diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 14:34:42 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 14:34:42 +0000 |
| commit | 9f46488805e86b1bc341ea1620b866016c2ce5ed (patch) | |
| tree | f9748c7e287041e37d6da49e0a29c9511dc34768 /spec/lib/gitlab/kubernetes | |
| parent | dfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff) | |
| download | gitlab-ce-9f46488805e86b1bc341ea1620b866016c2ce5ed.tar.gz | |
Add latest changes from gitlab-org/gitlab@13-0-stable-ee
Diffstat (limited to 'spec/lib/gitlab/kubernetes')
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/api_spec.rb | 25 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/base_command_spec.rb | 80 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/delete_command_spec.rb | 41 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/init_command_spec.rb | 73 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/install_command_spec.rb | 84 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/parsers/list_v2_spec.rb | 100 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb | 68 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/pod_spec.rb | 2 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/reset_command_spec.rb | 33 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/kube_client_spec.rb | 108 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/network_policy_spec.rb | 224 |
11 files changed, 499 insertions, 339 deletions
diff --git a/spec/lib/gitlab/kubernetes/helm/api_spec.rb b/spec/lib/gitlab/kubernetes/helm/api_spec.rb index 8147990ecc3..1f925fd45af 100644 --- a/spec/lib/gitlab/kubernetes/helm/api_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/api_spec.rb @@ -92,7 +92,6 @@ describe Gitlab::Kubernetes::Helm::API do allow(client).to receive(:get_config_map).and_return(nil) allow(client).to receive(:create_config_map).and_return(nil) allow(client).to receive(:create_service_account).and_return(nil) - allow(client).to receive(:create_cluster_role_binding).and_return(nil) allow(client).to receive(:delete_pod).and_return(nil) allow(namespace).to receive(:ensure_exists!).once end @@ -136,7 +135,7 @@ describe Gitlab::Kubernetes::Helm::API do context 'without a service account' do it 'does not create a service account on kubeclient' do expect(client).not_to receive(:create_service_account) - expect(client).not_to receive(:create_cluster_role_binding) + expect(client).not_to receive(:update_cluster_role_binding) subject.install(command) end @@ -160,15 +159,14 @@ describe Gitlab::Kubernetes::Helm::API do ) end - context 'service account and cluster role binding does not exist' do + context 'service account does not exist' do before do expect(client).to receive(:get_service_account).with('tiller', 'gitlab-managed-apps').and_raise(Kubeclient::ResourceNotFoundError.new(404, 'Not found', nil)) - expect(client).to receive(:get_cluster_role_binding).with('tiller-admin').and_raise(Kubeclient::ResourceNotFoundError.new(404, 'Not found', nil)) end it 'creates a service account, followed the cluster role binding on kubeclient' do expect(client).to receive(:create_service_account).with(service_account_resource).once.ordered - expect(client).to receive(:create_cluster_role_binding).with(cluster_role_binding_resource).once.ordered + expect(client).to receive(:update_cluster_role_binding).with(cluster_role_binding_resource).once.ordered subject.install(command) end @@ -177,21 +175,6 @@ describe Gitlab::Kubernetes::Helm::API do context 'service account already exists' do before do expect(client).to receive(:get_service_account).with('tiller', 'gitlab-managed-apps').and_return(service_account_resource) - expect(client).to receive(:get_cluster_role_binding).with('tiller-admin').and_raise(Kubeclient::ResourceNotFoundError.new(404, 'Not found', nil)) - end - - it 'updates the service account, followed by creating the cluster role binding' do - expect(client).to receive(:update_service_account).with(service_account_resource).once.ordered - expect(client).to receive(:create_cluster_role_binding).with(cluster_role_binding_resource).once.ordered - - subject.install(command) - end - end - - context 'service account and cluster role binding already exists' do - before do - expect(client).to receive(:get_service_account).with('tiller', 'gitlab-managed-apps').and_return(service_account_resource) - expect(client).to receive(:get_cluster_role_binding).with('tiller-admin').and_return(cluster_role_binding_resource) end it 'updates the service account, followed by