suite: ClusterRoleBinding templates: - clusterrole.yaml tests: - it: disable by default asserts: - hasDocuments: count: 0 - it: force enable set: rbac: clusterRole: enabled: true asserts: - hasDocuments: count: 1 - it: force disable set: rbac: clusterRole: enabled: false extraRules: - apiGroups: [""] resources: ["test123"] verbs: ["test123"] overwriteRules: - apiGroups: [""] resources: ["test"] verbs: ["test"] asserts: - hasDocuments: count: 0 - it: enable isolated control plane set: experimental: isolatedControlPlane: enabled: true asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: [ "" ] resources: [ "nodes" ] verbs: [ "get", "watch", "list" ] - it: enable scheduler set: controlPlane: advanced: virtualScheduler: enabled: true asserts: - hasDocuments: count: 1 - contains: path: rules content: apiGroups: [ "storage.k8s.io" ] resources: [ "storageclasses", "csinodes", "csidrivers", "csistoragecapacities" ] verbs: [ "get", "watch", "list" ] - it: enable csinodes set: sync: fromHost: csiNodes: enabled: true asserts: - hasDocuments: count: 1 - contains: path: rules content: apiGroups: [ "storage.k8s.io" ] resources: [ "csinodes" ] verbs: [ "get", "watch", "list" ] - it: enable by multi namespace mode set: rbac: clusterRole: enabled: auto experimental: multiNamespaceMode: enabled: true asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: [ "" ] resources: [ "namespaces", "serviceaccounts" ] verbs: [ "create", "delete", "patch", "update", "get", "watch", "list" ] - it: override rules set: rbac: clusterRole: extraRules: - apiGroups: [""] resources: ["test123"] verbs: ["test123"] overwriteRules: - apiGroups: [""] resources: ["test"] verbs: ["test"] asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: [ "" ] resources: [ "test" ] verbs: [ "test" ] - it: extra rules set: sync: toHost: priorityClasses: enabled: true rbac: clusterRole: extraRules: - apiGroups: [ "" ] resources: [ "test123" ] verbs: [ "test123" ] asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 2 - contains: path: rules content: apiGroups: [ "" ] resources: [ "test123" ] verbs: [ "test123" ] - it: plugin rules set: plugin: myTest: rbac: clusterRole: extraRules: - apiGroups: [ "" ] resources: [ "test123" ] verbs: [ "test123" ] plugins: myTest2: rbac: clusterRole: extraRules: - apiGroups: [ "" ] resources: [ "test1234" ] verbs: [ "test1234" ] asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 2 - contains: path: rules content: apiGroups: [ "" ] resources: [ "test123" ] verbs: [ "test123" ] - contains: path: rules content: apiGroups: [ "" ] resources: [ "test1234" ] verbs: [ "test1234" ] - it: replicate services set: networking: replicateServices: fromHost: - from: test to: other-test asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: [ "" ] resources: [ "services", "endpoints" ] verbs: [ "get", "watch", "list" ] - it: real nodes set: sync: fromHost: nodes: enabled: true asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: [ "" ] resources: [ "pods", "nodes", "nodes/status", "nodes/metrics", "nodes/stats", "nodes/proxy" ] verbs: [ "get", "watch", "list" ] - it: virtual scheduler set: controlPlane: advanced: virtualScheduler: enabled: true asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: ["storage.k8s.io"] resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"] verbs: ["get", "watch", "list"] - it: legacy pro set: pro: true asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 3 - contains: path: rules content: apiGroups: [ "" ] resources: [ "pods", "nodes", "nodes/status", "nodes/metrics", "nodes/stats", "nodes/proxy" ] verbs: [ "get", "watch", "list" ] - contains: path: rules content: apiGroups: [ "cluster.loft.sh", "storage.loft.sh" ] resources: [ "features", "virtualclusters" ] verbs: [ "get", "list", "watch" ] - contains: path: rules content: apiGroups: ["management.loft.sh"] resources: ["virtualclusterinstances"] verbs: ["get"] - it: metrics proxy set: integrations: metricsServer: enabled: true nodes: true release: name: my-release namespace: my-namespace asserts: - hasDocuments: count: 1 - contains: path: rules content: apiGroups: [ "metrics.k8s.io" ] resources: [ "nodes" ] verbs: [ "get", "list" ] - it: externalSecrets set: integrations: externalSecrets: enabled: true webhook: enabled: false release: name: my-release namespace: my-namespace asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - it: kubeVirt set: integrations: kubeVirt: enabled: true release: name: my-release namespace: my-namespace asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 2 - contains: path: rules content: apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - contains: path: rules content: apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] verbs: ["get", "list", "watch"] - it: crd sync to host set: sync: toHost: customResources: test.test-group: enabled: true release: name: my-release namespace: my-namespace asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 1 - contains: path: rules content: apiGroups: [ "apiextensions.k8s.io" ] resources: [ "customresourcedefinitions" ] verbs: [ "get", "list", "watch" ] - it: crd sync from host set: sync: fromHost: customResources: test.test-group: enabled: true scope: Cluster release: name: my-release namespace: my-namespace asserts: - hasDocuments: count: 1 - lengthEqual: path: rules count: 2 - contains: path: rules content: apiGroups: [ "test-group" ] resources: [ "test" ] verbs: [ "get", "list", "watch" ] - contains: path: rules content: apiGroups: [ "apiextensions.k8s.io" ] resources: [ "customresourcedefinitions" ] verbs: [ "get", "list", "watch" ] - it: eso clusterstore sync set: integrations: externalSecrets: enabled: true webhook: enabled: true sync: clusterStores: enabled: true release: name: my-release namespace: my-namespace asserts: - hasDocuments: count: 1 - contains: path: rules content: apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] verbs: ["get", "list", "watch"] - contains: path: rules content: apiGroups: [ "external-secrets.io" ] resources: [ "clustersecretstores" ] verbs: ["get", "list", "watch"]