add cert mount and test
335
library/common-test/tests/cert/cert_secret_mount_test.yaml
Normal file
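--- /dev/null
+++ b/library/common-test/tests/cert/cert_secret_mount_test.yaml
@@ -0,0 +1,335 @@
+suite: certificate secret mount test
+templates:
+- common.yaml
+release:
+revision: 2
+tests:
+- it: should pass with 1 secret created
+documentIndex: &secretDoc 0
+set:
+scaleCerts:
+cert-name:
+id: 1
+# Simulating middleware injection
+ixCertificates:
+"1":
+certificate: cert_content
+privatekey: some_key
+asserts:
+- isKind:
+of: Secret
+- isAPIVersion:
+of: v1
+- equal:
+path: type
+value: kubernetes.io/tls
+- equal:
+path: metadata.name
+value: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+- isNotEmpty:
+path: data.tls\.crt
+- isNotEmpty:
+path: data.tls\.key
+
+- it: should pass with mounted secret both certificate and private key
+documentIndex: &deploymentDoc 1
+set:
+# Simulating middleware injection
+ixCertificates:
+"1":
+certificate: cert_content
+privatekey: some_key
+scaleCerts:
+cert-name:
+id: 1
+cert:
+enabled: true
+path: /some/path/crt.key
+readOnly: true
+defaultMode: 700
+key:
+enabled: true
+path: /some/path/key.key
+readOnly: true
+defaultMode: 700
+asserts:
+- isKind:
+of: Deployment
+- matchRegex:
+path: spec.template.spec.volumes[0].name
+pattern: &patternCert '^ix-certificate-cert-([0-9]+)-([a-z0-9]){5}$'
+- equal:
+path: spec.template.spec.volumes[0].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+pattern: *patternCert
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[0]
+content:
+mountPath: /some/path/crt.key
+subPath: tls.crt
+readOnly: true
+- matchRegex:
+path: spec.template.spec.volumes[1].name
+pattern: &patternKey '^ix-certificate-key-([0-9]+)-([a-z0-9]){5}$'
+- equal:
+path: spec.template.spec.volumes[1].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[1].name
+pattern: *patternKey
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[1]
+content:
+mountPath: /some/path/key.key
+subPath: tls.key
+readOnly: true
+
+- it: should pass with mounted secret only certificate
+documentIndex: *deploymentDoc
+set:
+# Simulating middleware injection
+ixCertificates:
+"1":
+certificate: cert_content
+privatekey: some_key
+scaleCerts:
+cert-name:
+id: 1
+cert:
+enabled: true
+path: /some/path/crt.key
+readOnly: true
+defaultMode: 700
+key:
+enabled: false
+path: /some/path/key.key
+readOnly: true
+defaultMode: 700
+asserts:
+- isKind:
+of: Deployment
+- matchRegex:
+path: spec.template.spec.volumes[0].name
+pattern: *patternCert
+- equal:
+path: spec.template.spec.volumes[0].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+pattern: *patternCert
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[0]
+content:
+mountPath: /some/path/crt.key
+subPath: tls.crt
+readOnly: true
+
+- it: should pass with mounted secret only private key
+documentIndex: *deploymentDoc
+set:
+# Simulating middleware injection
+ixCertificates:
+"1":
+certificate: cert_content
+privatekey: some_key
+scaleCerts:
+cert-name:
+id: 1
+cert:
+enabled: false
+path: /some/path/crt.key
+readOnly: true
+defaultMode: 700
+key:
+enabled: true
+path: /some/path/key.key
+readOnly: true
+defaultMode: 700
+asserts:
+- matchRegex:
+path: spec.template.spec.volumes[0].name
+pattern: *patternKey
+- equal:
+path: spec.template.spec.volumes[0].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+pattern: *patternKey
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[0]
+content:
+mountPath: /some/path/key.key
+subPath: tls.key
+readOnly: true
+
+- it: should pass with 2 mounted secret both certificate and private key
+documentIndex: &secondDeploymentDoc 2
+set:
+# Simulating middleware injection
+ixCertificates:
+"1":
+certificate: cert_content
+privatekey: some_key
+"2":
+certificate: cert_content
+privatekey: some_key
+scaleCerts:
+cert-name:
+id: 1
+cert:
+enabled: true
+path: /some/path/crt.key
+readOnly: true
+defaultMode: 700
+key:
+enabled: true
+path: /some/path/key.key
+readOnly: true
+defaultMode: 700
+cert-name2:
+id: 2
+cert:
+enabled: true
+path: /some/path/crt.key
+readOnly: true
+defaultMode: 700
+key:
+enabled: true
+path: /some/path/key.key
+readOnly: true
+defaultMode: 700
+asserts:
+- isKind:
+of: Deployment
+- matchRegex:
+path: spec.template.spec.volumes[0].name
+pattern: *patternCert
+- equal:
+path: spec.template.spec.volumes[0].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+pattern: *patternCert
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[0]
+content:
+mountPath: /some/path/crt.key
+subPath: tls.crt
+readOnly: true
+
+- matchRegex:
+path: spec.template.spec.volumes[1].name
+pattern: *patternCert
+- equal:
+path: spec.template.spec.volumes[1].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[1].name
+pattern: *patternCert
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[1]
+content:
+mountPath: /some/path/crt.key
+subPath: tls.crt
+readOnly: true
+
+- matchRegex:
+path: spec.template.spec.volumes[2].name
+pattern: *patternKey
+- equal:
+path: spec.template.spec.volumes[2].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[2].name
+pattern: *patternKey
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[2]
+content:
+mountPath: /some/path/key.key
+subPath: tls.key
+readOnly: true
+
+- matchRegex:
+path: spec.template.spec.volumes[3].name
+pattern: *patternKey
+- equal:
+path: spec.template.spec.volumes[3].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2
+defaultMode: 700
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[3].name
+pattern: *patternKey
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[3]
+content:
+mountPath: /some/path/key.key
+subPath: tls.key
+readOnly: true
+
+- it: should pass with mounted secret both certificate and private key without extra options
+documentIndex: *deploymentDoc
+set:
+# Simulating middleware injection
+ixCertificates:
+"1":
+certificate: cert_content
+privatekey: some_key
+scaleCerts:
+cert-name:
+id: 1
+cert:
+enabled: true
+path: /some/path/crt.key
+key:
+enabled: true
+path: /some/path/key.key
+asserts:
+- isKind:
+of: Deployment
+- matchRegex:
+path: spec.template.spec.volumes[0].name
+pattern: *patternCert
+- equal:
+path: spec.template.spec.volumes[0].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[0].name
+pattern: *patternCert
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[0]
+content:
+mountPath: /some/path/crt.key
+subPath: tls.crt
+- matchRegex:
+path: spec.template.spec.volumes[1].name
+pattern: *patternKey
+- equal:
+path: spec.template.spec.volumes[1].secret
+value:
+secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+- matchRegex:
+path: spec.template.spec.containers[0].volumeMounts[1].name
+pattern: *patternKey
+- isSubset:
+path: spec.template.spec.containers[0].volumeMounts[1]
+content:
+mountPath: /some/path/key.key
+subPath: tls.key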
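Review bot: `defaultMode: 700` in the `set:` blocks (first under the `cert:` entry of the "mounted secret both certificate and private key" case) and the matching `defaultMode: 700` expectations under `volumes[*].secret` pin the decimal integer 700, which lies outside the 0–0777 range the Kubernetes API accepts for a secret volume's defaultMode; a release rendered from these values would be rejected on apply, so the fixture should use an octal literal such as `defaultMode: 0400` (read as 256 by Helm's YAML 1.1 loader) and the expectation must change in step since the template passes the value through unchanged. The "2 mounted secret" case gives `cert-name` and `cert-name2` identical `mountPath` values (`/some/path/crt.key` and `/some/path/key.key` each appear twice in one container), which the API server also rejects because mount paths must be unique per container; helm-unittest does not validate this, so give the second entry distinct paths, e.g. `path: /some/path2/crt.key` and `path: /some/path2/key.key`. `&secretDoc` is anchored on the first test but never aliased, so it can be dropped or used in place of the literal index for consistency with `*deploymentDoc`.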
@@ -1,6 +1,8 @@
|
||||
{{- define "ix.v1.common.class.certificate" -}}
|
||||
{{- $cert := .cert -}}
|
||||
{{- $root := .root -}}
|
||||
{{- $tlsCrtKey := "tls.crt" -}}
|
||||
{{- $tlsPrivateKey := "tls.key" -}}
|
||||
|
||||
{{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}}
|
||||
{{- fail (printf "Certificate (%s) has no <id> key" $cert.nameOverride) -}}
|
||||
@@ -17,17 +19,61 @@
|
||||
{{- end -}}
|
||||
{{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
|
||||
|
||||
{{- if (hasKey $cert "certPath") -}}
|
||||
{{- if $cert.certPath -}}
|
||||
{{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
|
||||
{{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
|
||||
{{- if (hasKey $cert "cert") -}}
|
||||
{{/* Create the dict */}}
|
||||
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
|
||||
|
||||
{{/* If cert is enabled */}}
|
||||
{{- if $cert.cert.enabled -}}
|
||||
{{/* And has a path... */}}
|
||||
{{- if $cert.cert.path -}}
|
||||
|
||||
{{/* Append mountPath and subPath */}}
|
||||
{{- $_ := set $persistenceDict "mountPath" $cert.cert.path -}}
|
||||
{{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
|
||||
|
||||
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.cert "readOnly") -}}
|
||||
{{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.cert "defaultMode") -}}
|
||||
{{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
|
||||
{{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (hasKey $cert "keyPath") -}}
|
||||
{{- if $cert.keyPath -}}
|
||||
{{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
|
||||
{{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
|
||||
{{- if (hasKey $cert "key") -}}
|
||||
{{/* Create the dict */}}
|
||||
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
|
||||
|
||||
{{/* If key is enabled */}}
|
||||
{{- if $cert.key.enabled -}}
|
||||
{{/* And has a path... */}}
|
||||
{{- if $cert.key.path -}}
|
||||
|
||||
{{/* Append mountPath and subPath */}}
|
||||
{{- $_ := set $persistenceDict "mountPath" $cert.key.path -}}
|
||||
{{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
|
||||
|
||||
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.key "readOnly") -}}
|
||||
{{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.key "defaultMode") -}}
|
||||
{{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
|
||||
{{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
---
|
||||
@@ -47,7 +93,7 @@ metadata:
|
||||
{{- . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
|
||||
tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
|
||||
{{ $tlsCrtKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
|
||||
{{ $tlsPrivateKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
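Review bot: The persistence keys built by `printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)` and `printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)` in the `@@ -17,17 +19,61 @@` hunk make rendering non-deterministic: the suffix ends up as the volume and volumeMount name, so every `helm template`/`helm upgrade` yields a different pod template, which triggers a rollout on each upgrade and makes diff-based review of releases noisy. The comment states the suffix only exists to avoid duplicate keys, and `$certID` is already in the key, so a deterministic discriminator — presumably the same per-entry name that distinguishes `$secretName`, though that is computed above this hunk and I cannot confirm its source — would avoid collisions without randomness, and the unit test's `matchRegex` patterns could then become exact `equal` assertions. Separately, when `$cert.cert.enabled` is true but `path` is empty the `{{- if $cert.cert.path -}}` guard silently produces no mount, so the container starts without the certificate it was configured to receive; an `else` branch with `{{- fail (printf "Certificate (%s) cert mount is enabled but has no <path>" $cert.nameOverride) -}}` would match how the missing `id` case is handled in the first hunk, and the same applies to the `$cert.key.path` guard. The enclosing define starts in the first hunk and the rest of its body lies outside these hunks.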
||||