Correct test values precedence over suite values, including updated t…

…ests.

.editorconfig

@@ -20,6 +20,6 @@ eclint_indent_style = unset
 [Dockerfile]
 indent_size = 4
 
-[*.yml]
+[{*.yml,*.yaml}]
 indent_style = space
 indent_size = 2

pkg/unittest/.snapshots/TestV3RunnerWithTestsInSubchart

@@ -17,7 +17,7 @@
 
 Charts:      1 passed, 1 total
 Test Suites: 11 passed, 11 total
-Tests:       23 passed, 23 total
+Tests:       24 passed, 24 total
 Snapshot:    10 passed, 10 total
 Time:        XX.XXXms
 

pkg/unittest/test_suite.go

@@ -242,7 +242,7 @@ func (s *TestSuite) polishTestJobsPathInfo() {
 		test.globalSet = copySet(s.Set)
 
 		if len(s.Values) > 0 {
-			test.Values = append(test.Values, s.Values...)
+			test.Values = append(s.Values, test.Values...)
 		}
 
 		if len(s.Templates) > 0 {

test/data/v3/with-subchart/charts/child-chart/templates/_helpers.tpl

@@ -24,3 +24,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
   {{- end -}}
   {{- printf "%s" $ingressClass -}}
 {{- end -}}
+
+{{- define "sec.containerSeccompProfile" -}}
+{{- $profile := . -}}
+{{/*- fail (printf "%s-%s" "my-error: " ($profile.type)) -*/}}
+{{- if and $profile $profile.type -}}
+seccompProfile:
+  type: {{ $profile.type }}
+{{- if eq $profile.type "Localhost" }}
+{{- if (empty $profile.localhostProfile) }}
+  {{- fail "The 'Localhost' seccomp profile requires a profile name to be provided in localhostProfile parameter." -}}
+{{- else }}
+  localhostProfile: {{ $profile.localhostProfile }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}

test/data/v3/with-subchart/charts/child-chart/templates/deployment.yaml

@@ -17,9 +17,18 @@ spec:
         release: {{ .Release.Name }}
     spec:
       containers:
-        - name: {{ .Chart.Name }}
+        - name: {{ .Chart.Name }}-nginx
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            privileged: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - all
+    {{- include "sec.containerSeccompProfile" .Values.seccompProfile.nginx | nindent 12 }}
           ports:
             - containerPort: {{ .Values.service.internalPort }}
           livenessProbe:

test/data/v3/with-subchart/charts/child-chart/tests/__snapshot__/deployment_test.yaml.snap

@@ -14,11 +14,19 @@ should pass all kinds of assertion:
               httpGet:
                 path: /
                 port: 8080
-            name: child-chart
+            name: child-chart-nginx
             ports:
               - containerPort: 8080
             readinessProbe:
               httpGet:
                 path: /
                 port: 8080
             resources: {}
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - all
+              privileged: false
+              readOnlyRootFilesystem: false
+              runAsNonRoot: true

test/data/v3/with-subchart/charts/child-chart/tests/deployment_test.yaml

@@ -1,10 +1,10 @@
 suite: test deployment
 templates:
   - templates/deployment.yaml
+values:
+  - ./values/image.yaml
 tests:
   - it: should pass all kinds of assertion
-    values:
-      - ./values/image.yaml
     set:
       service.internalPort: 8080
     asserts:
@@ -47,3 +47,14 @@ tests:
           count: 1
       - matchSnapshot:
           path: spec
+  - it: should have seccompProfile configured for container
+    values:
+      - ./values/seccomp.yaml
+    asserts:
+      - exists:
+          path: spec.template.spec.containers[?(@.name=='child-chart-nginx')].securityContext.seccompProfile
+      - exists:
+          path: spec.template.spec.containers[?(@.name=='child-chart-nginx')].securityContext.capabilities.drop
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='child-chart-nginx')].securityContext.seccompProfile.localhostProfile
+          value: nginxProfileCustomized

test/data/v3/with-subchart/charts/child-chart/tests/values/image.yaml

@@ -4,3 +4,10 @@ image:
   repository: apache
   tag: latest
   pullPolicy: Always
+
+seccompProfile:
+  type: ""
+  localhostProfile: ""
+  nginx:
+    type: ""
+    localhostProfile: ""

test/data/v3/with-subchart/charts/child-chart/tests/values/seccomp.yaml

@@ -0,0 +1,13 @@
+global:
+  namespace: "region1"
+image:
+  repository: apache
+  tag: latest
+  pullPolicy: Always
+
+seccompProfile:
+  type: "Localhost"
+  localhostProfile: "RuntimeDefault"
+  nginx:
+    type: "Localhost"
+    localhostProfile: "nginxProfileCustomized"

test/data/v3/with-subchart/tests/deployment_test.yaml

@@ -1,46 +1,48 @@
 suite: test deployment
 templates:
-  - templates/deployment.yaml
+    - templates/deployment.yaml
+values:
+    - ./values/image.yaml
 tests:
-  - it: should pass all kinds of assertion
-    values:
-      - ./values/image.yaml
-    set:
-      service.internalPort: 8080
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].image
-          value: apache:latest
-      - notEqual:
-          path: spec.template.spec.containers[0].image
-          value: nginx:stable
-      - matchRegex:
-          path: metadata.name
-          pattern: ^.*-with-subchart$
-      - notMatchRegex:
-          path: metadata.name
-          pattern: ^.*-foobar$
-      - contains:
-          path: spec.template.spec.containers[0].ports
-          content:
-            containerPort: 8080
-      - notContains:
-          path: spec.template.spec.containers[0].ports
-          content:
-            containerPort: 80
-      - notExists:
-          path: spec.template.nodeSelector
-      - exists:
-          path: spec.template
-      - isNullOrEmpty:
-          path: spec.template.spec.containers[0].resources
-      - isNotNullOrEmpty:
-          path: spec.template.spec.containers[0]
-      - isKind:
-          of: Deployment
-      - isAPIVersion:
-          of: extensions/v1beta1
-      - hasDocuments:
-          count: 1
-      - matchSnapshot:
-          path: spec
+    - it: should pass all kinds of assertion
+      values:
+          - ./values/image.yaml
+      set:
+          service.internalPort: 8080
+      asserts:
+          - equal:
+                path: spec.template.spec.containers[0].image
+                value: apache:latest
+          - notEqual:
+                path: spec.template.spec.containers[0].image
+                value: nginx:stable
+          - matchRegex:
+                path: metadata.name
+                pattern: ^.*-with-subchart$
+          - notMatchRegex:
+                path: metadata.name
+                pattern: ^.*-foobar$
+          - contains:
+                path: spec.template.spec.containers[0].ports
+                content:
+                    containerPort: 8080
+          - notContains:
+                path: spec.template.spec.containers[0].ports
+                content:
+                    containerPort: 80
+          - notExists:
+                path: spec.template.nodeSelector
+          - exists:
+                path: spec.template
+          - isNullOrEmpty:
+                path: spec.template.spec.containers[0].resources
+          - isNotNullOrEmpty:
+                path: spec.template.spec.containers[0]
+          - isKind:
+                of: Deployment
+          - isAPIVersion:
+                of: extensions/v1beta1
+          - hasDocuments:
+                count: 1
+          - matchSnapshot:
+                path: spec