1package container_patch
2
3import (
4"fmt"
5
6"github.com/gruntwork-io/terratest/modules/k8s"
7. "github.com/onsi/ginkgo/v2"
8. "github.com/onsi/gomega"
9kube_core "k8s.io/api/core/v1"
10
11k8s_util "github.com/kumahq/kuma/pkg/plugins/runtime/k8s/util"
12. "github.com/kumahq/kuma/test/framework"
13"github.com/kumahq/kuma/test/framework/deployments/testserver"
14"github.com/kumahq/kuma/test/framework/envs/kubernetes"
15)
16
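// ContainerPatch registers the end-to-end specs for the ContainerPatch
// resource: two patches are installed in the system namespace, one test server
// opts into them through a pod annotation, and a second test server without
// the annotation serves as the baseline.
//
// The specs use BeforeAll, which Ginkgo only allows inside an Ordered
// container; the caller is expected to provide one.
func ContainerPatch() {
	const namespace = "container-patch"
	const mesh = "container-patch"
	const appName = "test-service"
	const appNameWithPatch = "test-service-patched"

	// containerPatch renders a ContainerPatch that marks the injected sidecar
	// as privileged. A privileged container has close to host-level access on
	// its node, so who may create this resource is a security boundary; the
	// last spec checks that it is not accepted in the application namespace.
	// The YAML nesting is significant: the patch list belongs under spec.
	containerPatch := func(ns string) string {
		return fmt.Sprintf(`apiVersion: kuma.io/v1alpha1
kind: ContainerPatch
metadata:
  namespace: %s
  name: container-patch-1
spec:
  sidecarPatch:
    - op: add
      path: /securityContext/privileged
      value: "true"`, ns)
	}
	// containerPatch2 renders a ContainerPatch that removes runAsUser from the
	// init container's security context, leaving the field unset.
	containerPatch2 := func(ns string) string {
		return fmt.Sprintf(`apiVersion: kuma.io/v1alpha1
kind: ContainerPatch
metadata:
  namespace: %s
  name: container-patch-2
spec:
  initPatch:
    - op: remove
      path: /securityContext/runAsUser`, ns)
	}

	// fetchPod resolves the pod of the given app in the test namespace and
	// fails the spec if the lookup does not succeed.
	fetchPod := func(app string) *kube_core.Pod {
		podName, err := PodNameOfApp(kubernetes.Cluster, app, namespace)
		Expect(err).ToNot(HaveOccurred())
		pod, err := k8s.GetPodE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(namespace), podName)
		Expect(err).ToNot(HaveOccurred())
		return pod
	}
	// sidecarOf returns the container expected to be kuma-sidecar. The pod has
	// either two regular containers, with the sidecar first, or one regular
	// container and two init containers, with the sidecar as the second init
	// container.
	sidecarOf := func(pod *kube_core.Pod) kube_core.Container {
		Expect(pod.Spec.Containers).To(
			Or(HaveLen(2), HaveLen(1)),
		)
		if len(pod.Spec.Containers) == 2 {
			// kuma-sidecar is the first container
			return pod.Spec.Containers[0]
		}
		Expect(pod.Spec.InitContainers).To(HaveLen(2))
		// kuma-sidecar is the second init container
		return pod.Spec.InitContainers[1]
	}
	containerName := func(c kube_core.Container) string { return c.Name }
	// privilegedOf reads the privileged flag without dereferencing a missing
	// security context, so an absent context is reported as "not set" by the
	// matcher instead of aborting the spec with a nil-pointer panic.
	privilegedOf := func(c kube_core.Container) *bool {
		if c.SecurityContext == nil {
			return nil
		}
		return c.SecurityContext.Privileged
	}

	BeforeAll(func() {
		// Both patches are created in the system namespace; the patched test
		// server selects them by name through the kuma.io/container-patches
		// annotation, the other test server carries no annotation.
		err := NewClusterSetup().
			Install(NamespaceWithSidecarInjection(namespace)).
			Install(YamlK8s(containerPatch(Config.KumaNamespace))).
			Install(YamlK8s(containerPatch2(Config.KumaNamespace))).
			Install(MeshKubernetes(mesh)).
			Install(testserver.Install(
				testserver.WithNamespace(namespace),
				testserver.WithMesh(mesh),
				testserver.WithName(appNameWithPatch),
				testserver.WithPodAnnotations(
					map[string]string{"kuma.io/container-patches": "container-patch-1,container-patch-2"},
				),
			)).
			Install(testserver.Install(
				testserver.WithNamespace(namespace),
				testserver.WithMesh(mesh),
				testserver.WithName(appName),
			)).
			Setup(kubernetes.Cluster)
		Expect(err).ToNot(HaveOccurred())
	})
	E2EAfterAll(func() {
		Expect(kubernetes.Cluster.TriggerDeleteNamespace(namespace)).To(Succeed())
		Expect(kubernetes.Cluster.DeleteMesh(mesh)).To(Succeed())
	})

	It("should apply container patch to kubernetes configuration", func() {
		// when
		// pod without container patch
		pod := fetchPod(appName)

		// then
		Expect(pod.Spec.InitContainers).To(
			Or(HaveLen(1), HaveLen(2)),
		)
		// the unpatched init container keeps the default RunAsUser, a *int64 pointing at 0
		Expect(pod.Spec.InitContainers[0].SecurityContext).ToNot(BeNil())
		Expect(pod.Spec.InitContainers[0].SecurityContext.RunAsUser).To(Equal(new(int64)))
		// baseline: without the annotation the sidecar must not carry a privileged flag
		beSidecarWithoutPrivileged := And(
			WithTransform(containerName, BeEquivalentTo(k8s_util.KumaSidecarContainerName)),
			WithTransform(privilegedOf, BeNil()),
		)
		Expect(sidecarOf(pod)).To(beSidecarWithoutPrivileged)

		// when
		// pod with patch
		pod = fetchPod(appNameWithPatch)

		// then
		pointerTrue := new(bool)
		*pointerTrue = true
		Expect(pod.Spec.InitContainers).To(
			Or(HaveLen(1), HaveLen(2)),
		)
		// RunAsUser must no longer be defined on the patched init container
		Expect(pod.Spec.InitContainers[0].SecurityContext).ToNot(BeNil())
		Expect(pod.Spec.InitContainers[0].SecurityContext.RunAsUser).To(BeNil())
		beSidecarWithPrivileged := And(
			WithTransform(containerName, BeEquivalentTo(k8s_util.KumaSidecarContainerName)),
			WithTransform(privilegedOf, Equal(pointerTrue)),
		)
		Expect(sidecarOf(pod)).To(beSidecarWithPrivileged)
	})

	It("should reject ContainerPatch in non-system namespace", func() {
		// A ContainerPatch can make the sidecar privileged, so creating one in
		// a namespace other than Config.KumaNamespace has to fail.
		// NOTE(review): this only asserts that kubectl apply returned an error;
		// it does not tell a policy rejection apart from an unrelated failure
		// such as an unreachable API server. Presumably the rejection comes from
		// an admission check; once its message is confirmed, match on it here.

		// when
		err := k8s.KubectlApplyFromStringE(kubernetes.Cluster.GetTesting(), kubernetes.Cluster.GetKubectlOptions(), containerPatch(namespace))

		// then
		Expect(err).To(HaveOccurred())
	})
}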