Support creating ConfigMaps in acceptance tests

Also namespaces, since we want the ConfigMap in a particular
namespace. An RBAC is created also so the ConfigMap is readable by
every service account.

This will be used in the acceptance test added in an upcoming
commit.

Ref: https://issues.redhat.com/browse/EC-1695
Co-authored-by: Claude Code <noreply@anthropic.com>

Author: simonbaird

acceptance/kubernetes/kind/kubernetes.go

@@ -32,6 +32,8 @@ import (
 	pipeline "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	tekton "github.com/tektoncd/pipeline/pkg/client/clientset/versioned/typed/pipeline/v1"
 	v1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -189,6 +191,137 @@ func (k *kindCluster) CreateNamedSnapshot(ctx context.Context, name string, spec
 	return k.createSnapshot(ctx, snapshot)
 }
 
+// CreateConfigMap creates a ConfigMap with the given name and namespace with the provided content
+// Also creates necessary RBAC permissions for cross-namespace access
+func (k *kindCluster) CreateConfigMap(ctx context.Context, name, namespace, content string) error {
+	var data map[string]string
+
+	// Parse JSON content and extract individual fields as ConfigMap data keys
+	if strings.HasPrefix(strings.TrimSpace(content), "{") {
+		// Parse JSON content
+		var jsonData map[string]interface{}
+		if err := json.Unmarshal([]byte(content), &jsonData); err != nil {
+			return fmt.Errorf("failed to parse JSON content: %w", err)
+		}
+
+		// Convert to string map for ConfigMap data
+		data = make(map[string]string)
+		for key, value := range jsonData {
+			if value != nil {
+				data[key] = fmt.Sprintf("%v", value)
+			}
+		}
+	} else {
+		// For non-JSON content, store as-is under a single key
+		data = map[string]string{
+			"content": content,
+		}
+	}
+
+	configMap := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: data,
+	}
+
+	// Create the ConfigMap (or update if it already exists)
+	if _, err := k.client.CoreV1().ConfigMaps(namespace).Create(ctx, configMap, metav1.CreateOptions{}); err != nil {
+		if apierrors.IsAlreadyExists(err) {
+			// ConfigMap exists, so get the existing one to retrieve its ResourceVersion
+			existing, err := k.client.CoreV1().ConfigMaps(namespace).Get(ctx, name, metav1.GetOptions{})
+			if err != nil {
+				return fmt.Errorf("failed to get existing ConfigMap: %w", err)
+			}
+			// Set the ResourceVersion from the existing ConfigMap
+			configMap.ResourceVersion = existing.ResourceVersion
+			// Now update with the proper ResourceVersion
+			if _, err := k.client.CoreV1().ConfigMaps(namespace).Update(ctx, configMap, metav1.UpdateOptions{}); err != nil {
+				return fmt.Errorf("failed to update existing ConfigMap: %w", err)
+			}
+		} else {
+			return err
+		}
+	}
+
+	// Create RBAC permissions for cross-namespace ConfigMap access
+	// This allows any service account to read ConfigMaps from any namespace
+	if err := k.ensureConfigMapRBAC(ctx); err != nil {
+		return fmt.Errorf("failed to create RBAC permissions: %w", err)
+	}
+
+	return nil
+}
+
+// ensureConfigMapRBAC creates necessary RBAC permissions for ConfigMap access across namespaces
+func (k *kindCluster) ensureConfigMapRBAC(ctx context.Context) error {
+	// Create ClusterRole for ConfigMap reading (idempotent)
+	clusterRole := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "acceptance-configmap-reader",
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"configmaps"},
+				Verbs:     []string{"get", "list"},
+			},
+		},
+	}
+
+	if _, err := k.client.RbacV1().ClusterRoles().Create(ctx, clusterRole, metav1.CreateOptions{}); err != nil {
+		// Ignore error if ClusterRole already exists
+		if !strings.Contains(err.Error(), "already exists") {
+			return fmt.Errorf("failed to create ClusterRole: %w", err)
+		}
+	}
+
+	// Create ClusterRoleBinding for all service accounts (idempotent)
+	clusterRoleBinding := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "acceptance-configmap-reader-binding",
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "acceptance-configmap-reader",
+		},
+		Subjects: []rbacv1.Subject{
+			{
+				Kind:     "Group",
+				Name:     "system:serviceaccounts",
+				APIGroup: "rbac.authorization.k8s.io",
+			},
+		},
+	}
+
+	if _, err := k.client.RbacV1().ClusterRoleBindings().Create(ctx, clusterRoleBinding, metav1.CreateOptions{}); err != nil {
+		// Ignore error if ClusterRoleBinding already exists
+		if !strings.Contains(err.Error(), "already exists") {
+			return fmt.Errorf("failed to create ClusterRoleBinding: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// CreateNamedNamespace creates a namespace with the specified name
+func (k *kindCluster) CreateNamedNamespace(ctx context.Context, name string) error {
+	_, err := k.client.CoreV1().Namespaces().Create(ctx, &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+	}, metav1.CreateOptions{})
+
+	// Ignore error if namespace already exists
+	if err != nil && strings.Contains(err.Error(), "already exists") {
+		return nil
+	}
+
+	return err
+}
+
 // CreateNamespace creates a randomly-named namespace for the test to execute in
 // and stores it in the test context
 func (k *kindCluster) CreateNamespace(ctx context.Context) (context.Context, error) {

