From 9254c8f076a6a91e53435c7d09cde245a2f07550 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Wed, 3 Jan 2024 10:19:16 -0800
Subject: [PATCH] scaffold integ test for custom metadata assignment

---
 integrationtest/integration_test.go | 19 +++++++
 .../serviceAccountControllerBinding.yaml | 50 +++++++++----------
 2 files changed, 44 insertions(+), 25 deletions(-)

diff --git a/integrationtest/integration_test.go b/integrationtest/integration_test.go
index 77e3c72f..4087047a 100644
--- a/integrationtest/integration_test.go
+++ b/integrationtest/integration_test.go
@@ -220,6 +220,25 @@ func TestFailWithBadTokenReviewerJwt(t *testing.T) {
 }
 }
+func TestAuthAliasCustomMetadataAssignment(t *testing.T) {
+ // TODO annotate serviceaccount with "auth-metadata.vault.hashicorp.com/foo" : "bar"
+
+ client, cleanup := setupKubernetesAuth(t, "vault", nil, nil)
+ defer cleanup()
+
+ _, err := client.Logical().Write("auth/kubernetes/login", map[string]interface{}{
+ "role": "test-role",
+ "jwt": createToken(t, "vault", nil),
+ })
+ if err != nil {
+ t.Fatalf("Expected successful login but got: %v", err)
+ }
+
+ // TODO query the alias that has the entity ID matching the service account uid
+
+ // TODO compare its custom metadata to the vault auth annotations
+}
+
 func TestUnauthorizedServiceAccountErrorCode(t *testing.T) {
 client, cleanup := setupKubernetesAuth(t, "badServiceAccount", nil, nil)
 defer cleanup()
diff --git a/integrationtest/vault/serviceAccountControllerBinding.yaml b/integrationtest/vault/serviceAccountControllerBinding.yaml
index eb909202..9e9d3873 100644
--- a/integrationtest/vault/serviceAccountControllerBinding.yaml
+++ b/integrationtest/vault/serviceAccountControllerBinding.yaml
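Review bot: As scaffolded, TestAuthAliasCustomMetadataAssignment passes as soon as the login succeeds, which the existing login tests already cover, so a green run says nothing about metadata assignment; until the three TODOs are implemented it should fail or skip explicitly, e.g. `t.Skip("TODO: alias custom metadata assertions not implemented")` placed before the login call. When the assertions are written, cover the negative case as well — an annotation that does not carry the `auth-metadata.vault.hashicorp.com/` prefix must not appear in the alias metadata — because alias metadata is commonly referenced from templated policies and a too-permissive copy would go unnoticed by a positive-only check. The same commit comments out both ClusterRoleBindings in serviceAccountControllerBinding.yaml instead of deleting them, and the message does not say why; if the vault service account still needs to read its own annotations for this test, that should come from an explicit, narrower grant rather than a commented-out cluster-wide binding left in the manifest.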
@@ -1,30 +1,30 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: test-service-account-getter-account-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:controller:service-account-controller
-subjects:
- - kind: ServiceAccount
- name: test-token-reviewer-account
- namespace: test
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: test-service-account-getter-account-binding-vault
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:controller:service-account-controller
-subjects:
- - kind: ServiceAccount
- name: vault
- namespace: test
+#apiVersion: rbac.authorization.k8s.io/v1
+#kind: ClusterRoleBinding
+#metadata:
+# name: test-service-account-getter-account-binding
+#roleRef:
+# apiGroup: rbac.authorization.k8s.io
+# kind: ClusterRole
+# name: system:controller:service-account-controller
+#subjects:
+# - kind: ServiceAccount
+# name: test-token-reviewer-account
+# namespace: test
+#---
+#apiVersion: rbac.authorization.k8s.io/v1
+#kind: ClusterRoleBinding
+#metadata:
+# name: test-service-account-getter-account-binding-vault
+#roleRef:
+# apiGroup: rbac.authorization.k8s.io
+# kind: ClusterRole
+# name: system:controller:service-account-controller
+#subjects:
+# - kind: ServiceAccount
+# name: vault
+# namespace: test