add env list and split tests more

Stavros kois
2022-11-15 01:41:51 +02:00
parent 3af68eed05
commit f9c06db955
8 changed files with 537 additions and 309 deletions


@@ -0,0 +1,177 @@
suite: deployment container env test
templates:
- common.yaml
tests:
- it: should pass with default values
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- it: should fail with envList missing name
set:
envList:
- value: some_value
asserts:
- failedTemplate:
documentIndex: *deploymentDoc
errorMessage: Please specify both name and value for environment variable
- it: should fail with envList missing value
set:
envList:
- name: some_name
asserts:
- failedTemplate:
documentIndex: *deploymentDoc
errorMessage: Please specify both name and value for environment variable
- it: should fail with envList name as a map
set:
envList:
- name:
some_key: some_value
value: some_value
asserts:
- failedTemplate:
documentIndex: *deploymentDoc
errorMessage: Name in envList cannot be a map or slice
- it: should fail with envList name as a slice
set:
envList:
- name:
- some_key: some_value
value: some_value
asserts:
- failedTemplate:
documentIndex: *deploymentDoc
errorMessage: Name in envList cannot be a map or slice
- it: should fail with envList value as a map
set:
envList:
- name: some_name
value:
some_key: some_value
asserts:
- failedTemplate:
documentIndex: *deploymentDoc
errorMessage: Value in envList cannot be a map or slice
- it: should fail with envList value as a slice
set:
envList:
- name: some_name
value:
- some_key: some_value
asserts:
- failedTemplate:
documentIndex: *deploymentDoc
errorMessage: Value in envList cannot be a map or slice
- it: should pass with envList entry added
set:
envList:
- name: some_name
value: some_value
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- name: some_name
value: some_value
- it: should pass with envList entries added
set:
envList:
- name: some_name
value: some_value
- name: some_name2
value: some_value2
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- name: some_name
value: some_value
- name: some_name2
value: some_value2
- it: should pass with envList entry added from tpl
set:
some_name: a_name
some_value: a_value
envList:
- name: "{{ .Values.some_name }}"
value: "{{ .Values.some_value }}"
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- name: a_name
value: a_value
- it: should pass with envList entries added
set:
some_name: a_name
some_value: a_value
some_name2: a_name2
some_value2: a_value2
envList:
- name: "{{ .Values.some_name }}"
value: "{{ .Values.some_value }}"
- name: "{{ .Values.some_name2 }}"
value: "{{ .Values.some_value2 }}"
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- name: a_name
value: a_value
- name: a_name2
value: a_value2
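Review bot: The test name `should pass with envList entries added` is used twice in this file, once for the literal two-entry case and again for the templated two-entry case at the end, so a failure report cannot tell them apart; the last one should read `- it: should pass with envList entries added from tpl`. The suite name `deployment container env test` is also reused verbatim by the other new test file in this commit, so giving each file its own name (for example `deployment container envList test`) would make the output unambiguous. There is no case for a non-string scalar such as `value: 0` or `value: false`, nor for an empty string, which is where the `and .name .value` guard in the new helper looks most likely to report a present value as missing.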


@@ -7,249 +7,6 @@ tests:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- it: should pass with injectFixedEnvs false
set:
injectFixedEnvs: false
asserts:
- isNull:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
- it: should pass with TZ and UMASK changed
set:
TZ: ETC
security:
UMASK: 3
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: ETC
- name: UMASK
value: "3"
- name: UMASK_SET
value: "3"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass without S6_READ_ONLY_ROOT
set:
securityContext:
readOnlyRootFilesystem: false
runAsNonRoot: false
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- it: should pass with scaleGPU set
set:
scaleGPU: true
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_DRIVER_CAPABILITIES
value: all
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as user root
set:
podSecurityContext:
runAsUser: 0
securityContext:
runAsNonRoot: false
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "568"
- name: USER_ID
value: "568"
- name: UID
value: "568"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as group root
set:
podSecurityContext:
runAsGroup: 0
securityContext:
runAsNonRoot: false
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "568"
- name: USER_ID
value: "568"
- name: UID
value: "568"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as user root and PUID 0
set:
podSecurityContext:
runAsUser: 0
securityContext:
runAsNonRoot: false
security:
PUID: 0
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as group root and PUID 0
set:
podSecurityContext:
runAsGroup: 0
securityContext:
runAsNonRoot: false
security:
PUID: 0
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as group root and fsGroup 0 and PUID 0
set:
podSecurityContext:
runAsGroup: 0
fsGroup: 0
securityContext:
runAsNonRoot: false
security:
PUID: 0
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "0"
- name: GROUP_ID
value: "0"
- name: GID
value: "0"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should fail with envs defined as a list
set:
@@ -598,44 +355,3 @@ tests:
optional: false
name: some_name
key: some_key
- it: should pass with envs defined with scaleGPU
set:
scaleGPU: true
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: "UTC"
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_DRIVER_CAPABILITIES
value: "all"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs defined with scaleGPU and custom capabilities
set:
scaleGPU: true
nvidiaCaps:
- compute
- utility
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: "UTC"
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_DRIVER_CAPABILITIES
value: "compute,utility"
- name: S6_READ_ONLY_ROOT
value: "1"


@@ -0,0 +1,295 @@
suite: deployment container env test
templates:
- common.yaml
tests:
- it: should pass with default values
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- it: should pass with injectFixedEnvs false
set:
injectFixedEnvs: false
asserts:
- isNull:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
- it: should pass with TZ and UMASK changed
set:
TZ: ETC
security:
UMASK: 3
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: ETC
- name: UMASK
value: "3"
- name: UMASK_SET
value: "3"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass without S6_READ_ONLY_ROOT
set:
securityContext:
readOnlyRootFilesystem: false
runAsNonRoot: false
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- it: should pass with scaleGPU set
set:
scaleGPU: true
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_DRIVER_CAPABILITIES
value: all
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as user root
set:
podSecurityContext:
runAsUser: 0
securityContext:
runAsNonRoot: false
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "568"
- name: USER_ID
value: "568"
- name: UID
value: "568"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as group root
set:
podSecurityContext:
runAsGroup: 0
securityContext:
runAsNonRoot: false
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "568"
- name: USER_ID
value: "568"
- name: UID
value: "568"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as user root and PUID 0
set:
podSecurityContext:
runAsUser: 0
securityContext:
runAsNonRoot: false
security:
PUID: 0
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as group root and PUID 0
set:
podSecurityContext:
runAsGroup: 0
securityContext:
runAsNonRoot: false
security:
PUID: 0
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs changed because run as group root and fsGroup 0 and PUID 0
set:
podSecurityContext:
runAsGroup: 0
fsGroup: 0
securityContext:
runAsNonRoot: false
security:
PUID: 0
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: UTC
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "0"
- name: USER_ID
value: "0"
- name: UID
value: "0"
- name: PGID
value: "0"
- name: GROUP_ID
value: "0"
- name: GID
value: "0"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs defined with scaleGPU
set:
scaleGPU: true
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: "UTC"
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_DRIVER_CAPABILITIES
value: "all"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with envs defined with scaleGPU and custom capabilities
set:
scaleGPU: true
nvidiaCaps:
- compute
- utility
asserts:
- equal:
documentIndex: *deploymentDoc
path: spec.template.spec.containers[0].env
value:
- name: TZ
value: "UTC"
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: NVIDIA_DRIVER_CAPABILITIES
value: "compute,utility"
- name: S6_READ_ONLY_ROOT
value: "1"
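Review bot: `should pass with scaleGPU set` and `should pass with envs defined with scaleGPU` both set only `scaleGPU: true` and assert the same five env entries; they differ only in whether `UTC` and `all` are quoted, which makes no difference once the YAML is parsed. Now that the fixed-env cases sit together in one file, one of the two can be dropped while keeping the `nvidiaCaps` case. A short comment above the run-as-root cases saying why `PGID` stays `"568"` when only `runAsGroup: 0` is set would also help, since the expected values suggest it follows `fsGroup` rather than `runAsGroup`.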


@@ -0,0 +1,29 @@
{{/* Environment Variables List included by the container */}}
{{- define "ix.v1.common.container.envList" -}}
{{- $envList := .envList -}}
{{- $root := .root -}}
{{- with $envList -}}
{{- range $envList -}}
{{- if and .name .value -}}
{{- if or (kindIs "map" .name) (kindIs "slice" .name) -}}
{{- fail "Name in envList cannot be a map or slice" -}}
{{- end -}}
{{- if or (kindIs "map" .value) (kindIs "slice" .value) -}}
{{- fail "Value in envList cannot be a map or slice" -}}
{{- end }}
- name: {{ tpl .name $root }}
value: {{ tpl .value $root | quote }}
{{- else -}}
{{- fail "Please specify both name and value for environment variable" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
A custom dict is expected with envList and root.
It's designed to work for mainContainer AND initContainers.
Calling this from an initContainer, wouldn't work, as it would have a different "root" context,
and "tpl" on "$" would cause erors.
That's why the custom dict is expected.
*/}}
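Review bot: The name on the `- name: {{ tpl .name $root }}` line is emitted unquoted, unlike the value next to it and unlike `- name: {{ $name | quote }}` in the envVars helper, so a name whose expansion contains `: `, ` #` or a line break alters the structure of the container spec instead of staying a scalar; `- name: {{ tpl .name $root | quote }}` closes that gap. The `and .name .value` guard tests truthiness, so an empty string, `0` or `false` is reported as a missing field, and a non-string scalar that does pass the guard reaches `tpl`, which expects a string. Checking presence with `hasKey` and converting with `toString` before `tpl` would cover both cases. The explanatory comment has a typo (`erors`) and would be easier to find above the `define` than after its closing `end`.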


@@ -8,44 +8,44 @@
{{- $value := $v -}}
{{- if kindIs "int" $name -}}
{{- fail "Environment Variables as a list is not supported. Use key-value format." -}}
{{- end -}}
{{- end }}
- name: {{ $name | quote }}
{{- if not (kindIs "map" $value) }}
{{- if or (kindIs "string" $value) }} {{/* Single values are parsed as string (eg. int, bool) */}}
{{- $value = tpl $value $root }} {{/* Expand Value */}}
{{- if not (kindIs "map" $value) -}}
{{- if or (kindIs "string" $value) -}} {{/* Single values are parsed as string (eg. int, bool) */}}
{{- $value = tpl $value $root -}} {{/* Expand Value */}}
{{- end }}
value: {{ quote $value }}
{{- else if kindIs "map" $value }} {{/* If value is a dict... */}}
{{- if hasKey $value "valueFrom" }}
{{- fail "Please remove <valueFrom> and use directly configMapKeyRef or secretKeyRef" }}
{{- else if kindIs "map" $value -}} {{/* If value is a dict... */}}
{{- if hasKey $value "valueFrom" -}}
{{- fail "Please remove <valueFrom> and use directly configMapKeyRef or secretKeyRef" -}}
{{- end }}
valueFrom:
{{- if hasKey $value "configMapKeyRef" }} {{/* And contains configMapRef... */}}
configMapKeyRef:
{{- $_ := set $value "name" $value.configMapKeyRef.name -}} {{/* Extract name and key */}}
{{- $_ := set $value "key" $value.configMapKeyRef.key -}}
{{- if hasKey $value.configMapKeyRef "optional" }}
{{- fail "<optional> is not supported in configMapRefKey" }}
{{- end }}
{{- if hasKey $value.configMapKeyRef "optional" -}}
{{- fail "<optional> is not supported in configMapRefKey" -}}
{{- end -}}
{{- else if hasKey $value "secretKeyRef" }} {{/* And contains secretpRef... */}}
secretKeyRef:
{{- $_ := set $value "name" $value.secretKeyRef.name -}} {{/* Extract name and key */}}
{{- $_ := set $value "key" $value.secretKeyRef.key -}}
{{- if (hasKey $value.secretKeyRef "optional") }}
{{- if (hasKey $value.secretKeyRef "optional") -}}
{{- if (kindIs "bool" $value.secretKeyRef.optional) }}
optional: {{ $value.secretKeyRef.optional }}
{{- else }}
{{- else -}}
{{- fail (printf "<optional> in secretKeyRef must be a boolean on Environment Variable (%s)" $name) -}}
{{- end }}
{{- end }}
{{- else }}
{{- end -}}
{{- end -}}
{{- else -}}
{{- fail "Not a valid valueFrom reference. Valid options are (configMapKeyRef and secretKeyRef)" -}}
{{- end }}
name: {{ tpl (required (printf "<name> for the keyRef is not defined in (%s)" $name) $value.name) $root }} {{/* Expand name and key */}}
key: {{ tpl (required (printf "<key> for the keyRef is not defined in (%s)" $name) $value.key) $root }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
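Review bot: `{{- if or (kindIs "string" $value) -}}` calls `or` with a single operand, so the `or` does nothing; `{{- if kindIs "string" $value -}}` says the same thing plainly. The inline comment on that line says single values are parsed as strings, while the branch only runs `tpl` on strings, so it is worth rewording to state that non-string scalars skip expansion and are only quoted. The message `<optional> is not supported in configMapRefKey` and the `secretpRef` comment look like typos for `configMapKeyRef` and `secretKeyRef`. The helper begins before this hunk and its trailing comment continues past it.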


@@ -11,7 +11,7 @@
{{- else }}
- name: NVIDIA_DRIVER_CAPABILITIES
value: {{ join "," .Values.nvidiaCaps | quote }}
{{- end }}
{{- end -}}
{{- if and (or (not .Values.podSecurityContext.runAsUser) (not .Values.podSecurityContext.runAsGroup)) (or .Values.security.PUID (eq (.Values.security.PUID | int) 0)) }} {{/* If root user or root group and a PUID is set, set PUID and related envs */}}
- name: PUID
value: {{ tpl (toYaml .Values.security.PUID) $ | quote }}
@@ -25,9 +25,9 @@
value: {{ tpl (toYaml .Values.podSecurityContext.fsGroup) $ | quote }}
- name: GID
value: {{ tpl (toYaml .Values.podSecurityContext.fsGroup) $ | quote }}
{{- end }}
{{- end -}}
{{- if or (.Values.securityContext.readOnlyRootFilesystem) (.Values.securityContext.runAsNonRoot) }} {{/* Mainly for LSIO containers, tell S6 to avoid using rootfs */}}
- name: S6_READ_ONLY_ROOT
value: "1"
{{- end }}
{{- end -}}
{{- end -}}


@@ -41,13 +41,17 @@
terminationMessagePolicy: {{ tpl . $ }}
{{- end }}
env:
{{- if .Values.injectFixedEnvs }}
{{- include "ix.v1.common.container.fixedEnvs" . | nindent 4 }}
{{- end }}
{{- if .Values.injectFixedEnvs -}}
{{- include "ix.v1.common.container.fixedEnvs" . | nindent 4 -}}
{{- end -}}
{{- $context := dict -}} {{/* Create a new context and pass it to envVars include, so tpl can work. */}}
{{- $_ := set $context "envs" .Values.env -}}
{{- $_ := set $context "root" $ -}}
{{- include "ix.v1.common.container.envVars" $context | nindent 4 }}
{{- include "ix.v1.common.container.envVars" $context | nindent 4 -}}
{{- $context := dict -}} {{/* Create a new context and pass it to envList include, so tpl can work. */}}
{{- $_ := set $context "envList" .Values.envList -}}
{{- $_ := set $context "root" $ -}}
{{- include "ix.v1.common.container.envList" $context | nindent 4 -}}
{{- end -}}
{{/*
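Review bot: The three includes under `env:` are concatenated with no check for repeated names, so an `envList` or `env` entry named `PUID`, `UMASK` or `NVIDIA_VISIBLE_DEVICES` is rendered alongside the fixed entry of the same name. Kubernetes generally lets the later duplicate take effect, so a user-supplied entry would silently override a fixed env. If that override is intended it deserves a comment and a test; otherwise the envList helper could `fail` on a name the fixed envs already define. The second `{{- $context := dict -}}` redeclares a variable declared a few lines above; a distinct name, or passing `(dict "envList" .Values.envList "root" $)` straight to the include, would read more clearly. The enclosing define starts before this hunk.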


@@ -107,6 +107,13 @@ security:
# optional: false (ony with secretKeyRef)
env: {}
# -- Mainly used in the SCALE UI. Helm Template enabled.
envList: []
# - name: SOME_ENV_VAR
# value: SOME_VALUE
# - name: SOME_ENV_VAR2
# value: SOME_VALUE2
controller:
# -- Enable the controller.
enabled: true
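Review bot: The comment above `envList: []` does not say that both fields are required or that entries are rendered after `env`, although the new helper fails the render when either field is absent. A fuller comment such as `# -- List of name/value pairs rendered after env. Both name and value are required and passed through tpl, so quote numbers and booleans.` would save users a failed install. It would also help to state how `envList` is meant to interact with `env` when both define the same variable.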