harden volumeMounts and secret/configmap volumes and update tests

This commit is contained in:
Stavros kois
2022-12-13 21:12:55 +02:00
parent 2197ce7847
commit ca6535c19a
7 changed files with 69 additions and 64 deletions


@@ -46,12 +46,12 @@ tests:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
asserts:
- isKind:
of: Deployment
@@ -62,7 +62,7 @@ tests:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
@@ -79,7 +79,7 @@ tests:
path: spec.template.spec.volumes[1].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[1].name
pattern: *patternKey
@@ -105,12 +105,12 @@ tests:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
key:
enabled: false
path: /some/path/key.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
asserts:
- isKind:
of: Deployment
@@ -121,7 +121,7 @@ tests:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
@@ -147,12 +147,12 @@ tests:
enabled: false
path: /some/path/crt.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
asserts:
- matchRegex:
path: spec.template.spec.volumes[0].name
@@ -161,7 +161,7 @@ tests:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternKey
@@ -190,24 +190,24 @@ tests:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
cert-name2:
id: 2
cert:
enabled: true
path: /some/path/crt.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
key:
enabled: true
path: /some/path/key.key
readOnly: true
defaultMode: 700
defaultMode: "0700"
asserts:
- isKind:
of: Deployment
@@ -218,7 +218,7 @@ tests:
path: spec.template.spec.volumes[0].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[0].name
pattern: *patternCert
@@ -236,7 +236,7 @@ tests:
path: spec.template.spec.volumes[1].secret
value:
secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[1].name
pattern: *patternCert
@@ -254,7 +254,7 @@ tests:
path: spec.template.spec.volumes[2].secret
value:
secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[2].name
pattern: *patternKey
@@ -272,7 +272,7 @@ tests:
path: spec.template.spec.volumes[3].secret
value:
secretName: RELEASE-NAME-common-test-cert-name2-ixcert-2-2
defaultMode: 700
defaultMode: 0700
- matchRegex:
path: spec.template.spec.containers[0].volumeMounts[3].name
pattern: *patternKey
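Review bot: The `equal` asserts in this file now expect `defaultMode: 0700` unquoted (the line after each `secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2`), so the expected value depends on the test loader reading a leading-zero literal as an octal integer, while the inputs under `set:` are the quoted string `"0700"`. Because the expected value and the rendered manifest go through the same loader the comparison holds either way, but nothing says the asymmetry is deliberate, and a later yamllint or Prettier pass could quote it and break the test. A short comment above the first such assert would pin the intent, e.g. `# unquoted 0700 is an octal literal (448 decimal), the integer form the rendered manifest parses to`. The same applies to the `0777`/`0644` asserts in the configMap and secret persistence test sections below.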


@@ -21,7 +21,18 @@ tests:
- failedTemplate:
errorMessage: <mountPath> must be defined, alternatively use the <noMount> flag.
- it: should fail with empty mountPath set
- it: should fail with empty readOnly
set:
persistence:
vol1:
enabled: true
mountPath: /some/path
readOnly:
asserts:
- failedTemplate:
errorMessage: <readOnly> cannot be empty on item (vol1)
- it: should fail with empty mountPath
set:
persistence:
vol1:


@@ -62,7 +62,7 @@ tests:
configMap:
name: some_object_name
- it: should pass with added configMap and defaultMode as int
- it: should fail with added configMap and defaultMode as int
documentIndex: *deploymentDoc
set:
persistence:
@@ -70,16 +70,11 @@ tests:
type: configMap
enabled: true
objectName: some_object_name
defaultMode: 777
defaultMode: 0777
noMount: true
asserts:
- equal:
path: spec.template.spec.volumes[0]
value:
name: some_volume
configMap:
name: some_object_name
defaultMode: 777
- failedTemplate:
errorMessage: <defaultMode> (511, converted to octal) is not valid format. Valid format is string with 4 digits <0777>.
- it: should pass with added configMap and defaultMode as string
documentIndex: *deploymentDoc
@@ -89,7 +84,7 @@ tests:
type: configMap
enabled: true
objectName: some_object_name
defaultMode: "777"
defaultMode: "0777"
noMount: true
asserts:
- equal:
@@ -98,9 +93,9 @@ tests:
name: some_volume
configMap:
name: some_object_name
defaultMode: 777
defaultMode: 0777
- it: should pass with added configMap and defaultMode as int from tpl
- it: should fail with added configMap and defaultMode as int from tpl
documentIndex: *deploymentDoc
set:
mode: 644
@@ -112,18 +107,13 @@ tests:
defaultMode: "{{ .Values.mode }}"
noMount: true
asserts:
- equal:
path: spec.template.spec.volumes[0]
value:
name: some_volume
configMap:
name: some_object_name
defaultMode: 644
- failedTemplate:
errorMessage: <defaultMode> (644, converted to octal) is not valid format. Valid format is string with 4 digits <0777>.
- it: should pass with added configMap and defaultMode as string from tpl
documentIndex: *deploymentDoc
set:
mode: "644"
mode: "0644"
persistence:
some_volume:
type: configMap
@@ -138,7 +128,7 @@ tests:
name: some_volume
configMap:
name: some_object_name
defaultMode: 644
defaultMode: 0644
- it: should pass with added configMap and items
documentIndex: *deploymentDoc
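Review bot: The two new `failedTemplate` expectations pin a message whose number means different things: `(511, converted to octal)` for the `defaultMode: 0777` case shows the decimal the YAML loader produced from an octal literal, while `(644, converted to octal)` for the `mode: 644` case shows the raw decimal input, so "converted to octal" describes neither. Since these tests freeze the wording, it is cheaper to correct the template message in this commit, e.g. `<defaultMode> must be a string of 4 octal digits such as "0777", got (%s)`, and update these expectations together with the matching ones in the secret persistence test section. The `mode: 644` fails / `mode: "0644"` passes pair is a good hardening check; a case with a 4-digit non-octal value such as `"0999"` would show whether the chart or the API server is the one rejecting it.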


@@ -52,7 +52,7 @@ tests:
secret:
secretName: some_object_name
- it: should pass with added secret and defaultMode as int
- it: should fail with added secret and defaultMode as int
documentIndex: *deploymentDoc
set:
persistence:
@@ -60,16 +60,11 @@ tests:
type: secret
enabled: true
objectName: some_object_name
defaultMode: 777
defaultMode: 0777
noMount: true
asserts:
- equal:
path: spec.template.spec.volumes[0]
value:
name: some_volume
secret:
secretName: some_object_name
defaultMode: 777
- failedTemplate:
errorMessage: <defaultMode> (511, converted to octal) is not valid format. Valid format is string with 4 digits <0777>.
- it: should pass with added secret and defaultMode as string
documentIndex: *deploymentDoc
@@ -79,7 +74,7 @@ tests:
type: secret
enabled: true
objectName: some_object_name
defaultMode: "777"
defaultMode: "0777"
noMount: true
asserts:
- equal:
@@ -88,9 +83,9 @@ tests:
name: some_volume
secret:
secretName: some_object_name
defaultMode: 777
defaultMode: 0777
- it: should pass with added secret and defaultMode as int from tpl
- it: should fail with added secret and defaultMode as int from tpl
documentIndex: *deploymentDoc
set:
mode: 644
@@ -102,18 +97,13 @@ tests:
defaultMode: "{{ .Values.mode }}"
noMount: true
asserts:
- equal:
path: spec.template.spec.volumes[0]
value:
name: some_volume
secret:
secretName: some_object_name
defaultMode: 644
- failedTemplate:
errorMessage: <defaultMode> (644, converted to octal) is not valid format. Valid format is string with 4 digits <0777>.
- it: should pass with added secret and defaultMode as string from tpl
documentIndex: *deploymentDoc
set:
mode: "644"
mode: "0644"
persistence:
some_volume:
type: secret
@@ -128,7 +118,7 @@ tests:
name: some_volume
secret:
secretName: some_object_name
defaultMode: 644
defaultMode: 0644
- it: should fail with added secret and no key on items
set:


@@ -11,8 +11,12 @@
{{- with $item.subPath }}
subPath: {{ tpl . $ }}
{{- end -}}
{{- if (hasKey $item "readOnly") }}
{{- if (hasKey $item "readOnly") -}}
{{- if or (eq $item.readOnly true) (eq $item.readOnly false) }}
readOnly: {{ $item.readOnly }}
{{- else -}}
{{- fail (printf "<readOnly> cannot be empty on item (%s)" $index) -}}
{{- end -}}
{{- end -}}
{{- with $item.mountPropagation }}
mountPropagation: {{ tpl . $ }}
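Review bot: The new guard `{{- if or (eq $item.readOnly true) (eq $item.readOnly false) }}` only reaches the custom `fail` for a nil value; a string such as `"true"` (easy to end up with from a templated or quoted value) makes `eq` compare a string with a bool, which in Go templates aborts rendering with "incompatible types for comparison" rather than the `<readOnly> cannot be empty` message. Testing the kind instead of the value gives the chart's own error for every non-boolean: `{{- if kindIs "bool" $item.readOnly }}`. The message could then read `<readOnly> must be true or false on item (%s)`, which means updating the expectation in the new volumeMounts test. The loop that defines `$item` and `$index` lies outside this hunk.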


@@ -7,7 +7,12 @@
configMap:
name: {{ $objectName }}
{{- with $vol.defaultMode }}
defaultMode: {{ tpl (toString .) $root }}
{{- $defMode := tpl (toString .) $root -}}
{{- if (mustRegexMatch "^[0-9]{4}$" $defMode) }}
defaultMode: {{ $defMode }}
{{- else -}}
{{- fail (printf "<defaultMode> (%s, converted to octal) is not valid format. Valid format is string with 4 digits <0777>." $defMode) -}}
{{- end -}}
{{- end -}}
{{- with $vol.items }}
items:
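Review bot: The check `mustRegexMatch "^[0-9]{4}$" $defMode` is looser than the value it guards: `0999` or `1777` are four digits but not an octal mode in the 0000–0777 range Kubernetes accepts for `defaultMode`, so they pass this validation and are left for the API server to reject instead of failing with the chart's message. Anchoring the pattern to the octal form closes that gap: `{{- if (mustRegexMatch "^0[0-7]{3}$" $defMode) }}`. The secret volume template below uses the same pattern and should change with it. `$vol`, `$objectName` and `$root` are defined outside this hunk.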


@@ -7,7 +7,12 @@
secret:
secretName: {{ $objectName }}
{{- with $vol.defaultMode }}
defaultMode: {{ tpl (toString .) $root }}
{{- $defMode := tpl (toString .) $root -}}
{{- if (mustRegexMatch "^[0-9]{4}$" $defMode) }} {{/* TODO: Document that "0700" equals to 448 in octal, k8s accepts both */}}
defaultMode: {{ $defMode }} {{/* TODO: But because when octal values pass from go variables they covert to octal, we require them as string to avoid confusion */}}
{{- else -}}
{{- fail (printf "<defaultMode> (%s, converted to octal) is not valid format. Valid format is string with 4 digits <0777>." $defMode) -}}
{{- end -}}
{{- end -}}
{{- with $vol.items }}
items:
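Review bot: The two TODO comments on the `if` and `defaultMode:` lines sit after a literal space in the template text, so as far as I can tell that space survives rendering as trailing whitespace on the `secretName:` and `defaultMode:` lines, making this template's output differ from the otherwise identical configMap volume template. Moving them onto their own trimmed comment lines keeps the output byte-identical between the two: `{{- /* "0700" is the octal form, 448 its decimal value; k8s accepts both */ -}}` and `{{- /* an int like 0700 is already decimal by the time it reaches the template, so a string is required to avoid confusion */ -}}`. The first TODO as written has the conversion backwards (0700 is octal, 448 is the decimal result), and the behaviour it describes belongs in the chart's values documentation once settled.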