fix: add write permission for leases (#191)

* fix：BUGFIX #182 ,add write permisson of resource:leases in apisix_view_clusterrole.yaml

* fix：BUGFIX #182 , add _clusterRole reference in test\e2e\scaffold\ingress.go

* fix：BUGFIX #182 , add  namespace

* fix：BUGFIX #182 , fix format

* fix：BUGFIX #182 , fix format

* fix

* fix

* fix: reset finializers

Co-authored-by: 周宇 <[email protected]>
Co-authored-by: Alex Zhang <[email protected]>

Author: 3 people

charts/apisix-ingress-controller/templates/rbac.yaml

@@ -142,6 +142,12 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

samples/deploy/rbac/apisix_view_clusterrole.yaml

@@ -142,3 +142,9 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - '*'

test/e2e/scaffold/ingress.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/onsi/ginkgo"
+	"github.com/stretchr/testify/assert"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
@@ -28,7 +29,142 @@ import (
 )
 
 const (
-	_serviceAccount     = "ingress-apisix-e2e-test-service-account"
+	_serviceAccount = "ingress-apisix-e2e-test-service-account"
+	_clusterRole    = `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: %s-apisix-view-clusterrole
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - persistentvolumeclaims
+      - pods
+      - replicationcontrollers
+      - replicationcontrollers/scale
+      - serviceaccounts
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - bindings
+      - events
+      - limitranges
+      - namespaces/status
+      - pods/log
+      - pods/status
+      - replicationcontrollers/status
+      - resourcequotas
+      - resourcequotas/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - controllerrevisions
+      - daemonsets
+      - deployments
+      - deployments/scale
+      - replicasets
+      - replicasets/scale
+      - statefulsets
+      - statefulsets/scale
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/scale
+      - ingresses
+      - networkpolicies
+      - replicasets
+      - replicasets/scale
+      - replicationcontrollers/scale
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - metrics.k8s.io
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apisix.apache.org
+    resources:
+      - apisixroutes
+      - apisixupstreams
+      - apisixservices
+      - apisixtlses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+    - coordination.k8s.io
+    resources:
+    - leases
+    verbs:
+    - '*'
+`
 	_clusterRoleBinding = `
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -37,7 +173,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: %s-apisix-view-clusterrole
 subjects:
 - kind: ServiceAccount
   name: ingress-apisix-e2e-test-service-account
@@ -120,10 +256,23 @@ func (s *Scaffold) newIngressAPISIXController() error {
 		return err
 	}
 
-	crb := fmt.Sprintf(_clusterRoleBinding, s.namespace, s.namespace)
+	cr := fmt.Sprintf(_clusterRole, s.namespace)
+	if err := k8s.KubectlApplyFromStringE(s.t, s.kubectlOptions, cr); err != nil {
+		return err
+	}
+
+	crb := fmt.Sprintf(_clusterRoleBinding, s.namespace, s.namespace, s.namespace)
 	if err := k8s.KubectlApplyFromStringE(s.t, s.kubectlOptions, crb); err != nil {
 		return err
 	}
+	s.addFinializer(func() {
+		err := k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, crb)
+		assert.Nil(s.t, err, "deleting ClusterRoleBinding")
+	})
+	s.addFinializer(func() {
+		err := k8s.KubectlDeleteFromStringE(s.t, s.kubectlOptions, cr)
+		assert.Nil(s.t, err, "deleting ClusterRole")
+	})
 	if err := k8s.KubectlApplyFromStringE(s.t, s.kubectlOptions, ingressAPISIXDeployment); err != nil {
 		return err
 	}

test/e2e/scaffold/scaffold.go

@@ -184,6 +184,7 @@ func (s *Scaffold) beforeEach() {
 		ConfigPath: s.opts.Kubeconfig,
 		Namespace:  s.namespace,
 	}
+	s.finializers = nil
 	k8s.CreateNamespace(s.t, s.kubectlOptions, s.namespace)
 
 	s.nodes, err = k8s.GetReadyNodesE(s.t, s.kubectlOptions)