualCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions) + Expect(marshalErr).NotTo(HaveOccurred()) + Expect(os.MkdirAll(filepath.Dir(snapshotPath), 0755)).To(Succeed()) + Expect(os.WriteFile(snapshotPath, data, 0644)).To(Succeed()) + } + + By("checking that the expected CSV cluster permissions match the actual CSV on the cluster") + + snapshotData, readErr := os.ReadFile(snapshotPath) + Expect(readErr).NotTo(HaveOccurred(), "snapshot file not found at %s; run with E2E_UPDATE_SNAPSHOTS=1 to create it", snapshotPath) + + var snapshotPermissions []olmv1alpha1.StrategyDeploymentPermissions + Expect(yaml.Unmarshal(snapshotData, &snapshotPermissions)).To(Succeed()) - Expect(actualCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions).To(Equal(expectedCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions)) + Expect(actualCsv.Spec.InstallStrategy.StrategySpec.ClusterPermissions).To(Equal(snapshotPermissions)) By("checking that the specific fields in gitopsservices.pipelines.openshift.io CRD that we are looking for are present and have the expected values") diff --git a/test/openshift/e2e/ginkgo/snapshots/valid_csv_permissions.yaml b/test/openshift/e2e/ginkgo/snapshots/valid_csv_permissions.yaml new file mode 100644 index 00000000000..c172cd894d3 --- /dev/null +++ b/test/openshift/e2e/ginkgo/snapshots/valid_csv_permissions.yaml 
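Review bot: With `E2E_UPDATE_SNAPSHOTS=1` the spec writes the cluster's current ClusterPermissions to the snapshot and then reads the same file back for the `Equal` check, so in that mode the RBAC comparison cannot fail and any newly granted permission is accepted silently. If the variable ever ends up set in a CI job, this guard against privilege creep is effectively switched off. Consider stopping after the write, for example with `Skip("snapshot regenerated; re-run without E2E_UPDATE_SNAPSHOTS to verify")`, bearing in mind that this also skips the CRD checks later in the same `It`, whose body continues outside the hunk. Separately, the removed code parsed its expected value with `yaml.UnmarshalStrict`, while the new `yaml.Unmarshal` presumably ignores unknown or misspelled keys in a hand-edited snapshot. `Expect(yaml.UnmarshalStrict(snapshotData, &snapshotPermissions)).To(Succeed())` would keep the earlier strictness.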
@@ -0,0 +1,469 @@ +- rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - persistentvolumeclaims + - pods + - secrets + - serviceaccounts + - services + - services/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - deployments + - podtemplates + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - apiGroups: + - "" + resources: + - resourcequotas + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - apiGroups: + - appmesh.k8s.aws + resources: + - virtualnodes + - virtualrouters + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - appmesh.k8s.aws + resources: + - virtualservices + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - podtemplates + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - apps + resourceNames: + - gitops-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - apps.openshift.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - argoproj.io + resources: + - analysisruns + - analysisruns/finalizers + - analysistemplates + - clusteranalysistemplates + - experiments + - experiments/finalizers + - namespacemanagements + - namespacemanagements/status + - rollouts + - rollouts/finalizers + - rollouts/scale + - rollouts/status + verbs: + - 
create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - argoproj.io + resources: + - applications + - appprojects + - argocds + - argocds/finalizers + - argocds/status + - rolloutmanagers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - argoproj.io + resources: + - notificationsconfigurations + - notificationsconfigurations/finalizers + verbs: + - '*' + - apiGroups: + - argoproj.io + resources: + - rolloutmanagers/finalizers + verbs: + - update + - apiGroups: + - argoproj.io + resources: + - rolloutmanagers/status + verbs: + - get + - patch + - update + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - config.openshift.io + resources: + - clusterversions + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - console.openshift.io + resources: + - consoleclidownloads + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - console.openshift.io + resources: + - consolelinks + - consoleplugins + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + - apiGroups: + - elbv2.k8s.aws + resources: + - targetgroupbindings + verbs: + - get + - list + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - create + - get + - list + - patch + - watch + - apiGroups: + - getambassador.io + - x.getambassador.io + resources: + - ambassadormappings + - mappings + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - prometheuses + - prometheusrules + - servicemonitors + verbs: + - 
create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - networking.istio.io + resources: + - destinationrules + - virtualservices + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - oauth.openshift.io + resources: + - oauthclients + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - operatorgroups + - subscriptions + verbs: + - create + - get + - list + - watch + - apiGroups: + - pipelines.openshift.io + resources: + - '*' + - gitopsservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - pipelines.openshift.io + resources: + - gitopsservices/finalizers + verbs: + - update + - apiGroups: + - pipelines.openshift.io + resources: + - gitopsservices/status + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - '*' + - clusterrolebindings + - clusterroles + verbs: + - bind + - create + - delete + - deletecollection + - escalate + - get + - list + - patch + - update + - watch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - route.openshift.io + resources: + - '*' + - routes + - routes/custom-host + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - split.smi-spec.io + resources: + - trafficsplits + verbs: + - create + - get + - patch + - update + - watch + - apiGroups: + - template.openshift.io + resources: + - templateconfigs + - templateinstances + - templates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - traefik.containo.us + 
resources: + - traefikservices + verbs: + - get + - update + - watch + - nonResourceURLs: + - /metrics + verbs: + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + serviceAccountName: ""
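Review bot: This snapshot is not a verbatim move of the inline CSV that the same commit deletes from 1-090_validate_permissions_test.go. It newly lists `namespacemanagements` and `namespacemanagements/status` under `argoproj.io`, `ingresses` under `config.openshift.io`, and a `nonResourceURLs: /metrics` rule. Several rules are also merged, for example `'*'` now sits beside `clusterrolebindings` and `clusterroles` in the `rbac.authorization.k8s.io` rule that carries `bind` and `escalate`. Because this file is the accepted baseline for the operator's cluster-wide RBAC, the commit description should call those additions out so they are reviewed as permission changes and not as part of a refactor. The file was presumably produced by the `E2E_UPDATE_SNAPSHOTS=1` path, so a header comment would be lost on regeneration; a short README beside it stating that any diff here is a privilege change needing review would survive.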