beppe/cicdTest
1
0
Fork 0
mirror of https://github.com/bvanroll/cicdTest.git synced 2025-08-29 20:12:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

helm consul toegevoegd ma nie als submodule?

Browse Source
This commit is contained in:
Beppe Vanrolleghem
2020-03-09 12:27:10 +01:00
parent 31368e50b2
commit 3432492589
157 changed files with 14508 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
consul-helm/test/acceptance/_helpers.bash Normal file
View File

@@ -0,0 +1,56 @@
# name_prefix returns the prefix of the resources within Kubernetes.
name_prefix() {
printf "consul"
}
# helm_install installs the Consul chart. This will source overridable
# values from the "values.yaml" file in this directory. This can be set
# by CI or other environments to do test-specific overrides. Note that its
# easily possible to break tests this way so be careful.
helm_install() {
local values="${BATS_TEST_DIRNAME}/values.yaml"
if [ ! -f "${values}" ]; then
touch $values
fi
helm install -f ${values} \
--name consul \
--wait \
${BATS_TEST_DIRNAME}/../..
}
# helm_delete deletes the Consul chart and all resources.
helm_delete() {
helm delete --purge consul
kubectl delete --all pvc
}
# wait for a pod to be ready
wait_for_ready() {
POD_NAME=$1
check() {
# This requests the pod and checks whether the status is running
# and the ready state is true. If so, it outputs the name. Otherwise
# it outputs empty. Therefore, to check for success, check for nonzero
# string length.
kubectl get pods $1 -o json | \
jq -r 'select(
.status.phase == "Running" and
([ .status.conditions[] | select(.type == "Ready" and .status == "True") ] | length) == 1
) | .metadata.namespace + "/" + .metadata.name'
}
for i in $(seq 30); do
if [ -n "$(check ${POD_NAME})" ]; then
echo "${POD_NAME} is ready."
return
fi
echo "Waiting for ${POD_NAME} to be ready..."
sleep 2
done
echo "${POD_NAME} never became ready."
exit 1
}

19
consul-helm/test/acceptance/server.bats Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/env bats
load _helpers
@test "server: default, comes up healthy" {
helm_install
wait_for_ready $(name_prefix)-consul-server-0
# Verify there are three servers
local server_count=$(kubectl exec "$(name_prefix)-consul-server-0" consul members |
grep server |
wc -l)
[ "${server_count}" -eq "3" ]
helm test consul
# Clean up
helm_delete
}

51
consul-helm/test/docker/Test.dockerfile Normal file
View File

@@ -0,0 +1,51 @@
# This Dockerfile installs all the dependencies necessary to run the unit and
# acceptance tests. This image also contains gcloud so you can run tests
# against a GKE cluster easily.
#
# This image has no automatic entrypoint. It is expected that you'll run
# a script to configure kubectl, potentially install Helm, and run the tests
# manually. This image only has the dependencies pre-installed.
FROM alpine:latest
WORKDIR /root
ENV BATS_VERSION "1.1.0"
ENV TERRAFORM_VERSION "0.12.10"
# base packages
RUN apk update && apk add --no-cache --virtual .build-deps \
ca-certificates \
curl \
tar \
bash \
openssl \
python \
py-pip \
git \
jq
# yq
RUN pip install yq
# gcloud
RUN curl -OL https://dl.google.com/dl/cloudsdk/channels/rapid/install_google_cloud_sdk.bash && \
bash install_google_cloud_sdk.bash --disable-prompts --install-dir='/root/' && \
ln -s /root/google-cloud-sdk/bin/gcloud /usr/local/bin/gcloud
# terraform
RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o /tmp/tf.zip \
&& unzip /tmp/tf.zip \
&& ln -s /root/terraform /usr/local/bin/terraform
# kubectl
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
chmod +x ./kubectl && \
mv ./kubectl /usr/local/bin/kubectl
# helm
RUN curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
# bats
RUN curl -sSL https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz -o /tmp/bats.tgz \
&& tar -zxf /tmp/bats.tgz -C /tmp \
&& /bin/bash /tmp/bats-core-${BATS_VERSION}/install.sh /usr/local

71
consul-helm/test/terraform/main.tf Normal file
View File

@@ -0,0 +1,71 @@
locals {
service_account_path = "${path.module}/service-account.yaml"
}
provider "google" {
project = var.project
}
resource "random_id" "suffix" {
byte_length = 4
}
data "google_container_engine_versions" "main" {
location = var.zone
}
resource "google_container_cluster" "cluster" {
name = "consul-k8s-${random_id.suffix.dec}"
project = var.project
enable_legacy_abac = true
initial_node_count = 3
location = var.zone
min_master_version = data.google_container_engine_versions.main.latest_master_version
node_version = data.google_container_engine_versions.main.latest_node_version
}
resource "null_resource" "kubectl" {
count = var.init_cli ? 1 : 0
triggers = {
cluster = google_container_cluster.cluster.id
}
# On creation, we want to setup the kubectl credentials. The easiest way
# to do this is to shell out to gcloud.
provisioner "local-exec" {
command = "gcloud container clusters get-credentials --zone=${var.zone} ${google_container_cluster.cluster.name}"
}
# On destroy we want to try to clean up the kubectl credentials. This
# might fail if the credentials are already cleaned up or something so we
# want this to continue on failure. Generally, this works just fine since
# it only operates on local data.
provisioner "local-exec" {
when = "destroy"
on_failure = "continue"
command = "kubectl config get-clusters | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-cluster"
}
provisioner "local-exec" {
when = "destroy"
on_failure = "continue"
command = "kubectl config get-contexts | grep ${google_container_cluster.cluster.name} | xargs -n1 kubectl config delete-context"
}
}
resource "null_resource" "helm" {
count = var.init_cli ? 1 : 0
depends_on = ["null_resource.kubectl"]
triggers = {
cluster = google_container_cluster.cluster.id
}
provisioner "local-exec" {
command = <<EOF
kubectl apply -f '${local.service_account_path}'
helm init --service-account helm --wait
EOF
}
}

7
consul-helm/test/terraform/outputs.tf Normal file
View File

@@ -0,0 +1,7 @@
output "cluster_id" {
value = google_container_cluster.cluster.id
}
output "cluster_name" {
value = google_container_cluster.cluster.name
}

18
consul-helm/test/terraform/service-account.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: helm
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: helm
namespace: kube-system

17
consul-helm/test/terraform/variables.tf Normal file
View File

@@ -0,0 +1,17 @@
variable "project" {
description = <<EOF
Google Cloud Project to launch resources in. This project must have GKE
enabled and billing activated. We can't use the GOOGLE_PROJECT environment
variable since we need to access the project for other uses.
EOF
}
variable "zone" {
default = "us-central1-a"
description = "The zone to launch all the GKE nodes in."
}
variable "init_cli" {
default = false
description = "Whether to init the CLI tools kubectl, helm, etc. or not."
}

4
consul-helm/test/unit/_helpers.bash Normal file
View File

@@ -0,0 +1,4 @@
# chart_dir returns the directory for the chart
chart_dir() {
echo ${BATS_TEST_DIRNAME}/../..
}

104
consul-helm/test/unit/client-clusterrole.bats Normal file
View File

@@ -0,0 +1,104 @@
#!/usr/bin/env bats
load _helpers
@test "client/ClusterRole: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ClusterRole: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ClusterRole: can be enabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ClusterRole: disabled with client.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ClusterRole: enabled with client.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
# The rules key must always be set (#178).
@test "client/ClusterRole: rules empty with client.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq '.rules' | tee /dev/stderr)
[ "${actual}" = "[]" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "client/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'client.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[0].resources[0]' | tee /dev/stderr)
[ "${actual}" = "podsecuritypolicies" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "client/ClusterRole: allows secret access with global.bootsrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'client.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -r '.rules[0].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}
@test "client/ClusterRole: allows secret access with global.bootsrapACLs=true and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrole.yaml \
--set 'client.enabled=true' \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[1].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}

53
consul-helm/test/unit/client-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bats
load _helpers
@test "client/ClusterRoleBinding: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ClusterRoleBinding: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrolebinding.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ClusterRoleBinding: disabled with client disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrolebinding.yaml \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ClusterRoleBinding: enabled with client enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrolebinding.yaml \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ClusterRoleBinding: enabled with client enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-clusterrolebinding.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

77
consul-helm/test/unit/client-configmap.bats Executable file
View File

@@ -0,0 +1,77 @@
#!/usr/bin/env bats
load _helpers
@test "client/ConfigMap: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ConfigMap: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ConfigMap: disable with client.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ConfigMap: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ConfigMap: extraConfig is set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
--set 'client.extraConfig="{\"hello\": \"world\"}"' \
. | tee /dev/stderr |
yq '.data["extra-from-values.json"] | match("world") | length' | tee /dev/stderr)
[ ! -z "${actual}" ]
}
#--------------------------------------------------------------------
# connectInject.centralConfig
@test "client/ConfigMap: centralConfig is enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.data["central-config.json"] | contains("enable_central_service_config")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ConfigMap: centralConfig can be disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.enabled=false' \
. | tee /dev/stderr |
yq '.data["central-config.json"] | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

