From 07c8944b6331de78175c01c663942831c7b74d77 Mon Sep 17 00:00:00 2001 From: vardhaman Date: Tue, 28 Mar 2023 18:32:05 +0530 Subject: [PATCH] add checkers and helper functions --- .../rancher-gatekeeper/rancher-gatekeeper.go | 4981 +++++++++++++++-- ...per-test.go => rancher-gatekeeper_test.go} | 2 +- tests/rancher-gatekeeper/testdata.go | 118 +- 3 files changed, 4689 insertions(+), 412 deletions(-) rename tests/rancher-gatekeeper/{rancher-gatekeeper-test.go => rancher-gatekeeper_test.go} (86%) diff --git a/tests/rancher-gatekeeper/rancher-gatekeeper.go b/tests/rancher-gatekeeper/rancher-gatekeeper.go index a523985d036..a8ad785d49b 100644 --- a/tests/rancher-gatekeeper/rancher-gatekeeper.go +++ b/tests/rancher-gatekeeper/rancher-gatekeeper.go @@ -1,10 +1,23 @@ package rancher_gatekeeper import ( - "github.com/aiyengar2/hull/pkg/chart" + "fmt" + "reflect" + + "github.com/rancher/charts/tests/common" "github.com/rancher/hull/pkg/chart" + "github.com/rancher/hull/pkg/checker" "github.com/rancher/hull/pkg/test" "github.com/rancher/hull/pkg/utils" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + batchv1 "k8s.io/api/batch/v1" + corev1 "k8s.io/api/core/v1" + policyv1 "k8s.io/api/policy/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/kubernetes/pkg/apis/admissionregistration" + networkingv1 "k8s.io/kubernetes/pkg/apis/networking" + rbacv1 "k8s.io/kubernetes/pkg/apis/rbac" ) var ChartPath = utils.MustGetLatestChartVersionPathFromIndex("../index.yaml", "rancher-gatekeeper", true) @@ -27,16 +40,32 @@ var suite = test.Suite{ Name: "Set .Values.replicas", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "replicas", "2", + Set( + "replicas", 3, ), }, { Name: "Set .Values.auditInterval", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "auditInterval", "40", + Set( + "auditInterval", 150, + ), + }, + { + Name: "Set .Values.metricsBackends", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set( + "metricsBackends", testMetricsBackend, + ), + }, + { + Name: "Set .Values.constraintViolationsLimit", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set( + "constraintViolationsLimit", 30, ), }, { @@ -46,13 +75,12 @@ var suite = test.Suite{ SetValue( "auditMatchKindOnly", "false", ), - }, - { - Name: "Set .Values.constraintViolationsLimit to 20", + }, { + Name: "Set .Values.auditMatchKindOnly to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "constraintViolationsLimit", "20", + "auditMatchKindOnly", "true", ), }, { @@ -64,696 +92,740 @@ var suite = test.Suite{ ), }, { - Name: "Set .Values.disableMutation to false", + Name: "Set .Values.auditFromCache to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "disableMutation", "false", + "auditFromCache", "true", ), }, { - Name: "Set .Values.disableValidatingWebhook to false", + Name: "Set .Values.disableMutation to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "disableValidatingWebhook", "false", + "disableMutation", "false", ), }, { - Name: "Set .Values.validatingWebhookTimeoutSeconds to 3", + Name: "Set .Values.disableMutation to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "validatingWebhookTimeoutSeconds", "3", + "disableMutation", "true", ), }, { - Name: "Set .Values.validatingWebhookFailurePolicy to Ignore", + Name: "Set .Values.enableExternalData to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "validatingWebhookFailurePolicy", "Ignore", + "enableExternalData", "false", ), }, { - Name: "Set .Values.validatingWebhookCheckIgnoreFailurePolicy to Fail", + Name: "Set .Values.enableExternalData to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "validatingWebhookCheckIgnoreFailurePolicy", "Fail", + "enableExternalData", "true", ), }, { - Name: "Set .Values.mutatingWebhookFailurePolicy to Fail", + Name: "Set .Values.disableValidatingWebhook to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "mutatingWebhookFailurePolicy", "Fail", + "disableValidatingWebhook", "false", ), }, { - Name: "Set .Values.mutatingWebhookReinvocationPolicy to IfNeeded", + Name: "Set .Values.disableValidatingWebhook to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "mutatingWebhookReinvocationPolicy", "IfNeeded", + "disableValidatingWebhook", "true", ), }, { - Name: "Set .Values.mutatingWebhookTimeoutSeconds to 2", + Name: "Set .Values.validatingWebhookTimeoutSeconds to 4", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "mutatingWebhookReinvocationPolicy", "2", + Set( + "validatingWebhookTimeoutSeconds", 4, ), }, { - Name: "Set .Values.auditChunkSize to 600", + Name: "Set .Values.validatingWebhookFailurePolicy to Ignore", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "auditChunkSize", "600", + "validatingWebhookFailurePolicy", "Ignore", ), }, { - Name: "Set .Values.logLevel to Debug", + Name: "Set .Values.validatingWebhookFailurePolicy to Fail", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "logLevel", "DEBUG", + "validatingWebhookFailurePolicy", "Fail", ), }, - - // For .Values.postUpgrade { - Name: "Set Values for postUpgrade.labelNamespace.enabled", + Name: "Set .Values.validatingWebhookObjectSelector", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postUpgrade.labelNamespace.enabled", "true", + Set( + "validatingWebhookObjectSelector", testValidatingWebhookObjectSelector, ), }, { - Name: "Set Values for postUpgrade.labelNamespace.enabled to false", + Name: "Set .Values.validatingWebhookAnnotations", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postUpgrade.labelNamespace.enabled", "false", + Set( + "validatingWebhookAnnotations", testWebhookAnnotations, ), }, { - Name: "Set .postUpgrade.labelNamespace.image.repository and .postUpgrade.labelNamespace.image.tag", + Name: "Set .Values.validatingWebhookCheckIgnoreFailurePolicy to Fail", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.labelNamespace.image.repository", "test-kubectl-repo", - ). - SetValue( - "postUpgrade.labelNamespace.image.tag", "v1.20.11", + "validatingWebhookCheckIgnoreFailurePolicy", "Fail", ), }, { - Name: "Set postUpgrade.labelNamespace.image.pullPolicy to IfNotPresent", + Name: "Set .Values.validatingWebhookCheckIgnoreFailurePolicy to Ignore", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.labelNamespace.image.pullPolicy", "IfNotPresent", + "validatingWebhookCheckIgnoreFailurePolicy", "Ignore", ), }, { - Name: "Set postUpgrade.labelNamespace.image.pullPolicy to Always", + Name: "Set .Values.enableDeleteOperations to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.labelNamespace.image.pullPolicy", "Always", + "enableDeleteOperations", "false", ), }, { - Name: "Set postUpgrade.labelNamespace.image.pullPolicy to Never", + Name: "Set .Values.enableDeleteOperations to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.labelNamespace.image.pullPolicy", "Never", + "enableDeleteOperations", "true", ), }, { - Name: "Set postUpgrade.labelNamespace.image.pullSecrets", + Name: "Set .Values.mutatingWebhookFailurePolicy to Fail", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.labelNamespace.image.pullSecrets", "testPullSecrets", + "mutatingWebhookFailurePolicy", "Fail", ), }, { - Name: "Set postUpgrade.labelNamespace.extraNamespaces", + Name: "Set .Values.mutatingWebhookFailurePolicy to Ignore", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.labelNamespace.extraNamespaces", "testExtraNamespace", + "mutatingWebhookFailurePolicy", "Ignore", ), }, { - Name: "Set postUpgrade.labelNamespace.podSecurity", + Name: "Set .Values.mutatingWebhookReinvocationPolicy to IfNeeded", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - Set( - "postUpgrade.labelNamespace.podSecurity", testPodSecurityLabels, + SetValue( + "mutatingWebhookReinvocationPolicy", "IfNeeded", ), }, { - Name: "Set postUpgrade.tolerations", + Name: "Set .Values.mutatingWebhookReinvocationPolicy to Never", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - Set( - "postUpgrade.tolerations", testTolerations, + SetValue( + "mutatingWebhookReinvocationPolicy", "Never", ), }, { - Name: "Set postUpgrade.nodeSelector", + Name: "Set .Values.mutatingWebhookAnnotations", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postUpgrade.nodeSelector", testNodeSelector, + "mutatingWebhookAnnotations", testWebhookAnnotations, ), }, { - Name: "Set postUpgrade.affinity", + Name: "Set .Values.mutatingWebhookTimeoutSeconds to 2", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postUpgrade.affinity", testAffinity, + "mutatingWebhookTimeoutSeconds", 2, ), }, { - Name: "Set postUpgrade.resources", + Name: "Set .Values.enableGeneratorResourceExpansion to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - Set( - "postUpgrade.affinity", testResources, + SetValue( + "enableGeneratorResourceExpansion", "false", ), }, { - Name: "Set postUpgrade.securityContext.allowPrivilegeEscalation to True", + Name: "Set .Values.enableGeneratorResourceExpansion to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.allowPrivilegeEscalation", "true", + "enableGeneratorResourceExpansion", "true", ), }, { - Name: "Set postUpgrade.securityContext.allowPrivilegeEscalation to False", + Name: "Set .Values.enableTLSHealthcheck to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.allowPrivilegeEscalation", "false", + "enableTLSHealthcheck", "false", ), }, { - Name: "Set postUpgrade.securityContext.capabilities.drop", + Name: "Set .Values.enableTLSHealthcheck to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.capabilities.drop", "NET_ADMIN", + "enableTLSHealthcheck", "true", ), }, { - Name: "Set postUpgrade.securityContext.readOnlyRootFilesystem to False", + Name: "Set .Values.maxServingThreads to 1", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postUpgrade.securityContext.readOnlyRootFilesystem", "false", + Set( + "maxServingThreads", 1, ), }, { - Name: "Set postUpgrade.securityContext.readOnlyRootFilesystem to true", + Name: "Set .Values.auditChunkSize to 600", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postUpgrade.securityContext.readOnlyRootFilesystem", "true", + Set( + "auditChunkSize", 600, ), }, { - Name: "Set postUpgrade.securityContext.runAsGroup", + Name: "Set .Values.logLevel to Debug", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.runAsGroup", "3000", + "logLevel", "DEBUG", ), }, { - Name: "Set postUpgrade.securityContext.runAsNonRoot to False", + Name: "Set .Values.logLevel to INFO", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.runAsNonRoot", "false", + "logLevel", "INFO", ), }, { - Name: "Set postUpgrade.securityContext.runAsNonRoot to True", + Name: "Set .Values.logLevel to WARNING", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.runAsNonRoot", "true", + "logLevel", "WARNING", ), }, { - Name: "Set postUpgrade.securityContext.runAsUser", + Name: "Set .Values.logLevel to ERROR", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postUpgrade.securityContext.runAsUser", "2000", + "logLevel", "ERROR", ), }, - - // For .Values.postInstall { - Name: "Set Values for postInstall.labelNamespace.enabled", + Name: "Set .Values.logDenies to false", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.enabled", "true", + "logDenies", "false", ), }, { - Name: "Set Values for postInstall.labelNamespace.enabled to false", + Name: "Set .Values.logDenies to true", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.enabled", "false", + "logDenies", "true", ), }, { - Name: "Set postInstall.labelNamespace.extraRules", + Name: "Set .Values.logMutations to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue("postInstall.labelNamespace.extraRules", "testExtraRules"), + SetValue( + "logMutations", "false", + ), }, { - Name: "Set .postInstall.labelNamespace.image.repository and .postInstall.labelNamespace.image.tag", + Name: "Set .Values.logMutations to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.image.repository", "test-gatekeeper-crd-repo", - ). - SetValue( - "postInstall.labelNamespace.image.tag", "v3.10.0", + "logMutations", "true", ), }, { - Name: "Set postInstall.labelNamespace.image.pullPolicy to IfNotPresent", + Name: "Set .Values.emitAdmissionEvents to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.image.pullPolicy", "IfNotPresent", + "emitAdmissionEvents", "false", ), }, { - Name: "Set postInstall.labelNamespace.image.pullPolicy to Always", + Name: "Set .Values.emitAdmissionEvents to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.image.pullPolicy", "Always", + "emitAdmissionEvents", "true", ), }, { - Name: "Set postInstall.labelNamespace.image.pullPolicy to Never", + Name: "Set .Values.emitAuditEvents to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.image.pullPolicy", "Never", + "emitAuditEvents", "false", ), }, { - Name: "Set postInstall.labelNamespace.image.pullSecrets", + Name: "Set .Values.emitAuditEvents to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.labelNamespace.image.pullSecrets", "testPullSecrets", + "emitAuditEvents", "true", ), }, { - Name: "Set postInstall.labelNamespace.extraNamespaces", + Name: "Set .Values.admissionEventsInvolvedNamespace to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.labelNamespace.extraNamespaces", "testExtraNamespace", + Set( + "admissionEventsInvolvedNamespace", false, ), }, { - Name: "Set postInstall.labelNamespace.podSecurity", + Name: "Set .Values.admissionEventsInvolvedNamespace to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postInstall.labelNamespace.podSecurity", testPodSecurityLabels, + "admissionEventsInvolvedNamespace", true, ), }, - // For .Values.postInstall.probeWebhook + // // For .Values.postUpgrade { - Name: "Set Values for postInstall.probeWebhook.enabled", + Name: "Set Values for postUpgrade.labelNamespace.enabled", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.enabled", "true", + "postUpgrade.labelNamespace.enabled", "true", ), }, { - Name: "Set Values for postInstall.probeWebhook.enabled to false", + Name: "Set Values for postUpgrade.labelNamespace.enabled to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.enabled", "false", + "postUpgrade.labelNamespace.enabled", "false", ), }, { - Name: "Set .postInstall.probeWebhook.image.repository and .postInstall.probeWebhook.image.tag", + Name: "Set .postUpgrade.labelNamespace.image.repository and .postUpgrade.labelNamespace.image.tag", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.image.repository", "test-curlimages-repo", + "postUpgrade.labelNamespace.image.repository", "test-kubectl-repo", ). SetValue( - "postInstall.probeWebhook.image.tag", "v7.83.1", + "postUpgrade.labelNamespace.image.tag", "v1.20.11", ), }, { - Name: "Set postInstall.probeWebhook.image.pullPolicy to IfNotPresent", + Name: "Set postUpgrade.labelNamespace.image.pullPolicy to IfNotPresent", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.image.pullPolicy", "IfNotPresent", + "postUpgrade.labelNamespace.image.pullPolicy", "IfNotPresent", ), }, { - Name: "Set postInstall.probeWebhook.image.pullPolicy to Always", + Name: "Set postUpgrade.labelNamespace.image.pullPolicy to Always", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.image.pullPolicy", "Always", + "postUpgrade.labelNamespace.image.pullPolicy", "Always", ), }, { - Name: "Set postInstall.probeWebhook.image.pullPolicy to Never", + Name: "Set postUpgrade.labelNamespace.image.pullPolicy to Never", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.image.pullPolicy", "Never", + "postUpgrade.labelNamespace.image.pullPolicy", "Never", ), }, + // { + // Name: "Set postUpgrade.labelNamespace.image.pullSecrets with labelNamespace set to true", + + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // Set( + // "postUpgrade.labelNamespace.image.pullSecrets", testPullSecrets, + // ). + // Set( + // "postUpgrade.labelNamespace.enabled", true, + // ), + // }, + // { + // Name: "Set postUpgrade.labelNamespace.image.pullSecrets with labelNamespace set to false", + + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // Set( + // "postUpgrade.labelNamespace.image.pullSecrets", testPullSecrets, + // ). + // Set( + // "postUpgrade.labelNamespace.enabled", false, + // ), + // }, { - Name: "Set postInstall.probeWebhook.image.pullSecrets", + Name: "Set postUpgrade.labelNamespace.image.pullSecrets", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.image.pullSecrets", "testPullSecrets", - ), - }, - { - Name: "Set Values for postInstall.probeWebhook.waitTimeout", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.waitTimeout", "50", - ), - }, - { - Name: "Set Values for postInstall.probeWebhook.httpTimeout", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.httpTimeout", "1", - ), - }, - { - Name: "Set Values for