creating the cluster role binding' do @@ -216,7 +199,7 @@ describe Gitlab::Kubernetes::Helm::API do context 'legacy abac cluster' do it 'does not create a service account on kubeclient' do expect(client).not_to receive(:create_service_account) - expect(client).not_to receive(:create_cluster_role_binding) + expect(client).not_to receive(:update_cluster_role_binding) subject.install(command) end diff --git a/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb index a11a9d08503..2a4a911cf38 100644 --- a/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb @@ -3,6 +3,10 @@ require 'spec_helper' describe Gitlab::Kubernetes::Helm::BaseCommand do + subject(:base_command) do + test_class.new(rbac) + end + let(:application) { create(:clusters_applications_helm) } let(:rbac) { false } @@ -30,87 +34,17 @@ describe Gitlab::Kubernetes::Helm::BaseCommand do end end - let(:base_command) do - test_class.new(rbac) - end - - subject { base_command } - - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) { '' } end - describe '#pod_resource' do - subject { base_command.pod_resource } - - it 'returns a kubeclient resoure with pod content for application' do - is_expected.to be_an_instance_of ::Kubeclient::Resource - end - - context 'when rbac is true' do - let(:rbac) { true } - - it 'also returns a kubeclient resource' do - is_expected.to be_an_instance_of ::Kubeclient::Resource - end - end - end - describe '#pod_name' do subject { base_command.pod_name } it { is_expected.to eq('install-test-class-name') } end - describe '#service_account_resource' do - let(:resource) do - Kubeclient::Resource.new(metadata: { name: 'tiller', namespace: 'gitlab-managed-apps' }) - end - - subject { base_command.service_account_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a Kubeclient resource for the tiller ServiceAccount' do - is_expected.to eq(resource) - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it 'generates nothing' do - is_expected.to be_nil - end - end - end - - describe '#cluster_role_binding_resource' do - let(:resource) do - Kubeclient::Resource.new( - metadata: { name: 'tiller-admin' }, - roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' }, - subjects: [{ kind: 'ServiceAccount', name: 'tiller', namespace: 'gitlab-managed-apps' }] - ) - end - - subject { base_command.cluster_role_binding_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a Kubeclient resource for the ClusterRoleBinding for tiller' do - is_expected.to eq(resource) - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it 'generates nothing' do - is_expected.to be_nil - end - end + it_behaves_like 'helm command' do + let(:command) { base_command } end end diff --git a/spec/lib/gitlab/kubernetes/helm/delete_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/delete_command_spec.rb index 82e15864687..95d60c18d56 100644 --- a/spec/lib/gitlab/kubernetes/helm/delete_command_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/delete_command_spec.rb @@ -3,14 +3,13 @@ require 'spec_helper' describe Gitlab::Kubernetes::Helm::DeleteCommand do + subject(:delete_command) { described_class.new(name: app_name, rbac: rbac, files: files) } + let(:app_name) { 'app-name' } let(:rbac) { true } let(:files) { {} } - let(:delete_command) { described_class.new(name: app_name, rbac: rbac, files: files) } - - subject { delete_command } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -26,7 +25,7 @@ describe Gitlab::Kubernetes::Helm::DeleteCommand do stub_feature_flags(managed_apps_local_tiller: false) end - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS helm init --upgrade @@ -48,7 +47,7 @@ describe Gitlab::Kubernetes::Helm::DeleteCommand do EOS end - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS helm init --upgrade @@ -67,29 +66,19 @@ describe Gitlab::Kubernetes::Helm::DeleteCommand do end end - describe '#pod_resource' do - subject { delete_command.pod_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a pod that uses the tiller serviceAccountName' do - expect(subject.spec.serviceAccountName).to eq('tiller') - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it 'generates a pod that uses the default serviceAccountName' do - expect(subject.spec.serviceAcccountName).to be_nil - end - end - end - describe '#pod_name' do subject { delete_command.pod_name } it { is_expected.to eq('uninstall-app-name') } end + + it_behaves_like 'helm command' do + let(:command) { delete_command } + end + + describe '#delete_command' do + it 'deletes the release' do + expect(subject.delete_command).to eq('helm delete --purge app-name') + end + end end diff --git a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb index 13021a08f9f..05d9b63d12b 100644 --- a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb @@ -3,25 +3,24 @@ require 'spec_helper' describe Gitlab::Kubernetes::Helm::InitCommand do + subject(:init_command) { described_class.new(name: application.name, files: files, rbac: rbac) } + let(:application) { create(:clusters_applications_helm) } let(:rbac) { false } let(:files) { {} } - let(:init_command) { described_class.new(name: application.name, files: files, rbac: rbac) } - let(:commands) do - <<~EOS - helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem - EOS + it_behaves_like 'helm command generator' do + let(:commands) do + <<~EOS + helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem + EOS + end end - subject { init_command } - - it_behaves_like 'helm commands' - context 'on a rbac-enabled cluster' do let(:rbac) { true } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem --service-account tiller @@ -30,57 +29,7 @@ describe Gitlab::Kubernetes::Helm::InitCommand do end end - describe '#rbac?' do - subject { init_command.rbac? } - - context 'rbac is enabled' do - let(:rbac) { true } - - it { is_expected.to be_truthy } - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it { is_expected.to be_falsey } - end - end - - describe '#config_map_resource' do - let(:metadata) do - { - name: 'values-content-configuration-helm', - namespace: 'gitlab-managed-apps', - labels: { name: 'values-content-configuration-helm' } - } - end - - let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: files) } - - subject { init_command.config_map_resource } - - it 'returns a KubeClient resource with config map content for the application' do - is_expected.to eq(resource) - end - end - - describe '#pod_resource' do - subject { init_command.pod_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a pod that uses the tiller serviceAccountName' do - expect(subject.spec.serviceAccountName).to eq('tiller') - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it 'generates a pod that uses the default serviceAccountName' do - expect(subject.spec.serviceAcccountName).to be_nil - end - end + it_behaves_like 'helm command' do + let(:command) { init_command } end end diff --git a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb index a5ed8f57bf3..abd29e97505 100644 --- a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb @@ -3,14 +3,7 @@ require 'spec_helper' describe Gitlab::Kubernetes::Helm::InstallCommand do - let(:files) { { 'ca.pem': 'some file content' } } - let(:repository) { 'https://repository.example.com' } - let(:rbac) { false } - let(:version) { '1.2.3' } - let(:preinstall) { nil } - let(:postinstall) { nil } - - let(:install_command) do + subject(:install_command) do described_class.new( name: 'app-name', chart: 'chart-name', @@ -23,9 +16,14 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do ) end - subject { install_command } + let(:files) { { 'ca.pem': 'some file content' } } + let(:repository) { 'https://repository.example.com' } + let(:rbac) { false } + let(:version) { '1.2.3' } + let(:preinstall) { nil } + let(:postinstall) { nil } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -66,7 +64,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do EOS end - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS helm init --upgrade @@ -97,7 +95,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do context 'when rbac is true' do let(:rbac) { true } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -128,7 +126,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do context 'when there is a pre-install script' do let(:preinstall) { ['/bin/date', '/bin/true'] } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -161,7 +159,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do context 'when there is a post-install script' do let(:postinstall) { ['/bin/date', "/bin/false\n"] } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -194,7 +192,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do context 'when there is no ca.pem file' do let(:files) { { 'file.txt': 'some content' } } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -225,7 +223,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do context 'when there is no version' do let(:version) { nil } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -252,57 +250,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do