855
consul-helm/test/unit/client-daemonset.bats Executable file
View File

@@ -0,0 +1,855 @@
#!/usr/bin/env bats
load _helpers
@test "client/DaemonSet: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: disable with client.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/DaemonSet: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/DaemonSet: image defaults to global.image" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.image=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "foo" ]
}
@test "client/DaemonSet: image can be overridden with client.image" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.image=foo' \
--set 'client.image=bar' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "client/DaemonSet: no updateStrategy when not updating" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
#--------------------------------------------------------------------
# retry-join
@test "client/DaemonSet: retry join gets populated" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'server.replicas=3' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | any(contains("-retry-join"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# grpc
@test "client/DaemonSet: grpc is enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("grpc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: grpc can be disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.grpc=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("grpc"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# resources
@test "client/DaemonSet: no resources defined by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/DaemonSet: resources can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.resources=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
[ "${actual}" = "foo" ]
}
#--------------------------------------------------------------------
# extraVolumes
@test "client/DaemonSet: adds extra volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=configMap' \
--set 'client.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.configMap.name' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(echo $object |
yq -r '.configMap.secretName' | tee /dev/stderr)
[ "${actual}" = "null" ]
# Test that it mounts it
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=configMap' \
--set 'client.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/userconfig/foo" ]
# Doesn't load it
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=configMap' \
--set 'client.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | map(select(test("userconfig"))) | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "client/DaemonSet: adds extra secret volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=secret' \
--set 'client.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.secret.name' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(echo $object |
yq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo" ]
# Test that it mounts it
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=configMap' \
--set 'client.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/userconfig/foo" ]
# Doesn't load it
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=configMap' \
--set 'client.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | map(select(test("userconfig"))) | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "client/DaemonSet: adds loadable volume" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraVolumes[0].type=configMap' \
--set 'client.extraVolumes[0].name=foo' \
--set 'client.extraVolumes[0].load=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | map(select(contains("/consul/userconfig/foo"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
#--------------------------------------------------------------------
# nodeSelector
@test "client/DaemonSet: nodeSelector is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/DaemonSet: specified nodeSelector" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.nodeSelector=testing' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
#--------------------------------------------------------------------
# affinity
@test "client/DaemonSet: affinity not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: specified affinity" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.affinity=foobar' \
. | tee /dev/stderr |
yq '.spec.template.spec | .affinity == "foobar"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# priorityClassName
@test "client/DaemonSet: priorityClassName is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.priorityClassName' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/DaemonSet: specified priorityClassName" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.priorityClassName=testing' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
#--------------------------------------------------------------------
# annotations
@test "client/DaemonSet: no annotations defined by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject")' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}
@test "client/DaemonSet: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# tolerations
@test "client/DaemonSet: tolerations not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: tolerations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.tolerations=foobar' \
. | tee /dev/stderr |
yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# gossip encryption
@test "client/DaemonSet: gossip encryption disabled in client DaemonSet by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "" ]
}
@test "client/DaemonSet: gossip encryption disabled in client DaemonSet when clients are disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.enabled=false' \
--set 'global.gossipEncryption.secretName=foo' \
--set 'global.gossipEncryption.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/DaemonSet: gossip encryption disabled in client DaemonSet when secretName is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.gossipEncryption.secretKey=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "" ]
}
@test "client/DaemonSet: gossip encryption disabled in client DaemonSet when secretKey is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.gossipEncryption.secretName=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "" ]
}
@test "client/DaemonSet: gossip environment variable present in client DaemonSet when all config is provided" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.gossipEncryption.secretKey=foo' \
--set 'global.gossipEncryption.secretName=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: encrypt CLI option not present in client DaemonSet when encryption disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | join(" ") | contains("encrypt")' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/DaemonSet: encrypt CLI option present in client DaemonSet when all config is provided" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.gossipEncryption.secretKey=foo' \
--set 'global.gossipEncryption.secretName=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | join(" ") | contains("encrypt")' | tee /dev/stderr)
[ "${actual}" == "true" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "client/DaemonSet: CA volume present when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "client/DaemonSet: client certificate volume present when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name == "tls-client-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "client/DaemonSet: port 8501 is not exposed when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8501)' | tee /dev/stderr)
[ "${actual}" == "" ]
}
@test "client/DaemonSet: port 8501 is exposed when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8501)' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "client/DaemonSet: port 8500 is still exposed when httpsOnly is not enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8500)' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "client/DaemonSet: port 8500 is not exposed when httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8500)' | tee /dev/stderr)
[ "${actual}" == "" ]
}
@test "client/DaemonSet: readiness checks are over HTTP TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("http://127.0.0.1:8500")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: readiness checks are over HTTPS when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("https://127.0.0.1:8501")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: readiness checks use CA certificate when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("--cacert /consul/tls/ca/tls.crt")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: HTTP port is disabled when global.tls.httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | join(" ") | contains("ports { http = -1 }")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: init container is created when global.tls.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[] | select(.name == "client-tls-init") | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: both ACL and TLS init containers are created when global.tls.enabled=true and global.bootstrapACLs=true" {
cd `chart_dir`
local has_acl_init_container=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[] | select(.name == "client-acl-init") | length > 0' | tee /dev/stderr)
[ "${has_acl_init_container}" = "true" ]
local has_tls_init_container=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[] | select(.name == "client-acl-init") | length > 0' | tee /dev/stderr)
[ "${has_tls_init_container}" = "true" ]
}
@test "client/DaemonSet: sets Consul environment variables when global.tls.enabled" {
cd `chart_dir`
local env=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr)
local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = "https://localhost:8501" ]
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}
@test "client/DaemonSet: sets verify_* flags to true by default when global.tls.enabled" {
cd `chart_dir`
local command=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)
local actual
actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: doesn't set the verify_* flags by default when global.tls.enabled and global.tls.verify is false" {
cd `chart_dir`
local command=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.verify=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)
local actual
actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
[ "${actual}" = "false" ]
actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
[ "${actual}" = "false" ]
actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/DaemonSet: can overwrite CA secret with the provided one" {
cd `chart_dir`
local spec=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-cert") | .secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the provided ca key secret is attached as volume
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-key") | .secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-key" ]
# check that the volumes pulls the provided secret keys as a CA cert
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-cert") | .secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
# check that the volumes pulls the provided secret keys as a CA key
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-key") | .secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}
#--------------------------------------------------------------------
# extraEnvironmentVariables
@test "client/DaemonSet: custom environment variables" {
cd `chart_dir`
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.extraEnvironmentVars.custom_proxy=fakeproxy' \
--set 'client.extraEnvironmentVars.no_proxy=custom_no_proxy' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[3].name' | tee /dev/stderr)
[ "${actual}" = "custom_proxy" ]
local actual=$(echo $object |
yq -r '.[3].value' | tee /dev/stderr)
[ "${actual}" = "fakeproxy" ]
local actual=$(echo $object |
yq -r '.[4].name' | tee /dev/stderr)
[ "${actual}" = "no_proxy" ]
local actual=$(echo $object |
yq -r '.[4].value' | tee /dev/stderr)
[ "${actual}" = "custom_no_proxy" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "client/DaemonSet: aclconfig volume is created when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[2].name == "aclconfig"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: aclconfig volumeMount is created when global.bootstrapACLs=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[2]' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "aclconfig" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/aclconfig" ]
}
@test "client/DaemonSet: command includes aclconfig dir when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("/consul/aclconfig"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: init container is created when global.bootstrapACLs=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/client-daemonset.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[] | select(.name == "client-acl-init")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.command | any(contains("consul-k8s acl-init"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# client.exposeGossipPorts
@test "client/DaemonSet: client uses podIP when client.exposeGossipPorts=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.enabled=true' \
--set 'client.exposeGossipPorts=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers | map(select(.name=="consul")) | .[0].env | map(select(.name=="ADVERTISE_IP")) | .[0] | .valueFrom.fieldRef.fieldPath' |
tee /dev/stderr)
[ "${actual}" = "status.podIP" ]
}
@test "client/DaemonSet: client uses hostIP when client.exposeGossipPorts=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.enabled=true' \
--set 'client.exposeGossipPorts=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers | map(select(.name=="consul")) | .[0].env | map(select(.name=="ADVERTISE_IP")) | .[0] | .valueFrom.fieldRef.fieldPath' |
tee /dev/stderr)
[ "${actual}" = "status.hostIP" ]
}
@test "client/DaemonSet: client doesn't expose hostPorts when client.exposeGossipPorts=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'server.enabled=true' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers | map(select(.name=="consul")) | .[0].ports | map(select(.containerPort==8301)) | .[0].hostPort' |
tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/DaemonSet: client exposes hostPorts when client.exposeGossipPorts=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.enabled=true' \
--set 'client.exposeGossipPorts=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers | map(select(.name=="consul")) | .[0].ports | map(select(.containerPort==8301)) | .[0].hostPort' |
tee /dev/stderr)
[ "${actual}" = "8301" ]
}
#--------------------------------------------------------------------
# dataDirectoryHostPath
@test "client/DaemonSet: data directory is emptyDir by defaut" {
cd `chart_dir`
# Test that hostPath is set to null.
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[0].hostPath == null' | tee /dev/stderr )
[ "${actual}" = "true" ]
# Test that emptyDir is set instead.
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[0].emptyDir == {}' | tee /dev/stderr )
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: hostPath data directory can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.dataDirectoryHostPath=/opt/consul' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[0].hostPath.path == "/opt/consul"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# dnsPolicy
@test "client/DaemonSet: dnsPolicy not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.dnsPolicy == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: dnsPolicy can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set 'client.dnsPolicy=ClusterFirstWithHostNet' \
. | tee /dev/stderr |
yq '.spec.template.spec.dnsPolicy == "ClusterFirstWithHostNet"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# updateStrategy
@test "client/DaemonSet: updateStrategy not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-daemonset.yaml \
. | tee /dev/stderr | \
yq '.spec.updateStrategy == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/DaemonSet: updateStrategy can be set" {
cd `chart_dir`
local updateStrategy="type: RollingUpdate
rollingUpdate:
maxUnavailable: 5
"
local actual=$(helm template \
-x templates/client-daemonset.yaml \
--set "client.updateStrategy=${updateStrategy}" \
. | tee /dev/stderr | \
yq -c '.spec.updateStrategy == {"type":"RollingUpdate","rollingUpdate":{"maxUnavailable":5}}' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

131
consul-helm/test/unit/client-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,131 @@
#!/usr/bin/env bats
load _helpers
@test "client/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/PodSecurityPolicy: disabled with client disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'client.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/PodSecurityPolicy: only http and grpc ports are allowed as hostPorts by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -c '.spec.hostPorts' | tee /dev/stderr)
[ "${actual}" = '[{"min":8500,"max":8500},{"min":8502,"max":8502}]' ]
}
#--------------------------------------------------------------------
# client.grpc
@test "client/PodSecurityPolicy: hostPort 8502 is not allowed when client.grpc=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'client.grpc=false' \
. | tee /dev/stderr |
yq -c '.spec.hostPorts' | tee /dev/stderr)
[ "${actual}" = '[{"min":8500,"max":8500}]' ]
}
#--------------------------------------------------------------------
# client.exposeGossipPorts
@test "client/PodSecurityPolicy: hostPort 8301 allowed when exposeGossipPorts=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'client.exposeGossipPorts=true' \
. | tee /dev/stderr |
yq -c '.spec.hostPorts' | tee /dev/stderr)
[ "${actual}" = '[{"min":8500,"max":8500},{"min":8502,"max":8502},{"min":8301,"max":8301}]' ]
}
#--------------------------------------------------------------------
# client.dataDirectoryHostPath
@test "client/PodSecurityPolicy: disallows hostPath volume by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq '.spec.volumes | any(contains("hostPath"))' | tee /dev/stderr)
[ "${actual}" = 'false' ]
}
@test "client/PodSecurityPolicy: allows hostPath volume when dataDirectoryHostPath is set" {
cd `chart_dir`
# Test that hostPath is an allowed volume type.
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'client.dataDirectoryHostPath=/opt/consul' \
. | tee /dev/stderr |
yq '.spec.volumes | any(contains("hostPath"))' | tee /dev/stderr)
[ "${actual}" = 'true' ]
# Test that the path we're allowed to write to is the right one.
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'client.dataDirectoryHostPath=/opt/consul' \
. | tee /dev/stderr |
yq -r '.spec.allowedHostPaths[0].pathPrefix' | tee /dev/stderr)
[ "${actual}" = '/opt/consul' ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "client/PodSecurityPolicy: hostPort 8501 is allowed when global.tls.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -c '.spec.hostPorts' | tee /dev/stderr)
[ "${actual}" = '[{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]
}
@test "client/PodSecurityPolicy: hostPort 8500 is not allowed when global.tls.enabled=true and global.tls.httpsOnly=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq -c '.spec.hostPorts' | tee /dev/stderr)
[ "${actual}" = '[{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]
}

53
consul-helm/test/unit/client-serviceaccount.bats Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bats
load _helpers
@test "client/ServiceAccount: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ServiceAccount: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-serviceaccount.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ServiceAccount: disabled with client disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-serviceaccount.yaml \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/ServiceAccount: enabled with client enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-serviceaccount.yaml \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/ServiceAccount: enabled with client enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-serviceaccount.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

87
consul-helm/test/unit/client-snapshot-agent-clusterrole.bats Normal file
View File

@@ -0,0 +1,87 @@
#!/usr/bin/env bats
load _helpers
@test "client/SnapshotAgentClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentClusterRole: enabled with client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentClusterRole: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
--set 'client.enabled=true' \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentClusterRole: disabled with client=false and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "client/SnapshotAgentClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[0].resources[0]' | tee /dev/stderr)
[ "${actual}" = "podsecuritypolicies" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "client/SnapshotAgentClusterRole: allows secret access with global.bootsrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -r '.rules[0].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}
@test "client/SnapshotAgentClusterRole: allows secret access with global.bootsrapACLs=true and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrole.yaml \
--set 'client.enabled=true' \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[1].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}

44
consul-helm/test/unit/client-snapshot-agent-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "client/SnapshotAgentClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentClusterRoleBinding: enabled with client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrolebinding.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentClusterRoleBinding: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrolebinding.yaml \
--set 'client.enabled=true' \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentClusterRoleBinding: disabled with client=false and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-clusterrolebinding.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

271
consul-helm/test/unit/client-snapshot-agent-deployment.bats Normal file
View File

