Add tier1 tests for cluster-level RBAC subject types#588
Open
RanWurmbrand wants to merge 2 commits into
Open
Conversation
Add e2e tests covering ClusterRoleBinding subject variations: - MTA-857: ServiceAccount subject type - MTA-858: User subject type - MTA-859: Group subject type Signed-off-by: Ran Wurmbrand <rwurmbra@redhat.com>
|
Warning Review limit reached
Next review available in: 27 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughAdds a ChangesCRB Subject E2E Tests
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Test Coverage ReportTotal: 47.6% Per-package coverage
Full function-level detailsPosted by CI |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
e2e-tests/framework/resources.go (1)
75-82: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winInclude the subject in the create error context.
A bad
--user/--group/--serviceaccountvalue will currently fail as onlyfailed to create ClusterRoleBinding <name>, which is thin for debugging this new path. Please includecrb.ClusterRoleNameandcrb.Subjectin the wrapped error. As per coding guidelines, "Prefer explicit error messages with context in Go code" and "Do not skip error context - include resource names and types".🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@e2e-tests/framework/resources.go` around lines 75 - 82, The ClusterRoleBinding create error message is missing key context for the subject-related failure path. Update ClusterRoleBinding.Create to include both crb.ClusterRoleName and crb.Subject in the wrapped error returned after k.Run fails, so the failure context matches the arguments used to build the create command. Keep the fix localized to the Create method and preserve the existing error wrapping with fmt.Errorf.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@e2e-tests/tests/tier1/mta_857_service_account_subject_test.go`:
- Around line 35-40: Use unique cluster-scoped names for the ClusterRole and
ClusterRoleBinding in this spec instead of reusing crane-cr and crane-crb.
Update the ClusterRole and ClusterRoleBinding setup in the test code that
creates cr and crb so each Tier1 spec has distinct names (for example by
deriving them from the namespace or subjectName) to avoid collisions during
parallel runs and cleanup failures.
- Around line 94-97: The current ClusterRoleBinding assertion in the service
account subject test only checks subject name via ValidateClusterRBAC, so it can
miss an incorrect kind or namespace. Update the
mta_857_service_account_subject_test flow to explicitly verify the
ClusterRoleBinding subject has kind ServiceAccount and the expected namespace,
and add a separate check that the target serviceaccount/crane-sa exists. Use the
existing crb, subjectName, kubectlTgt, and ValidateClusterRBAC references to
locate the test logic and extend it with these ServiceAccount-specific
assertions.
In `@e2e-tests/tests/tier1/mta_858_user_subject_test.go`:
- Around line 94-97: The target ClusterRoleBinding check in the migration test
only validates the subject name, so it can miss a wrong subject type. Update the
assertion around ValidateClusterRBAC in mta_858_user_subject_test.go to also
verify the ClusterRoleBinding subject kind is User for the target binding, using
the existing subjectName/ClusterRoleBindingName setup so the test fails if the
migrated subject is emitted as anything else.
In `@e2e-tests/tests/tier1/mta_859_group_subject_test.go`:
- Around line 95-98: The ClusterRoleBinding validation in the MTA group-subject
test only verifies the subject name, so it can’t prove the subject is a Group.
Update the test around ValidateClusterRBAC and the existing CRB assertion to
also inspect the target ClusterRoleBinding’s .subjects entry and explicitly
assert kind is Group, with namespace unset or empty, alongside the current name
check.
---
Nitpick comments:
In `@e2e-tests/framework/resources.go`:
- Around line 75-82: The ClusterRoleBinding create error message is missing key
context for the subject-related failure path. Update ClusterRoleBinding.Create
to include both crb.ClusterRoleName and crb.Subject in the wrapped error
returned after k.Run fails, so the failure context matches the arguments used to
build the create command. Keep the fix localized to the Create method and
preserve the existing error wrapping with fmt.Errorf.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 122a4b4f-ea8b-4ce5-9d07-eeaf0849affb
📒 Files selected for processing (4)
e2e-tests/framework/resources.goe2e-tests/tests/tier1/mta_857_service_account_subject_test.goe2e-tests/tests/tier1/mta_858_user_subject_test.goe2e-tests/tests/tier1/mta_859_group_subject_test.go
Signed-off-by: Ran Wurmbrand <rwurmbra@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
closes #587, closes #582 closes #583
Summary
Test plan
ginkgo -v --label-filter="tier1" ./e2e-tests/tests/tier1/to verify new tests passSummary by CodeRabbit