acceptance/kubernetes/kubernetes.go

@@ -174,6 +174,26 @@ func createNamedSnapshot(ctx context.Context, name string, specification *godog.
 	return c.cluster.CreateNamedSnapshot(ctx, name, specification.Content)
 }
 
+func createConfigMap(ctx context.Context, name, namespace string, content *godog.DocString) error {
+	c := testenv.FetchState[ClusterState](ctx)
+
+	if err := mustBeUp(ctx, *c); err != nil {
+		return err
+	}
+
+	return c.cluster.CreateConfigMap(ctx, name, namespace, content.Content)
+}
+
+func createNamedNamespace(ctx context.Context, name string) error {
+	c := testenv.FetchState[ClusterState](ctx)
+
+	if err := mustBeUp(ctx, *c); err != nil {
+		return err
+	}
+
+	return c.cluster.CreateNamedNamespace(ctx, name)
+}
+
 func createNamedSnapshotWithManyComponents(ctx context.Context, name string, amount int, key string) (context.Context, error) {
 	c := testenv.FetchState[ClusterState](ctx)
 
@@ -493,6 +513,8 @@ func AddStepsTo(sc *godog.ScenarioContext) {
 	sc.Step(`^the task results should match the snapshot$`, taskResultsShouldMatchTheSnapshot)
 	sc.Step(`^the task result "([^"]*)" should equal "([^"]*)"$`, taskResultShouldEqual)
 	sc.Step(`^policy configuration named "([^"]*)" with (\d+) policy sources from "([^"]*)"(?:, patched with)$`, createNamedPolicyWithManySources)
+	sc.Step(`^a namespace named "([^"]*)" exists$`, createNamedNamespace)
+	sc.Step(`^a ConfigMap "([^"]*)" in namespace "([^"]*)" with content:$`, createConfigMap)
 	// stop usage of the cluster once a test is done, godog will call this
 	// function on failure and on the last step, so more than once if the
 	// failure is not on the last step and once if there was no failure or the

acceptance/kubernetes/stub/stub.go

@@ -135,6 +135,14 @@ func (s stubCluster) CreateNamedSnapshot(ctx context.Context, name string, speci
 		}))).WithHeaders(map[string]string{"Content-Type": "application/json"}).WithStatus(200)))
 }
 
+func (s stubCluster) CreateConfigMap(_ context.Context, _, _, _ string) error {
+	return errors.New("ConfigMap creation is not supported when using the stub Kubernetes")
+}
+
+func (s stubCluster) CreateNamedNamespace(_ context.Context, _ string) error {
+	return errors.New("Named namespace creation is not supported when using the stub Kubernetes")
+}
+
 func (s stubCluster) CreatePolicy(_ context.Context, _ string) error {
 	return errors.New("use `Given policy configuration named \"<name>\" with specification` when using the stub Kubernetes")
 }

acceptance/kubernetes/types/types.go

@@ -31,6 +31,8 @@ type Cluster interface {
 	AwaitUntilTaskIsDone(context.Context) (bool, error)
 	TaskInfo(context.Context) (*TaskInfo, error)
 	CreateNamedSnapshot(context.Context, string, string) error
+	CreateNamedNamespace(context.Context, string) error
+	CreateConfigMap(context.Context, string, string, string) error
 	Registry(context.Context) (string, error)
 	BuildSnapshotArtifact(context.Context, string) (context.Context, error)
 }