From a3c3a69bbfc608ec1f21df34d7d12f1557b8bdca Mon Sep 17 00:00:00 2001
From: Mike Graves <mgraves@redhat.com>
Date: Fri, 2 May 2025 04:30:38 -0400
Subject: [PATCH] Update tests for newer version of openshift (#254)

* Update tests for newer version of openshift

More recent versions of ocp no longer automatically create tokens for
service accounts. This updates the tests to manually create the tokens.

* Update nginx template version

The old image was EOL and the deployment was failing to deploy.

* Fix nginx version for all tasks

* Add missing var
---
 molecule/default/files/nginx.env              |  1 +
 .../openshift_adm_prune_auth_clusterroles.yml | 34 ++++++++-----------
 .../tasks/openshift_adm_prune_auth_roles.yml  | 32 +++++++----------
 molecule/default/tasks/openshift_process.yml  |  4 +++
 molecule/default/verify.yml                   |  1 +
 tests/sanity/ignore-2.18.txt                  |  3 ++
 tests/sanity/ignore-2.19.txt                  |  3 ++
 7 files changed, 39 insertions(+), 39 deletions(-)
 create mode 100644 tests/sanity/ignore-2.18.txt
 create mode 100644 tests/sanity/ignore-2.19.txt

diff --git a/molecule/default/files/nginx.env b/molecule/default/files/nginx.env
index 939ad0d..e6bcb3a 100644
--- a/molecule/default/files/nginx.env
+++ b/molecule/default/files/nginx.env
@@ -1,6 +1,7 @@
 # Want to make sure comments don't break it
 export NAME=test123
 NAMESPACE=openshift
+NGINX_VERSION=1.22-ubi8
 
 
 
diff --git a/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml b/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml
index bac18bf..e46ec40 100644
--- a/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml
+++ b/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml
@@ -3,6 +3,7 @@
     - set_fact:
         test_sa: "clusterrole-sa"
         test_ns: "clusterrole-ns"
+        test_tn: "clusterrole-tn"
 
     - name: Ensure namespace
       kubernetes.core.k8s:
@@ -26,34 +27,27 @@
             name: "{{ test_sa }}"
             namespace: "{{ test_ns }}"
 
-    - name: Read Service Account
-      kubernetes.core.k8s_info:
-        kind: ServiceAccount
-        namespace: "{{ test_ns }}"
-        name: "{{ test_sa }}"
-      register: result
-
-    - set_fact:
-        secret_token: "{{ result.resources[0]['secrets'][0]['name'] }}"
+    - name: Create SA token
+      kubernetes.core.k8s:
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "{{ test_tn }}"
+            namespace: "{{ test_ns }}"
+            annotations:
+              kubernetes.io/service-account.name: "{{ test_sa }}"
+          type: kubernetes.io/service-account-token
 
     - name: Get secret details
       kubernetes.core.k8s_info:
         kind: Secret
-        namespace: '{{ test_ns }}'
-        name: '{{ secret_token }}'
+        namespace: "{{ test_ns }}"
+        name: "{{ test_tn }}"
       register: _secret
-      retries: 10
-      delay: 10
-      until:
-        - ("'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']") or ("'token' in _secret.resources[0]['data']")
-
-    - set_fact:
-        api_token: "{{ _secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}"
-      when: "'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']"
 
     - set_fact:
         api_token: "{{ _secret.resources[0]['data']['token'] | b64decode }}"
-      when: "'token' in _secret.resources[0]['data']"
 
     - name: list Node should failed (forbidden user)
       kubernetes.core.k8s_info:
diff --git a/molecule/default/tasks/openshift_adm_prune_auth_roles.yml b/molecule/default/tasks/openshift_adm_prune_auth_roles.yml
index 652c423..c9913f1 100644
--- a/molecule/default/tasks/openshift_adm_prune_auth_roles.yml
+++ b/molecule/default/tasks/openshift_adm_prune_auth_roles.yml
@@ -4,6 +4,7 @@
         test_ns: "prune-roles"
         sa_name: "roles-sa"
         pod_name: "pod-prune"
+        tn_name: "roles-sa-token"
         role_definition:
           - name: pod-list
             labels:
@@ -50,34 +51,27 @@
             name: '{{ sa_name }}'
             namespace: '{{ test_ns }}'
 
