NSFS noobaa-endpoint SCC workaround (red-hat-storage#7647)

Signed-off-by: Sagi Hirshfeld <shirshfe@redhat.com>
OdedViner · Jul 26, 2023 · 16733df · 16733df
1 parent bda6535
commit 16733df
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 1 deletion.
diff --git a/ocs_ci/ocs/constants.py b/ocs_ci/ocs/constants.py
@@ -1443,6 +1443,10 @@
 NB_SERVICE_ACCOUNT_BASE = "system:serviceaccount:openshift-storage:{}"
 NOOBAA_SERVICE_ACCOUNT_NAME = "noobaa"
 NOOBAA_DB_SERVICE_ACCOUNT_NAME = "noobaa-db"
+NOOBAA_ENDPOINT_SERVICE_ACCOUNT_NAME = "noobaa-endpoint"
+NOOBAA_ENDPOINT_SERVICE_ACCOUNT = NB_SERVICE_ACCOUNT_BASE.format(
+    NOOBAA_ENDPOINT_SERVICE_ACCOUNT_NAME
+)
 NOOBAA_SERVICE_ACCOUNT = NB_SERVICE_ACCOUNT_BASE.format(NOOBAA_SERVICE_ACCOUNT_NAME)
 NOOBAA_DB_SERVICE_ACCOUNT = NB_SERVICE_ACCOUNT_BASE.format(
     NOOBAA_DB_SERVICE_ACCOUNT_NAME

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -5442,6 +5442,17 @@ def nsfs_bucket_factory_implementation(nsfs_obj):
             )[0]
         )
         wait_for_pods_to_be_running(pod_names=[nsfs_interface_pod.name])
+
+        # Wait for the nooba-endpoint pods to reset and mount the PVC
+        nb_endpoint_pods = [
+            Pod(**pod_dict)
+            for pod_dict in get_pods_having_label(
+                constants.NOOBAA_ENDPOINT_POD_LABEL,
+                config.ENV_DATA["cluster_namespace"],
+            )
+        ]
+        wait_for_pods_to_be_running(pod_names=[pod.name for pod in nb_endpoint_pods])
+
         # Apply the necessary permissions on the filesystem
         nsfs_interface_pod.exec_cmd_on_pod(f"chmod -R 777 {nsfs_obj.mount_path}")
         nsfs_interface_pod.exec_cmd_on_pod(f"groupadd -g {nsfs_obj.gid} nsfs-group")
@@ -5541,6 +5552,93 @@ def nsfs_bucket_factory_cleanup():
     return nsfs_bucket_factory_implementation
 
 
+@pytest.fixture(scope="class")
+def revert_noobaa_endpoint_scc_class(request):
+    """
+    This fixture reverts the noobaa-endpoint SCC back to the way it was before ODF 4.12.
+    See https://url.corp.redhat.com/b92fd1d for details.
+
+    """
+    return revert_noobaa_endpoint_scc_fixture(request)
+
+
+def revert_noobaa_endpoint_scc_fixture(request):
+    """
+    This fixture reverts the noobaa-endpoint SCC back to the way it was before ODF 4.12.
+    See https://url.corp.redhat.com/b92fd1d for details.
+
+    """
+
+    ocp_scc = ocp.OCP(
+        kind=constants.SCC, namespace=config.ENV_DATA["cluster_namespace"]
+    )
+    nb_endpoint_scc_name = constants.NOOBAA_ENDPOINT_SERVICE_ACCOUNT_NAME
+    nb_endpoint_sa = constants.NOOBAA_ENDPOINT_SERVICE_ACCOUNT
+
+    # Abort if the noobaa-endpoint SCC has already been modified
+    scc_dict = ocp_scc.get(resource_name=nb_endpoint_scc_name)
+    if scc_dict["seLinuxContext"]["type"] == "MustRunAs" or scc_dict["users"]:
+        return
+
+    def revert_endpoint_scc_implementation():
+        """
+        1. Modify the noobaa-endpoint scc via oc patch
+        2. Verify that the changes were not reconciled
+
+        """
+        # Modify the noobaa-endpoint SCC
+        json_payload = [
+            {"op": "replace", "path": "/seLinuxContext/type", "value": "MustRunAs"},
+            {"op": "add", "path": "/users/0", "value": f"{nb_endpoint_sa}"},
+        ]
+
+        ocp_scc.patch(
+            resource_name=nb_endpoint_scc_name,
+            params=json_payload,
+            format_type="json",
+        )
+
+        # Verify the changes
+        scc_dict = ocp_scc.get(resource_name=nb_endpoint_scc_name)
+        assert (
+            scc_dict["seLinuxContext"]["type"] == "MustRunAs"
+        ), "Failed to modify the noobaa-db SCC seLinuxContext type"
+        assert (
+            constants.NOOBAA_ENDPOINT_SERVICE_ACCOUNT in scc_dict["users"]
+        ), "The noobaa-endpoint SA wasn't added to the noobaa-endpoint SCC"
+
+    def finalizer():
+        """
+        1. Restore the noobaa-endpoint SCC back to its default values
+        2. Verify that the changes were not reconciled
+
+        """
+
+        # Restore the noobaa-endpoint SCC back to it's default state
+        json_payload = [
+            {"op": "replace", "path": "/seLinuxContext/type", "value": "RunAsAny"},
+            {"op": "remove", "path": "/users/0", "value": f"{nb_endpoint_sa}"},
+        ]
+
+        ocp_scc.patch(
+            resource_name=nb_endpoint_scc_name,
+            params=json_payload,
+            format_type="json",
+        )
+
+        # Verify the changes
+        scc_dict = ocp_scc.get(resource_name=nb_endpoint_scc_name)
+        assert (
+            scc_dict["seLinuxContext"]["type"] == "RunAsAny"
+        ), "Failed to restore the default noobaa-endpoint SCC seLinuxContext type"
+        assert (
+            constants.NOOBAA_ENDPOINT_SERVICE_ACCOUNT not in scc_dict["users"]
+        ), "Failed to restore the default noobaa-endpoint SA status"
+
+    request.addfinalizer(finalizer)
+    revert_endpoint_scc_implementation()
+
+
 @pytest.fixture(scope="session", autouse=True)
 def patch_consumer_toolbox_with_secret():
     """

diff --git a/tests/manage/mcg/test_nsfs.py b/tests/manage/mcg/test_nsfs.py
@@ -1,5 +1,4 @@
 import logging
-
 import pytest
 
 from ocs_ci.framework.testlib import MCGTest, tier1, tier3
@@ -15,13 +14,15 @@
 
 from ocs_ci.ocs.resources.mcg_params import NSFS
 from ocs_ci.utility.retry import retry
+from tests.conftest import revert_noobaa_endpoint_scc_class
 
 logger = logging.getLogger(__name__)
 
 
 @skipif_mcg_only
 @skipif_ocs_version("<4.10")
 @ignore_leftover_label(constants.NOOBAA_ENDPOINT_POD_LABEL)
+@pytest.mark.usefixtures(revert_noobaa_endpoint_scc_class.__name__)
 class TestNSFSObjectIntegrity(MCGTest):
     """
     Test the integrity of IO operations on NSFS buckets