add cert mount and test

Stavros kois
2022-12-13 20:05:25 +02:00
parent 55d91d5533
commit 2197ce7847
2 changed files with 391 additions and 10 deletions


@@ -0,0 +1,335 @@
suite: certificate secret mount test
templates:
- common.yaml
release:
revision: 2
tests:
- it: should pass with 1 secret created
documentIndex: &secretDoc 0
set:
scaleCerts:
cert-name:
id: 1
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
asserts:
- isKind:
of: Secret
- isAPIVersion:
of: v1
- equal:
path: type
value: kubernetes.io/tls
- equal:
path: metadata.name
value: RELEASE-NAME-common-test-cert-name-ixcert-1-2
- isNotEmpty:
path: data.tls\.crt
- isNotEmpty:
path: data.tls\.key
- it: should pass with mounted secret both certificate and private key
documentIndex: &deploymentDoc 1
set:
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
scaleCerts:
cert-name:
id: 1
cert:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
asserts:
- isKind:
of: Deployment
- matchRegex:
path: spec.template.spec.volumes[0].name
pattern: &patternCert '^ix-certificate-cert-([0-9]+)-([a-z0-9]){5}$'
- equal:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[0]
content:
mountPath: /some/path/crt.key
subPath: tls.crt
readOnly: true
- matchRegex:
path: spec.template.spec.volumes[1].name
pattern: &patternKey '^ix-certificate-key-([0-9]+)-([a-z0-9]){5}$'
- equal:
path: spec.template.spec.volumes[1].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[1].name
pattern: *patternKey
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[1]
content:
mountPath: /some/path/key.key
subPath: tls.key
readOnly: true
- it: should pass with mounted secret only certificate
documentIndex: *deploymentDoc
set:
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
scaleCerts:
cert-name:
id: 1
cert:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
key:
enabled: false
path: /some/path/key.key
readOnly: true
defaultMode: 700
asserts:
- isKind:
of: Deployment
- matchRegex:
path: spec.template.spec.volumes[0].name
pattern: *patternCert
- equal:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[0]
content:
mountPath: /some/path/crt.key
subPath: tls.crt
readOnly: true
- it: should pass with mounted secret only private key
documentIndex: *deploymentDoc
set:
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
scaleCerts:
cert-name:
id: 1
cert:
enabled: false
path: /some/path/crt.key
readOnly: true
defaultMode: 700
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
asserts:
- matchRegex:
path: spec.template.spec.volumes[0].name
pattern: *patternKey
- equal:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternKey
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[0]
content:
mountPath: /some/path/key.key
subPath: tls.key
readOnly: true
- it: should pass with 2 mounted secret both certificate and private key
documentIndex: &secondDeploymentDoc 2
set:
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
"2":
certificate: cert_content
privatekey: some_key
scaleCerts:
cert-name:
id: 1
cert:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
cert-name2:
id: 2
cert:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
asserts:
- isKind:
of: Deployment
- matchRegex:
path: spec.template.spec.volumes[0].name
pattern: *patternCert
- equal:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[0]
content:
mountPath: /some/path/crt.key
subPath: tls.crt
readOnly: true
- matchRegex:
path: spec.template.spec.volumes[1].name
pattern: *patternCert
- equal:
path: spec.template.spec.volumes[1].secret
value:
secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[1].name
pattern: *patternCert
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[1]
content:
mountPath: /some/path/crt.key
subPath: tls.crt
readOnly: true
- matchRegex:
path: spec.template.spec.volumes[2].name
pattern: *patternKey
- equal:
path: spec.template.spec.volumes[2].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[2].name
pattern: *patternKey
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[2]
content:
mountPath: /some/path/key.key
subPath: tls.key
readOnly: true
- matchRegex:
path: spec.template.spec.volumes[3].name
pattern: *patternKey
- equal:
path: spec.template.spec.volumes[3].secret
value:
secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2
defaultMode: 700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[3].name
pattern: *patternKey
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[3]
content:
mountPath: /some/path/key.key
subPath: tls.key
readOnly: true
- it: should pass with mounted secret both certificate and private key without extra options
documentIndex: *deploymentDoc
set:
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
scaleCerts:
cert-name:
id: 1
cert:
enabled: true
path: /some/path/crt.key
key:
enabled: true
path: /some/path/key.key
asserts:
- isKind:
of: Deployment
- matchRegex:
path: spec.template.spec.volumes[0].name
pattern: *patternCert
- equal:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[0]
content:
mountPath: /some/path/crt.key
subPath: tls.crt
- matchRegex:
path: spec.template.spec.volumes[1].name
pattern: *patternKey
- equal:
path: spec.template.spec.volumes[1].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[1].name
pattern: *patternKey
- isSubset:
path: spec.template.spec.containers[0].volumeMounts[1]
content:
mountPath: /some/path/key.key
subPath: tls.key
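Review bot: The fixtures set `defaultMode: 700` (first at the `cert:`/`key:` blocks under `cert-name`), which YAML reads as decimal 700 = octal 1274 — outside the 0–511 (0000–0777) range Kubernetes accepts for a secret volume's defaultMode — so the `defaultMode: 700` assertions on `volumes[0].secret` and `volumes[1].secret` pin a value the API server would reject, and helm-unittest renders only, so nothing here catches it. For a private-key mount the intended value is presumably owner-read-only; write it as the octal literal `defaultMode: 0400` (or decimal `256`) in every fixture and assertion so the test documents the safe mode rather than an invalid one. In the two-certificate case both entries use the same `path: /some/path/crt.key` and `/some/path/key.key`, which produces two volumeMounts with one mountPath in a single container — Kubernetes requires mountPath to be unique per container, so give `cert-name2` distinct paths to keep the fixture a valid pod spec. Minor: the `&secretDoc` anchor is never referenced, and the "only private key" case lacks the `isKind: Deployment` assertion the sibling cases start with.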


@@ -1,6 +1,8 @@
{{- define "ix.v1.common.class.certificate" -}}
{{- $cert := .cert -}}
{{- $root := .root -}}
{{- $tlsCrtKey := "tls.crt" -}}
{{- $tlsPrivateKey := "tls.key" -}}
{{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}}
{{- fail (printf "Certificate (%s) has no <id> key" $cert.nameOverride) -}}
@@ -17,17 +19,61 @@
{{- end -}}
{{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
{{- if (hasKey $cert "certPath") -}}
{{- if $cert.certPath -}}
{{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
{{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
{{- if (hasKey $cert "cert") -}}
{{/* Create the dict */}}
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
{{/* If cert is enabled */}}
{{- if $cert.cert.enabled -}}
{{/* And has a path... */}}
{{- if $cert.cert.path -}}
{{/* Append mountPath and subPath */}}
{{- $_ := set $persistenceDict "mountPath" $cert.cert.path -}}
{{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
{{- if (hasKey $cert.cert "readOnly") -}}
{{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}}
{{- end -}}
{{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}}
{{- if (hasKey $cert.cert "defaultMode") -}}
{{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}}
{{- end -}}
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
{{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $cert "keyPath") -}}
{{- if $cert.keyPath -}}
{{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
{{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
{{- if (hasKey $cert "key") -}}
{{/* Create the dict */}}
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
{{/* If key is enabled */}}
{{- if $cert.key.enabled -}}
{{/* And has a path... */}}
{{- if $cert.key.path -}}
{{/* Append mountPath and subPath */}}
{{- $_ := set $persistenceDict "mountPath" $cert.key.path -}}
{{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
{{- if (hasKey $cert.key "readOnly") -}}
{{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}}
{{- end -}}
{{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}}
{{- if (hasKey $cert.key "defaultMode") -}}
{{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}}
{{- end -}}
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
{{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
{{- end -}}
{{- end -}}
{{- end }}
---
@@ -47,7 +93,7 @@ metadata:
{{- . | nindent 4 }}
{{- end }}
data:
tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
{{ $tlsCrtKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
{{ $tlsPrivateKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
{{- end -}}
{{- end -}}
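Review bot: The persistence keys are built with `randAlphaNum 5`, so the same values render a different volume/volumeMount name on every `helm template` or upgrade — that defeats drift detection in GitOps and `helm diff`, and is the reason the new tests can only regex-match the names instead of asserting them. Uniqueness is already guaranteed by the cert id plus which half is mounted, so a deterministic key such as `printf "ix-certificate-cert-%s" $certID` (and `ix-certificate-key-%s`) avoids dupes just as well; if two scaleCerts entries can share an id, append the entry name instead of a random suffix. Because both halves are mounted with `subPath`, a running pod never sees updates to the Secret — rotation only takes effect through the revision-suffixed secret name in `$secretName` and the pod rollout that implies; a comment like `{{/* subPath mounts are never refreshed in place; rotation relies on the revision suffix in $secretName forcing a new pod */}}` would stop someone "fixing" the suffix later. `defaultMode` is forwarded verbatim and the comment defers validation to the volume helper (not visible here) — please confirm it rejects values outside 0–511 and consider defaulting the key mount to 0400, since the private key is the sensitive half. The `ix.v1.common.class.certificate` define starts before the second hunk and `$certID` is defined outside it.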