Merge pull request #76 from shruthis4/sparkApplicationRBAC

Add OpenShift RBAC checks and smoke tests; update cluster role permis…

Author: alimaredia

.github/workflows/scheduledspark-smoke.yaml

@@ -0,0 +1,52 @@
+name: ScheduledSpark Smoke
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'examples/openshift/**'
+      - 'config/**'
+      - '.github/workflows/scheduledspark-smoke.yaml'
+  pull_request:
+    paths:
+      - 'examples/openshift/**'
+      - 'config/**'
+      - '.github/workflows/scheduledspark-smoke.yaml'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  smoke:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Kind cluster
+        uses: ./.github/actions/kind-cluster-setup
+
+      - name: Install oc
+        uses: redhat-actions/oc-installer@35b60c3f9757ae4301521556e1b75ff6f59f8d7c
+        with:
+          oc_version: 'latest'
+
+      - name: Install Spark Operator (keep installed)
+        run: CLEANUP=false make -C examples/openshift operator-install
+
+      - name: RBAC preflight
+        env:
+          NAMESPACE: spark-operator
+          CONTROLLER_SA: spark-operator-controller
+        run: make -C examples/openshift scheduledspark-rbac-check
+
+      - name: ScheduledSparkApplication smoke
+        env:
+          NAMESPACE: spark-operator
+          SCHED_NAME: rbac-scheduled-smoke
+          TIMEOUT_SECONDS: "180"
+        run: make -C examples/openshift scheduledspark-smoke
+

config/rbac/clusterrole.yaml

@@ -40,6 +40,9 @@ rules:
 - apiGroups: [sparkoperator.k8s.io]
   resources: [scheduledsparkapplications]
   verbs: [get, list, watch]
+- apiGroups: [sparkoperator.k8s.io]
+  resources: [scheduledsparkapplications/finalizers]
+  verbs: [update, patch]
 - apiGroups: [sparkoperator.k8s.io]
   resources: [sparkconnects]
   verbs: [get, list, watch]

examples/openshift/Makefile

@@ -17,6 +17,10 @@ export PATH := $(LOCALBIN):$(PATH)
 # Configuration
 KIND_CLUSTER_NAME ?= spark-operator
 CLEANUP ?= true
+NAMESPACE ?= spark-operator
+CONTROLLER_SA ?= spark-operator-controller
+SCHED_NAME ?= rbac-scheduled-smoke
+TIMEOUT_SECONDS ?= 180
 
 ##@ General
 
@@ -84,11 +88,32 @@ e2e-kustomize-test: ## Run Go e2e tests using Kustomize manifests for operator i
 	@echo "Running Go e2e tests with Kustomize installation..."
 	cd $(REPO_ROOT) && INSTALL_METHOD=kustomize go test ./examples/openshift/tests/e2e/ -v -ginkgo.v -timeout 30m
 
+.PHONY: scheduledspark-rbac-check
+scheduledspark-rbac-check: ## RBAC preflight for ScheduledSparkApplication.
+	@echo "Running RBAC preflight for ScheduledSparkApplication..."
+	chmod +x $(TESTS_DIR)/check-scheduledspark-rbac.sh
+	NAMESPACE=$(NAMESPACE) CONTROLLER_SA=$(CONTROLLER_SA) \
+		$(TESTS_DIR)/check-scheduledspark-rbac.sh
+
+.PHONY: scheduledspark-smoke
+scheduledspark-smoke: ## ScheduledSparkApplication smoke test.
+	@echo "Running ScheduledSparkApplication smoke test..."
+	chmod +x $(TESTS_DIR)/test-scheduledspark-smoke.sh
+	NAMESPACE=$(NAMESPACE) SCHED_NAME=$(SCHED_NAME) TIMEOUT_SECONDS=$(TIMEOUT_SECONDS) \
+		$(TESTS_DIR)/test-scheduledspark-smoke.sh
+
+.PHONY: scheduledspark-verify
+scheduledspark-verify: ## RBAC + ScheduledSparkApplication combined verification.
+	$(MAKE) scheduledspark-rbac-check
+	$(MAKE) scheduledspark-smoke
+
 .PHONY: test-all
-test-all: ## Run all tests (operator-install, spark-pi, docling).
+test-all: ## Run all tests (operator-install, spark-pi, docling, scheduledspark).
 	@echo "Running all OpenShift/KIND tests..."
 	$(MAKE) operator-install CLEANUP=false
 	$(MAKE) test-spark-pi CLEANUP=false
+	$(MAKE) test-docling-spark CLEANUP=false
+	$(MAKE) scheduledspark-verify CLEANUP=false
 	$(MAKE) test-docling-spark
 
 ##@ Image Build/Load (CI and local)

examples/openshift/tests/check-scheduledspark-rbac.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# RBAC preflight for ScheduledSparkApplication
+# Env (override as needed):
+#   NAMESPACE (default: redhat-ods-applications)
+#   CONTROLLER_SA (default: spark-operator-controller)
+
+NAMESPACE="${NAMESPACE:-redhat-ods-applications}"
+CONTROLLER_SA="${CONTROLLER_SA:-spark-operator-controller}"
+
+fail() { echo "ERROR: $*" >&2; exit 1; }
+
+check() {
+  local verb="$1" res="$2" sub="${3:-}"
+  local cmd=(oc auth can-i "$verb" "$res" --as="system:serviceaccount:${NAMESPACE}:${CONTROLLER_SA}" -n "$NAMESPACE")
+  [[ -n "$sub" ]] && cmd+=(--subresource="$sub")
+  local out; out="$("${cmd[@]}")"
+  echo "can-i $verb $res${sub:+/$sub} => $out"
+  [[ "$out" == "yes" ]] || fail "Missing RBAC: $verb $res${sub:+/$sub}"
+}
+
+echo "RBAC preflight for $NAMESPACE/$CONTROLLER_SA"
+check update scheduledsparkapplications finalizers
+check patch  scheduledsparkapplications finalizers
+check create sparkapplications
+check update sparkapplications status
+echo "RBAC OK"
+