@@ -0,0 +1,271 @@
#!/usr/bin/env bats
load _helpers
@test "client/SnapshotAgentDeployment: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentDeployment: enabled with client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.enabled=true' \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: disabled with client=false and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# tolerations
@test "client/SnapshotAgentDeployment: no tolerations by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.tolerations | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentDeployment: populates tolerations when client.tolerations is populated" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.tolerations=allow' \
. | tee /dev/stderr |
yq '.spec.template.spec.tolerations | contains("allow")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# priorityClassName
@test "client/SnapshotAgentDeployment: no priorityClassName by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.priorityClassName | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentDeployment: populates priorityClassName when client.priorityClassName is populated" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.priorityClassName=allow' \
. | tee /dev/stderr |
yq '.spec.template.spec.priorityClassName | contains("allow")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs and snapshotAgent.configSecret
@test "client/SnapshotAgentDeployment: no initContainer by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/SnapshotAgentDeployment: populates initContainer when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: no volumes by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/SnapshotAgentDeployment: populates volumes when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: populates volumes when client.snapshotAgent.configSecret.secretName and client.snapshotAgent.configSecret secretKey are defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.snapshotAgent.configSecret.secretName=secret' \
--set 'client.snapshotAgent.configSecret.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: no container volumeMounts by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "client/SnapshotAgentDeployment: populates container volumeMounts when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: populates container volumeMounts when client.snapshotAgent.configSecret.secretName and client.snapshotAgent.configSecret secretKey are defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.snapshotAgent.configSecret.secretName=secret' \
--set 'client.snapshotAgent.configSecret.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# nodeSelector
@test "client/SnapshotAgentDeployment: no nodeSelector by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentDeployment: populates nodeSelector when client.nodeSelector is populated" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.nodeSelector=allow' \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector | contains("allow")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "client/SnapshotAgentDeployment: sets TLS env vars when global.tls.enabled" {
cd `chart_dir`
local env=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr)
local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = 'https://$(HOST_IP):8501' ]
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}
@test "client/SnapshotAgentDeployment: populates volumes when global.tls.enabled is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: populates container volumeMounts when global.tls.enabled is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentDeployment: can overwrite CA with the provided secret" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that it uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}

34
consul-helm/test/unit/client-snapshot-agent-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,34 @@
#!/usr/bin/env bats
load _helpers
@test "client/SnapshotAgentPodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentPodSecurityPolicy: disabled with snapshot agent disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-podsecuritypolicy.yaml \
--set 'client.snapshotAgent.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentPodSecurityPolicy: enabled with snapshot agent enabled global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-podsecuritypolicy.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

44
consul-helm/test/unit/client-snapshot-agent-serviceaccount.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "client/SnapshotAgentServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "client/SnapshotAgentServiceAccount: enabled with client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-serviceaccount.yaml \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentServiceAccount: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-serviceaccount.yaml \
--set 'client.enabled=true' \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "client/SnapshotAgentServiceAccount: disabled with client=false and client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/client-snapshot-agent-serviceaccount.yaml \
--set 'client.snapshotAgent.enabled=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

46
consul-helm/test/unit/connect-inject-authmethod-clusterrole.bats Normal file
View File

@@ -0,0 +1,46 @@
#!/usr/bin/env bats
load _helpers
@test "connectInjectAuthMethod/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInjectAuthMethod/ClusterRole: enabled with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrole.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInjectAuthMethod/ClusterRole: disabled with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrole.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInjectAuthMethod/ClusterRole: enabled with global.bootstrapACLs.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

46
consul-helm/test/unit/connect-inject-authmethod-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,46 @@
#!/usr/bin/env bats
load _helpers
@test "connectInjectAuthMethod/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrolebinding.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInjectAuthMethod/ClusterRoleBinding: disabled with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrolebinding.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInjectAuthMethod/ClusterRoleBinding: enabled with global.bootstrapACLs.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-clusterrolebinding.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

46
consul-helm/test/unit/connect-inject-authmethod-serviceaccount.bats Normal file
View File

@@ -0,0 +1,46 @@
#!/usr/bin/env bats
load _helpers
@test "connectInjectAuthMethod/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInjectAuthMethod/ServiceAccount: enabled with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-serviceaccount.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInjectAuthMethod/ServiceAccount: disabled with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-serviceaccount.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInjectAuthMethod/ServiceAccount: enabled with global.bootstrapACLs.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-authmethod-serviceaccount.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

119
consul-helm/test/unit/connect-inject-clusterrole.bats Normal file
View File

@@ -0,0 +1,119 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ClusterRole: enabled with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/ClusterRole: disabled with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ClusterRole: disabled with connectInject.certs.secretName set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.certs.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ClusterRole: enabled with connectInject.certs.secretName not set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "connectInject/ClusterRole: no podsecuritypolicies access with global.enablePodSecurityPolicies=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enablePodSecurityPolicies=false' \
. | tee /dev/stderr |
yq -r '.rules | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "connectInject/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[1].resources[0]' | tee /dev/stderr)
[ "${actual}" = "podsecuritypolicies" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs for namespaces
@test "connectInject/ClusterRole: does not allow secret access with global.bootsrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -r '.rules | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "connectInject/ClusterRole: allow secret access with global.bootsrapACLs=true and global.enableConsulNamespaces=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq -r '.rules[1].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}
@test "connectInject/ClusterRole: allows secret access with bootsrapACLs, enablePodSecurityPolicies and enableConsulNamespaces all true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrole.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq -r '.rules[2].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}

55
consul-helm/test/unit/connect-inject-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ClusterRoleBinding: enabled with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrolebinding.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/ClusterRoleBinding: disabled with connectInject.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrolebinding.yaml \
--set 'connectInject.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ClusterRoleBinding: disabled with connectInject.certs.secretName set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrolebinding.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.certs.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ClusterRoleBinding: enabled with connectInject.certs.secretName not set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-clusterrolebinding.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

783
consul-helm/test/unit/connect-inject-deployment.bats Executable file
View File

@@ -0,0 +1,783 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/Deployment: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: enable with global.enabled false, client.enabled true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: disable with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: fails if global.enabled=false" {
cd `chart_dir`
run helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enabled=false' \
--set 'connectInject.enabled=true' .
[ "$status" -eq 1 ]
[[ "$output" =~ "clients must be enabled for connect injection" ]]
}
@test "connectInject/Deployment: fails if global.enabled=true and client.enabled=false" {
cd `chart_dir`
run helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enabled=true' \
--set 'client.enabled=false' \
--set 'connectInject.enabled=true' .
[ "$status" -eq 1 ]
[[ "$output" =~ "clients must be enabled for connect injection" ]]
}
@test "connectInject/Deployment: fails if global.enabled=false and client.enabled=false" {
cd `chart_dir`
run helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=false' \
--set 'connectInject.enabled=true' .
[ "$status" -eq 1 ]
[[ "$output" =~ "clients must be enabled for connect injection" ]]
}
@test "connectInject/Deployment: fails if client.grpc=false" {
cd `chart_dir`
run helm template \
-x templates/connect-inject-deployment.yaml \
--set 'client.grpc=false' \
--set 'connectInject.enabled=true' .
[ "$status" -eq 1 ]
[[ "$output" =~ "client.grpc must be true for connect injection" ]]
}
#--------------------------------------------------------------------
# consul and envoy images
@test "connectInject/Deployment: container image is global default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.imageK8S=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
}
@test "connectInject/Deployment: container image overrides" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.imageK8S=foo' \
--set 'connectInject.image=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "\"bar\"" ]
}
@test "connectInject/Deployment: consul-image defaults to global" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.image=foo' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-image=\"foo\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: consul-image can be overridden" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.image=foo' \
--set 'connectInject.enabled=true' \
--set 'connectInject.imageConsul=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-image=\"bar\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: envoy-image is not set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-envoy-image"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: envoy-image can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.imageEnvoy=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-envoy-image=\"foo\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# cert secrets
@test "connectInject/Deployment: no secretName: no tls-{cert,key}-file set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-file"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-tls-key-file"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-tls-auto"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: with secretName: tls-{cert,key}-file set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.certs.secretName=foo' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-file"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.certs.secretName=foo' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-tls-key-file"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.certs.secretName=foo' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-tls-auto"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# service account name
@test "connectInject/Deployment: with secretName: no serviceAccountName set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.certs.secretName=foo' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.serviceAccountName | has("serviceAccountName")' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: no secretName: serviceAccountName set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.serviceAccountName | contains("connect-injector-webhook-svc-account")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# nodeSelector
@test "connectInject/Deployment: nodeSelector is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "connectInject/Deployment: nodeSelector is not set by default with sync enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "connectInject/Deployment: specified nodeSelector" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.nodeSelector=testing' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
#--------------------------------------------------------------------
# centralConfig
@test "connectInject/Deployment: centralConfig is enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-enable-central-config"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: centralConfig can be disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-enable-central-config"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: defaultProtocol is disabled by default with centralConfig enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-default-protocol"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: defaultProtocol can be enabled with centralConfig enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.enabled=true' \
--set 'connectInject.centralConfig.defaultProtocol=grpc' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-default-protocol=\"grpc\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# authMethod
@test "connectInject/Deployment: -acl-auth-method is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-acl-auth-method="))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: -acl-auth-method is set when global.bootstrapACLs is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-acl-auth-method=\"release-name-consul-k8s-auth-method\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: -acl-auth-method is set to connectInject.overrideAuthMethodName" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.overrideAuthMethodName=override' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-acl-auth-method=\"override\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: -acl-auth-method is overridden by connectInject.overrideAuthMethodName if global.bootstrapACLs is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
--set 'connectInject.overrideAuthMethodName=override' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-acl-auth-method=\"override\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "connectInject/Deployment: Adds tls-ca-cert volume when global.tls.enabled is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "connectInject/Deployment: Adds both tls-ca-cert and certs volumes when global.tls.enabled is true and connectInject.certs.secretName is set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
--set 'connectInject.certs.secretName=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes | length' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
@test "connectInject/Deployment: Adds tls-ca-cert volumeMounts when global.tls.enabled is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "connectInject/Deployment: Adds both tls-ca-cert and certs volumeMounts when global.tls.enabled is true and connectInject.certs.secretName is set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
--set 'connectInject.certs.secretName=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts | length' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
@test "connectInject/Deployment: can overwrite CA secret with the provided one" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the volume uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}
#--------------------------------------------------------------------
# k8sAllowNamespaces & k8sDenyNamespaces
@test "connectInject/Deployment: default is allow '*', deny nothing" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'map(select(test("allow-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq 'any(contains("allow-k8s-namespace=\"*\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'map(select(test("deny-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "connectInject/Deployment: can set allow and deny" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.k8sAllowNamespaces[0]=allowNamespace' \
--set 'connectInject.k8sDenyNamespaces[0]=denyNamespace' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'map(select(test("allow-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq 'map(select(test("deny-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq 'any(contains("allow-k8s-namespace=\"allowNamespace\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("deny-k8s-namespace=\"denyNamespace\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# namespaces
@test "connectInject/Deployment: namespace options disabled by default" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: namespace options set with .global.enableConsulNamespaces=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: mirroring options set with .connectInject.consulNamespaces.mirroringK8S=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.consulNamespaces.mirroringK8S=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: prefix can be set with .connectInject.consulNamespaces.mirroringK8SPrefix" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.consulNamespaces.mirroringK8S=true' \
--set 'connectInject.consulNamespaces.mirroringK8SPrefix=k8s-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix=k8s-"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# namespaces + acl token
@test "connectInject/Deployment: aclInjectToken disabled when namespaces not enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.aclInjectToken.secretKey=bar' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: aclInjectToken disabled when secretName is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.aclInjectToken.secretKey=bar' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: aclInjectToken disabled when secretKey is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.aclInjectToken.secretName=foo' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: aclInjectToken enabled when secretName and secretKey is provided" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.aclInjectToken.secretName=foo' \
--set 'connectInject.aclInjectToken.secretKey=bar' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name]' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'map(select(test("CONSUL_HTTP_TOKEN"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
#--------------------------------------------------------------------
# namespaces + global.bootstrapACLs
@test "connectInject/Deployment: CONSUL_HTTP_TOKEN env variable created when global.bootstrapACLs=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] ' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'map(select(test("CONSUL_HTTP_TOKEN"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "connectInject/Deployment: init container is created when global.bootstrapACLs=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "injector-acl-init" ]
local actual=$(echo $object |
yq -r '.command | any(contains("consul-k8s acl-init"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: cross namespace policy is not added when global.bootstrapACLs=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-cross-namespace-acl-policy"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: cross namespace policy is added when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-cross-namespace-acl-policy"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# namespaces + http address
@test "connectInject/Deployment: CONSUL_HTTP_ADDR env variable not set when namespaces are disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: CONSUL_HTTP_ADDR env variable set when namespaces are enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Deployment: CONSUL_HTTP_ADDR and CONSUL_CACERT env variables set when namespaces are enabled" {
cd `chart_dir`
local object=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] ' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("CONSUL_CACERT"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# namespaces + host ip
@test "connectInject/Deployment: HOST_IP env variable not set when namespaces are disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Deployment: HOST_IP env variable set when namespaces are enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

