fix: proper construction of SA groups for tier lookup (opendatahub-io#136)

bartoszmajsak · SB159 · commit c30241aa443d · 2025-10-14T20:50:03.000-05:00
opendatahub-io#110 brought SA group construction so that they are not explictly required in the configmap. This PR fixes a stupid bug that this PR brought with better test coverage. Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
diff --git a/maas-api/internal/tier/mapper.go b/maas-api/internal/tier/mapper.go
@@ -109,7 +109,7 @@ func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 
 	for i := range tiers {
 		tier := &tiers[i]
-		tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccount:%s", m.projectedNsName(tier)))
+		tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccounts:%s", m.projectedNsName(tier)))
 	}
 
 	return tiers, nil
diff --git a/maas-api/internal/tier/mapper_test.go b/maas-api/internal/tier/mapper_test.go
@@ -41,10 +41,16 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 		},
 		{
 			name:         "inferred SA group - free tier",
-			groups:       []string{"system:serviceaccount:test-tenant-tier-free"},
+			groups:       []string{"system:serviceaccounts:test-tenant-tier-free"},
 			expectedTier: "free",
 			description:  "User belongs to only free tier group",
 		},
+		{
+			name:         "inferred SA group - premium tier",
+			groups:       []string{"system:serviceaccounts:test-tenant-tier-premium"},
+			expectedTier: "premium",
+			description:  "User belongs to only premium tier group",
+		},
 		{
 			name:         "single group - premium tier",
 			groups:       []string{"premium-users"},
@@ -87,6 +93,12 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 			expectedTier: "developer",
 			description:  "User belongs to both premium and developer - developer has higher level (15 > 10)",
 		},
+		{
+			name:         "multiple groups - service account groups",
+			groups:       []string{"system:serviceaccounts", "system:serviceaccounts:test-tenant-tier-premium", "system:authenticated"},
+			expectedTier: "premium",
+			description:  "User belongs to both premium and developer - developer has higher level (15 > 10)",
+		},
 		{
 			name:         "three groups - enterprise wins",
 			groups:       []string{"free-users", "premium-users", "enterprise-users"},

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {`
`109`	`109`
`110`	`110`	`for i := range tiers {`
`111`	`111`	`tier := &tiers[i]`
`112`		`- tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccount:%s", m.projectedNsName(tier)))`
	`112`	`+ tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccounts:%s", m.projectedNsName(tier)))`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`return tiers, nil`