diff --git a/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml index ee0fa71b68..80511820f1 100644 --- a/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml @@ -418,7 +418,7 @@ tests: - isNull: path: spec.template.spec.containers[0].e1v - - it: should fail with lifecycle defined in additional container + - it: should pass with lifecycle defined in additional container documentIndex: *deploymentDoc set: additionalContainers: @@ -451,7 +451,6 @@ tests: - test2 - it: should fail with env trying to override fixedEnvs in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -462,7 +461,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] - it: should fail with env trying to override configmap in additional container - documentIndex: *deploymentDoc set: configmap: some-confmap: @@ -480,7 +478,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] - it: should fail with env trying to override secret in additional container - documentIndex: *deploymentDoc set: secret: some-secret: @@ -871,7 +868,6 @@ tests: runAsUser: 0 - it: should fail with probe type set to auto in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: 
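Review bot: The first hunk of this file (`-418,7 +418,7`) renames the test from `should fail with lifecycle defined in additional container` to `should pass …` and changes nothing else, and the next hunk starts at line 451 on both sides, so the test's `asserts` are not touched by this commit. If that block still holds a `failedTemplate` assertion, the test now contradicts its own title; if it already checked a rendered `lifecycle` field, only the old title was wrong, so it is worth confirming which, since the test body continues outside the hunk. Keeping `documentIndex: *deploymentDoc` here is consistent with a test that inspects a rendered document, unlike the `should fail` cases in the later hunks. A short comment above the test would record the intent, for example `# lifecycle hooks are accepted on additional containers; init/install/upgrade/(cron)job containers reject them`.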
@@ -969,7 +965,6 @@ tests: periodSeconds: 5 - it: should fail with invalid protocol in ports in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -982,7 +977,6 @@ tests: errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP. - it: should fail without name in ports in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -995,7 +989,6 @@ tests: errorMessage: is required in all in (RELEASE-NAME-common-test-some-name) container. - it: should fail without containerPort in ports in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -1007,7 +1000,6 @@ tests: errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. - it: should fail with non-int containerPort in ports in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -1019,7 +1011,6 @@ tests: errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int. - it: should fail with non-int hostPort in ports in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -1080,7 +1071,6 @@ tests: name: udp-port - it: should fail without trying to mount a non existent volume in volumeMounts defined in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: @@ -1092,7 +1082,6 @@ tests: errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . - it: should fail without name in volumeMounts defined in additional container - documentIndex: *deploymentDoc set: additionalContainers: some-name: 
diff --git a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml index 65ea590804..657d285601 100644 --- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml @@ -419,7 +419,6 @@ tests: path: spec.template.spec.initContainers[0].env - it: should fail with lifecycle defined in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -429,7 +428,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks - it: should fail with env trying to override fixedEnvs in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -440,7 +438,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] - it: should fail with env trying to override configmap in init container - documentIndex: *deploymentDoc set: configmap: some-confmap: @@ -458,7 +455,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] - it: should fail with env trying to override secret in init container - documentIndex: *deploymentDoc set: secret: some-secret: @@ -849,7 +845,6 @@ tests: runAsUser: 0 - it: should fail with probes in init container - documentIndex: *deploymentDoc set: initContainers: some-name: 
@@ -861,7 +856,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes - it: should fail with invalid protocol in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -874,7 +868,6 @@ tests: errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP. - it: should fail without name in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -887,7 +880,6 @@ tests: errorMessage: is required in all in (RELEASE-NAME-common-test-some-name) container. - it: should fail without containerPort in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -899,7 +891,6 @@ tests: errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. - it: should fail with non-int containerPort in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -911,7 +902,6 @@ tests: errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int. - it: should fail with non-int hostPort in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -972,7 +962,6 @@ tests: name: udp-port - it: should fail without trying to mount a non existent volume in volumeMounts defined in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -984,7 +973,6 @@ tests: errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . - it: should fail without name in volumeMounts defined in init container - documentIndex: *deploymentDoc set: initContainers: some-name: 
diff --git a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml index a5809a6038..3674886b76 100644 --- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml @@ -162,7 +162,7 @@ tests: content: terminationMessagePath: somePath terminationMessagePolicy: File -# TODO: copy and adapt tests to jobSpecContainer + - it: should pass with resources inherited from main container and modified in init container documentIndex: *deploymentDoc set: @@ -421,7 +421,6 @@ tests: path: spec.template.spec.initContainers[0].env - it: should fail with lifecycle defined in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -431,7 +430,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks - it: should fail with env trying to override fixedEnvs in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -442,7 +440,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] - it: should fail with env trying to override configmap in init container - documentIndex: *deploymentDoc set: configmap: some-confmap: @@ -460,7 +457,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] - it: should fail with env trying to override secret in init container - documentIndex: *deploymentDoc set: secret: some-secret: 
@@ -477,7 +473,6 @@ tests: - failedTemplate: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] - - it: should pass with securityContext inherited documentIndex: *deploymentDoc set: @@ -852,7 +847,6 @@ tests: runAsUser: 0 - it: should fail with probes in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -864,7 +858,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes - it: should fail with invalid protocol in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -877,7 +870,6 @@ tests: errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP. - it: should fail without name in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -890,7 +882,6 @@ tests: errorMessage: is required in all in (RELEASE-NAME-common-test-some-name) container. - it: should fail without containerPort in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -902,7 +893,6 @@ tests: errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. - it: should fail with non-int containerPort in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -914,7 +904,6 @@ tests: errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int. - it: should fail with non-int hostPort in ports in init container - documentIndex: *deploymentDoc set: initContainers: some-name: 
@@ -975,7 +964,6 @@ tests: name: udp-port - it: should fail without trying to mount a non existent volume in volumeMounts defined in init container - documentIndex: *deploymentDoc set: initContainers: some-name: @@ -987,7 +975,6 @@ tests: errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . - it: should fail without name in volumeMounts defined in init container - documentIndex: *deploymentDoc set: initContainers: some-name: diff --git a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml index 95a90ef41b..e1534990ea 100644 --- a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml @@ -433,7 +433,6 @@ tests: path: spec.template.spec.initContainers[0].env - it: should fail with lifecycle defined in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -443,7 +442,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks - it: should fail with env trying to override fixedEnvs in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -454,7 +452,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] - it: should fail with env trying to override configmap in install container - documentIndex: *deploymentDoc set: configmap: some-confmap: 
@@ -472,7 +469,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] - it: should fail with env trying to override secret in install container - documentIndex: *deploymentDoc set: secret: some-secret: @@ -863,7 +859,6 @@ tests: runAsUser: 0 - it: should fail with probes in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -875,7 +870,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes - it: should fail with invalid protocol in ports in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -888,7 +882,6 @@ tests: errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP. - it: should fail without name in ports in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -901,7 +894,6 @@ tests: errorMessage: is required in all in (RELEASE-NAME-common-test-some-name) container. - it: should fail without containerPort in ports in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -913,7 +905,6 @@ tests: errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. - it: should fail with non-int containerPort in ports in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -925,7 +916,6 @@ tests: errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int. - it: should fail with non-int hostPort in ports in install container - documentIndex: *deploymentDoc set: installContainers: some-name: 
@@ -986,7 +976,6 @@ tests: name: udp-port - it: should fail without trying to mount a non existent volume in volumeMounts defined in install container - documentIndex: *deploymentDoc set: installContainers: some-name: @@ -998,7 +987,6 @@ tests: errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . - it: should fail without name in volumeMounts defined in install container - documentIndex: *deploymentDoc set: installContainers: some-name: diff --git a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml index 62ffa4241c..bf75b52d18 100644 --- a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml @@ -435,7 +435,6 @@ tests: path: spec.template.spec.initContainers[0].env - it: should fail with lifecycle defined in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -445,7 +444,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support lifecycle hooks - it: should fail with env trying to override fixedEnvs in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -456,7 +454,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] - it: should fail with env trying to override configmap in upgrade container - documentIndex: *deploymentDoc set: configmap: some-confmap: 
@@ -474,7 +471,6 @@ tests: errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-some-name) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] - it: should fail with env trying to override secret in upgrade container - documentIndex: *deploymentDoc set: secret: some-secret: @@ -865,7 +861,6 @@ tests: runAsUser: 0 - it: should fail with probes in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -877,7 +872,6 @@ tests: errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-some-name) do not support probes - it: should fail with invalid protocol in ports in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -890,7 +884,6 @@ tests: errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Valid protocols are TCP and UDP. - it: should fail without name in ports in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -903,7 +896,6 @@ tests: errorMessage: is required in all in (RELEASE-NAME-common-test-some-name) container. - it: should fail without containerPort in ports in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -915,7 +907,6 @@ tests: errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. - it: should fail with non-int containerPort in ports in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -927,7 +918,6 @@ tests: errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-some-name) container. Must be an int. - it: should fail with non-int hostPort in ports in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: 
@@ -988,7 +978,6 @@ tests: name: udp-port - it: should fail without trying to mount a non existent volume in volumeMounts defined in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: @@ -1000,7 +989,6 @@ tests: errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . - it: should fail without name in volumeMounts defined in upgrade container - documentIndex: *deploymentDoc set: upgradeContainers: some-name: diff --git a/library/common-test/tests/jobs/cronJobSpecContainer_test copy.yaml b/library/common-test/tests/jobs/cronJobSpecContainer_test copy.yaml new file mode 100644 index 0000000000..f82cc48fd1 --- /dev/null +++ b/library/common-test/tests/jobs/cronJobSpecContainer_test copy.yaml 
@@ -0,0 +1,1120 @@ +suite: cron Job Containers test +templates: + - common.yaml +tests: + - it: should pass with default values + documentIndex: &deploymentDoc 0 + asserts: + - hasDocuments: + count: 3 + - isKind: + of: Deployment + + - it: should pass with default in job + documentIndex: &cronJobDoc 3 + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + asserts: + - isKind: + of: CronJob + - isAPIVersion: + of: batch/v1 + + - it: should pass with default container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + asserts: + - equal: + path: spec.jobTemplate.spec.template.spec.containers[0] + value: + name: RELEASE-NAME-common-test-job-main + image: repo:tag + imagePullPolicy: IfNotPresent + tty: false + stdin: false + env: + - name: "TZ" + value: "UTC" + - name: "UMASK" + value: "002" + - name: "UMASK_SET" + value: "002" + - name: "NVIDIA_VISIBLE_DEVICES" + value: "void" + - name: "S6_READ_ONLY_ROOT" + value: "1" + securityContext: + runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + capabilities: + add: [] + drop: + - "ALL" + resources: + requests: + cpu: 10m + memory: 50Mi + limits: + cpu: 4000m + memory: 8Gi + + - it: should pass with image defined in job container + documentIndex: *cronJobDoc + set: + jobImage: + repository: some-repo-job + tag: some-tag-job + pullPolicy: Never + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: jobImage + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + image: some-repo-job:some-tag-job + imagePullPolicy: Never + + - it: should pass with tty and stdin defined in job container + documentIndex: 
*cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + tty: true + stdin: true + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + tty: true + stdin: true + + - it: should pass with command defined in job container + documentIndex: *cronJobDoc + set: + port: 8080 + entrypoint: ./run.sh + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + command: + - /bin/sh + - -c + - | + {{ .Values.entrypoint }} + args: + - --port + - "{{ .Values.port }}" + extraArgs: + - --data_dir + - /data + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + command: + - /bin/sh + - -c + - | + ./run.sh + args: + - --port + - "8080" + - --data_dir + - /data + + - it: should pass with termination defined in job container + documentIndex: *cronJobDoc + set: + port: 8080 + entrypoint: ./run.sh + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + termination: + messagePath: somePath + messagePolicy: File + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + terminationMessagePath: somePath + terminationMessagePolicy: File + + - it: should pass with resources inherited from main container and modified in job container + documentIndex: *cronJobDoc + set: + resources: + requests: + cpu: 25m + memory: 80Mi + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + resources: + inherit: true + limits: + cpu: 1000m + memory: 1Gi + requests: + memory: 120Mi + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 25m + memory: 120Mi + + 
- it: should pass with resources defined in job container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + nvidiaCaps: + - compute + scaleGPU: + gpu.intel.com/i915: "1" + resources: + limits: + cpu: 3000m + memory: 4Gi + requests: + cpu: 20m + memory: 100Mi + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + resources: + limits: + cpu: 3000m + memory: 4Gi + gpu.intel.com/i915: "1" + requests: + cpu: 20m + memory: 100Mi + - contains: + path: spec.jobTemplate.spec.template.spec.containers[0].env + content: + name: NVIDIA_DRIVER_CAPABILITIES + value: compute + + - it: should pass with envFrom defined in job container + documentIndex: *cronJobDoc + set: + some_name: a_name + some_name2: a_name2 + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + envFrom: + - configMapRef: + name: "{{ .Values.some_name }}" + - configMapRef: + name: "{{ .Values.some_name2 }}" + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + envFrom: + - configMapRef: + name: a_name + - configMapRef: + name: a_name2 + + - it: should pass with env and envList defined in job container + documentIndex: *cronJobDoc + set: + some_value: value + some_value2: value2 + some_value3: value3 + some_value4: value4 + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + env: + var1: "{{ .Values.some_value }}" + var2: "{{ .Values.some_value2 }}" + envList: + - name: var3 + value: "{{ .Values.some_value3 }}" + - name: var4 + value: "{{ .Values.some_value4 }}" + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + env: + - name: TZ + value: UTC + - name: UMASK + value: "002" + - name: UMASK_SET + value: "002" + - name: NVIDIA_VISIBLE_DEVICES + value: void + - 
name: S6_READ_ONLY_ROOT + value: "1" + - name: var1 + value: value + - name: var2 + value: value2 + - name: var3 + value: value3 + - name: var4 + value: value4 + + - it: should pass with changed PUID/UMASK + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + securityContext: + runAsUser: 0 + runAsNonRoot: false + security: + UMASK: "003" + PUID: 1000 + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + env: + - name: TZ + value: UTC + - name: UMASK + value: "003" + - name: UMASK_SET + value: "003" + - name: NVIDIA_VISIBLE_DEVICES + value: void + - name: PUID + value: "1000" + - name: USER_ID + value: "1000" + - name: UID + value: "1000" + - name: PGID + value: "568" + - name: GROUP_ID + value: "568" + - name: GID + value: "568" + - name: S6_READ_ONLY_ROOT + value: "1" + + - it: should pass with disabled injectFixedEnvs + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + securityContext: + runAsUser: 0 + runAsNonRoot: false + injectFixedEnvs: false + asserts: + - isNull: + path: spec.jobTemplate.spec.template.spec.containers[0].env + + - it: should fail with lifecycle defined in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + lifecycle: + asserts: + - failedTemplate: + errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-job-main) do not support lifecycle hooks + + - it: should fail with env trying to override fixedEnvs in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + env: + TZ: something + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is 
set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (env)] + + - it: should fail with env trying to override configmap in job container + set: + configmap: + some-confmap: + enabled: true + parseAsEnv: true + content: + TZ: something + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + envFrom: + - configMapRef: + name: '{{ include "ix.v1.common.names.fullname" . }}-some-confmap' + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] + + - it: should fail with env trying to override secret in job container + set: + secret: + some-secret: + enabled: true + parseAsEnv: true + content: + TZ: something + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + envFrom: + - secretRef: + name: '{{ include "ix.v1.common.names.fullname" . }}-some-secret' + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. 
[to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] + + - it: should pass with securityContext inherited + documentIndex: *cronJobDoc + set: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with deviceList defined in job container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + deviceList: + - enabled: true + mountPath: /host/dev/usb + hostPath: /dev/usb + securityContext: + inherit: true + asserts: + - equal: + path: spec.jobTemplate.spec.template.spec.securityContext + value: + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + supplementalGroups: + - 5 + - 10 + - 20 + - 24 + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: [] + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with deviceList and scaleGPU defined in job container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + scaleGPU: + nvidia: something + deviceList: + - enabled: true + 
mountPath: /host/dev/usb + hostPath: /dev/usb + securityContext: + inherit: true + asserts: + - equal: + path: spec.jobTemplate.spec.template.spec.securityContext + value: + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + supplementalGroups: + - 5 + - 10 + - 20 + - 24 + - 44 + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: [] + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with port <=1024 defined in job container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with securityContext default + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with securityContext changed + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + 
readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with some values changed + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: + - Something + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Something + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with inherit and at least one value changed + documentIndex: *cronJobDoc + set: + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + drop: + - something_else + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + imageSelector: image + securityContext: + inherit: true + runAsNonRoot: false + runAsUser: 0 + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: [] + drop: + - something_else + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: false + runAsUser: 0 + + - it: should fail with probes in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: 
"* * * * *" + podSpec: + containers: + main: + probes: + liveness: + enabled: true + asserts: + - failedTemplate: + errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-job-main) do not support probes + + - it: should fail with invalid protocol in ports in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: 5678 + protocol: invalid-proto + name: tcp-port + asserts: + - failedTemplate: + errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Valid protocols are TCP and UDP. + + - it: should fail without name in ports in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: 5678 + protocol: TCP + name: "" + asserts: + - failedTemplate: + errorMessage: is required in all in (RELEASE-NAME-common-test-job-main) container. + + - it: should fail without containerPort in ports in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: "" + name: tcp-port + asserts: + - failedTemplate: + errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. + + - it: should fail with non-int containerPort in ports in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: not-int + name: tcp-port + asserts: + - failedTemplate: + errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Must be an int. 
+ + - it: should fail with non-int hostPort in ports in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: 1234 + hostPort: not-int + name: tcp-port + asserts: + - failedTemplate: + errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Must be an int. + + - it: should pass without protocol in ports in job container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: 5678 + name: tcp-port + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + ports: + - containerPort: 5678 + protocol: TCP + name: tcp-port + + - it: should pass with ports defined in job container + documentIndex: *cronJobDoc + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + ports: + - containerPort: 5678 + protocol: TCP + name: tcp-port + - containerPort: 1234 + protocol: UDP + name: udp-port + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + ports: + - containerPort: 5678 + protocol: TCP + name: tcp-port + - containerPort: 1234 + protocol: UDP + name: udp-port + + - it: should fail without trying to mount a non existent volume in volumeMounts defined in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + volumeMounts: + - name: some-volume + mountPath: /some/path + asserts: + - failedTemplate: + errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . 
+ + - it: should fail without name in volumeMounts defined in job container + set: + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + volumeMounts: + - name: + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + asserts: + - failedTemplate: + errorMessage: is required in volumeMounts in init/install/upgrade/additional containers. + + - it: should pass with volumeMounts defined in job container + documentIndex: *cronJobDoc + set: + persistence: + some-volume: + enabled: true + noMount: true + type: emptyDir + some-other-volume: + enabled: true + noMount: true + type: emptyDir + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + + - it: should pass with deviceList and volumeMounts defined in job container + documentIndex: *cronJobDoc + set: + deviceList: + - enabled: true + type: hostPath + mountPath: /host/dev/something + hostPath: /dev/something + persistence: + some-volume: + enabled: true + noMount: true + type: emptyDir + some-other-volume: + enabled: true + noMount: true + type: emptyDir + jobs: + job-name: + enabled: true + cron: + enabled: true + schedule: "* * * * *" + podSpec: + containers: + main: + deviceList: + - enabled: true + type: hostPath + mountPath: /host/dev/usb + hostPath: /dev/usb + - enabled: true + type: hostPath + mountPath: /host/dev/serial + hostPath: /dev/serial + volumeMounts: + 
- name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + asserts: + - isSubset: + path: spec.jobTemplate.spec.template.spec.containers[0] + content: + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + - name: device-job-main-0 + mountPath: /host/dev/usb + - name: device-job-main-1 + mountPath: /host/dev/serial diff --git a/library/common-test/tests/jobs/jobSpecContainer_test.yaml b/library/common-test/tests/jobs/jobSpecContainer_test.yaml index 9667f606ba..7090f6089a 100644 --- a/library/common-test/tests/jobs/jobSpecContainer_test.yaml +++ b/library/common-test/tests/jobs/jobSpecContainer_test.yaml @@ -1,4 +1,4 @@ -suite: jobTemplate test +suite: job Containers test templates: - common.yaml tests: @@ -183,7 +183,7 @@ tests: cpu: 25m memory: 80Mi jobs: - some-name: + job-name: enabled: true podSpec: containers: @@ -211,7 +211,7 @@ tests: documentIndex: *jobDoc set: jobs: - some-name: + job-name: enabled: true podSpec: containers: @@ -251,7 +251,7 @@ tests: some_name: a_name some_name2: a_name2 jobs: - some-name: + job-name: enabled: true podSpec: containers: @@ -271,7 +271,7 @@ tests: - configMapRef: name: a_name2 - - it: should pass with env and envList defined in init container + - it: should pass with env and envList defined in job container documentIndex: *jobDoc set: some_value: value @@ -279,7 +279,7 @@ tests: some_value3: value3 some_value4: value4 jobs: - some-name: + job-name: enabled: true podSpec: containers: 
@@ -315,3 +315,698 @@ tests: value: value3 - name: var4 value: value4 + + - it: should pass with changed PUID/UMASK + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + securityContext: + runAsUser: 0 + runAsNonRoot: false + security: + UMASK: "003" + PUID: 1000 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + env: + - name: TZ + value: UTC + - name: UMASK + value: "003" + - name: UMASK_SET + value: "003" + - name: NVIDIA_VISIBLE_DEVICES + value: void + - name: PUID + value: "1000" + - name: USER_ID + value: "1000" + - name: UID + value: "1000" + - name: PGID + value: "568" + - name: GROUP_ID + value: "568" + - name: GID + value: "568" + - name: S6_READ_ONLY_ROOT + value: "1" + + - it: should pass with disabled injectFixedEnvs + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + securityContext: + runAsUser: 0 + runAsNonRoot: false + injectFixedEnvs: false + asserts: + - isNull: + path: spec.template.spec.containers[0].env + + - it: should fail with lifecycle defined in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + lifecycle: + asserts: + - failedTemplate: + errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-job-main) do not support lifecycle hooks + + - it: should fail with env trying to override fixedEnvs in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + env: + TZ: something + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. 
[to (UTC) on (fixedEnv)] and [to (something) on (env)] + + - it: should fail with env trying to override configmap in job container + set: + configmap: + some-confmap: + enabled: true + parseAsEnv: true + content: + TZ: something + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + envFrom: + - configMapRef: + name: '{{ include "ix.v1.common.names.fullname" . }}-some-confmap' + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. [to (UTC) on (fixedEnv)] and [to (something) on (configmap-RELEASE-NAME-common-test-some-confmap)] + + - it: should fail with env trying to override secret in job container + set: + secret: + some-secret: + enabled: true + parseAsEnv: true + content: + TZ: something + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + envFrom: + - secretRef: + name: '{{ include "ix.v1.common.names.fullname" . }}-some-secret' + asserts: + - failedTemplate: + errorMessage: Environment Variable (TZ) on container (RELEASE-NAME-common-test-job-main) is set more than once. 
[to (UTC) on (fixedEnv)] and [to (something) on (secret-RELEASE-NAME-common-test-some-secret)] + + - it: should pass with securityContext inherited + documentIndex: *jobDoc + set: + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with deviceList defined in job container + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + deviceList: + - enabled: true + mountPath: /host/dev/usb + hostPath: /dev/usb + securityContext: + inherit: true + asserts: + - equal: + path: spec.template.spec.securityContext + value: + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + supplementalGroups: + - 5 + - 10 + - 20 + - 24 + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: [] + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with deviceList and scaleGPU defined in job container + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + scaleGPU: + nvidia: something + deviceList: + - enabled: true + mountPath: /host/dev/usb + hostPath: /dev/usb + securityContext: + inherit: true + asserts: + - equal: + path: spec.template.spec.securityContext + value: + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + 
supplementalGroups: + - 5 + - 10 + - 20 + - 24 + - 44 + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: [] + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with port <=1024 defined in job container + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with securityContext default + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + imageSelector: image + securityContext: + inherit: true + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + + - it: should pass with securityContext changed + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Something + drop: + - Something_Else + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + 
runAsUser: 0 + + - it: should pass with securityContext with some values changed + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + imageSelector: image + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + add: + - Something + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Something + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + + - it: should pass with securityContext with inherit and at least one value changed + documentIndex: *jobDoc + set: + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + drop: + - something_else + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + imageSelector: image + securityContext: + inherit: true + runAsNonRoot: false + runAsUser: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: [] + drop: + - something_else + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: false + runAsUser: 0 + + - it: should fail with probes in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + probes: + liveness: + enabled: true + asserts: + - failedTemplate: + errorMessage: Init/Install/Upgrade/(Cron)Job Container (RELEASE-NAME-common-test-job-main) do not support probes + + - it: should fail with invalid protocol in ports in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: 5678 + protocol: invalid-proto + name: tcp-port + asserts: + - failedTemplate: + errorMessage: Invalid (invalid-proto) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Valid protocols are TCP and UDP. 
+ + - it: should fail without name in ports in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: 5678 + protocol: TCP + name: "" + asserts: + - failedTemplate: + errorMessage: is required in all in (RELEASE-NAME-common-test-job-main) container. + + - it: should fail without containerPort in ports in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: "" + name: tcp-port + asserts: + - failedTemplate: + errorMessage: is required in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. + + - it: should fail with non-int containerPort in ports in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: not-int + name: tcp-port + asserts: + - failedTemplate: + errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Must be an int. + + - it: should fail with non-int hostPort in ports in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: 1234 + hostPort: not-int + name: tcp-port + asserts: + - failedTemplate: + errorMessage: Invalid (not-int) in port (tcp-port) in (RELEASE-NAME-common-test-job-main) container. Must be an int. 
+ + - it: should pass without protocol in ports in job container + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: 5678 + name: tcp-port + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + ports: + - containerPort: 5678 + protocol: TCP + name: tcp-port + + - it: should pass with ports defined in job container + documentIndex: *jobDoc + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + ports: + - containerPort: 5678 + protocol: TCP + name: tcp-port + - containerPort: 1234 + protocol: UDP + name: udp-port + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + ports: + - containerPort: 5678 + protocol: TCP + name: tcp-port + - containerPort: 1234 + protocol: UDP + name: udp-port + + - it: should fail without trying to mount a non existent volume in volumeMounts defined in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + volumeMounts: + - name: some-volume + mountPath: /some/path + asserts: + - failedTemplate: + errorMessage: You are trying to mount a volume that does not exist (some-volume). Please define the volume in . + + - it: should fail without name in volumeMounts defined in job container + set: + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + volumeMounts: + - name: + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + asserts: + - failedTemplate: + errorMessage: is required in volumeMounts in init/install/upgrade/additional containers. 
+ + - it: should pass with volumeMounts defined in job container + documentIndex: *jobDoc + set: + persistence: + some-volume: + enabled: true + noMount: true + type: emptyDir + some-other-volume: + enabled: true + noMount: true + type: emptyDir + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + + - it: should pass with deviceList and volumeMounts defined in job container + documentIndex: *jobDoc + set: + deviceList: + - enabled: true + type: hostPath + mountPath: /host/dev/something + hostPath: /dev/something + persistence: + some-volume: + enabled: true + noMount: true + type: emptyDir + some-other-volume: + enabled: true + noMount: true + type: emptyDir + jobs: + job-name: + enabled: true + podSpec: + containers: + main: + deviceList: + - enabled: true + type: hostPath + mountPath: /host/dev/usb + hostPath: /dev/usb + - enabled: true + type: hostPath + mountPath: /host/dev/serial + hostPath: /dev/serial + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + volumeMounts: + - name: some-volume + mountPath: /some/path + readOnly: false + subPath: /some/sub/path + - name: some-other-volume + mountPath: /some/other/path + readOnly: false + subPath: /some/other/sub/path + - name: device-job-main-0 + mountPath: 
/host/dev/usb + - name: device-job-main-1 + mountPath: /host/dev/serial diff --git a/library/common/1.0.0/templates/lib/container/_security.tpl b/library/common/1.0.0/templates/lib/container/_security.tpl index 07c04bd3a3..a1c9d669a4 100644 --- a/library/common/1.0.0/templates/lib/container/_security.tpl +++ b/library/common/1.0.0/templates/lib/container/_security.tpl @@ -138,13 +138,13 @@ The reason is not splitted, is that on one of the places needs a combo of all va {{/* Go over the containers */}} {{- range $containerName, $container := (get $root.Values $key) -}} - {{/* If the container has deviceList */}} + {{/* If at least 1 container has deviceList... */}} {{- if hasKey $container "deviceList" -}} {{- if $container.deviceList -}} {{- $appendDeviceGroups = true -}} {{- end -}} {{- end -}} - {{/* If the container has scaleGPU */}} + {{/* If at least 1 container has GPU... */}} {{- if hasKey $container "scaleGPU" -}} {{- if $container.scaleGPU -}} {{- $appendGPUGroup = true -}} @@ -157,9 +157,15 @@ The reason is not splitted, is that on one of the places needs a combo of all va {{- range $jobName, $job := $root.Values.jobs -}} {{- if $job.enabled -}} {{- range $name, $container := $job.podSpec.containers -}} + {{/* If at least 1 container has deviceList... */}} + {{- if hasKey $container "deviceList" -}} + {{- if $container.deviceList -}} + {{- $appendDeviceGroups = true -}} + {{- end -}} + {{- end -}} + {{/* If at least 1 container has GPU... */}} {{- if hasKey $container "scaleGPU" -}} {{- if $container.scaleGPU -}} - {{/* If at least 1 container has GPU... */}} {{- $appendGPUGroup = true -}} {{- end -}} {{- end -}} 
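Review bot: The two deviceList cases ("should pass with deviceList defined in job container" and the scaleGPU variant) expect `privileged: true` and `allowPrivilegeEscalation: true` although the values only set `securityContext.inherit: true`, and nothing in the test says the elevation comes from the device entry. The "securityContext default" case uses the same `inherit: true` and gets `privileged: false`. A comment above those asserts, e.g. `# a non-empty deviceList is expected to switch the job container to privileged`, would stop a later reader from treating the expectation as a mistake or loosening it unnoticed. Every deviceList case in this hunk also uses `enabled: true` and a single job, so a case with only `enabled: false` devices would pin what is intended there. Separately, the "should fail without name in volumeMounts" case matches a message that names init/install/upgrade/additional containers but not job containers.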
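Review bot: The deviceList check added to the jobs loop (`@@ -157`) sets `$appendDeviceGroups` whenever a job container's `deviceList` is non-empty, without looking at each entry's `enabled` field. A list whose devices are all `enabled: false` would therefore still add the device supplemental groups to the pod security context, unless disabled entries are filtered before this helper runs, which the hunk does not show. Setting the flag per enabled entry keeps the extra groups tied to a device that is actually mounted, e.g. `{{- range $container.deviceList -}}{{- if .enabled -}}{{- $appendDeviceGroups = true -}}{{- end -}}{{- end -}}`. The same applies to the identical check in the loop at `@@ -138`; the enclosing define starts and ends outside both hunks.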
@@ -186,7 +192,7 @@ The reason is not splitted, is that on one of the places needs a combo of all va {{- end -}} {{/* Validate values, as mergeOverwrite also passes null values */}} - {{- if eq (toString $returnValue.fsGroup) "" -}} + {{- if (kindIs "invalid" $returnValue.fsGroup) -}} {{- fail (printf " key cannot be empty. Set a value or remove the key for the default (%v) to take effect." $defaultPodSecCont.fsGroup) -}} {{- else if not (mustHas (kindOf $returnValue.fsGroup) (list "int" "float64")) -}} {{- fail (printf " key has value of (%q). But must be an int." $returnValue.fsGroup) -}} diff --git a/library/common/1.0.0/templates/lib/job/_jobPod.tpl b/library/common/1.0.0/templates/lib/job/_jobPod.tpl index 96dbff0e62..e7cf5f913c 100644 --- a/library/common/1.0.0/templates/lib/job/_jobPod.tpl +++ b/library/common/1.0.0/templates/lib/job/_jobPod.tpl @@ -276,4 +276,3 @@ volumes: {{- . | nindent 2 }} {{- end -}} {{- end -}} -{{/* TODO: Unit Tests */}} diff --git a/library/common/1.0.0/templates/lib/job/_validateCron.tpl b/library/common/1.0.0/templates/lib/job/_validateCron.tpl index 1aec33e706..6ad1c2d7ad 100644 --- a/library/common/1.0.0/templates/lib/job/_validateCron.tpl +++ b/library/common/1.0.0/templates/lib/job/_validateCron.tpl @@ -48,4 +48,3 @@ {{- end -}} {{- end -}} {{- end -}} -{{/* TODO: Unit Tests */}} diff --git a/library/common/1.0.0/templates/lib/values/lists/_deviceList.tpl b/library/common/1.0.0/templates/lib/values/lists/_deviceList.tpl index cc76faac4a..50fc0aa702 100644 --- a/library/common/1.0.0/templates/lib/values/lists/_deviceList.tpl +++ b/library/common/1.0.0/templates/lib/values/lists/_deviceList.tpl 
@@ -25,46 +25,65 @@ {{- range $key := (list "initContainers" "installContainers" "upgradeContainers" "additionalContainers") -}} {{/* If they have containers defined... */}} {{- if (get $root.Values $key) -}} - - {{/* Go over the containers */}} - {{- range $containerName, $container := (get $root.Values $key) -}} - {{/* If the container has deviceList */}} - {{- if hasKey $container "deviceList" -}} - - {{/* Go over the devices */}} - {{- range $index, $device := $container.deviceList -}} - {{/* Generate the name */}} - {{- $deviceName := (printf "device-%s-%s" $containerName (toString $index)) -}} - - {{- if $device.name -}} - {{- $deviceName = (printf "%s-%s" $containerName (toString $device.name)) -}} - {{- end -}} - - {{/* Add the name on the device item */}} - {{- $_ := set $device "name" $deviceName -}} - {{/* Note that "set" mutates the actual item and not a copy */}} - - {{/* Make sure a volumeMount list exists */}} - {{- if not (hasKey $container "volumeMounts") -}} - {{- $_ := set $container "volumeMounts" list -}} - {{- end -}} - - {{/* Append a volumeMount item, so other templates - take care of the mounting of the device */}} - {{- $_ := set $container "volumeMounts" (mustAppend $container.volumeMounts $device) -}} - - {{/* Make sure a persistence dict exists */}} - {{- if not (hasKey $root.Values "persistence") -}} - {{- $_ := set $root.Values "persistence" dict -}} - {{- end -}} - - {{/* Add a noMount flag so it won't get mounted in the main container */}} - {{- $_ := set $device "noMount" true -}} - {{/* Add the device on persistence, - so other templates take care of the volume creation */}} - {{- $_ := set $root.Values.persistence $deviceName $device -}} - {{- end -}} - {{- end -}} + {{- include "ix.v1.common.lib.values.deviceList.containers" (dict "root" $root "containers" (get $root.Values $key)) -}} + {{- end -}} + {{- end -}} + {{/* Go over all jobs */}} + {{- range $name, $job := $root.Values.jobs -}} + {{- if $job.enabled -}} + {{- if and 
$job.podSpec $job.podSpec.containers -}} + {{- include "ix.v1.common.lib.values.deviceList.containers" (dict "root" $root "isJob" true "containers" ($job.podSpec.containers)) -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "ix.v1.common.lib.values.deviceList.containers" -}} + {{- $containers := .containers -}} + {{- $root := .root -}} + {{- $isJob := .isJob -}} + {{/* Go over the containers */}} + {{- range $containerName, $container := $containers -}} + {{/* If the container has deviceList */}} + {{- if hasKey $container "deviceList" -}} + + {{/* Go over the devices */}} + {{- range $index, $device := $container.deviceList -}} + {{/* Generate the name */}} + {{- $name := $containerName -}} + {{- if $isJob -}} + {{- $name = (printf "job-%s" $containerName) -}} + {{- end -}} + {{- $deviceName := (printf "device-%s-%s" $name (toString $index)) -}} + + {{- if $device.name -}} + {{- $deviceName = (printf "%s-%s" $name (toString $device.name)) -}} + {{- end -}} + + {{/* Add the name on the device item */}} + {{- $_ := set $device "name" $deviceName -}} + {{/* Note that "set" mutates the actual item and not a copy */}} + + {{/* Make sure a volumeMount list exists */}} + {{- if not (hasKey $container "volumeMounts") -}} + {{- $_ := set $container "volumeMounts" list -}} + {{- end -}} + + {{/* Append a volumeMount item, so other templates + take care of the mounting of the device */}} + {{- $_ := set $container "volumeMounts" (mustAppend $container.volumeMounts $device) -}} + + {{/* Make sure a persistence dict exists */}} + {{- if not (hasKey $root.Values "persistence") -}} + {{- $_ := set $root.Values "persistence" dict -}} + {{- end -}} + + {{/* Add a noMount flag so it won't get mounted in the main container */}} + {{- $_ := set $device "noMount" true -}} + {{- $_ := set $device "type" "hostPath" -}} + {{/* Add the device on persistence, + so other templates take care of the volume creation */}} + {{- $_ := set $root.Values.persistence 
$deviceName $device -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/library/common/1.0.0/templates/spawner/_jobAndCronJob.tpl b/library/common/1.0.0/templates/spawner/_jobAndCronJob.tpl index a4c88b5398..325a3452ef 100644 --- a/library/common/1.0.0/templates/spawner/_jobAndCronJob.tpl +++ b/library/common/1.0.0/templates/spawner/_jobAndCronJob.tpl @@ -16,4 +16,3 @@ {{- end -}} {{- end -}} {{- end -}} -{{/* TODO: Unit Tests */}}
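Review bot: Device names for job containers are built from the container key alone (`printf "job-%s" $containerName`), so two enabled jobs that each have a container `main` with a deviceList both produce `device-job-main-0`. The later `set $root.Values.persistence $deviceName $device` then silently replaces the earlier entry, and presumably one job ends up mounting the other job's host device. Passing the job key into the helper avoids the collision: call it with `(dict "root" $root "isJob" true "jobName" $name "containers" $job.podSpec.containers)`, read it with `{{- $jobName := .jobName -}}`, and build the prefix as `(printf "job-%s-%s" $jobName $containerName)`. The `device-job-main-0` and `device-job-main-1` names expected in the job and cron job tests would change accordingly. The outer define that calls the helper starts above the hunk.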