postInstall.probeWebhook.insecureHTTPS", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.insecureHTTPS", "true", + Set( + "postUpgrade.labelNamespace.image.pullSecrets", testPullSecrets, ), }, { - Name: "Set Values for postInstall.probeWebhook.insecureHTTPS to false", + Name: "Set postUpgrade.labelNamespace.extraNamespaces", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.insecureHTTPS", "false", + Set( + "postUpgrade.labelNamespace.extraNamespaces", testExtraNamespaces, + ). + Set( + "postUpgrade.labelNamespace.enabled", true, ), }, { - Name: "Set postInstall.probeWebhook.tolerations", + Name: "Set postUpgrade.labelNamespace.podSecurity", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postInstall.probeWebhook.tolerations", testTolerations, + "postUpgrade.labelNamespace.podSecurity", testPodSecurityLabels, ), }, { - Name: "Set postInstall.probeWebhook.nodeSelector", + Name: "Set postUpgrade.affinity", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postInstall.probeWebhook.nodeSelector", testNodeSelector, + "postUpgrade.affinity", testAffinity, ), }, { - Name: "Set postInstall.probeWebhook.affinity", + Name: "Set postUpgrade.resources", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postInstall.probeWebhook.affinity", testAffinity, + "postUpgrade.resources", testResources, ), }, { - Name: "Set postInstall.probeWebhook.securityContext.allowPrivilegeEscalation to True", + Name: "Set postUpgrade.securityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.securityContext.allowPrivilegeEscalation", "true", + Set( + "postUpgrade.securityContext", testSecurityContext, ), }, - { - Name: "Set postInstall.probeWebhook.securityContext.allowPrivilegeEscalation to False", + // For .Values.postInstall + { + Name: "Set Values for postInstall.labelNamespace.enabled", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.securityContext.allowPrivilegeEscalation", "false", + "postInstall.labelNamespace.enabled", "true", ), }, { - Name: "Set postInstall.probeWebhook.securityContext.capabilities.drop", - + Name: "Set Values for postInstall.labelNamespace.enabled to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.securityContext.capabilities.drop", "NET_ADMIN", + "postInstall.labelNamespace.enabled", "false", ), }, + // { + // Name: "Set postInstall.labelNamespace.extraRules", + + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // SetValue("postInstall.labelNamespace.extraRules", "testExtraRules"), + // }, { - Name: "Set postInstall.probeWebhook.securityContext.readOnlyRootFilesystem to False", + Name: "Set .postInstall.labelNamespace.image.repository and .postInstall.labelNamespace.image.tag", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.securityContext.readOnlyRootFilesystem", "false", + "postInstall.labelNamespace.image.repository", "test-gatekeeper-crd-repo", + ). + SetValue( + "postInstall.labelNamespace.image.tag", "v3.10.0", ), }, { - Name: "Set postInstall.probeWebhook.securityContext.readOnlyRootFilesystem to true", + Name: "Set postInstall.labelNamespace.image.pullPolicy to IfNotPresent", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.securityContext.readOnlyRootFilesystem", "true", + "postInstall.labelNamespace.image.pullPolicy", "IfNotPresent", ), }, { - Name: "Set postInstall.probeWebhook.securityContext.runAsGroup", + Name: "Set postInstall.labelNamespace.image.pullPolicy to Always", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.securityContext.runAsGroup", "3000", + "postInstall.labelNamespace.image.pullPolicy", "Always", ), }, { - Name: "Set postInstall.probeWebhook.securityContext.runAsNonRoot to False", + Name: "Set postInstall.labelNamespace.image.pullPolicy to Never", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "postInstall.probeWebhook.securityContext.runAsNonRoot", "false", + "postInstall.labelNamespace.image.pullPolicy", "Never", ), }, + // { + // Name: "Set postInstall.labelNamespace.image.pullSecrets", + + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // SetValue( + // "postInstall.labelNamespace.image.pullSecrets", "testPullSecrets", + // ), + // }, { - Name: "Set postInstall.probeWebhook.securityContext.runAsNonRoot to True", + Name: "Set postInstall.labelNamespace.extraNamespaces", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.securityContext.runAsNonRoot", "true", + Set( + "postInstall.labelNamespace.extraNamespaces", testExtraNamespaces, ), }, { - Name: "Set postInstall.probeWebhook.securityContext.runAsUser", + Name: "Set postInstall.labelNamespace.podSecurity", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "postInstall.probeWebhook.securityContext.runAsUser", "2000", + Set( + "postInstall.labelNamespace.podSecurity", testPodSecurityLabels, ), }, - // For .Values.preUninstall - { - Name: "Set preUninstall.deleteWebhookConfigurations.extraRules", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue("preUninstall.deleteWebhookConfigurations.extraRules", "testExtraRules"), - }, + // For .Values.postInstall.probeWebhook { - Name: "Set preUninstall.deleteWebhookConfigurations.enabled to False", - + Name: "Set Values for postInstall.probeWebhook.enabled", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.enabled", "false", + "postInstall.probeWebhook.enabled", "true", ), }, { - Name: "Set preUninstall.deleteWebhookConfigurations.enabled to True", - + Name: "Set Values for postInstall.probeWebhook.enabled to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.enabled", "true", + "postInstall.probeWebhook.enabled", "false", ), }, { - Name: "Set preUninstall.deleteWebhookConfigurations.image.repository and preUninstall.deleteWebhookConfigurations.image.tag", + Name: "Set .postInstall.probeWebhook.image.repository and .postInstall.probeWebhook.image.tag", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.image.repository", "test-gatekeeper-crd-repo", + "postInstall.probeWebhook.image.repository", "test-curlimages-repo", ). SetValue( - "preUninstall.deleteWebhookConfigurations.image.tag", "v3.10.0", + "postInstall.probeWebhook.image.tag", "v7.83.1", ), }, { - Name: "Set preUninstall.deleteWebhookConfigurations.image.pullPolicy to IfNotPresent", + Name: "Set postInstall.probeWebhook.image.pullPolicy to IfNotPresent", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.image.pullPolicy", "IfNotPresent", + "postInstall.probeWebhook.image.pullPolicy", "IfNotPresent", ), }, { - Name: "Set preUninstall.deleteWebhookConfigurations.image.pullPolicy to Always", + Name: "Set postInstall.probeWebhook.image.pullPolicy to Always", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.image.pullPolicy", "Always", + "postInstall.probeWebhook.image.pullPolicy", "Always", ), }, { - Name: "Set preUninstall.deleteWebhookConfigurations.image.pullPolicy to Never", + Name: "Set postInstall.probeWebhook.image.pullPolicy to Never", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.image.pullPolicy", "Never", + "postInstall.probeWebhook.image.pullPolicy", "Never", ), }, { - Name: "Set preUninstall.deleteWebhookConfigurations.image.pullSecrets", + Name: "Set postInstall.probeWebhook.image.pullSecrets", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.deleteWebhookConfigurations.image.pullSecrets", "testPullSecrets", + "postInstall.probeWebhook.image.pullSecrets", "testPullSecrets", ), }, { - Name: "Set preUninstall.tolerations", - + Name: "Set Values for postInstall.probeWebhook.waitTimeout", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "preUninstall.tolerations", testTolerations, + "postInstall.probeWebhook.waitTimeout", 50, ), }, { - Name: "Set preUninstall.nodeSelector", - + Name: "Set Values for postInstall.probeWebhook.httpTimeout", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "preUninstall.nodeSelector", testNodeSelector, + "postInstall.probeWebhook.httpTimeout", 1, ), }, { - Name: "Set preUninstall.affinity", - + Name: "Set Values for postInstall.probeWebhook.insecureHTTPS to true", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - Set( - "preUninstall.affinity", testAffinity, + SetValue( + "postInstall.probeWebhook.insecureHTTPS", "true", ), }, { - Name: "Set preUninstall.resources", - + Name: "Set Values for postInstall.probeWebhook.insecureHTTPS to false", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + SetValue( + "postInstall.probeWebhook.insecureHTTPS", "false", + ), + }, + { + Name: "Set postInstall.affinity", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "postUpgrade.affinity", testResources, + "postInstall.affinity", testAffinity, ), }, { - Name: "Set preUninstall.securityContext.allowPrivilegeEscalation to True", + Name: "Set postInstall.securityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "preUninstall.securityContext.allowPrivilegeEscalation", "true", + Set( + "postInstall.securityContext", testSecurityContext, + ). + Set( + "postInstall.labelNamespace.enabled", true, ), }, + + // // For .Values.preUninstall + // { + // Name: "Set preUninstall.deleteWebhookConfigurations.extraRules", + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // SetValue("preUninstall.deleteWebhookConfigurations.extraRules", "testExtraRules"), + // }, { - Name: "Set preUninstall.securityContext.allowPrivilegeEscalation to False", + Name: "Set preUninstall.deleteWebhookConfigurations.enabled to False", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.securityContext.allowPrivilegeEscalation", "false", + "preUninstall.deleteWebhookConfigurations.enabled", "false", ), }, { - Name: "Set preUninstall.securityContext.capabilities.drop", + Name: "Set preUninstall.deleteWebhookConfigurations.enabled to True", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.securityContext.capabilities.drop", "NET_ADMIN", + "preUninstall.deleteWebhookConfigurations.enabled", "true", ), }, { - Name: "Set preUninstall.securityContext.readOnlyRootFilesystem to False", + Name: "Set preUninstall.deleteWebhookConfigurations.image.repository and preUninstall.deleteWebhookConfigurations.image.tag", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.securityContext.readOnlyRootFilesystem", "false", + "preUninstall.deleteWebhookConfigurations.image.repository", "test-gatekeeper-crd-repo", + ). + SetValue( + "preUninstall.deleteWebhookConfigurations.image.tag", "v3.10.0", ), }, { - Name: "Set preUninstall.securityContext.readOnlyRootFilesystem to true", + Name: "Set preUninstall.deleteWebhookConfigurations.image.pullPolicy to IfNotPresent", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.securityContext.readOnlyRootFilesystem", "true", + "preUninstall.deleteWebhookConfigurations.image.pullPolicy", "IfNotPresent", ), }, { - Name: "Set preUninstall.securityContext.runAsGroup", + Name: "Set preUninstall.deleteWebhookConfigurations.image.pullPolicy to Always", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.securityContext.runAsGroup", "3000", + "preUninstall.deleteWebhookConfigurations.image.pullPolicy", "Always", ), }, { - Name: "Set preUninstall.securityContext.runAsNonRoot to False", + Name: "Set preUninstall.deleteWebhookConfigurations.image.pullPolicy to Never", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "preUninstall.securityContext.runAsNonRoot", "false", + "preUninstall.deleteWebhookConfigurations.image.pullPolicy", "Never", ), }, { - Name: "Set preUninstall.securityContext.runAsNonRoot to True", + Name: "Set preUninstall.deleteWebhookConfigurations.image.pullSecrets", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "preUninstall.securityContext.runAsNonRoot", "true", + Set( + "preUninstall.deleteWebhookConfigurations.image.pullSecrets", testPullSecrets, + ), + }, + { + Name: "Set preUninstall.affinity", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set( + "preUninstall.affinity", testAffinity, + ), + }, + { + Name: "Set preUninstall.resources", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set( + "preUninstall.resources", testResources, ), }, { - Name: "Set preUninstall.securityContext.runAsUser", + Name: "Set preUninstall.securityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "preUninstall.securityContext.runAsUser", "2000", + Set( + "preUninstall.securityContext", testSecurityContext, ), }, @@ -808,8 +880,8 @@ var suite = test.Suite{ Name: "Set images.pullSecrets", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "images.pullSecrets", "testPullSecrets", + Set( + "images.pullSecrets", testPullSecrets, ), }, { @@ -820,12 +892,19 @@ var suite = test.Suite{ ), }, { - Name: "Set podCountLimit", + Name: "Set podLabels", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "podCountLimit", "120", + Set( + "podLabels", testPodLabels, ), }, + // { + // Name: "Set podCountLimit", + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // Set( + // "podCountLimit", 120, + // ), + // }, { Name: "Set enableRuntimeDefaultSeccompProfile to False", @@ -843,7 +922,7 @@ var suite = test.Suite{ ), }, - // For Values.controllerManager + // // For Values.controllerManager { Name: "Set controllerManager.exemptNamespaces", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). @@ -851,6 +930,13 @@ var suite = test.Suite{ "controllerManager.exemptNamespaces", testExemptNamespaces, ), }, + { + Name: "Set controllerManager.exemptNamespacePrefixes", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set( + "controllerManager.exemptNamespacePrefixes", testExemptNamespacesPrefixes, + ), + }, { Name: "Set controllerManager.hostNetwork to True", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). @@ -889,43 +975,43 @@ var suite = test.Suite{ { Name: "Set controllerManager.port", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.port", "8000", + Set( + "controllerManager.port", 8000, ), }, { Name: "Set controllerManager.metricsPort", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.metricsPort", "8080", + Set( + "controllerManager.metricsPort", 8080, ), }, { Name: "Set controllerManager.healthPort", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.healthPort", "8989", + Set( + "controllerManager.healthPort", 8989, ), }, { Name: "Set controllerManager.readinessTimeout", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.readinessTimeout", "2", + Set( + "controllerManager.readinessTimeout", 2, ), }, { Name: "Set controllerManager.livenessTimeout", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.livenessTimeout", "2", + Set( + "controllerManager.livenessTimeout", 2, ), }, { Name: "Set controllerManager.priorityClassName", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "controllerManager.priorityClassName", "cluster-critical", + "controllerManager.priorityClassName", "system-cluster-critical", ), }, { @@ -943,146 +1029,95 @@ var suite = test.Suite{ ), }, { - Name: "Set livenessTimeout.tlsMinVersion", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "livenessTimeout.tlsMinVersion", "1.2", - ), - }, - { - Name: "Set controllerManager.tolerations", - + Name: "Set controllerManager.tlsMinVersion", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "controllerManager.tolerations", testTolerations, + "controllerManager.tlsMinVersion", 1.2, ), }, { - Name: "Set controllerManager.nodeSelector", - + Name: "Set controllerManager.affinity", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). Set( - "controllerManager.nodeSelector", testNodeSelector, - ), - }, - { - Name: "Set controllerManager.resources.limits", - - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.resources.limits.cpu", "900m", - ). - SetValue( - "controllerManager.resources.limits.memory", "500Mi", - ), - }, - { - Name: "Set controllerManager.resources.requests", - - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.resources.requests.cpu", "90m", - ). - SetValue( - "controllerManager.resources.requests.memory", "250Mi", - ), - }, - { - Name: "Set controllerManager.securityContext.allowPrivilegeEscalation to True", - - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.allowPrivilegeEscalation", "true", + "controllerManager.affinity", testDeploymentAffinity, ), }, { - Name: "Set controllerManager.securityContext.allowPrivilegeEscalation to False", + Name: "Set controllerManager.tolerations", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.allowPrivilegeEscalation", "false", + Set( + "controllerManager.tolerations", testTolerations, ), }, { - Name: "Set controllerManager.securityContext.capabilities.drop", + Name: "Set controllerManager.nodeSelector", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.capabilities.drop", "NET_ADMIN", + Set( + "controllerManager.nodeSelector", testNodeSelector, ), }, - { - Name: "Set controllerManager.securityContext.readOnlyRootFilesystem to False", + // { + // Name: "Set