This is an automated email from the ASF dual-hosted git repository.
kvn pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git
The following commit(s) were added to refs/heads/master by this push:
new e1ed503 fix: add write permission for leases (#191)
e1ed503 is described below
commit e1ed5038549bb73e47b56f11d63c9d7e03921cca
Author: liodo <[email protected]>
AuthorDate: Thu Feb 4 16:18:55 2021 +0800
fix: add write permission for leases (#191)
* fix:BUGFIX #182 ,add write permission of resource:leases in
apisix_view_clusterrole.yaml
* fix:BUGFIX #182 , add _clusterRole reference in
test\e2e\scaffold\ingress.go
* fix:BUGFIX #182 , add namespace
* fix:BUGFIX #182 , fix format
* fix:BUGFIX #182 , fix format
* fix
* fix
* fix: reset finializers
Co-authored-by: 周宇 <[email protected]>
Co-authored-by: Alex Zhang <[email protected]>
---
.../apisix-ingress-controller/templates/rbac.yaml | 6 +
samples/deploy/rbac/apisix_view_clusterrole.yaml | 6 +
test/e2e/scaffold/ingress.go | 155 ++++++++++++++++++++-
test/e2e/scaffold/scaffold.go | 1 +
4 files changed, 165 insertions(+), 3 deletions(-)
diff --git a/charts/apisix-ingress-controller/templates/rbac.yaml
b/charts/apisix-ingress-controller/templates/rbac.yaml
index e6133e0..b81eec0 100644
--- a/charts/apisix-ingress-controller/templates/rbac.yaml
+++ b/charts/apisix-ingress-controller/templates/rbac.yaml
@@ -142,6 +142,12 @@ rules:
- get
- list
- watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
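Review bot: The added rule grants `'*'` on `leases` in `coordination.k8s.io` from a ClusterRole, which is broader than leader election normally needs. If it is bound cluster-wide, as the ClusterRoleBinding that follows suggests, the wildcard also allows delete, deletecollection and patch on every Lease in every namespace, including the node heartbeat leases in `kube-node-lease` and the control-plane election leases in `kube-system`. Assuming the controller only takes a Lease lock for its own election (its code is not visible here), listing `get`, `create` and `update` under `verbs:` should be enough, ideally in a namespaced Role for the controller's own namespace. The same wildcard is added in samples/deploy/rbac/apisix_view_clusterrole.yaml and in the `_clusterRole` literal in test/e2e/scaffold/ingress.go.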
diff --git a/samples/deploy/rbac/apisix_view_clusterrole.yaml
b/samples/deploy/rbac/apisix_view_clusterrole.yaml
index 756f415..edb232c 100644
--- a/samples/deploy/rbac/apisix_view_clusterrole.yaml
+++ b/samples/deploy/rbac/apisix_view_clusterrole.yaml
@@ -142,3 +142,9 @@ rules:
- get
- list
- watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - '*'
diff --git a/test/e2e/scaffold/ingress.go b/test/e2e/scaffold/ingress.go
index 546e1f2..abaa7af 100644
--- a/test/e2e/scaffold/ingress.go
+++ b/test/e2e/scaffold/ingress.go
@@ -20,6 +20,7 @@ import (
"github.com/gruntwork-io/terratest/modules/k8s"
"github.com/onsi/ginkgo"
+ "github.com/stretchr/testify/assert"
coordinationv1 "k8s.io/api/coordination/v1"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
@@ -28,7 +29,142 @@ import (
)
const (
- _serviceAccount = "ingress-apisix-e2e-test-service-account"
+ _serviceAccount = "ingress-apisix-e2e-test-service-account"
+ _clusterRole = `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: %s-apisix-view-clusterrole
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - persistentvolumeclaims
+ - pods
+ - replicationcontrollers
+ - replicationcontrollers/scale
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - namespaces/status
+ - pods/log
+ - pods/status
+ - replicationcontrollers/status
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - controllerrevisions
+ - daemonsets
+ - deployments
+ - deployments/scale
+ - replicasets
+ - replicasets/scale
+ - statefulsets
+ - statefulsets/scale
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/scale
+ - ingresses
+ - networkpolicies
+ - replicasets
+ - replicasets/scale
+ - replicationcontrollers/scale
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apisix.apache.org
+ resources:
+ - apisixroutes
+ - apisixupstreams
+ - apisixservices
+ - apisixtlses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - '*'
+`
_clusterRoleBinding = `
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
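Review bot: `_clusterRole` has no comment saying where its rules come from, and it looks like a hand-copied duplicate of samples/deploy/rbac/apisix_view_clusterrole.yaml (only the tail of that file is visible in this commit, so this is inferred). Since the point of replacing `cluster-admin` is that the e2e run exercises the permissions that are actually shipped, a silent drift between the two copies would defeat it. I would add above the constant something like `// _clusterRole mirrors samples/deploy/rbac/apisix_view_clusterrole.yaml; keep both in sync so e2e runs with the shipped permissions.` The const block starts above this hunk and the `_clusterRoleBinding` literal continues past it.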
@@ -37,7 +173,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: cluster-admin
+ name: %s-apisix-view-clusterrole
subjects:
- kind: ServiceAccount
name: ingress-apisix-e2e-test-service-account
@@ -120,10 +256,23 @@ func (s *Scaffold) newIngressAPISIXController() error {
return err
}
- crb := fmt.Sprintf(_clusterRoleBinding, s.namespace, s.namespace)
+ cr := fmt.Sprintf(_clusterRole, s.namespace)
+ if err := k8s.KubectlApplyFromStringE(s.t, s.kubectlOptions, cr); err
!= nil {
+ return err
+ }
+
+ crb := fmt.Sprintf(_clusterRoleBinding, s.namespace, s.namespace,
s.namespace)
if err := k8s.KubectlApplyFromStringE(s.t, s.kubectlOptions, crb); err
!= nil {
return err
}
+ s.addFinializer(func() {
+ err := k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, crb)
+ assert.Nil(s.t, err, "deleting ClusterRoleBinding")
+ })
+ s.addFinializer(func() {
+ err := k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, cr)
+ assert.Nil(s.t, err, "deleting ClusterRole")
+ })
if err := k8s.KubectlApplyFromStringE(s.t, s.kubectlOptions,
ingressAPISIXDeployment); err != nil {
return err
}
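Review bot: The finalizer that deletes the ClusterRole is registered only after the ClusterRoleBinding apply has succeeded, so an error return from that second `KubectlApplyFromStringE` leaves the `%s-apisix-view-clusterrole` object behind. It is cluster-scoped, so deleting the test namespace will not remove it, and repeated failed runs accumulate stale RBAC objects. Register each cleanup directly after its own apply succeeds: move the `s.addFinializer(func() { ... "deleting ClusterRole" })` call up to just below the `cr` apply, and keep the binding's finalizer below the `crb` apply. The order in which finalizers run is not visible here, so confirm the binding is still removed before or together with the role. newIngressAPISIXController starts and ends outside this hunk.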
diff --git a/test/e2e/scaffold/scaffold.go b/test/e2e/scaffold/scaffold.go
index acaf19c..ecdb83f 100644
--- a/test/e2e/scaffold/scaffold.go
+++ b/test/e2e/scaffold/scaffold.go
@@ -184,6 +184,7 @@ func (s *Scaffold) beforeEach() {
ConfigPath: s.opts.Kubeconfig,
Namespace: s.namespace,
}
+ s.finializers = nil
k8s.CreateNamespace(s.t, s.kubectlOptions, s.namespace)
s.nodes, err = k8s.GetReadyNodesE(s.t, s.kubectlOptions)