examples/openshift/tests/manifests/scheduledspark-smoke-app.yaml

@@ -0,0 +1,24 @@
+apiVersion: sparkoperator.k8s.io/v1beta2
+kind: ScheduledSparkApplication
+metadata:
+  name: ${SCHED_NAME}
+  namespace: ${NAMESPACE}
+spec:
+  schedule: "@every 1m"
+  timeZone: "UTC"
+  concurrencyPolicy: Forbid
+  successfulRunHistoryLimit: 1
+  failedRunHistoryLimit: 1
+  template:
+    type: Scala
+    mode: cluster
+    image: ${SPARK_IMAGE}
+    imagePullPolicy: IfNotPresent
+    mainClass: org.apache.spark.examples.SparkPi
+    mainApplicationFile: local:///opt/spark/examples/jars/spark-examples_2.12-3.5.7.jar
+    arguments: ["10"]
+    sparkVersion: "3.5.7"
+    restartPolicy: { type: Never }
+    driver: { cores: 1, memory: "512m", serviceAccount: spark-operator-spark, securityContext: {} }
+    executor: { cores: 1, instances: 1, memory: "512m", securityContext: {} }
+

…amples/openshift/tests/spark-pi-app.yaml …nshift/tests/manifests/spark-pi-app.yamlexamples/openshift/tests/spark-pi-app.yaml renamed to examples/openshift/tests/manifests/spark-pi-app.yaml examples/openshift/tests/spark-pi-app.yaml renamed to examples/openshift/tests/manifests/spark-pi-app.yaml

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ScheduledSparkApplication smoke test (no RBAC checks here)
+# Env (override as needed):
+#   NAMESPACE (default: redhat-ods-applications)
+#   SCHED_NAME (default: rbac-scheduled-smoke)
+#   TIMEOUT_SECONDS (default: 180)
+#   SPARK_IMAGE (default: quay.io/ssankepe/spark-openshift:3.5.7)
+#   APP_YAML (default: script_dir/manifests/scheduledspark-smoke-app.yaml)
+
+NAMESPACE="${NAMESPACE:-redhat-ods-applications}"
+SCHED_NAME="${SCHED_NAME:-rbac-scheduled-smoke}"
+TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-180}"
+SPARK_IMAGE="${SPARK_IMAGE:-quay.io/ssankepe/spark-openshift:3.5.7}"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+APP_YAML="${APP_YAML:-$SCRIPT_DIR/manifests/scheduledspark-smoke-app.yaml}"
+
+apply_sched() {
+  if [[ ! -f "$APP_YAML" ]]; then
+    echo "ScheduledSparkApplication YAML not found: $APP_YAML" >&2
+    exit 1
+  fi
+  export NAMESPACE SCHED_NAME SPARK_IMAGE
+  envsubst < "$APP_YAML" | oc apply -f -
+}
+
+cleanup() {
+  oc delete scheduledsparkapplication "${SCHED_NAME}" -n "${NAMESPACE}" --ignore-not-found || true
+}
+trap cleanup EXIT
+
+echo "Apply ScheduledSparkApplication ${SCHED_NAME}"
+# Ensure we always test a fresh object, not stale status from a prior run.
+oc delete scheduledsparkapplication "${SCHED_NAME}" -n "${NAMESPACE}" --ignore-not-found || true
+apply_sched
+
+echo "Wait for child SparkApplication (<= ${TIMEOUT_SECONDS}s)"
+start=$(date +%s)
+while true; do
+  child="$(oc get scheduledsparkapplication "${SCHED_NAME}" -n "${NAMESPACE}" \
+    -o jsonpath='{.status.lastRunName}' 2>/dev/null || true)"
+  if [[ -n "$child" ]]; then
+    if oc get sparkapplication "$child" -n "${NAMESPACE}" >/dev/null 2>&1; then
+      echo "Spawned: $child"
+      break
+    fi
+  fi
+  (( $(date +%s) - start > TIMEOUT_SECONDS )) && {
+    echo "Timed out after ${TIMEOUT_SECONDS}s"
+    oc describe scheduledsparkapplication "${SCHED_NAME}" -n "${NAMESPACE}" || true
+    oc logs deploy/spark-operator-controller -n "${NAMESPACE}" --since=5m || true
+    exit 1
+  }
+  sleep 5
+done
+
+oc get scheduledsparkapplication "${SCHED_NAME}" -n "${NAMESPACE}" \
+  -o jsonpath='{.status.lastRun}{" "}{.status.lastRunName}{" "}{.status.scheduleState}{"\n"}' || true
+oc get sparkapplication "$child" -n "${NAMESPACE}" -o wide || true
+echo "Smoke test succeeded"
+

examples/openshift/tests/test-scheduledspark-smoke.sh

@@ -106,7 +106,7 @@ echo "  Image:     $SPARK_IMAGE"
 kubectl delete sparkapplication "$APP_NAME" -n "$APP_NAMESPACE" --ignore-not-found 2>/dev/null || true
 
 # Apply the SparkApplication from YAML file (using envsubst for variable substitution)
-APP_YAML="${APP_YAML:-$SCRIPT_DIR/spark-pi-app.yaml}"
+APP_YAML="${APP_YAML:-$SCRIPT_DIR/manifests/spark-pi-app.yaml}"
 if [ ! -f "$APP_YAML" ]; then
     fail "SparkApplication YAML not found: $APP_YAML"
 fi