add cronjob and job tests

Stavros kois
2023-01-12 16:50:13 +02:00
parent 9e196da718
commit 0bfe7dc80f
12 changed files with 1892 additions and 115 deletions


@@ -418,7 +418,7 @@ tests:
- isNull:
path: spec.template.spec.containers[0].e1v
- it: should fail with lifecycle defined in additional container
- it: should pass with lifecycle defined in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
@@ -451,7 +451,6 @@ tests:
- test2
- it: should fail with env trying to override fixedEnvs in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -462,7 +461,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in additional container
documentIndex: *deploymentDoc
set:
configmap:
some-confmap:
@@ -480,7 +478,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in additional container
documentIndex: *deploymentDoc
set:
secret:
some-secret:
@@ -871,7 +868,6 @@ tests:
runAsUser: 0
- it: should fail with probe type set to auto in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -969,7 +965,6 @@ tests:
periodSeconds: 5
- it: should fail with invalid protocol in ports in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -982,7 +977,6 @@ tests:
errorMessage: Invalid <protocol> (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP.
- it: should fail without name in ports in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -995,7 +989,6 @@ tests:
errorMessage: <name> is required in all <ports> in (RELEASE-NAME-common-test-some-name) container.
- it: should fail without containerPort in ports in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -1007,7 +1000,6 @@ tests:
errorMessage: <containerPort> is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container.
- it: should fail with non-int containerPort in ports in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -1019,7 +1011,6 @@ tests:
errorMessage: Invalid <containerPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int.
- it: should fail with non-int hostPort in ports in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -1080,7 +1071,6 @@ tests:
name: udp-port
- it: should fail without trying to mount a non existent volume in volumeMounts defined in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
@@ -1092,7 +1082,6 @@ tests:
errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in <persistence>.
- it: should fail without name in volumeMounts defined in additional container
documentIndex: *deploymentDoc
set:
additionalContainers:
some-name:
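Review bot: `path: spec.template.spec.containers[0].e1v` at the top of the first hunk looks like a typo for `env`, and an `isNull` on a key that is never rendered passes whatever the template emits. The test it belongs to starts above the hunk; if it is the disabled-injectFixedEnvs case, as the matching init-container and job files suggest, it cannot currently detect fixed envs still being injected into the additional container. It should read `path: spec.template.spec.containers[0].env`, with the index checked against where the additional container is actually rendered.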


@@ -419,7 +419,6 @@ tests:
path: spec.template.spec.initContainers[0].env
- it: should fail with lifecycle defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -429,7 +428,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks
- it: should fail with env trying to override fixedEnvs in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -440,7 +438,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in init container
documentIndex: *deploymentDoc
set:
configmap:
some-confmap:
@@ -458,7 +455,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in init container
documentIndex: *deploymentDoc
set:
secret:
some-secret:
@@ -849,7 +845,6 @@ tests:
runAsUser: 0
- it: should fail with probes in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -861,7 +856,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes
- it: should fail with invalid protocol in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -874,7 +868,6 @@ tests:
errorMessage: Invalid <protocol> (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP.
- it: should fail without name in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -887,7 +880,6 @@ tests:
errorMessage: <name> is required in all <ports> in (RELEASE-NAME-common-test-some-name) container.
- it: should fail without containerPort in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -899,7 +891,6 @@ tests:
errorMessage: <containerPort> is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container.
- it: should fail with non-int containerPort in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -911,7 +902,6 @@ tests:
errorMessage: Invalid <containerPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int.
- it: should fail with non-int hostPort in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -972,7 +962,6 @@ tests:
name: udp-port
- it: should fail without trying to mount a non existent volume in volumeMounts defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -984,7 +973,6 @@ tests:
errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in <persistence>.
- it: should fail without name in volumeMounts defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:


@@ -162,7 +162,7 @@ tests:
content:
terminationMessagePath: somePath
terminationMessagePolicy: File
# TODO: copy and adapt tests to jobSpecContainer
- it: should pass with resources inherited from main container and modified in init container
documentIndex: *deploymentDoc
set:
@@ -421,7 +421,6 @@ tests:
path: spec.template.spec.initContainers[0].env
- it: should fail with lifecycle defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -431,7 +430,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks
- it: should fail with env trying to override fixedEnvs in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -442,7 +440,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in init container
documentIndex: *deploymentDoc
set:
configmap:
some-confmap:
@@ -460,7 +457,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in init container
documentIndex: *deploymentDoc
set:
secret:
some-secret:
@@ -477,7 +473,6 @@ tests:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)]
- it: should pass with securityContext inherited
documentIndex: *deploymentDoc
set:
@@ -852,7 +847,6 @@ tests:
runAsUser: 0
- it: should fail with probes in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -864,7 +858,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes
- it: should fail with invalid protocol in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -877,7 +870,6 @@ tests:
errorMessage: Invalid <protocol> (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP.
- it: should fail without name in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -890,7 +882,6 @@ tests:
errorMessage: <name> is required in all <ports> in (RELEASE-NAME-common-test-some-name) container.
- it: should fail without containerPort in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -902,7 +893,6 @@ tests:
errorMessage: <containerPort> is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container.
- it: should fail with non-int containerPort in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -914,7 +904,6 @@ tests:
errorMessage: Invalid <containerPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int.
- it: should fail with non-int hostPort in ports in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -975,7 +964,6 @@ tests:
name: udp-port
- it: should fail without trying to mount a non existent volume in volumeMounts defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:
@@ -987,7 +975,6 @@ tests:
errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in <persistence>.
- it: should fail without name in volumeMounts defined in init container
documentIndex: *deploymentDoc
set:
initContainers:
some-name:


@@ -433,7 +433,6 @@ tests:
path: spec.template.spec.initContainers[0].env
- it: should fail with lifecycle defined in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -443,7 +442,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks
- it: should fail with env trying to override fixedEnvs in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -454,7 +452,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in install container
documentIndex: *deploymentDoc
set:
configmap:
some-confmap:
@@ -472,7 +469,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in install container
documentIndex: *deploymentDoc
set:
secret:
some-secret:
@@ -863,7 +859,6 @@ tests:
runAsUser: 0
- it: should fail with probes in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -875,7 +870,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes
- it: should fail with invalid protocol in ports in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -888,7 +882,6 @@ tests:
errorMessage: Invalid <protocol> (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP.
- it: should fail without name in ports in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -901,7 +894,6 @@ tests:
errorMessage: <name> is required in all <ports> in (RELEASE-NAME-common-test-some-name) container.
- it: should fail without containerPort in ports in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -913,7 +905,6 @@ tests:
errorMessage: <containerPort> is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container.
- it: should fail with non-int containerPort in ports in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -925,7 +916,6 @@ tests:
errorMessage: Invalid <containerPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int.
- it: should fail with non-int hostPort in ports in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -986,7 +976,6 @@ tests:
name: udp-port
- it: should fail without trying to mount a non existent volume in volumeMounts defined in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:
@@ -998,7 +987,6 @@ tests:
errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in <persistence>.
- it: should fail without name in volumeMounts defined in install container
documentIndex: *deploymentDoc
set:
installContainers:
some-name:


@@ -435,7 +435,6 @@ tests:
path: spec.template.spec.initContainers[0].env
- it: should fail with lifecycle defined in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -445,7 +444,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks
- it: should fail with env trying to override fixedEnvs in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -456,7 +454,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in upgrade container
documentIndex: *deploymentDoc
set:
configmap:
some-confmap:
@@ -474,7 +471,6 @@ tests:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in upgrade container
documentIndex: *deploymentDoc
set:
secret:
some-secret:
@@ -865,7 +861,6 @@ tests:
runAsUser: 0
- it: should fail with probes in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -877,7 +872,6 @@ tests:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes
- it: should fail with invalid protocol in ports in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -890,7 +884,6 @@ tests:
errorMessage: Invalid <protocol> (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP.
- it: should fail without name in ports in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -903,7 +896,6 @@ tests:
errorMessage: <name> is required in all <ports> in (RELEASE-NAME-common-test-some-name) container.
- it: should fail without containerPort in ports in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -915,7 +907,6 @@ tests:
errorMessage: <containerPort> is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container.
- it: should fail with non-int containerPort in ports in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -927,7 +918,6 @@ tests:
errorMessage: Invalid <containerPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int.
- it: should fail with non-int hostPort in ports in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -988,7 +978,6 @@ tests:
name: udp-port
- it: should fail without trying to mount a non existent volume in volumeMounts defined in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:
@@ -1000,7 +989,6 @@ tests:
errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in <persistence>.
- it: should fail without name in volumeMounts defined in upgrade container
documentIndex: *deploymentDoc
set:
upgradeContainers:
some-name:

File diff suppressed because it is too large Load Diff


@@ -1,4 +1,4 @@
suite: jobTemplate test
suite: job Containers test
templates:
- common.yaml
tests:
@@ -183,7 +183,7 @@ tests:
cpu: 25m
memory: 80Mi
jobs:
some-name:
job-name:
enabled: true
podSpec:
containers:
@@ -211,7 +211,7 @@ tests:
documentIndex: *jobDoc
set:
jobs:
some-name:
job-name:
enabled: true
podSpec:
containers:
@@ -251,7 +251,7 @@ tests:
some_name: a_name
some_name2: a_name2
jobs:
some-name:
job-name:
enabled: true
podSpec:
containers:
@@ -271,7 +271,7 @@ tests:
- configMapRef:
name: a_name2
- it: should pass with env and envList defined in init container
- it: should pass with env and envList defined in job container
documentIndex: *jobDoc
set:
some_value: value
@@ -279,7 +279,7 @@ tests:
some_value3: value3
some_value4: value4
jobs:
some-name:
job-name:
enabled: true
podSpec:
containers:
@@ -315,3 +315,698 @@ tests:
value: value3
- name: var4
value: value4
- it: should pass with changed PUID/UMASK
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
securityContext:
runAsUser: 0
runAsNonRoot: false
security:
UMASK: "003"
PUID: 1000
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
env:
- name: TZ
value: UTC
- name: UMASK
value: "003"
- name: UMASK_SET
value: "003"
- name: NVIDIA_VISIBLE_DEVICES
value: void
- name: PUID
value: "1000"
- name: USER_ID
value: "1000"
- name: UID
value: "1000"
- name: PGID
value: "568"
- name: GROUP_ID
value: "568"
- name: GID
value: "568"
- name: S6_READ_ONLY_ROOT
value: "1"
- it: should pass with disabled injectFixedEnvs
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
securityContext:
runAsUser: 0
runAsNonRoot: false
injectFixedEnvs: false
asserts:
- isNull:
path: spec.template.spec.containers[0].env
- it: should fail with lifecycle defined in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
lifecycle:
asserts:
- failedTemplate:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-job-main) do not support lifecycle hooks
- it: should fail with env trying to override fixedEnvs in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
env:
TZ: something
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)]
- it: should fail with env trying to override configmap in job container
set:
configmap:
some-confmap:
enabled: true
parseAsEnv: true
content:
TZ: something
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
envFrom:
- configMapRef:
name: '{{ include "ix.v1.common.names.fullname" . }}-some-confmap'
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)]
- it: should fail with env trying to override secret in job container
set:
secret:
some-secret:
enabled: true
parseAsEnv: true
content:
TZ: something
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
envFrom:
- secretRef:
name: '{{ include "ix.v1.common.names.fullname" . }}-some-secret'
asserts:
- failedTemplate:
errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)]
- it: should pass with securityContext inherited
documentIndex: *jobDoc
set:
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with deviceList defined in job container
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
deviceList:
- enabled: true
mountPath: /host/dev/usb
hostPath: /dev/usb
securityContext:
inherit: true
asserts:
- equal:
path: spec.template.spec.securityContext
value:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups:
- 5
- 10
- 20
- 24
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add: []
drop:
- ALL
privileged: true
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with deviceList and scaleGPU defined in job container
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
scaleGPU:
nvidia: something
deviceList:
- enabled: true
mountPath: /host/dev/usb
hostPath: /dev/usb
securityContext:
inherit: true
asserts:
- equal:
path: spec.template.spec.securityContext
value:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups:
- 5
- 10
- 20
- 24
- 44
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add: []
drop:
- ALL
privileged: true
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with port <=1024 defined in job container
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- name: http
containerPort: 80
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with securityContext default
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
imageSelector: image
securityContext:
inherit: true
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- it: should pass with securityContext changed
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
privileged: true
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- Something
drop:
- Something_Else
privileged: true
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext with some values changed
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
imageSelector: image
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
capabilities:
add:
- Something
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- Something
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- it: should pass with securityContext with inherit and at least one value changed
documentIndex: *jobDoc
set:
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
drop:
- something_else
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
imageSelector: image
securityContext:
inherit: true
runAsNonRoot: false
runAsUser: 0
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
securityContext:
allowPrivilegeEscalation: true
capabilities:
add: []
drop:
- something_else
privileged: true
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: false
runAsUser: 0
- it: should fail with probes in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
probes:
liveness:
enabled: true
asserts:
- failedTemplate:
errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-job-main) do not support probes
- it: should fail with invalid protocol in ports in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: 5678
protocol: invalid-proto
name: tcp-port
asserts:
- failedTemplate:
errorMessage: Invalid <protocol> (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Valid protocols are TCP and UDP.
- it: should fail without name in ports in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: 5678
protocol: TCP
name: ""
asserts:
- failedTemplate:
errorMessage: <name> is required in all <ports> in (RELEASE-NAME-common-test-job-main) container.
- it: should fail without containerPort in ports in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: ""
name: tcp-port
asserts:
- failedTemplate:
errorMessage: <containerPort> is required in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container.
- it: should fail with non-int containerPort in ports in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: not-int
name: tcp-port
asserts:
- failedTemplate:
errorMessage: Invalid <containerPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Must be an int.
- it: should fail with non-int hostPort in ports in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: 1234
hostPort: not-int
name: tcp-port
asserts:
- failedTemplate:
errorMessage: Invalid <hostPort> (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Must be an int.
- it: should pass without protocol in ports in job container
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: 5678
name: tcp-port
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
ports:
- containerPort: 5678
protocol: TCP
name: tcp-port
- it: should pass with ports defined in job container
documentIndex: *jobDoc
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
ports:
- containerPort: 5678
protocol: TCP
name: tcp-port
- containerPort: 1234
protocol: UDP
name: udp-port
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
ports:
- containerPort: 5678
protocol: TCP
name: tcp-port
- containerPort: 1234
protocol: UDP
name: udp-port
- it: should fail without trying to mount a non existent volume in volumeMounts defined in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
volumeMounts:
- name: some-volume
mountPath: /some/path
asserts:
- failedTemplate:
errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in <persistence>.
- it: should fail without name in volumeMounts defined in job container
set:
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
volumeMounts:
- name:
mountPath: /some/path
readOnly: false
subPath: /some/sub/path
asserts:
- failedTemplate:
errorMessage: <name> is required in volumeMounts in init/install/upgrade/additional containers.
- it: should pass with volumeMounts defined in job container
documentIndex: *jobDoc
set:
persistence:
some-volume:
enabled: true
noMount: true
type: emptyDir
some-other-volume:
enabled: true
noMount: true
type: emptyDir
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
volumeMounts:
- name: some-volume
mountPath: /some/path
readOnly: false
subPath: /some/sub/path
- name: some-other-volume
mountPath: /some/other/path
readOnly: false
subPath: /some/other/sub/path
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
volumeMounts:
- name: some-volume
mountPath: /some/path
readOnly: false
subPath: /some/sub/path
- name: some-other-volume
mountPath: /some/other/path
readOnly: false
subPath: /some/other/sub/path
- it: should pass with deviceList and volumeMounts defined in job container
documentIndex: *jobDoc
set:
deviceList:
- enabled: true
type: hostPath
mountPath: /host/dev/something
hostPath: /dev/something
persistence:
some-volume:
enabled: true
noMount: true
type: emptyDir
some-other-volume:
enabled: true
noMount: true
type: emptyDir
jobs:
job-name:
enabled: true
podSpec:
containers:
main:
deviceList:
- enabled: true
type: hostPath
mountPath: /host/dev/usb
hostPath: /dev/usb
- enabled: true
type: hostPath
mountPath: /host/dev/serial
hostPath: /dev/serial
volumeMounts:
- name: some-volume
mountPath: /some/path
readOnly: false
subPath: /some/sub/path
- name: some-other-volume
mountPath: /some/other/path
readOnly: false
subPath: /some/other/sub/path
asserts:
- isSubset:
path: spec.template.spec.containers[0]
content:
volumeMounts:
- name: some-volume
mountPath: /some/path
readOnly: false
subPath: /some/sub/path
- name: some-other-volume
mountPath: /some/other/path
readOnly: false
subPath: /some/other/sub/path
- name: device-job-main-0
mountPath: /host/dev/usb
- name: device-job-main-1
mountPath: /host/dev/serial
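Review bot: The two deviceList cases assert `privileged: true` and `allowPrivilegeEscalation: true` for a job container that only lists a host device, but nothing pins the opposite direction: no case shows that a list holding only `enabled: false` entries leaves the container at the defaults asserted in "should pass with securityContext default". Since this is the path that turns a job privileged, a negative case belongs next to them. The expected values in the sketch below are copied from that default case and assume a disabled entry is meant to be ignored; if the chart intends otherwise, that behaviour should be pinned and documented instead.

```yaml
  - it: should keep default securityContext with only disabled devices in job container
    documentIndex: *jobDoc
    set:
      jobs:
        job-name:
          enabled: true
          podSpec:
            containers:
              main:
                deviceList:
                  - enabled: false
                    mountPath: /host/dev/usb
                    hostPath: /dev/usb
    asserts:
      - isSubset:
          path: spec.template.spec.containers[0]
          content:
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                add: []
                drop:
                  - ALL
              privileged: false
              readOnlyRootFilesystem: true
              runAsGroup: 568
              runAsNonRoot: true
              runAsUser: 568
```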


@@ -138,13 +138,13 @@ The reason is not splitted, is that on one of the places needs a combo of all va
{{/* Go over the containers */}}
{{- range $containerName, $container := (get $root.Values $key) -}}
{{/* If the container has deviceList */}}
{{/* If at least 1 container has deviceList... */}}
{{- if hasKey $container "deviceList" -}}
{{- if $container.deviceList -}}
{{- $appendDeviceGroups = true -}}
{{- end -}}
{{- end -}}
{{/* If the container has scaleGPU */}}
{{/* If at least 1 container has GPU... */}}
{{- if hasKey $container "scaleGPU" -}}
{{- if $container.scaleGPU -}}
{{- $appendGPUGroup = true -}}
@@ -157,9 +157,15 @@ The reason is not splitted, is that on one of the places needs a combo of all va
{{- range $jobName, $job := $root.Values.jobs -}}
{{- if $job.enabled -}}
{{- range $name, $container := $job.podSpec.containers -}}
{{/* If at least 1 container has deviceList... */}}
{{- if hasKey $container "deviceList" -}}
{{- if $container.deviceList -}}
{{- $appendDeviceGroups = true -}}
{{- end -}}
{{- end -}}
{{/* If at least 1 container has GPU... */}}
{{- if hasKey $container "scaleGPU" -}}
{{- if $container.scaleGPU -}}
{{/* If at least 1 container has GPU... */}}
{{- $appendGPUGroup = true -}}
{{- end -}}
{{- end -}}
@@ -186,7 +192,7 @@ The reason is not splitted, is that on one of the places needs a combo of all va
{{- end -}}
{{/* Validate values, as mergeOverwrite also passes null values */}}
{{- if eq (toString $returnValue.fsGroup) "<nil>" -}}
{{- if (kindIs "invalid" $returnValue.fsGroup) -}}
{{- fail (printf "<fsGroup> key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $defaultPodSecCont.fsGroup) -}}
{{- else if not (mustHas (kindOf $returnValue.fsGroup) (list "int" "float64")) -}}
{{- fail (printf "<fsGroup> key has value of (%q). But must be an int." $returnValue.fsGroup) -}}
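Review bot: The deviceList check added to the jobs loop sets `$appendDeviceGroups` for any non-empty list and never looks at the per-device `enabled` flag, so a job whose entries are all disabled would apparently still get the device groups appended to the pod's supplementalGroups. The container loop in the first hunk has the same shape. If a disabled entry is meant to be inert, gate the assignment on the flag, e.g. `{{- range $container.deviceList -}}{{- if .enabled -}}{{- $appendDeviceGroups = true -}}{{- end -}}{{- end -}}`. The enclosing define begins and ends outside these hunks, so how the flag is consumed should be confirmed there.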


@@ -276,4 +276,3 @@ volumes:
{{- . | nindent 2 }}
{{- end -}}
{{- end -}}
{{/* TODO: Unit Tests */}}


@@ -48,4 +48,3 @@
{{- end -}}
{{- end -}}
{{- end -}}
{{/* TODO: Unit Tests */}}


@@ -25,46 +25,65 @@
{{- range $key := (list "initContainers" "installContainers" "upgradeContainers" "additionalContainers") -}}
{{/* If they have containers defined... */}}
{{- if (get $root.Values $key) -}}
{{/* Go over the containers */}}
{{- range $containerName, $container := (get $root.Values $key) -}}
{{/* If the container has deviceList */}}
{{- if hasKey $container "deviceList" -}}
{{/* Go over the devices */}}
{{- range $index, $device := $container.deviceList -}}
{{/* Generate the name */}}
{{- $deviceName := (printf "device-%s-%s" $containerName (toString $index)) -}}
{{- if $device.name -}}
{{- $deviceName = (printf "%s-%s" $containerName (toString $device.name)) -}}
{{- end -}}
{{/* Add the name on the device item */}}
{{- $_ := set $device "name" $deviceName -}}
{{/* Note that "set" mutates the actual item and not a copy */}}
{{/* Make sure a volumeMount list exists */}}
{{- if not (hasKey $container "volumeMounts") -}}
{{- $_ := set $container "volumeMounts" list -}}
{{- end -}}
{{/* Append a volumeMount item, so other templates
take care of the mounting of the device */}}
{{- $_ := set $container "volumeMounts" (mustAppend $container.volumeMounts $device) -}}
{{/* Make sure a persistence dict exists */}}
{{- if not (hasKey $root.Values "persistence") -}}
{{- $_ := set $root.Values "persistence" dict -}}
{{- end -}}
{{/* Add a noMount flag so it won't get mounted in the main container */}}
{{- $_ := set $device "noMount" true -}}
{{/* Add the device on persistence,
so other templates take care of the volume creation */}}
{{- $_ := set $root.Values.persistence $deviceName $device -}}
{{- end -}}
{{- end -}}
{{- include "ix.v1.common.lib.values.deviceList.containers" (dict "root" $root "containers" (get $root.Values $key)) -}}
{{- end -}}
{{- end -}}
{{/* Go over all jobs */}}
{{- range $name, $job := $root.Values.jobs -}}
{{- if $job.enabled -}}
{{- if and $job.podSpec $job.podSpec.containers -}}
{{- include "ix.v1.common.lib.values.deviceList.containers" (dict "root" $root "isJob" true "containers" ($job.podSpec.containers)) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "ix.v1.common.lib.values.deviceList.containers" -}}
{{- $containers := .containers -}}
{{- $root := .root -}}
{{- $isJob := .isJob -}}
{{/* Go over the containers */}}
{{- range $containerName, $container := $containers -}}
{{/* If the container has deviceList */}}
{{- if hasKey $container "deviceList" -}}
{{/* Go over the devices */}}
{{- range $index, $device := $container.deviceList -}}
{{/* Generate the name */}}
{{- $name := $containerName -}}
{{- if $isJob -}}
{{- $name = (printf "job-%s" $containerName) -}}
{{- end -}}
{{- $deviceName := (printf "device-%s-%s" $name (toString $index)) -}}
{{- if $device.name -}}
{{- $deviceName = (printf "%s-%s" $name (toString $device.name)) -}}
{{- end -}}
{{/* Add the name on the device item */}}
{{- $_ := set $device "name" $deviceName -}}
{{/* Note that "set" mutates the actual item and not a copy */}}
{{/* Make sure a volumeMount list exists */}}
{{- if not (hasKey $container "volumeMounts") -}}
{{- $_ := set $container "volumeMounts" list -}}
{{- end -}}
{{/* Append a volumeMount item, so other templates
take care of the mounting of the device */}}
{{- $_ := set $container "volumeMounts" (mustAppend $container.volumeMounts $device) -}}
{{/* Make sure a persistence dict exists */}}
{{- if not (hasKey $root.Values "persistence") -}}
{{- $_ := set $root.Values "persistence" dict -}}
{{- end -}}
{{/* Add a noMount flag so it won't get mounted in the main container */}}
{{- $_ := set $device "noMount" true -}}
{{- $_ := set $device "type" "hostPath" -}}
{{/* Add the device on persistence,
so other templates take care of the volume creation */}}
{{- $_ := set $root.Values.persistence $deviceName $device -}}
{{- end -}}
{{- end -}}
{{- end -}}
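Review bot: The generated device name for jobs is built from the container name only (`printf "job-%s" $containerName`), so two enabled jobs that each have a container called `main` with a `deviceList` both produce `device-job-main-0`, and the second `set $root.Values.persistence $deviceName $device` silently replaces the first. Because the helper also forces `type` to `hostPath`, a collision could leave one job's container mounted on the host path configured for another job. How persistence entries are turned into volumes is not shown here, so this needs confirming. Passing the job name into the helper would keep the keys distinct, e.g. `(dict "root" $root "isJob" true "jobName" $name "containers" ($job.podSpec.containers))` at the call site and `{{- $name = (printf "job-%s-%s" .jobName $containerName) -}}` in the helper. A `hasKey $root.Values.persistence $deviceName` check that calls `fail` would also catch clashes with user-defined persistence keys when `$device.name` is set. The define that contains the first part of this hunk starts outside it.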


@@ -16,4 +16,3 @@
{{- end -}}
{{- end -}}
{{- end -}}
{{/* TODO: Unit Tests */}}