From 8216d88c7ca99226b851147dbad31592123621e4 Mon Sep 17 00:00:00 2001
From: Aran Shavit
Date: Tue, 29 Oct 2024 11:55:57 +0200
Subject: [PATCH] Added helm unit tests for automountServiceAccountToken for all serviceAccounts/Workloads
Signed-off-by: Aran Shavit
---
 .../job-patch/job-createSecret_test.yaml | 12 +++++
 .../job-patch/job-patchWebhook_test.yaml | 12 +++++
 .../tests/controller-daemonset_test.yaml | 9 ++++
 .../tests/controller-deployment_test.yaml | 8 +++
 .../tests/controller-serviceaccount_test.yaml | 47 +++++++++++++++++
 .../default-backend-deployment_test.yaml | 9 ++++
 .../default-backend-serviceaccount_test.yaml | 51 +++++++++++++++++++
 7 files changed, 148 insertions(+)
 create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
 create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
 create mode 100644 charts/ingress-nginx/tests/controller-serviceaccount_test.yaml
 create mode 100644 charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
new file mode 100644
index 000000000..2dd95e591
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
@@ -0,0 +1,12 @@
+suite: Admission Webhooks > Create Secret Job
+templates:
+ - admission-webhooks/job-patch/job-createSecret.yaml
+
+tests:
+ - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
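Review bot: The only assertion in job-createSecret_test.yaml is the `equal` on `spec.template.spec.automountServiceAccountToken`, so the suite never pins that exactly one `Job` is rendered, unlike the ServiceAccount suites in this patch, which open with `hasDocuments` and `isKind`. Adding `- hasDocuments: {count: 1}` and `- isKind: {of: Job}` before the `equal` would make a failure point at the rendering rather than at a missing path. The same applies to job-patchWebhook_test.yaml. The diffstat also shows no suite for the ServiceAccount that `controller.admissionWebhooks.patch.serviceAccount.*` configures, although the subject says all ServiceAccounts are covered; if that object carries its own `automountServiceAccountToken` field, it deserves the same `false` case.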
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
new file mode 100644
index 000000000..39b3e27b3
--- /dev/null
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
@@ -0,0 +1,12 @@
+suite: Admission Webhooks > Patch Webhook Job
+templates:
+ - admission-webhooks/job-patch/job-patchWebhook.yaml
+
+tests:
+ - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+ set:
+ controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
index d2d77befb..0321fd376 100644
--- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml
+++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@@ -190,3 +190,12 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].image
 value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a DaemonSet with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+ set:
+ controller.kind: DaemonSet
+ serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml
index 1cc9c9325..18306079e 100644
--- a/charts/ingress-nginx/tests/controller-deployment_test.yaml
+++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml
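Review bot: The new case in controller-daemonset_test.yaml covers only the `false` override, so nothing in the hunk pins what the pod spec contains when `serviceAccount.automountServiceAccountToken` is left at the chart default; a template that hard-coded `false` would still pass. A companion case without the override, asserting `path: spec.template.spec.automountServiceAccountToken` against the documented default, would catch a drift in this security-relevant default. The same gap is in the cases added to controller-deployment_test.yaml and default-backend-deployment_test.yaml. Earlier tests in these suites are outside the hunks, so this may already be covered there.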
@@ -215,3 +215,11 @@ tests:
 - equal:
 path: spec.progressDeadlineSeconds
 value: 111
+
+ - it: should create a Deployment with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+ set:
+ serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml b/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml
new file mode 100644
index 000000000..928e53772
--- /dev/null
+++ b/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml
@@ -0,0 +1,47 @@
+suite: Controller > ServiceAccount
+templates:
+ - controller-serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `serviceAccount.create` is false
+ set:
+ serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `serviceAccount.create` is true
+ set:
+ serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx
+
+ - it: should create a ServiceAccount with specified name if `serviceAccount.name` is set
+ set:
+ serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
+ set:
+ serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
index c3fa33968..11d400c46 100644
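Review bot: In controller-deployment_test.yaml the flag is exercised only with the chart-created ServiceAccount; the case that matters most for hardening is an existing account reused via `serviceAccount.create: false` plus `serviceAccount.name`, where the pod-level field is the only place the chart can turn token mounting off. Consider a second case that adds `serviceAccount.create: false` to the `set` block and keeps the same `equal` on `spec.template.spec.automountServiceAccountToken`. Whether the template renders the field in that configuration cannot be seen from this hunk, which is the reason to pin it.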
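Review bot: The fixture name `ingress-nginx-admission-test-sa` in controller-serviceaccount_test.yaml reads like the admission-webhook account, but this suite renders the controller ServiceAccount. A name such as `ingress-nginx-controller-test-sa`, used in both `serviceAccount.name` and the expected `metadata.name`, avoids confusion when a failure is triaged. default-backend-serviceaccount_test.yaml reuses the same value and has the same issue.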
--- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
+++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
@@ -187,3 +187,12 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].image
 value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+
+ - it: should create a Deployment with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
diff --git a/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml b/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
new file mode 100644
index 000000000..05a815d0a
--- /dev/null
+++ b/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml
@@ -0,0 +1,51 @@
+suite: Default Backend > ServiceAccount
+templates:
+ - default-backend-serviceaccount.yaml
+
+tests:
+ - it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.create: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.create: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-backend
+
+ - it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: metadata.name
+ value: ingress-nginx-admission-test-sa
+
+ - it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.serviceAccount.automountServiceAccountToken: false
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ServiceAccount
+ - equal:
+ path: automountServiceAccountToken
+ value: false
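Review bot: Every case in default-backend-serviceaccount_test.yaml sets `defaultBackend.enabled: true`, so the suite never checks that no ServiceAccount is rendered while the default backend is off. A case with `defaultBackend.enabled: false` and `defaultBackend.serviceAccount.create: true`, asserting `hasDocuments` with `count: 0`, would pin that an unused account and its token are not created. This assumes the template is gated on `defaultBackend.enabled`, which the hunk suggests but does not show.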