hashicorp · nathancoleman · May 24, 2024 · May 23, 2024
@@ -219,6 +219,7 @@ func (h *HelmCluster) Destroy(t *testing.T) {
 	// Retry because sometimes certain resources (like PVC) take time to delete
 	// in cloud providers.
 	retry.RunWith(&retry.Counter{Wait: 2 * time.Second, Count: 600}, t, func(r *retry.R) {
+
 		// Force delete any pods that have h.releaseName in their name because sometimes
 		// graceful termination takes a long time and since this is an uninstall
 		// we don't care that they're stopped gracefully.
@@ -239,9 +240,7 @@ func (h *HelmCluster) Destroy(t *testing.T) {
 		require.NoError(r, err)
 		for _, deployment := range deployments.Items {
 			if strings.Contains(deployment.Name, h.releaseName) {
-				err := h.kubernetesClient.AppsV1().
-					Deployments(h.helmOptions.KubectlOptions.Namespace).
-					Delete(context.Background(), deployment.Name, metav1.DeleteOptions{})
+				err := h.kubernetesClient.AppsV1().Deployments(h.helmOptions.KubectlOptions.Namespace).Delete(context.Background(), deployment.Name, metav1.DeleteOptions{})
 				if !errors.IsNotFound(err) {
 					require.NoError(r, err)
 				}
@@ -550,6 +549,7 @@ func (h *HelmCluster) SetupConsulClient(t *testing.T, secure bool, release ...st
 					require.NoError(r, err)
 				}
 			})
+
 		}
 	}
 
@@ -701,40 +701,47 @@ func configureNamespace(t *testing.T, client kubernetes.Interface, cfg *config.T
 }
 
 // configureSCCs creates RoleBindings that bind the default service account to cluster roles
-// allowing access to the privileged Security Context Constraints on OpenShift.
+// allowing access to the anyuid and privileged Security Context Constraints on OpenShift.
 func configureSCCs(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
+	const anyuidClusterRole = "system:openshift:scc:anyuid"
 	const privilegedClusterRole = "system:openshift:scc:privileged"
+	anyuidRoleBinding := "anyuid-test"
 	privilegedRoleBinding := "privileged-test"
 
 	// A role binding to allow default service account in the installation namespace access to the SCCs.
-	// Check if this cluster role binding already exists.
-	_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), privilegedRoleBinding, metav1.GetOptions{})
-
-	if errors.IsNotFound(err) {
-		roleBinding := &rbacv1.RoleBinding{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: privilegedRoleBinding,
-			},
-			Subjects: []rbacv1.Subject{
-				{
-					Kind:      rbacv1.ServiceAccountKind,
-					Name:      "default",
-					Namespace: namespace,
-				},
-			},
-			RoleRef: rbacv1.RoleRef{
-				Kind: "ClusterRole",
-				Name: privilegedClusterRole,
-			},
-		}
+	{
+		for clusterRoleName, roleBindingName := range map[string]string{anyuidClusterRole: anyuidRoleBinding, privilegedClusterRole: privilegedRoleBinding} {
+			// Check if this cluster role binding already exists.
+			_, err := client.RbacV1().RoleBindings(namespace).Get(context.Background(), roleBindingName, metav1.GetOptions{})
+
+			if errors.IsNotFound(err) {
+				roleBinding := &rbacv1.RoleBinding{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: roleBindingName,
+					},
+					Subjects: []rbacv1.Subject{
+						{
+							Kind:      rbacv1.ServiceAccountKind,
+							Name:      "default",
+							Namespace: namespace,
+						},
+					},
+					RoleRef: rbacv1.RoleRef{
+						Kind: "ClusterRole",
+						Name: clusterRoleName,
+					},
+				}
 
-		_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
-		require.NoError(t, err)
-	} else {
-		require.NoError(t, err)
+				_, err = client.RbacV1().RoleBindings(namespace).Create(context.Background(), roleBinding, metav1.CreateOptions{})
+				require.NoError(t, err)
+			} else {
+				require.NoError(t, err)
+			}
+		}
 	}
 
 	helpers.Cleanup(t, cfg.NoCleanupOnFailure, cfg.NoCleanup, func() {
+		_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), anyuidRoleBinding, metav1.DeleteOptions{})
 		_ = client.RbacV1().RoleBindings(namespace).Delete(context.Background(), privilegedRoleBinding, metav1.DeleteOptions{})
 	})
 }

@@ -142,10 +142,6 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
 		checkStatusCondition(r, gateway.Status.Conditions, trueCondition("ConsulAccepted", "Accepted"))
 		require.Len(r, gateway.Status.Listeners, 2)
 
-		// http route checks
-		err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
-		require.NoError(r, err)
-
 		require.EqualValues(r, int32(1), gateway.Status.Listeners[0].AttachedRoutes)
 		checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, trueCondition("Accepted", "Accepted"))
 		checkStatusCondition(r, gateway.Status.Listeners[0].Conditions, falseCondition("Conflicted", "NoConflicts"))
@@ -156,6 +152,10 @@ func TestAPIGateway_KitchenSink(t *testing.T) {
 		// now we know we have an address, set it so we can use it
 		gatewayAddress = gateway.Status.Addresses[0].Value
 
+		// http route checks
+		err = k8sClient.Get(context.Background(), types.NamespacedName{Name: "http-route", Namespace: "default"}, &httpRoute)
+		require.NoError(r, err)
+
 		// check our finalizers
 		require.Len(r, httpRoute.Finalizers, 1)
 		require.EqualValues(r, gatewayFinalizer, httpRoute.Finalizers[0])

@@ -0,0 +1,26 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: multiport-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: multiport
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: multiport-admin-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: multiport-admin
@@ -7,4 +7,5 @@ resources:
   - secret.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-client-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: static-client
@@ -6,4 +6,5 @@ resources:
   - service.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-server-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: static-server
@@ -7,4 +7,5 @@ resources:
   - service.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-server-tcp-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: static-server-tcp
@@ -7,4 +7,5 @@ resources:
   - serviceaccount.yaml
   - servicedefaults.yaml
   - psp-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml
@@ -0,0 +1,14 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: static-server-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: static-server
@@ -6,4 +6,5 @@ resources:
   - service.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml
@@ -0,0 +1,26 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: multiport-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: multiport
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: multiport-admin-openshift-anyuid
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:anyuid
+subjects:
+  - kind: ServiceAccount
+    name: multiport-admin
@@ -7,4 +7,5 @@ resources:
   - secret.yaml
   - serviceaccount.yaml
   - psp-rolebinding.yaml
-  - privileged-scc-rolebinding.yaml
+  - anyuid-scc-rolebinding.yaml
+  - privileged-scc-rolebinding.yaml