suite: "Test Kubernetes Mode RoleBinding" templates: - kube_mode_role_binding.yaml tests: - it: should render base rolebinding metadata in kubernetes mode set: runner: mode: "kubernetes" kubernetesMode: default: true serviceAccountName: "" release: name: "test-name" namespace: "test-namespace" chart: appVersion: "0.14.0" asserts: - equal: path: apiVersion value: "rbac.authorization.k8s.io/v1" - equal: path: kind value: "RoleBinding" - equal: path: metadata.name value: "test-name-kube-mode" - equal: path: metadata.namespace value: "test-namespace" - equal: path: metadata.labels["app.kubernetes.io/component"] value: "kube-mode-role-binding" - equal: path: metadata.labels["actions.github.com/scale-set-name"] value: "test-name" - equal: path: metadata.labels["actions.github.com/scale-set-namespace"] value: "test-namespace" - equal: path: metadata.finalizers[0] value: "actions.github.com/cleanup-protection" - equal: path: roleRef.kind value: "Role" - equal: path: roleRef.name value: "test-name-kube-mode" - equal: path: subjects[0].kind value: "ServiceAccount" - equal: path: subjects[0].name value: "test-name-kube-mode" - equal: path: subjects[0].namespace value: "test-namespace" - it: should not render when runner mode is not kubernetes set: runner: mode: "dind" release: name: "test-name" namespace: "test-namespace" asserts: - hasDocuments: count: 0 - it: should not render when serviceAccountName is provided set: runner: mode: "kubernetes" kubernetesMode: default: true serviceAccountName: "custom-sa" release: name: "test-name" namespace: "test-namespace" asserts: - hasDocuments: count: 0 - it: should include global and resource labels set: runner: mode: "kubernetes" kubernetesMode: default: true serviceAccountName: "" resource: all: metadata: labels: global-team: "platform" kubernetesModeRoleBinding: metadata: labels: rb-team: "arc" release: name: "test-name" namespace: "test-namespace" asserts: - equal: path: metadata.labels["global-team"] value: "platform" - equal: path: metadata.labels["rb-team"] value: "arc" - equal: path: metadata.labels["app.kubernetes.io/component"] value: "kube-mode-role-binding" - it: should drop actions.github.com custom labels from config set: runner: mode: "kubernetes" kubernetesMode: default: true serviceAccountName: "" resource: all: metadata: labels: owner: "devops" actions.github.com/global-custom: "global-value" kubernetesModeRoleBinding: metadata: labels: actions.github.com/rb-custom: "rb-value" release: name: "test-name" namespace: "test-namespace" asserts: - equal: path: metadata.labels["owner"] value: "devops" - notExists: path: metadata.labels["actions.github.com/global-custom"] - notExists: path: metadata.labels["actions.github.com/rb-custom"] - it: should not allow overriding reserved labels set: runner: mode: "kubernetes" kubernetesMode: default: true serviceAccountName: "" resource: all: metadata: labels: helm.sh/chart: "bad" app.kubernetes.io/name: "bad" app.kubernetes.io/instance: "bad" app.kubernetes.io/component: "bad" actions.github.com/scale-set-name: "bad" actions.github.com/scale-set-namespace: "bad" release: name: "test-name" namespace: "test-namespace" chart: appVersion: "0.14.0" asserts: - equal: path: metadata.labels["helm.sh/chart"] value: "gha-rs-0.14.0" - equal: path: metadata.labels["app.kubernetes.io/name"] value: "test-name" - equal: path: metadata.labels["app.kubernetes.io/instance"] value: "test-name" - equal: path: metadata.labels["app.kubernetes.io/component"] value: "kube-mode-role-binding" - equal: path: metadata.labels["actions.github.com/scale-set-name"] value: "test-name" - equal: path: metadata.labels["actions.github.com/scale-set-namespace"] value: "test-namespace"