dsk-devops-toolchains/helm/teleport-cluster/tests/proxy_deployment_test.yaml

suite: Proxy Deployment
templates:
  - proxy/deployment.yaml
  - proxy/config.yaml
tests:
  - it: sets Deployment annotations when specified
    template: proxy/deployment.yaml
    values:
      - ../.lint/annotations.yaml
    asserts:
      - equal:
          path: metadata.annotations.kubernetes\.io/deployment
          value: test-annotation
      - equal:
          path: metadata.annotations.kubernetes\.io/deployment-different
          value: 3

  - it: sets Pod annotations when specified
    template: proxy/deployment.yaml
    values:
      - ../.lint/annotations.yaml
    asserts:
      - equal:
          path: spec.template.metadata.annotations.kubernetes\.io/pod
          value: test-annotation
      - equal:
          path: spec.template.metadata.annotations.kubernetes\.io/pod-different
          value: 4

  - it: should not have more than one replica if no certificate is passed
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - equal:
          path: spec.replicas
          value: 1

  - it: should have multiple replicas by default when a certificate is passed through a secret
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      tls:
        existingSecretName: my-certs
    asserts:
      - equal:
          path: spec.replicas
          value: 2

  - it: should have multiple replicas by default when certManager is configured
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        certManager:
          enabled: true
    asserts:
      - equal:
          path: spec.replicas
          value: 2

  - it: should have multiple replicas when global replicaCount is set and a certificate is passed
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        replicaCount: 3
        certManager:
          enabled: true
    asserts:
      - equal:
          path: spec.replicas
          value: 3

  - it: should have a single replica when proxy-specific replicaCount is set to 1 and a cert is passed
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        certManager:
          enabled: true
      proxy:
        highAvailability:
          replicaCount: 1
    asserts:
      - equal:
          path: spec.replicas
          value: 1

  - it: should set affinity when set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      highAvailability:
        replicaCount: 3
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: gravitational.io/dedicated
                    operator: In
                    values:
                      - teleport
    asserts:
      - isNotNull:
          path: spec.template.spec.affinity
      - matchSnapshot:
          path: spec.template.spec.affinity

  - it: should set required affinity when highAvailability.requireAntiAffinity is set
    template: proxy/deployment.yaml
    values:
      - ../.lint/aws-ha-antiaffinity.yaml
    asserts:
      - isNotNull:
          path: spec.template.spec.affinity
      - isNotNull:
          path: spec.template.spec.affinity.podAntiAffinity
      - isNotNull:
          path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
      - matchSnapshot:
          path: spec.template.spec.affinity

  - it: should set tolerations when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/tolerations.yaml
    asserts:
      - isNotNull:
          path: spec.template.spec.tolerations
      - matchSnapshot:
          path: spec.template.spec.tolerations

  - it: should set resources when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/resources.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].resources.limits.cpu
          value: 2
      - equal:
          path: spec.template.spec.containers[0].resources.limits.memory
          value: 4Gi
      - equal:
          path: spec.template.spec.containers[0].resources.requests.cpu
          value: 1
      - equal:
          path: spec.template.spec.containers[0].resources.requests.memory
          value: 2Gi
      - matchSnapshot:
          path: spec.template.spec

  - it: should set securityContext when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
          value: false
      - equal:
          path: spec.template.spec.containers[0].securityContext.privileged
          value: false
      - equal:
          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
          value: false
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsGroup
          value: 99
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsNonRoot
          value: true
      - equal:
          path: spec.template.spec.containers[0].securityContext.runAsUser
          value: 99
      - matchSnapshot:
          path: spec.template.spec

  - it: should not set securityContext when is empty object (default value)
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context-empty.yaml
    asserts:
      - isNull:
          path: spec.template.spec.containers[0].securityContext

  - it: should set securityContext for initContainers when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context.yaml
    asserts:
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.allowPrivilegeEscalation
          value: false
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.privileged
          value: false
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.readOnlyRootFilesystem
          value: false
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.runAsGroup
          value: 99
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot
          value: true
      - equal:
          path: spec.template.spec.initContainers[0].securityContext.runAsUser
          value: 99
      - matchSnapshot:
          path: spec.template.spec


  - it: should not set securityContext for initContainers when is empty object (default value)
    template: proxy/deployment.yaml
    values:
      - ../.lint/security-context-empty.yaml
    asserts:
      - isNull:
          path: spec.template.spec.initContainers[0].securityContext

  # we can't use the dynamic chart version or appVersion as a variable in the tests,
  # so we override it manually and check that gets set instead
  # this saves us having to update the test every time we cut a new release
  - it: should use enterprise image when enterprise is set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      enterprise: true
      teleportVersionOverride: 12.2.1
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1

  - it: should use OSS image when enterprise is not set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
      teleportVersionOverride: 12.2.1
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: public.ecr.aws/gravitational/teleport-distroless:12.2.1