controllerManager.resources", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.readOnlyRootFilesystem", "false", - ), - }, + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // Set( + // "controllerManager.resources", testResources, + // ), + // }, { - Name: "Set controllerManager.securityContext.readOnlyRootFilesystem to true", + Name: "Set controllerManager.securityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.readOnlyRootFilesystem", "true", + Set( + "controllerManager.securityContext", testSecurityContext, ), }, { - Name: "Set controllerManager.securityContext.runAsGroup", + Name: "Set controllerManager.podSecurityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.runAsGroup", "3000", + Set( + "controllerManager.podSecurityContext", testPodSecurityContext, ), }, - { - Name: "Set controllerManager.securityContext.runAsNonRoot to False", + // { + // Name: "Set controllerManager.extraRules", - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "controllerManager.securityContext.runAsNonRoot", "false", - ), - }, + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // Set("controllerManager.extraRules", testExtraRules), + // }, { - Name: "Set controllerManager.securityContext.runAsNonRoot to True", - + Name: "Set controllerManager.logFile", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "controllerManager.securityContext.runAsNonRoot", "true", + "controllerManager.logFile", "test-file", ), }, { - Name: "Set controllerManager.securityContext.runAsUser", - + Name: "Set controllerManager.clientCertName", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "controllerManager.securityContext.runAsUser", "2000", + "controllerManager.clientCertName", "test", ), }, { - Name: "Set controllerManager.podSecurityContext.fsGroup", - + Name: "Set Values for controllerManager.networkPolicy.enabled", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "controllerManager.podSecurityContext.fsGroup", "1000", + "controllerManager.networkPolicy.enabled", "true", ), }, { - Name: "Set controllerManager.podSecurityContext.supplementalGroups", - + Name: "Set Values for controllerManager.networkPolicy.enabled to false", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "controllerManager.podSecurityContext.supplementalGroups", "1000", + "controllerManager.networkPolicy.enabled", "false", ), }, - { - Name: "Set controllerManager.extraRules", - - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue("controllerManager.extraRules", "testExtraRules"), - }, - // For Values.audit + // // For Values.audit { Name: "Set audit.hostNetwork to True", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). @@ -1150,7 +1185,7 @@ var suite = test.Suite{ Name: "Set audit.priorityClassName", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.priorityClassName", "cluster-critical", + "audit.priorityClassName", "system-cluster-critical", ), }, { @@ -1183,6 +1218,7 @@ var suite = test.Suite{ "audit.nodeSelector", testNodeSelector, ), }, + { Name: "Set audit.affinity", @@ -1192,136 +1228,4287 @@ var suite = test.Suite{ ), }, { - Name: "Set audit.resources.limits", + Name: "Set audit.resources", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "audit.resources.limits.cpu", "900m", - ). - SetValue( - "audit.resources.limits.memory", "500Mi", + Set( + "audit.resources", testResources, ), }, + { - Name: "Set audit.resources.requests", + Name: "Set audit.securityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "audit.resources.requests.cpu", "90m", - ). - SetValue( - "audit.resources.requests.memory", "250Mi", + Set( + "audit.securityContext", testSecurityContext, ), }, { - Name: "Set audit.securityContext.allowPrivilegeEscalation to True", + Name: "Set audit.podSecurityContext", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set( + "audit.podSecurityContext", testPodSecurityContext, + ), + }, + // { + // Name: "Set audit.writeToRAMDisk to False", + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // SetValue( + // "audit.writeToRAMDisk", "false", + // ), + // }, + // { + // Name: "Set audit.writeToRAMDisk to True", + + // TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + // SetValue( + // "audit.writeToRAMDisk", "true", + // ), + // }, + { + Name: "Set audit.logFile", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.securityContext.allowPrivilegeEscalation", "true", + "audit.logFile", "test-file", ), }, + { - Name: "Set audit.securityContext.allowPrivilegeEscalation to False", + Name: "Set crds.affinity", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "audit.securityContext.allowPrivilegeEscalation", "false", + Set( + "crds.affinity", testAffinity, ), }, { - Name: "Set audit.securityContext.capabilities.drop", + Name: "Set crds.resources", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "audit.securityContext.capabilities.drop", "NET_ADMIN", + Set( + "crds.resources", testResources, ), }, { - Name: "Set audit.securityContext.readOnlyRootFilesystem to False", + Name: "Set crds.securityContext", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "audit.securityContext.readOnlyRootFilesystem", "false", + Set( + "crds.securityContext", testSecurityContext, ), }, { - Name: "Set audit.securityContext.readOnlyRootFilesystem to true", + Name: "Set pdb.controllerManager.minAvailable", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue( - "audit.securityContext.readOnlyRootFilesystem", "true", + Set( + "pdb.controllerManager.minAvailable", 1, ), }, { - Name: "Set audit.securityContext.runAsGroup", + Name: "Set .Values.global.cattle.psp.enabled to true", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set("global.cattle.psp.enabled", true), + }, + { + Name: "Set .Values.global.cattle.psp.enabled to false", + + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + Set("global.cattle.psp.enabled", false), + }, + { + Name: "Set Values.global.cattle.systemDefaultRegistry", + TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). + SetValue("global.cattle.systemDefaultRegistry", "test-registry"), + }, + { + Name: "Set externalCertInjection.enabled to True", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.securityContext.runAsGroup", "3000", + "externalCertInjection.enabled", "true", ), }, { - Name: "Set audit.securityContext.runAsNonRoot to False", - + Name: "Set externalCertInjection.enabled to False", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.securityContext.runAsNonRoot", "false", + "externalCertInjection.enabled", "false", ), }, { - Name: "Set audit.securityContext.runAsNonRoot to True", - + Name: "Set externalCertInjection.secretName", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.securityContext.runAsNonRoot", "true", + "externalCertInjection.secretName", "secret", ), }, { - Name: "Set audit.securityContext.runAsUser", - + Name: "Set Values.nameOverride", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.securityContext.runAsUser", "2000", + "nameOverride", "example-chart", ), }, { - Name: "Set audit.podSecurityContext.fsGroup", - + Name: "Set upgradeCRDs.enabled to True", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.podSecurityContext.fsGroup", "1000", + "upgradeCRDs.enabled", "true", ), }, { - Name: "Set audit.podSecurityContext.supplementalGroups", - + Name: "Set upgradeCRDs.enabled to False", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.podSecurityContext.supplementalGroups", "1000", + "upgradeCRDs.enabled", "false", ), }, { - Name: "Set audit.writeToRAMDisk to False", - + Name: "Set rbac.create to True", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.writeToRAMDisk", "false", + "rbac.create", "true", ), }, { - Name: "Set audit.writeToRAMDisk to True", - + Name: "Set rbac.create to False", TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). SetValue( - "audit.writeToRAMDisk", "true", + "rbac.create", "false", ), }, + }, + + NamedChecks: []test.NamedCheck{ + + // { + // Name: "All Workloads Have Service Account", + // Checks: common.AllWorkloadsHaveServiceAccount, + // }, + { + Name: "All Workloads Have Node Selectors And Tolerations For OS", + Checks: common.AllWorkloadsHaveNodeSelectorsAndTolerationsForOS, + }, { - Name: "Set audit.extraRules", + Name: "All Workload Container Should Have SystemDefaultRegistryPrefix", + Checks: common.AllContainerImagesShouldHaveSystemDefaultRegistryPrefix, + Covers: []string{ + "Values.global.cattle.systemDefaultRegistry", + }, + }, + { + Name: "Check gatekeeper-controller-manager deployment has correct number of replicas (.Values.replicas)", + Covers: []string{ + ".Values.replicas", + }, - TemplateOptions: chart.NewTemplateOptions(DefaultReleaseName, DefaultNamespace). - SetValue("audit.extraRules", "testExtraRules"), + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.Name != "gatekeeper-controller-manager" { + return + } + + expectedReplicasValue, ok := checker.RenderValue[int32](tc, ".Values.replicas") + if ok { + assert.NotNil(tc.T, deployment.Spec.Replicas) + + assert.Equal(tc.T, + expectedReplicasValue, *deployment.Spec.Replicas, + "deplooyment %s does not have correct number of replicas, expected: %v got: %v", + deployment.Name, expectedReplicasValue, *deployment.Spec.Replicas, + ) + } + }), + }, + }, + { + Name: "Check gatekeeper-audit-controller deployment has correct auditInterval (.Values.auditInterval)", + Covers: []string{ + ".Values.auditInterval", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditIntervalValue, ok := checker.RenderValue[int](tc, ".Values.auditInterval") + + expectedArg := fmt.Sprintf("--audit-interval=%d", auditIntervalValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct audit interval argument", + container.Name, obj.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct auditMatchKindOnly set (.Values.auditMatchKindOnly)", + Covers: []string{ + ".Values.auditMatchKindOnly", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditMatchKindOnlyVal, ok := checker.RenderValue[bool](tc, ".Values.auditMatchKindOnly") + + expectedArg := fmt.Sprintf("--audit-match-kind-only=%t", auditMatchKindOnlyVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct auditMatchKindOnly argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct auditFromCache set (.Values.auditFromCache)", + Covers: []string{ + ".Values.auditFromCache", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditFromCacheVal, ok := checker.RenderValue[bool](tc, ".Values.auditFromCache") + + expectedArg := fmt.Sprintf("--audit-from-cache=%t", auditFromCacheVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct auditFromCache argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct disableMutation (.Values.disableMutation)", + Covers: []string{ + ".Values.disableMutation", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + disableMutationVal, ok := checker.RenderValue[bool](tc, ".Values.disableMutation") + + expectedArg := "--operation=mutation-status" + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found == !disableMutationVal, + "container %s of obj %s does not have correct disableMutation argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + // { + // Name: "Check gatekeeper-audit-controller and controller manager deployments has correct disableMutation set (.Values.disableMutation)", + // Covers: []string{ + // ".Values.disableMutation", + // }, + + // Checks: test.Checks{ + // checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + // if obj.GetName() != "gatekeeper-audit" { + // return + // } + + // assert.Equal(tc.T, + // 1, len(podTemplateSpec.Spec.Containers), + // "obj %s does not have correct number of containers, expected: %v got: %v", + // obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + // ) + + // if len(podTemplateSpec.Spec.Containers) > 0 { + // container := podTemplateSpec.Spec.Containers[0] + + // disableMutationVal, _ := checker.RenderValue[bool](tc, ".Values.disableMutation") + + // expected := container.Args + // if disableMutationVal { + // expected := append(container.Args, "--operation=mutation-status") + // assert.Equal(tc.T, expected, container.Args, + // "container %s of obj %s does not have correct disableMutation argument set. Expected container args: %v. Got: %v", + // container.Name, obj.GetName(), expected, container.Args) + // } + + // assert.Equal(tc.T, expected, container.Args, + // "container %s of obj %s does not have correct disableMutation argument set", + // container.Name, obj.GetName()) + // } + // }), + // }, + // }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct number of constraintViolationsLimit (.Values.constraintViolationsLimit)", + Covers: []string{ + ".Values.constraintViolationsLimit", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + constraintViolationsLimitValue, ok := checker.RenderValue[int](tc, ".Values.constraintViolationsLimit") + + expectedArg := fmt.Sprintf("--constraint-violations-limit=%d", constraintViolationsLimitValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct constraintsViolation argument", + container.Name, obj.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct enableExternalData (.Values.enableExternalData)", + Covers: []string{ + ".Values.enableExternalData", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + enableExternalDataValue, ok := checker.RenderValue[bool](tc, ".Values.enableExternalData") + + expectedArg := fmt.Sprintf("--enable-external-data=%t", enableExternalDataValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct enableExternalData argument", + container.Name, obj.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct enableGeneratorResourceExpansion Args (.Values.enableGeneratorResourceExpansion)", + Covers: []string{ + ".Values.enableGeneratorResourceExpansion", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + enableGeneratorResourceExpansionValue, ok := checker.RenderValue[int](tc, ".Values.enableGeneratorResourceExpansion") + + expectedArg := fmt.Sprintf("--enable-generator-resource-expansion=%d", enableGeneratorResourceExpansionValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct enableGeneratorResourceExpansion argument", + container.Name, obj.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct number of auditChunkSize (.Values.auditChunkSize)", + Covers: []string{ + ".Values.auditChunkSize", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditChunkSizeValue, ok := checker.RenderValue[int](tc, ".Values.auditChunkSize") + + expectedArg := fmt.Sprintf("--audit-chunk-size=%d", auditChunkSizeValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct auditChunkSize argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment containers has correct metrics backend arg (.Values.metricsBackends)", + Covers: []string{ + ".Values.metricsBackends", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + metricsBackendsValue, ok := checker.RenderValue[[]string](tc, ".Values.metricsBackends") + + expectedArg := fmt.Sprintf("--metrics-backend=%s", metricsBackendsValue[0]) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct metricsBackends argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct number of enableTLSHealthcheck (.Values.enableTLSHealthcheck)", + Covers: []string{ + ".Values.enableTLSHealthcheck", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != " gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + enableTLSHealthcheckValue, _ := checker.RenderValue[bool](tc, ".Values.enableTLSHealthcheck") + + expected := container.Args + + if enableTLSHealthcheckValue { + + expected = append(container.Args, "--enable-tls-healthcheck") + } + + assert.Equal(tc.T, expected, container.Args, + "container %s of obj %s does not have correct tlsHealthCheck argument set. Expected container args: %v. Got: %v", + container.Name, obj.GetName(), expected, container.Args) + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct number of maxServingThreads (.Values.maxServingThreads)", + Covers: []string{ + ".Values.maxServingThreads", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + maxServingThreadsValue, ok := checker.RenderValue[int](tc, ".Values.maxServingThreads") + + expectedArg := fmt.Sprintf("--max-serving-threads=%d", maxServingThreadsValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct maxServingThreads argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct logLevel set (.Values.logLevel)", + Covers: []string{ + ".Values.logLevel", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + logLevelValue, ok := checker.RenderValue[string](tc, ".Values.logLevel") + + expectedArg := fmt.Sprintf("--log-level=%s", logLevelValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct logLevel argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct logDenies set (.Values.logDenies)", + Covers: []string{ + ".Values.logDenies", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + logDeniesVal, ok := checker.RenderValue[bool](tc, ".Values.logDenies") + + expectedArg := fmt.Sprintf("--log-denies=%t", logDeniesVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct logDenies argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct logMutations set (.Values.logMutations)", + Covers: []string{ + ".Values.logMutations", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + logMutationsVal, ok := checker.RenderValue[bool](tc, ".Values.logMutations") + + expectedArg := fmt.Sprintf("--log-mutations=%t", logMutationsVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct logMutations argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct emitAdmissionEvents set (.Values.emitAdmissionEvents)", + Covers: []string{ + ".Values.emitAdmissionEvents", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + emitAdmissionEventsVal, ok := checker.RenderValue[bool](tc, ".Values.emitAdmissionEvents") + + expectedArg := fmt.Sprintf("--emit-admission-events=%t", emitAdmissionEventsVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct emitAdmissionEvents argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct emitAuditEvents set (.Values.emitAuditEvents)", + Covers: []string{ + ".Values.emitAuditEvents", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + emitAuditEventsVal, ok := checker.RenderValue[bool](tc, ".Values.emitAuditEvents") + + expectedArg := fmt.Sprintf("--emit-audit-events=%t", emitAuditEventsVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct emitAuditEvents argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment container has correct admissionEventsInvolvedNamespace arg set (.Values.admissionEventsInvolvedNamespace)", + Covers: []string{ + ".Values.admissionEventsInvolvedNamespace", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + admissionEventsInvolvedNamespaceVal, ok := checker.RenderValue[bool](tc, ".Values.admissionEventsInvolvedNamespace") + + expectedArg := fmt.Sprintf("--admission-events-involved-namespace=%t", admissionEventsInvolvedNamespaceVal) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct admissionEventsInvolvedNamespace argument set", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + // Checkers for Values.postUpgrade + + { + Name: "Check postUpgrade.labelNamespace.enabled", + Covers: []string{ + ".Values.postUpgrade.labelNamespace.enabled", + ".Values.postUpgrade.probeWebhook.enabled", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + // enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + enableprobeWebhookVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.probeWebhook.enabled") + + if !enableLabelNamespaceVal && enableprobeWebhookVal { + found := false + if job.Name == "gatekeeper-update-namespace-label-post-upgrade" { + found = true + } + + assert.True(tc.T, found, + "Incorrect postUpgrade labelNamespace configuration") + } + + }), + }, + }, + + { + Name: "Check namespace-post-upgrade job containers have correct extra namespace args (.Values.postUpgrade.labelNamespace.extraNamespaces)", + Covers: []string{ + ".Values.postUpgrade.labelNamespace.extraNamespaces", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal && job.GetName() != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + + if len(job.Spec.Template.Spec.Containers) > 0 { + + extraNamespacesVal, _ := checker.RenderValue[[]string](tc, ".Values.postUpgrade.labelNamespace.extraNamespaces") + if len(extraNamespacesVal) > 0 { + container := job.Spec.Template.Spec.Containers[0] + containerArgsVal := container.Args + args := make(map[string]bool) + + for _, s := range containerArgsVal { + args[s] = true + } + + allExist := true + + for _, s := range extraNamespacesVal { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "Job %s container does not have correct namespaces in container args", job.Name) + } + } + }), + }, + }, + + { + Name: "Check namespace-post-upgrade job tcontainers have correct podSecurity labels in container args (.Values.postUpgrade.labelNamespace.podSecurity)", + Covers: []string{ + ".Values.postUpgrade.labelNamespace.podSecurity", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.GetName() != "gatekeeper-update-namespace-label" { + return + } + + assert.Equal(tc.T, + 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers, expected: %v got: %v", + job.GetName(), 1, len(job.Spec.Template.Spec.Containers), + ) + + if len(job.Spec.Template.Spec.Containers) > 0 { + container := job.Spec.Template.Spec.Containers[0] + + podSecurityVal, _ := checker.RenderValue[[]string](tc, ".Values.postUpgrade.labelNamespace.podSecurity") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal { + return + } + + containerArgsVal := container.Args + + args := make(map[string]bool) + + for _, s := range containerArgsVal { + args[s] = true + } + + allExist := true + + for _, s := range podSecurityVal { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "Job %s container does not have correct podSecurity labels in container args", job.Name) + } + }), + }, + }, + + { + Name: "Check kubectl image repository and tag for postUpgrade Job", + Covers: []string{ + ".Values.postUpgrade.labelNamespace.image.repository", + ".Values.postUpgrade.labelNamespace.image.tag", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + + ok := assert.Equal(tc.T, 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers: expected: %d, got: %d", + job.Name, 1, len(job.Spec.Template.Spec.Containers)) + if !ok { + return + } + + container := job.Spec.Template.Spec.Containers[0] + systemDefaultRegistry := common.GetSystemDefaultRegistry(tc) + + kubectlRepo, _ := checker.RenderValue[string](tc, ".Values.postUpgrade.labelNamespace.image.repository") + kubectlTag, _ := checker.RenderValue[string](tc, ".Values.postUpgrade.labelNamespace.image.tag") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal { + return + } + + containerImage := kubectlRepo + ":" + kubectlTag + + expectedContainerImage := systemDefaultRegistry + containerImage + assert.Equal(tc.T, + expectedContainerImage, container.Image, + "container %s of job %s does not have correct image: expected: %v got: %v", + container.Name, job.Name, expectedContainerImage, container.Image) + + }), + }, + }, + + { + Name: "Check that postUpgrade job has correct imagePullSecrets", + Covers: []string{ + ".Values.postUpgrade.labelNamespace.image.pullSecrets", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + + labelNamespaceEnabled, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + expectedImagePullSecrets, _ := checker.RenderValue[[]corev1.LocalObjectReference](tc, ".Values.postUpgrade.labelNamespace.image.pullSecrets") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal { + return + } + + if len(expectedImagePullSecrets) == 0 || !labelNamespaceEnabled { + expectedImagePullSecrets = nil + } + + assert.Equal(tc.T, + expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets, + "job %s does not have correct imagePullSecrets: expected: %v got: %v", + job.Name, expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets) + }), + }, + }, + + { + Name: "Check that postUpgrade job containers have correct imagePullPolicy", + Covers: []string{ + ".Values.postUpgrade.labelNamespace.image.pullPolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + + expectedImagePullPolicy, exists := checker.RenderValue[corev1.PullPolicy](tc, ".Values.postUpgrade.labelNamespace.image.pullPolicy") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal { + return + } + + if exists { + for _, container := range job.Spec.Template.Spec.Containers { + + assert.Equal(tc.T, + expectedImagePullPolicy, container.ImagePullPolicy, + "container %s of job %s does not have correct imagePullPolicy: expected: %v got: %v", + container.Name, job.Name, expectedImagePullPolicy, container.ImagePullPolicy) + } + } + }), + }, + }, + + { + + Name: "Check postUpgrade.affinity", + Covers: []string{ + ".Values.postUpgrade.affinity", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + container := job.Spec.Template.Spec + + auditAffinityAddedFromValues, _ := checker.RenderValue[*corev1.Affinity](tc, ".Values.postUpgrade.affinity") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal { + return + } + + expectedAffinity := auditAffinityAddedFromValues + assert.Equal(tc.T, + expectedAffinity, container.Affinity, + "job %s does not have correct affinity: expected: %v, got: %v", + job.Name, expectedAffinity, container.Affinity) + + }), + }, + }, + + { + Name: "Check postUpgrade has correct SecurityContext as per given value", + Covers: []string{ + ".Values.postUpgrade.securityContext", + }, + + Checks: test.Checks{ + + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + + container := job.Spec.Template.Spec.Containers[0] + expected, _ := checker.RenderValue[*corev1.SecurityContext](tc, "Values.postUpgrade.securityContext") + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + enableRuntimeDefaultSeccompProfileVal, _ := checker.RenderValue[bool](tc, "Values.enableRuntimeDefaultSeccompProfile") + + if !enableLabelNamespaceVal { + return + } + + if enableRuntimeDefaultSeccompProfileVal { + expected.SeccompProfile = &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + } + } + + assert.True(tc.T, + reflect.DeepEqual(expected, container.SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + job.Name, job, expected, container.SecurityContext, + ) + }), + }, + }, + + { + Name: "Check postUpgrade resources", + Covers: []string{ + ".Values.postUpgrade.resources", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postUpgrade.labelNamespace.enabled") + + if !enableLabelNamespaceVal { + return + } + + if job.Name != "gatekeeper-update-namespace-label-post-upgrade" { + return + } + + container := job.Spec.Template.Spec + + ok := assert.Equal(tc.T, 1, len(container.Containers), + "deployment %s does not have correct number of container: expected: %d, got: %d", + job.Name, 1, len(container.Containers)) + + if !ok { + return + } + + expectedResourceReq, _ := checker.RenderValue[corev1.ResourceRequirements](tc, ".Values.postUpgrade.resources") + + assert.Equal(tc.T, + expectedResourceReq, container.Containers[0].Resources, + "container %s of deployment %s does not have correct resources constraint: expected: %v, got: %v", + container.Containers[0].Name, job.Name, expectedResourceReq, container.Containers[0].Resources) + + }), + }, + }, + + // For Values.postInstall + + { + Name: "Check postInstall.labelNamespace.enabled", + Covers: []string{ + ".Values.postInstall.labelNamespace.enabled", + ".Values.postInstall.probeWebhook.enabled", + }, + + Checks: test.Checks{ + checker.OnResources(func(tc *checker.TestContext, jobs []*batchv1.Job) { + + enableLabelNamespaceVal, _ := checker.RenderValue[bool](tc, ".Values.postInstall.labelNamespace.enabled") + enableprobeWebhookVal, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !enableLabelNamespaceVal && enableprobeWebhookVal { + found := false + for _, job := range jobs { + if job.Name == "gatekeeper-probe-webhook-post-install" { + found = true + } + } + + assert.True(tc.T, found, + "Incorrect postInstall labelNamespace configuration") + } + + }), + }, + }, + + { + Name: "Check images repository and tag for postInstall Job", + Covers: []string{ + ".Values.postInstall.labelNamespace.image.repository", + ".Values.postInstall.labelNamespace.image.tag", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + + ok := assert.Equal(tc.T, 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers: expected: %d, got: %d", + job.Name, 1, len(job.Spec.Template.Spec.Containers)) + if !ok { + return + } + + container := job.Spec.Template.Spec.Containers[0] + systemDefaultRegistry := common.GetSystemDefaultRegistry(tc) + + imageRepo, _ := checker.RenderValue[string](tc, ".Values.postInstall.labelNamespace.image.repository") + imageTag, _ := checker.RenderValue[string](tc, ".Values.postInstall.labelNamespace.image.tag") + + containerImage := imageRepo + ":" + imageTag + + expectedContainerImage := systemDefaultRegistry + containerImage + assert.Equal(tc.T, + expectedContainerImage, container.Image, + "container %s of job %s does not have correct image: expected: %v got: %v", + container.Name, job.Name, expectedContainerImage, container.Image) + + }), + }, + }, + + { + Name: "Check that postInstall job containers have correct imagePullPolicy", + Covers: []string{ + ".Values.postInstall.labelNamespace.image.pullPolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + + expectedImagePullPolicy, exists := checker.RenderValue[corev1.PullPolicy](tc, ".Values.postInstall.labelNamespace.image.pullPolicy") + + if exists { + for _, container := range job.Spec.Template.Spec.Containers { + + assert.Equal(tc.T, + expectedImagePullPolicy, container.ImagePullPolicy, + "container %s of job %s does not have correct imagePullPolicy: expected: %v got: %v", + container.Name, job.Name, expectedImagePullPolicy, container.ImagePullPolicy) + } + } + }), + }, + }, + + // { + // Name: "Check that postInstall job has correct imagePullSecrets", + // Covers: []string{ + // ".Values.postInstall.labelNamespace.image.pullSecrets", + // }, + + // Checks: test.Checks{ + // checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + // if job.Name != "gatekeeper-update-namespace-label" { + // return + // } + + // labelNamespaceEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.labelNamespace.enabled") + + // expectedImagePullSecrets, _ := checker.RenderValue[[]corev1.LocalObjectReference](tc, ".Values.postInstall.labelNamespace.image.pullSecrets") + + // if len(expectedImagePullSecrets) == 0 || !labelNamespaceEnabled { + // expectedImagePullSecrets = nil + // } + + // assert.Equal(tc.T, + // expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets, + // "job %s does not have correct image: expected: %v got: %v", + // job.Name, expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets) + // }), + // }, + // }, + + { + + Name: "Check postInstall.affinity", + Covers: []string{ + ".Values.postInstall.affinity", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + container := job.Spec.Template.Spec + + auditAffinityAddedFromValues, _ := checker.RenderValue[*corev1.Affinity](tc, ".Values.postInstall.affinity") + + expectedAffinity := auditAffinityAddedFromValues + assert.Equal(tc.T, + expectedAffinity, container.Affinity, + "job %s does not have correct affinity: expected: %v, got: %v", + job.Name, expectedAffinity, container.Affinity) + + }), + }, + }, + + { + Name: "Check postInstall has correct SecurityContext as per given value", + Covers: []string{ + ".Values.postInstall.securityContext", + }, + + Checks: test.Checks{ + + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + + container := job.Spec.Template.Spec.Containers[0] + + enableRuntimeDefaultSeccompProfileVal, _ := checker.RenderValue[bool](tc, "Values.enableRuntimeDefaultSeccompProfile") + + expected, _ := checker.RenderValue[*corev1.SecurityContext](tc, "Values.postInstall.securityContext") + + if enableRuntimeDefaultSeccompProfileVal { + expected.SeccompProfile = &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + } + } + + assert.True(tc.T, + reflect.DeepEqual(expected, container.SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + job.Name, job, expected, container.SecurityContext, + ) + }), + }, + }, + + { + Name: "Check images repository and tag for postInstall Job", + Covers: []string{ + ".Values.postInstall.probeWebhook.image.repository", + ".Values.postInstall.probeWebhook.image.tag", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !probeWebhookEnabled { + return + } + + ok := assert.Equal(tc.T, 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers: expected: %d, got: %d", + job.Name, 1, len(job.Spec.Template.Spec.Containers)) + if !ok { + return + } + + container := job.Spec.Template.Spec.InitContainers[0] + systemDefaultRegistry := common.GetSystemDefaultRegistry(tc) + + imageRepo, _ := checker.RenderValue[string](tc, ".Values.postInstall.probeWebhook.image.repository") + imageTag, _ := checker.RenderValue[string](tc, ".Values.postInstall.probeWebhook.image.tag") + + containerImage := imageRepo + ":" + imageTag + + expectedContainerImage := systemDefaultRegistry + containerImage + assert.Equal(tc.T, + expectedContainerImage, container.Image, + "container %s of job %s does not have correct image: expected: %v got: %v", + container.Name, job.Name, expectedContainerImage, container.Image) + + }), + }, + }, + + { + Name: "Check that namespace-post-install job containers have correct imagePullPolicy", + Covers: []string{ + ".Values.postInstall.probeWebhook.image.pullPolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !probeWebhookEnabled { + return + } + + expectedImagePullPolicy, _ := checker.RenderValue[corev1.PullPolicy](tc, ".Values.postInstall.probeWebhook.image.pullPolicy") + + container := job.Spec.Template.Spec.InitContainers[0] + + assert.Equal(tc.T, + expectedImagePullPolicy, container.ImagePullPolicy, + "container %s of job %s does not have correct imagePullPolicy: expected: %v got: %v", + container.Name, job.Name, expectedImagePullPolicy, container.ImagePullPolicy) + }), + }, + }, + + { + Name: "Check that postInstall job has correct imagePullSecrets", + Covers: []string{ + ".Values.postInstall.probeWebhook.image.pullSecrets", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-probe-webhook-post-install" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + expectedImagePullSecrets, _ := checker.RenderValue[[]corev1.LocalObjectReference](tc, ".Values.postInstall.probeWebhook.image.pullSecrets") + + if len(expectedImagePullSecrets) == 0 || !probeWebhookEnabled { + expectedImagePullSecrets = nil + } + + assert.Equal(tc.T, + expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets, + "job %s does not have correct imagePullSecrets: expected: %v got: %v", + job.Name, expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets) + }), + }, + }, + + { + Name: "Check namespace-post-install job initcontainers have correct waitTimeout args (.Values.postInstall.probeWebhook.waitTimeout)", + Covers: []string{ + ".Values.postInstall.probeWebhook.waitTimeout", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.GetName() != "gatekeeper-update-namespace-label" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !probeWebhookEnabled { + return + } + + assert.Equal(tc.T, + 1, len(job.Spec.Template.Spec.InitContainers), + "job %s does not have correct number of containers, expected: %v got: %v", + job.GetName(), 1, len(job.Spec.Template.Spec.InitContainers), + ) + + if len(job.Spec.Template.Spec.InitContainers) > 0 { + container := job.Spec.Template.Spec.InitContainers[0] + + probeWebhookWaitTimeoutValue, ok := checker.RenderValue[int](tc, ".Values.postInstall.probeWebhook.waitTimeout") + + expectedArg := fmt.Sprintf("%d", probeWebhookWaitTimeoutValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "Initcontainer %s of job %s does not have correct waitTimeout args argument", + container.Name, job.