tracebloc · saadqbal · Jun 4, 2026 · Jun 3, 2026
diff --git a/client/tests/requests_proxy_test.yaml b/client/tests/requests_proxy_test.yaml
@@ -0,0 +1,120 @@
+suite: Requests Proxy Deployment
+# requests-proxy-deployment.yaml had no unit test. It is a workload pod that
+# runs in the data plane, so the security-context invariants (see
+# docs/SECURITY.md) and the single-worker constraint (the proxy keeps the pod
+# token registry in process-local memory — more than one worker silently
+# breaks token lookups) need a regression guard. The resources block is also
+# nil-guarded against `helm upgrade --reuse-values` from pre-1.3.6 releases;
+# pinning the rendered defaults catches a guard that eats the preceding
+# newline (the historic `readOnlyRootFilesystem: trueresources:` bug).
+templates:
+  - templates/requests-proxy-deployment.yaml
+set:
+  clientId: "test-id"
+  clientPassword: "test"
+  dockerRegistry:
+    server: https://index.docker.io/v1/
+    username: test
+    password: test
+    email: test@test.com
+tests:
+  - it: should create the requests-proxy Deployment
+    asserts:
+      - isKind:
+          of: Deployment
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-requests-proxy
+
+  - it: should carry standard chart labels
+    asserts:
+      - exists:
+          path: metadata.labels["app.kubernetes.io/name"]
+      - exists:
+          path: metadata.labels["helm.sh/chart"]
+
+  - it: should run exactly one replica
+    # Token registry is process-local; replicas>1 would shard token lookups.
+    asserts:
+      - equal:
+          path: spec.replicas
+          value: 1
+
+  - it: should not automount the service account token
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+
+  - it: should enforce a hardened pod security context
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          value: RuntimeDefault
+
+  - it: should enforce a hardened container security context
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.runAsUser
+          value: 1001
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+          value: true
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.drop
+          content: "ALL"
+
+  - it: should pull the jobs-manager image from docker.io
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[0].image
+          pattern: "^docker\\.io/tracebloc/jobs-manager[:@]"
+
+  - it: should expose the proxy on container port 8888
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 8888
+
+  - it: should run gunicorn with a single worker
+    # Mirrors the replica constraint at the process level — the token registry
+    # lives in one worker's memory.
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--workers=1"
+
+  - it: should render the default resource requests and limits
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources.requests.cpu
+          value: 100m
+      - equal:
+          path: spec.template.spec.containers[0].resources.requests.memory
+          value: 256Mi
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.cpu
+          value: 1000m
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.memory
+          value: 512Mi
+
+  - it: should honor a resource override through the nil-guard
+    set:
+      resources:
+        requestsProxy:
+          limits:
+            memory: 1Gi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources.limits.memory
+          value: 1Gi