end end - describe '#rbac?' do - subject { install_command.rbac? } - - context 'rbac is enabled' do - let(:rbac) { true } - - it { is_expected.to be_truthy } - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it { is_expected.to be_falsey } - end - end - - describe '#pod_resource' do - subject { install_command.pod_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a pod that uses the tiller serviceAccountName' do - expect(subject.spec.serviceAccountName).to eq('tiller') - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it 'generates a pod that uses the default serviceAccountName' do - expect(subject.spec.serviceAcccountName).to be_nil - end - end - end - - describe '#config_map_resource' do - let(:metadata) do - { - name: "values-content-configuration-app-name", - namespace: 'gitlab-managed-apps', - labels: { name: "values-content-configuration-app-name" } - } - end - - let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: files) } - - subject { install_command.config_map_resource } - - it 'returns a KubeClient resource with config map content for the application' do - is_expected.to eq(resource) - end + it_behaves_like 'helm command' do + let(:command) { install_command } end end diff --git a/spec/lib/gitlab/kubernetes/helm/parsers/list_v2_spec.rb b/spec/lib/gitlab/kubernetes/helm/parsers/list_v2_spec.rb new file mode 100644 index 00000000000..0ad5dc189c0 --- /dev/null +++ b/spec/lib/gitlab/kubernetes/helm/parsers/list_v2_spec.rb @@ -0,0 +1,100 @@ +# frozen_string_literal: true + +require 'fast_spec_helper' + +describe Gitlab::Kubernetes::Helm::Parsers::ListV2 do + let(:valid_file_contents) do + <<~EOF + { + "Next": "", + "Releases": [ + { + "Name": "certmanager", + "Revision": 2, + "Updated": "Sun Mar 29 06:55:42 2020", + "Status": "DEPLOYED", + "Chart": "cert-manager-v0.10.1", + "AppVersion": "v0.10.1", + "Namespace": "gitlab-managed-apps" + }, + { + "Name": "certmanager-crds", + "Revision": 2, + "Updated": "Sun Mar 29 06:55:32 2020", + "Status": "DEPLOYED", + "Chart": "cert-manager-crds-v0.2.0", + "AppVersion": "release-0.10", + "Namespace": "gitlab-managed-apps" + }, + { + "Name": "certmanager-issuer", + "Revision": 1, + "Updated": "Tue Feb 18 10:04:04 2020", + "Status": "FAILED", + "Chart": "cert-manager-issuer-v0.1.0", + "AppVersion": "", + "Namespace": "gitlab-managed-apps" + }, + { + "Name": "runner", + "Revision": 2, + "Updated": "Sun Mar 29 07:01:01 2020", + "Status": "DEPLOYED", + "Chart": "gitlab-runner-0.14.0", + "AppVersion": "12.8.0", + "Namespace": "gitlab-managed-apps" + } + ] + } + EOF + end + + describe '#initialize' do + it 'initializes without error' do + expect do + described_class.new(valid_file_contents) + end.not_to raise_error + end + + it 'raises an error on invalid JSON' do + expect do + described_class.new('') + end.to raise_error(described_class::ParserError) + end + end + + describe '#releases' do + subject(:list_v2) { described_class.new(valid_file_contents) } + + it 'returns list of releases' do + expect(list_v2.releases).to match([ + a_hash_including('Name' => 'certmanager', 'Status' => 'DEPLOYED'), + a_hash_including('Name' => 'certmanager-crds', 'Status' => 'DEPLOYED'), + a_hash_including('Name' => 'certmanager-issuer', 'Status' => 'FAILED'), + a_hash_including('Name' => 'runner', 'Status' => 'DEPLOYED') + ]) + end + + context 'empty Releases' do + let(:valid_file_contents) { '{}' } + + it 'returns an empty array' do + expect(list_v2.releases).to eq([]) + end + end + + context 'invalid Releases' do + let(:invalid_file_contents) do + '{ "Releases" : ["a", "b"] }' + end + + subject(:list_v2) { described_class.new(invalid_file_contents) } + + it 'raises an error' do + expect do + list_v2.releases + end.to raise_error(described_class::ParserError, 'Invalid format for Releases') + end + end + end +end diff --git a/spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb index e69570f5371..eee842fa7d6 100644 --- a/spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/patch_command_spec.rb @@ -33,7 +33,7 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do EOS end - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS helm init --upgrade @@ -57,7 +57,7 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do end end - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -83,7 +83,7 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do context 'when rbac is true' do let(:rbac) { true } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -110,7 +110,7 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do