---
suite: rbac - validations
templates:
  - common.yaml
values:
  - ../_values/rbac_values.yaml
tests:
  - it: role type must be valid
    set:
      rbac:
        roles:
          invalidRole:
            type: InvalidRole
            rules: {}
    asserts:
      - failedTemplate:
          errorPattern: "values don't meet the specifications of the schema"

  - it: rolebinding type must be valid
    set:
      rbac:
        bindings:
          invalidRole:
            type: InvalidRole
    asserts:
      - failedTemplate:
          errorPattern: "values don't meet the specifications of the schema"

  - it: role rules can't be empty
    set:
      rbac:
        roles:
          invalidRole:
            type: Role
            rules: []
    asserts:
      - failedTemplate:
          errorMessage: "Rules can't be empty"

  - it: roleBinding requires roleRef
    set:
      rbac:
        bindings:
          invalidBinding:
            type: RoleBinding
            roleRef: {}
    asserts:
      - failedTemplate:
          errorPattern: "values don't meet the specifications of the schema"

  - it: serviceAccount reference to non-existing serviceAccount should fail
    set:
      rbac.bindings.defaultBinding.subjects:
        - identifier: main
    asserts:
      - failedTemplate:
          errorMessage: "No enabled ServiceAccount found with this identifier. (rolebinding: 'defaultBinding', identifier: 'main')"