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check namespace-post-install job initcontainers have correct httpTimeout args (.Values.postInstall.probeWebhook.httpTimeout)", + Covers: []string{ + ".Values.postInstall.probeWebhook.httpTimeout", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.GetName() != "gatekeeper-update-namespace-label" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !probeWebhookEnabled { + return + } + + assert.Equal(tc.T, + 1, len(job.Spec.Template.Spec.InitContainers), + "job %s does not have correct number of containers, expected: %v got: %v", + job.GetName(), 1, len(job.Spec.Template.Spec.InitContainers), + ) + + if len(job.Spec.Template.Spec.InitContainers) > 0 { + container := job.Spec.Template.Spec.InitContainers[0] + + probeWebhookHttpTimeoutValue, ok := checker.RenderValue[int](tc, ".Values.postInstall.probeWebhook.httpTimeout") + + expectedArg := fmt.Sprintf("%d", probeWebhookHttpTimeoutValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "Initcontainer %s of job %s does not have correct httpTimeout argument", + container.Name, job.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check namespace-post-install job initcontainers have correct insecureHTTPS args (.Values.postInstall.probeWebhook.httpTimeout)", + Covers: []string{ + ".Values.postInstall.probeWebhook.insecureHTTPS", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.GetName() != "gatekeeper-update-namespace-label" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !probeWebhookEnabled { + return + } + + assert.Equal(tc.T, + 1, len(job.Spec.Template.Spec.InitContainers), + "job %s does not have correct number of containers, expected: %v got: %v", + job.GetName(), 1, len(job.Spec.Template.Spec.InitContainers), + ) + + if len(job.Spec.Template.Spec.InitContainers) > 0 { + container := job.Spec.Template.Spec.InitContainers[0] + + probeWebhookInsecureHTTPS, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.insecureHTTPS") + + initContainerArgs := container.Args + + if probeWebhookInsecureHTTPS { + + assert.Equal(tc.T, initContainerArgs, container.Args, + "container %s of obj %s does not have correct insecureHTTPS argument set. Expected container args: %v. Got: %v", + container.Name, job.Name, initContainerArgs, container.Args) + + } + + assert.Equal(tc.T, initContainerArgs, container.Args, + "container %s of obj %s does not have correct insecureHTTPS argument set. Expected container args: %v. Got: %v", + container.Name, job.Name, initContainerArgs, container.Args) + + } + }), + }, + }, + + { + Name: "Check namespace-post-install job tcontainers have correct extra namespace args (.Values.postInstall.labelNamespace.extraNamespaces)", + Covers: []string{ + ".Values.postInstall.labelNamespace.extraNamespaces", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.GetName() != "gatekeeper-update-namespace-label" { + return + } + + assert.Equal(tc.T, + 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers, expected: %v got: %v", + job.GetName(), 1, len(job.Spec.Template.Spec.Containers), + ) + + if len(job.Spec.Template.Spec.Containers) > 0 { + container := job.Spec.Template.Spec.Containers[0] + + extraNamespacesVal, _ := checker.RenderValue[[]string](tc, ".Values.postInstall.labelNamespace.extraNamespaces") + + containerArgsVal := container.Args + + args := make(map[string]bool) + + for _, s := range containerArgsVal { + args[s] = true + } + + allExist := true + + for _, s := range extraNamespacesVal { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "Job container does not have correct namespaces in container args") + } + }), + }, + }, + + { + Name: "Check namespace-post-install job tcontainers have correct podSecurity labels in container args (.Values.postInstall.labelNamespace.podSecurity)", + Covers: []string{ + ".Values.postInstall.labelNamespace.podSecurity", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.GetName() != "gatekeeper-update-namespace-label" { + return + } + + assert.Equal(tc.T, + 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers, expected: %v got: %v", + job.GetName(), 1, len(job.Spec.Template.Spec.Containers), + ) + + if len(job.Spec.Template.Spec.Containers) > 0 { + container := job.Spec.Template.Spec.Containers[0] + + podSecurityVal, _ := checker.RenderValue[[]string](tc, ".Values.postInstall.labelNamespace.podSecurity") + + containerArgsVal := container.Args + + args := make(map[string]bool) + + for _, s := range containerArgsVal { + args[s] = true + } + + allExist := true + + for _, s := range podSecurityVal { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "Job container does not have correct podSecurity labels in container args") + } + }), + }, + }, + + // For preUninstall + + { + Name: "Check gatekeeper image repository and tag for preUninstall Job", + Covers: []string{ + ".Values.preUninstall.deleteWebhookConfigurations.image.repository", + ".Values.preUninstall.deleteWebhookConfigurations.image.tag", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-delete-webhook-configs" { + return + } + + ok := assert.Equal(tc.T, 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers: expected: %d, got: %d", + job.Name, 1, len(job.Spec.Template.Spec.Containers)) + if !ok { + return + } + + container := job.Spec.Template.Spec.Containers[0] + systemDefaultRegistry := common.GetSystemDefaultRegistry(tc) + + kubectlRepo, _ := checker.RenderValue[string](tc, ".Values.preUninstall.deleteWebhookConfigurations.image.repository") + kubectlTag, _ := checker.RenderValue[string](tc, ".Values.preUninstall.deleteWebhookConfigurations.image.tag") + + containerImage := kubectlRepo + ":" + kubectlTag + + expectedContainerImage := systemDefaultRegistry + containerImage + assert.Equal(tc.T, + expectedContainerImage, container.Image, + "container %s of job %s does not have correct image: expected: %v got: %v", + container.Name, job.Name, expectedContainerImage, container.Image) + + }), + }, + }, + + { + Name: "Check that preUninstall job has correct imagePullSecrets", + Covers: []string{ + ".Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-delete-webhook-configs" { + return + } + + disableValidatingWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.disableValidatingWebhook") + disableMutationEnabled, _ := checker.RenderValue[bool](tc, ".Values.disableMutation") + deleteWebhookConfigurationsEnabled, _ := checker.RenderValue[bool](tc, ".Values.preUninstall.deleteWebhookConfigurations.enabled") + + expectedImagePullSecrets, _ := checker.RenderValue[[]corev1.LocalObjectReference](tc, ".Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets") + + if len(expectedImagePullSecrets) == 0 || ((!disableValidatingWebhookEnabled || !disableMutationEnabled) && deleteWebhookConfigurationsEnabled) { + expectedImagePullSecrets = nil + } + + assert.Equal(tc.T, + expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets, + "job %s does not have correct imagePullSecrets: expected: %v got: %v", + job.Name, expectedImagePullSecrets, job.Spec.Template.Spec.ImagePullSecrets) + }), + }, + }, + + { + + Name: "Check preUninstall.affinity", + Covers: []string{ + ".Values.preUninstall.affinity", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-delete-webhook-configs" { + return + } + container := job.Spec.Template.Spec + + auditAffinityAddedFromValues, _ := checker.RenderValue[*corev1.Affinity](tc, ".Values.preUninstall.affinity") + + expectedAffinity := auditAffinityAddedFromValues + assert.Equal(tc.T, + expectedAffinity, container.Affinity, + "job %s does not have correct affinity: expected: %v, got: %v", + job.Name, expectedAffinity, container.Affinity) + + }), + }, + }, + + { + Name: "Check preUninstall has correct SecurityContext as per given value", + Covers: []string{ + ".Values.preUninstall.securityContext", + }, + + Checks: test.Checks{ + + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-delete-webhook-configs" { + return + } + + container := job.Spec.Template.Spec.Containers[0] + + expected, _ := checker.RenderValue[*corev1.SecurityContext](tc, "Values.preUninstall.securityContext") + + assert.True(tc.T, + reflect.DeepEqual(expected, container.SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + job.Name, job, expected, container.SecurityContext, + ) + }), + }, + }, + + { + Name: "Check that preUninstall job containers have correct imagePullPolicy", + Covers: []string{ + ".Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-delete-webhook-configs" { + return + } + + expectedImagePullPolicy, exists := checker.RenderValue[corev1.PullPolicy](tc, ".Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy") + + if exists { + for _, container := range job.Spec.Template.Spec.Containers { + + assert.Equal(tc.T, + expectedImagePullPolicy, container.ImagePullPolicy, + "container %s of job %s does not have correct imagePullPolicy: expected: %v got: %v", + container.Name, job.Name, expectedImagePullPolicy, container.ImagePullPolicy) + } + } + }), + }, + }, + + { + Name: "Check preUninstall resources", + Covers: []string{ + ".Values.preUninstall.resources", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-delete-webhook-configs" { + return + } + + container := job.Spec.Template.Spec + + ok := assert.Equal(tc.T, 1, len(container.Containers), + "deployment %s does not have correct number of container: expected: %d, got: %d", + job.Name, 1, len(container.Containers)) + + if !ok { + return + } + + expectedResourceReq, _ := checker.RenderValue[corev1.ResourceRequirements](tc, ".Values.preUninstall.resources") + + assert.Equal(tc.T, + expectedResourceReq, container.Containers[0].Resources, + "container %s of deployment %s does not have correct resources constraint: expected: %v, got: %v", + container.Containers[0].Name, job.Name, expectedResourceReq, container.Containers[0].Resources) + + }), + }, + }, + + // For Values.audit + { + Name: "Check gatekeeper-audit-controller deployment has correct hostNetwork (.Values.audit.hostNetwork)", + Covers: []string{ + ".Values.audit.hostNetwork", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + auditHostNetworkValue, _ := checker.RenderValue[bool](tc, ".Values.audit.hostNetwork") + + expectedArg := auditHostNetworkValue + + assert.Equal(tc.T, + expectedArg, podTemplateSpec.Spec.HostNetwork, + "audit-controller does not have correct HostNetwork set. Expected: %v got: %v", + expectedArg, podTemplateSpec.Spec.HostNetwork, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct dnsPolicy (.Values.audit.dnsPolicy)", + Covers: []string{ + ".Values.audit.dnsPolicy", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + auditdnsPolicyValue, _ := checker.RenderValue[corev1.DNSPolicy](tc, ".Values.audit.dnsPolicy") + + expectedArg := auditdnsPolicyValue + + assert.Equal(tc.T, + expectedArg, podTemplateSpec.Spec.DNSPolicy, + "audit-controller does not have correct DNSPolicy set. Expected: %v got: %v", + expectedArg, podTemplateSpec.Spec.DNSPolicy, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct priorityClassName (.Values.audit.priorityClassName)", + Covers: []string{ + ".Values.audit.priorityClassName", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + PriorityClassNameValue, _ := checker.RenderValue[string](tc, ".Values.audit.priorityClassName") + + expectedArg := PriorityClassNameValue + + assert.Equal(tc.T, + expectedArg, podTemplateSpec.Spec.PriorityClassName, + "audit-controller does not have correct PriorityClassName set. Expected: %v got: %v", + expectedArg, podTemplateSpec.Spec.PriorityClassName, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-critical-pods resource quota has correct priorityClassName (.Values.audit.priorityClassName)", + Covers: []string{ + ".Values.audit.priorityClassName", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, resourceQuota *corev1.ResourceQuota) { + + if resourceQuota.Name != "gatekeeper-critical-pods" { + return + } + + PriorityClassNameValue, _ := checker.RenderValue[string](tc, ".Values.audit.priorityClassName") + + expectedArg := PriorityClassNameValue + + assert.Equal(tc.T, + expectedArg, resourceQuota.Spec.ScopeSelector.MatchExpressions[0].Values[1], + "gatekeeper-critical-pods resourcequota does not have correct PriorityClassName set. Expected: %v got: %v", + expectedArg, resourceQuota.Spec.ScopeSelector.MatchExpressions[0].Values[1], + ) + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct disable-cert-rotation arg set in container args (.Values.audit.disableCertRotation)", + Covers: []string{ + ".Values.audit.disableCertRotation", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditDisableCertRotationValue, ok := checker.RenderValue[bool](tc, ".Values.audit.disableCertRotation") + + expectedArg := fmt.Sprintf("--disable-cert-rotation=%t", auditDisableCertRotationValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct auditDisableCertRotation argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct metricsPort (.Values.audit.metricsPort)", + Covers: []string{ + ".Values.audit.metricsPort", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditMetricsPortValue, ok := checker.RenderValue[int](tc, ".Values.audit.metricsPort") + + expectedArg := fmt.Sprintf("--prometheus-port=%d", auditMetricsPortValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct audit.metricsPort argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct logFile (.Values.audit.logFile)", + Covers: []string{ + ".Values.audit.logFile", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditLogFileVal, ok := checker.RenderValue[string](tc, ".Values.audit.logFile") + + expectedArg := fmt.Sprintf("--log-file=%s", auditLogFileVal) + if len(auditLogFileVal) > 0 { + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct audit.logFile argument", + container.Name, obj.GetName()) + } + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct logFile (.Values.audit.logFile)", + Covers: []string{ + ".Values.audit.logFile", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditLogFileVal, ok := checker.RenderValue[string](tc, ".Values.audit.logFile") + + expectedArg := fmt.Sprintf("--log-file=%s", auditLogFileVal) + if len(auditLogFileVal) > 0 { + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct audit.logFile argument", + container.Name, obj.GetName()) + } + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct healthPort (.Values.audit.healthPort)", + Covers: []string{ + ".Values.audit.healthPort", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditHealthPortValue, ok := checker.RenderValue[int](tc, ".Values.audit.healthPort") + + expectedLivenessProbePort := container.LivenessProbe.HTTPGet.Port + + expectedContainerHealthzPort := container.Ports[1].ContainerPort + + expectedArg := fmt.Sprintf("--health-addr=:%d", auditHealthPortValue) + + if ok { + found := false + + if auditHealthPortValue == int(expectedContainerHealthzPort) { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct healthz containerPort", + container.Name, obj.GetName()) + } + + if ok { + found := false + + if auditHealthPortValue == expectedLivenessProbePort.IntValue() { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct LivenessProbe Port", + container.Name, obj.GetName()) + } + + if ok { + found := false + + if auditHealthPortValue == expectedLivenessProbePort.IntValue() { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct LivenessProbe Port", + container.Name, obj.GetName()) + } + + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct audit.healthPort argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct readiness timeout (.Values.audit.readinessTimeout)", + Covers: []string{ + ".Values.audit.readinessTimeout", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditReadinessTimeoutValue, _ := checker.RenderValue[int](tc, ".Values.audit.readinessTimeout") + + expectedAuditReadinessTimeout := int32(auditReadinessTimeoutValue) + + assert.Equal(tc.T, + expectedAuditReadinessTimeout, container.ReadinessProbe.TimeoutSeconds, + "container %s of obj %s does not have correct audit.readinessTimeout argument, expected: %v, got: %v", + container.Name, obj.GetName(), expectedAuditReadinessTimeout, container.ReadinessProbe.TimeoutSeconds) + } + }), + }, + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct liveness timeout (.Values.audit.livenessTimeout)", + Covers: []string{ + ".Values.audit.livenessTimeout", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + auditLivenessTimeoutValue, _ := checker.RenderValue[int](tc, ".Values.audit.livenessTimeout") + + expectedAuditLivenessTimeout := int32(auditLivenessTimeoutValue) + + assert.Equal(tc.T, + expectedAuditLivenessTimeout, container.LivenessProbe.TimeoutSeconds, + "container %s of obj %s does not have correct audit.readinessTimeout argument, expected: %v, got: %v", + container.Name, obj.GetName(), expectedAuditLivenessTimeout, container.LivenessProbe.TimeoutSeconds) + } + }), + }, + }, + + { + Name: "Check audit has correct SecurityContext as per given value", + Covers: []string{ + ".Values.audit.securityContext", + ".Values.enableRuntimeDefaultSeccompProfile", + }, + + Checks: test.Checks{ + + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + enableRuntimeDefaultSeccompProfileVal, _ := checker.RenderValue[bool](tc, "Values.enableRuntimeDefaultSeccompProfile") + + expected, _ := checker.RenderValue[*corev1.SecurityContext](tc, "Values.audit.securityContext") + + if enableRuntimeDefaultSeccompProfileVal { + expected.SeccompProfile = &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + } + } + + assert.True(tc.T, + reflect.DeepEqual(expected, podTemplateSpec.Spec.Containers[0].SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + obj.GetName(), obj, expected, podTemplateSpec.Spec.Containers[0].SecurityContext, + ) + }), + }, + }, + + { + Name: "Check audit Has NodeSelector As Per Given Value", + Covers: []string{ + ".Values.audit.nodeSelector", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + nodeSelectorAddedByValues, _ := checker.RenderValue[map[string]string](tc, ".Values.audit.nodeSelector") + + expectedNodeSelector := map[string]string{} + + for k, v := range nodeSelectorAddedByValues { + expectedNodeSelector[k] = v + } + + for k, v := range defaultNodeSelector { + expectedNodeSelector[k] = v + } + + assert.Equal(tc.T, + expectedNodeSelector, podTemplateSpec.Spec.NodeSelector, + "workload %s (type: %T) does not have correct nodeSelectors, expected: %v got: %v", + obj.GetName(), obj, expectedNodeSelector, podTemplateSpec.Spec.NodeSelector, + ) + }), + }, + }, + { + Name: "Check audit Have Tolerations As Per Given Value", + Covers: []string{ + ".Values.audit.tolerations", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + tolerationsAddedByValues, _ := checker.RenderValue[[]corev1.Toleration](tc, ".Values.audit.tolerations") + + expectedTolerations := append(defaultTolerations, tolerationsAddedByValues...) + if len(expectedTolerations) == 0 { + expectedTolerations = nil + } + + assert.Equal(tc.T, + expectedTolerations, podTemplateSpec.Spec.Tolerations, + "workload %s (type: %T) does not have correct tolerations, expected: %v got: %v", + obj.GetName(), obj, expectedTolerations, podTemplateSpec.Spec.Tolerations, + ) + }), + }, + }, + + { + + Name: "Check audit.affinity", + Covers: []string{ + ".Values.audit.affinity", + }, + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + auditAffinityAddedFromValues, _ := checker.RenderValue[*corev1.Affinity](tc, ".Values.audit.affinity") + + expectedAffinity := auditAffinityAddedFromValues + assert.Equal(tc.T, + expectedAffinity, podTemplateSpec.Spec.Affinity, + "deployment %s does not have correct affinity: expected: %v, got: %v", + obj.GetName(), expectedAffinity, podTemplateSpec.Spec.Affinity) + + }), + }, + }, + + { + Name: "Check audit has correct PodSecurityContext as per given value", + Covers: []string{ + ".Values.audit.podSecurityContext", + }, + + Checks: test.Checks{ + + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + podSecurityContextAddedFromValues, _ := checker.RenderValue[*corev1.PodSecurityContext](tc, "Values.audit.podSecurityContext") + + expectedPodSecurityContext := podSecurityContextAddedFromValues + + assert.True(tc.T, + reflect.DeepEqual(expectedPodSecurityContext, podTemplateSpec.Spec.SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + obj.GetName(), obj, expectedPodSecurityContext, podTemplateSpec.Spec.SecurityContext, + ) + }), + }, + }, + + // Checker functions for Values.controllerManager + + { + Name: "Check controllerManager deployment containers have correct exempt namespace args (.Values.controllerManager.exemptNamespaces)", + Covers: []string{ + ".Values.controllerManager.exemptNamespaces", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.GetName() != "gatekeeper-update-namespace-label" { + return + } + + assert.Equal(tc.T, + 1, len(deployment.Spec.Template.Spec.Containers), + "deployment %s does not have correct number of containers, expected: %v got: %v", + deployment.GetName(), 1, len(deployment.Spec.Template.Spec.Containers), + ) + + if len(deployment.Spec.Template.Spec.Containers) > 0 { + container := deployment.Spec.Template.Spec.Containers[0] + + exemptNamespaceVal, _ := checker.RenderValue[[]string](tc, ".Values.controllerManager.exemptNamespaces") + + containerArgsVal := container.Args + + args := make(map[string]bool) + + for _, s := range containerArgsVal { + args[s] = true + } + + allExist := true + + for _, s := range exemptNamespaceVal { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "deployment %s container does not have correct exempt namespaces in container args", deployment.Name) + } + }), + }, + }, + + { + Name: "Check controllerManager deployment containers have correct exempt namespace prefixes args (.Values.controllerManager.exemptNamespacePrefixes)", + Covers: []string{ + ".Values.controllerManager.exemptNamespacePrefixes", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.GetName() != "gatekeeper-update-namespace-label" { + return + } + + assert.Equal(tc.T, + 1, len(deployment.Spec.Template.Spec.Containers), + "deployment %s does not have correct number of containers, expected: %v got: %v", + deployment.GetName(), 1, len(deployment.Spec.Template.Spec.Containers), + ) + + if len(deployment.Spec.Template.Spec.Containers) > 0 { + container := deployment.Spec.Template.Spec.Containers[0] + + exemptNamespacePrefixesVal, _ := checker.RenderValue[[]string](tc, ".Values.controllerManager.exemptNamespacePrefixes") + + containerArgsVal := container.Args + + args := make(map[string]bool) + + for _, s := range containerArgsVal { + args[s] = true + } + + allExist := true + + for _, s := range exemptNamespacePrefixesVal { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "deployment %s container does not have correct exempt namespaces prefixes in container args", deployment.Name) + } + }), + }, + }, + + { + Name: "Check controllerManager Has NodeSelector As Per Given Value", + Covers: []string{ + ".Values.controllerManager.nodeSelector", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + nodeSelectorAddedByValues, _ := checker.RenderValue[map[string]string](tc, ".Values.controllerManager.nodeSelector") + + expectedNodeSelector := map[string]string{} + + for k, v := range nodeSelectorAddedByValues { + expectedNodeSelector[k] = v + } + + for k, v := range defaultNodeSelector { + expectedNodeSelector[k] = v + } + + assert.Equal(tc.T, + expectedNodeSelector, podTemplateSpec.Spec.NodeSelector, + "workload %s (type: %T) does not have correct nodeSelectors, expected: %v got: %v", + obj.GetName(), obj, expectedNodeSelector, podTemplateSpec.Spec.NodeSelector, + ) + }), + }, + }, + { + Name: "Check All Workloads Have Tolerations As Per Given Value", + Covers: []string{ + ".Values.controllerManager.tolerations", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + tolerationsAddedByValues, _ := checker.RenderValue[[]corev1.Toleration](tc, ".Values.controllerManager.tolerations") + + expectedTolerations := append(defaultTolerations, tolerationsAddedByValues...) + if len(expectedTolerations) == 0 { + expectedTolerations = nil + } + + assert.Equal(tc.T, + expectedTolerations, podTemplateSpec.Spec.Tolerations, + "workload %s (type: %T) does not have correct tolerations, expected: %v got: %v", + obj.GetName(), obj, expectedTolerations, podTemplateSpec.Spec.Tolerations, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager-controller deployment has correct hostNetwork (.Values.controllerManager.hostNetwork)", + Covers: []string{ + ".Values.controllerManager.hostNetwork", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + controllerManagerHostNetworkValue, _ := checker.RenderValue[bool](tc, ".Values.controllerManager.hostNetwork") + + expectedArg := controllerManagerHostNetworkValue + + assert.Equal(tc.T, + expectedArg, podTemplateSpec.Spec.HostNetwork, + "controllerManager-controller does not have correct HostNetwork set. Expected: %v got: %v", + expectedArg, podTemplateSpec.Spec.HostNetwork, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager-controller deployment has correct dnsPolicy (.Values.controllerManager.dnsPolicy)", + Covers: []string{ + ".Values.controllerManager.dnsPolicy", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + controllerManagerDnsPolicyValue, _ := checker.RenderValue[corev1.DNSPolicy](tc, ".Values.controllerManager.dnsPolicy") + + expectedArg := controllerManagerDnsPolicyValue + + assert.Equal(tc.T, + expectedArg, podTemplateSpec.Spec.DNSPolicy, + "controllerManager-controller does not have correct DNSPolicy set. Expected: %v got: %v", + expectedArg, podTemplateSpec.Spec.DNSPolicy, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct priorityClassName (.Values.controllerManager.priorityClassName)", + Covers: []string{ + ".Values.controllerManager.priorityClassName", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + PriorityClassNameValue, _ := checker.RenderValue[string](tc, ".Values.controllerManager.priorityClassName") + + expectedArg := PriorityClassNameValue + + assert.Equal(tc.T, + expectedArg, podTemplateSpec.Spec.PriorityClassName, + "gatekeeper-controller-manager does not have correct priority class name set. Expected: %v got: %v", + expectedArg, podTemplateSpec.Spec.PriorityClassName, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-critical-pods resource quota has correct priorityClassName (.Values.controllerManager.priorityClassName)", + Covers: []string{ + ".Values.controllerManager.priorityClassName", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, resourceQuota *corev1.ResourceQuota) { + + if resourceQuota.Name != "gatekeeper-critical-pods" { + return + } + + PriorityClassNameValue, _ := checker.RenderValue[string](tc, ".Values.controllerManager.priorityClassName") + + expectedArg := PriorityClassNameValue + + assert.Equal(tc.T, + expectedArg, resourceQuota.Spec.ScopeSelector.MatchExpressions[0].Values[1], + "gatekeeper-controller-manager does not have correct priority class name set. Expected: %v got: %v", + expectedArg, resourceQuota.Spec.ScopeSelector.MatchExpressions[0].Values[1], + ) + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct readiness timeout (.Values.controllerManager.readinessTimeout)", + Covers: []string{ + ".Values.controllerManager.readinessTimeout", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerReadinessTimeoutValue, _ := checker.RenderValue[int](tc, ".Values.controllerManager.readinessTimeout") + + expectedAuditReadinessTimeout := int32(controllerManagerReadinessTimeoutValue) + + assert.Equal(tc.T, + expectedAuditReadinessTimeout, container.ReadinessProbe.TimeoutSeconds, + "container %s of obj %s does not have correct controllerManager.readinessTimeout argument, expected: %v, got: %v", + container.Name, obj.GetName(), expectedAuditReadinessTimeout, container.ReadinessProbe.TimeoutSeconds) + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct liveness timeout (.Values.controllerManager.livenessTimeout)", + Covers: []string{ + ".Values.controllerManager.livenessTimeout", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerLivenessTimeoutValue, _ := checker.RenderValue[int](tc, ".Values.controllerManager.livenessTimeout") + + expectedAuditLivenessTimeout := int32(controllerManagerLivenessTimeoutValue) + + assert.Equal(tc.T, + expectedAuditLivenessTimeout, container.LivenessProbe.TimeoutSeconds, + "container %s of obj %s does not have correct controllerManager.readinessTimeout argument, expected: %v, got: %v", + container.Name, obj.GetName(), expectedAuditLivenessTimeout, container.LivenessProbe.TimeoutSeconds) + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct port in container args and in container port (.Values.controllerManager.port)", + Covers: []string{ + ".Values.controllerManager.port", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerPortValue, ok := checker.RenderValue[int](tc, ".Values.controllerManager.port") + expectedContainerPortValue := container.Ports[0].ContainerPort + + expectedArg := fmt.Sprintf("--port=%d", controllerManagerPortValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManager.port argument", + container.Name, obj.GetName()) + } + + if ok { + found := false + + if controllerManagerPortValue == int(expectedContainerPortValue) { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct containerPort", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct metricsPort in container args and container port (.Values.controllerManager.metricsPort)", + Covers: []string{ + ".Values.controllerManager.metricsPort", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerMetricsPortValue, ok := checker.RenderValue[int](tc, ".Values.controllerManager.metricsPort") + expectedContainerMetricsPort := container.Ports[1].ContainerPort + + expectedArg := fmt.Sprintf("--prometheus-port=%d", controllerManagerMetricsPortValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManager.metricsPort argument", + container.Name, obj.GetName()) + } + + if ok { + found := false + + if controllerManagerMetricsPortValue == int(expectedContainerMetricsPort) { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct healthz containerPort", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct healthPort in container args and container port (.Values.controllerManager.healthPort)", + Covers: []string{ + ".Values.controllerManager.healthPort", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerHealthPortValue, ok := checker.RenderValue[int](tc, ".Values.controllerManager.healthPort") + + expectedLivenessProbePort := container.LivenessProbe.HTTPGet.Port + + expectedReadinessProbePort := container.ReadinessProbe.HTTPGet.Port + + expectedContainerHealthzPort := container.Ports[2].ContainerPort + + expectedArg := fmt.Sprintf("--health-addr=:%d", controllerManagerHealthPortValue) + + if ok { + found := false + + if