add manager role extra rules

2026-01-18 01:33:32 +08:00 · 2026-01-16 18:46:21 +01:00
parent d28d439597
commit 4f3f663603
4 changed files with 206 additions and 0 deletions
--- a/charts/gha-runner-scale-set-dev/tests/manager_role_extra_rules_test.yaml
+++ b/charts/gha-runner-scale-set-dev/tests/manager_role_extra_rules_test.yaml
@@ -0,0 +1,76 @@
+suite: "Test Manager Role Extra Rules"
+templates:
+  - manager_role.yaml
+tests:
+  - it: should render base role metadata
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    chart:
+      appVersion: "0.14.0"
+    asserts:
+      - equal:
+          path: apiVersion
+          value: "rbac.authorization.k8s.io/v1"
+      - equal:
+          path: kind
+          value: "Role"
+      - equal:
+          path: metadata.name
+          value: "test-name-manager-role"
+      - equal:
+          path: metadata.namespace
+          value: "test-namespace"
+      - equal:
+          path: metadata.labels["app.kubernetes.io/component"]
+          value: "manager-role"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-name"]
+          value: "test-name"
+      - equal:
+          path: metadata.labels["actions.github.com/scale-set-namespace"]
+          value: "test-namespace"
+      - equal:
+          path: metadata.finalizers[0]
+          value: "actions.github.com/cleanup-protection"
+
+  - it: should append extra RBAC policy rules
+    set:
+      resource:
+        managerRole:
+          extraRules:
+            - apiGroups:
+                - ""
+              resources:
+                - "events"
+              verbs:
+                - "create"
+                - "patch"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - equal:
+          path: rules[6].apiGroups[0]
+          value: ""
+      - equal:
+          path: rules[6].resources[0]
+          value: "events"
+      - equal:
+          path: rules[6].verbs[0]
+          value: "create"
+      - equal:
+          path: rules[6].verbs[1]
+          value: "patch"
+
+  - it: should fail when extraRules is not a list
+    set:
+      resource:
+        managerRole:
+          extraRules: "not-a-list"
+    release:
+      name: "test-name"
+      namespace: "test-namespace"
+    asserts:
+      - failedTemplate:
+          errorMessage: ".Values.resource.managerRole.extraRules must be a list of RBAC policy rules"