From 0f67acd07e5e9f8f87d31da4777947f902fee5be Mon Sep 17 00:00:00 2001
From: Abhijeet Dargude
Date: Wed, 14 Aug 2024 06:41:01 +0000
Subject: [PATCH] Update permission and e2e test.

---
 test/e2e/mount_test.go | 40 +++++++++----------
 .../secretmanager-csi-build/iam-policy.yaml | 12 ++++++
 2 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/test/e2e/mount_test.go b/test/e2e/mount_test.go
index 5214864..012ae99 100644
--- a/test/e2e/mount_test.go
+++ b/test/e2e/mount_test.go
@@ -161,42 +161,42 @@ func setupTestSuite(isTokenPassed bool) {
 "--data-file", secretFile, "--project", f.testProjectID)))
 } else {
 type metadataStruct struct {
- name string `yaml:"name"`
+ Name string `yaml:"name"`
 }
 type audienceStruct struct {
- audience string `yaml:"audience"`
+ Audience string `yaml:"audience"`
 }
 type specStruct struct {
- podInfoOnMount bool `yaml:"podInfoOnMount"`
- attachRequired bool `yaml:"attachRequired"`
- volumeLifecycleModes []string `yaml:"volumeLifecycleModes"`
- tokenRequests []audienceStruct `yaml:"tokenRequests"`
+ PodInfoOnMount bool `yaml:"podInfoOnMount"`
+ AttachRequired bool `yaml:"attachRequired"`
+ VolumeLifecycleModes []string `yaml:"volumeLifecycleModes"`
+ TokenRequests []audienceStruct `yaml:"tokenRequests"`
 }
 type driver struct {
- apiVersion string `yaml:"apiVersion"`
- kind string `yaml:"kind"`
- metadata metadataStruct `yaml:"metadata"`
- spec specStruct `yaml:"spec"`
+ ApiVersion string `yaml:"apiVersion"`
+ Kind string `yaml:"kind"`
+ Metadata metadataStruct `yaml:"metadata"`
+ Spec specStruct `yaml:"spec"`
 }
 aud := audienceStruct{
- audience: "secretmanager-csi-build.svc.id.goog", // audience value is set as idPool for GCP project secretmanager-csi-build
+ Audience: "secretmanager-csi-build.svc.id.goog", // audience value is set as idPool for GCP project secretmanager-csi-build
 }
 csiDriver := driver{
- apiVersion: "storage.k8s.io/v1",
- kind: "CSIDriver",
- metadata: metadataStruct{
- name: "secrets-store.csi.k8s.io",
+ ApiVersion: "storage.k8s.io/v1",
+ Kind: "CSIDriver",
+ Metadata: metadataStruct{
+ Name: "secrets-store.csi.k8s.io",
 },
- spec: specStruct{
- podInfoOnMount: true,
- attachRequired: false,
- volumeLifecycleModes: []string{"Ephemeral"},
- tokenRequests: []audienceStruct{aud},
+ Spec: specStruct{
+ PodInfoOnMount: true,
+ AttachRequired: false,
+ VolumeLifecycleModes: []string{"Ephemeral"},
+ TokenRequests: []audienceStruct{aud},
 },
 }
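Review bot: `ApiVersion` in the new `driver` struct breaks Go's initialism convention; the serialized key is already fixed by the tag, so the field can be `APIVersion string `yaml:"apiVersion"`` with the literal in `csiDriver` updated to `APIVersion: "storage.k8s.io/v1",`. The switch to exported names is presumably what makes the YAML encoder emit these fields at all (reflection-based encoders skip unexported fields), and nothing in the hunk says so, so a comment above `type metadataStruct struct` such as `// Fields must be exported so the YAML encoder sees them; the tags set the keys.` would stop the next reader from lowercasing them again. The hunk header's old and new line counts (42) exceed the lines visible here, so trailing context may have been lost in transit. setupTestSuite begins and ends outside this hunk.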
diff --git a/test/infra/managed/namespaces/secretmanager-csi-build/iam-policy.yaml b/test/infra/managed/namespaces/secretmanager-csi-build/iam-policy.yaml
index 89bf72d..7791abb 100644
--- a/test/infra/managed/namespaces/secretmanager-csi-build/iam-policy.yaml
+++ b/test/infra/managed/namespaces/secretmanager-csi-build/iam-policy.yaml
@@ -35,6 +35,12 @@ spec:
 - members:
 - serviceAccount:gh-e2e-runner@secretmanager-csi-build.iam.gserviceaccount.com
 role: roles/viewer
+ - members:
+ - serviceAccount:service-735463103342@gcp-sa-artifactregistry.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ - members:
+ - serviceAccount:service-735463103342@gcp-sa-artifactregistry.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
 # cnrm controller permissions (manage all test/infra/managed resources)
 - members:
 - serviceAccount:cnrm-system@secretmanager-csi-build.iam.gserviceaccount.com
@@ -60,6 +66,12 @@ spec:
 - members:
 - serviceAccount:cnrm-system@secretmanager-csi-build.iam.gserviceaccount.com
 role: roles/monitoring.metricWriter
+ - members:
+ - serviceAccount:735463103342-compute@developer.gserviceaccount.com
+ role: roles/artifactregistry.reader
+ - members:
+ - serviceAccount:service-735463103342@compute-system.iam.gserviceaccount.com
+ role: roles/artifactregistry.writer
 # for e2e tests to manage test clusters and administer secrets
 - members:
 - serviceAccount:e2e-test-sa@secretmanager-csi-build.iam.gserviceaccount.com
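Review bot: The first hunk (`@@ -35,6 +35,12 @@`) adds the same binding twice — both new entries grant `roles/storage.objectViewer` to `service-735463103342@gcp-sa-artifactregistry.iam.gserviceaccount.com`; one of the two should be dropped, since the duplicate only adds noise to the policy and to any later comparison of applied versus declared bindings. Neither this hunk nor the one at `@@ -60,6 +66,12 @@` carries the purpose comment that the neighbouring bindings have (`# cnrm controller permissions ...`, `# for e2e tests to manage ...`), so each new binding should get a one-line comment naming what needs it, e.g. `# artifact registry service agent: read from GCS for <purpose>` with the placeholder filled in by the author. If this file is the project-level policy (the cnrm comment about managing all test/infra/managed resources suggests it is), `roles/storage.objectViewer` here applies to every bucket in the project; a binding on the specific bucket would be narrower if only one is involved.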
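Review bot: The second hunk grants `roles/artifactregistry.reader` to the Compute Engine default service account `735463103342-compute@developer.gserviceaccount.com`, which is the broadest shared identity in a project; if the intent is to let test-cluster nodes pull images, a comment should say so, and it is worth recording whether a dedicated node service account was considered instead. The `roles/artifactregistry.writer` grant to `service-735463103342@compute-system.iam.gserviceaccount.com` also needs a line explaining what that service agent is expected to push, because writer on Artifact Registry allows publishing the very images the e2e clusters then run and a reviewer cannot tell from the diff why an agent rather than the build pipeline needs it.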