def test_db_scc(self, teardown):
    """
    Check that the noobaa db pod is admitted under the anyuid SCC once its
    service account is moved out of the default noobaa db SCC.

    Steps: confirm the pod's ``openshift.io/scc`` annotation names the default
    SCC, drop the first ``users`` entry of that SCC, insert the service
    account at the head of anyuid's ``users``, force-delete the pod, wait for
    a Running replacement, confirm its annotation now reads anyuid, then wait
    for noobaa to report healthy.

    Args:
        teardown: fixture that is not referenced in the body; presumably it
            registers the cleanup that reverts the SCC edits - confirm.
    """
    # The same constant serves as the SCC name and as the ``sa_name`` handed
    # to validate_scc_policy below.
    db_scc = constants.NOOBAA_DB_SERVICE_ACCOUNT_NAME
    sa_user = constants.NOOBAA_DB_SERVICE_ACCOUNT
    ns = defaults.ROOK_CLUSTER_NAMESPACE
    db_label = self.labels_map["noobaa_db"]

    def assigned_scc(manifest):
        # SCC recorded on the pod in its "openshift.io/scc" annotation.
        return manifest.get("metadata").get("annotations").get("openshift.io/scc")

    def sa_listed_in(target_scc):
        return helpers.validate_scc_policy(
            sa_name=db_scc,
            namespace=ns,
            scc_name=target_scc,
        )

    matching_pods = pod.get_pods_having_label(label=db_label, namespace=ns)
    db_pod = pod.Pod(**matching_pods[0])
    scc_api = ocp.OCP(kind=constants.SCC, namespace=ns)

    manifest = db_pod.get()
    log.info(f"Verifying current SCC is {db_scc} in db pod")
    assert assigned_scc(manifest) == db_scc, "Invalid default scc"

    # A JSON Patch "remove" acts on the path alone and ignores "value", so
    # this deletes whichever entry sits at users[0].
    # NOTE(review): presumably the service account is the first (or only)
    # user of this SCC - confirm, or guard the remove with a "test" op on the
    # same path so an unrelated user can never be dropped.
    # NOTE(review): the account string is interpolated without JSON quotes;
    # confirm the patch call parses the payload as intended.
    drop_first_user = (
        '[{"op": "remove", "path": "/users/0", '
        f'"value":{sa_user}}}]'
    )
    log.info("Deleting the user array from the Noobaa scc")
    scc_api.patch(
        resource_name=db_scc,
        params=drop_first_user,
        format_type="json",
    )
    assert not sa_listed_in(db_scc), "SA name is present in noobaa scc"

    # This edits the anyuid SCC on the live cluster; the grant stays in place
    # until something reverts it, so a failed cleanup leaves the service
    # account with the wider SCC.
    prepend_user = (
        '[{"op": "add", "path": "/users/0", '
        f'"value":{sa_user}}}]'
    )
    log.info("Adding the noobaa system sa user to anyuid scc")
    scc_api.patch(
        resource_name=constants.ANYUID,
        params=prepend_user,
        format_type="json",
    )
    assert sa_listed_in(constants.ANYUID), "SA name is not present in anyuid scc"

    # Force a restart so the replacement pod is admitted under the edited SCCs.
    db_pod.delete(force=True)

    # The replacement pod has to reach the Running status within 300 seconds.
    assert db_pod.ocp.wait_for_resource(
        condition=constants.STATUS_RUNNING,
        selector=db_label,
        resource_count=1,
        timeout=300,
    ), "Noobaa pod did not reach running state"

    # NOTE(review): reuses the original Pod object after the delete;
    # presumably the replacement pod keeps the same name - confirm.
    manifest = db_pod.get()
    log.info("Verifying SCC is now anyuid in the db pod")
    assert assigned_scc(manifest) == constants.ANYUID, "Invalid scc"

    # Finish by checking that noobaa reports a healthy system.
    self.cl_obj.wait_for_noobaa_health_ok()
def finalizer():
    """
    Put the noobaa db service account back under its default SCC.

    Drops the first ``users`` entry of anyuid when the account is listed
    there, re-adds the account to the default SCC when it is missing, and, if
    the db pod was running under anyuid when this cleanup started,
    force-deletes it and checks that the replacement reports the default SCC.
    """
    db_scc = constants.NOOBAA_DB_SERVICE_ACCOUNT_NAME
    sa_user = constants.NOOBAA_DB_SERVICE_ACCOUNT
    ns = defaults.ROOK_CLUSTER_NAMESPACE
    db_label = self.labels_map["noobaa_db"]

    def assigned_scc(manifest):
        # SCC recorded on the pod in its "openshift.io/scc" annotation.
        return manifest.get("metadata").get("annotations").get("openshift.io/scc")

    def sa_listed_in(target_scc):
        return helpers.validate_scc_policy(
            sa_name=db_scc,
            namespace=ns,
            scc_name=target_scc,
        )

    matching_pods = pod.get_pods_having_label(label=db_label, namespace=ns)
    db_pod = pod.Pod(**matching_pods[0])
    # Snapshot taken before any SCC is edited; it decides the restart below.
    manifest = db_pod.get()
    scc_api = ocp.OCP(kind=constants.SCC, namespace=ns)

    if sa_listed_in(constants.ANYUID):
        # The membership check does not establish the account's position, and
        # a JSON Patch "remove" ignores "value": users[0] is dropped whatever
        # it holds.
        # NOTE(review): assumes the account is still the first anyuid user, as
        # inserted by the test - confirm, or add a "test" op on the same path
        # so another principal cannot lose anyuid by accident.
        drop_first_user = (
            '[{"op": "remove", "path": "/users/0", '
            f'"value":{sa_user}}}]'
        )
        scc_api.patch(
            resource_name=constants.ANYUID,
            params=drop_first_user,
            format_type="json",
        )

    if not sa_listed_in(db_scc):
        prepend_user = (
            '[{"op": "add", "path": "/users/0", '
            f'"value":{sa_user}}}]'
        )
        scc_api.patch(
            resource_name=db_scc,
            params=prepend_user,
            format_type="json",
        )

    # NOTE(review): the restart, the wait and the final SCC check are treated
    # as one unit that runs only when the pod was under anyuid - confirm the
    # intended nesting.
    if assigned_scc(manifest) != constants.ANYUID:
        return

    db_pod.delete(force=True)
    assert db_pod.ocp.wait_for_resource(
        condition=constants.STATUS_RUNNING,
        selector=db_label,
        resource_count=1,
        timeout=300,
    ), "Noobaa pod did not reach running state"
    manifest = db_pod.get()
    assert assigned_scc(manifest) == db_scc, "Invalid scc"