  - it: should mount TLS certs when cert-manager is enabled
    template: proxy/deployment.yaml
    values:
      - ../.lint/gcp-ha-acme.yaml
      - ../.lint/initcontainers.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: "teleport-tls"
            readOnly: true
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: teleport-tls
      - contains:
          path: spec.template.spec.initContainers[1].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: "teleport-tls"
            readOnly: true
      - contains:
          path: spec.template.spec.initContainers[2].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: "teleport-tls"
            readOnly: true

  - it: should mount ConfigMap containing Teleport config
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport
            name: "config"
            readOnly: true
      - contains:
          path: spec.template.spec.volumes
          content:
            name: config
            configMap:
              name: RELEASE-NAME-proxy

  - it: should mount extraVolumes and extraVolumeMounts on container and initContainers
    template: proxy/deployment.yaml
    values:
      - ../.lint/volumes.yaml
      - ../.lint/initcontainers.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /path/to/mount
            name: my-mount
      - contains:
          path: spec.template.spec.initContainers[1].volumeMounts
          content:
            mountPath: /path/to/mount
            name: my-mount
      - contains:
          path: spec.template.spec.initContainers[2].volumeMounts
          content:
            mountPath: /path/to/mount
            name: my-mount
      - contains:
          path: spec.template.spec.volumes
          content:
            name: my-mount
            secret:
              secretName: mySecret

  - it: should set imagePullPolicy when set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      imagePullPolicy: Always
    asserts:
      - equal:
          path: spec.template.spec.containers[0].imagePullPolicy
          value: Always

  - it: should set environment when extraEnv set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/extra-env.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SOME_ENVIRONMENT_VARIABLE
            value: "some-value"

  - it: should set imagePullSecrets when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/imagepullsecrets.yaml
    asserts:
      - equal:
          path: spec.template.spec.imagePullSecrets[0].name
          value: myRegistryKeySecretName
      - matchSnapshot:
          path: spec.template.spec.imagePullSecrets

  - it: should provision initContainer correctly when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/initcontainers.yaml
      - ../.lint/resources.yaml
      - ../.lint/extra-env.yaml
    asserts:
      - contains:
          path: spec.template.spec.initContainers[1].args
          content: "echo test"
      - equal:
          path: spec.template.spec.initContainers[1].name
          value: "teleport-init"
      - equal:
          path: spec.template.spec.initContainers[1].image
          value: "alpine"
      - equal:
          path: spec.template.spec.initContainers[1].resources.limits.cpu
          value: 2
      - equal:
          path: spec.template.spec.initContainers[1].resources.limits.memory
          value: 4Gi
      - equal:
          path: spec.template.spec.initContainers[1].resources.requests.cpu
          value: 1
      - equal:
          path: spec.template.spec.initContainers[1].resources.requests.memory
          value: 2Gi
      - contains:
          path: spec.template.spec.initContainers[2].args
          content: "echo test2"
      - equal:
          path: spec.template.spec.initContainers[2].name
          value: "teleport-init2"
      - equal:
          path: spec.template.spec.initContainers[2].image
          value: "alpine"
      - equal:
          path: spec.template.spec.initContainers[2].resources.limits.cpu
          value: 2
      - equal:
          path: spec.template.spec.initContainers[2].resources.limits.memory
          value: 4Gi
      - equal:
          path: spec.template.spec.initContainers[2].resources.requests.cpu
          value: 1
      - equal:
          path: spec.template.spec.initContainers[2].resources.requests.memory
          value: 2Gi
      - matchSnapshot:
          path: spec.template.spec.initContainers

  - it: should add insecureSkipProxyTLSVerify to args when set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      insecureSkipProxyTLSVerify: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].args
          content: "--insecure"

  - it: should expose diag port
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: diag
            containerPort: 3000
            protocol: TCP

  - it: should expose tls port
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: tls
            containerPort: 3080
            protocol: TCP

  - it: should expose tls port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: tls
            containerPort: 3080
            protocol: TCP

  - it: should not expose proxy peering port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: proxypeering
            containerPort: 3021
            protocol: TCP

  - it: should expose proxy peering port when enterprise is true
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      enterprise: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: proxypeering
            containerPort: 3021
            protocol: TCP

  - it: should expose sshproxy port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshproxy
            containerPort: 3023
            protocol: TCP

  - it: should not expose sshproxy port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshproxy
            containerPort: 3023
            protocol: TCP

  - it: should expose sshtun port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshtun
            containerPort: 3024
            protocol: TCP

  - it: should not expose sshtun port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: sshtun
            containerPort: 3024
            protocol: TCP

  - it: should expose k8s port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: kube
            containerPort: 3026
            protocol: TCP

  - it: should not expose k8s port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: kube
            containerPort: 3026
            protocol: TCP

  - it: should expose mysql port by default
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mysql
            containerPort: 3036
            protocol: TCP

  - it: should not expose mysql port when proxyListenerMode is multiplex
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mysql
            containerPort: 3036
            protocol: TCP

  - it: should expose postgres port when separate postgres listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      separatePostgresListener: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: postgres
            containerPort: 5432
            protocol: TCP

  - it: should not expose postgres port when proxyListenerMode is multiplex and separate postgres listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
      separatePostgresListener: true
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: postgres
            containerPort: 5432
            protocol: TCP