55
consul-helm/test/unit/connect-inject-mutatingwebhook.bats Executable file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/MutatingWebhookConfiguration: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-mutatingwebhook.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/MutatingWebhookConfiguration: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-mutatingwebhook.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/MutatingWebhookConfiguration: disable with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-mutatingwebhook.yaml \
--set 'connectInject.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/MutatingWebhookConfiguration: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-mutatingwebhook.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/MutatingWebhookConfiguration: namespace is set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-mutatingwebhook.yaml \
--set 'connectInject.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
}

44
consul-helm/test/unit/connect-inject-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/PodSecurityPolicy: disabled by default with connectInject enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-podsecuritypolicy.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/PodSecurityPolicy: disabled with connectInject disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-podsecuritypolicy.yaml \
--set 'connectInject.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/PodSecurityPolicy: enabled with connectInject enabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-podsecuritypolicy.yaml \
--set 'connectInject.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

44
consul-helm/test/unit/connect-inject-service.bats Executable file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/Service: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-service.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Service: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-service.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/Service: disable with connectInject.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-service.yaml \
--set 'connectInject.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/Service: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-service.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

55
consul-helm/test/unit/connect-inject-serviceaccount.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "connectInject/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ServiceAccount: enabled with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-serviceaccount.yaml \
--set 'global.enabled=false' \
--set 'client.enabled=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "connectInject/ServiceAccount: disabled with connectInject.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-serviceaccount.yaml \
--set 'connectInject.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ServiceAccount: disabled with connectInject.certs.secretName set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-serviceaccount.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.certs.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "connectInject/ServiceAccount: enabled with connectInject.certs.secretName not set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/connect-inject-serviceaccount.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

89
consul-helm/test/unit/dns-service.bats Executable file
View File

@@ -0,0 +1,89 @@
#!/usr/bin/env bats
load _helpers
@test "dns/Service: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "dns/Service: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
--set 'global.enabled=false' \
--set 'dns.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "dns/Service: disable with dns.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
--set 'dns.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "dns/Service: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# annotations
@test "dns/Service: no annotations by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
--set 'dns.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "dns/Service: can set annotations" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
--set 'dns.enabled=true' \
--set 'dns.annotations=key: value' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.key' | tee /dev/stderr)
[ "${actual}" = "value" ]
}
#--------------------------------------------------------------------
# clusterIP
@test "dns/Service: clusterIP not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
. | tee /dev/stderr |
yq '.spec | .clusterIP? == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "dns/Service: specified clusterIP" {
cd `chart_dir`
local actual=$(helm template \
-x templates/dns-service.yaml \
--set 'dns.clusterIP=192.168.1.1' \
. | tee /dev/stderr |
yq '.spec | .clusterIP == "192.168.1.1"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

97
consul-helm/test/unit/enterprise-license-clusterrole.bats Normal file
View File

@@ -0,0 +1,97 @@
#!/usr/bin/env bats
load _helpers
@test "enterpriseLicense/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRole: disabled with server=false, ent secret defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRole: disabled when ent secretName missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRole: disabled when ent secretKey missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRole: enabled when ent license defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "enterpriseLicense/ClusterRole: rules are empty if global.bootstrapACLs and global.enablePodSecurityPolicies are false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq '.rules | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "enterpriseLicense/ClusterRole: allows acl token when global.bootstrapACLs is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resourceNames[0] == "release-name-consul-enterprise-license-acl-token")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "enterpriseLicense/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}

55
consul-helm/test/unit/enterprise-license-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "enterpriseLicense/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRoleBinding: disabled with server=false, ent secret defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretName missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretKey missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ClusterRoleBinding: enabled when ent license defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

201
consul-helm/test/unit/enterprise-license-job.bats Normal file
View File

@@ -0,0 +1,201 @@
#!/usr/bin/env bats
load _helpers
@test "server/EnterpriseLicense: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/EnterpriseLicense: disabled when servers are disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/EnterpriseLicense: disabled when secretName is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/EnterpriseLicense: disabled when secretKey is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/EnterpriseLicense: enabled when secretName and secretKey is provided" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "server/EnterpriseLicense: CONSUL_HTTP_TOKEN env variable created when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/EnterpriseLicense: init container is created when global.bootstrapACLs=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "ent-license-acl-init" ]
local actual=$(echo $object |
yq -r '.command | any(contains("consul-k8s acl-init"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "server/EnterpriseLicense: no volumes when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "server/EnterpriseLicense: volumes present when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "server/EnterpriseLicense: no volumes mounted when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "server/EnterpriseLicense: volumes mounted when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "server/EnterpriseLicense: URL is http when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = "http://release-name-consul-server:8500" ]
}
@test "server/EnterpriseLicense: URL is https when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = "https://release-name-consul-server:8501" ]
}
@test "server/EnterpriseLicense: CA certificate is specified when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}
@test "server/EnterpriseLicense: can overwrite CA secret with the provided one" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
-x templates/enterprise-license-job.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the volume uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}

68
consul-helm/test/unit/enterprise-license-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,68 @@
#!/usr/bin/env bats
load _helpers
@test "enterpriseLicense/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/PodSecurityPolicy: disabled with server=false, ent secret defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-podsecuritypolicy.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/PodSecurityPolicy: disabled when ent secretName missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-podsecuritypolicy.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/PodSecurityPolicy: disabled when ent secretKey missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-podsecuritypolicy.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/PodSecurityPolicy: disabled when enablePodSecurityPolicies=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-podsecuritypolicy.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.enablePodSecurityPolicies=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/PodSecurityPolicy: enabled when ent license defined and enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-podsecuritypolicy.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

55
consul-helm/test/unit/enterprise-license-serviceaccount.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "enterpriseLicense/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ServiceAccount: disabled with server=false, ent secret defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-serviceaccount.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ServiceAccount: disabled when ent secretName missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-serviceaccount.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ServiceAccount: disabled when ent secretKey missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-serviceaccount.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "enterpriseLicense/ServiceAccount: enabled when ent license defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-serviceaccount.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

102
consul-helm/test/unit/helpers.bats Normal file
View File

@@ -0,0 +1,102 @@
#!/usr/bin/env bats
# This file tests the helpers in _helpers.tpl.
load _helpers
#--------------------------------------------------------------------
# consul.fullname
# These tests use test-runner.yaml to test the consul.fullname helper
# since we need an existing template that calls the consul.fullname helper.
@test "helper/consul.fullname: defaults to release-name-consul" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-consul-test" ]
}
@test "helper/consul.fullname: fullnameOverride overrides the name" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set fullnameOverride=override \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "override-test" ]
}
@test "helper/consul.fullname: fullnameOverride is truncated to 63 chars" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set fullnameOverride=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk-test" ]
}
@test "helper/consul.fullname: fullnameOverride has trailing '-' trimmed" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set fullnameOverride=override- \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "override-test" ]
}
@test "helper/consul.fullname: global.name overrides the name" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set global.name=override \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "override-test" ]
}
@test "helper/consul.fullname: global.name is truncated to 63 chars" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set global.name=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk-test" ]
}
@test "helper/consul.fullname: global.name has trailing '-' trimmed" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set global.name=override- \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "override-test" ]
}
@test "helper/consul.fullname: nameOverride is supported" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set nameOverride=override \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-override-test" ]
}
# This test ensures that we use {{ template "consul.fullname" }} everywhere instead of
# {{ .Release.Name }} because that's required in order to support the name
# override settings fullnameOverride and global.name. In some cases, we need to
# use .Release.Name. In those cases, add your exception to this list.
#
# If this test fails, you're likely using {{ .Release.Name }} where you should
# be using {{ template "consul.fullname" }}
@test "helper/consul.fullname: used everywhere" {
cd `chart_dir`
# Grep for uses of .Release.Name that aren't using it as a label.
local actual=$(grep -r '{{ .Release.Name }}' templates/*.yaml | grep -v 'release: ' | tee /dev/stderr )
[ "${actual}" = 'templates/server-acl-init-job.yaml: -server-label-selector=component=server,app={{ template "consul.name" . }},release={{ .Release.Name }} \' ]
}

76
consul-helm/test/unit/mesh-gateway-clusterrole.bats Normal file
View File

@@ -0,0 +1,76 @@
#!/usr/bin/env bats
load _helpers
@test "meshGateway/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/ClusterRole: enabled with meshGateway, connectInject and client.grpc enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrole.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "meshGateway/ClusterRole: rules for PodSecurityPolicy" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrole.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[0].resources[0]' | tee /dev/stderr)
[ "${actual}" = "podsecuritypolicies" ]
}
@test "meshGateway/ClusterRole: rules for global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrole.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -r '.rules[0].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}
@test "meshGateway/ClusterRole: rules is empty if no ACLs or PSPs" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrole.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.rules' | tee /dev/stderr)
[ "${actual}" = "[]" ]
}
@test "meshGateway/ClusterRole: rules for both ACLs and PSPs" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrole.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules | length' | tee /dev/stderr)
[ "${actual}" = "2" ]
}

38
consul-helm/test/unit/mesh-gateway-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,38 @@
#!/usr/bin/env bats
load _helpers
@test "meshGateway/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/ClusterRoleBinding: enabled with meshGateway, connectInject and client.grpc enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrolebinding.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "meshGateway/ClusterRoleBinding: subject name is correct" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-clusterrolebinding.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--name 'release-name' \
. | tee /dev/stderr |
yq -r '.subjects[0].name' | tee /dev/stderr)
[ "${actual}" = "release-name-consul-mesh-gateway" ]
}

