sa_8001/dsk-devops-toolchains
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c9e7552dece01dfa919f1f0fbdc3ef6e55f2b748
dsk-devops-toolchains/helm/teleport-cluster/tests/proxy_deployment_test.yaml
ByeonJungHun 7c1afcf6d7 Teleport Chart 업데이트
2024-01-22 12:12:36 +09:00

930 lines
28 KiB
YAML
Raw Blame History

suite: Proxy Deployment
templates:
- proxy/deployment.yaml
- proxy/config.yaml
tests:
- it: sets Deployment annotations when specified
template: proxy/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: metadata.annotations.kubernetes\.io/deployment
value: test-annotation
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- it: sets Pod annotations when specified
template: proxy/deployment.yaml
values:
- ../.lint/annotations.yaml
asserts:
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod
value: test-annotation
- equal:
path: spec.template.metadata.annotations.kubernetes\.io/pod-different
value: 4
- it: should not have more than one replica if no certificate is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- equal:
path: spec.replicas
value: 1
- it: should have multiple replicas by default when a certificate is passed through a secret
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
tls:
existingSecretName: my-certs
asserts:
- equal:
path: spec.replicas
value: 2
- it: should have multiple replicas by default when certManager is configured
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
certManager:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 2
- it: should have multiple replicas when global replicaCount is set and a certificate is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
certManager:
enabled: true
asserts:
- equal:
path: spec.replicas
value: 3
- it: should have a single replica when proxy-specific replicaCount is set to 1 and a cert is passed
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
certManager:
enabled: true
proxy:
highAvailability:
replicaCount: 1
asserts:
- equal:
path: spec.replicas
value: 1
- it: should set affinity when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
highAvailability:
replicaCount: 3
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
asserts:
- isNotNull:
path: spec.template.spec.affinity
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set required affinity when highAvailability.requireAntiAffinity is set
template: proxy/deployment.yaml
values:
- ../.lint/aws-ha-antiaffinity.yaml
asserts:
- isNotNull:
path: spec.template.spec.affinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity
- isNotNull:
path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution
- matchSnapshot:
path: spec.template.spec.affinity
- it: should set tolerations when set in values
template: proxy/deployment.yaml
values:
- ../.lint/tolerations.yaml
asserts:
- isNotNull:
path: spec.template.spec.tolerations
- matchSnapshot:
path: spec.template.spec.tolerations
- it: should set resources when set in values
template: proxy/deployment.yaml
values:
- ../.lint/resources.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.containers[0].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.containers[0].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.containers[0].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec
- it: should set securityContext when set in values
template: proxy/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.containers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext when is empty object (default value)
template: proxy/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.containers[0].securityContext
- it: should set securityContext for initContainers when set in values
template: proxy/deployment.yaml
values:
- ../.lint/security-context.yaml
asserts:
- equal:
path: spec.template.spec.initContainers[0].securityContext.allowPrivilegeEscalation
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.privileged
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.readOnlyRootFilesystem
value: false
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsGroup
value: 99
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsNonRoot
value: true
- equal:
path: spec.template.spec.initContainers[0].securityContext.runAsUser
value: 99
- matchSnapshot:
path: spec.template.spec
- it: should not set securityContext for initContainers when is empty object (default value)
template: proxy/deployment.yaml
values:
- ../.lint/security-context-empty.yaml
asserts:
- isNull:
path: spec.template.spec.initContainers[0].securityContext
# we can't use the dynamic chart version or appVersion as a variable in the tests,
# so we override it manually and check that gets set instead
# this saves us having to update the test every time we cut a new release
- it: should use enterprise image when enterprise is set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-ent-distroless:12.2.1
- it: should use OSS image when enterprise is not set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint
teleportVersionOverride: 12.2.1
asserts:
- equal:
path: spec.template.spec.containers[0].image
value: public.ecr.aws/gravitational/teleport-distroless:12.2.1
- it: should mount TLS certs when cert-manager is enabled
template: proxy/deployment.yaml
values:
- ../.lint/gcp-ha-acme.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- contains:
path: spec.template.spec.initContainers[2].volumeMounts
content:
mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
- it: should mount ConfigMap containing Teleport config
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport
name: "config"
readOnly: true
- contains:
path: spec.template.spec.volumes
content:
name: config
configMap:
name: RELEASE-NAME-proxy
- it: should mount extraVolumes and extraVolumeMounts on container and initContainers
template: proxy/deployment.yaml
values:
- ../.lint/volumes.yaml
- ../.lint/initcontainers.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[1].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.initContainers[2].volumeMounts
content:
mountPath: /path/to/mount
name: my-mount
- contains:
path: spec.template.spec.volumes
content:
name: my-mount
secret:
secretName: mySecret
- it: should set imagePullPolicy when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
imagePullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should have only one container when no `extraContainers` is set in values
template: proxy/deployment.yaml
set:
extraContainers: []
clusterName: helm-lint.example.com
asserts:
- isNotNull:
path: spec.template.spec.containers[0]
- isNull:
path: spec.template.spec.containers[1]
- it: should add one more container when `extraContainers` is set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-containers.yaml
asserts:
- equal:
path: spec.template.spec.containers[1]
value:
name: nscenter
command:
- /bin/bash
- -c
- sleep infinity & wait
image: praqma/network-multitool
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
runAsNonRoot: false
- it: should set environment when extraEnv set in values
template: proxy/deployment.yaml
values:
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: "some-value"
- it: should set imagePullSecrets when set in values
template: proxy/deployment.yaml
values:
- ../.lint/imagepullsecrets.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: myRegistryKeySecretName
- matchSnapshot:
path: spec.template.spec.imagePullSecrets
- it: should provision initContainer correctly when set in values
template: proxy/deployment.yaml
values:
- ../.lint/initcontainers.yaml
- ../.lint/resources.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.initContainers[1].args
content: "echo test"
- equal:
path: spec.template.spec.initContainers[1].name
value: "teleport-init"
- equal:
path: spec.template.spec.initContainers[1].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[1].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[1].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[1].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[1].resources.requests.memory
value: 2Gi
- contains:
path: spec.template.spec.initContainers[2].args
content: "echo test2"
- equal:
path: spec.template.spec.initContainers[2].name
value: "teleport-init2"
- equal:
path: spec.template.spec.initContainers[2].image
value: "alpine"
- equal:
path: spec.template.spec.initContainers[2].resources.limits.cpu
value: 2
- equal:
path: spec.template.spec.initContainers[2].resources.limits.memory
value: 4Gi
- equal:
path: spec.template.spec.initContainers[2].resources.requests.cpu
value: 1
- equal:
path: spec.template.spec.initContainers[2].resources.requests.memory
value: 2Gi
- matchSnapshot:
path: spec.template.spec.initContainers
- it: should add insecureSkipProxyTLSVerify to args when set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
insecureSkipProxyTLSVerify: true
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--insecure"
- it: should expose diag port
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: diag
containerPort: 3000
protocol: TCP
- it: should expose tls port
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: tls
containerPort: 3080
protocol: TCP
- it: should expose tls port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: tls
containerPort: 3080
protocol: TCP
- it: should not expose proxy peering port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: proxypeering
containerPort: 3021
protocol: TCP
- it: should expose proxy peering port when enterprise is true
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
enterprise: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: proxypeering
containerPort: 3021
protocol: TCP
- it: should expose sshproxy port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: sshproxy
containerPort: 3023
protocol: TCP
- it: should not expose sshproxy port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: sshproxy
containerPort: 3023
protocol: TCP
- it: should expose sshtun port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: sshtun
containerPort: 3024
protocol: TCP
- it: should not expose sshtun port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: sshtun
containerPort: 3024
protocol: TCP
- it: should expose k8s port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should not expose k8s port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: kube
containerPort: 3026
protocol: TCP
- it: should expose mysql port by default
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: mysql
containerPort: 3036