  - it: should expose mongo port when separate mongo listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      separateMongoListener: true
    asserts:
      - contains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mongo
            containerPort: 27017
            protocol: TCP

  - it: should not expose mongo port when when proxyListenerMode is multiplex and separate mongo listener is enabled
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      proxyListenerMode: multiplex
      separateMongoListener: true
    asserts:
      - notContains:
          path: spec.template.spec.containers[0].ports
          content:
            name: mongo
            containerPort: 27017
            protocol: TCP

  - it: should set postStart command if set in values
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
      postStart:
        command: ["/bin/echo", "test"]
    asserts:
      - equal:
          path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
          value: ["/bin/echo", "test"]

  - it: should add and mount emptyDir for data
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint.example.com
    asserts:
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/lib/teleport
            name: data
      - contains:
          path: spec.template.spec.volumes
          content:
            name: data
            emptyDir: {}

  - it: should set priorityClassName when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/priority-class-name.yaml
    asserts:
      - equal:
          path: spec.template.spec.priorityClassName
          value: system-cluster-critical

  - it: should set probeTimeoutSeconds when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/probe-timeout-seconds.yaml
    asserts:
      - equal:
          path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
          value: 5
      - equal:
          path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
          value: 5

  - it: should not mount TLS secrets when when highAvailability.certManager.enabled is false and tls.existingSecretName is not set
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint-test-cluster
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: teleport-tls
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: teleport-tls
            readOnly: true

  - it: should mount cert-manager TLS secret when highAvailability.certManager.enabled is true
    template: proxy/deployment.yaml
    values:
      - ../.lint/cert-manager.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: teleport-tls
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: teleport-tls
            readOnly: true

  - it: should mount tls.existingSecretName when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/existing-tls-secret.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls
            secret:
              secretName: helm-lint-existing-tls-secret
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls
            name: teleport-tls
            readOnly: true

  - it: should mount tls.existingCASecretName and set environment when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/existing-tls-secret-with-ca.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls-ca
            secret:
              secretName: helm-lint-existing-tls-secret-ca
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls-ca
            name: teleport-tls-ca
            readOnly: true
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSL_CERT_FILE
            value: /etc/teleport-tls-ca/ca.pem

  - it: should mount tls.existingCASecretName and set extra environment when set in values
    template: proxy/deployment.yaml
    values:
      - ../.lint/existing-tls-secret-with-ca.yaml
      - ../.lint/extra-env.yaml
    asserts:
      - contains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls-ca
            secret:
              secretName: helm-lint-existing-tls-secret-ca
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /etc/teleport-tls-ca
            name: teleport-tls-ca
            readOnly: true
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSL_CERT_FILE
            value: /etc/teleport-tls-ca/ca.pem
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: SOME_ENVIRONMENT_VARIABLE
            value: some-value

  - it: should set minReadySeconds when replicaCount > 1
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
      highAvailability:
        certManager:
          enabled: true
        replicaCount: 3
        minReadySeconds: 60
    asserts:
      - equal:
          path: spec.minReadySeconds
          value: 60

  - it: should not set minReadySeconds when replicaCount = 1
    template: proxy/deployment.yaml
    set:
      chartMode: scratch
      highAvailability:
        minReadySeconds: 60
        replicaCount: 1
    asserts:
      - equal:
          path: spec.minReadySeconds
          value: null

  - it: should set nodeSelector when set in values
    template: proxy/deployment.yaml
    set:
      chartMode: scratch
      clusterName: helm-lint.example.com
      nodeSelector:
        role: bastion
        environment: security
    asserts:
      - isNotNull:
          path: spec.template.spec.nodeSelector
      - matchSnapshot:
          path: spec.template.spec

  - it: mounts regular tokens on older Kubernetes versions
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
    capabilities:
      majorVersion: 1
      minorVersion: 18
    asserts:
      - notEqual:
          path: spec.template.spec.automountServiceAccountToken
          value: false
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: proxy-serviceaccount-token
            projected:
              sources:
                - serviceAccountToken:
                    path: token
                - configMap:
                    items:
                      - key: ca.crt
                        path: ca.crt
                    name: kube-root-ca.crt
                - downwardAPI:
                    items:
                      - path: "namespace"
                        fieldRef:
                          fieldPath: metadata.namespace
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            name: proxy-serviceaccount-token
            readOnly: true

  - it: mounts tokens through projected volumes on newer Kubernetes versions
    template: proxy/deployment.yaml
    set:
      clusterName: helm-lint
    capabilities:
      majorVersion: 1
      minorVersion: 21
    asserts:
      - equal:
          path: spec.template.spec.automountServiceAccountToken
          value: false
      - contains:
          path: spec.template.spec.volumes
          content:
            name: proxy-serviceaccount-token
            projected:
              sources:
                - serviceAccountToken:
                    path: token
                - configMap:
                    items:
                      - key: ca.crt
                        path: ca.crt
                    name: kube-root-ca.crt
                - downwardAPI:
                    items:
                      - path: "namespace"
                        fieldRef:
                          fieldPath: metadata.namespace
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            name: proxy-serviceaccount-token
            readOnly: true