656
consul-helm/test/unit/mesh-gateway-deployment.bats Executable file
View File

@@ -0,0 +1,656 @@
#!/usr/bin/env bats
load _helpers
@test "meshGateway/Deployment: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/Deployment: enabled with meshGateway, connectInject and client.grpc enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# prerequisites
@test "meshGateway/Deployment: fails if connectInject.enabled=false" {
cd `chart_dir`
run helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=false' \
--set 'client.grpc=true' .
[ "$status" -eq 1 ]
[[ "$output" =~ "connectInject.enabled must be true" ]]
}
@test "meshGateway/Deployment: fails if client.grpc=false" {
cd `chart_dir`
run helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'client.grpc=false' \
--set 'connectInject.enabled=true' .
[ "$status" -eq 1 ]
[[ "$output" =~ "client.grpc must be true" ]]
}
@test "meshGateway/Deployment: fails if global.enabled is false and clients are not explicitly enabled" {
cd `chart_dir`
run helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'client.grpc=true' \
--set 'connectInject.enabled=true' \
--set 'global.enabled=false' .
[ "$status" -eq 1 ]
[[ "$output" =~ "clients must be enabled" ]]
}
@test "meshGateway/Deployment: fails if global.enabled is true but clients are explicitly disabled" {
cd `chart_dir`
run helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'client.grpc=true' \
--set 'connectInject.enabled=true' \
--set 'global.enabled=true' \
--set 'client.enabled=false' .
[ "$status" -eq 1 ]
[[ "$output" =~ "clients must be enabled" ]]
}
#--------------------------------------------------------------------
# annotations
@test "meshGateway/Deployment: no extra annotations by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "meshGateway/Deployment: extra annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.annotations=key1: value1
key2: value2' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | length' | tee /dev/stderr)
[ "${actual}" = "3" ]
}
#--------------------------------------------------------------------
# replicas
@test "meshGateway/Deployment: replicas defaults to 2" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.replicas' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
@test "meshGateway/Deployment: replicas can be overridden" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.replicas=3' \
. | tee /dev/stderr |
yq -r '.spec.replicas' | tee /dev/stderr)
[ "${actual}" = "3" ]
}
#--------------------------------------------------------------------
# affinity
@test "meshGateway/Deployment: affinity defaults to one per node" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey' | tee /dev/stderr)
[ "${actual}" = "kubernetes.io/hostname" ]
}
@test "meshGateway/Deployment: affinity can be overridden" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.affinity=key: value' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.affinity.key' | tee /dev/stderr)
[ "${actual}" = "value" ]
}
#--------------------------------------------------------------------
# tolerations
@test "meshGateway/Deployment: no tolerations by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.tolerations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Deployment: tolerations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.tolerations=- key: value' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.tolerations[0].key' | tee /dev/stderr)
[ "${actual}" = "value" ]
}
#--------------------------------------------------------------------
# hostNetwork
@test "meshGateway/Deployment: hostNetwork is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Deployment: hostNetwork can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.hostNetwork=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.hostNetwork' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# dnsPolicy
@test "meshGateway/Deployment: no dnsPolicy by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.dnsPolicy' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Deployment: dnsPolicy can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.dnsPolicy=ClusterFirst' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.dnsPolicy' | tee /dev/stderr)
[ "${actual}" = "ClusterFirst" ]
}
#--------------------------------------------------------------------
# BootstrapACLs
@test "meshGateway/Deployment: global.BootstrapACLs enabled creates init container and secret" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr )
local init_container=$(echo "${actual}" | yq -r '.spec.template.spec.initContainers[1].name' | tee /dev/stderr)
[ "${init_container}" = "mesh-gateway-acl-init" ]
local secret=$(echo "${actual}" | yq -r '.spec.template.spec.containers[0].env[2].name' | tee /dev/stderr)
[ "${secret}" = "CONSUL_HTTP_TOKEN" ]
}
#--------------------------------------------------------------------
# envoyImage
@test "meshGateway/Deployment: envoy image has default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "envoyproxy/envoy:v1.13.0" ]
}
@test "meshGateway/Deployment: envoy image can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.imageEnvoy=new/image' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "new/image" ]
}
#--------------------------------------------------------------------
# resources
@test "meshGateway/Deployment: resources has default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
[ $(echo "${actual}" | yq -r '.requests.memory') = "128Mi" ]
[ $(echo "${actual}" | yq -r '.requests.cpu') = "250m" ]
[ $(echo "${actual}" | yq -r '.limits.memory') = "256Mi" ]
[ $(echo "${actual}" | yq -r '.limits.cpu') = "500m" ]
}
@test "meshGateway/Deployment: resources can be overridden" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.resources=requests: yadayada' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources.requests' | tee /dev/stderr)
[ "${actual}" = "yadayada" ]
}
#--------------------------------------------------------------------
# containerPort
@test "meshGateway/Deployment: containerPort defaults to 443" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr \
| yq '.spec.template.spec.containers[0]' | tee /dev/stderr)
[[ $(echo "$actual" | yq -r '.command[2]') =~ '-address="${POD_IP}:443"' ]]
[ $(echo "$actual" | yq -r '.ports[0].containerPort') = "443" ]
[ $(echo "$actual" | yq -r '.livenessProbe.tcpSocket.port') = "443" ]
[ $(echo "$actual" | yq -r '.readinessProbe.tcpSocket.port') = "443" ]
}
@test "meshGateway/Deployment: containerPort can be overridden" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.containerPort=8443' \
. | tee /dev/stderr \
| yq '.spec.template.spec.containers[0]' | tee /dev/stderr)
[[ $(echo "$actual" | yq -r '.command[2]') =~ '-address="${POD_IP}:8443"' ]]
[ $(echo "$actual" | yq -r '.ports[0].containerPort') = "8443" ]
[ $(echo "$actual" | yq -r '.livenessProbe.tcpSocket.port') = "8443" ]
[ $(echo "$actual" | yq -r '.readinessProbe.tcpSocket.port') = "8443" ]
}
#--------------------------------------------------------------------
# wanAddress
@test "meshGateway/Deployment: wanAddress.port defaults to 443" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.wanAddress.useNodeIP=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
[[ "${actual}" =~ '-wan-address="${HOST_IP}:443"' ]]
}
@test "meshGateway/Deployment: wanAddress uses NodeIP by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
[[ "${actual}" =~ '-wan-address="${HOST_IP}:443"' ]]
}
@test "meshGateway/Deployment: wanAddress.useNodeIP" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.wanAddress.useNodeIP=true' \
--set 'meshGateway.wanAddress.port=4444' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
[[ "${actual}" =~ '-wan-address="${HOST_IP}:4444"' ]]
}
@test "meshGateway/Deployment: wanAddress.useNodeName" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.wanAddress.useNodeIP=false' \
--set 'meshGateway.wanAddress.useNodeName=true' \
--set 'meshGateway.wanAddress.port=4444' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
[[ "${actual}" =~ '-wan-address="${NODE_NAME}:4444"' ]]
}
@test "meshGateway/Deployment: wanAddress.host" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.wanAddress.useNodeIP=false' \
--set 'meshGateway.wanAddress.useNodeName=false' \
--set 'meshGateway.wanAddress.host=myhost' \
--set 'meshGateway.wanAddress.port=4444' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
[[ "${actual}" =~ '-wan-address="myhost:4444"' ]]
}
#--------------------------------------------------------------------
# consulServiceName
@test "meshGateway/Deployment: fails if consulServiceName is set and bootstrapACLs is true" {
cd `chart_dir`
run helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.consulServiceName=override' \
--set 'global.bootstrapACLs=true' \
.
[ "$status" -eq 1 ]
[[ "$output" =~ "if global.bootstrapACLs is true, meshGateway.consulServiceName cannot be set" ]]
}
@test "meshGateway/Deployment: does not fail if consulServiceName is set to mesh-gateway and bootstrapACLs is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.consulServiceName=mesh-gateway' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr \
| yq '.spec.template.spec.containers[0]' | tee /dev/stderr )
[[ $(echo "${actual}" | yq -r '.command[2]' ) =~ '-service="mesh-gateway"' ]]
[[ $(echo "${actual}" | yq -r '.lifecycle.preStop.exec.command' ) =~ '-id=\"mesh-gateway\"' ]]
}
@test "meshGateway/Deployment: consulServiceName can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.consulServiceName=overridden' \
. | tee /dev/stderr \
| yq '.spec.template.spec.containers[0]' | tee /dev/stderr )
[[ $(echo "${actual}" | yq -r '.command[2]' ) =~ '-service="overridden"' ]]
[[ $(echo "${actual}" | yq -r '.lifecycle.preStop.exec.command' ) =~ '-id=\"overridden\"' ]]
}
#--------------------------------------------------------------------
# healthchecks
@test "meshGateway/Deployment: healthchecks are on by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr \
| yq '.spec.template.spec.containers[0]' | tee /dev/stderr )
local liveness=$(echo "${actual}" | yq -r '.livenessProbe | length > 0' | tee /dev/stderr)
[ "${liveness}" = "true" ]
local readiness=$(echo "${actual}" | yq -r '.readinessProbe | length > 0' | tee /dev/stderr)
[ "${readiness}" = "true" ]
}
@test "meshGateway/Deployment: can disable healthchecks" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.enableHealthChecks=false' \
. | tee /dev/stderr \
| yq '.spec.template.spec.containers[0]' | tee /dev/stderr )
local liveness=$(echo "${actual}" | yq -r '.livenessProbe | length > 0' | tee /dev/stderr)
[ "${liveness}" = "false" ]
local readiness=$(echo "${actual}" | yq -r '.readinessProbe | length > 0' | tee /dev/stderr)
[ "${readiness}" = "false" ]
}
#--------------------------------------------------------------------
# hostPort
@test "meshGateway/Deployment: no hostPort by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].ports[0].hostPort' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Deployment: can set a hostPort" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.hostPort=443' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].ports[0].hostPort' | tee /dev/stderr)
[ "${actual}" = "443" ]
}
#--------------------------------------------------------------------
# priorityClassName
@test "meshGateway/Deployment: no priorityClassName by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Deployment: can set a priorityClassName" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.priorityClassName=name' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
[ "${actual}" = "name" ]
}
#--------------------------------------------------------------------
# nodeSelector
@test "meshGateway/Deployment: no nodeSelector by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Deployment: can set a nodeSelector" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.nodeSelector=key: value' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.nodeSelector.key' | tee /dev/stderr)
[ "${actual}" = "value" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "meshGateway/Deployment: sets TLS flags when global.tls.enabled" {
cd `chart_dir`
local env=$(helm template \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr)
local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = 'https://$(HOST_IP):8501' ]
local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_GRPC_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = 'https://$(HOST_IP):8502' ]
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}
@test "meshGateway/Deployment: can overwrite CA secret with the provided one" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/client-snapshot-agent-deployment.yaml \
-x templates/mesh-gateway-deployment.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the volume uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}

25
consul-helm/test/unit/mesh-gateway-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/env bats
load _helpers
@test "meshGateway/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/PodSecurityPolicy: enabled with meshGateway, connectInject and client.grpc enabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-podsecuritypolicy.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

204
consul-helm/test/unit/mesh-gateway-service.bats Executable file
View File

@@ -0,0 +1,204 @@
#!/usr/bin/env bats
load _helpers
@test "meshGateway/Service: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/Service: disabled by default with meshGateway, connectInject and client.grpc enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/Service: enabled with meshGateway.enabled=true meshGateway.service.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# annotations
@test "meshGateway/Service: no annotations by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Service: can set annotations" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
--set 'meshGateway.service.annotations=key: value' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.key' | tee /dev/stderr)
[ "${actual}" = "value" ]
}
#--------------------------------------------------------------------
# port
@test "meshGateway/Service: has default port" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[0].port' | tee /dev/stderr)
[ "${actual}" = "443" ]
}
@test "meshGateway/Service: can set port" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
--set 'meshGateway.service.port=8443' \
. | tee /dev/stderr |
yq -r '.spec.ports[0].port' | tee /dev/stderr)
[ "${actual}" = "8443" ]
}
#--------------------------------------------------------------------
# targetPort
@test "meshGateway/Service: has default targetPort" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
[ "${actual}" = "443" ]
}
@test "meshGateway/Service: uses targetPort from containerPort" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
--set 'meshGateway.containerPort=8443' \
. | tee /dev/stderr |
yq -r '.spec.ports[0].targetPort' | tee /dev/stderr)
[ "${actual}" = "8443" ]
}
#--------------------------------------------------------------------
# nodePort
@test "meshGateway/Service: no nodePort by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "meshGateway/Service: can set a nodePort" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
--set 'meshGateway.service.nodePort=8443' \
. | tee /dev/stderr |
yq -r '.spec.ports[0].nodePort' | tee /dev/stderr)
[ "${actual}" = "8443" ]
}
#--------------------------------------------------------------------
# Service type
@test "meshGateway/Service: defaults to type ClusterIP" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "ClusterIP" ]
}
@test "meshGateway/Service: can set type" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
--set 'meshGateway.service.type=LoadBalancer' \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "LoadBalancer" ]
}
#--------------------------------------------------------------------
# additionalSpec
@test "meshGateway/Service: can add additionalSpec" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-service.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
--set 'meshGateway.service.enabled=true' \
--set 'meshGateway.service.additionalSpec=key: value' \
. | tee /dev/stderr |
yq -r '.spec.key' | tee /dev/stderr)
[ "${actual}" = "value" ]
}

25
consul-helm/test/unit/mesh-gateway-serviceaccount.bats Normal file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/env bats
load _helpers
@test "meshGateway/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "meshGateway/ServiceAccount: enabled with meshGateway, connectInject and client.grpc enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/mesh-gateway-serviceaccount.yaml \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

58
consul-helm/test/unit/server-acl-init-cleanup-clusterrole.bats Normal file
View File

@@ -0,0 +1,58 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInitCleanup/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/ClusterRole: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInitCleanup/ClusterRole: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/ClusterRole: enabled with client=true and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "serverACLInitCleanup/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}

44
consul-helm/test/unit/server-acl-init-cleanup-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInitCleanup/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/ClusterRoleBinding: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrolebinding.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInitCleanup/ClusterRoleBinding: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrolebinding.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/ClusterRoleBinding: enabled with client=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-clusterrolebinding.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