protocol: TCP
- it: should not expose mysql port when proxyListenerMode is multiplex
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: mysql
containerPort: 3036
protocol: TCP
- it: should expose postgres port when separate postgres listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
separatePostgresListener: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: postgres
containerPort: 5432
protocol: TCP
- it: should not expose postgres port when proxyListenerMode is multiplex and separate postgres listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
separatePostgresListener: true
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: postgres
containerPort: 5432
protocol: TCP
- it: should expose mongo port when separate mongo listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
separateMongoListener: true
asserts:
- contains:
path: spec.template.spec.containers[0].ports
content:
name: mongo
containerPort: 27017
protocol: TCP
- it: should not expose mongo port when when proxyListenerMode is multiplex and separate mongo listener is enabled
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
proxyListenerMode: multiplex
separateMongoListener: true
asserts:
- notContains:
path: spec.template.spec.containers[0].ports
content:
name: mongo
containerPort: 27017
protocol: TCP
- it: should set postStart command if set in values
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
postStart:
command: ["/bin/echo", "test"]
asserts:
- equal:
path: spec.template.spec.containers[0].lifecycle.postStart.exec.command
value: ["/bin/echo", "test"]
- it: should add and mount emptyDir for data
template: proxy/deployment.yaml
set:
clusterName: helm-lint.example.com
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/lib/teleport
name: data
- contains:
path: spec.template.spec.volumes
content:
name: data
emptyDir: {}
- it: should set priorityClassName when set in values
template: proxy/deployment.yaml
values:
- ../.lint/priority-class-name.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: system-cluster-critical
- it: should set probeTimeoutSeconds when set in values
template: proxy/deployment.yaml
values:
- ../.lint/probe-timeout-seconds.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 5
- equal:
path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
value: 5
- it: should not mount TLS secrets when when highAvailability.certManager.enabled is false and tls.existingSecretName is not set
template: proxy/deployment.yaml
set:
clusterName: helm-lint-test-cluster
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount cert-manager TLS secret when highAvailability.certManager.enabled is true
template: proxy/deployment.yaml
values:
- ../.lint/cert-manager.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: teleport-tls
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount tls.existingSecretName when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls
secret:
secretName: helm-lint-existing-tls-secret
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls
name: teleport-tls
readOnly: true
- it: should mount tls.existingCASecretName and set environment when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: proxy/deployment.yaml
values:
- ../.lint/existing-tls-secret-with-ca.yaml
- ../.lint/extra-env.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: teleport-tls-ca
secret:
secretName: helm-lint-existing-tls-secret-ca
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
value: /etc/teleport-tls-ca/ca.pem
- contains:
path: spec.template.spec.containers[0].env
content:
name: SOME_ENVIRONMENT_VARIABLE
value: some-value
- it: should set minReadySeconds when replicaCount > 1
template: proxy/deployment.yaml
set:
clusterName: helm-lint
highAvailability:
certManager:
enabled: true
replicaCount: 3
minReadySeconds: 60
asserts:
- equal:
path: spec.minReadySeconds
value: 60
- it: should not set minReadySeconds when replicaCount = 1
template: proxy/deployment.yaml
set:
chartMode: scratch
highAvailability:
minReadySeconds: 60
replicaCount: 1
asserts:
- equal:
path: spec.minReadySeconds
value: null
- it: should set nodeSelector when set in values
template: proxy/deployment.yaml
set:
chartMode: scratch
clusterName: helm-lint.example.com
nodeSelector:
role: bastion
environment: security
asserts:
- isNotNull:
path: spec.template.spec.nodeSelector
- matchSnapshot:
path: spec.template.spec
- it: mounts regular tokens on older Kubernetes versions
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 18
asserts:
- notEqual:
path: spec.template.spec.automountServiceAccountToken
value: false
- notContains:
path: spec.template.spec.volumes
content:
name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
- it: mounts tokens through projected volumes on newer Kubernetes versions
template: proxy/deployment.yaml
set:
clusterName: helm-lint
capabilities:
majorVersion: 1
minorVersion: 21
asserts:
- equal:
path: spec.template.spec.automountServiceAccountToken
value: false
- contains:
path: spec.template.spec.volumes
content:
name: proxy-serviceaccount-token
projected:
sources:
- serviceAccountToken:
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: proxy-serviceaccount-token
readOnly: true
Reference in New Issue View Git Blame Copy Permalink