context 'when there is no ca.pem file' do let(:files) { { 'file.txt': 'some content' } } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS export HELM_HOST="localhost:44134" @@ -134,69 +134,19 @@ describe Gitlab::Kubernetes::Helm::PatchCommand do end end - describe '#pod_name' do - subject { patch_command.pod_name } - - it { is_expected.to eq 'install-app-name' } - end - context 'when there is no version' do let(:version) { nil } it { expect { patch_command }.to raise_error(ArgumentError, 'version is required') } end - describe '#rbac?' do - subject { patch_command.rbac? } - - context 'rbac is enabled' do - let(:rbac) { true } - - it { is_expected.to be_truthy } - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it { is_expected.to be_falsey } - end - end - - describe '#pod_resource' do - subject { patch_command.pod_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a pod that uses the tiller serviceAccountName' do - expect(subject.spec.serviceAccountName).to eq('tiller') - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } + describe '#pod_name' do + subject { patch_command.pod_name } - it 'generates a pod that uses the default serviceAccountName' do - expect(subject.spec.serviceAcccountName).to be_nil - end - end + it { is_expected.to eq 'install-app-name' } end - describe '#config_map_resource' do - let(:metadata) do - { - name: "values-content-configuration-app-name", - namespace: 'gitlab-managed-apps', - labels: { name: "values-content-configuration-app-name" } - } - end - - let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: files) } - - subject { patch_command.config_map_resource } - - it 'returns a KubeClient resource with config map content for the application' do - is_expected.to eq(resource) - end + it_behaves_like 'helm command' do + let(:command) { patch_command } end end diff --git a/spec/lib/gitlab/kubernetes/helm/pod_spec.rb b/spec/lib/gitlab/kubernetes/helm/pod_spec.rb index 3c62219a9a5..ea32ac96213 100644 --- a/spec/lib/gitlab/kubernetes/helm/pod_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/pod_spec.rb @@ -32,7 +32,7 @@ describe Gitlab::Kubernetes::Helm::Pod do it 'generates the appropriate specifications for the container' do container = subject.generate.spec.containers.first expect(container.name).to eq('helm') - expect(container.image).to eq('registry.gitlab.com/gitlab-org/cluster-integration/helm-install-image/releases/2.16.3-kube-1.13.12') + expect(container.image).to eq('registry.gitlab.com/gitlab-org/cluster-integration/helm-install-image/releases/2.16.6-kube-1.13.12') expect(container.env.count).to eq(3) expect(container.env.map(&:name)).to match_array([:HELM_VERSION, :TILLER_NAMESPACE, :COMMAND_SCRIPT]) expect(container.command).to match_array(["/bin/sh"]) diff --git a/spec/lib/gitlab/kubernetes/helm/reset_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/reset_command_spec.rb index 2a89b04723d..981bb4e4abf 100644 --- a/spec/lib/gitlab/kubernetes/helm/reset_command_spec.rb +++ b/spec/lib/gitlab/kubernetes/helm/reset_command_spec.rb @@ -3,14 +3,13 @@ require 'spec_helper' describe Gitlab::Kubernetes::Helm::ResetCommand do + subject(:reset_command) { described_class.new(name: name, rbac: rbac, files: files) } + let(:rbac) { true } let(:name) { 'helm' } let(:files) { {} } - let(:reset_command) { described_class.new(name: name, rbac: rbac, files: files) } - - subject { reset_command } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS helm reset @@ -23,7 +22,7 @@ describe Gitlab::Kubernetes::Helm::ResetCommand do context 'when there is a ca.pem file' do let(:files) { { 'ca.pem': 'some file content' } } - it_behaves_like 'helm commands' do + it_behaves_like 'helm command generator' do let(:commands) do <<~EOS1.squish + "\n" + <<~EOS2 helm reset @@ -39,29 +38,13 @@ describe Gitlab::Kubernetes::Helm::ResetCommand do end end - describe '#pod_resource' do - subject { reset_command.pod_resource } - - context 'rbac is enabled' do - let(:rbac) { true } - - it 'generates a pod that uses the tiller serviceAccountName' do - expect(subject.spec.serviceAccountName).to eq('tiller') - end - end - - context 'rbac is not enabled' do - let(:rbac) { false } - - it 'generates a pod that uses the default serviceAccountName' do - expect(subject.spec.serviceAcccountName).to be_nil - end - end - end - describe '#pod_name' do subject { reset_command.pod_name } it { is_expected.to eq('uninstall-helm') } end + + it_behaves_like 'helm command' do + let(:command) { reset_command } + end end diff --git a/spec/lib/gitlab/kubernetes/kube_client_spec.rb b/spec/lib/gitlab/kubernetes/kube_client_spec.rb index 1959fbca33b..32597aa4f5a 100644 --- a/spec/lib/gitlab/kubernetes/kube_client_spec.rb +++ b/spec/lib/gitlab/kubernetes/kube_client_spec.rb @@ -64,6 +64,45 @@ describe Gitlab::Kubernetes::KubeClient do end end + describe '.graceful_request' do + context 'successful' do + before do + allow(client).to receive(:foo).and_return(true) + end + + it 'returns connected status and foo response' do + result = described_class.graceful_request(1) { client.foo } + + expect(result).to eq({ status: :connected, response: true }) + end + end + + context 'errored' do + using RSpec::Parameterized::TableSyntax + + where(:error, :error_status) do + SocketError | :unreachable + OpenSSL::X509::CertificateError | :authentication_failure + StandardError | :unknown_failure + Kubeclient::HttpError.new(408, "timed out", nil) | :unreachable + Kubeclient::HttpError.new(408, "timeout", nil) | :unreachable + Kubeclient::HttpError.new(408, "", nil) | :authentication_failure + end + + with_them do + before do + allow(client).to receive(:foo).and_raise(error) + end + + it 'returns error status' do + result = described_class.graceful_request(1) { client.foo } + + expect(result).to eq({ status: error_status }) + end + end + end + end + describe '#initialize' do shared_examples 'local address' do it 'blocks local addresses' do @@ -174,10 +213,39 @@ describe Gitlab::Kubernetes::KubeClient do end end + describe '#networking_client' do + subject { client.networking_client } + + it_behaves_like 'a Kubeclient' + + it 'has the networking API group endpoint' do + expect(subject.api_endpoint.to_s).to match(%r{\/apis\/networking.k8s.io\Z}) + end + + it 'has the api_version' do + expect(subject.instance_variable_get(:@api_version)).to eq('v1') + end + end + + describe '#metrics_client' do + subject { client.metrics_client } + + it_behaves_like 'a Kubeclient' + + it 'has the metrics API group endpoint' do + expect(subject.api_endpoint.to_s).to match(%r{\/apis\/metrics.k8s.io\Z}) + end + + it 'has the api_version' do + expect(subject.instance_variable_get(:@api_version)).to eq('v1beta1') + end + end + describe 'core API' do let(:core_client) { client.core_client } [ + :get_nodes, :get_pods, :get_secrets, :get_config_map, @@ -220,8 +288,6 @@ describe Gitlab::Kubernetes::KubeClient do :create_role, :get_role, :update_role, - :create_cluster_role_binding, - :get_cluster_role_binding, :update_cluster_role_binding ].each do |method| describe "##{method}" do @@ -290,6 +356,30 @@ describe Gitlab::Kubernetes::KubeClient do end end + describe 'networking API group' do + let(:networking_client) { client.networking_client } + + [ + :create_network_policy, + :get_network_policies, + :update_network_policy, + :delete_network_policy + ].each do |method| + describe "##{method}" do + include_examples 'redirection not allowed', method + include_examples 'dns rebinding not allowed', method + + it 'delegates to the networking client' do + expect(client).to delegate_method(method).to(:networking_client) + end + + it 'responds to the method' do + expect(client).to respond_to method + end + end + end + end + describe 'non-entity methods' do it 'does not proxy for non-entity methods' do expect(client).not_to respond_to :proxy_url @@ -316,6 +406,16 @@ describe Gitlab::Kubernetes::KubeClient do end end + shared_examples 'create_or_update method using put' do + let(:update_method) { "update_#{resource_type}" } + + it 'calls the update method' do + expect(client).to receive(update_method).with(resource) + + subject + end + end + shared_examples 'create_or_update method' do let(:get_method) { "get_#{resource_type}" } let(:update_method) { "update_#{resource_type}" } @@ -355,7 +455,7 @@ describe Gitlab::Kubernetes::KubeClient do subject { client.create_or_update_cluster_role_binding(resource) } - it_behaves_like 'create_or_update method' + it_behaves_like 'create_or_update method using put' end describe '#create_or_update_role_binding' do @@ -367,7 +467,7 @@ describe Gitlab::Kubernetes::KubeClient do subject { client.create_or_update_role_binding(resource) } - it_behaves_like 'create_or_update method' + it_behaves_like 'create_or_update method using put' end describe '#create_or_update_service_account' do diff --git a/spec/lib/gitlab/kubernetes/network_policy_spec.rb b/spec/lib/gitlab/kubernetes/network_policy_spec.rb new file mode 100644 index 00000000000..f23d215a9a1 --- /dev/null +++ b/spec/lib/gitlab/kubernetes/network_policy_spec.rb @@ -0,0 +1,224 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Gitlab::Kubernetes::NetworkPolicy do + let(:policy) do + described_class.new( + name: name, + namespace: namespace, + creation_timestamp: '2020-04-14T00:08:30Z', + pod_selector: pod_selector, + policy_types: %w(Ingress Egress), + ingress: ingress, + egress: egress + ) + end + + let(:name) { 'example-name' } + let(:namespace) { 'example-namespace' } + let(:pod_selector) { { matchLabels: { role: 'db' } } } + + let(:ingress) do + [ + { + from: [ + { namespaceSelector: { matchLabels: { project: 'myproject' } } } + ] + } + ] + end + + let(:egress) do + [ + { + ports: [{ port: 5978 }] + } + ] + end + + describe '.from_yaml' do + let(:manifest) do + <<-POLICY +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: example-name + namespace: example-namespace +spec: + podSelector: + matchLabels: + role: db + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + project: myproject + POLICY + end + let(:resource) do + ::Kubeclient::Resource.new( + metadata: { name: name, namespace: namespace }, + spec: { podSelector: pod_selector, policyTypes: %w(Ingress), ingress: ingress, egress: nil } + ) + end + + subject { Gitlab::Kubernetes::NetworkPolicy.from_yaml(manifest)&.generate } + + it { is_expected.to eq(resource) } + + context 'with nil manifest' do + let(:manifest) { nil } + + it { is_expected.to be_nil } + end + + context 'with invalid manifest' do + let(:manifest) { "\tfoo: bar" } + + it { is_expected.to be_nil } + end + + context 'with manifest without metadata' do + let(:manifest) do + <<-POLICY +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +spec: + podSelector: + matchLabels: + role: db + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + project: myproject + POLICY + end + + it { is_expected.to be_nil } + end + + context 'with manifest without spec' do + let(:manifest) do + <<-POLICY +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: example-name + namespace: example-namespace + POLICY + end + + it { is_expected.to be_nil } + end + + context 'with disallowed class' do + let(:manifest) do + <<-POLICY +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: example-name + namespace: example-namespace + creationTimestamp: 2020-04-14T00:08:30Z +spec: + podSelector: + matchLabels: + role: db + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + project: myproject + POLICY + end + + it { is_expected.to be_nil } + end + end + + describe '.from_resource' do + let(:resource) do + ::Kubeclient::Resource.new( + metadata: { name: name, namespace: namespace, creationTimestamp: '2020-04-14T00:08:30Z', resourceVersion: '4990' }, + spec: { podSelector: pod_selector, policyTypes: %w(Ingress), ingress: ingress, egress: nil } + ) + end + let(:generated_resource) do + ::Kubeclient::Resource.new( + metadata: { name: name, namespace: namespace }, + spec: { podSelector: pod_selector, policyTypes: %w(Ingress), ingress: ingress, egress: nil } + ) + end + + subject { Gitlab::Kubernetes::NetworkPolicy.from_resource(resource)&.generate } + + it { is_expected.to eq(generated_resource) } + + context 'with nil resource' do + let(:resource) { nil } + + it { is_expected.to be_nil } + end + + context 'with resource without metadata' do + let(:resource) do + ::Kubeclient::Resource.new( + spec: { podSelector: pod_selector, policyTypes: %w(Ingress), ingress: ingress, egress: nil } + ) + end + + it { is_expected.to be_nil } + end + + context 'with resource without spec' do + let(:resource) do + ::Kubeclient::Resource.new( + metadata: { name: name, namespace: namespace, uid: '128cf288-7de4-11ea-aceb-42010a800089', resourceVersion: '4990' } + ) + end + + it { is_expected.to be_nil } + end + end + + describe '#generate' do + let(:resource) do + ::Kubeclient::Resource.new( + metadata: { name: name, namespace: namespace }, + spec: { podSelector: pod_selector, policyTypes: %w(Ingress Egress), ingress: ingress, egress: egress } + ) + end + + subject { policy.generate } + + it { is_expected.to eq(resource) } + end + + describe '#as_json' do + let(:json_policy) do + { + name: name, + namespace: namespace, + creation_timestamp: '2020-04-14T00:08:30Z', + manifest: YAML.dump( + { + metadata: { name: name, namespace: namespace }, + spec: { podSelector: pod_selector, policyTypes: %w(Ingress Egress), ingress: ingress, egress: egress } + }.deep_stringify_keys + ) + } + end + + subject { policy.as_json } + + it { is_expected.to eq(json_policy) } + end +end |