diff --git a/library/common-test/tests/cert/cert_secret_mount_test.yaml b/library/common-test/tests/cert/cert_secret_mount_test.yaml new file mode 100644 index 00000000..b176525e --- /dev/null +++ b/library/common-test/tests/cert/cert_secret_mount_test.yaml @@ -0,0 +1,335 @@ +suite: certificate secret mount test +templates: + - common.yaml +release: + revision: 2 +tests: + - it: should pass with 1 secret created + documentIndex: &secretDoc 0 + set: + scaleCerts: + cert-name: + id: 1 + # Simulating middleware injection + ixCertificates: + "1": + certificate: cert_content + privatekey: some_key + asserts: + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: type + value: kubernetes.io/tls + - equal: + path: metadata.name + value: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + - isNotEmpty: + path: data.tls\.crt + - isNotEmpty: + path: data.tls\.key + + - it: should pass with mounted secret both certificate and private key + documentIndex: &deploymentDoc 1 + set: + # Simulating middleware injection + ixCertificates: + "1": + certificate: cert_content + privatekey: some_key + scaleCerts: + cert-name: + id: 1 + cert: + enabled: true + path: /some/path/crt.key + readOnly: true + defaultMode: 700 + key: + enabled: true + path: /some/path/key.key + readOnly: true + defaultMode: 700 + asserts: + - isKind: + of: Deployment + - matchRegex: + path: spec.template.spec.volumes[0].name + pattern: &patternCert '^ix-certificate-cert-([0-9]+)-([a-z0-9]){5}$' + - equal: + path: spec.template.spec.volumes[0].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[0].name + pattern: *patternCert + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[0] + content: + mountPath: /some/path/crt.key + subPath: tls.crt + readOnly: true + - matchRegex: + path: spec.template.spec.volumes[1].name + pattern: &patternKey '^ix-certificate-key-([0-9]+)-([a-z0-9]){5}$' + - equal: + path: spec.template.spec.volumes[1].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[1].name + pattern: *patternKey + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[1] + content: + mountPath: /some/path/key.key + subPath: tls.key + readOnly: true + + - it: should pass with mounted secret only certificate + documentIndex: *deploymentDoc + set: + # Simulating middleware injection + ixCertificates: + "1": + certificate: cert_content + privatekey: some_key + scaleCerts: + cert-name: + id: 1 + cert: + enabled: true + path: /some/path/crt.key + readOnly: true + defaultMode: 700 + key: + enabled: false + path: /some/path/key.key + readOnly: true + defaultMode: 700 + asserts: + - isKind: + of: Deployment + - matchRegex: + path: spec.template.spec.volumes[0].name + pattern: *patternCert + - equal: + path: spec.template.spec.volumes[0].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[0].name + pattern: *patternCert + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[0] + content: + mountPath: /some/path/crt.key + subPath: tls.crt + readOnly: true + + - it: should pass with mounted secret only private key + documentIndex: *deploymentDoc + set: + # Simulating middleware injection + ixCertificates: + "1": + certificate: cert_content + privatekey: some_key + scaleCerts: + cert-name: + id: 1 + cert: + enabled: false + path: /some/path/crt.key + readOnly: true + defaultMode: 700 + key: + enabled: true + path: /some/path/key.key + readOnly: true + defaultMode: 700 + asserts: + - matchRegex: + path: spec.template.spec.volumes[0].name + pattern: *patternKey + - equal: + path: spec.template.spec.volumes[0].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[0].name + pattern: *patternKey + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[0] + content: + mountPath: /some/path/key.key + subPath: tls.key + readOnly: true + + - it: should pass with 2 mounted secret both certificate and private key + documentIndex: &secondDeploymentDoc 2 + set: + # Simulating middleware injection + ixCertificates: + "1": + certificate: cert_content + privatekey: some_key + "2": + certificate: cert_content + privatekey: some_key + scaleCerts: + cert-name: + id: 1 + cert: + enabled: true + path: /some/path/crt.key + readOnly: true + defaultMode: 700 + key: + enabled: true + path: /some/path/key.key + readOnly: true + defaultMode: 700 + cert-name2: + id: 2 + cert: + enabled: true + path: /some/path/crt.key + readOnly: true + defaultMode: 700 + key: + enabled: true + path: /some/path/key.key + readOnly: true + defaultMode: 700 + asserts: + - isKind: + of: Deployment + - matchRegex: + path: spec.template.spec.volumes[0].name + pattern: *patternCert + - equal: + path: spec.template.spec.volumes[0].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[0].name + pattern: *patternCert + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[0] + content: + mountPath: /some/path/crt.key + subPath: tls.crt + readOnly: true + + - matchRegex: + path: spec.template.spec.volumes[1].name + pattern: *patternCert + - equal: + path: spec.template.spec.volumes[1].secret + value: + secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[1].name + pattern: *patternCert + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[1] + content: + mountPath: /some/path/crt.key + subPath: tls.crt + readOnly: true + + - matchRegex: + path: spec.template.spec.volumes[2].name + pattern: *patternKey + - equal: + path: spec.template.spec.volumes[2].