controllerManagerHealthPortValue == int(expectedContainerHealthzPort) { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct healthz containerPort", + container.Name, obj.GetName()) + } + + if ok { + found := false + + if controllerManagerHealthPortValue == expectedLivenessProbePort.IntValue() { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct LivenessProbe Port", + container.Name, obj.GetName()) + } + + if ok { + found := false + + if controllerManagerHealthPortValue == expectedReadinessProbePort.IntValue() { + found = true + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct ReadinessProbe Port", + container.Name, obj.GetName()) + } + + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManager.healthPort argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct disable-cert-rotation arg set in container args (.Values.controllerManager.disableCertRotation)", + Covers: []string{ + ".Values.controllerManager.disableCertRotation", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerDisableCertRotationValue, ok := checker.RenderValue[bool](tc, ".Values.controllerManager.disableCertRotation") + + expectedArg := fmt.Sprintf("--disable-cert-rotation=%t", controllerManagerDisableCertRotationValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManagerDisableCertRotation argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controller-manager deployment has correct controllerManagerTlsMinVersion arg in container args (.Values.controllerManager.tlsMinVersion)", + Covers: []string{ + ".Values.controllerManager.tlsMinVersion", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerTlsMinVersionValue, ok := checker.RenderValue[int](tc, ".Values.controllerManager.tlsMinVersion") + + expectedArg := fmt.Sprintf("--tls-min-version=%d", controllerManagerTlsMinVersionValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManagerTlsMinVersion argument", + container.Name, obj.GetName()) + } + } + }), + }, + }, + + { + + Name: "Check controllerManager.affinity", + Covers: []string{ + ".Values.controllerManager.affinity", + }, + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + spec := podTemplateSpec.Spec + + auditAffinityAddedFromValues, _ := checker.RenderValue[*corev1.Affinity](tc, ".Values.controllerManager.affinity") + + expectedAffinity := auditAffinityAddedFromValues + assert.Equal(tc.T, + expectedAffinity, spec.Affinity, + "job %s does not have correct affinity: expected: %v, got: %v", + obj.GetName(), expectedAffinity, spec.Affinity) + }), + }, + }, + + { + Name: "Check controller-manager has correct SecurityContext as per given value", + Covers: []string{ + ".Values.controllerManager.securityContext", + }, + + Checks: test.Checks{ + + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + enableRuntimeDefaultSeccompProfileVal, _ := checker.RenderValue[bool](tc, "Values.enableRuntimeDefaultSeccompProfile") + + expected, _ := checker.RenderValue[*corev1.SecurityContext](tc, "Values.controllerManager.securityContext") + + if enableRuntimeDefaultSeccompProfileVal { + expected.SeccompProfile = &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + } + } + + assert.True(tc.T, + reflect.DeepEqual(expected, podTemplateSpec.Spec.Containers[0].SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + obj.GetName(), obj, expected, podTemplateSpec.Spec.Containers[0].SecurityContext, + ) + }), + }, + }, + + { + Name: "Check controllerManager has correct PodSecurityContext as per given value", + Covers: []string{ + ".Values.controllerManager.podSecurityContext", + }, + + Checks: test.Checks{ + + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + podSecurityContextAddedFromValues, _ := checker.RenderValue[*corev1.PodSecurityContext](tc, "Values.controllerManager.podSecurityContext") + + expectedPodSecurityContext := podSecurityContextAddedFromValues + + assert.True(tc.T, + reflect.DeepEqual(expectedPodSecurityContext, podTemplateSpec.Spec.SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + obj.GetName(), obj, expectedPodSecurityContext, podTemplateSpec.Spec.SecurityContext, + ) + }), + }, + }, + + { + Name: "Check gatekeeper-controllerManager-controller deployment has correct logFile (.Values.controllerManager.logFile)", + Covers: []string{ + ".Values.controllerManager.logFile", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerLogFileVal, ok := checker.RenderValue[string](tc, ".Values.controllerManager.logFile") + + expectedArg := fmt.Sprintf("--log-file=%s", controllerManagerLogFileVal) + if len(controllerManagerLogFileVal) > 0 { + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManager.logFile argument", + container.Name, obj.GetName()) + } + } + } + }), + }, + }, + + { + Name: "Check gatekeeper-controllerManager-controller deployment has correct clientCertName (.Values.controllerManager.clientCertName)", + Covers: []string{ + ".Values.controllerManager.clientCertName", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-controller-manager" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + controllerManagerClientCertNameVal, ok := checker.RenderValue[string](tc, ".Values.controllerManager.clientCertName") + + expectedArg := fmt.Sprintf("--client-cert-name=%s", controllerManagerClientCertNameVal) + if len(controllerManagerClientCertNameVal) > 0 { + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct controllerManager.clientCertName argument", + container.Name, obj.GetName()) + } + } + } + }), + }, + }, + + { + Name: "Check controllerManager.networkPolicy.enabled", + Covers: []string{ + ".Values.controllerManager.networkPolicy.enabled", + }, + + Checks: test.Checks{ + checker.OnResources(func(tc *checker.TestContext, networkPolicy []*networkingv1.NetworkPolicy) { + + enableNetworkPolicyVal, _ := checker.RenderValue[bool](tc, ".Values.controllerManager.networkPolicy.enabled") + + if enableNetworkPolicyVal { + found := false + for _, np := range networkPolicy { + if np.Name == "gatekeeper-controller-manager" { + found = true + } + } + + assert.True(tc.T, found, + "Incorrect controllerManager.networkPolicy configuration") + } + + }), + }, + }, + + // For .Values.crds + { + + Name: "Check crds.affinity", + Covers: []string{ + ".Values.crds.affinity", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-crds-hook" { + return + } + container := job.Spec.Template.Spec + + auditAffinityAddedFromValues, _ := checker.RenderValue[*corev1.Affinity](tc, ".Values.crds.affinity") + + expectedAffinity := auditAffinityAddedFromValues + assert.Equal(tc.T, + expectedAffinity, container.Affinity, + "job %s does not have correct affinity: expected: %v, got: %v", + job.Name, expectedAffinity, container.Affinity) + + }), + }, + }, + + { + Name: "Check crds has correct SecurityContext as per given value", + Covers: []string{ + ".Values.crds.securityContext", + }, + + Checks: test.Checks{ + + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-crds-hook" { + return + } + + container := job.Spec.Template.Spec.Containers[0] + + expected, _ := checker.RenderValue[*corev1.SecurityContext](tc, "Values.crds.securityContext") + enableRuntimeDefaultSeccompProfileVal, _ := checker.RenderValue[bool](tc, "Values.enableRuntimeDefaultSeccompProfile") + + if enableRuntimeDefaultSeccompProfileVal { + expected.SeccompProfile = &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + } + } + + assert.True(tc.T, + reflect.DeepEqual(expected, container.SecurityContext), + "workload %s (type: %T) does not have correct securityContext, expected: %v got: %v", + job.Name, job, expected, container.SecurityContext, + ) + }), + }, + }, + + { + Name: "Check crds resources", + Covers: []string{ + ".Values.crds.resources", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-crds-hook" { + return + } + + container := job.Spec.Template.Spec + + ok := assert.Equal(tc.T, 1, len(container.Containers), + "deployment %s does not have correct number of container: expected: %d, got: %d", + job.Name, 1, len(container.Containers)) + + if !ok { + return + } + + expectedResourceReq, _ := checker.RenderValue[corev1.ResourceRequirements](tc, ".Values.crds.resources") + + assert.Equal(tc.T, + expectedResourceReq, container.Containers[0].Resources, + "container %s of deployment %s does not have correct resources constraint: expected: %v, got: %v", + container.Containers[0].Name, job.Name, expectedResourceReq, container.Containers[0].Resources) + + }), + }, + }, + + // For Values.pdb + + { + Name: "Check controller manager minAvailable pdb", + Covers: []string{ + ".Values.pdb.controllerManager.minAvailable", + }, + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, policy *policyv1.PodDisruptionBudget) { + + if policy.Name != "gatekeeper-controller-manager" { + return + } + + expectedPdbValue, _ := checker.RenderValue[int](tc, ".Values.pdb.controllerManager.minAvailable") + + assert.Equal(tc.T, + expectedPdbValue, policy.Spec.MinAvailable, + "policy %s does not have correct minAvailable value set for pdb: %v, got: %v", + policy.Name, expectedPdbValue, policy.Spec.MinAvailable) + }), + }, + }, + { + + Name: "PSPs Are Created And Referenced As Per .Values.global.cattle.psp.enabled field", + Covers: []string{ + ".Values.global.cattle.psp.enabled", + }, + Checks: common.EnsurePSPsExist(1), + }, + + { + Name: "Check gatekeeper-audit-controller deployment has correct externalCertInjection Args (.Values.externalCertInjection.enabled)", + Covers: []string{ + ".Values.externalCertInjection.enabled", + }, + + Checks: test.Checks{ + checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + if obj.GetName() != "gatekeeper-audit" { + return + } + + assert.Equal(tc.T, + 1, len(podTemplateSpec.Spec.Containers), + "obj %s does not have correct number of containers, expected: %v got: %v", + obj.GetName(), 1, len(podTemplateSpec.Spec.Containers), + ) + + if len(podTemplateSpec.Spec.Containers) > 0 { + container := podTemplateSpec.Spec.Containers[0] + + externalCertInjectionValue, ok := checker.RenderValue[int](tc, ".Values.externalCertInjection.enabled") + + expectedArg := fmt.Sprintf("--disable-cert-rotation=%d", externalCertInjectionValue) + if ok { + found := false + + for _, arg := range container.Args { + if arg == expectedArg { + found = true + } + } + + assert.True(tc.T, found, + "container %s of obj %s does not have correct externalCertInjection argument", + container.Name, obj.GetName()) + } + + } + }), + }, + }, + + { + Name: "Check gatekeeper images and systemDefaultRegistry value", + Covers: []string{ + ".Values.images.gatekeeper.repository", + ".Values.images.gatekeeper.tag", + ".Values.global.cattle.systemDefaultRegistry", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.Name != "gatekeeper-audit" { + return + } + + ok := assert.Equal(tc.T, 1, len(deployment.Spec.Template.Spec.Containers), + "deployment %s does not have correct number of containers: expected: %d, got: %d", + deployment.Name, 1, len(deployment.Spec.Template.Spec.Containers)) + if !ok { + return + } + + container := deployment.Spec.Template.Spec.Containers[0] + systemDefaultRegistry := common.GetSystemDefaultRegistry(tc) + + gatekeeperRepo, _ := checker.RenderValue[string](tc, ".Values.images.gatekeeper.repository") + gatekeeperTag, _ := checker.RenderValue[string](tc, ".Values.images.gatekeeper.tag") + + containerImage := gatekeeperRepo + ":" + gatekeeperTag + + expectedContainerImage := systemDefaultRegistry + containerImage + assert.Equal(tc.T, + expectedContainerImage, container.Image, + "container %s of deployement %s does not have correct image: expected: %v got: %v", + container.Name, deployment.Name, expectedContainerImage, container.Image) + }), + }, + }, + + { + Name: "Check gatekeepercrd images value", + Covers: []string{ + ".Values.images.gatekeepercrd.repository", + ".Values.images.gatekeepercrd.tag", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-audit" { + return + } + + ok := assert.Equal(tc.T, 1, len(job.Spec.Template.Spec.Containers), + "job %s does not have correct number of containers: expected: %d, got: %d", + job.Name, 1, len(job.Spec.Template.Spec.Containers)) + if !ok { + return + } + + container := job.Spec.Template.Spec.Containers[0] + systemDefaultRegistry := common.GetSystemDefaultRegistry(tc) + + gatekeeperRepo, _ := checker.RenderValue[string](tc, ".Values.images.gatekeepercrd.repository") + gatekeeperTag, _ := checker.RenderValue[string](tc, ".Values.images.gatekeepercrd.tag") + + containerImage := gatekeeperRepo + ":" + gatekeeperTag + + expectedContainerImage := systemDefaultRegistry + containerImage + assert.Equal(tc.T, + expectedContainerImage, container.Image, + "container %s of deployement %s does not have correct image: expected: %v got: %v", + container.Name, job.Name, expectedContainerImage, container.Image) + }), + }, + }, + + { + Name: "Check that audit-controller deployment containers have correct imagePullPolicy", + Covers: []string{ + ".Values.images.pullPolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.Name != "gatekeeper-audit" { + return + } + + expectedImagePullPolicy, exists := checker.RenderValue[corev1.PullPolicy](tc, ".Values.images.pullPolicy") + + if exists { + for _, container := range deployment.Spec.Template.Spec.Containers { + + assert.Equal(tc.T, + expectedImagePullPolicy, container.ImagePullPolicy, + "container %s of deployment %s does not have correct imagePullPolicy: expected: %v got: %v", + container.Name, deployment.Name, expectedImagePullPolicy, container.ImagePullPolicy) + } + } + }), + }, + }, + + { + Name: "Check that audit controller job has correct imagePullSecrets", + Covers: []string{ + ".Values.images.pullSecrets", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.Name != "gatekeeper-audit" { + return + } + + expectedImagePullSecrets, _ := checker.RenderValue[[]corev1.LocalObjectReference](tc, ".Values.images.pullSecrets") + + if len(expectedImagePullSecrets) == 0 { + expectedImagePullSecrets = nil + } + + assert.Equal(tc.T, + expectedImagePullSecrets, deployment.Spec.Template.Spec.ImagePullSecrets, + "deployment %s does not have correct image: expected: %v got: %v", + deployment.Name, expectedImagePullSecrets, deployment.Spec.Template.Spec.ImagePullSecrets) + }), + }, + }, + + { + Name: "Check controllerManager deployment has correct annotations (.Values.podAnnotations)", + Covers: []string{ + ".Values.podAnnotations", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.GetName() != "gatekeeper-controller-manager" { + return + } + + expectedPodAnnotations, _ := checker.RenderValue[map[string]string](tc, ".Values.podAnnotations") + + deployementAnnotationVal := deployment.Spec.Template.Annotations + + args := make(map[string]bool) + + for _, s := range deployementAnnotationVal { + args[s] = true + } + + allExist := true + + for _, s := range expectedPodAnnotations { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "deployment %s container does not have correct Annotations", deployment.Name) + }), + }, + }, + + { + Name: "Check controllerManager deployment has correct labels (.Values.podLabels)", + Covers: []string{ + ".Values.podLabels", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, deployment *appsv1.Deployment) { + + if deployment.GetName() != "gatekeeper-controller-manager" { + return + } + + expectedPodLabels, _ := checker.RenderValue[map[string]string](tc, ".Values.podLabels") + + deployementLabelsVal := deployment.Spec.Template.Labels + + args := make(map[string]bool) + + for _, s := range deployementLabelsVal { + args[s] = true + } + + allExist := true + + for _, s := range expectedPodLabels { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "deployment %s container does not have correct labels", deployment.Name) + }), + }, + }, + + { + Name: "Check that update-namespace-label job volume has correct secret name", + Covers: []string{ + ".Values.externalCertInjection.secretName", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + if job.Name != "gatekeeper-update-namespace-label" { + return + } + + probeWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.postInstall.probeWebhook.enabled") + + if !probeWebhookEnabled { + return + } + + expectedexternalCertInjectionSecretName, _ := checker.RenderValue[string](tc, ".Values.externalCertInjection.secretName") + volumes := job.Spec.Template.Spec.Volumes[0] + assert.Equal(tc.T, + expectedexternalCertInjectionSecretName, volumes.Secret.SecretName, + "job %s volume does not have correct secret: expected: %v got: %v", + job.Name, expectedexternalCertInjectionSecretName, volumes.Secret.SecretName) + }), + }, + }, + + // { + // Name: "Check audit resources", + // Covers: []string{ + // ".Values.audit.resources", + // }, + // Checks: test.Checks{ + // checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + // // if !checker.Select("gatekeeper-audit", DefaultNamespace, obj) { + // // return + // // } + + // if obj.GetName() != "gatekeeper-audit" { + // return + // } + + // containers := podTemplateSpec.Spec.Containers + + // ok := assert.Equal(tc.T, 1, len(containers), + // "deployment %s does not have correct number of container: expected: %d, got: %d", + // podTemplateSpec.Name, 1, len(containers)) + + // if !ok { + // return + // } + + // expectedResourceReq, _ := checker.RenderValue[corev1.ResourceRequirements](tc, ".Values.audit.resources") + + // assert.Equal(tc.T, + // expectedResourceReq, containers[0].Resources, + // "container %s of deployment %s does not have correct resources constraint: expected: %v, got: %v", + // containers[0].Name, podTemplateSpec.Name, expectedResourceReq, containers[0].Resources) + + // }), + // }, + // }, + + // { + // Name: "Check gatekeeper-audit-controller deployment has correct resources (.Values.audit.resources)", + // Covers: []string{ + // ".Values.audit.resources", + // }, + + // Checks: test.Checks{ + // checker.PerWorkload(func(tc *checker.TestContext, obj metav1.Object, podTemplateSpec corev1.PodTemplateSpec) { + + // if obj.GetName() != "gatekeeper-audit" { + // return + // } + + // container := podTemplateSpec.Spec + + // assert.Equal(tc.T, + // 1, len(container.Containers), + // "obj %s does not have correct number of containers, expected: %v got: %v", + // obj.GetName(), 1, len(container.Containers), + // ) + + // ok := assert.Equal(tc.T, 1, len(container.Containers), + // "deployment %s does not have correct number of container: expected: %d, got: %d", + // podTemplateSpec.Name, 1, len(container.Containers)) + + // if !ok { + // return + // } + + // expectedResourceReq, _ := checker.RenderValue[corev1.ResourceRequirements](tc, ".Values.audit.resources") + + // assert.Equal(tc.T, + // expectedResourceReq, container.Containers[0].Resources, + // "container %s of deployment %s does not have correct resources constraint: expected: %v, got: %v", + // container.Containers[0].Name, podTemplateSpec.Name, expectedResourceReq, container.Containers[0].Resources) + // }), + // }, + // }, + + { + Name: "Check Values.nameOverride", + Covers: []string{ + ".Values.nameOverride", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, psp *policyv1.PodSecurityPolicy) { + + if psp.Name != "gatekeeper-admin" { + return + } + + nameOverrideVal, ok := checker.RenderValue[string](tc, ".Values.nameOverride") + + expectedLabel := fmt.Sprintf("app: %s", nameOverrideVal) + + if ok { + found := false + + for _, arg := range psp.ObjectMeta.Labels { + if arg == expectedLabel { + found = true + } + } + + assert.True(tc.T, found, + "Policy %s does not have correct labels", + psp.Name) + } + }), + }, + }, + + { + Name: "Check upgradeCRDs.enabled", + Covers: []string{ + ".Values.upgradeCRDs.enabled", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, clusterRole *rbacv1.ClusterRole) { + + upgradeCRDsVal, _ := checker.RenderValue[bool](tc, ".Values.upgradeCRDs.enabled") + + if upgradeCRDsVal { + found := false + + if clusterRole.Name == "gatekeeper-admin-upgrade-crds" { + found = true + } + + assert.True(tc.T, found, + "Incorrect upgradeCRDs") + } + + }), + }, + }, + + { + Name: "Check rbac.create", + Covers: []string{ + ".Values.rbac.create", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, clusterRole *rbacv1.ClusterRole) { + + rbacCreateVal, _ := checker.RenderValue[bool](tc, ".Values.rbac.create") + + if rbacCreateVal { + found := false + + if clusterRole.Name == "gatekeeper-manager-role" { + found = true + } + + assert.True(tc.T, found, + "Incorrect rbac configuration") + } + }), + }, + }, + + // For Validating Webhooks + + { + Name: "Check disableValidatingWebhook", + Covers: []string{ + ".Values.disableValidatingWebhook", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + disableValidatingWebhookVal, _ := checker.RenderValue[bool](tc, ".Values.disableValidatingWebhook") + + if !disableValidatingWebhookVal { + found := false + if validatingWebhook.Webhooks[0].Name == "gatekeeper-validating-webhook-configuration" { + found = true + } + + assert.True(tc.T, found, + "Webhook %s has incorrect disableValidatingWebhook configuration", validatingWebhook.Webhooks[0].Name) + } + }), + }, + }, + + // { + // Name: "Check validatingWebhookObjectSelector", + // Covers: []string{ + // ".Values.validatingWebhookObjectSelector", + // }, + + // Checks: test.Checks{ + // checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + // disableValidatingWebhookVal, _ := checker.RenderValue[bool](tc, ".Values.disableValidatingWebhook") + + // if disableValidatingWebhookVal { + // return + // } + + // webhookSpec := validatingWebhook.Webhooks[0] + // validatingWebhookObjectSelectorVal, _ := checker.RenderValue[*metav1.LabelSelector](tc, ".Values.validatingWebhookObjectSelector") + // expectedObjectSelectorVal := webhookSpec.ObjectSelector + + // for _, ls := range expectedObjectSelectorVal { + // if metav1.LabelSelectorEquals(&selector, &ls) { + // fmt.Println("Found matching label selector:", ls) + // break + // } + // } + + // }), + // }, + // }, + + { + Name: "Check validatingWebhookTimeoutSeconds", + Covers: []string{ + ".Values.validatingWebhookTimeoutSeconds", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + validatingWebhookTimeoutSecondsVal, _ := checker.RenderValue[int32](tc, ".Values.validatingWebhookTimeoutSeconds") + webhookSpec := validatingWebhook.Webhooks[0] + assert.Equal(tc.T, validatingWebhookTimeoutSecondsVal, webhookSpec.TimeoutSeconds, + "Webhook %s has incorrect timeoutseconds. Expected: %v, got: %v", + webhookSpec.Name, validatingWebhookTimeoutSecondsVal, webhookSpec.TimeoutSeconds) + + }), + }, + }, + + { + Name: "Check validatingWebhookFailurePolicy", + Covers: []string{ + ".Values.validatingWebhookFailurePolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + validatingWebhookFailurePolicyVal, _ := checker.RenderValue[admissionregistration.FailurePolicyType](tc, ".Values.validatingWebhookFailurePolicy") + webhookSpec := validatingWebhook.Webhooks[0] + assert.Equal(tc.T, validatingWebhookFailurePolicyVal, webhookSpec.FailurePolicy, + "Webhook %s has incorrect timeoutseconds. Expected: %v, got: %v", + webhookSpec.Name, validatingWebhookFailurePolicyVal, webhookSpec.FailurePolicy) + + }), + }, + }, + + { + Name: "Check Validating Webhook configuration has correct annotations (.Values.validatingWebhookAnnotations)", + Covers: []string{ + ".Values.validatingWebhookAnnotations", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + expectedvalidatingWebhookAnnotations, _ := checker.RenderValue[map[string]string](tc, ".Values.validatingWebhookAnnotations") + + webhookAnnotationVal := validatingWebhook.ObjectMeta.Annotations + + args := make(map[string]bool) + + for _, s := range webhookAnnotationVal { + args[s] = true + } + + allExist := true + + for _, s := range expectedvalidatingWebhookAnnotations { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "Validating Webhook %s container does not have correct Annotations", validatingWebhook.Name) + }), + }, + }, + + { + Name: "Check validatingWebhookCheckIgnoreFailurePolicy", + Covers: []string{ + ".Values.validatingWebhookCheckIgnoreFailurePolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + validatingWebhookCheckIgnoreFailurePolicyVal, _ := checker.RenderValue[admissionregistration.FailurePolicyType](tc, ".Values.validatingWebhookCheckIgnoreFailurePolicy") + webhookSpec := validatingWebhook.Webhooks[1] + assert.Equal(tc.T, validatingWebhookCheckIgnoreFailurePolicyVal, webhookSpec.FailurePolicy, + "Webhook %s has incorrect timeoutseconds. Expected: %v, got: %v", + webhookSpec.Name, validatingWebhookCheckIgnoreFailurePolicyVal, webhookSpec.FailurePolicy) + + }), + }, + }, + { + Name: "Check enableDeleteOperations", + Covers: []string{ + ".Values.enableDeleteOperations", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, validatingWebhook *admissionregistration.ValidatingWebhookConfiguration) { + + enableDeleteOperationsVal, _ := checker.RenderValue[bool](tc, ".Values.enableDeleteOperations") + + if enableDeleteOperationsVal { + found := false + if validatingWebhook.Webhooks[0].Name == "gatekeeper-validating-webhook-configuration" { + found = true + } + + assert.True(tc.T, found, + "Webhook %s has incorrect enableDeleteOperations configuration", validatingWebhook.Webhooks[0].Name) + } + }), + }, + }, + + // For mutating webhooks + { + Name: "Check mutatingWebhookFailurePolicy", + Covers: []string{ + ".Values.mutatingWebhookFailurePolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, mutatingWebhook *admissionregistration.MutatingWebhookConfiguration) { + + mutatingWebhookFailurePolicyVal, _ := checker.RenderValue[admissionregistration.FailurePolicyType](tc, ".Values.mutatingWebhookFailurePolicy") + webhookSpec := mutatingWebhook.Webhooks[0] + assert.Equal(tc.T, mutatingWebhookFailurePolicyVal, webhookSpec.FailurePolicy, + "Webhook %s has incorrect timeoutseconds. Expected: %v, got: %v", + webhookSpec.Name, mutatingWebhookFailurePolicyVal, webhookSpec.FailurePolicy) + }), + }, + }, + + { + Name: "Check mutatingWebhookReinvocationPolicy", + Covers: []string{ + ".Values.mutatingWebhookReinvocationPolicy", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, mutatingWebhook *admissionregistration.MutatingWebhookConfiguration) { + + mutatingWebhookReinvocationPolicyVal, _ := checker.RenderValue[admissionregistration.ReinvocationPolicyType](tc, ".Values.mutatingWebhookReinvocationPolicy") + webhookSpec := mutatingWebhook.Webhooks[0] + assert.Equal(tc.T, mutatingWebhookReinvocationPolicyVal, webhookSpec.ReinvocationPolicy, + "Webhook %s has incorrect timeoutseconds. Expected: %v, got: %v", + webhookSpec.Name, mutatingWebhookReinvocationPolicyVal, webhookSpec.ReinvocationPolicy) + }), + }, + }, + { + Name: "Check Validating Webhook configuration has correct annotations (.Values.mutatingWebhookAnnotations)", + Covers: []string{ + ".Values.mutatingWebhookAnnotations", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, mutatingWebhook *admissionregistration.MutatingWebhookConfiguration) { + + expectedMutatingWebhookAnnotations, _ := checker.RenderValue[map[string]string](tc, ".Values.mutatingWebhookAnnotations") + + webhookAnnotationVal := mutatingWebhook.ObjectMeta.Annotations + + args := make(map[string]bool) + + for _, s := range webhookAnnotationVal { + args[s] = true + } + + allExist := true + + for _, s := range expectedMutatingWebhookAnnotations { + if _, ok := args[s]; !ok { + allExist = false + break + } + } + assert.True(tc.T, allExist, + "Validating Webhook %s container does not have correct Annotations", mutatingWebhook.Name) + }), + }, + }, + { + Name: "Check mutatingWebhookTimeoutSeconds", + Covers: []string{ + ".Values.mutatingWebhookTimeoutSeconds", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, mutatingWebhook *admissionregistration.MutatingWebhookConfiguration) { + + mutatingWebhookTimeoutSecondsVal, _ := checker.RenderValue[int32](tc, ".Values.mutatingWebhookTimeoutSeconds") + webhookSpec := mutatingWebhook.Webhooks[0] + assert.Equal(tc.T, mutatingWebhookTimeoutSecondsVal, webhookSpec.TimeoutSeconds, + "Webhook %s has incorrect timeoutseconds. Expected: %v, got: %v", + webhookSpec.Name, mutatingWebhookTimeoutSecondsVal, webhookSpec.TimeoutSeconds) + + }), + }, + }, + + { + Name: "Check preUninstall.deleteWebhookConfigurations.enabled", + Covers: []string{ + ".Values.preUninstall.deleteWebhookConfigurations.enabled", + }, + + Checks: test.Checks{ + checker.PerResource(func(tc *checker.TestContext, job *batchv1.Job) { + + disableValidatingWebhookEnabled, _ := checker.RenderValue[bool](tc, ".Values.disableValidatingWebhook") + disableMutationEnabled, _ := checker.RenderValue[bool](tc, ".Values.disableMutation") + deleteWebhookConfigurationsEnabled, _ := checker.RenderValue[bool](tc, ".Values.preUninstall.deleteWebhookConfigurations.enabled") + + if (!disableValidatingWebhookEnabled || !disableMutationEnabled) && deleteWebhookConfigurationsEnabled { + found := false + if job.Name == "gatekeeper-delete-webhook-configs" { + fmt.Println("job found") + + found = true + } + + assert.True(tc.T, found, + "Incorrect preUninstall deleteWebhook configuration") + } + + }), + }, }, }, } diff --git a/tests/rancher-gatekeeper/rancher-gatekeeper-test.go b/tests/rancher-gatekeeper/rancher-gatekeeper_test.go similarity index 86% rename from tests/rancher-gatekeeper/rancher-gatekeeper-test.go rename to tests/rancher-gatekeeper/rancher-gatekeeper_test.go index b75496e6527..4348717e502 100644 --- a/tests/rancher-gatekeeper/rancher-gatekeeper-test.go +++ b/tests/rancher-gatekeeper/rancher-gatekeeper_test.go @@ -3,7 +3,7 @@ package rancher_gatekeeper import ( "testing" - "github.com/aiyengar2/hull/pkg/test" + "github.com/rancher/hull/pkg/test" ) func TestChart(t *testing.T) { diff --git a/tests/rancher-gatekeeper/testdata.go b/tests/rancher-gatekeeper/testdata.go index 10e3f91d8f6..1b5abaa9079 100644 --- a/tests/rancher-gatekeeper/testdata.go +++ b/tests/rancher-gatekeeper/testdata.go @@ -3,6 +3,7 @@ package rancher_gatekeeper import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) // for Values.nodeSelector @@ -58,18 +59,69 @@ var testAffinity = &corev1.Affinity{ }, } -// podSecurityLabels -var defaultPodSecurityLabels = map[string]string{ - "pod-security.kubernetes.io/audit": "restricted", - "pod-security.kubernetes.io/audit-version": "latest", - "pod-security.kubernetes.io/warn": "restricted", - "pod-security.kubernetes.io/warn-version": "latest", - "pod-security.kubernetes.io/enforce": "restricted", - "pod-security.kubernetes.io/enforce-version": "v1.24", +var testDeploymentAffinity = &corev1.Affinity{ + PodAntiAffinity: &corev1.PodAntiAffinity{ + PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{ + { + PodAffinityTerm: corev1.PodAffinityTerm{ + LabelSelector: &v1.LabelSelector{ + MatchExpressions: []v1.LabelSelectorRequirement{ + { + Key: "test", + Operator: v1.LabelSelectorOpIn, + Values: []string{"test"}, + }, + }, + }, + TopologyKey: "testTopologyKey", + }, + }, + }, + }, } -var testPodSecurityLabels = map[string]string{ - "test": "testVal", +var testValidatingWebhookObjectSelector = &v1.LabelSelector{ + MatchExpressions: []v1.LabelSelectorRequirement{ + { + Key: "test", + Operator: v1.LabelSelectorOpIn, + Values: []string{"test"}, + }, + }, +} + +var allowPrivilegeEscalationVal bool = false +var readOnlyRootFilesystemVal bool = true +var runAsGroupVal int64 = 999 +var runAsNonRootVal bool = true +var runAsUserVal int64 = 1000 + +var testSecurityContext = &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"All"}, + }, + AllowPrivilegeEscalation: &allowPrivilegeEscalationVal, + ReadOnlyRootFilesystem: &readOnlyRootFilesystemVal, + RunAsGroup: &runAsGroupVal, + RunAsNonRoot: &runAsNonRootVal, + RunAsUser: &runAsUserVal, +} + +var fsGroupsVal int64 = 1000 +var supplementalGroupsVal = []int64{1000} +var testPodSecurityContext = &corev1.PodSecurityContext{ + FSGroup: &fsGroupsVal, + SupplementalGroups: supplementalGroupsVal, +} + +// podSecurityLabels +var testPodSecurityLabels = []string{ + "pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24", } // for Values.resources @@ -84,19 +136,57 @@ var testResources = corev1.ResourceRequirements{ }, } +// var testResources = corev1.ResourceRequirements{ +// Limits: corev1.ResourceList{ +// corev1.ResourceCPU: +// }, +// } + +var testWebhookAnnotations = map[string]string{ + "test/annotation": "annotationVal", + "test/annotation2": "annotationVal2", +} + // for Values.podAnnotation var testPodAnnotation = map[string]string{ - "test": "testVal", + "test/annotation": "annotationVal", + "test/annotation2": "annotationVal2", } -// for Values.controllerManager.exepmtNamespaces +var testPodLabels = map[string]string{ + "test/label1": "labelVal1", + "test/label2": "labelVal2", +} -var testExemptNamespaces = []string{ +var testExtraNamespaces = []string{ "test-ns1", "test-ns2", - "test-ns3", +} + +// for Values.controllerManager + +var testExemptNamespaces = []string{ + "testExempt-ns1", + "testExempt-ns2", + "testExempt-ns3", +} + +var testExemptNamespacesPrefixes = []string{ + "testExemptNamespacesPrefixesNs1", + "testExemptNamespacesPrefixesnsNs2", + "testExemptNamespacesPrefixesnsNs3", } var defaultExemptNamespace = []string{ "default", } + +var testMetricsBackend = []string{ + "default", +} + +var testPullSecrets = []corev1.LocalObjectReference{ + { + Name: "testSecret", + }, +}