Merge pull request #15162 from mfojtik/deploy-check-ist-sar

Automatic merge from submit-queue (batch tested with PRs 15162, 14901, 15195) deploy: verify the deployer SA has perms to update tags fixes: #10663 [test]
openshift · Aug 1, 2017 · 0cb7fc4 · 0cb7fc4
2 parents 8533888 + e9546e4
commit 0cb7fc4
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/test/extended/deployments/deployments.go b/test/extended/deployments/deployments.go
@@ -373,12 +373,19 @@ var _ = g.Describe("deploymentconfigs", func() {
 		})
 
 		g.It("should successfully tag the deployed image", func() {
+			g.By("creating the deployment config fixture")
 			_, name, err := createFixture(oc, tagImagesFixture)
 			o.Expect(err).NotTo(o.HaveOccurred())
 
 			g.By("verifying the deployment is marked complete")
 			o.Expect(waitForLatestCondition(oc, name, deploymentRunTimeout, deploymentReachedCompletion)).NotTo(o.HaveOccurred())
 
+			g.By("verifying the deployer service account can update imagestreamtags and user can get them")
+			err = exutil.WaitForUserBeAuthorized(oc, oc.Username(), "get", "imagestreamtags")
+			o.Expect(err).NotTo(o.HaveOccurred())
+			err = exutil.WaitForUserBeAuthorized(oc, "system:serviceaccount:"+oc.Namespace()+":deployer", "update", "imagestreamtags")
+			o.Expect(err).NotTo(o.HaveOccurred())
+
 			g.By("verifying the post deployment action happened: tag is set")
 			var istag *imageapi.ImageStreamTag
 			pollErr := wait.PollImmediate(100*time.Millisecond, 1*time.Minute, func() (bool, error) {

diff --git a/test/extended/util/framework.go b/test/extended/util/framework.go
@@ -35,6 +35,7 @@ import (
 	"k8s.io/kubernetes/pkg/quota"
 	"k8s.io/kubernetes/test/e2e/framework"
 
+	authapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	buildapi "github.com/openshift/origin/pkg/build/apis/build"
 	"github.com/openshift/origin/pkg/client"
 	deployapi "github.com/openshift/origin/pkg/deploy/apis/apps"
@@ -1314,3 +1315,23 @@ func (r *podExecutor) Exec(script string) (string, error) {
 	})
 	return out, waitErr
 }
+
+// WaitForUserBeAuthorized waits a minute until the cluster bootstrap roles are available
+// and the provided user is authorized to perform the action on the resource.
+func WaitForUserBeAuthorized(oc *CLI, user, verb, resource string) error {
+	sar := authapi.SubjectAccessReview{
+		User: user,
+		Action: authapi.Action{
+			Namespace: oc.Namespace(),
+			Verb:      verb,
+			Resource:  resource,
+		},
+	}
+	return wait.PollImmediate(1*time.Second, 1*time.Minute, func() (bool, error) {
+		resp, err := oc.AdminClient().SubjectAccessReviews().Create(&sar)
+		if err == nil && resp != nil && resp.Allowed {
+			return true, nil
+		}
+		return false, err
+	})
+}