Teleport Chart 업데이트

ByeonJungHun
2024-01-22 12:12:36 +09:00
parent fde2f5f8a7
commit 7c1afcf6d7
163 changed files with 15784 additions and 71 deletions


@@ -1,6 +1,6 @@
should add an operator side-car when operator is enabled:
1: |
image: public.ecr.aws/gravitational/teleport-operator:13.3.9
image: public.ecr.aws/gravitational/teleport-operator:14.2.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -9,6 +9,13 @@ should add an operator side-car when operator is enabled:
initialDelaySeconds: 15
periodSeconds: 20
name: operator
ports:
- containerPort: 8080
name: op-metrics
protocol: TCP
- containerPort: 8081
name: op-health
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
@@ -34,7 +41,7 @@ should add an operator side-car when operator is enabled:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -167,7 +174,7 @@ should set nodeSelector when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -264,7 +271,7 @@ should set resources when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -350,7 +357,7 @@ should set securityContext when set in values:
- args:
- --diag-addr=0.0.0.0:3000
- --apply-on-startup=/etc/teleport/apply-on-startup.yaml
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:


@@ -1,3 +1,55 @@
? should not request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
2: |
group: custom.cert-manager.io
kind: CustomClusterIssuer
name: custom
? should not request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
2: |
group: cert-manager.io
kind: Issuer
name: letsencrypt
? should request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
- teleport.test.com
- teleport.shared-services.old-domain.com
2: |
group: custom.cert-manager.io
kind: CustomClusterIssuer
name: custom
? should request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml)
: 1: |
- test-cluster
- '*.test-cluster'
- teleport.test.com
- teleport.shared-services.old-domain.com
2: |
group: cert-manager.io
kind: Issuer
name: letsencrypt
? should request a certificate for cluster name and publicAddrs when cert-manager
is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing
duplicates
: 1: |
- test-cluster
- '*.test-cluster'
- teleport.test.com
- teleport.shared-services.old-domain.com
2: |
group: custom.cert-manager.io
kind: CustomClusterIssuer
name: custom
should request a certificate for cluster name when cert-manager is enabled (cert-manager.yaml):
1: |
- test-cluster


@@ -1,4 +1,4 @@
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled is not set:
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set:
1: |
|-
auth_service:
@@ -28,7 +28,7 @@ generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version
output: stderr
severity: INFO
version: v3
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled=true:
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true:
1: |
|-
auth_service:
@@ -54,7 +54,7 @@ generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version
output: stderr
severity: INFO
version: v3
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled is not set:
generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set:
1: |
|-
auth_service:
@@ -141,7 +141,7 @@ generates a config with proxy_service.trust_x_forwarded_for=true when version =
output: stderr
severity: INFO
version: v3
generates a config with proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled=true:
generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true:
1: |
|-
auth_service:


@@ -4,8 +4,8 @@ should provision initContainer correctly when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
- args:
- echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -122,8 +122,8 @@ should set nodeSelector when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
nodeSelector:
environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -241,8 +241,8 @@ should set resources when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
serviceAccountName: RELEASE-NAME-proxy
terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -342,8 +342,8 @@ should set securityContext for initContainers when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
containers:
- args:
- --diag-addr=0.0.0.0:3000
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@@ -450,8 +450,8 @@ should set securityContext when set in values:
- teleport
- wait
- no-resolve
- RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:13.3.9
- RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
image: public.ecr.aws/gravitational/teleport-distroless:14.2.0
name: wait-auth-update
securityContext:
allowPrivilegeEscalation: false


@@ -304,6 +304,7 @@ tests:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: auth/deployment.yaml
set:
@@ -314,6 +315,36 @@ tests:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: auth/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: auth/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: auth/deployment.yaml
values:
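Review bot: The new `should add one more container when extraContainers is set in values` case hard-codes a sidecar with `securityContext.privileged: true`, `runAsNonRoot: false` and the untagged image `praqma/network-multitool` as the expected render next to the auth container, with nothing saying this is a passthrough fixture rather than a supported configuration. The assertion only shows that `extraContainers` is emitted verbatim, so if the fixture is privileged on purpose a comment above the case would make that explicit, for example `# fixture is intentionally privileged: checks verbatim passthrough only, not a recommended sidecar`. The image in `../.lint/extra-containers.yaml` (not visible in this commit view) would also be steadier pinned to a tag or digest, since the expected value here must match it exactly. The same two cases are added for `proxy/deployment.yaml` in the last file section of this commit and the point applies there as well.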


@@ -14,6 +14,9 @@ tests:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- it: should request a certificate for cluster name when cert-manager is enabled (cert-secret.yaml)
values:
@@ -27,3 +30,165 @@ tests:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-manager.yaml)
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: false
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "teleport.test.com"
- notEqual:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should not request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is not set (cert-secret.yaml)
values:
- ../.lint/cert-secret.yaml
set:
publicAddr: ['teleport.test.com:443', 'teleport.shared-services.old-domain.com:443']
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- notEqual:
path: spec.commonName
value: test-cluster
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "teleport.test.com"
- notEqual:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- it: should request a certificate for cluster name and publicAddrs when cert-manager is enabled and proxy.highAvailability.certManager.addPublicAddrs is set, removing duplicates
values:
- ../.lint/cert-manager.yaml
set:
publicAddr: ['test-cluster:443', 'teleport.test.com:443', 'teleport.shared-services.old-domain.com:443', 'teleport.test.com:443']
highAvailability:
certManager:
addPublicAddrs: true
asserts:
- hasDocuments:
count: 1
- isKind:
of: Certificate
- matchSnapshot:
path: spec.dnsNames
- matchSnapshot:
path: spec.issuerRef
- equal:
path: spec.dnsNames[0]
value: "test-cluster"
- equal:
path: spec.dnsNames[1]
value: "*.test-cluster"
- notEqual:
path: spec.dnsNames[2]
value: "test-cluster"
- equal:
path: spec.dnsNames[2]
value: "teleport.test.com"
- equal:
path: spec.dnsNames[3]
value: "teleport.shared-services.old-domain.com"
- notEqual:
path: spec.dnsNames[4]
value: "teleport.test.com"
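Review bot: The `notEqual` checks on `spec.dnsNames[2]` and `spec.dnsNames[3]` in the two `addPublicAddrs is not set` cases (second hunk) do not show that the public addresses are kept out of the certificate: they would still pass if the two names were present in swapped order, and they most likely pass when the index does not exist at all. Only the `matchSnapshot` on `spec.dnsNames` pins the SAN list in those cases. An explicit length assertion states the intent directly, assuming the helm-unittest version in use provides it: `- lengthEqual:` with `path: spec.dnsNames` and `count: 2`. The `notEqual` on `spec.dnsNames[4]` in the `removing duplicates` case has the same weakness, and `count: 4` would cover it.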


@@ -163,9 +163,9 @@ tests:
- failedTemplate:
errorMessage: "clusterName must not contain a colon, you can override the cluster's public address with publicAddr"
- it: generates a config with proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled=true
- it: generates a config with proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled=true
chart:
version: 13.2.0
version: 14.0.0
values:
- ../.lint/ingress.yaml
set:
@@ -193,9 +193,9 @@ tests:
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=13.2.0 and ingress.enabled is not set
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version >=14.0.0 and ingress.enabled is not set
chart:
version: 13.2.0
version: 14.0.0
set:
clusterName: "helm-test.example.com"
asserts:
@@ -206,7 +206,7 @@ tests:
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled=true
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled=true
chart:
version: 13.1.5
values:
@@ -221,9 +221,9 @@ tests:
- matchSnapshot:
path: data.teleport\.yaml
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 13.2.0 and ingress.enabled is not set
- it: generates a config WITHOUT proxy_service.trust_x_forwarded_for=true when version < 14.0.0 and ingress.enabled is not set
chart:
version: 13.1.5
version: 14.0.0
set:
clusterName: "helm-test.example.com"
asserts:
@@ -233,3 +233,26 @@ tests:
of: ConfigMap
- matchSnapshot:
path: data.teleport\.yaml
- it: sets "proxy_protocol" to "on"
set:
proxyProtocol: "on"
clusterName: teleport.example.com
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol: "on"'
- it: sets "proxy_protocol" to "off"
set:
proxyProtocol: "off"
clusterName: teleport.example.com
asserts:
- matchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol: "off"'
- it: does not set "proxy_protocol"
set:
clusterName: teleport.example.com
asserts:
- notMatchRegex:
path: data.teleport\.yaml
pattern: 'proxy_protocol:'
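Review bot: In the fourth hunk (`@@ -221,9 +221,9 @@`) the case titled `... when version < 14.0.0 and ingress.enabled is not set` now sets `chart.version` to `14.0.0`, which is not below the threshold its title names. It therefore repeats the `>=14.0.0 and ingress.enabled is not set` case, and the below-threshold path without ingress is no longer exercised. The sibling `< 14.0.0 and ingress.enabled=true` case keeps `version: 13.1.5`, and this one should as well: `version: 13.1.5` under `chart:`. Since `trust_x_forwarded_for` governs whether the proxy accepts a client-supplied forwarding header, each side of the version gate is worth its own case; the matching snapshot entry may need regenerating if its content depends on the chart version.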


@@ -332,6 +332,36 @@ tests:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: proxy/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: proxy/deployment.yaml
values: