Merge pull request #89 from pikasTech/fix/issue28-provider-secret-rbac
fix: 补齐 provider profile Secret RBAC
This commit is contained in:
@@ -358,6 +358,30 @@ roleRef:
|
|||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: Role
|
kind: Role
|
||||||
name: agentrun-v01-mgr-runner-job-controller
|
name: agentrun-v01-mgr-runner-job-controller
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: agentrun-v01-mgr-provider-secret-manager
|
||||||
|
namespace: ${namespace}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3"]
|
||||||
|
verbs: ["get", "patch", "update"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: agentrun-v01-mgr-provider-secret-manager
|
||||||
|
namespace: ${namespace}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: agentrun-v01-mgr
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: agentrun-v01-mgr-provider-secret-manager
|
||||||
`;
|
`;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -376,7 +400,7 @@ metadata:
|
|||||||
rules:
|
rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["secrets"]
|
resources: ["secrets"]
|
||||||
resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek"]
|
resourceNames: ["agentrun-v01-provider-codex", "agentrun-v01-provider-deepseek", "agentrun-v01-provider-minimax-m3"]
|
||||||
verbs: ["get"]
|
verbs: ["get"]
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
|||||||
@@ -10,6 +10,13 @@ import { assertNoSecretLeak, type SelfTestCase } from "../harness.js";
|
|||||||
const secretText = "sk-selftest-provider-profile-secret";
|
const secretText = "sk-selftest-provider-profile-secret";
|
||||||
|
|
||||||
const selfTest: SelfTestCase = async (context) => {
|
const selfTest: SelfTestCase = async (context) => {
|
||||||
|
const gitopsRenderer = await readFile(path.join(context.root, "scripts/src/gitops-render.ts"), "utf8");
|
||||||
|
assert.equal(gitopsRenderer.includes("agentrun-v01-mgr-provider-secret-manager"), true);
|
||||||
|
assert.equal(gitopsRenderer.includes('verbs: ["get", "patch", "update"]'), true);
|
||||||
|
for (const profile of ["codex", "deepseek", "minimax-m3"]) {
|
||||||
|
assert.equal(gitopsRenderer.includes(`agentrun-v01-provider-${profile}`), true);
|
||||||
|
}
|
||||||
|
|
||||||
const fakeKubectl = path.join(context.tmp, "fake-provider-kubectl.js");
|
const fakeKubectl = path.join(context.tmp, "fake-provider-kubectl.js");
|
||||||
const appliedManifestPath = path.join(context.tmp, "provider-secret-apply.json");
|
const appliedManifestPath = path.join(context.tmp, "provider-secret-apply.json");
|
||||||
const createdJobPath = path.join(context.tmp, "provider-validation-job.json");
|
const createdJobPath = path.join(context.tmp, "provider-validation-job.json");
|
||||||
@@ -102,7 +109,7 @@ process.exit(1);
|
|||||||
assert.equal(finalValidation.status, "completed");
|
assert.equal(finalValidation.status, "completed");
|
||||||
assert.equal(JSON.stringify(finalValidation).includes(secretText), false);
|
assert.equal(JSON.stringify(finalValidation).includes(secretText), false);
|
||||||
assertNoSecretLeak(finalValidation);
|
assertNoSecretLeak(finalValidation);
|
||||||
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-validation-runner-job"] };
|
return { name: "provider-profile-management", tests: ["provider-profiles-list-redacted", "provider-profile-set-key-redacted", "provider-profile-deepseek-moon-bridge", "provider-profile-manager-secret-rbac", "provider-profile-validation-runner-job"] };
|
||||||
} finally {
|
} finally {
|
||||||
await new Promise<void>((resolve) => server.server.close(() => resolve()));
|
await new Promise<void>((resolve) => server.server.close(() => resolve()));
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user