diff --git a/client/tests/requests_proxy_test.yaml b/client/tests/requests_proxy_test.yaml
new file mode 100644
index 0000000..3c5f3f8
--- /dev/null
+++ b/client/tests/requests_proxy_test.yaml
@@ -0,0 +1,120 @@
+suite: Requests Proxy Deployment
+# requests-proxy-deployment.yaml had no unit test. It is a workload pod that
+# runs in the data plane, so the security-context invariants (see
+# docs/SECURITY.md) and the single-worker constraint (the proxy keeps the pod
+# token registry in process-local memory — more than one worker silently
+# breaks token lookups) need a regression guard. The resources block is also
+# nil-guarded against `helm upgrade --reuse-values` from pre-1.3.6 releases;
+# pinning the rendered defaults catches a guard that eats the preceding
+# newline (the historic `readOnlyRootFilesystem: trueresources:` bug).
+templates:
+ - templates/requests-proxy-deployment.yaml
+set:
+ clientId: "test-id"
+ clientPassword: "test"
+ dockerRegistry:
+ server: https://index.docker.io/v1/
+ username: test
+ password: test
+ email: test@test.com
+tests:
+ - it: should create the requests-proxy Deployment
+ asserts:
+ - isKind:
+ of: Deployment
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-requests-proxy
+
+ - it: should carry standard chart labels
+ asserts:
+ - exists:
+ path: metadata.labels["app.kubernetes.io/name"]
+ - exists:
+ path: metadata.labels["helm.sh/chart"]
+
+ - it: should run exactly one replica
+ # Token registry is process-local; replicas>1 would shard token lookups.
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 1
+
+ - it: should not automount the service account token
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
+
+ - it: should enforce a hardened pod security context
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.seccompProfile.type
+ value: RuntimeDefault
+
+ - it: should enforce a hardened container security context
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.runAsUser
+ value: 1001
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+ value: true
+ - contains:
+ path: spec.template.spec.containers[0].securityContext.capabilities.drop
+ content: "ALL"
+
+ - it: should pull the jobs-manager image from docker.io
+ asserts:
+ - matchRegex:
+ path: spec.template.spec.containers[0].image
+ pattern: "^docker\\.io/tracebloc/jobs-manager[:@]"
+
+ - it: should expose the proxy on container port 8888
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].ports[0].containerPort
+ value: 8888
+
+ - it: should run gunicorn with a single worker
+ # Mirrors the replica constraint at the process level — the token registry
+ # lives in one worker's memory.
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: "--workers=1"
+
+ - it: should render the default resource requests and limits
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.cpu
+ value: 100m
+ - equal:
+ path: spec.template.spec.containers[0].resources.requests.memory
+ value: 256Mi
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 1000m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should honor a resource override through the nil-guard
+ set:
+ resources:
+ requestsProxy:
+ limits:
+ memory: 1Gi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 1Gi
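Review bot: The image guard in "should pull the jobs-manager image from docker.io" pins only the registry and repository, so a chart default that floats on a mutable tag such as `:latest` would still pass this regression test even though the `[:@]` suffix requires some tag or digest. A companion assertion next to the `matchRegex` closes that gap: `- notMatchRegex:` / `path: spec.template.spec.containers[0].image` / `pattern: ":latest$"`; whether the chart currently pins a digest or version tag is not visible from this test file. On the same theme, the `--workers=1` check uses `contains` on `args`, which still passes if a later element re-sets the worker count, so once the expected gunicorn command line is stable an `equal` on the full `args` list (or a `lengthEqual`) would make the single-worker invariant the header comment describes actually exclusive.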