65
consul-helm/test/unit/server-acl-init-cleanup-job.bats Normal file
View File

@@ -0,0 +1,65 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInitCleanup/Job: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-job.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/Job: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInitCleanup/Job: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/Job: enabled with client=true and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInitCleanup/Job: disabled when server.updatePartition > 0" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.updatePartition=1' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/Job: consul-k8s delete-completed-job is called with correct arguments" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -c '.spec.template.spec.containers[0].args' | tee /dev/stderr)
[ "${actual}" = '["delete-completed-job","-k8s-namespace=default","release-name-consul-server-acl-init"]' ]
}

34
consul-helm/test/unit/server-acl-init-cleanup-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,34 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInitCleanup/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/PodSecurityPolicy: disabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-podsecuritypolicy.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/PodSecurityPolicy: enabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-podsecuritypolicy.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

44
consul-helm/test/unit/server-acl-init-cleanup-serviceaccount.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInitCleanup/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/ServiceAccount: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-serviceaccount.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInitCleanup/ServiceAccount: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-serviceaccount.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInitCleanup/ServiceAccount: enabled with client=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-cleanup-serviceaccount.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

72
consul-helm/test/unit/server-acl-init-clusterrole.bats Normal file
View File

@@ -0,0 +1,72 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInit/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/ClusterRole: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/ClusterRole: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/ClusterRole: enabled with client=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# connectInject.enabled
@test "serverACLInit/ClusterRole: allows service accounts when connectInject.enabled is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "serviceaccounts")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "serverACLInit/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrole.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}

44
consul-helm/test/unit/server-acl-init-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInit/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/ClusterRoleBinding: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrolebinding.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/ClusterRoleBinding: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrolebinding.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/ClusterRoleBinding: enabled with client=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-clusterrolebinding.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

660
consul-helm/test/unit/server-acl-init-job.bats Normal file
View File

@@ -0,0 +1,660 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInit/Job: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: enabled with client=false global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: disabled when server.updatePartition > 0" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.updatePartition=1' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: does not set -create-client-token=false when client is enabled (the default)" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command[2] | contains("-create-client-token=false")' |
tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: sets -create-client-token=false when client is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command[2] | contains("-create-client-token=false")' |
tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# dns
@test "serverACLInit/Job: dns acl option enabled with .dns.enabled=-" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("allow-dns"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: dns acl option enabled with .dns.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'dns.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("allow-dns"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: dns acl option disabled with .dns.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'dns.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("allow-dns"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# aclBindingRuleSelector/global.bootstrapACLs
@test "serverACLInit/Job: no acl-binding-rule-selector flag by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'connectInject.aclBindingRuleSlector=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: can specify acl-binding-rule-selector" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'connectInject.enabled=true' \
--set 'global.bootstrapACLs=true' \
--set 'connectInject.aclBindingRuleSelector="foo"' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-acl-binding-rule-selector=\"foo\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# enterpriseLicense
@test "serverACLInit/Job: ent license acl option enabled with server.enterpriseLicense.secretName and server.enterpriseLicense.secretKey set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-create-enterprise-license-token"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: ent license acl option disabled missing server.enterpriseLicense.secretName" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-create-enterprise-license-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: ent license acl option disabled missing server.enterpriseLicense.secretKey" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-create-enterprise-license-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# client.snapshotAgent
@test "serverACLInit/Job: snapshot agent acl option disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-create-snapshot-agent-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: snapshot agent acl option enabled with .client.snapshotAgent.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.snapshotAgent.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-create-snapshot-agent-token"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: mesh gateway acl option enabled with .meshGateway.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'meshGateway.enabled=true' \
--set 'connectInject.enabled=true' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-create-mesh-gateway-token"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "serverACLInit/Job: sets TLS flags when global.tls.enabled" {
cd `chart_dir`
local command=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual
actual=$(echo $command | jq -r '. | any(contains("-use-https"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo $command | jq -r '. | any(contains("-consul-ca-cert=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo $command | jq -r '. | any(contains("-consul-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/Job: can overwrite CA secret with the provided one" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the volume uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}
#--------------------------------------------------------------------
# namespaces
@test "serverACLInit/Job: namespace options disabled by default" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# namespaces + sync
@test "serverACLInit/Job: sync namespace options not set with namespaces enabled, sync disabled" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8S=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8SPrefix=k8s-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: sync namespace options set with .global.enableConsulNamespaces=true and sync enabled" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: sync mirroring options set with .syncCatalog.consulNamespaces.mirroringK8S=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8S=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: sync prefix can be set with .syncCatalog.consulNamespaces.mirroringK8SPrefix" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8S=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8SPrefix=k8s-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix=k8s-"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# namespaces + inject
@test "serverACLInit/Job: inject namespace options not set with namespaces enabled, inject disabled" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.consulNamespaces.mirroringK8S=true' \
--set 'connectInject.consulNamespaces.mirroringK8SPrefix=k8s-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: inject namespace options set with .global.enableConsulNamespaces=true and inject enabled" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: inject mirroring options set with .connectInject.consulNamespaces.mirroringK8S=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.consulNamespaces.mirroringK8S=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/Job: inject prefix can be set with .connectInject.consulNamespaces.mirroringK8SPrefix" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-acl-init-job.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'connectInject.enabled=true' \
--set 'connectInject.consulNamespaces.mirroringK8S=true' \
--set 'connectInject.consulNamespaces.mirroringK8SPrefix=k8s-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-sync-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-sync-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("sync-k8s-namespace-mirroring-prefix=k8s-"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("create-inject-namespace-token"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-inject-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-inject-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("inject-k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

34
consul-helm/test/unit/server-acl-init-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,34 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInit/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/PodSecurityPolicy: disabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-podsecuritypolicy.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/PodSecurityPolicy: enabled with global.bootstrapACLs=true and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-podsecuritypolicy.yaml \
--set 'global.bootstrapACLs=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

44
consul-helm/test/unit/server-acl-init-serviceaccount.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "serverACLInit/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/ServiceAccount: enabled with global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-serviceaccount.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "serverACLInit/ServiceAccount: disabled with server=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-serviceaccount.yaml \
--set 'global.bootstrapACLs=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "serverACLInit/ServiceAccount: enabled with client=false and global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-acl-init-serviceaccount.yaml \
--set 'global.bootstrapACLs=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

78
consul-helm/test/unit/server-clusterrole.bats Normal file
View File

@@ -0,0 +1,78 @@
#!/usr/bin/env bats
load _helpers
@test "server/ClusterRole: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ClusterRole: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ClusterRole: can be enabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ClusterRole: disabled with server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ClusterRole: enabled with server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
# The rules key must always be set (#178).
@test "server/ClusterRole: rules empty with server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq '.rules' | tee /dev/stderr)
[ "${actual}" = "[]" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "server/ClusterRole: podsecuritypolicies are added when global.enablePodSecurityPolicies is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrole.yaml \
--set 'server.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}

53
consul-helm/test/unit/server-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bats
load _helpers
@test "server/ClusterRoleBinding: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ClusterRoleBinding: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrolebinding.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ClusterRoleBinding: disabled with server disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrolebinding.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ClusterRoleBinding: enabled with server enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrolebinding.yaml \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ClusterRoleBinding: enabled with server enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-clusterrolebinding.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

167
consul-helm/test/unit/server-configmap.bats Executable file
View File

@@ -0,0 +1,167 @@
#!/usr/bin/env bats
load _helpers
@test "server/ConfigMap: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ConfigMap: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ConfigMap: disable with server.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ConfigMap: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ConfigMap: extraConfig is set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.extraConfig="{\"hello\": \"world\"}"' \
. | tee /dev/stderr |
yq '.data["extra-from-values.json"] | match("world") | length' | tee /dev/stderr)
[ ! -z "${actual}" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "server/ConfigMap: creates acl config with .global.bootstrapACLs enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.data["acl-config.json"] | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# connectInject.centralConfig
@test "server/ConfigMap: centralConfig is enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.data["central-config.json"] | contains("enable_central_service_config")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ConfigMap: centralConfig can be disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.enabled=false' \
. | tee /dev/stderr |
yq '.data["central-config.json"] | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ConfigMap: proxyDefaults disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
. | tee /dev/stderr |
yq '.data["proxy-defaults-config.json"] | length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ConfigMap: proxyDefaults can be enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \
. | tee /dev/stderr |
yq '.data["proxy-defaults-config.json"] | match("world") | length' | tee /dev/stderr)
[ ! -z "${actual}" ]
}
@test "server/ConfigMap: proxyDefaults and meshGateways can be enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \
--set 'meshGateway.enabled=true' \
--set 'meshGateway.globalMode=remote' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.data["proxy-defaults-config.json"]' | yq -r '.config_entries.bootstrap[0].mesh_gateway.mode' | tee /dev/stderr)
[ "${actual}" = "remote" ]
}
@test "server/ConfigMap: proxyDefaults should have no gateway mode if set to empty string" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \
--set 'meshGateway.enabled=true' \
--set 'meshGateway.globalMode=' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.data["proxy-defaults-config.json"]' | yq '.config_entries.bootstrap[0].mesh_gateway' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/ConfigMap: proxyDefaults should have no gateway mode if set to null" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.proxyDefaults="{\"hello\": \"world\"}"' \
--set 'meshGateway.enabled=true' \
--set 'meshGateway.globalMode=null' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.data["proxy-defaults-config.json"]' | yq '.config_entries.bootstrap[0].mesh_gateway' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/ConfigMap: global gateway mode is set even if there are no proxyDefaults" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'connectInject.enabled=true' \
--set 'connectInject.centralConfig.proxyDefaults=""' \
--set 'meshGateway.enabled=true' \
--set 'meshGateway.globalMode=remote' \
--set 'client.grpc=true' \
. | tee /dev/stderr |
yq -r '.data["proxy-defaults-config.json"]' | yq -r '.config_entries.bootstrap[0].mesh_gateway.mode' | tee /dev/stderr)
[ "${actual}" = "remote" ]
}

127
consul-helm/test/unit/server-disruptionbudget.bats Executable file
View File

@@ -0,0 +1,127 @@
#!/usr/bin/env bats
load _helpers
@test "server/DisruptionBudget: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/DisruptionBudget: enabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/DisruptionBudget: disabled with server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/DisruptionBudget: disabled with server.disruptionBudget.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.disruptionBudget.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/DisruptionBudget: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# maxUnavailable
@test "server/DisruptionBudget: correct maxUnavailable with replicas=1" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=1' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with replicas=3" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=3' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with replicas=4" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=4' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with replicas=5" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=5' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with replicas=6" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=6' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with replicas=7" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=7' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with replicas=8" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-disruptionbudget.yaml \
--set 'server.replicas=8' \
. | tee /dev/stderr |
yq '.spec.maxUnavailable' | tee /dev/stderr)
[ "${actual}" = "3" ]
}

33
consul-helm/test/unit/server-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,33 @@
#!/usr/bin/env bats
load _helpers
@test "server/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PodSecurityPolicy: disabled with server disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-podsecuritypolicy.yaml \
--set 'server.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-podsecuritypolicy.yaml \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

105
consul-helm/test/unit/server-service.bats Executable file
View File

@@ -0,0 +1,105 @@
#!/usr/bin/env bats
load _helpers
@test "server/Service: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/Service: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/Service: disable with server.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/Service: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
# This can be seen as testing just what we put into the YAML raw, but
# this is such an important part of making everything work we verify it here.
@test "server/Service: tolerates unready endpoints" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
. | tee /dev/stderr |
yq -r '.metadata.annotations["service.alpha.kubernetes.io/tolerate-unready-endpoints"]' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
-x templates/server-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "server/Service: no HTTPS listener when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "https") | .port' | tee /dev/stderr)
[ "${actual}" == "" ]
}
@test "server/Service: HTTPS listener set when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "https") | .port' | tee /dev/stderr)
[ "${actual}" == "8501" ]
}
@test "server/Service: HTTP listener still active when httpsOnly is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=false' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "http") | .port' | tee /dev/stderr)
[ "${actual}" == "8500" ]
}
@test "server/Service: no HTTP listener when httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-service.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "http") | .port' | tee /dev/stderr)
[ "${actual}" == "" ]
}

