Add E2E test to verify roles/bindings are deleted

jgwest · jgwest · commit df262fe66d25 · 2024-10-19T13:43:05.000-04:00
Signed-off-by: Jonathan West &lt;jonwest@redhat.com&gt;
diff --git a/controllers/resources_test.go b/controllers/resources_test.go
@@ -1141,7 +1141,7 @@ var _ = Describe("Resource creation and cleanup tests", func() {
 			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(Succeed())
 
 			By("Verify existing Role is deleted")
-			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(HaveOccurred())
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).ToNot(Succeed())
 		})
 
 		It("Should delete existing ClusterRole when Role is reconciled", func() {
@@ -1161,7 +1161,7 @@ var _ = Describe("Resource creation and cleanup tests", func() {
 			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(role), role)).To(Succeed())
 
 			By("Verify existing ClusterRole is deleted")
-			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(HaveOccurred())
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).ToNot(Succeed())
 		})
 
 		It("Should delete existing RoleBinding when ClusterRoleBinding is reconciled", func() {
@@ -1187,7 +1187,7 @@ var _ = Describe("Resource creation and cleanup tests", func() {
 			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRoleBinding), clusterRoleBinding)).To(Succeed())
 
 			By("Verify RoleBinding is deleted")
-			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(HaveOccurred())
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).ToNot(Succeed())
 		})
 
 		It("Should delete existing ClusterRoleBinding when RoleBinding is reconciled", func() {
@@ -1213,7 +1213,7 @@ var _ = Describe("Resource creation and cleanup tests", func() {
 			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(roleBinding), roleBinding)).To(Succeed())
 
 			By("Verify ClusterRoleBinding is deleted")
-			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).To(HaveOccurred())
+			Expect(r.Client.Get(ctx, client.ObjectKeyFromObject(clusterRole), clusterRole)).ToNot(Succeed())
 		})
 	})
 })
diff --git a/tests/e2e/rollout_tests_all.go b/tests/e2e/rollout_tests_all.go
@@ -595,5 +595,101 @@ func RunRolloutsTests(namespaceScopedParam bool) {
 
 			})
 		})
+
+		When("a namespace-scoped RolloutManager is installed into a namespace that previously contained a cluster-scoped RolloutManager, or vice versa", func() {
+
+			It("should cleanup any cluster/role/rolebinding resources that are present in the namespace, that do not match the current .spec.namespaceScoped value of the RolloutManager CR", func() {
+
+				var fakeRole rbacv1.Role
+				var fakeRoleBinding rbacv1.RoleBinding
+
+				var fakeClusterRole rbacv1.ClusterRole
+				var fakeClusterRoleBinding rbacv1.ClusterRoleBinding
+
+				By("creating ClusterRole/Binding in the namespace-scoped case, and Role/Binding in the cluster-scoped case")
+
+				if namespaceScopedParam {
+
+					fakeClusterRole = rbacv1.ClusterRole{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      controllers.DefaultArgoRolloutsResourceName,
+							Namespace: rolloutManager.Namespace,
+						},
+					}
+					Expect(k8sClient.Create(ctx, &fakeClusterRole)).To(Succeed())
+
+					fakeClusterRoleBinding = rbacv1.ClusterRoleBinding{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      controllers.DefaultArgoRolloutsResourceName,
+							Namespace: rolloutManager.Namespace,
+						},
+						RoleRef: rbacv1.RoleRef{
+							APIGroup: rbacv1.GroupName,
+							Kind:     "ClusterRole",
+							Name:     fakeClusterRole.Name,
+						},
+						Subjects: []rbacv1.Subject{
+							{
+								Kind:      rbacv1.ServiceAccountKind,
+								Name:      controllers.DefaultArgoRolloutsResourceName,
+								Namespace: rolloutManager.Namespace,
+							},
+						},
+					}
+					Expect(k8sClient.Create(ctx, &fakeClusterRoleBinding)).To(Succeed())
+
+				} else {
+
+					fakeRole = rbacv1.Role{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      controllers.DefaultArgoRolloutsResourceName,
+							Namespace: rolloutManager.Namespace,
+						},
+					}
+					Expect(k8sClient.Create(ctx, &fakeRole)).To(Succeed())
+
+					fakeRoleBinding = rbacv1.RoleBinding{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      controllers.DefaultArgoRolloutsResourceName,
+							Namespace: rolloutManager.Namespace,
+						},
+						RoleRef: rbacv1.RoleRef{
+							APIGroup: rbacv1.GroupName,
+							Kind:     "Role",
+							Name:     fakeRole.Name,
+						},
+						Subjects: []rbacv1.Subject{
+							{
+								Kind:      rbacv1.ServiceAccountKind,
+								Name:      controllers.DefaultArgoRolloutsResourceName,
+								Namespace: rolloutManager.Namespace,
+							},
+						},
+					}
+					Expect(k8sClient.Create(ctx, &fakeRoleBinding)).To(Succeed())
+
+				}
+
+				By("creating RolloutManager and waiting for it to be available")
+				Expect(k8sClient.Create(ctx, &rolloutManager)).To(Succeed())
+				Eventually(rolloutManager, "1m", "1s").Should(rolloutManagerFixture.HavePhase(rolloutsmanagerv1alpha1.PhaseAvailable))
+
+				if namespaceScopedParam {
+
+					By("verifying that in the namespace-scoped case, the cluster-scoped resources are deleted after reconciliation")
+					Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeClusterRole), &fakeClusterRole)).ToNot(Succeed())
+					Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeClusterRoleBinding), &fakeClusterRoleBinding)).ToNot(Succeed())
+
+				} else {
+
+					By("verifying that in the cluster-scoped case, the namespace-scoped resources are deleted after reconciliation")
+					Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeRole), &fakeRole)).ToNot(Succeed())
+					Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(&fakeRoleBinding), &fakeRoleBinding)).ToNot(Succeed())
+
+				}
+
+			})
+		})
+
 	})
 }
