---
suite: rbac - presence
templates:
  - common.yaml
tests:
  - it: role and rolebinding can be configured are not created by default
    asserts:
      - not: true
        containsDocument:
          kind: Role
          apiVersion: rbac.authorization.k8s.io/v1
          any: true
      - not: true
        containsDocument:
          kind: RoleBinding
          apiVersion: rbac.authorization.k8s.io/v1
          any: true

  - it: role and rolebinding can be configured
    values:
      - ../_values/rbac_values.yaml
    asserts:
      - documentSelector:
          path: $[?(@.kind == "Role")].metadata.name
          value: release-name
        equal:
          path: rules[0].verbs
          value: ["get", "list"]
      - documentSelector:
          path: $[?(@.kind == "RoleBinding")].metadata.name
          value: release-name
        equal:
          path: subjects[0].name
          value: "release-name"

  - it: role and rolebinding can be disabled
    values:
      - ../_values/rbac_values.yaml
    set:
      rbac.roles.defaultRole:
        enabled: false
      rbac.bindings.defaultBinding:
        enabled: false
    asserts:
      - not: true
        containsDocument:
          kind: Role
          apiVersion: rbac.authorization.k8s.io/v1
          any: true
      - not: true
        containsDocument:
          kind: RoleBinding
          apiVersion: rbac.authorization.k8s.io/v1
          any: true

  - it: multiple role and rolebinding can be configured
    values:
      - ../_values/rbac_values.yaml
    set:
      rbac.roles.customRole:
        type: ClusterRole
        rules:
          - apiGroups: ["*"]
            resources: ["*"]
            verbs: ["get", "list", "watch"]
    asserts:
      - documentSelector:
          path: $[?(@.kind == "ClusterRole")].metadata.name
          value: release-name-customrole
        equal:
          path: rules[0].verbs
          value: ["get", "list", "watch"]