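# helm-unittest suite for the proxy Deployment rendered by this chart.
# Every test renders proxy/deployment.yaml (and proxy/config.yaml, which is
# listed so that config-dependent checksums/annotations resolve) with either
# inline `set:` overrides or a shared fixture from ../.lint/, then asserts on
# the rendered manifest. Fixture contents are not visible here; comments that
# describe them are derived from the values asserted below.
suite: Proxy Deployment
templates:
  - proxy/deployment.yaml
  - proxy/config.yaml
tests:
  - it: sets Deployment annotations when specified
    template: proxy/deployment.yaml
    values:
      - ../.lint/annotations.yaml
    asserts:
      - equal:
          path: metadata.annotations.kubernetes\.io/deployment
          value: test-annotation
      - equal:
          path: metadata.annotations.kubernetes\.io/deployment-different
          value: 3
  - it: sets Pod annotations when specified
    template: proxy/deployment.yaml
    values:
      - ../.lint/annotations.yaml
    asserts:
      - equal:
          path: spec.template.metadata.annotations.kubernetes\.io/pod
          value: test-annotation
      - equal:
          path: spec.template.metadata.annotations.kubernetes\.io/pod-different
          value: 4

  # Replica count is tied to TLS material being available: without a cert the
  # proxy is pinned to a single replica, with one it scales out by default.
  - it: should not have more than one replica if no certificate is passed
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - equal:
          path: spec.replicas
          value: 1
  - it: should have multiple replicas by default when a certificate is passed through a secret
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      tls:
        existingSecretName: my-certs
    asserts:
      - equal:
          path: spec.replicas
          value: 2
  - it: should have multiple replicas by default when certManager is configured
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        certManager:
          enabled: true
    asserts:
      - equal:
          path: spec.replicas
          value: 2
  - it: should have multiple replicas when global replicaCount is set and a certificate is passed
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        replicaCount: 3
        certManager:
          enabled: true
    asserts:
      - equal:
          path: spec.replicas
          value: 3
  - it: should have a single replica when proxy-specific replicaCount is set to 1 and a cert is passed
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        certManager:
          enabled: true
      proxy:
        highAvailability:
          replicaCount: 1
    asserts:
      - equal:
          path: spec.replicas
          value: 1

  # Scheduling constraints: affinity, anti-affinity, tolerations.
  - it: should set affinity when set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        replicaCount: 3
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: gravitational.io/dedicated
                    operator: In
                    values:
                      - teleport
    asserts:
      - isNotNull:
          path: spec.template.spec.affinity
      - matchSnapshot:
          path: spec.template.spec.affinity
  - it: should set required affinity when highAvailability.requireAntiAffinity is set
    template: proxy/deployment.yaml
    values:
      - ../.lint/aws-ha-antiaffinity.yaml
    asserts:
      - isNotNull:
          path: spec.template.spec.affinity
      - isNotNull:
          path: spec.template.spec.affinity.podAntiAffinity
      - isNotNull:
          path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
      - matchSnapshot:
          path: spec.template.spec.affinity
  - it: should set tolerations when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/tolerations.yaml
    asserts:
      - isNotNull:
          path: spec.template.spec.tolerations
      - matchSnapshot:
          path: spec.template.spec.tolerations
  - it: should set resources when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/resources.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].resources.limits.cpu
          value: 2
      - equal:
          path: spec.template.spec.containers[0].resources.limits.memory
          value: 4Gi
      - equal:
          path: spec.template.spec.containers[0].resources.requests.cpu
          value: 1
      - equal:
          path: spec.template.spec.containers[0].resources.requests.memory
          value: 2Gi
      - matchSnapshot:
          path: spec.template.spec

  # securityContext pass-through. NOTE(review): the shared fixture asserted
  # here leaves readOnlyRootFilesystem at false, so these tests only prove the
  # values are copied into the pod spec verbatim; they do not establish that
  # the rendered pod is hardened. The chart default (next test) is *no*
  # securityContext at all, so any hardening has to come from values.
  - it: should set securityContext when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
          value: false
      - equal:
          path: spec.template.spec.containers[0].securityContext.privileged
          value: false
      - equal:
          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
          value: false
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsGroup
          value: 99
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsNonRoot
          value: true
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsUser
          value: 99
      - matchSnapshot:
          path: spec.template.spec
  - it: should not set securityContext when is empty object (default value)
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context-empty.yaml
    asserts:
      - isNull:
          path: spec.template.spec.containers[0].securityContext
  - it: should set securityContext for initContainers when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context.yaml
    asserts:
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.allowPrivilegeEscalation
          value: false
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.privileged
          value: false
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.readOnlyRootFilesystem
          value: false
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.runAsGroup
          value: 99
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot
          value: true
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.runAsUser
          value: 99
      - matchSnapshot:
          path: spec.template.spec
  - it: should not set securityContext for initContainers when is empty object (default value)
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context-empty.yaml
    asserts:
      - isNull:
          path: spec.template.spec.initContainers[0].securityContext

  # we can't use the dynamic chart version or appVersion as a variable in the tests,
  # so we override it manually and check that gets set instead
  # this saves us having to update the test every time we cut a new release
  # (the image reference is pinned by tag only; no digest is asserted here).
  - it: should use enterprise image when enterprise is set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      enterprise: true
      teleportVersionOverride: 12.2.1
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
  - it: should use OSS image when enterprise is not set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
      teleportVersionOverride: 12.2.1
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: public.ecr.aws/gravitational/teleport-distroless:12.2.1

  # Volume wiring. TLS material and the rendered config are always mounted
  # read-only; user-supplied extraVolumes are passed through as given.
  - it: should mount TLS certs when cert-manager is enabled
    template: proxy/deployment.yaml
    values:
      - ../.lint/gcp-ha-acme.yaml
      - ../.lint/initcontainers.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: "teleport-tls"
            readOnly: true
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: teleport-tls
      - contains:
          path: spec.template.spec.initContainers[1].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: "teleport-tls"
            readOnly: true
      - contains:
          path: spec.template.spec.initContainers[2].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: "teleport-tls"
            readOnly: true
  - it: should mount ConfigMap containing Teleport config
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport
            name: "config"
            readOnly: true
      - contains:
          path: spec.template.spec.volumes
          content:
            name: config
            configMap:
              name: RELEASE-NAME-proxy
  - it: should mount extraVolumes and extraVolumeMounts on container and initContainers
    template: proxy/deployment.yaml
    values:
      - ../.lint/volumes.yaml
      - ../.lint/initcontainers.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /path/to/mount
            name: my-mount
      - contains:
          path: spec.template.spec.initContainers[1].volumeMounts
          content:
            mountPath: /path/to/mount
            name: my-mount
      - contains:
          path: spec.template.spec.initContainers[2].volumeMounts
          content:
            mountPath: /path/to/mount
            name: my-mount
      - contains:
          path: spec.template.spec.volumes
          content:
            name: my-mount
            secret:
              secretName: mySecret
  - it: should set imagePullPolicy when set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      imagePullPolicy: Always
    asserts:
      - equal:
          path: spec.template.spec.containers[0].imagePullPolicy
          value: Always
  - it: should set environment when extraEnv set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/extra-env.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SOME_ENVIRONMENT_VARIABLE
            value: "some-value"
  - it: should set imagePullSecrets when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/imagepullsecrets.yaml
    asserts:
      - equal:
          path: spec.template.spec.imagePullSecrets[0].name
          value: myRegistryKeySecretName
      - matchSnapshot:
          path: spec.template.spec.imagePullSecrets

  # User-supplied initContainers are appended after the chart's own
  # initContainers[0], hence the [1]/[2] indices below.
  - it: should provision initContainer correctly when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/initcontainers.yaml
      - ../.lint/resources.yaml
      - ../.lint/extra-env.yaml
    asserts:
      - contains:
          path: spec.template.spec.initContainers[1].args
          content: "echo test"
      - equal:
          path: spec.template.spec.initContainers[1].name
          value: "teleport-init"
      - equal:
          path: spec.template.spec.initContainers[1].image
          value: "alpine"
      - equal:
          path: spec.template.spec.initContainers[1].resources.limits.cpu
          value: 2
      - equal:
          path: spec.template.spec.initContainers[1].resources.limits.memory
          value: 4Gi
      - equal:
          path: spec.template.spec.initContainers[1].resources.requests.cpu
          value: 1
      - equal:
          path: spec.template.spec.initContainers[1].resources.requests.memory
          value: 2Gi
      - contains:
          path: spec.template.spec.initContainers[2].args
          content: "echo test2"
      - equal:
          path: spec.template.spec.initContainers[2].name
          value: "teleport-init2"
      - equal:
          path: spec.template.spec.initContainers[2].image
          value: "alpine"
      - equal:
          path: spec.template.spec.initContainers[2].resources.limits.cpu
          value: 2
      - equal:
          path: spec.template.spec.initContainers[2].resources.limits.memory
          value: 4Gi
      - equal:
          path: spec.template.spec.initContainers[2].resources.requests.cpu
          value: 1
      - equal:
          path: spec.template.spec.initContainers[2].resources.requests.memory
          value: 2Gi
      - matchSnapshot:
          path: spec.template.spec.initContainers

  # `--insecure` makes the proxy skip TLS verification of its own endpoint.
  # It must be an explicit opt-in: the first test covers the opt-in, the
  # second guards the default so a values.yaml regression cannot silently
  # ship an insecure proxy. NOTE(review): the default test assumes
  # insecureSkipProxyTLSVerify is false in values.yaml (not visible here).
  - it: should add insecureSkipProxyTLSVerify to args when set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      insecureSkipProxyTLSVerify: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].args
          content: "--insecure"
  - it: should not add --insecure to args by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].args
          content: "--insecure"

  # Listener exposure. In multiplex mode every protocol is served on the
  # single TLS port (3080) and the per-protocol ports must not be declared.
  # The diag port (3000) is always declared; whether it is reachable from
  # outside the pod depends on the Service/NetworkPolicy, not on this test.
  - it: should expose diag port
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: diag
            containerPort: 3000
            protocol: TCP
  - it: should expose tls port
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: tls
            containerPort: 3080
            protocol: TCP
  - it: should expose tls port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: tls
            containerPort: 3080
            protocol: TCP
  - it: should not expose proxy peering port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: proxypeering
            containerPort: 3021
            protocol: TCP
  - it: should expose proxy peering port when enterprise is true
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      enterprise: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: proxypeering
            containerPort: 3021
            protocol: TCP
  - it: should expose sshproxy port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshproxy
            containerPort: 3023
            protocol: TCP
  - it: should not expose sshproxy port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshproxy
            containerPort: 3023
            protocol: TCP
  - it: should expose sshtun port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshtun
            containerPort: 3024
            protocol: TCP
  - it: should not expose sshtun port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshtun
            containerPort: 3024
            protocol: TCP
  - it: should expose k8s port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: kube
            containerPort: 3026
            protocol: TCP
  - it: should not expose k8s port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: kube
            containerPort: 3026
            protocol: TCP
  - it: should expose mysql port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mysql
            containerPort: 3036
            protocol: TCP
  - it: should not expose mysql port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mysql
            containerPort: 3036
            protocol: TCP
  - it: should expose postgres port when separate postgres listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      separatePostgresListener: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: postgres
            containerPort: 5432
            protocol: TCP
  - it: should not expose postgres port when proxyListenerMode is multiplex and separate postgres listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
      separatePostgresListener: true
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: postgres
            containerPort: 5432
            protocol: TCP
  - it: should expose mongo port when separate mongo listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      separateMongoListener: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mongo
            containerPort: 27017
            protocol: TCP
  - it: should not expose mongo port when when proxyListenerMode is multiplex and separate mongo listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
      separateMongoListener: true
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mongo
            containerPort: 27017
            protocol: TCP

  # postStart is an arbitrary exec hook supplied by values; the chart passes
  # the command array through unchanged.
  - it: should set postStart command if set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      postStart:
        command: ["/bin/echo", "test"]
    asserts:
      - equal:
          path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
          value: ["/bin/echo", "test"]
  # /var/lib/teleport is an emptyDir: proxy state is ephemeral per pod.
  - it: should add and mount emptyDir for data
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/lib/teleport
            name: data
      - contains:
          path: spec.template.spec.volumes
          content:
            name: data
            emptyDir: {}
  - it: should set priorityClassName when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/priority-class-name.yaml
    asserts:
      - equal:
          path: spec.template.spec.priorityClassName
          value: system-cluster-critical
  - it: should set probeTimeoutSeconds when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/probe-timeout-seconds.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
          value: 5
      - equal:
          path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
          value: 5

  # TLS secret selection: nothing is mounted unless cert-manager or an
  # existing secret is configured; an optional CA secret is mounted
  # separately and exported via SSL_CERT_FILE so the process trusts it.
  - it: should not mount TLS secrets when when highAvailability.certManager.enabled is false and tls.existingSecretName is not set
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint-test-cluster
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: teleport-tls
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: teleport-tls
            readOnly: true
  - it: should mount cert-manager TLS secret when highAvailability.certManager.enabled is true
    template: proxy/deployment.yaml
    values:
      - ../.lint/cert-manager.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: teleport-tls
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: teleport-tls
            readOnly: true
  - it: should mount tls.existingSecretName when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/existing-tls-secret.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: helm-lint-existing-tls-secret
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: teleport-tls
            readOnly: true
  - it: should mount tls.existingCASecretName and set environment when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/existing-tls-secret-with-ca.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls-ca
            secret:
              secretName: helm-lint-existing-tls-secret-ca
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls-ca
            name: teleport-tls-ca
            readOnly: true
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSL_CERT_FILE
            value: /etc/teleport-tls-ca/ca.pem
  - it: should mount tls.existingCASecretName and set extra environment when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/existing-tls-secret-with-ca.yaml
      - ../.lint/extra-env.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls-ca
            secret:
              secretName: helm-lint-existing-tls-secret-ca
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls-ca
            name: teleport-tls-ca
            readOnly: true
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSL_CERT_FILE
            value: /etc/teleport-tls-ca/ca.pem
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SOME_ENVIRONMENT_VARIABLE
            value: some-value
  - it: should set minReadySeconds when replicaCount > 1
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
      highAvailability:
        certManager:
          enabled: true
        replicaCount: 3
        minReadySeconds: 60
    asserts:
      - equal:
          path: spec.minReadySeconds
          value: 60
  - it: should not set minReadySeconds when replicaCount = 1
    template: proxy/deployment.yaml
    set:
      chartMode: scratch
      highAvailability:
        minReadySeconds: 60
        replicaCount: 1
    asserts:
      - equal:
          path: spec.minReadySeconds
          value: null
  - it: should set nodeSelector when set in values
    template: proxy/deployment.yaml
    set:
      chartMode: scratch
      clusterName: helm-lint.example.com
      nodeSelector:
        role: bastion
        environment: security
    asserts:
      - isNotNull:
          path: spec.template.spec.nodeSelector
      - matchSnapshot:
          path: spec.template.spec

  # Service account token handling is keyed off the Kubernetes version
  # (overridden here via `capabilities`). On older clusters the legacy
  # auto-mounted secret token is used; on newer ones automount is disabled
  # and a projected token is mounted read-only instead. NOTE(review): the
  # projected serviceAccountToken source asserted below carries no explicit
  # expirationSeconds or audience, so the kubelet/API-server defaults apply.
  - it: mounts regular tokens on older Kubernetes versions
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
      capabilities:
        majorVersion: 1
        minorVersion: 18
    asserts:
      - notEqual:
          path: spec.template.spec.automountServiceAccountToken
          value: false
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: proxy-serviceaccount-token
            projected:
              sources:
                - serviceAccountToken:
                    path: token
                - configMap:
                    items:
                      - key: ca.crt
                        path: ca.crt
                    name: kube-root-ca.crt
                - downwardAPI:
                    items:
                      - path: "namespace"
                        fieldRef:
                          fieldPath: metadata.namespace
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            name: proxy-serviceaccount-token
            readOnly: true
  - it: mounts tokens through projected volumes on newer Kubernetes versions
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
      capabilities:
        majorVersion: 1
        minorVersion: 21
    asserts:
      - equal:
          path: spec.template.spec.automountServiceAccountToken
          value: false
      - contains:
          path: spec.template.spec.volumes
          content:
            name: proxy-serviceaccount-token
            projected:
              sources:
                - serviceAccountToken:
                    path: token
                - configMap:
                    items:
                      - key: ca.crt
                        path: ca.crt
                    name: kube-root-ca.crt
                - downwardAPI:
                    items:
                      - path: "namespace"
                        fieldRef:
                          fieldPath: metadata.namespace
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            name: proxy-serviceaccount-token
            readOnly: true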