Add SSH reruns tests

CircleCI-Public · Jul 3, 2023 · 8d0e264 · 8d0e264
1 parent d3c5b24
commit 8d0e264
Show file tree

Hide file tree

Showing 6 changed files with 196 additions and 2 deletions.
diff --git a/changelog.md b/changelog.md
@@ -4,7 +4,7 @@ This is the Container Agent Helm Chart changelog
 
 # 101.0.8
 
-- [PREVIEW] Support SSH reruns 
+- [PRERELEASE] Support SSH reruns 
 
 # 101.0.7
 

diff --git a/templates/role.yaml b/templates/role.yaml
@@ -22,7 +22,7 @@ rules:
 
   {{- if .Values.agent.ssh.isEnabled }}
   - apiGroups: ["", "gateway.networking.k8s.io"]
-    resources: ["gateways", "services", "endpoints"]
+    resources: ["gateways", "services"]
     verbs: ["get"]
   {{- end }} # if .Values.agent.ssh.isEnabled
 

diff --git a/templates/ssh.yaml b/templates/ssh.yaml
@@ -12,6 +12,12 @@ metadata:
   namespace: {{ $namespace }}
 spec:
   controllerName: {{ .Values.agent.ssh.controllerName }}
+  {{- with .Values.agent.ssh.parametersRef }}
+  parametersRef:
+    group: {{ .group }}
+    kind: {{ .kind }}
+    name: {{ .name }}
+  {{- end }}
 
 ---
 apiVersion: gateway.networking.k8s.io/v1beta1

diff --git a/tests/__snapshot__/ssh_test.yaml.snap b/tests/__snapshot__/ssh_test.yaml.snap
@@ -0,0 +1,100 @@
+should create Gateway and Service resources if enabled:
+  1: |
+    apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: GatewayClass
+    metadata:
+      name: RELEASE-NAME-container-agent-ssh
+      namespace: NAMESPACE
+    spec:
+      controllerName: example.net/gateway-controller
+  2: |
+    apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    metadata:
+      name: RELEASE-NAME-container-agent-ssh
+      namespace: NAMESPACE
+    spec:
+      gatewayClassName: RELEASE-NAME-container-agent-ssh
+      listeners:
+        - allowedRoutes:
+            kinds:
+              - kind: TCPRoute
+          name: ssh-22
+          port: 22
+          protocol: TCP
+        - allowedRoutes:
+            kinds:
+              - kind: TCPRoute
+          name: ssh-23
+          port: 23
+          protocol: TCP
+        - allowedRoutes:
+            kinds:
+              - kind: TCPRoute
+          name: ssh-24
+          port: 24
+          protocol: TCP
+  3: |
+    apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: TCPRoute
+    metadata:
+      name: ssh-22
+      namespace: NAMESPACE
+    spec:
+      parentRefs:
+        - name: RELEASE-NAME-container-agent-ssh
+          sectionName: ssh-22
+      rules:
+        - backendRefs:
+            - name: RELEASE-NAME-container-agent-ssh
+              port: 22
+  4: |
+    apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: TCPRoute
+    metadata:
+      name: ssh-23
+      namespace: NAMESPACE
+    spec:
+      parentRefs:
+        - name: RELEASE-NAME-container-agent-ssh
+          sectionName: ssh-23
+      rules:
+        - backendRefs:
+            - name: RELEASE-NAME-container-agent-ssh
+              port: 23
+  5: |
+    apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: TCPRoute
+    metadata:
+      name: ssh-24
+      namespace: NAMESPACE
+    spec:
+      parentRefs:
+        - name: RELEASE-NAME-container-agent-ssh
+          sectionName: ssh-24
+      rules:
+        - backendRefs:
+            - name: RELEASE-NAME-container-agent-ssh
+              port: 24
+  6: |
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: RELEASE-NAME-container-agent-ssh
+      namespace: NAMESPACE
+    spec:
+      ports:
+        - name: ssh-22
+          port: 22
+          protocol: TCP
+          targetPort: ssh-22
+        - name: ssh-23
+          port: 23
+          protocol: TCP
+          targetPort: ssh-23
+        - name: ssh-24
+          port: 24
+          protocol: TCP
+          targetPort: ssh-24
+      selector:
+        app.kubernetes.io/managed-by: circleci-container-agent
diff --git a/tests/ssh_test.yaml b/tests/ssh_test.yaml
@@ -0,0 +1,87 @@
+suite: test ssh
+tests:
+  - it: should create Gateway and Service resources if enabled
+    template: templates/ssh.yaml
+    set:
+      agent.ssh.isEnabled: true
+      agent.ssh.controllerName: "example.net/gateway-controller"
+      agent.ssh.startPort: 22
+      agent.ssh.numPorts: 3
+    asserts:
+      - matchSnapshot: {}
+
+  - it: should update Role rules to allow get Gateway and Service resources if enabled
+    template: templates/role.yaml
+    set:
+      agent.ssh.isEnabled: true
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "gateway.networking.k8s.io"]
+            resources: ["gateways", "services"]
+            verbs: ["get"]
+        documentIndex: 0
+
+  - it: should set container-agent ssh configuration if enabled
+    template: templates/deployment.yaml
+    set:
+      agent.ssh.isEnabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBE_SSH_IS_ENABLED
+            value: "true"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBE_SSH_GATEWAY_NAME
+            value: "RELEASE-NAME-container-agent-ssh"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBE_SSH_SERVICE_NAME
+            value: "RELEASE-NAME-container-agent-ssh"
+
+  - it: should not create any Gateway or Service resources if disabled
+    template: templates/ssh.yaml
+    set:
+      agent.ssh.isEnabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not update Role rules to allow get Gateway and Service resources if disabled
+    template: templates/role.yaml
+    set:
+      agent.ssh.isEnabled: false
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups: ["", "gateway.networking.k8s.io"]
+            resources: ["gateways", "services"]
+            verbs: ["get"]
+        documentIndex: 0
+
+  - it: should not set container-agent ssh configuration if disabled
+    template: templates/deployment.yaml
+    set:
+      agent.ssh.isEnabled: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBE_SSH_IS_ENABLED
+            value: "true"
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBE_SSH_GATEWAY_NAME
+            value: "RELEASE-NAME-container-agent-ssh"
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: KUBE_SSH_SERVICE_NAME
+            value: "RELEASE-NAME-container-agent-ssh"
diff --git a/values.yaml b/values.yaml
@@ -213,6 +213,7 @@ agent:
     # Please consult the documentation for your preferred Gateway implementation for guidance on setting it up in your cluster.
     # The Envoy Gateway has been successfully tested for SSH reruns (see: https://gateway.envoyproxy.io/v0.4.0/user/tcp-routing.html).
     controllerName: "gateway.envoyproxy.io/gatewayclass-controller"
+    parametersRef: {}
 
     # Specify the port range that is approved for SSH connections.
     # Note that the number of concurrent jobs rerun with SSH is limited by the number of ports in this range.