1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
require 'spec_helper'
describe Gitlab::Kubernetes::Helm::InitCommand do
let(:application) { create(:clusters_applications_helm) }
let(:rbac) { false }
let(:files) { {} }
let(:init_command) { described_class.new(name: application.name, files: files, rbac: rbac) }
let(:commands) do
<<~EOS
helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem
EOS
end
subject { init_command }
it_behaves_like 'helm commands'
context 'on a rbac-enabled cluster' do
let(:rbac) { true }
it_behaves_like 'helm commands' do
let(:commands) do
<<~EOS
helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem --service-account tiller
EOS
end
end
end
describe '#rbac?' do
subject { init_command.rbac? }
context 'rbac is enabled' do
let(:rbac) { true }
it { is_expected.to be_truthy }
end
context 'rbac is not enabled' do
let(:rbac) { false }
it { is_expected.to be_falsey }
end
end
describe '#config_map_resource' do
let(:metadata) do
{
name: 'values-content-configuration-helm',
namespace: 'gitlab-managed-apps',
labels: { name: 'values-content-configuration-helm' }
}
end
let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: files) }
subject { init_command.config_map_resource }
it 'returns a KubeClient resource with config map content for the application' do
is_expected.to eq(resource)
end
end
describe '#pod_resource' do
subject { init_command.pod_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a pod that uses the tiller serviceAccountName' do
expect(subject.spec.serviceAccountName).to eq('tiller')
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates a pod that uses the default serviceAccountName' do
expect(subject.spec.serviceAcccountName).to be_nil
end
end
end
describe '#service_account_resource' do
let(:resource) do
Kubeclient::Resource.new(metadata: { name: 'tiller', namespace: 'gitlab-managed-apps' })
end
subject { init_command.service_account_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a Kubeclient resource for the tiller ServiceAccount' do
is_expected.to eq(resource)
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates nothing' do
is_expected.to be_nil
end
end
end
describe '#cluster_role_binding_resource' do
let(:resource) do
Kubeclient::Resource.new(
metadata: { name: 'tiller-admin' },
roleRef: { apiGroup: 'rbac.authorization.k8s.io', kind: 'ClusterRole', name: 'cluster-admin' },
subjects: [{ kind: 'ServiceAccount', name: 'tiller', namespace: 'gitlab-managed-apps' }]
)
end
subject { init_command.cluster_role_binding_resource }
context 'rbac is enabled' do
let(:rbac) { true }
it 'generates a Kubeclient resource for the ClusterRoleBinding for tiller' do
is_expected.to eq(resource)
end
end
context 'rbac is not enabled' do
let(:rbac) { false }
it 'generates nothing' do
is_expected.to be_nil
end
end
end
end
|