53
consul-helm/test/unit/server-serviceaccount.bats Normal file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bats
load _helpers
@test "server/ServiceAccount: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ServiceAccount: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-serviceaccount.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ServiceAccount: disabled with server disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-serviceaccount.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/ServiceAccount: enabled with server enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-serviceaccount.yaml \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ServiceAccount: enabled with server enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-serviceaccount.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

664
consul-helm/test/unit/server-statefulset.bats Executable file
View File

@@ -0,0 +1,664 @@
#!/usr/bin/env bats
load _helpers
@test "server/StatefulSet: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: disable with server.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/StatefulSet: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# retry-join
@test "server/StatefulSet: retry join gets populated" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.replicas=3' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | any(contains("-retry-join"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# image
@test "server/StatefulSet: image defaults to global.image" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.image=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "foo" ]
}
@test "server/StatefulSet: image can be overridden with server.image" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.image=foo' \
--set 'server.image=bar' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# resources
@test "server/StatefulSet: no resources defined by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/StatefulSet: resources can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.resources=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
[ "${actual}" = "foo" ]
}
#--------------------------------------------------------------------
# updateStrategy (derived from updatePartition)
@test "server/StatefulSet: no updateStrategy when not updating" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/StatefulSet: updateStrategy during update" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.updatePartition=2' \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy.type' | tee /dev/stderr)
[ "${actual}" = "RollingUpdate" ]
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.updatePartition=2' \
. | tee /dev/stderr |
yq -r '.spec.updateStrategy.rollingUpdate.partition' | tee /dev/stderr)
[ "${actual}" = "2" ]
}
#--------------------------------------------------------------------
# storageClass
@test "server/StatefulSet: no storageClass on claim by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/StatefulSet: can set storageClass" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.storageClass=foo' \
. | tee /dev/stderr |
yq -r '.spec.volumeClaimTemplates[0].spec.storageClassName' | tee /dev/stderr)
[ "${actual}" = "foo" ]
}
#--------------------------------------------------------------------
# extraVolumes
@test "server/StatefulSet: adds extra volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=configMap' \
--set 'server.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.configMap.name' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(echo $object |
yq -r '.configMap.secretName' | tee /dev/stderr)
[ "${actual}" = "null" ]
# Test that it mounts it
local object=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=configMap' \
--set 'server.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/userconfig/foo" ]
# Doesn't load it
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=configMap' \
--set 'server.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | map(select(test("userconfig"))) | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "server/StatefulSet: adds extra secret volume" {
cd `chart_dir`
# Test that it defines it
local object=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=secret' \
--set 'server.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.volumes[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.secret.name' | tee /dev/stderr)
[ "${actual}" = "null" ]
local actual=$(echo $object |
yq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo" ]
# Test that it mounts it
local object=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=configMap' \
--set 'server.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "userconfig-foo")' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.readOnly' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq -r '.mountPath' | tee /dev/stderr)
[ "${actual}" = "/consul/userconfig/foo" ]
# Doesn't load it
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=configMap' \
--set 'server.extraVolumes[0].name=foo' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | map(select(test("userconfig"))) | length' | tee /dev/stderr)
[ "${actual}" = "0" ]
}
@test "server/StatefulSet: adds loadable volume" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraVolumes[0].type=configMap' \
--set 'server.extraVolumes[0].name=foo' \
--set 'server.extraVolumes[0].load=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | map(select(test("/consul/userconfig/foo"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
}
#--------------------------------------------------------------------
# affinity
@test "server/StatefulSet: affinity not set with server.affinity=null" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.affinity=null' \
. | tee /dev/stderr |
yq '.spec.template.spec | .affinity? == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: affinity set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.affinity | .podAntiAffinity? != null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# nodeSelector
@test "server/StatefulSet: nodeSelector is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/StatefulSet: specified nodeSelector" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.nodeSelector=testing' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
#--------------------------------------------------------------------
# priorityClassName
@test "server/StatefulSet: priorityClassName is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.priorityClassName' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "server/StatefulSet: specified priorityClassName" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.priorityClassName=testing' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
#--------------------------------------------------------------------
# annotations
@test "server/StatefulSet: no annotations defined by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject")' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}
@test "server/StatefulSet: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# tolerations
@test "server/StatefulSet: tolerations not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec | .tolerations? == null' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: tolerations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.tolerations=foobar' \
. | tee /dev/stderr |
yq '.spec.template.spec.tolerations == "foobar"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# gossip encryption
@test "server/StatefulSet: gossip encryption disabled in server StatefulSet by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "" ]
}
@test "server/StatefulSet: gossip encryption disabled in server StatefulSet when secretName is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.gossipEncryption.secretKey=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "" ]
}
@test "server/StatefulSet: gossip encryption disabled in server StatefulSet when secretKey is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.gossipEncryption.secretName=foo' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "" ]
}
@test "server/StatefulSet: gossip environment variable present in server StatefulSet when all config is provided" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.gossipEncryption.secretKey=foo' \
--set 'global.gossipEncryption.secretName=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .env[] | select(.name == "GOSSIP_KEY") | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: encrypt CLI option not present in server StatefulSet when encryption disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | join(" ") | contains("encrypt")' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/StatefulSet: encrypt CLI option present in server StatefulSet when all config is provided" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.gossipEncryption.secretKey=foo' \
--set 'global.gossipEncryption.secretName=bar' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[] | select(.name=="consul") | .command | join(" ") | contains("encrypt")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# extraEnvironmentVariables
@test "server/StatefulSet: custom environment variables" {
cd `chart_dir`
local object=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.extraEnvironmentVars.custom_proxy=fakeproxy' \
--set 'server.extraEnvironmentVars.no_proxy=custom_no_proxy' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[2].name' | tee /dev/stderr)
[ "${actual}" = "custom_proxy" ]
local actual=$(echo $object |
yq -r '.[2].value' | tee /dev/stderr)
[ "${actual}" = "fakeproxy" ]
local actual=$(echo $object |
yq -r '.[3].name' | tee /dev/stderr)
[ "${actual}" = "no_proxy" ]
local actual=$(echo $object |
yq -r '.[3].value' | tee /dev/stderr)
[ "${actual}" = "custom_no_proxy" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "server/StatefulSet: CA volume present when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "server/StatefulSet: server volume present when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name == "tls-server-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "server/StatefulSet: CA volume mounted when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "server/StatefulSet: server certificate volume mounted when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "tls-server-cert")' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "server/StatefulSet: port 8501 is not exposed when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8501)' | tee /dev/stderr)
[ "${actual}" == "" ]
}
@test "server/StatefulSet: port 8501 is exposed when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8501)' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "server/StatefulSet: port 8500 is still exposed when httpsOnly is not enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8500)' | tee /dev/stderr)
[ "${actual}" != "" ]
}
@test "server/StatefulSet: port 8500 is not exposed when httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].ports[] | select (.containerPort == 8500)' | tee /dev/stderr)
[ "${actual}" == "" ]
}
@test "server/StatefulSet: readiness checks are over HTTP when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("http://127.0.0.1:8500")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: readiness checks are over HTTPS when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("https://127.0.0.1:8501")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: CA certificate is specified when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("--cacert /consul/tls/ca/tls.crt")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: HTTP is disabled in agent when httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | join(" ") | contains("ports { http = -1 }")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: sets Consul environment variables when global.tls.enabled" {
cd `chart_dir`
local env=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr)
local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = "https://localhost:8501" ]
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}
@test "server/StatefulSet: sets verify_* flags to true by default when global.tls.enabled" {
cd `chart_dir`
local command=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)
local actual
actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/StatefulSet: doesn't set the verify_* flags by default when global.tls.enabled and global.tls.verify is false" {
cd `chart_dir`
local command=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.verify=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)
local actual
actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
[ "${actual}" = "false" ]
actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
[ "${actual}" = "false" ]
actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/StatefulSet: can overwrite CA secret with the provided one" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the volume uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}

106
consul-helm/test/unit/sync-catalog-clusterrole.bats Executable file
View File

@@ -0,0 +1,106 @@
#!/usr/bin/env bats
load _helpers
@test "syncCatalog/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ClusterRole: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ClusterRole: disabled with sync disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'syncCatalog.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ClusterRole: enabled with sync enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/ClusterRole: enabled with sync enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'global.enabled=false' \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies
@test "syncCatalog/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[2].resources[0]' | tee /dev/stderr)
[ "${actual}" = "podsecuritypolicies" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "syncCatalog/ClusterRole: allows secret access with global.bootsrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq -r '.rules[2].resources[0]' | tee /dev/stderr)
[ "${actual}" = "secrets" ]
}
#--------------------------------------------------------------------
# syncCatalog.toK8S={true,false}
@test "syncCatalog/ClusterRole: has reduced permissions if toK8s=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toK8S=false' \
. | tee /dev/stderr |
yq -c '.rules[0].verbs' | tee /dev/stderr)
[ "${actual}" = '["get","list","watch"]' ]
}
@test "syncCatalog/ClusterRole: has full permissions if toK8s=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrole.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toK8S=true' \
. | tee /dev/stderr |
yq -c '.rules[0].verbs' | tee /dev/stderr)
[ "${actual}" = '["get","list","watch","update","patch","delete","create"]' ]
}

53
consul-helm/test/unit/sync-catalog-clusterrolebinding.bats Executable file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bats
load _helpers
@test "syncCatalog/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ClusterRoleBinding: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrolebinding.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ClusterRoleBinding: disabled with sync disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrolebinding.yaml \
--set 'syncCatalog.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ClusterRoleBinding: enabled with sync enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrolebinding.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/ClusterRoleBinding: enabled with sync enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-clusterrolebinding.yaml \
--set 'global.enabled=false' \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