-    - name: Read Service Account
-      kubernetes.core.k8s_info:
-        kind: ServiceAccount
-        namespace: '{{ test_ns }}'
-        name: '{{ sa_name }}'
-      register: sa_out
-
-    - set_fact:
-        secret_token: "{{ sa_out.resources[0]['secrets'][0]['name'] }}"
+    - name: Create SA secret
+      kubernetes.core.k8s:
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "{{ tn_name }}"
+            namespace: "{{ test_ns }}"
+            annotations:
+              kubernetes.io/service-account.name: "{{ sa_name }}"
+          type: kubernetes.io/service-account-token
 
     - name: Get secret details
       kubernetes.core.k8s_info:
         kind: Secret
         namespace: '{{ test_ns }}'
-        name: '{{ secret_token }}'
+        name: '{{ tn_name }}'
       register: r_secret
-      retries: 10
-      delay: 10
-      until:
-        - ("'openshift.io/token-secret.value' in r_secret.resources[0]['metadata']['annotations']") or ("'token' in r_secret.resources[0]['data']")
-
-    - set_fact:
-        api_token: "{{ r_secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}"
-      when: "'openshift.io/token-secret.value' in r_secret.resources[0]['metadata']['annotations']"
 
     - set_fact:
         api_token: "{{ r_secret.resources[0]['data']['token'] | b64decode }}"
-      when: "'token' in r_secret.resources[0]['data']"
 
     - name: list resources using service account
       kubernetes.core.k8s_info:
diff --git a/molecule/default/tasks/openshift_process.yml b/molecule/default/tasks/openshift_process.yml
index 4341bf2..feb1208 100644
--- a/molecule/default/tasks/openshift_process.yml
+++ b/molecule/default/tasks/openshift_process.yml
@@ -7,6 +7,7 @@
     parameters:
       NAMESPACE: openshift
       NAME: test123
+      NGINX_VERSION: "{{ nginx_version }}"
   register: result
 
 - name: Create the rendered resources
@@ -32,6 +33,7 @@
     parameters:
       NAMESPACE: openshift
       NAME: test123
+      NGINX_VERSION: "{{ nginx_version }}"
     state: present
     namespace_target: process-test
   register: result
@@ -44,6 +46,7 @@
       NAMESPACE: openshift
       NAME: test123
       MEMORY_LIMIT: 1Gi
+      NGINX_VERSION: "{{ nginx_version }}"
     state: present
     namespace_target: process-test
   register: result
@@ -55,6 +58,7 @@
     parameters:
       NAMESPACE: openshift
       NAME: test123
+      NGINX_VERSION: "{{ nginx_version }}"
     state: absent
     namespace_target: process-test
   register: result
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index b787062..f714183 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -77,6 +77,7 @@
         - import_tasks: tasks/openshift_process.yml
           vars:
             files_dir: '{{ playbook_dir }}/files'
+            nginx_version: 1.22-ubi8
       always:
         - name: Delete namespace
           community.okd.k8s:
diff --git a/tests/sanity/ignore-2.18.txt b/tests/sanity/ignore-2.18.txt
new file mode 100644
index 0000000..2fd2bdc
--- /dev/null
+++ b/tests/sanity/ignore-2.18.txt
@@ -0,0 +1,3 @@
+plugins/modules/k8s.py validate-modules:parameter-type-not-in-doc
+plugins/modules/k8s.py validate-modules:return-syntax-error
+plugins/modules/openshift_process.py validate-modules:parameter-type-not-in-doc
\ No newline at end of file
diff --git a/tests/sanity/ignore-2.19.txt b/tests/sanity/ignore-2.19.txt
new file mode 100644
index 0000000..2fd2bdc
--- /dev/null
+++ b/tests/sanity/ignore-2.19.txt
@@ -0,0 +1,3 @@
+plugins/modules/k8s.py validate-modules:parameter-type-not-in-doc
+plugins/modules/k8s.py validate-modules:return-syntax-error
+plugins/modules/openshift_process.py validate-modules:parameter-type-not-in-doc
\ No newline at end of file