Merge pull request #625 from element-hq/gaelg/service-account-access-token

test automount service account policy against jobs

Author: gaelgatelement

newsfragments/625.internal.md

@@ -0,0 +1 @@
+Check automount service account policy against Job in tests.

tests/manifests/__init__.py

@@ -97,6 +97,7 @@ class DeployableDetails(abc.ABC):
     has_db: bool = field(default=False, hash=False)
     has_image: bool = field(default=None, hash=False)  # type: ignore[assignment]
     has_ingress: bool = field(default=True, hash=False)
+    has_automount_service_account_token: bool = field(default=False, hash=False)
     has_workloads: bool = field(default=True, hash=False)
     has_replicas: bool = field(default=None, hash=False)  # type: ignore[assignment]
     has_service_monitor: bool = field(default=None, hash=False)  # type: ignore[assignment]
@@ -410,6 +411,7 @@ def make_synapse_worker_sub_component(worker_name: str, worker_type: str) -> Sub
         },
         has_image=False,
         has_ingress=False,
+        has_automount_service_account_token=True,
         has_replicas=False,
         has_service_monitor=False,
         has_topology_spread_constraints=False,
@@ -429,6 +431,7 @@ def make_synapse_worker_sub_component(worker_name: str, worker_type: str) -> Sub
         },
         has_image=False,
         has_ingress=False,
+        has_automount_service_account_token=True,
         has_replicas=False,
         has_service_monitor=False,
         has_topology_spread_constraints=False,
@@ -531,6 +534,7 @@ def make_synapse_worker_sub_component(worker_name: str, worker_type: str) -> Sub
                     PropertyType.StartupProbe: ValuesFilePath.not_supported(),
                 },
                 has_ingress=False,
+                has_automount_service_account_token=True,
                 has_replicas=False,
                 has_service_monitor=False,
                 has_topology_spread_constraints=False,

tests/manifests/test_serviceaccounts.py

@@ -7,16 +7,18 @@
 import pytest
 
 from . import DeployableDetails, PropertyType, all_deployables_details, values_files_to_test
-from .utils import iterate_deployables_workload_parts, template_id
+from .utils import iterate_deployables_workload_parts, template_id, template_to_deployable_details
 
 
 @pytest.mark.parametrize("values_file", values_files_to_test)
 @pytest.mark.asyncio_cooperative
-async def test_dont_automount_serviceaccount_tokens(templates):
+async def test_automount_serviceaccount_tokens_as_appropriate(templates):
     for template in templates:
-        if template["kind"] in ["Deployment", "StatefulSet"]:
-            assert not template["spec"]["template"]["spec"]["automountServiceAccountToken"], (
-                f"ServiceAccount token automounted for {template_id(template)}"
+        deployable_details = template_to_deployable_details(template)
+        if template["kind"] in ["Deployment", "StatefulSet", "Job"]:
+            assert (
+                deployable_details.has_automount_service_account_token
+                == template["spec"]["template"]["spec"]["automountServiceAccountToken"]
             )