scaffold integ test for custom metadata assignment

hashicorp · Jan 3, 2024 · 9254c8f · 9254c8f
1 parent 19556d7
commit 9254c8f
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 25 deletions.
diff --git a/integrationtest/integration_test.go b/integrationtest/integration_test.go
@@ -220,6 +220,25 @@ func TestFailWithBadTokenReviewerJwt(t *testing.T) {
 	}
 }
 
+func TestAuthAliasCustomMetadataAssignment(t *testing.T) {
+	// TODO annotate serviceaccount with "auth-metadata.vault.hashicorp.com/foo" : "bar"
+
+	client, cleanup := setupKubernetesAuth(t, "vault", nil, nil)
+	defer cleanup()
+
+	_, err := client.Logical().Write("auth/kubernetes/login", map[string]interface{}{
+		"role": "test-role",
+		"jwt":  createToken(t, "vault", nil),
+	})
+	if err != nil {
+		t.Fatalf("Expected successful login but got: %v", err)
+	}
+
+	// TODO query the alias that has the entity ID matching the service account uid
+
+	// TODO compare its custom metadata to the vault auth annotations
+}
+
 func TestUnauthorizedServiceAccountErrorCode(t *testing.T) {
 	client, cleanup := setupKubernetesAuth(t, "badServiceAccount", nil, nil)
 	defer cleanup()

diff --git a/integrationtest/vault/serviceAccountControllerBinding.yaml b/integrationtest/vault/serviceAccountControllerBinding.yaml
@@ -1,30 +1,30 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: test-service-account-getter-account-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:controller:service-account-controller
-subjects:
-  - kind: ServiceAccount
-    name: test-token-reviewer-account
-    namespace: test
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: test-service-account-getter-account-binding-vault
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:controller:service-account-controller
-subjects:
-  - kind: ServiceAccount
-    name: vault
-    namespace: test
+#apiVersion: rbac.authorization.k8s.io/v1
+#kind: ClusterRoleBinding
+#metadata:
+#  name: test-service-account-getter-account-binding
+#roleRef:
+#  apiGroup: rbac.authorization.k8s.io
+#  kind: ClusterRole
+#  name: system:controller:service-account-controller
+#subjects:
+#  - kind: ServiceAccount
+#    name: test-token-reviewer-account
+#    namespace: test
+#---
+#apiVersion: rbac.authorization.k8s.io/v1
+#kind: ClusterRoleBinding
+#metadata:
+#  name: test-service-account-getter-account-binding-vault
+#roleRef:
+#  apiGroup: rbac.authorization.k8s.io
+#  kind: ClusterRole
+#  name: system:controller:service-account-controller
+#subjects:
+#  - kind: ServiceAccount
+#    name: vault
+#    namespace: test