suite: Proxy Ingress templates: - proxy/ingress.yaml tests: - it: does not create an Ingress by default set: clusterName: teleport.example.com asserts: - hasDocuments: count: 0 - it: creates an Ingress when ingress.enabled=true and proxyListenerMode=multiplex values: - ../.lint/ingress.yaml asserts: - hasDocuments: count: 1 - isKind: of: Ingress - it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode is not set values: - ../.lint/ingress.yaml set: proxyListenerMode: "" asserts: - failedTemplate: errorMessage: "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" - it: fails to deploy an Ingress when ingress.enabled=true and proxyListenerMode=separate values: - ../.lint/ingress.yaml set: proxyListenerMode: separate asserts: - failedTemplate: errorMessage: "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" - it: wears annotations when set values: - ../.lint/ingress.yaml set: annotations: ingress: test-annotation: test-annotation-value another-annotation: some-other-value asserts: - hasDocuments: count: 1 - isKind: of: Ingress - equal: path: metadata.annotations.test-annotation value: test-annotation-value - equal: path: metadata.annotations.another-annotation value: some-other-value - it: sets the clusterName and wildcard of clusterName as hostnames when Ingress is enabled values: - ../.lint/ingress.yaml asserts: - equal: path: spec.tls[0].hosts[0] value: "teleport.example.com" - contains: path: spec.tls content: hosts: - "teleport.example.com" - "*.teleport.example.com" - equal: path: spec.rules[0].host value: "teleport.example.com" - contains: path: spec.rules content: host: "teleport.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - equal: path: spec.rules[1].host value: "*.teleport.example.com" - contains: path: spec.rules content: host: "*.teleport.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls - it: does not set a wildcard of clusterName as a hostname when Ingress is enabled and ingress.suppressAutomaticWildcards is true values: - ../.lint/ingress.yaml set: ingress: suppressAutomaticWildcards: true asserts: - equal: path: spec.tls[0].hosts[0] value: "teleport.example.com" - contains: path: spec.tls content: hosts: - "teleport.example.com" - equal: path: spec.rules[0].host value: "teleport.example.com" - contains: path: spec.rules content: host: "teleport.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - notContains: path: spec.rules content: host: "*.teleport.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls - it: sets the publicAddr and wildcard of publicAddr as hostnames when Ingress is enabled and publicAddr is set values: - ../.lint/ingress.yaml set: publicAddr: ["helm-lint.example.com"] asserts: - equal: path: spec.tls[0].hosts[0] value: "helm-lint.example.com" - contains: path: spec.tls content: hosts: - "helm-lint.example.com" - "*.helm-lint.example.com" - equal: path: spec.rules[0].host value: helm-lint.example.com - contains: path: spec.rules content: host: "helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - equal: path: spec.rules[1].host value: "*.helm-lint.example.com" - contains: path: spec.rules content: host: "*.helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls - it: does not set a wildcard of publicAddr as a hostname when Ingress is enabled, publicAddr is set and ingress.suppressAutomaticWildcards is true values: - ../.lint/ingress.yaml set: publicAddr: ["helm-lint.example.com"] ingress: suppressAutomaticWildcards: true asserts: - equal: path: spec.tls[0].hosts[0] value: "helm-lint.example.com" - contains: path: spec.tls content: hosts: - "helm-lint.example.com" - equal: path: spec.rules[0].host value: helm-lint.example.com - contains: path: spec.rules content: host: "helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - notContains: path: spec.rules content: host: "*.helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls - it: trims ports from publicAddr and uses it as the hostname when Ingress is enabled and publicAddr is set values: - ../.lint/ingress.yaml set: publicAddr: ["helm-lint.example.com:443"] asserts: - equal: path: spec.tls[0].hosts[0] value: "helm-lint.example.com" - contains: path: spec.tls content: hosts: - "helm-lint.example.com" - "*.helm-lint.example.com" - equal: path: spec.rules[0].host value: "helm-lint.example.com" - contains: path: spec.rules content: host: helm-lint.example.com http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - equal: path: spec.rules[1].host value: "*.helm-lint.example.com" - contains: path: spec.rules content: host: "*.helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls - it: exposes all publicAddrs and wildcard publicAddrs as hostnames when Ingress is enabled and multiple publicAddrs are set values: - ../.lint/ingress.yaml set: publicAddr: ["helm-lint.example.com", "helm-lint-second-domain.example.com"] asserts: - equal: path: spec.tls[0].hosts[0] value: "helm-lint.example.com" - equal: path: spec.tls[0].hosts[1] value: "helm-lint-second-domain.example.com" - contains: path: spec.tls content: hosts: - "helm-lint.example.com" - "helm-lint-second-domain.example.com" - "*.helm-lint.example.com" - "*.helm-lint-second-domain.example.com" - equal: path: spec.rules[0].host value: "helm-lint.example.com" - equal: path: spec.rules[1].host value: "helm-lint-second-domain.example.com" - equal: path: spec.rules[2].host value: "*.helm-lint.example.com" - equal: path: spec.rules[3].host value: "*.helm-lint-second-domain.example.com" - contains: path: spec.rules content: host: "helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - contains: path: spec.rules content: host: "helm-lint-second-domain.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - contains: path: spec.rules content: host: "*.helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - contains: path: spec.rules content: host: "*.helm-lint-second-domain.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls # this is a very contrived example which wouldn't even work in reality # it's just to test the logic in the hostname generation code - it: does not add additional wildcard publicAddrs when Ingress is enabled and a publicAddr already contains a wildcard values: - ../.lint/ingress.yaml set: publicAddr: ["helm-lint.example.com", "*.helm-lint.example.com", "helm-lint-second-domain.example.com:443"] asserts: - equal: path: spec.tls[0].hosts[0] value: "helm-lint.example.com" - equal: path: spec.tls[0].hosts[1] value: "*.helm-lint.example.com" - equal: path: spec.tls[0].hosts[2] value: "helm-lint-second-domain.example.com" - equal: path: spec.tls[0].hosts[3] value: "*.helm-lint-second-domain.example.com" - contains: path: spec.tls content: hosts: - "helm-lint.example.com" - "*.helm-lint.example.com" - "helm-lint-second-domain.example.com" - "*.helm-lint-second-domain.example.com" - equal: path: spec.rules[0].host value: "helm-lint.example.com" - equal: path: spec.rules[1].host value: "*.helm-lint.example.com" - equal: path: spec.rules[2].host value: "helm-lint-second-domain.example.com" - equal: path: spec.rules[3].host value: "*.helm-lint-second-domain.example.com" - contains: path: spec.rules content: host: "helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - contains: path: spec.rules content: host: "*.helm-lint.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - contains: path: spec.rules content: host: "helm-lint-second-domain.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - contains: path: spec.rules content: host: "*.helm-lint-second-domain.example.com" http: paths: - backend: service: name: RELEASE-NAME port: number: 443 path: / pathType: Prefix - matchSnapshot: path: spec.tls - it: sets spec when passed values: - ../.lint/ingress.yaml set: ingress: spec: ingressClassName: nginx otherSpecStuff: lint asserts: - hasDocuments: count: 1 - isKind: of: Ingress - equal: path: spec.ingressClassName value: nginx - equal: path: spec.otherSpecStuff value: lint - it: does not set tls.secretName by default values: - ../.lint/ingress.yaml asserts: - isEmpty: path: spec.tls[0].secretName - matchSnapshot: path: spec.tls - it: sets tls.secretName when cert-manager is enabled values: - ../.lint/ingress.yaml set: highAvailability: certManager: enabled: true asserts: - equal: path: spec.tls[0].secretName value: teleport-tls - matchSnapshot: path: spec.tls - it: sets tls.secretName the value of tls.existingSecretName when set values: - ../.lint/ingress.yaml set: tls: existingSecretName: helm-lint-tls-secret asserts: - equal: path: spec.tls[0].secretName value: helm-lint-tls-secret - matchSnapshot: path: spec.tls