opendatahub-tests/tests/model_explainability/evalhub/conftest.py at 04a3b59d03193fd2653a334bb2e62b43f53fbf84 · ruivieira/opendatahub-tests · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
import shlex
from collections.abc import Generator
from typing import Any

import pytest
from kubernetes.dynamic import DynamicClient
from ocp_resources.deployment import Deployment
from ocp_resources.namespace import Namespace
from ocp_resources.role_binding import RoleBinding
from ocp_resources.route import Route
from ocp_resources.service_account import ServiceAccount
from pyhelper_utils.shell import run_command
from simple_logger.logger import get_logger

from tests.model_explainability.evalhub.constants import EVALHUB_PROVIDERS_ACCESS_CLUSTER_ROLE
from utilities.certificates_utils import create_ca_bundle_file
from utilities.constants import Timeout
from utilities.resources.evalhub import EvalHub

LOGGER = get_logger(name=__name__)


@pytest.fixture(scope="class")
def evalhub_cr(
    admin_client: DynamicClient,
    model_namespace: Namespace,
) -> Generator[EvalHub, Any, Any]:
    """Create an EvalHub custom resource and wait for it to be ready."""
    with EvalHub(
        client=admin_client,
        name="evalhub",
        namespace=model_namespace.name,
        wait_for_resource=True,
    ) as evalhub:
        yield evalhub


@pytest.fixture(scope="class")
def evalhub_deployment(
    admin_client: DynamicClient,
    model_namespace: Namespace,
    evalhub_cr: EvalHub,
) -> Deployment:
    """Wait for the EvalHub deployment to become available."""
    deployment = Deployment(
        client=admin_client,
        name=evalhub_cr.name,
        namespace=model_namespace.name,
    )
    deployment.wait_for_replicas(timeout=Timeout.TIMEOUT_5MIN)
    return deployment


@pytest.fixture(scope="class")
def evalhub_route(
    admin_client: DynamicClient,
    model_namespace: Namespace,
    evalhub_deployment: Deployment,
) -> Route:
    """Get the Route created by the operator for the EvalHub service."""
    return Route(
        client=admin_client,
        name=evalhub_deployment.name,
        namespace=model_namespace.name,
        ensure_exists=True,
    )


@pytest.fixture(scope="class")
def evalhub_ca_bundle_file(
    admin_client: DynamicClient,
) -> str:
    """Create a CA bundle file for verifying the EvalHub route TLS certificate."""
    return create_ca_bundle_file(client=admin_client)


@pytest.fixture(scope="class")
def evalhub_scoped_sa(
    admin_client: DynamicClient,
    model_namespace: Namespace,
    evalhub_deployment: Deployment,
) -> Generator[ServiceAccount, Any, Any]:
    """ServiceAccount with providers access in the test namespace."""
    with ServiceAccount(
        client=admin_client,
        name="evalhub-test-user",
        namespace=model_namespace.name,
    ) as sa:
        yield sa


@pytest.fixture(scope="class")
def evalhub_providers_role_binding(
    admin_client: DynamicClient,
    model_namespace: Namespace,
    evalhub_scoped_sa: ServiceAccount,
) -> Generator[RoleBinding, Any, Any]:
    """RoleBinding granting the scoped SA providers access via the ClusterRole."""
    with RoleBinding(
        client=admin_client,
        name="evalhub-test-providers-access",
        namespace=model_namespace.name,
        role_ref_kind="ClusterRole",
        role_ref_name=EVALHUB_PROVIDERS_ACCESS_CLUSTER_ROLE,
        subjects_kind="ServiceAccount",
        subjects_name=evalhub_scoped_sa.name,
    ) as rb:
        yield rb


@pytest.fixture(scope="class")
def evalhub_scoped_token(
    evalhub_scoped_sa: ServiceAccount,
    model_namespace: Namespace,
) -> str:
    """Short-lived token for the scoped ServiceAccount."""
    return run_command(
        shlex.split(f"oc create token -n {model_namespace.name} {evalhub_scoped_sa.name} --duration=30m")
    )[1].strip()


@pytest.fixture(scope="class")
def evalhub_unauthorised_sa(
    admin_client: DynamicClient,
    model_namespace: Namespace,
    evalhub_deployment: Deployment,
) -> Generator[ServiceAccount, Any, Any]:
    """ServiceAccount without any EvalHub RBAC in the test namespace."""
    with ServiceAccount(
        client=admin_client,
        name="evalhub-no-access-user",
        namespace=model_namespace.name,
    ) as sa:
        yield sa


@pytest.fixture(scope="class")
def evalhub_unauthorised_token(
    evalhub_unauthorised_sa: ServiceAccount,
    model_namespace: Namespace,
) -> str:
    """Short-lived token for the unauthorised ServiceAccount."""
    return run_command(
        shlex.split(f"oc create token -n {model_namespace.name} {evalhub_unauthorised_sa.name} --duration=30m")
    )[1].strip()