From 19bd8d9923283314ab800b7dd5459dc43bd202f2 Mon Sep 17 00:00:00 2001
From: Phil Gebhardt
Date: Tue, 10 Feb 2026 11:30:28 -0800
Subject: [PATCH] chao: ensure volumeMounts key present when tls identity supplied

without this, it's possible to get an invalid yaml document when `ssl.certDir` is not supplied, but values under `chao.tls.identity` are supplied. It's not yet clear to me why the unit tests don't catch this.
---
gremlin/Chart.yaml | 2 +-
gremlin/templates/chao-deployment.yaml | 2 +-
gremlin/tests/chao_deployment_auth_test.yaml | 85 ++++
...aml => chao_deployment_certauth_test.yaml} | 79 +---
.../chao_deployment_secretauth_test.yaml | 303 ++++++++++++++
gremlin/tests/daemonset_auth_test.yaml | 111 +++++
...test.yaml => daemonset_certauth_test.yaml} | 106 +----
gremlin/tests/daemonset_secretauth_test.yaml | 383 ++++++++++++++++++
gremlin/tests/values-certauth-test.yaml | 30 ++
gremlin/tests/values-secretauth-test.yaml | 7 +
10 files changed, 929 insertions(+), 179 deletions(-)
create mode 100644 gremlin/tests/chao_deployment_auth_test.yaml
rename gremlin/tests/{chao_deployment_test.yaml => chao_deployment_certauth_test.yaml} (80%)
create mode 100644 gremlin/tests/chao_deployment_secretauth_test.yaml
create mode 100644 gremlin/tests/daemonset_auth_test.yaml
rename gremlin/tests/{daemonset_test.yaml => daemonset_certauth_test.yaml} (80%)
create mode 100644 gremlin/tests/daemonset_secretauth_test.yaml
create mode 100644 gremlin/tests/values-certauth-test.yaml
create mode 100644 gremlin/tests/values-secretauth-test.yaml
diff --git a/gremlin/Chart.yaml b/gremlin/Chart.yaml
index ffb7478..9fc398b 100644
--- a/gremlin/Chart.yaml
+++ b/gremlin/Chart.yaml
@@ -1,5 +1,5 @@
 name: gremlin
-version: 0.25.0
+version: 0.25.1
 description: The Gremlin Inc client application
 apiVersion: v1
 home: https://www.gremlin.com
diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml
index 58ec101..994b3ec 100644
--- a/gremlin/templates/chao-deployment.yaml
+++ b/gremlin/templates/chao-deployment.yaml
@@ -129,7 +129,7 @@ spec:
 {{- end }}
 imagePullPolicy: {{ .Values.chaoimage.pullPolicy }}
 name: chao
-{{- if (or ((eq (include "gremlin.secretType" .) "certificate")) .Values.ssl.certFile) }}
+{{- if (or ((eq (include "gremlin.secretType" .) "certificate")) .Values.ssl.certFile (include "chaoTlsIdentityVolumeMounts" .)) }}
 volumeMounts:
 {{- end }}
 {{- if (eq (include "gremlin.secretType" .) "certificate") }}
diff --git a/gremlin/tests/chao_deployment_auth_test.yaml b/gremlin/tests/chao_deployment_auth_test.yaml
new file mode 100644
index 0000000..8ef7b3e
--- /dev/null
+++ b/gremlin/tests/chao_deployment_auth_test.yaml
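Review bot: The new `or` operand is the raw string returned by `include "chaoTlsIdentityVolumeMounts" .`, and Go templates treat any non-empty string as true, so if that helper emits even a newline when no identity source is configured (its definition is outside this diff, so I cannot confirm) the `volumeMounts:` key is rendered with nothing beneath it; `(trim (include "chaoTlsIdentityVolumeMounts" .))` would make the check depend on actual content rather than on the helper's whitespace discipline. On the open question in the commit message: the new chao_deployment_auth_test.yaml suite carries no `values:` entry and, with no `set:`, still expects `volumes[0].secret.secretName` to be `gremlin-team-cert`, which indicates the chart default already resolves `gremlin.secretType` to `certificate`; under that default the key is always emitted, so the missing-key case was never rendered by the old suites, and the new secretauth suites presumably exercise it through `values-secretauth-test.yaml`, which is not in view. The message also names `ssl.certDir` while the condition reads `.Values.ssl.certFile`; worth aligning. A one-line template comment above the `if`, such as `{{/* volumeMounts must be present whenever any of the mount sources below renders */}}`, would explain why the helper is evaluated here as well as where the mounts themselves are emitted.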
@@ -0,0 +1,85 @@
+suite: Test Chao deployment auth
+templates:
+ - chao-deployment.yaml
+release:
+ name: my-release
+ namespace: my-namespace
+ revision: 1
+ upgrade: true
+
+tests:
+ - it: should specify a team ID in the environment when not managed by a secret
+ set:
+ gremlin.secret.managed: false
+ gremlin.teamID: "01719721-1be8-4315-b197-211be83315a4"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[0].name
+ value: "GREMLIN_TEAM_ID"
+ - equal:
+ path: spec.template.spec.containers[0].env[0].value
+ value: "01719721-1be8-4315-b197-211be83315a4"
+ - it: should populate the team ID from the managed secret when managed secret is set
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.teamID: "01719721-1be8-4315-b197-211be83315a4"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[0].name
+ value: "GREMLIN_TEAM_ID"
+ - equal:
+ path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
+ value: "gremlin-secret"
+ - it: should specify a cluster ID in the environment when not managed by a secret
+ set:
+ gremlin.secret.managed: false
+ gremlin.clusterID: "my-cluster"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[1].name
+ value: "GREMLIN_CLUSTER_ID"
+ - equal:
+ path: spec.template.spec.containers[0].env[1].value
+ value: "my-cluster"
+ - it: should populate the cluster ID from the managed secret when managed secret is set
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.clusterID: "my-cluster"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[1].name
+ value: "GREMLIN_CLUSTER_ID"
+ - equal:
+ path: spec.template.spec.containers[0].env[1].valueFrom.secretKeyRef.name
+ value: "gremlin-secret"
+ - it: should set GREMLIN_TEAM_SECRET when secret type is set to secret and secret is managed
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.type: secret
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[2].name
+ value: "GREMLIN_TEAM_SECRET"
+ - equal:
+ path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name
+ value: "gremlin-secret"
+ - it: should set the secret name to gremlin-team-cert when not managed and no custom secret name is set
+ asserts:
+ - equal:
+ path: spec.template.spec.volumes[0].secret.secretName
+ value: "gremlin-team-cert"
+ - it: should set the secret name to the gremlin-secret when managed and no custom secret name is set
+ set:
+ gremlin.secret.managed: true
+ asserts:
+ - equal:
+ path: spec.template.spec.volumes[0].secret.secretName
+ value: "gremlin-secret"
+ - it: should set the secret name to the custom secret name when set
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.name: "my-custom-secret"
+ asserts:
+ - equal:
+ path: spec.template.spec.volumes[0].secret.secretName
+ value: "my-custom-secret"
diff --git a/gremlin/tests/chao_deployment_test.yaml b/gremlin/tests/chao_deployment_certauth_test.yaml
similarity index 80%
rename from gremlin/tests/chao_deployment_test.yaml
rename to gremlin/tests/chao_deployment_certauth_test.yaml
index a8b8e55..b006fd4 100644
--- a/gremlin/tests/chao_deployment_test.yaml
+++ b/gremlin/tests/chao_deployment_certauth_test.yaml
@@ -6,6 +6,10 @@ release:
 namespace: my-namespace
 revision: 1
 upgrade: true
+
+values:
+ - values-certauth-test.yaml
+
 tests:
 - it: should create a deployment
 set:
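Review bot: The env assertions in this suite pin positional indexes (`env[0]`, `env[1]`, `env[2]`), so any reordering of the container's env block in chao-deployment.yaml fails the suite even when every value is still correct, while the sibling daemonset_auth_test.yaml added in this same commit asserts the same facts with `contains` on `spec.template.spec.containers[0].env` and a full `content:` entry. Using that form here, e.g. `- contains:` / `path: spec.template.spec.containers[0].env` / `content: {name: GREMLIN_TEAM_ID, value: "01719721-1be8-4315-b197-211be83315a4"}`, keeps the two auth suites consistent and order-independent. This suite also carries no `values:` entry, unlike the certauth and secretauth suites in the commit; a comment under `templates:` such as `# runs against chart defaults; managed/unmanaged secret cases are set per test` would make that choice visible to the next reader.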
@@ -34,61 +38,6 @@ tests: - equal: path: spec.template.spec.imagePullSecrets[0].name value: "my-pull-secret" - - it: should specify a team ID in the environment when not managed by a secret - set: - gremlin.secret.managed: false - gremlin.teamID: "01719721-1be8-4315-b197-211be83315a4" - asserts: - - equal: - path: spec.template.spec.containers[0].env[0].name - value: "GREMLIN_TEAM_ID" - - equal: - path: spec.template.spec.containers[0].env[0].value - value: "01719721-1be8-4315-b197-211be83315a4" - - it: should populate the team ID from the managed secret when managed secret is set - set: - gremlin.secret.managed: true - gremlin.secret.teamID: "01719721-1be8-4315-b197-211be83315a4" - asserts: - - equal: - path: spec.template.spec.containers[0].env[0].name - value: "GREMLIN_TEAM_ID" - - equal: - path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name - value: "gremlin-secret" - - it: should specify a cluster ID in the environment when not managed by a secret - set: - gremlin.secret.managed: false - gremlin.clusterID: "my-cluster" - asserts: - - equal: - path: spec.template.spec.containers[0].env[1].name - value: "GREMLIN_CLUSTER_ID" - - equal: - path: spec.template.spec.containers[0].env[1].value - value: "my-cluster" - - it: should populate the cluster ID from the managed secret when managed secret is set - set: - gremlin.secret.managed: true - gremlin.secret.clusterID: "my-cluster" - asserts: - - equal: - path: spec.template.spec.containers[0].env[1].name - value: "GREMLIN_CLUSTER_ID" - - equal: - path: spec.template.spec.containers[0].env[1].valueFrom.secretKeyRef.name - value: "gremlin-secret" - - it: should set GREMLIN_TEAM_SECRET when secret type is set to secret and secret is managed - set: - gremlin.secret.managed: true - gremlin.secret.type: secret - asserts: - - equal: - path: spec.template.spec.containers[0].env[2].name - value: "GREMLIN_TEAM_SECRET" - - equal: - path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name - 
value: "gremlin-secret" - it: should mount the gremlin-team-cert volume when a certificate is used and secret is not managed set: gremlin.secret.managed: false @@ -143,26 +92,6 @@ tests: name: gremlin-cert secret: secretName: gremlin-secret - - it: should set the secret name to gremlin-team-cert when not managed and no custom secret name is set - asserts: - - equal: - path: spec.template.spec.volumes[0].secret.secretName - value: "gremlin-team-cert" - - it: should set the secret name to the gremlin-secret when managed and no custom secret name is set - set: - gremlin.secret.managed: true - asserts: - - equal: - path: spec.template.spec.volumes[0].secret.secretName - value: "gremlin-secret" - - it: should set the secret name to the custom secret name when set - set: - gremlin.secret.managed: true - gremlin.secret.name: "my-custom-secret" - asserts: - - equal: - path: spec.template.spec.volumes[0].secret.secretName - value: "my-custom-secret" # chao.tls.identity tests diff --git a/gremlin/tests/chao_deployment_secretauth_test.yaml b/gremlin/tests/chao_deployment_secretauth_test.yaml new file mode 100644 index 0000000..8bb1df8 --- /dev/null +++ b/gremlin/tests/chao_deployment_secretauth_test.yaml 
@@ -0,0 +1,303 @@ +suite: Test Chao deployment +templates: + - chao-deployment.yaml +release: + name: my-release + namespace: my-namespace + revision: 1 + upgrade: true + +values: + - values-secretauth-test.yaml + +tests: + - it: should create a deployment + set: + chao.create: true + asserts: + - isKind: + of: Deployment + - equal: + path: metadata.name + value: chao + - equal: + path: metadata.namespace + value: my-namespace + - it: should allow specifying a custom registry and tag + set: + chaoimage.tag: "0.0.1" + chaoimage.repository: "docker.io/my/custom/repository" + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: "docker.io/my/custom/repository:0.0.1" + - it: should allow specifying a custom pull secret + set: + chaoimage.pullSecret: "my-pull-secret" + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: "my-pull-secret" + - it: should mount the gremlin-team-cert volume when a certificate is used and secret is not managed + set: + gremlin.secret.managed: false + gremlin.secret.type: certificate + asserts: + - equal: + path: spec.template.spec.containers[0].args + value: + - -api_url + - https://api.gremlin.com/v1/kubernetes + - -cert_path + - /var/lib/gremlin/cert/gremlin.cert + - -key_path + - /var/lib/gremlin/cert/gremlin.key + - equal: + path: spec.template.spec.containers[0].volumeMounts[0] + value: + name: gremlin-cert + mountPath: /var/lib/gremlin/cert + readOnly: true + - equal: + path: spec.template.spec.volumes[0] + value: + name: gremlin-cert + secret: + secretName: gremlin-team-cert + - it: should mount the certificate volumes when the secret is managed and a certificate is specified + set: + gremlin.secret.managed: true + gremlin.secret.type: certificate + gremlin.secret.certificate: "-----BEGIN CERTIFICATE-----\ndummy-cert\n-----END CERTIFICATE-----" + gremlin.secret.key: "-----BEGIN PRIVATE KEY-----\ndummy-key\n-----END PRIVATE KEY-----" + asserts: + - equal: + path: 
spec.template.spec.containers[0].args + value: + - -api_url + - https://api.gremlin.com/v1/kubernetes + - -cert_path + - /var/lib/gremlin/cert/gremlin.cert + - -key_path + - /var/lib/gremlin/cert/gremlin.key + - equal: + path: spec.template.spec.containers[0].volumeMounts[0] + value: + name: gremlin-cert + mountPath: /var/lib/gremlin/cert + readOnly: true + - equal: + path: spec.template.spec.volumes[0] + value: + name: gremlin-cert + secret: + secretName: gremlin-secret + + # chao.tls.identity tests + + - it: should not include TLS identity args when tls identity is not enabled + set: + chao.create: true + asserts: + - notContains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_cert" + + - it: should set TLS identity args to ARN values when remoteSecret is configured + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert" + chao.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key" + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_cert" + - contains: + path: spec.template.spec.containers[0].args + content: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert" + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_key" + - contains: + path: spec.template.spec.containers[0].args + content: "arn:aws:secretsmanager:us-east-1:123456789:secret:key" + + - it: should not mount TLS identity volumes when remoteSecret is configured + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert" + chao.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key" + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: chao-tls-identity + any: true + + - it: should set TLS identity args to file paths 
when createSecret is configured + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.createSecret.name: chao-tls-identity + chao.tls.identity.createSecret.cert: | + -----BEGIN CERTIFICATE----- + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 11111111111111111111111111111111111111111111111111== + -----END CERTIFICATE----- + chao.tls.identity.createSecret.key: + -----BEGIN PRIVATE KEY----- + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 11111111111111111111111111111111111111111111111111== + -----END PRIVATE KEY----- + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_cert" + - contains: + path: spec.template.spec.containers[0].args + content: "/var/lib/gremlin/tls/identity/cert" + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_key" + - contains: + path: 
spec.template.spec.containers[0].args + content: "/var/lib/gremlin/tls/identity/key" + + - it: should mount TLS identity volume when createSecret is configured + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.createSecret.name: chao-tls-identity + chao.tls.identity.createSecret.cert: | + -----BEGIN CERTIFICATE----- + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 11111111111111111111111111111111111111111111111111== + -----END CERTIFICATE----- + chao.tls.identity.createSecret.key: + -----BEGIN PRIVATE KEY----- + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 1111111111111111111111111111111111111111111111111111111111111111 + 11111111111111111111111111111111111111111111111111== + -----END PRIVATE KEY----- + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: chao-tls-identity + mountPath: /var/lib/gremlin/tls/identity + readOnly: true + - contains: + path: 
spec.template.spec.volumes + content: + name: chao-tls-identity + secret: + secretName: chao-tls-identity + + - it: should set TLS identity args to file paths when existingSecret is configured + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.existingSecret.name: my-existing-secret + chao.tls.identity.existingSecret.cert: tls.crt + chao.tls.identity.existingSecret.key: tls.key + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_cert" + - contains: + path: spec.template.spec.containers[0].args + content: "/var/lib/gremlin/tls/identity/tls.crt" + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_key" + - contains: + path: spec.template.spec.containers[0].args + content: "/var/lib/gremlin/tls/identity/tls.key" + + - it: should set TLS identity args to file paths when existingSecret is customized + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.existingSecret.name: my-existing-secret + chao.tls.identity.existingSecret.cert: custom.crt + chao.tls.identity.existingSecret.key: custom.key + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_cert" + - contains: + path: spec.template.spec.containers[0].args + content: "/var/lib/gremlin/tls/identity/custom.crt" + - contains: + path: spec.template.spec.containers[0].args + content: "-tls_identity_key" + - contains: + path: spec.template.spec.containers[0].args + content: "/var/lib/gremlin/tls/identity/custom.key" + + - it: should mount TLS identity volume from existingSecret when configured + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.existingSecret.name: my-existing-secret + chao.tls.identity.existingSecret.cert: tls.crt + chao.tls.identity.existingSecret.key: tls.key + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: chao-tls-identity + mountPath: 
/var/lib/gremlin/tls/identity + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: chao-tls-identity + secret: + secretName: my-existing-secret + + - it: should fail when multiple TLS identity strategies are configured for chao + set: + chao.create: true + chao.tls.identity.enabled: true + chao.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert" + chao.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key" + chao.tls.identity.createSecret.name: chao-tls-identity + chao.tls.identity.createSecret.cert: "dummy-cert" + chao.tls.identity.createSecret.key: "dummy-key" + asserts: + - failedTemplate: + errorMessage: "chao.tls.identity: only one of remoteSecret, createSecret, or existingSecret should be fully configured" diff --git a/gremlin/tests/daemonset_auth_test.yaml b/gremlin/tests/daemonset_auth_test.yaml new file mode 100644 index 0000000..a946b7f --- /dev/null +++ b/gremlin/tests/daemonset_auth_test.yaml 
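Review bot: In both createSecret tests, `chao.tls.identity.createSecret.key:` appears to have no `|` indicator while `createSecret.cert: |` directly above it does, so YAML reads the key as a multi-line plain scalar and folds the PEM lines into one space-joined string before the template ever sees it. The assertions only check args and mounts, so the suite still passes, but the fixture no longer resembles what a user would supply; adding the indicator (`chao.tls.identity.createSecret.key: |`) in both tests keeps the two fixtures symmetric. The `suite:` name here, `Test Chao deployment`, also looks likely to collide with the renamed certauth suite (its header line is outside this diff), which makes helm-unittest output harder to read; `suite: Test Chao deployment (secret auth)` would disambiguate.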
@@ -0,0 +1,111 @@
+suite: Test daemonset auth
+templates:
+ - daemonset.yaml
+release:
+ name: my-release
+ namespace: my-namespace
+ revision: 1
+ upgrade: true
+tests:
+ - it: should specify a team ID in the environment when not managed by a secret
+ set:
+ gremlin.secret.managed: false
+ gremlin.teamID: 01719721-1be8-4315-b197-211be83315a4
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TEAM_ID
+ value: 01719721-1be8-4315-b197-211be83315a4
+ - it: should populate the team ID from the managed secret when managed secret is set
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.teamID: 01719721-1be8-4315-b197-211be83315a4
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TEAM_ID
+ valueFrom:
+ secretKeyRef:
+ key: GREMLIN_TEAM_ID
+ name: gremlin-secret
+ - it: should set GREMLIN_TEAM_SECRET when secret type is set to secret and secret is managed
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.type: secret
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TEAM_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: GREMLIN_TEAM_SECRET
+ name: gremlin-secret
+ - it: should mount the gremlin-team-cert volume when a certificate is used and secret is not managed
+ set:
+ gremlin.secret.managed: false
+ gremlin.secret.type: certificate
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: gremlin-cert
+ mountPath: /var/lib/gremlin/cert
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-cert
+ secret:
+ secretName: gremlin-team-cert
+ - it: should mount the certificate volumes when the secret is managed and a certificate is specified
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.type: certificate
+ gremlin.secret.certificate: "-----BEGIN CERTIFICATE-----\ndummy-cert\n-----END CERTIFICATE-----"
+ gremlin.secret.key: "-----BEGIN PRIVATE KEY-----\ndummy-key\n-----END PRIVATE KEY-----"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: gremlin-cert
+ mountPath: /var/lib/gremlin/cert
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-cert
+ secret:
+ secretName: gremlin-secret
+ - it: should set the secret name to gremlin-team-cert when not managed and no custom secret name is set
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-cert
+ secret:
+ secretName: gremlin-team-cert
+ - it: should set the secret name to the gremlin-secret when managed and no custom secret name is set
+ set:
+ gremlin.secret.managed: true
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-cert
+ secret:
+ secretName: gremlin-secret
+ - it: should set the secret name to the custom secret name when set
+ set:
+ gremlin.secret.managed: true
+ gremlin.secret.name: "my-custom-secret"
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-cert
+ secret:
+ secretName: my-custom-secret
+
diff --git a/gremlin/tests/daemonset_test.yaml b/gremlin/tests/daemonset_certauth_test.yaml
similarity index 80%
rename from gremlin/tests/daemonset_test.yaml
rename to gremlin/tests/daemonset_certauth_test.yaml
index 57b47e6..c5b87bb 100644
--- a/gremlin/tests/daemonset_test.yaml
+++ b/gremlin/tests/daemonset_certauth_test.yaml
@@ -6,6 +6,10 @@ release:
 namespace: my-namespace
 revision: 1
 upgrade: true
+
+values:
+ - values-certauth-test.yaml
+
 tests:
 - it: should create a daemonset
 asserts:
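Review bot: The file ends with an added empty line after the last `secretName: my-custom-secret` assertion (the lone `+` before the next file header; the hunk's 111-line count confirms it), which yamllint's default `empty-lines` rule (`max-end: 0`) reports, and the chao_deployment_auth_test.yaml suite in the same commit ends cleanly without it. The team ID fixture is also unquoted here (`gremlin.teamID: 01719721-1be8-4315-b197-211be83315a4`) while the chao suite quotes the same value; the letters make it parse as a string either way, but quoting digit-leading identifiers in `set:` blocks is the safer habit and keeps the two suites consistent. A blank line between `upgrade: true` and `tests:` would likewise match the layout the other three suites in this commit use.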
@@ -33,108 +37,6 @@ tests: path: spec.template.spec.imagePullSecrets value: - name: my-pull-secret - - it: should specify a team ID in the environment when not managed by a secret - set: - gremlin.secret.managed: false - gremlin.teamID: 01719721-1be8-4315-b197-211be83315a4 - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: GREMLIN_TEAM_ID - value: 01719721-1be8-4315-b197-211be83315a4 - - it: should populate the team ID from the managed secret when managed secret is set - set: - gremlin.secret.managed: true - gremlin.secret.teamID: 01719721-1be8-4315-b197-211be83315a4 - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: GREMLIN_TEAM_ID - valueFrom: - secretKeyRef: - key: GREMLIN_TEAM_ID - name: gremlin-secret - - it: should set GREMLIN_TEAM_SECRET when secret type is set to secret and secret is managed - set: - gremlin.secret.managed: true - gremlin.secret.type: secret - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: GREMLIN_TEAM_SECRET - valueFrom: - secretKeyRef: - key: GREMLIN_TEAM_SECRET - name: gremlin-secret - - it: should mount the gremlin-team-cert volume when a certificate is used and secret is not managed - set: - gremlin.secret.managed: false - gremlin.secret.type: certificate - asserts: - - contains: - path: spec.template.spec.containers[0].volumeMounts - content: - name: gremlin-cert - mountPath: /var/lib/gremlin/cert - readOnly: true - - contains: - path: spec.template.spec.volumes - content: - name: gremlin-cert - secret: - secretName: gremlin-team-cert - - it: should mount the certificate volumes when the secret is managed and a certificate is specified - set: - gremlin.secret.managed: true - gremlin.secret.type: certificate - gremlin.secret.certificate: "-----BEGIN CERTIFICATE-----\ndummy-cert\n-----END CERTIFICATE-----" - gremlin.secret.key: "-----BEGIN PRIVATE KEY-----\ndummy-key\n-----END PRIVATE KEY-----" - asserts: - - contains: - 
path: spec.template.spec.containers[0].volumeMounts - content: - name: gremlin-cert - mountPath: /var/lib/gremlin/cert - readOnly: true - - contains: - path: spec.template.spec.volumes - content: - name: gremlin-cert - secret: - secretName: gremlin-secret - - it: should set the secret name to gremlin-team-cert when not managed and no custom secret name is set - asserts: - - contains: - path: spec.template.spec.volumes - content: - name: gremlin-cert - secret: - secretName: gremlin-team-cert - - it: should set the secret name to the gremlin-secret when managed and no custom secret name is set - set: - gremlin.secret.managed: true - asserts: - - contains: - path: spec.template.spec.volumes - content: - name: gremlin-cert - secret: - secretName: gremlin-secret - - it: should set the secret name to the custom secret name when set - set: - gremlin.secret.managed: true - gremlin.secret.name: "my-custom-secret" - asserts: - - contains: - path: spec.template.spec.volumes - content: - name: gremlin-cert - secret: - secretName: my-custom-secret - - it: should mount all container sockets when driver is `any` set: gremlin.container.driver: any diff --git a/gremlin/tests/daemonset_secretauth_test.yaml b/gremlin/tests/daemonset_secretauth_test.yaml new file mode 100644 index 0000000..4e96a96 --- /dev/null +++ b/gremlin/tests/daemonset_secretauth_test.yaml 
@@ -0,0 +1,383 @@
+suite: Test daemonset
+templates:
+ - daemonset.yaml
+release:
+ name: my-release
+ namespace: my-namespace
+ revision: 1
+ upgrade: true
+
+values:
+ - values-secretauth-test.yaml
+
+tests:
+ - it: should create a daemonset
+ asserts:
+ - isKind:
+ of: DaemonSet
+ - equal:
+ path: metadata.name
+ value: my-release-gremlin
+ - equal:
+ path: metadata.namespace
+ value: my-namespace
+ - it: should allow specifying a custom registry and tag
+ set:
+ image.tag: "0.0.1"
+ image.repository: docker.io/my/custom/repository
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: docker.io/my/custom/repository:0.0.1
+ - it: should allow specifying a custom pull secret
+ set:
+ image.pullSecret: "my-pull-secret"
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets
+ value:
+ - name: my-pull-secret
+ - it: should mount all container sockets when driver is `any`
+ set:
+ gremlin.container.driver: any
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: crio-sock
+ hostPath:
+ path: /run/crio/crio.sock
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: containerd-sock
+ hostPath:
+ path: /run/containerd/containerd.sock
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: docker-sock
+ hostPath:
+ path: /var/run/docker.sock
+
+ - it: should mount all container sockets when driver is `linux`
+ set:
+ gremlin.container.driver: linux
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: crio-sock
+ hostPath:
+ path: /run/crio/crio.sock
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: containerd-sock
+ hostPath:
+ path: /run/containerd/containerd.sock
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: docker-sock
+ hostPath:
+ path: /var/run/docker.sock
+
+ - it: should mount containerd sockets when driver is `containerd-linux`
+ set:
+ gremlin.container.driver: containerd-linux
+ asserts:
+ - contains:
+ path: 
spec.template.spec.volumes
+ content:
+ name: containerd-sock
+ hostPath:
+ path: /run/containerd/containerd.sock
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: crio-sock
+ hostPath:
+ path: /run/crio/crio.sock
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: docker-sock
+ hostPath:
+ path: /var/run/docker.sock
+
+ - it: should mount containerd sockets when driver is `crio-linux`
+ set:
+ gremlin.container.driver: crio-linux
+ asserts:
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: containerd-sock
+ hostPath:
+ path: /run/containerd/containerd.sock
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: crio-sock
+ hostPath:
+ path: /run/crio/crio.sock
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: docker-sock
+ hostPath:
+ path: /var/run/docker.sock
+
+ - it: should mount containerd sockets when driver is `docker-linux`
+ set:
+ gremlin.container.driver: docker-linux
+ asserts:
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: containerd-sock
+ hostPath:
+ path: /run/containerd/containerd.sock
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: crio-sock
+ hostPath:
+ path: /run/crio/crio.sock
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: docker-sock
+ hostPath:
+ path: /var/run/docker.sock
+ - it: should not explicitly set environment variables by default
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_PUSH_POD_CIDR_TAGS
+ value: "false"
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_PUSH_ZONE_CIDR_TAGS
+ value: "false"
+ - it: should explicitly set environment variables when features.pushCIDRTags.enabled=false
+ set:
+ gremlin.features.pushCIDRTags.enabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_PUSH_POD_CIDR_TAGS
+ value: "false"
+ - 
contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_PUSH_ZONE_CIDR_TAGS
+ value: "false"
+
+ # gremlin.tls.identity tests
+
+ - it: should not include TLS identity env vars when tls identity is not enabled
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+ any: true
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+ any: true
+
+ - it: should set TLS identity env vars to ARN values when remoteSecret is configured
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+ gremlin.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+ value: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+ value: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+
+ - it: should not mount TLS identity volumes when remoteSecret is configured
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+ gremlin.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: gremlin-tls-identity
+ mountPath: /var/lib/gremlin/tls/identity
+ readOnly: true
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-tls-identity
+ any: true
+
+ - it: should set TLS identity env vars to file paths when createSecret is configured
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.createSecret.name: gremlin-tls-identity
+ 
gremlin.tls.identity.createSecret.cert: |
+ -----BEGIN CERTIFICATE-----
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 11111111111111111111111111111111111111111111111111==
+ -----END CERTIFICATE-----
+ gremlin.tls.identity.createSecret.key:
+ -----BEGIN PRIVATE KEY-----
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 11111111111111111111111111111111111111111111111111==
+ -----END PRIVATE KEY-----
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+ value: /var/lib/gremlin/tls/identity/cert
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+ value: /var/lib/gremlin/tls/identity/key
+
+ - it: should mount TLS identity volume when createSecret is configured
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.createSecret.name: 
gremlin-tls-identity
+ gremlin.tls.identity.createSecret.cert: |
+ -----BEGIN CERTIFICATE-----
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 11111111111111111111111111111111111111111111111111==
+ -----END CERTIFICATE-----
+ gremlin.tls.identity.createSecret.key:
+ -----BEGIN PRIVATE KEY-----
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 11111111111111111111111111111111111111111111111111==
+ -----END PRIVATE KEY-----
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: gremlin-tls-identity
+ mountPath: /var/lib/gremlin/tls/identity
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-tls-identity
+ secret:
+ secretName: gremlin-tls-identity
+
+ - it: should set TLS identity env vars to file paths when existingSecret is configured
+ set:
+ gremlin.tls.identity.enabled: true
+ 
gremlin.tls.identity.existingSecret.name: my-existing-secret
+ gremlin.tls.identity.existingSecret.cert: tls.crt
+ gremlin.tls.identity.existingSecret.key: tls.key
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+ value: /var/lib/gremlin/tls/identity/tls.crt
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+ value: /var/lib/gremlin/tls/identity/tls.key
+
+ - it: should set TLS identity env vars to file paths when existingSecret is customized
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.existingSecret.name: my-existing-secret
+ gremlin.tls.identity.existingSecret.cert: custom.crt
+ gremlin.tls.identity.existingSecret.key: custom.key
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+ value: /var/lib/gremlin/tls/identity/custom.crt
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+ value: /var/lib/gremlin/tls/identity/custom.key
+
+ - it: should mount TLS identity volume from existingSecret when configured
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.existingSecret.name: my-existing-secret
+ gremlin.tls.identity.existingSecret.cert: tls.crt
+ gremlin.tls.identity.existingSecret.key: tls.key
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: gremlin-tls-identity
+ mountPath: /var/lib/gremlin/tls/identity
+ readOnly: true
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: gremlin-tls-identity
+ secret:
+ secretName: my-existing-secret
+
+ - it: should fail when multiple TLS identity strategies are configured for gremlin
+ set:
+ gremlin.tls.identity.enabled: true
+ gremlin.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+ 
gremlin.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+ gremlin.tls.identity.createSecret.name: gremlin-tls-identity
+ gremlin.tls.identity.createSecret.cert: "dummy-cert"
+ gremlin.tls.identity.createSecret.key: "dummy-key"
+ asserts:
+ - failedTemplate:
+ errorMessage: "gremlin.tls.identity: only one of remoteSecret, createSecret, or existingSecret should be fully configured"
diff --git a/gremlin/tests/values-certauth-test.yaml b/gremlin/tests/values-certauth-test.yaml
new file mode 100644
index 0000000..0b12068
--- /dev/null
+++ b/gremlin/tests/values-certauth-test.yaml
@@ -0,0 +1,30 @@
+gremlin:
+ secret:
+ managed: true
+ type: certificate
+ teamID: test-team-id
+ clusterID: test-cluster-id
+ certificate: |
+ -----BEGIN CERTIFICATE-----
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ -----END CERTIFICATE-----
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ 1111111111111111111111111111111111111111111111111111111111111111
+ -----END PRIVATE KEY-----
+
+ 
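Review bot: In both createSecret test cases of daemonset_secretauth_test.yaml ("should set TLS identity env vars to file paths when createSecret is configured" and "should mount TLS identity volume when createSecret is configured"), `gremlin.tls.identity.createSecret.key:` has no block-scalar indicator while the sibling `gremlin.tls.identity.createSecret.cert: |` does, so the PEM lines under it appear to fold into a single space-joined plain scalar rather than the multi-line key the fixture is meant to supply; write `gremlin.tls.identity.createSecret.key: |` in both places. The assertions only inspect the env-var paths and the volume mount, so the folded key passes unnoticed today, but any future assertion on the rendered Secret data would see the wrong value. The `failedTemplate` case exercises only the remoteSecret+createSecret combination; since the error message names all three strategies, adding existingSecret+createSecret and remoteSecret+existingSecret cases would pin the mutual-exclusion check for the remaining pairs.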
diff --git a/gremlin/tests/values-secretauth-test.yaml b/gremlin/tests/values-secretauth-test.yaml
new file mode 100644
index 0000000..f2c1c8e
--- /dev/null
+++ b/gremlin/tests/values-secretauth-test.yaml
@@ -0,0 +1,7 @@
+gremlin:
+ secret:
+ managed: true
+ type: secret
+ teamID: test-team-id
+ clusterID: test-cluster-id
+ teamSecret: test-team-secret