630
consul-helm/test/unit/sync-catalog-deployment.bats Executable file
View File

@@ -0,0 +1,630 @@
#!/usr/bin/env bats
load _helpers
@test "syncCatalog/Deployment: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'global.enabled=false' \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: disable with syncCatalog.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# image
@test "syncCatalog/Deployment: image defaults to global.imageK8S" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'global.imageK8S=bar' \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "syncCatalog/Deployment: image can be overridden with server.image" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'global.imageK8S=foo' \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.image=bar' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].image' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# default sync
@test "syncCatalog/Deployment: default sync is true by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | any(contains("-k8s-default-sync=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: default sync can be turned off" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.default=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].command | any(contains("-k8s-default-sync=false"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# toConsul and toK8S
@test "syncCatalog/Deployment: bidirectional by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-consul"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-k8s"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: to-k8s only" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toConsul=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-consul=false"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toConsul=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-k8s"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: to-consul only" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toK8S=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-k8s=false"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.toK8S=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-to-consul"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# k8sPrefix
@test "syncCatalog/Deployment: no k8sPrefix by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-k8s-service-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: can specify k8sPrefix" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.k8sPrefix=foo-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-k8s-service-prefix=\"foo-\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# consulPrefix
@test "syncCatalog/Deployment: no consulPrefix by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-service-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: can specify consulPrefix" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.consulPrefix=foo-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-service-prefix=\"foo-\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# k8sTag
@test "syncCatalog/Deployment: no k8sTag flag by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-k8s-tag"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: can specify k8sTag" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.k8sTag=clusterB' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-k8s-tag=clusterB"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# serviceAccount
@test "syncCatalog/Deployment: serviceAccount set when sync enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.serviceAccountName | contains("sync-catalog")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# nodePortSyncType
@test "syncCatalog/Deployment: nodePortSyncType defaults to ExternalFirst" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-node-port-sync-type=ExternalFirst"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: can set nodePortSyncType to InternalOnly" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.nodePortSyncType=InternalOnly' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-node-port-sync-type=InternalOnly"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: can set nodePortSyncType to ExternalOnly" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.nodePortSyncType=ExternalOnly' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-node-port-sync-type=ExternalOnly"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# aclSyncToken
@test "syncCatalog/Deployment: aclSyncToken disabled when secretName is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.aclSyncToken.secretKey=bar' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: aclSyncToken disabled when secretKey is missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.aclSyncToken.secretName=foo' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: aclSyncToken enabled when secretName and secretKey is provided" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.aclSyncToken.secretName=foo' \
--set 'syncCatalog.aclSyncToken.secretKey=bar' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# nodeSelector
@test "syncCatalog/Deployment: nodeSelector is not set by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "syncCatalog/Deployment: nodeSelector is not set by default with sync enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "syncCatalog/Deployment: specified nodeSelector" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.nodeSelector=testing' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}
#--------------------------------------------------------------------
# global.bootstrapACLs
@test "syncCatalog/Deployment: CONSUL_HTTP_TOKEN env variable created when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: init container is created when global.bootstrapACLs=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.name' | tee /dev/stderr)
[ "${actual}" = "sync-acl-init" ]
local actual=$(echo $object |
yq -r '.command | any(contains("consul-k8s acl-init"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# addK8SNamespaceSuffix
@test "syncCatalog/Deployment: k8s namespace suffix enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-add-k8s-namespace-suffix"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: can set addK8SNamespaceSuffix to false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.addK8SNamespaceSuffix=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-add-k8s-namespace-suffix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "syncCatalog/Deployment: sets Consul environment variables when global.tls.enabled" {
cd `chart_dir`
local env=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr)
local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
[ "${actual}" = 'https://$(HOST_IP):8501' ]
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}
@test "syncCatalog/Deployment: can overwrite CA secret with the provided one" {
cd `chart_dir`
local ca_cert_volume=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# check that the volume uses the provided secret key
actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
}
#--------------------------------------------------------------------
# k8sAllowNamespaces & k8sDenyNamespaces
@test "syncCatalog/Deployment: default is allow `*`, deny kube-system and kube-public" {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'map(select(test("allow-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq 'any(contains("allow-k8s-namespace=\"*\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("deny-k8s-namespace=\"kube-system\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("deny-k8s-namespace=\"kube-public\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/Deployment: can set allow and deny namespaces {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'syncCatalog.k8sAllowNamespaces[0]=allowNamespace' \
--set 'syncCatalog.k8sDenyNamespaces[0]=denyNamespace' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'map(select(test("allow-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq 'map(select(test("deny-k8s-namespace"))) | length' | tee /dev/stderr)
[ "${actual}" = "1" ]
local actual=$(echo $object |
yq 'any(contains("allow-k8s-namespace=\"allowNamespace\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("deny-k8s-namespace=\"denyNamespace\""))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# namespaces
@test "syncCatalog/Deployment: namespace options disabled by default" {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: namespace options set with .global.enableConsulNamespaces=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: mirroring options set with .syncCatalog.consulNamespaces.mirroringK8S=true" {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8S=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: prefix can be set with .syncCatalog.consulNamespaces.mirroringK8SPrefix" {
cd `chart_dir`
local object=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8S=true' \
--set 'syncCatalog.consulNamespaces.mirroringK8SPrefix=k8s-' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
local actual=$(echo $object |
yq 'any(contains("enable-namespaces=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("consul-destination-namespace=default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("enable-k8s-namespace-mirroring=true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(echo $object |
yq 'any(contains("k8s-namespace-mirroring-prefix=k8s-"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
#--------------------------------------------------------------------
# namespaces + global.bootstrapACLs
@test "syncCatalog/Deployment: cross namespace policy is not added when global.bootstrapACLs=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-cross-namespace-acl-policy"))' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/Deployment: cross namespace policy is added when global.bootstrapACLs=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-deployment.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enableConsulNamespaces=true' \
--set 'global.bootstrapACLs=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-consul-cross-namespace-acl-policy"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

44
consul-helm/test/unit/sync-catalog-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "syncCatalog/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/PodSecurityPolicy: disabled by default with syncCatalog enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-podsecuritypolicy.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/PodSecurityPolicy: disabled with syncCatalog disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-podsecuritypolicy.yaml \
--set 'syncCatalog.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/PodSecurityPolicy: enabled with syncCatalog enabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-podsecuritypolicy.yaml \
--set 'syncCatalog.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

53
consul-helm/test/unit/sync-catalog-serviceaccount.bats Executable file
View File

@@ -0,0 +1,53 @@
#!/usr/bin/env bats
load _helpers
@test "syncCatalog/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ServiceAccount: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-serviceaccount.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ServiceAccount: disabled with sync disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-serviceaccount.yaml \
--set 'syncCatalog.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "syncCatalog/ServiceAccount: enabled with sync enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-serviceaccount.yaml \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "syncCatalog/ServiceAccount: enabled with sync enabled and global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/sync-catalog-serviceaccount.yaml \
--set 'global.enabled=false' \
--set 'syncCatalog.enabled=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

22
consul-helm/test/unit/test-runner.bats Normal file
View File

@@ -0,0 +1,22 @@
#!/usr/bin/env bats
load _helpers
@test "testRunner/Pod: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "testRunner/Pod: disabled when tests.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tests/test-runner.yaml \
--set 'tests.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

67
consul-helm/test/unit/tls-init-cleanup-clusterrole.bats Normal file
View File

@@ -0,0 +1,67 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInitCleanup/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ClusterRole: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ClusterRole: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ClusterRole: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInitCleanup/ClusterRole: enabled with global.tls.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrole.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInitCleanup/ClusterRole: adds pod security polices with global.tls.enabled and global.enablePodSecurityPolicies" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[] | select(.resources==["podsecuritypolicies"]) | .resourceNames[0]' | tee /dev/stderr)
[ "${actual}" = "release-name-consul-tls-init-cleanup" ]
}

55
consul-helm/test/unit/tls-init-cleanup-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInitCleanup/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ClusterRoleBinding: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ClusterRoleBinding: enabled with global.tls.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInitCleanup/ClusterRoleBinding: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ClusterRoleBinding: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

55
consul-helm/test/unit/tls-init-cleanup-job.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInitCleanup/Job: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-job.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/Job: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/Job: enabled with global.tls.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInitCleanup/Job: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/Job: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

44
consul-helm/test/unit/tls-init-cleanup-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInitCleanup/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/PodSecurityPolicy: disabled by default with TLS enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-podsecuritypolicy.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/PodSecurityPolicy: disabled with TLS disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-podsecuritypolicy.yaml \
--set 'global.tls.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/PodSecurityPolicy: enabled with TLS enabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-podsecuritypolicy.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

55
consul-helm/test/unit/tls-init-cleanup-serviceaccount.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInitCleanup/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ServiceAccount: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ServiceAccount: enabled with global.tls.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInitCleanup/ServiceAccount: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInitCleanup/ServiceAccount: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-cleanup-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

67
consul-helm/test/unit/tls-init-clusterrole.bats Normal file
View File

@@ -0,0 +1,67 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInit/ClusterRole: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrole.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ClusterRole: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ClusterRole: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ClusterRole: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/ClusterRole: enabled with global.tls.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrole.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/ClusterRole: adds pod security polices with global.tls.enabled and global.enablePodSecurityPolicies" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrole.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -r '.rules[] | select(.resources==["podsecuritypolicies"]) | .resourceNames[0]' | tee /dev/stderr)
[ "${actual}" = "release-name-consul-tls-init" ]
}

55
consul-helm/test/unit/tls-init-clusterrolebinding.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInit/ClusterRoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ClusterRoleBinding: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ClusterRoleBinding: enabled with global.tls.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/ClusterRoleBinding: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ClusterRoleBinding: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-clusterrolebinding.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

112
consul-helm/test/unit/tls-init-job.bats Normal file
View File

@@ -0,0 +1,112 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInit/Job: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/Job: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/Job: enabled with global.tls.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/Job: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/Job: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/Job: sets additional IP SANs when provided and global.tls.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.serverAdditionalIPSANs[0]=1.1.1.1' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-additional-ipaddress=1.1.1.1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/Job: sets additional DNS SANs when provided and global.tls.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.serverAdditionalDNSSANs[0]=example.com' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-additional-dnsname=example.com"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/Job: can overwrite CA secret with the provided one" {
cd `chart_dir`
local spec=$(helm template \
-x templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo-ca-cert' \
--set 'global.tls.caCert.secretKey=key' \
--set 'global.tls.caKey.secretName=foo-ca-key' \
--set 'global.tls.caKey.secretKey=key' \
. | tee /dev/stderr |
yq '.spec.template.spec' | tee /dev/stderr)
# check that the provided ca cert secret is attached as a volume
local actual
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-cert") | .secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-cert" ]
# uses the provided secret key for CA cert
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-cert") | .secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
# check that the provided ca key secret is attached as a volume
local actual
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-key") | .secret.secretName' | tee /dev/stderr)
[ "${actual}" = "foo-ca-key" ]
# uses the provided secret key for CA cert
actual=$(echo $spec | jq -r '.volumes[] | select(.name=="consul-ca-key") | .secret.items[0].key' | tee /dev/stderr)
[ "${actual}" = "key" ]
# check that it doesn't generate the CA
actual=$(echo $spec | jq -r '.containers[0].command | join(" ") | contains("consul tls ca create")' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

44
consul-helm/test/unit/tls-init-podsecuritypolicy.bats Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInit/PodSecurityPolicy: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-podsecuritypolicy.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/PodSecurityPolicy: disabled by default with TLS enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-podsecuritypolicy.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/PodSecurityPolicy: disabled with TLS disabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-podsecuritypolicy.yaml \
--set 'global.tls.enabled=false' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/PodSecurityPolicy: enabled with TLS enabled and global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-podsecuritypolicy.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enablePodSecurityPolicies=true' \
. | tee /dev/stderr |
yq -s 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

55
consul-helm/test/unit/tls-init-serviceaccount.bats Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bats
load _helpers
@test "tlsInit/ServiceAccount: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-serviceaccount.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ServiceAccount: disabled with global.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ServiceAccount: enabled with global.tls.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "tlsInit/ServiceAccount: disabled when server.enabled=false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "tlsInit/ServiceAccount: enabled when global.tls.enabled=true and server.enabled=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/tls-init-serviceaccount.yaml \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

183
consul-helm/test/unit/ui-service.bats Executable file
View File

@@ -0,0 +1,183 @@
#!/usr/bin/env bats
load _helpers
@test "ui/Service: enabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "ui/Service: enable with global.enabled false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
--set 'ui.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "ui/Service: disable with server.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'server.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "ui/Service: disable with ui.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'ui.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "ui/Service: disable with ui.service.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'ui.service.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "ui/Service: disable with global.enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.enabled=false' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "ui/Service: disable with global.enabled and server.enabled on" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.enabled=false' \
--set 'server.enabled=true' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "ui/Service: no type by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "ui/Service: specified type" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'ui.service.type=LoadBalancer' \
. | tee /dev/stderr |
yq -r '.spec.type' | tee /dev/stderr)
[ "${actual}" = "LoadBalancer" ]
}
#--------------------------------------------------------------------
# annotations
@test "ui/Service: no annotations by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
. | tee /dev/stderr |
yq -r '.metadata.annotations' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "ui/Service: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'ui.service.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
#--------------------------------------------------------------------
# additionalSpec
@test "ui/Service: no additionalSpec by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
. | tee /dev/stderr |
yq -r '.spec.loadBalancerIP' | tee /dev/stderr)
[ "${actual}" = "null" ]
}
@test "ui/Service: additionalSpec can be set" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'ui.service.additionalSpec=loadBalancerIP: 1.2.3.4' \
. | tee /dev/stderr |
yq -r '.spec.loadBalancerIP' | tee /dev/stderr)
[ "${actual}" = "1.2.3.4" ]
}
#--------------------------------------------------------------------
# global.tls.enabled
@test "ui/Service: no HTTPS listener when TLS is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.tls.enabled=false' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "https") | .port' | tee /dev/stderr)
[ "${actual}" == "" ]
}
@test "ui/Service: HTTPS listener set when TLS is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "https") | .port' | tee /dev/stderr)
[ "${actual}" == "443" ]
}
@test "ui/Service: HTTP listener still active when httpsOnly is disabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=false' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "http") | .port' | tee /dev/stderr)
[ "${actual}" == "80" ]
}
@test "ui/Service: no HTTP listener when httpsOnly is enabled" {
cd `chart_dir`
local actual=$(helm template \
-x templates/ui-service.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.httpsOnly=true' \
. | tee /dev/stderr |
yq -r '.spec.ports[] | select(.name == "http") | .port' | tee /dev/stderr)
[ "${actual}" == "" ]
}