From f0cbd00b6a86f9838045230b570c98be197ee07d Mon Sep 17 00:00:00 2001
From: Antoine Arlaud
Date: Tue, 5 Sep 2023 23:32:45 +0200
Subject: [PATCH] feat: add cacertfile to load cacert more easily

---
charts/snyk-broker/Chart.yaml | 2 +-
.../templates/cacert_configmap.yaml | 14 +-
...broker_deployment_configmap_test.yaml.snap | 325 ++++++++++++++++++
.../broker_deployment_test.yaml.snap | 24 +-
.../broker_deployment_configmap_test.yaml | 25 ++
charts/snyk-broker/tests/dummy_ca_cert.pem | 21 ++
.../tests/fixtures/cacert_values.yaml | 23 ++
7 files changed, 420 insertions(+), 14 deletions(-)
create mode 100644 charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap
create mode 100644 charts/snyk-broker/tests/broker_deployment_configmap_test.yaml
create mode 100644 charts/snyk-broker/tests/dummy_ca_cert.pem
create mode 100644 charts/snyk-broker/tests/fixtures/cacert_values.yaml

diff --git a/charts/snyk-broker/Chart.yaml b/charts/snyk-broker/Chart.yaml
index b38e928..431dedd 100644
--- a/charts/snyk-broker/Chart.yaml
+++ b/charts/snyk-broker/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 name: snyk-broker
-version: 1.7.2
+version: 1.8.0
 description: A Helm chart for Kubernetes
 type: application
diff --git a/charts/snyk-broker/templates/cacert_configmap.yaml b/charts/snyk-broker/templates/cacert_configmap.yaml
index 08846e5..067a88a 100644
--- a/charts/snyk-broker/templates/cacert_configmap.yaml
+++ b/charts/snyk-broker/templates/cacert_configmap.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.caCert }}
+{{- if and (.Values.caCert) (not .Values.caCertFile) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
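Review bot: When both `caCert` and `caCertFile` are set, the new guard `{{- if and (.Values.caCert) (not .Values.caCertFile) }}` and its mirror `{{- if and (.Values.caCertFile) (not .Values.caCert) }}` in the second hunk are both false, so the chart renders no ConfigMap at all and the install succeeds with no CA material, which is only noticed later when the broker's TLS connection to the internal host fails. A template-time check makes the conflict explicit instead of silent: `{{- if and .Values.caCert .Values.caCertFile }}{{ fail "caCert and caCertFile are mutually exclusive; set only one" }}{{- end }}` at the top of the file. The same observation applies to the second hunk of this file, which is not repeated there.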
@@ -8,4 +8,16 @@ metadata:
 {{- include "snyk-broker.labels" . | nindent 4 }}
 data:
 {{ (.Files.Glob .Values.caCert).AsConfig | nindent 2 }}
+{{- end }}
+
+{{- if and (.Values.caCertFile) (not .Values.caCert) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "snyk-broker.fullname" . }}-cacert-configmap
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "snyk-broker.labels" . | nindent 4 }}
+data:
+ cacert: {{ .Values.caCertFile | nindent 4}}
 {{- end }}
\ No newline at end of file
diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap
new file mode 100644
index 0000000..60e0422
--- /dev/null
+++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap
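Review bot: `cacert: {{ .Values.caCertFile | nindent 4}}` emits the value as a plain multi-line scalar, so when `caCertFile` carries a real PEM (several lines, as a `--set-file` value would) YAML folds the line breaks into spaces and the certificate stored in the ConfigMap is no longer parseable by the broker; the new snapshot only covers the single-line sentinel `testValueSetBySetFile`, so the test does not catch this. Use a literal block scalar so newlines survive: `cacert: |-` on one line followed by `{{ .Values.caCertFile | nindent 4 }}` on the next. Separately, the `cacertfile` case in the new snapshot file shows `volumeMounts: null`, `volumes: null` and no `CA_CERT` env on the Deployment, which suggests the deployment template only wires the ConfigMap for the `caCert` path; as committed, the `caCertFile` path appears to create a ConfigMap the broker never mounts or reads, which is worth confirming against broker_deployment.yaml since this commit does not touch it.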
@@ -0,0 +1,325 @@ +cacert: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: github-com-broker + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: snyk-broker + template: + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: snyk-broker + spec: + containers: + - env: + - name: BROKER_SERVER_URL + value: https://broker.test.snyk.io + - name: BROKER_HEALTHCHECK_PATH + value: /healthcheck + - name: BROKER_SYSTEMCHECK_PATH + value: /systemcheck + - name: BROKER_TOKEN + valueFrom: + secretKeyRef: + key: github-com-broker-token-key + name: github-com-broker-token + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + key: github-com-token-key + name: github-com-token + - name: PORT + value: "8000" + - name: BROKER_CLIENT_URL + value: http://brokerclient + - name: LOG_LEVEL + value: info + - name: LOG_ENABLE_BODY + value: "false" + - name: CA_CERT + value: /home/node/cacert/tests/dummy_ca_cert.pem + - name: ACCEPT_CODE + value: "true" + - name: ACCEPT_IAC + value: tf,yaml,yml,json,tpl + - name: BROKER_DISPATCHER_BASE_URL + value: https://api.test.snyk.io + image: snyk/broker:github-com + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8000 + initialDelaySeconds: 3 + periodSeconds: 10 + timeoutSeconds: 1 + name: github-com-broker + ports: + - containerPort: 8000 + name: http + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8000 + initialDelaySeconds: 3 + periodSeconds: 10 + timeoutSeconds: 1 + resources: + limits: + cpu: 1 + memory: 256Mi + requests: + cpu: 1 + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true 
+ runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - mountPath: /home/node/cacert + name: RELEASE-NAME-snyk-broker-cacert-volume + readOnly: true + securityContext: {} + serviceAccountName: snyk-broker + volumes: + - configMap: + name: RELEASE-NAME-snyk-broker-cacert-configmap + name: RELEASE-NAME-snyk-broker-cacert-volume + 2: | + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: github-com-broker-service + namespace: NAMESPACE + spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: snyk-broker + type: ClusterIP + 3: | + apiVersion: v1 + data: + dummy_ca_cert.pem: |- + -----BEGIN CERTIFICATE----- + MIIDYzCCAksCFAYMPiMLU27bbnNw60gZkdMg4Rr2MA0GCSqGSIb3DQEBCwUAMG4x + CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM + AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu + dG9pbmVAc255ay5pbzAeFw0yMzA4MzEyMTE2NDRaFw0yNDA4MzAyMTE2NDRaMG4x + CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM + AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu + dG9pbmVAc255ay5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPSe + fzWIMgAFuIwP4ScnLoZPb75dKLy8Ao2QtowF6WyntFuNWPJPLbs8sTeRPPbtbDYn + k2rfi15vQWL7HB7uKqTwFdXmf4kZu9SNxH1c7q+KNtYm1hiMBOlhM951N3gcefCE + W8A2rD95ngZlDdnFfBmsWvomg2a8OQjveMA9Nl3aR8qFNsym52yphTAilV+QMmmj + Xc7V/ElQElXN9uoSIbg6eTZ/yNqPDkdEQ+0f033IheHTdjFgnmCY4kFBp/4X6dDj + vUbmfvQ8c3GN11SvyoJgrd0grquiIp3qHRXIfr+U6Z5aAT+G4/paTnuRlMFhpQwV + D0Ur9jto7i/xo0gDArMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAP7c+rHqEbST8 + Vd25DNmhwb4hEGI2K8+YWixauZJOcRwamLrQree7UHn0EeWW+qZa2ec5G2y2fGb9 + HrB6C3LvDb0rmXWXbWTSM3Mj55ITDIYD3xBe2I5+jlykrxlEsC5QwFXMMbDKFwQj + J7V6gFfjJweX8Ko9kUdXdKmx2/napkPEkU8hoAZ4cMaaqfx6d2hvQL+2flQkjH+A + B3AgJ/FdaW0sb5caSstO1BEg3NgpJjO1YKRkxb1hkrjNRSJ2NfTkCwiTp9yIz25u + 
2UANxr7bbnEPd4bkk7OjE6SL+RH3YMCa3sBqtKwY14vs61AoWlS1bE0z8aRRsX49 + owemeenoGQ== + -----END CERTIFICATE----- + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: RELEASE-NAME-snyk-broker-cacert-configmap + namespace: NAMESPACE + 4: | + apiVersion: v1 + data: + github-com-broker-token-key: MTIz + kind: Secret + metadata: + name: github-com-broker-token + type: Opaque + 5: | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: snyk-broker + namespace: NAMESPACE +cacertfile: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: github-com-broker + namespace: NAMESPACE + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: snyk-broker + template: + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: snyk-broker + spec: + containers: + - env: + - name: BROKER_SERVER_URL + value: https://broker.test.snyk.io + - name: BROKER_HEALTHCHECK_PATH + value: /healthcheck + - name: BROKER_SYSTEMCHECK_PATH + value: /systemcheck + - name: BROKER_TOKEN + valueFrom: + secretKeyRef: + key: github-com-broker-token-key + name: github-com-broker-token + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + key: github-com-token-key + name: github-com-token + - name: PORT + value: "8000" + - name: BROKER_CLIENT_URL + value: http://brokerclient + - name: LOG_LEVEL + value: info + - name: LOG_ENABLE_BODY + value: "false" + - name: ACCEPT_CODE + value: "true" + - name: ACCEPT_IAC + value: tf,yaml,yml,json,tpl + 
- name: BROKER_DISPATCHER_BASE_URL + value: https://api.test.snyk.io + image: snyk/broker:github-com + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8000 + initialDelaySeconds: 3 + periodSeconds: 10 + timeoutSeconds: 1 + name: github-com-broker + ports: + - containerPort: 8000 + name: http + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthcheck + port: 8000 + initialDelaySeconds: 3 + periodSeconds: 10 + timeoutSeconds: 1 + resources: + limits: + cpu: 1 + memory: 256Mi + requests: + cpu: 1 + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: null + securityContext: {} + serviceAccountName: snyk-broker + volumes: null + 2: | + apiVersion: v1 + kind: Service + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: github-com-broker-service + namespace: NAMESPACE + spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: snyk-broker + type: ClusterIP + 3: | + apiVersion: v1 + data: + cacert: testValueSetBySetFile + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: RELEASE-NAME-snyk-broker-cacert-configmap + namespace: NAMESPACE + 4: | + apiVersion: v1 + data: + github-com-broker-token-key: MTIz + kind: Secret + metadata: + name: github-com-broker-token + type: Opaque + 5: | + apiVersion: v1 + kind: ServiceAccount + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: snyk-broker + helm.sh/chart: snyk-broker-1.8.0 + name: snyk-broker + namespace: 
NAMESPACE diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap index 7be6a9c..44ea619 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_test.yaml.snap @@ -7,7 +7,7 @@ HA mode on: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker namespace: NAMESPACE spec: @@ -105,7 +105,7 @@ HA mode on: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker-service namespace: NAMESPACE spec: @@ -132,7 +132,7 @@ HA mode on: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: snyk-broker namespace: NAMESPACE HA mode on with 4 replicas: @@ -144,7 +144,7 @@ HA mode on with 4 replicas: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker namespace: NAMESPACE spec: @@ -242,7 +242,7 @@ HA mode on with 4 replicas: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker-service namespace: NAMESPACE spec: 
@@ -269,7 +269,7 @@ HA mode on with 4 replicas: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: snyk-broker namespace: NAMESPACE default values: @@ -281,7 +281,7 @@ default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker namespace: NAMESPACE spec: @@ -377,7 +377,7 @@ default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker-service namespace: NAMESPACE spec: @@ -404,7 +404,7 @@ default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: snyk-broker namespace: NAMESPACE preflight checks off: @@ -416,7 +416,7 @@ preflight checks off: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker namespace: NAMESPACE spec: @@ -514,7 +514,7 @@ preflight checks off: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: github-com-broker-service namespace: NAMESPACE spec: @@ -541,6 +541,6 @@ preflight checks off: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-1.7.2 + helm.sh/chart: snyk-broker-1.8.0 name: snyk-broker namespace: NAMESPACE 
diff --git a/charts/snyk-broker/tests/broker_deployment_configmap_test.yaml b/charts/snyk-broker/tests/broker_deployment_configmap_test.yaml
new file mode 100644
index 0000000..110dcc8
--- /dev/null
+++ b/charts/snyk-broker/tests/broker_deployment_configmap_test.yaml
@@ -0,0 +1,25 @@
+suite: test broker deployment
+templates:
+ - broker_deployment.yaml
+ - broker_service.yaml
+ - secrets.yaml
+ - serviceaccount.yaml
+ - cacert_configmap.yaml
+
+tests:
+ - it: cacert
+ values:
+ - ./fixtures/default_values.yaml
+ set:
+ caCert: tests/dummy_ca_cert.pem
+ asserts:
+ - matchSnapshot: {}
+ - it: cacertfile
+ values:
+ - ./fixtures/default_values.yaml
+ set:
+ caCertFile: testValueSetBySetFile
+ asserts:
+ - matchSnapshot: {}
+
+
diff --git a/charts/snyk-broker/tests/dummy_ca_cert.pem b/charts/snyk-broker/tests/dummy_ca_cert.pem
new file mode 100644
index 0000000..a9058eb
--- /dev/null
+++ b/charts/snyk-broker/tests/dummy_ca_cert.pem
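Review bot: The `cacertfile` case sets `caCertFile: testValueSetBySetFile`, a single-line sentinel, so the snapshot never pushes a multi-line PEM through the template's `nindent 4` and cannot detect line-break folding in the rendered ConfigMap data; giving `caCertFile` a `|` block value with the same dummy certificate the `cacert` case uses would exercise the realistic shape. Both cases rely solely on `matchSnapshot: {}`, which freezes whatever rendered rather than stating a contract; an `equal` assertion on `data.cacert` scoped with `template: cacert_configmap.yaml` would pin the intended output explicitly. The `suite:` name `test broker deployment` also appears copied from the existing deployment suite; `test broker cacert configmap` would keep test output distinguishable.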
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAksCFAYMPiMLU27bbnNw60gZkdMg4Rr2MA0GCSqGSIb3DQEBCwUAMG4x +CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM +AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu +dG9pbmVAc255ay5pbzAeFw0yMzA4MzEyMTE2NDRaFw0yNDA4MzAyMTE2NDRaMG4x +CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM +AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu +dG9pbmVAc255ay5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPSe +fzWIMgAFuIwP4ScnLoZPb75dKLy8Ao2QtowF6WyntFuNWPJPLbs8sTeRPPbtbDYn +k2rfi15vQWL7HB7uKqTwFdXmf4kZu9SNxH1c7q+KNtYm1hiMBOlhM951N3gcefCE +W8A2rD95ngZlDdnFfBmsWvomg2a8OQjveMA9Nl3aR8qFNsym52yphTAilV+QMmmj +Xc7V/ElQElXN9uoSIbg6eTZ/yNqPDkdEQ+0f033IheHTdjFgnmCY4kFBp/4X6dDj +vUbmfvQ8c3GN11SvyoJgrd0grquiIp3qHRXIfr+U6Z5aAT+G4/paTnuRlMFhpQwV +D0Ur9jto7i/xo0gDArMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAP7c+rHqEbST8 +Vd25DNmhwb4hEGI2K8+YWixauZJOcRwamLrQree7UHn0EeWW+qZa2ec5G2y2fGb9 +HrB6C3LvDb0rmXWXbWTSM3Mj55ITDIYD3xBe2I5+jlykrxlEsC5QwFXMMbDKFwQj +J7V6gFfjJweX8Ko9kUdXdKmx2/napkPEkU8hoAZ4cMaaqfx6d2hvQL+2flQkjH+A +B3AgJ/FdaW0sb5caSstO1BEg3NgpJjO1YKRkxb1hkrjNRSJ2NfTkCwiTp9yIz25u +2UANxr7bbnEPd4bkk7OjE6SL+RH3YMCa3sBqtKwY14vs61AoWlS1bE0z8aRRsX49 +owemeenoGQ== +-----END CERTIFICATE----- diff --git a/charts/snyk-broker/tests/fixtures/cacert_values.yaml b/charts/snyk-broker/tests/fixtures/cacert_values.yaml new file mode 100644 index 0000000..2b7ec52 --- /dev/null +++ b/charts/snyk-broker/tests/fixtures/cacert_values.yaml 
@@ -0,0 +1,23 @@
+# Default values for snyk-broker.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+##### Snyk Specific Values #####
+
+# Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative
+brokerToken: "123"
+
+# brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup.
+# Ex: http://kubernetes-ingress.domain.com:8000/broker
+brokerClientUrl: "http://brokerclient"
+
+# Do not touch unless directed by a Snyk Representative
+brokerServerUrl: "https://broker.test.snyk.io"
+
+preflightChecks:
+ enabled: true
+
+highAvailabilityMode:
+ enabled: false
+brokerDispatcherUrl: "https://api.test.snyk.io"
+
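Review bot: `fixtures/cacert_values.yaml` is added here but nothing in this commit references it; the new test suite loads `./fixtures/default_values.yaml` in both cases, so this fixture is dead weight unless a follow-up uses it. Despite its name it carries no `caCert` or `caCertFile` key, and the header comment `# Default values for snyk-broker.` reads as copied from the main values file. If the fixture is kept, either point the `cacertfile` test at it and put the `caCertFile` value here, or replace the header with a comment stating what distinguishes it from default_values.yaml.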