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[2].name + pattern: *patternKey + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[2] + content: + mountPath: /some/path/key.key + subPath: tls.key + readOnly: true + + - matchRegex: + path: spec.template.spec.volumes[3].name + pattern: *patternKey + - equal: + path: spec.template.spec.volumes[3].secret + value: + secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2 + defaultMode: 700 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[3].name + pattern: *patternKey + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[3] + content: + mountPath: /some/path/key.key + subPath: tls.key + readOnly: true + + - it: should pass with mounted secret both certificate and private key without extra options + documentIndex: *deploymentDoc + set: + # Simulating middleware injection + ixCertificates: + "1": + certificate: cert_content + privatekey: some_key + scaleCerts: + cert-name: + id: 1 + cert: + enabled: true + path: /some/path/crt.key + key: + enabled: true + path: /some/path/key.key + asserts: + - isKind: + of: Deployment + - matchRegex: + path: spec.template.spec.volumes[0].name + pattern: *patternCert + - equal: + path: spec.template.spec.volumes[0].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[0].name + pattern: *patternCert + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[0] + content: + mountPath: /some/path/crt.key + subPath: tls.crt + - matchRegex: + path: spec.template.spec.volumes[1].name + pattern: *patternKey + - equal: + path: spec.template.spec.volumes[1].secret + value: + secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2 + - matchRegex: + path: spec.template.spec.containers[0].volumeMounts[1].name + pattern: *patternKey + - isSubset: + path: spec.template.spec.containers[0].volumeMounts[1] + content: + mountPath: /some/path/key.key + subPath: tls.key diff --git a/library/common/1.0.0/templates/class/_certifcate.tpl b/library/common/1.0.0/templates/class/_certifcate.tpl index d0c91687..fab7b5fc 100644 --- a/library/common/1.0.0/templates/class/_certifcate.tpl +++ b/library/common/1.0.0/templates/class/_certifcate.tpl @@ -1,6 +1,8 @@ {{- define "ix.v1.common.class.certificate" -}} {{- $cert := .cert -}} {{- $root := .root -}} + {{- $tlsCrtKey := "tls.crt" -}} + {{- $tlsPrivateKey := "tls.key" -}} {{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}} {{- fail (printf "Certificate (%s) has no key" $cert.nameOverride) -}} @@ -17,17 +19,61 @@ {{- end -}} {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}} - {{- if (hasKey $cert "certPath") -}} - {{- if $cert.certPath -}} - {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}} - {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}} + {{- if (hasKey $cert "cert") -}} + {{/* Create the dict */}} + {{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}} + + {{/* If cert is enabled */}} + {{- if $cert.cert.enabled -}} + {{/* And has a path... */}} + {{- if $cert.cert.path -}} + + {{/* Append mountPath and subPath */}} + {{- $_ := set $persistenceDict "mountPath" $cert.cert.path -}} + {{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}} + + {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}} + {{- if (hasKey $cert.cert "readOnly") -}} + {{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}} + {{- end -}} + + {{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}} + {{- if (hasKey $cert.cert "defaultMode") -}} + {{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}} + {{- end -}} + + {{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}} + {{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}} + {{- end -}} {{- end -}} {{- end -}} - {{- if (hasKey $cert "keyPath") -}} - {{- if $cert.keyPath -}} - {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}} - {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}} + {{- if (hasKey $cert "key") -}} + {{/* Create the dict */}} + {{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}} + + {{/* If key is enabled */}} + {{- if $cert.key.enabled -}} + {{/* And has a path... */}} + {{- if $cert.key.path -}} + + {{/* Append mountPath and subPath */}} + {{- $_ := set $persistenceDict "mountPath" $cert.key.path -}} + {{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}} + + {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}} + {{- if (hasKey $cert.key "readOnly") -}} + {{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}} + {{- end -}} + + {{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}} + {{- if (hasKey $cert.key "defaultMode") -}} + {{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}} + {{- end -}} + + {{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}} + {{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}} + {{- end -}} {{- end -}} {{- end }} --- @@ -47,7 +93,7 @@ metadata: {{- . | nindent 4 }} {{- end }} data: - tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }} - tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }} + {{ $tlsCrtKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }} + {{ $tlsPrivateKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }} {{- end -}} {{- end -}}