mirror of
https://github.com/bvanroll/cicdTest.git
synced 2025-08-29 12:02:47 +00:00
132 lines
4.8 KiB
Bash
132 lines
4.8 KiB
Bash
#!/usr/bin/env bats
|
|
|
|
load _helpers
|
|
|
|
@test "client/PodSecurityPolicy: disabled by default" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
. | tee /dev/stderr |
|
|
yq 'length > 0' | tee /dev/stderr)
|
|
[ "${actual}" = "false" ]
|
|
}
|
|
|
|
@test "client/PodSecurityPolicy: disabled with client disabled and global.enablePodSecurityPolicies=true" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'client.enabled=false' \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
. | tee /dev/stderr |
|
|
yq 'length > 0' | tee /dev/stderr)
|
|
[ "${actual}" = "false" ]
|
|
}
|
|
|
|
@test "client/PodSecurityPolicy: enabled with global.enablePodSecurityPolicies=true" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
. | tee /dev/stderr |
|
|
yq -s 'length > 0' | tee /dev/stderr)
|
|
[ "${actual}" = "true" ]
|
|
}
|
|
|
|
@test "client/PodSecurityPolicy: only http and grpc ports are allowed as hostPorts by default" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
. | tee /dev/stderr |
|
|
yq -c '.spec.hostPorts' | tee /dev/stderr)
|
|
[ "${actual}" = '[{"min":8500,"max":8500},{"min":8502,"max":8502}]' ]
|
|
}
|
|
|
|
#--------------------------------------------------------------------
|
|
# client.grpc
|
|
|
|
@test "client/PodSecurityPolicy: hostPort 8502 is not allowed when client.grpc=false" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
--set 'client.grpc=false' \
|
|
. | tee /dev/stderr |
|
|
yq -c '.spec.hostPorts' | tee /dev/stderr)
|
|
[ "${actual}" = '[{"min":8500,"max":8500}]' ]
|
|
}
|
|
|
|
#--------------------------------------------------------------------
|
|
# client.exposeGossipPorts
|
|
|
|
@test "client/PodSecurityPolicy: hostPort 8301 allowed when exposeGossipPorts=true" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
--set 'client.exposeGossipPorts=true' \
|
|
. | tee /dev/stderr |
|
|
yq -c '.spec.hostPorts' | tee /dev/stderr)
|
|
[ "${actual}" = '[{"min":8500,"max":8500},{"min":8502,"max":8502},{"min":8301,"max":8301}]' ]
|
|
}
|
|
|
|
#--------------------------------------------------------------------
|
|
# client.dataDirectoryHostPath
|
|
|
|
@test "client/PodSecurityPolicy: disallows hostPath volume by default" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
. | tee /dev/stderr |
|
|
yq '.spec.volumes | any(contains("hostPath"))' | tee /dev/stderr)
|
|
[ "${actual}" = 'false' ]
|
|
}
|
|
|
|
@test "client/PodSecurityPolicy: allows hostPath volume when dataDirectoryHostPath is set" {
|
|
cd `chart_dir`
|
|
# Test that hostPath is an allowed volume type.
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
--set 'client.dataDirectoryHostPath=/opt/consul' \
|
|
. | tee /dev/stderr |
|
|
yq '.spec.volumes | any(contains("hostPath"))' | tee /dev/stderr)
|
|
[ "${actual}" = 'true' ]
|
|
|
|
# Test that the path we're allowed to write to is the right one.
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
--set 'client.dataDirectoryHostPath=/opt/consul' \
|
|
. | tee /dev/stderr |
|
|
yq -r '.spec.allowedHostPaths[0].pathPrefix' | tee /dev/stderr)
|
|
[ "${actual}" = '/opt/consul' ]
|
|
}
|
|
|
|
#--------------------------------------------------------------------
|
|
# global.tls.enabled
|
|
|
|
@test "client/PodSecurityPolicy: hostPort 8501 is allowed when global.tls.enabled=true" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
--set 'global.tls.enabled=true' \
|
|
. | tee /dev/stderr |
|
|
yq -c '.spec.hostPorts' | tee /dev/stderr)
|
|
[ "${actual}" = '[{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]
|
|
}
|
|
|
|
@test "client/PodSecurityPolicy: hostPort 8500 is not allowed when global.tls.enabled=true and global.tls.httpsOnly=true" {
|
|
cd `chart_dir`
|
|
local actual=$(helm template \
|
|
-x templates/client-podsecuritypolicy.yaml \
|
|
--set 'global.enablePodSecurityPolicies=true' \
|
|
--set 'global.tls.enabled=true' \
|
|
--set 'global.tls.httpsOnly=true' \
|
|
. | tee /dev/stderr |
|
|
yq -c '.spec.hostPorts' | tee /dev/stderr)
|
|
[ "${actual}" = '[{"min":8501,"max":8501},{"min":8502,"max":8502}]' ]
|
|
}
|