test automount service account policy against jobs

gaelgatelement · gaelgatelement · commit e14b58900816 · 2025-07-23T17:35:34.000+02:00
diff --git a/newsfragments/625.internal.md b/newsfragments/625.internal.md
@@ -0,0 +1 @@
+Check automount service account policy against Job in tests.
diff --git a/tests/manifests/__init__.py b/tests/manifests/__init__.py
@@ -97,6 +97,7 @@ class DeployableDetails(abc.ABC):
     has_db: bool = field(default=False, hash=False)
     has_image: bool = field(default=None, hash=False)  # type: ignore[assignment]
     has_ingress: bool = field(default=True, hash=False)
+    has_automount_service_account_token: bool = field(default=False, hash=False)
     has_workloads: bool = field(default=True, hash=False)
     has_replicas: bool = field(default=None, hash=False)  # type: ignore[assignment]
     has_service_monitor: bool = field(default=None, hash=False)  # type: ignore[assignment]
@@ -410,6 +411,7 @@ def make_synapse_worker_sub_component(worker_name: str, worker_type: str) -> Sub
         },
         has_image=False,
         has_ingress=False,
+        has_automount_service_account_token=True,
         has_replicas=False,
         has_service_monitor=False,
         has_topology_spread_constraints=False,
@@ -429,6 +431,7 @@ def make_synapse_worker_sub_component(worker_name: str, worker_type: str) -> Sub
         },
         has_image=False,
         has_ingress=False,
+        has_automount_service_account_token=True,
         has_replicas=False,
         has_service_monitor=False,
         has_topology_spread_constraints=False,
@@ -531,6 +534,7 @@ def make_synapse_worker_sub_component(worker_name: str, worker_type: str) -> Sub
                     PropertyType.StartupProbe: ValuesFilePath.not_supported(),
                 },
                 has_ingress=False,
+                has_automount_service_account_token=True,
                 has_replicas=False,
                 has_service_monitor=False,
                 has_topology_spread_constraints=False,
diff --git a/tests/manifests/test_serviceaccounts.py b/tests/manifests/test_serviceaccounts.py
@@ -7,17 +7,18 @@
 import pytest
 
 from . import DeployableDetails, PropertyType, all_deployables_details, values_files_to_test
-from .utils import iterate_deployables_workload_parts, template_id
+from .utils import iterate_deployables_workload_parts, template_id, template_to_deployable_details
 
 
 @pytest.mark.parametrize("values_file", values_files_to_test)
 @pytest.mark.asyncio_cooperative
 async def test_dont_automount_serviceaccount_tokens(templates):
     for template in templates:
-        if template["kind"] in ["Deployment", "StatefulSet"]:
-            assert not template["spec"]["template"]["spec"]["automountServiceAccountToken"], (
-                f"ServiceAccount token automounted for {template_id(template)}"
-            )
+        deployable_details = template_to_deployable_details(template)
+        assert (
+            deployable_details.has_automount_service_account_token
+            == template["spec"]["template"]["spec"]["automountServiceAccountToken"]
+        )
 
 
 @pytest.mark.parametrize("values_file", values_files_to_test)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Check automount service account policy against Job in tests.`