From 2a4827fcace911fb174f566144748817e27b0e40 Mon Sep 17 00:00:00 2001 
From: Quintus van Houdt 
Date: Mon, 29 Apr 2024 23:21:28 +0200 
Subject: [PATCH] Correct test values precedence over suite values, including updated tests. 
---
 .editorconfig | 2 +-
 .../TestV3RunnerWithTestsInSubchart | 2 +-
 pkg/unittest/test_suite.go | 2 +-
 .../charts/child-chart/templates/_helpers.tpl | 16 ++++
 .../child-chart/templates/deployment.yaml | 11 ++-
 .../__snapshot__/deployment_test.yaml.snap | 10 ++-
 .../child-chart/tests/deployment_test.yaml | 15 +++-
 .../child-chart/tests/values/image.yaml | 7 ++
 .../child-chart/tests/values/seccomp.yaml | 13 +++
 .../with-subchart/tests/deployment_test.yaml | 88 ++++++++++---------
 10 files changed, 116 insertions(+), 50 deletions(-)
 create mode 100644 test/data/v3/with-subchart/charts/child-chart/tests/values/seccomp.yaml 
diff --git a/.editorconfig b/.editorconfig 
index 748e22817..cdfeacac4 100644 
--- a/.editorconfig 
+++ b/.editorconfig 
@@ -20,6 +20,6 @@ eclint_indent_style = unset
 [Dockerfile]
 indent_size = 4
-[*.yml]
+[{*.yml,*.yaml}]
 indent_style = space
 indent_size = 2 
diff --git a/pkg/unittest/.snapshots/TestV3RunnerWithTestsInSubchart b/pkg/unittest/.snapshots/TestV3RunnerWithTestsInSubchart 
index 16fd8803c..401650bc0 100644 
--- a/pkg/unittest/.snapshots/TestV3RunnerWithTestsInSubchart 
+++ b/pkg/unittest/.snapshots/TestV3RunnerWithTestsInSubchart 
@@ -17,7 +17,7 @@ Charts: 1 passed, 1 total
 Test Suites: 11 passed, 11 total
-Tests: 23 passed, 23 total
+Tests: 24 passed, 24 total
 Snapshot: 10 passed, 10 total
 Time: XX.XXXms 
diff --git a/pkg/unittest/test_suite.go b/pkg/unittest/test_suite.go 
index b053210fe..8d433662a 100644 
--- a/pkg/unittest/test_suite.go 
+++ b/pkg/unittest/test_suite.go 
@@ -242,7 +242,7 @@ func (s *TestSuite) polishTestJobsPathInfo() {
 test.globalSet = copySet(s.Set)
 if len(s.Values) > 0 {
- test.Values = append(test.Values, s.Values...)
+ test.Values = append(s.Values, test.Values...)
 }
 if len(s.Templates) > 0 { 
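Review bot: The new `test.Values = append(s.Values, test.Values...)` can alias the suite's slice: whenever `s.Values` has spare capacity, the per-test elements are written into the suite slice's backing array, and the next test processed by this loop (it looks like a per-test loop, given `test.globalSet = copySet(s.Set)` just above) writes its own values over the same cells, so an earlier test silently ends up with a later test's value files. The old form appended to the per-test slice and never shared a backing array between tests, so this is a regression the precedence fix introduces rather than one it inherits. Force a fresh array with a full slice expression, `test.Values = append(s.Values[:len(s.Values):len(s.Values)], test.Values...)`, or `append(slices.Clone(s.Values), test.Values...)` if the file already imports `slices`. Placing suite values first so that test values override them matches the commit title; `polishTestJobsPathInfo` starts and ends outside the hunk.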
diff --git a/test/data/v3/with-subchart/charts/child-chart/templates/_helpers.tpl b/test/data/v3/with-subchart/charts/child-chart/templates/_helpers.tpl index 36659b671..1e5c9b39a 100644 --- a/test/data/v3/with-subchart/charts/child-chart/templates/_helpers.tpl +++ b/test/data/v3/with-subchart/charts/child-chart/templates/_helpers.tpl @@ -24,3 +24,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- printf "%s" $ingressClass -}} {{- end -}} + +{{- define "sec.containerSeccompProfile" -}} +{{- $profile := . -}} +{{/*- fail (printf "%s-%s" "my-error: " ($profile.type)) -*/}} +{{- if and $profile $profile.type -}} +seccompProfile: + type: {{ $profile.type }} +{{- if eq $profile.type "Localhost" }} +{{- if (empty $profile.localhostProfile) }} + {{- fail "The 'Localhost' seccomp profile requires a profile name to be provided in localhostProfile parameter." -}} +{{- else }} + localhostProfile: {{ $profile.localhostProfile }} +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/test/data/v3/with-subchart/charts/child-chart/templates/deployment.yaml b/test/data/v3/with-subchart/charts/child-chart/templates/deployment.yaml index c21c30874..c3b791a0c 100644 --- a/test/data/v3/with-subchart/charts/child-chart/templates/deployment.yaml +++ b/test/data/v3/with-subchart/charts/child-chart/templates/deployment.yaml @@ -17,9 +17,18 @@ spec: release: {{ .Release.Name }} spec: containers: - - name: {{ .Chart.Name }} + - name: {{ .Chart.Name }}-nginx image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + capabilities: + drop: + - all + {{- include "sec.containerSeccompProfile" .Values.seccompProfile.nginx | nindent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} livenessProbe: 
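Review bot: The new `sec.containerSeccompProfile` template ships a commented-out debugging call, `{{/*- fail (printf "%s-%s" "my-error: " ($profile.type)) -*/}}`, which should be removed before merge or replaced by a one-line comment stating what the template expects (a map with `type` and, for `Localhost`, a non-empty `localhostProfile`). The emitted `localhostProfile: {{ $profile.localhostProfile }}` is unquoted; `localhostProfile: {{ $profile.localhostProfile | quote }}` keeps the rendered YAML valid for profile names containing characters YAML treats specially. This is fixture data under `test/data`, so the point is about the fixture staying a readable reference.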
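Review bot: The added `{{- include "sec.containerSeccompProfile" .Values.seccompProfile.nginx | nindent 12 }}` dereferences `.Values.seccompProfile.nginx` unguarded, so rendering fails with a nil-pointer error whenever the merged values lack a `seccompProfile` map; the chart's own `values.yaml` is not in the diff, and the fact that `tests/values/image.yaml` had to gain an empty `seccompProfile.nginx` block suggests the default values may not supply it. Wrapping the call, `{{- with .Values.seccompProfile }}{{- include "sec.containerSeccompProfile" .nginx | nindent 12 }}{{- end }}`, keeps the template renderable with defaults while the helper already handles a nil argument through its `if and $profile $profile.type` guard. The container block continues outside the hunk.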
diff --git a/test/data/v3/with-subchart/charts/child-chart/tests/__snapshot__/deployment_test.yaml.snap b/test/data/v3/with-subchart/charts/child-chart/tests/__snapshot__/deployment_test.yaml.snap index 5eaca87a2..7c5588895 100644 --- a/test/data/v3/with-subchart/charts/child-chart/tests/__snapshot__/deployment_test.yaml.snap +++ b/test/data/v3/with-subchart/charts/child-chart/tests/__snapshot__/deployment_test.yaml.snap @@ -14,7 +14,7 @@ should pass all kinds of assertion: httpGet: path: / port: 8080 - name: child-chart + name: child-chart-nginx ports: - containerPort: 8080 readinessProbe: @@ -22,3 +22,11 @@ should pass all kinds of assertion: path: / port: 8080 resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true diff --git a/test/data/v3/with-subchart/charts/child-chart/tests/deployment_test.yaml b/test/data/v3/with-subchart/charts/child-chart/tests/deployment_test.yaml index 0d666210f..595ee6809 100644 --- a/test/data/v3/with-subchart/charts/child-chart/tests/deployment_test.yaml +++ b/test/data/v3/with-subchart/charts/child-chart/tests/deployment_test.yaml @@ -1,10 +1,10 @@ suite: test deployment templates: - templates/deployment.yaml +values: + - ./values/image.yaml tests: - it: should pass all kinds of assertion - values: - - ./values/image.yaml set: service.internalPort: 8080 asserts: 
@@ -47,3 +47,14 @@ tests: count: 1 - matchSnapshot: path: spec + - it: should have seccompProfile configured for container + values: + - ./values/seccomp.yaml + asserts: + - exists: + path: spec.template.spec.containers[?(@.name=='child-chart-nginx')].securityContext.seccompProfile + - exists: + path: spec.template.spec.containers[?(@.name=='child-chart-nginx')].securityContext.capabilities.drop + - equal: + path: spec.template.spec.containers[?(@.name=='child-chart-nginx')].securityContext.seccompProfile.localhostProfile + value: nginxProfileCustomized \ No newline at end of file diff --git a/test/data/v3/with-subchart/charts/child-chart/tests/values/image.yaml b/test/data/v3/with-subchart/charts/child-chart/tests/values/image.yaml index 2cad114ce..1c2eda0f0 100644 --- a/test/data/v3/with-subchart/charts/child-chart/tests/values/image.yaml +++ b/test/data/v3/with-subchart/charts/child-chart/tests/values/image.yaml @@ -4,3 +4,10 @@ image: repository: apache tag: latest pullPolicy: Always + +seccompProfile: + type: "" + localhostProfile: "" + nginx: + type: "" + localhostProfile: "" diff --git a/test/data/v3/with-subchart/charts/child-chart/tests/values/seccomp.yaml b/test/data/v3/with-subchart/charts/child-chart/tests/values/seccomp.yaml new file mode 100644 index 000000000..3c5539292 --- /dev/null +++ b/test/data/v3/with-subchart/charts/child-chart/tests/values/seccomp.yaml @@ -0,0 +1,13 @@ +global: + namespace: "region1" +image: + repository: apache + tag: latest + pullPolicy: Always + +seccompProfile: + type: "Localhost" + localhostProfile: "RuntimeDefault" + nginx: + type: "Localhost" + localhostProfile: "nginxProfileCustomized" diff --git a/test/data/v3/with-subchart/tests/deployment_test.yaml b/test/data/v3/with-subchart/tests/deployment_test.yaml index 40ccd7540..286d9cf43 100644 --- a/test/data/v3/with-subchart/tests/deployment_test.yaml +++ b/test/data/v3/with-subchart/tests/deployment_test.yaml 
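Review bot: The new test case ends without a trailing newline (`\ No newline at end of file`); adding one avoids a spurious last-line change on the next edit. The case does exercise the precedence fix, since the suite-level `image.yaml` sets `nginx.localhostProfile: ""` and only the test-level `seccomp.yaml` can produce `nginxProfileCustomized`; an extra `- equal:` on `...securityContext.seccompProfile.type` with `value: Localhost` would also pin the type that the first `exists` assertion only checks for presence.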
@@ -1,46 +1,48 @@ suite: test deployment templates: - - templates/deployment.yaml + - templates/deployment.yaml +values: + - ./values/image.yaml tests: - - it: should pass all kinds of assertion - values: - - ./values/image.yaml - set: - service.internalPort: 8080 - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: apache:latest - - notEqual: - path: spec.template.spec.containers[0].image - value: nginx:stable - - matchRegex: - path: metadata.name - pattern: ^.*-with-subchart$ - - notMatchRegex: - path: metadata.name - pattern: ^.*-foobar$ - - contains: - path: spec.template.spec.containers[0].ports - content: - containerPort: 8080 - - notContains: - path: spec.template.spec.containers[0].ports - content: - containerPort: 80 - - notExists: - path: spec.template.nodeSelector - - exists: - path: spec.template - - isNullOrEmpty: - path: spec.template.spec.containers[0].resources - - isNotNullOrEmpty: - path: spec.template.spec.containers[0] - - isKind: - of: Deployment - - isAPIVersion: - of: extensions/v1beta1 - - hasDocuments: - count: 1 - - matchSnapshot: - path: spec + - it: should pass all kinds of assertion + values: + - ./values/image.yaml + set: + service.internalPort: 8080 + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: apache:latest + - notEqual: + path: spec.template.spec.containers[0].image + value: nginx:stable + - matchRegex: + path: metadata.name + pattern: ^.*-with-subchart$ + - notMatchRegex: + path: metadata.name + pattern: ^.*-foobar$ + - contains: + path: spec.template.spec.containers[0].ports + content: + containerPort: 8080 + - notContains: + path: spec.template.spec.containers[0].ports + content: + containerPort: 80 + - notExists: + path: spec.template.nodeSelector + - exists: + path: spec.template + - isNullOrEmpty: + path: spec.template.spec.containers[0].resources + - isNotNullOrEmpty: + path: spec.template.spec.containers[0] + - isKind: + of: Deployment + - isAPIVersion: + of: 
extensions/v1beta1 + - hasDocuments: + count: 1 + - matchSnapshot: + path: spec
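Review bot: On the new side `./values/image.yaml` is listed both under the suite-level `values:` and again under the test's own `values:`, so the same file is loaded twice for this test; since the hunk's purpose is to move it to suite level, the test-level `values:` entry and its `- ./values/image.yaml` line can be dropped. The remainder of the hunk is a re-indentation only.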