diff --git a/library/common-test/tests/container/envFixed_test.yaml b/library/common-test/tests/container/envFixed_test.yaml index 7ac00db8bb..7c93bc8eff 100644 --- a/library/common-test/tests/container/envFixed_test.yaml +++ b/library/common-test/tests/container/envFixed_test.yaml @@ -376,7 +376,65 @@ tests: - name: S6_READ_ONLY_ROOT value: "1" - # Failures + - it: should create the correct fixed envs with large int values + set: + image: *image + workload: + workload-name: + enabled: true + primary: true + type: Deployment + podSpec: + securityContext: + fsGroup: 100000514 + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + fixedEnv: + PUID: 200000514 + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + asserts: + - documentIndex: &deploymentDoc 0 + isKind: + of: Deployment + - documentIndex: *deploymentDoc + isAPIVersion: + of: apps/v1 + - documentIndex: *deploymentDoc + isSubset: + path: spec.template.spec.containers[0] + content: + env: + - name: TZ + value: UTC + - name: UMASK + value: "002" + - name: UMASK_SET + value: "002" + - name: NVIDIA_VISIBLE_DEVICES + value: "void" + - name: PUID + value: "200000514" + - name: USER_ID + value: "200000514" + - name: UID + value: "200000514" + - name: PGID + value: "100000514" + - name: GROUP_ID + value: "100000514" + - name: GID + value: "100000514" + - name: S6_READ_ONLY_ROOT + value: "1" + + # # Failures - it: it should fail with NVIDIA_CAPS having invalid values set: image: *image diff --git a/library/common-test/tests/container/envList_test.yaml b/library/common-test/tests/container/envList_test.yaml index b102ee196d..0045743ceb 100644 --- a/library/common-test/tests/container/envList_test.yaml +++ b/library/common-test/tests/container/envList_test.yaml 
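Review bot: The last added line of the envFixed_test.yaml hunk turns the section marker into `# # Failures`, which looks like an accidental doubled comment marker. I'd restore it to `# Failures` so it matches the marker that envList_test.yaml and env_test.yaml keep as context in this same commit.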
@@ -35,6 +35,14 @@ tests: value: "{{ .Values.some_other_value }}" - name: env3 value: "" + - name: env4 + value: 100000514 + - name: env5 + value: "100000514" + - name: env6 + value: 100text000514 + - name: env7 + value: "100.400" asserts: - documentIndex: &deploymentDoc 0 isKind: @@ -60,6 +68,30 @@ tests: content: name: env3 value: "" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: env4 + value: "100000514" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: env5 + value: "100000514" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: env6 + value: "100text000514" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: env7 + value: "100.400" # Failures - it: it should fail with empty name diff --git a/library/common-test/tests/container/env_test.yaml b/library/common-test/tests/container/env_test.yaml index f51d1afc6c..cf06ea3ccc 100644 --- a/library/common-test/tests/container/env_test.yaml +++ b/library/common-test/tests/container/env_test.yaml @@ -66,6 +66,10 @@ tests: fieldPath: metadata.name VAR8: "" VAR9: false + VAR10: "100000514" + VAR11: 100000514 + VAR12: 1000text00514 + VAR13: "100.40" asserts: - documentIndex: &deploymentDoc 2 isKind: 
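Review bot: None of the inputs added in this envList_test.yaml hunk exercises a numeric value with a fractional part. `env7` is the quoted string `"100.400"`, and `VAR13` in the env_test.yaml hunk is quoted as well, so only the string pass-through is pinned. I'd add an unquoted case such as `value: 1234567.5` (a constructed sample), plus a small one like `value: 0.00001`, each with an assert on the exact rendered string. That covers the float64 branch of `ix.v1.common.helper.makeIntOrNoop` and records what the chart promises for non-integral numbers.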
@@ -141,6 +145,30 @@ tests: content: name: VAR9 value: "false" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: VAR10 + value: "100000514" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: VAR11 + value: "100000514" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: VAR12 + value: "1000text00514" + - documentIndex: *deploymentDoc + contains: + path: spec.template.spec.containers[0].env + content: + name: VAR13 + value: "100.40" # Failures - it: it should fail invalid ref diff --git a/library/common-test/tests/pod/securityContext.yaml b/library/common-test/tests/pod/securityContext.yaml index 6fcae6982b..d2f50f8b84 100644 --- a/library/common-test/tests/pod/securityContext.yaml +++ b/library/common-test/tests/pod/securityContext.yaml @@ -134,6 +134,35 @@ tests: - name: some_other_name value: "some_different_value" + - it: should pass with fsGroup and supplementalGroups with long int + set: + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + securityContext: + fsGroup: 100000514 + fsGroupChangePolicy: Always + supplementalGroups: + - 1002 + - 100000514 + asserts: + - documentIndex: *deploymentDoc + isKind: + of: Deployment + - documentIndex: *deploymentDoc + equal: + path: spec.template.spec.securityContext + value: + fsGroup: 100000514 + fsGroupChangePolicy: Always + supplementalGroups: + - 1002 + - 100000514 + sysctls: [] + - it: should pass with sysctls automatically appended based on services set: some_sysctl_name: some_name diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml index 03d4be4f8a..924c936a35 100644 --- a/library/common/Chart.yaml +++ b/library/common/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 name: common description: A library chart for iX Official Catalog type: library -version: 1.0.11 +version: 1.0.12 appVersion: v1 annotations: title: Common Library Chart diff --git a/library/common/templates/helpers/_makeIntOrNoop.tpl b/library/common/templates/helpers/_makeIntOrNoop.tpl new file mode 100644 index 0000000000..c1be00ecbe --- /dev/null +++ b/library/common/templates/helpers/_makeIntOrNoop.tpl @@ -0,0 +1,23 @@ +{{- define "ix.v1.common.helper.makeIntOrNoop" -}} + {{- $value := . -}} + + {{/* + Ints in Helm can be either int, int64 or float64. + + Values that start with zero should not be converted + to int again as this will strip leading zeros. + + Numbers converted to E notation by Helm will + always contain the "e" character. So we only + convert those. + */}} + {{- if and + (mustHas (kindOf $value) (list "int" "int64" "float64")) + (not (hasPrefix "0" ($value | toString))) + (contains "e" ($value | toString | lower)) + -}} + {{- $value | int -}} + {{- else -}} + {{- $value -}} + {{- end -}} +{{- end -}} diff --git a/library/common/templates/lib/container/_env.tpl b/library/common/templates/lib/container/_env.tpl index 8d2dcbf663..4e984565dc 100644 --- a/library/common/templates/lib/container/_env.tpl +++ b/library/common/templates/lib/container/_env.tpl @@ -15,9 +15,12 @@ objectData: The object data to be used to render the container. {{- $value := "" -}} {{/* Only tpl valid values, there are cases that empty values after merges can be "" */}} {{- if not (kindIs "invalid" $v) -}} - {{- $value = tpl (toString $v) $rootCtx -}} + {{- $value = $v -}} + {{- if kindIs "string" $v -}} + {{- $value = tpl $v $rootCtx -}} + {{- end -}} {{- end }} - value: {{ $value | quote }} + value: {{ include "ix.v1.common.helper.makeIntOrNoop" $value | quote }} {{- else if kindIs "map" $v }} valueFrom: {{- $refs := (list "configMapKeyRef" "secretKeyRef" "fieldRef") -}} 
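Review bot: In `_makeIntOrNoop.tpl` the three-part `and` never checks that the number is integral, so any float64 whose string form contains "e" is passed to `int` and loses its fraction. As far as I can tell from Go's float formatting, an unquoted `1234567.5` prints as `1.2345675e+06` and would render as 1234567, and `0.00001` prints as `1e-05` and would render as 0. The helper also feeds `fsGroup`, `supplementalGroups` and the fixed PUID/PGID envs (the `_podSecurityContext.tpl` and `_fixedEnv.tpl` hunks), so a mistyped ID would be rounded to a different identity instead of being rejected. I'd add a fourth condition, `(eq ($value | float64 | floor) ($value | float64))`, and convert with `$value | int64` so the result does not depend on the platform's `int` width. A short header comment stating the input and output contract would also match the other templates.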
diff --git a/library/common/templates/lib/container/_envList.tpl b/library/common/templates/lib/container/_envList.tpl index d7a9c9e5c2..05203b1cde 100644 --- a/library/common/templates/lib/container/_envList.tpl +++ b/library/common/templates/lib/container/_envList.tpl @@ -12,8 +12,12 @@ objectData: The object data to be used to render the container. {{- if not $env.name -}} {{- fail "Container - Expected non-empty " -}} {{- end -}} {{/* Empty value is valid */}} - {{- include "ix.v1.common.helper.container.envDupeCheck" (dict "rootCtx" $rootCtx "objectData" $objectData "source" "envList" "key" $env.name) }} + {{- include "ix.v1.common.helper.container.envDupeCheck" (dict "rootCtx" $rootCtx "objectData" $objectData "source" "envList" "key" $env.name) -}} + {{- $value := $env.value -}} + {{- if kindIs "string" $env.value -}} + {{- $value = tpl $env.value $rootCtx -}} + {{- end }} - name: {{ $env.name | quote }} - value: {{ tpl (toString $env.value) $rootCtx | quote }} + value: {{ include "ix.v1.common.helper.makeIntOrNoop" $value | quote }} {{- end -}} {{- end -}} diff --git a/library/common/templates/lib/container/_fixedEnv.tpl b/library/common/templates/lib/container/_fixedEnv.tpl index ccbfce56d5..bc1791c5f6 100644 --- a/library/common/templates/lib/container/_fixedEnv.tpl +++ b/library/common/templates/lib/container/_fixedEnv.tpl @@ -69,6 +69,6 @@ objectData: The object data to be used to render the container. {{- range $env := $fixed -}} {{- include "ix.v1.common.helper.container.envDupeCheck" (dict "rootCtx" $rootCtx "objectData" $objectData "source" "fixedEnv" "key" $env.k) }} - name: {{ $env.k | quote }} - value: {{ $env.v | quote }} + value: {{ (include "ix.v1.common.helper.makeIntOrNoop" $env.v) | quote }} {{- end -}} {{- end -}} diff --git a/library/common/templates/lib/pod/_podSecurityContext.tpl b/library/common/templates/lib/pod/_podSecurityContext.tpl index 9667619258..f2bd8e7d22 100644 --- a/library/common/templates/lib/pod/_podSecurityContext.tpl 
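Review bot: In the `_envList.tpl` hunk, `{{- $value := $env.value -}}` passes a missing `value` key to the helper as nil. The `_env.tpl` hunk instead starts from `""` and only assigns under `not (kindIs "invalid" $v)`. I have not confirmed what the `include ... | quote` chain renders for nil, so I'd mirror that guard here: `{{- $value := "" -}}` followed by `{{- if not (kindIs "invalid" $env.value) -}}{{- $value = $env.value -}}{{- end -}}`. A test with an entry that has a name but no `value` would pin the outcome. The enclosing `range` starts outside the hunk.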
+++ b/library/common/templates/lib/pod/_podSecurityContext.tpl @@ -64,12 +64,12 @@ objectData: The object data to be used to render the Pod. {{- if not (mustHas $secContext.fsGroupChangePolicy $policies) -}} {{- fail (printf "Pod - Expected to be one of [%s], but got [%s]" (join ", " $policies) $secContext.fsGroupChangePolicy) -}} {{- end }} -fsGroup: {{ $secContext.fsGroup }} +fsGroup: {{ include "ix.v1.common.helper.makeIntOrNoop" $secContext.fsGroup }} fsGroupChangePolicy: {{ $secContext.fsGroupChangePolicy }} {{- with $secContext.supplementalGroups }} supplementalGroups: {{- range . }} - - {{ . }} + - {{ include "ix.v1.common.helper.makeIntOrNoop" . }} {{- end -}} {{- else }} supplementalGroups: []