diff --git a/deployments/kubernetes/chart/forecastle/.gitignore b/deployments/kubernetes/chart/forecastle/.gitignore new file mode 100644 index 00000000..a9b8a3f7 --- /dev/null +++ b/deployments/kubernetes/chart/forecastle/.gitignore @@ -0,0 +1,3 @@ +# helm unittest +__snapshot__ +**/.debug diff --git a/deployments/kubernetes/chart/forecastle/Chart.yaml b/deployments/kubernetes/chart/forecastle/Chart.yaml index f22c0e19..6a0d3d05 100644 --- a/deployments/kubernetes/chart/forecastle/Chart.yaml +++ b/deployments/kubernetes/chart/forecastle/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: forecastle description: forecastle chart that runs on kubernetes icon: https://github.com/stakater/Forecastle/raw/master/assets/web/forecastle-round-100px.png -version: 1.4.0 +version: 1.5.0 appVersion: "v2.0.0" keywords: - forecastle diff --git a/deployments/kubernetes/chart/forecastle/templates/deployment.yaml b/deployments/kubernetes/chart/forecastle/templates/deployment.yaml index e01511c4..7ba89533 100644 --- a/deployments/kubernetes/chart/forecastle/templates/deployment.yaml +++ b/deployments/kubernetes/chart/forecastle/templates/deployment.yaml 
@@ -31,17 +31,16 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} containers: - - {{- $containerSecurityContext := mustMergeOverwrite ((.Values.forecastle.container).securityContext | default dict) ((.Values.forecastle.deployment).securityContext | default dict) }} - {{- if $containerSecurityContext }} - securityContext: {{- toYaml $containerSecurityContext | nindent 12 }} + - name: {{ template "forecastle.name" . }} + image: "{{ .Values.forecastle.image.name }}:{{ .Values.forecastle.image.tag }}" + {{- with .Values.forecastle.deployment.securityContext }} + securityContext: {{- toYaml . | nindent 10 }} {{- end }} env: - name: KUBERNETES_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - image: "{{ .Values.forecastle.image.name }}:{{ .Values.forecastle.image.tag }}" - name: {{ template "forecastle.name" . }} {{- if .Values.forecastle.deployment.resources }} resources: {{ toYaml .Values.forecastle.deployment.resources | indent 10 }} @@ -51,7 +50,7 @@ spec: mountPath: /etc/forecastle {{- if .Values.forecastle.openshiftOauthProxy.enabled }} - name: oauth-proxy - image: "{{ default "stakater/oauth-proxy:v0.0.2" .Values.forecastle.openshiftOauthProxy.image }}" + image: {{ .Values.forecastle.openshiftOauthProxy.image | quote }} imagePullPolicy: IfNotPresent ports: - containerPort: 8443 diff --git a/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml b/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml index c15d0ae9..d6161508 100644 --- a/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml +++ b/deployments/kubernetes/chart/forecastle/tests/deployment_test.yaml 
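Review bot: The rewritten `securityContext` block on the forecastle container reads only `.Values.forecastle.deployment.securityContext`, so a release that still sets the older `forecastle.container.securityContext` key loses its container hardening on upgrade with no error or warning. The removed code merged both keys, so a values file carrying `allowPrivilegeEscalation: false` under the old key now renders a container with no `securityContext` at all. I would fail the render rather than drop the setting silently, for example `{{- if (.Values.forecastle.container).securityContext }}{{ fail "forecastle.container.securityContext was removed; use forecastle.deployment.securityContext" }}{{- end }}` ahead of `containers:`, and keep a test for that case. The container definition continues outside the hunk.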
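Review bot: With the `default` removed from the oauth-proxy `image:` line, an empty or null `forecastle.openshiftOauthProxy.image` now renders an empty image value, and the mistake only surfaces when the API server rejects the pod. Failing at template time gives a clearer message: `image: {{ required "forecastle.openshiftOauthProxy.image must be set when openshiftOauthProxy.enabled is true" .Values.forecastle.openshiftOauthProxy.image | quote }}`. The sidecar definition continues outside the hunk.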
@@ -5,33 +5,22 @@ templates: - configmap.yaml # dependency tests: - - it: includes container security context + - it: includes pod security context when specified template: deployment.yaml set: - forecastle.deployment.securityContext: { allowPrivilegeEscalation: false } + forecastle.deployment.podSecurityContext: + runAsNonRoot: true asserts: - equal: - path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation - value: false - - - it: includes container security context (deprecated) entries - template: deployment.yaml - set: - forecastle.container.securityContext: { allowPrivilegeEscalation: false } - asserts: - - equal: - path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation - value: false + path: spec.template.spec.securityContext.runAsNonRoot + value: true - - it: merges container security context fields + - it: includes forecastle container security context when specified template: deployment.yaml set: - forecastle.container.securityContext: { allowPrivilegeEscalation: true } - forecastle.deployment.securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false } + forecastle.deployment.securityContext: + allowPrivilegeEscalation: false asserts: - equal: path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation value: false - - equal: - path: spec.template.spec.containers[0].securityContext.runAsNonRoot - value: true diff --git a/deployments/kubernetes/chart/forecastle/tests/ingress_test.yaml b/deployments/kubernetes/chart/forecastle/tests/ingress_test.yaml new file mode 100644 index 00000000..e3f8d1b9 --- /dev/null +++ b/deployments/kubernetes/chart/forecastle/tests/ingress_test.yaml 
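Review bot: This suite does not cover the other template change in the same commit, the oauth-proxy `image:` line that now takes its default from values.yaml instead of the template. With the deprecated-key cases deleted, nothing pins what happens to `forecastle.container.securityContext` either. I would add a case that enables the sidecar and asserts the rendered image, as sketched below. The container index assumes the sidecar is the second container when only `openshiftOauthProxy` is enabled, and the sidecar may need further values to render, so confirm against the full template.

```yaml
  - it: renders the oauth-proxy image from values
    template: deployment.yaml
    set:
      forecastle.openshiftOauthProxy.enabled: true
    asserts:
      - equal:
          path: spec.template.spec.containers[1].image
          value: stakater/oauth-proxy:v0.0.2
```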
@@ -0,0 +1,24 @@ +suite: Deployment + +templates: + - ingress.yaml + +tests: + - it: should render nothing if not enabled + asserts: + - containsDocument: + kind: Ingress + apiVersion: networking.k8s.io/v1 + not: true + - hasDocuments: + count: 0 + + - it: should set tls if given + set: + forecastle.ingress.enabled: true + forecastle.ingress.tls: + - secretName: my-tls-secret + asserts: + - equal: + path: spec.tls[0].secretName + value: my-tls-secret diff --git a/deployments/kubernetes/chart/forecastle/tests/nameOverride_test.yaml b/deployments/kubernetes/chart/forecastle/tests/nameOverride_test.yaml new file mode 100644 index 00000000..3adeaf08 --- /dev/null +++ b/deployments/kubernetes/chart/forecastle/tests/nameOverride_test.yaml @@ -0,0 +1,27 @@ +suite: Override Resource Names + +templates: + - "templates/*.yaml" + +tests: + - it: should generate resource names based on Helm chart name by default + documentSelector: + path: metadata.name + matchMany: true + skipEmptyTemplates: true + asserts: + - matchRegex: + path: metadata.name + pattern: ^forecastle + + - it: should generate resource names based on nameOverride value when specified + set: + nameOverride: custom-forecastle + documentSelector: + path: metadata.name + matchMany: true + skipEmptyTemplates: true + asserts: + - matchRegex: + path: metadata.name + pattern: ^custom-forecastle diff --git a/deployments/kubernetes/chart/forecastle/tests/namespace_test.yaml b/deployments/kubernetes/chart/forecastle/tests/namespace_test.yaml new file mode 100644 index 00000000..7df6e017 --- /dev/null +++ b/deployments/kubernetes/chart/forecastle/tests/namespace_test.yaml 
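Review bot: `suite: Deployment` at the top of the new ingress_test.yaml looks copied from another suite; the file loads only `ingress.yaml`, so failures will be reported under a misleading name. Change it to `suite: Ingress`. The TLS case also checks only `spec.tls[0].secretName`; adding a `hosts` entry to the `set` block and asserting `spec.tls[0].hosts[0]` would cover the rest of the rendered entry.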
@@ -0,0 +1,30 @@ +suite: Override Namespace + +templates: + - "templates/*.yaml" + +release: + namespace: my-namespace + +tests: + - it: should use Helm release namespace by default + documentSelector: + path: metadata.namespace + matchMany: true + skipEmptyTemplates: true + asserts: + - equal: + path: metadata.namespace + value: my-namespace + + - it: should use namespace value when specified + set: + namespace: custom-namespace + documentSelector: + path: metadata.namespace + matchMany: true + skipEmptyTemplates: true + asserts: + - equal: + path: metadata.namespace + value: custom-namespace diff --git a/deployments/kubernetes/chart/forecastle/values.yaml b/deployments/kubernetes/chart/forecastle/values.yaml index 568e3741..b8c1b7dd 100644 --- a/deployments/kubernetes/chart/forecastle/values.yaml +++ b/deployments/kubernetes/chart/forecastle/values.yaml @@ -1,9 +1,11 @@ +nameOverride: +namespace: + forecastle: labels: group: com.stakater.platform provider: stakater - version: 1.3.0 - namespace: default + version: 1.5.0 image: name: stakater/forecastle tag: v2.0.0 @@ -13,15 +15,17 @@ forecastle: annotations: {} affinity: {} nodeSelector: {} - podSecurityContext: - {} + # Pod security context + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # runAsNonRoot: true # runAsUser: 10001 # fsGroup: 10001 # seccompProfile: # type: RuntimeDefault - securityContext: - {} + # Container security context + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} # runAsNonRoot: true # runAsUser: 10002 # runAsGroup: 10002 
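Review bot: Both cases in namespace_test.yaml select documents with `documentSelector` on `path: metadata.namespace` and then assert on that same path, so, if the selector keeps only documents that have the path (which is how it reads), a namespaced resource whose template omits `metadata.namespace` is filtered out instead of reported. That leaves the failure these tests exist for, a resource landing outside the intended namespace, undetected. For each namespaced template I would add a case with `template:` set and an `exists` assertion on `path: metadata.namespace`, so a missing field fails the suite.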
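Review bot: The `version: 1.5.0` label under `forecastle.labels` is a hand-maintained copy of the chart version, and the removed line shows it had already drifted (`1.3.0` while Chart.yaml was at `1.4.0`). If the templates emit this label, deriving it from `.Chart.Version` there would stop it going stale. Separately, the new top-level `nameOverride:` and `namespace:` are bare keys that parse as null; `nameOverride: ""` and `namespace: ""` state the intent explicitly.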
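Review bot: `podSecurityContext` and `securityContext` still default to `{}` here, so an install with default values skips the container-level block in deployment.yaml (the `with` renders nothing for an empty map) and the hardened settings exist only as comments. If the image allows it, which is not visible from this diff, consider shipping the UID-independent settings as real defaults, for example `seccompProfile` with `type: RuntimeDefault` at pod level, and leave the fixed `runAsUser`/`fsGroup` values commented for platforms that assign UIDs themselves. At minimum the new comment could say so directly: `# Empty by default: no security context is applied unless set`. The commented example continues outside the hunk.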
@@ -35,18 +39,18 @@ forecastle: # type: RuntimeDefault tolerations: {} resources: {} - # requests: - # cpu: 100m - # memory: 32Mi - # limits: - # cpu: 200m - # memory: 64Mi + # requests: + # cpu: 100m + # memory: 32Mi + # limits: + # cpu: 200m + # memory: 64Mi + imagePullSecrets: [] pod: annotations: {} - podDisruptionBudget: - {} - #minAvailable: 90% - #maxUnavailable: 10% + podDisruptionBudget: {} + # minAvailable: 90% + # maxUnavailable: 10% networkPolicy: enabled: false ingress: @@ -86,19 +90,17 @@ forecastle: # Auto-detected from X-Forwarded-Prefix header if not set. # Leave empty for root path hosting. basePath: - proxy: - enabled: false openshiftOauthProxy: enabled: false + image: stakater/oauth-proxy:v0.0.2 serviceAccountAnnotations: {} resources: {} - # requests: - # cpu: 100m - # memory: 32Mi - # limits: - # cpu: 200m - # memory: 64Mi - # image: stakater/oauth-proxy:v0.0.2 + # requests: + # cpu: 100m + # memory: 32Mi + # limits: + # cpu: 200m + # memory: 64Mi securityContext: {} oidcProxy: enabled: false @@ -129,10 +131,10 @@ forecastle: paths: - path: / pathType: Prefix - #tls: - #- hosts: - # - forecastle.example.com - # secretName: ~ + tls: [] + # - hosts: + # - forecastle.example.com + # secretName: ~ route: enabled: false
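Review bot: The new default `image: stakater/oauth-proxy:v0.0.2` under `openshiftOauthProxy` pins the authentication sidecar by tag only, and deployment.yaml pairs it with `imagePullPolicy: IfNotPresent`, so what runs depends on whatever each node has cached for that tag. Now that the value is user-facing, document the digest form next to it, for example `# image: stakater/oauth-proxy:v0.0.2@sha256:<digest>`, so operators can pin the exact content. The same hunk removes the `proxy.enabled` key without a deprecation note; a changelog line would help anyone whose values files still set it.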