eventshub RBAC resources independent to avoid deletion conflicts (#538)

By having [1] and the fact that: - eventshub's RBAC resources are namespace global - multiple parallel tests might run in a single namespace we end up removing resources that are in active use by other tests. [1] 8a5db1b Signed-off-by: Pierangelo Di Pilato <[email protected]> (cherry picked from commit cf14f44)
knative-extensions · Aug 3, 2023 · 4fa735e · 4fa735e
1 parent 288a740
commit 4fa735e
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 19 deletions.
diff --git a/pkg/eventshub/103-pod.yaml b/pkg/eventshub/103-pod.yaml
@@ -26,7 +26,7 @@ metadata:
       {{ end }}
   {{ end }}
 spec:
-  serviceAccountName: "{{ .namespace }}"
+  serviceAccountName: "{{ .name }}"
   restartPolicy: "OnFailure"
   {{ if .podSecurityContext }}
   securityContext:

diff --git a/pkg/eventshub/eventshub_test.go b/pkg/eventshub/eventshub_test.go
@@ -75,7 +75,7 @@ func Example() {
 	//   labels:
 	//     app: eventshub-hubhub
 	// spec:
-	//   serviceAccountName: "example"
+	//   serviceAccountName: "hubhub"
 	//   restartPolicy: "OnFailure"
 	//   containers:
 	//     - name: eventshub
@@ -152,7 +152,7 @@ func ExampleIstioAnnotation() {
 	//       sidecar.istio.io/inject: "true"
 	//       sidecar.istio.io/rewriteAppHTTPProbers: "true"
 	// spec:
-	//   serviceAccountName: "example"
+	//   serviceAccountName: "hubhub"
 	//   restartPolicy: "OnFailure"
 	//   containers:
 	//     - name: eventshub
@@ -223,7 +223,7 @@ func ExampleNoReadiness() {
 	//   labels:
 	//     app: eventshub-hubhub
 	// spec:
-	//   serviceAccountName: "example"
+	//   serviceAccountName: "hubhub"
 	//   restartPolicy: "OnFailure"
 	//   containers:
 	//     - name: eventshub

diff --git a/pkg/eventshub/rbac/100-sa.yaml b/pkg/eventshub/rbac/100-sa.yaml
@@ -15,5 +15,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .namespace }}
+  name: {{ .name }}
   namespace: {{ .namespace }}
diff --git a/pkg/eventshub/rbac/101-rbac.yaml b/pkg/eventshub/rbac/101-rbac.yaml
@@ -15,7 +15,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ .namespace }}
+  name: {{ .name }}
   namespace: {{ .namespace }}
 rules:
   - apiGroups: [ "" ]
@@ -35,13 +35,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .namespace }}
+  name: {{ .name }}
   namespace: {{ .namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ .namespace }}
+  name: {{ .name }}
 subjects:
   - kind: ServiceAccount
-    name: {{ .namespace }}
+    name: {{ .name }}
     namespace: {{ .namespace }}
diff --git a/pkg/eventshub/rbac/rbac.go b/pkg/eventshub/rbac/rbac.go
@@ -31,9 +31,9 @@ var templates embed.FS
 
 // Install creates the necessary ServiceAccount, Role, RoleBinding for the eventshub.
 // The resources are named according to the current namespace defined in the environment.
-func Install() feature.StepFn {
+func Install(cfg map[string]interface{}) feature.StepFn {
 	return func(ctx context.Context, t feature.T) {
-		if _, err := manifest.InstallYamlFS(ctx, templates, map[string]interface{}{}); err != nil && !apierrors.IsAlreadyExists(err) {
+		if _, err := manifest.InstallYamlFS(ctx, templates, cfg); err != nil && !apierrors.IsAlreadyExists(err) {
 			t.Fatal(err)
 		}
 	}

diff --git a/pkg/eventshub/rbac/rbac_test.go b/pkg/eventshub/rbac/rbac_test.go
@@ -31,6 +31,7 @@ func Example() {
 	ctx := testlog.NewContext()
 	files, err := manifest.ExecuteYAML(ctx, templates, nil,
 		map[string]interface{}{
+			"name":      "examplen",
 			"namespace": "example",
 		})
 	if err != nil {
@@ -42,13 +43,13 @@ func Example() {
 	// apiVersion: v1
 	// kind: ServiceAccount
 	// metadata:
-	//   name: example
+	//   name: examplen
 	//   namespace: example
 	// ---
 	// apiVersion: rbac.authorization.k8s.io/v1
 	// kind: Role
 	// metadata:
-	//   name: example
+	//   name: examplen
 	//   namespace: example
 	// rules:
 	//   - apiGroups: [ "" ]
@@ -66,14 +67,14 @@ func Example() {
 	// apiVersion: rbac.authorization.k8s.io/v1
 	// kind: RoleBinding
 	// metadata:
-	//   name: example
+	//   name: examplen
 	//   namespace: example
 	// roleRef:
 	//   apiGroup: rbac.authorization.k8s.io
 	//   kind: Role
-	//   name: example
+	//   name: examplen
 	// subjects:
 	//   - kind: ServiceAccount
-	//     name: example
+	//     name: examplen
 	//     namespace: example
 }
diff --git a/pkg/eventshub/resources.go b/pkg/eventshub/resources.go
@@ -67,9 +67,6 @@ func Install(name string, options ...EventsHubOption) feature.StepFn {
 		eventListener := k8s.EventListenerFromContext(ctx)
 		registerEventsHubStore(ctx, eventListener, name, namespace)
 
-		// Install ServiceAccount, Role, RoleBinding
-		eventshubrbac.Install()(ctx, t)
-
 		isReceiver := strings.Contains(envs["EVENT_GENERATORS"], "receiver")
 
 		cfg := map[string]interface{}{
@@ -79,6 +76,9 @@ func Install(name string, options ...EventsHubOption) feature.StepFn {
 			"withReadiness": isReceiver,
 		}
 
+		// Install ServiceAccount, Role, RoleBinding
+		eventshubrbac.Install(cfg)(ctx, t)
+
 		if ic := environment.GetIstioConfig(ctx); ic.Enabled {
 			manifest.WithIstioPodAnnotations(cfg)
 		}