diff --git a/tests/application_policy_edge_cases_test.yaml b/tests/application_policy_edge_cases_test.yaml
new file mode 100644
index 0000000..9080fb1
--- /dev/null
+++ b/tests/application_policy_edge_cases_test.yaml
@@ -0,0 +1,246 @@
+suite: Test application-policies edge cases
+templates:
+ - templates/policies/application-policies.yaml
+release:
+ name: release-test
+tests:
+ - it: should use vpArgoNamespace as destination namespace when singleArgoCD is true
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ singleArgoCD: true
+ vpArgoNamespace: custom-argocd
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.destination.namespace
+ value: custom-argocd
+
+ - it: should use pattern-name namespace as destination when singleArgoCD is false
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ singleArgoCD: false
+ pattern: multicloud-gitops
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.destination.namespace
+ value: multicloud-gitops-group-one
+
+ - it: should include helmOverrides in non-multisource mode
+ values:
+ - ./clusterselector_values.yaml
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ contains:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.source.helm.parameters
+ content:
+ name: clusterGroup.isHubCluster
+ value: "false"
+
+ - it: should use per-group repoURL when specified
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ exampleRegion:
+ name: group-one
+ repoURL: https://github.com/custom/repo
+ acmlabels:
+ - name: clusterGroup
+ value: group-one
+ helmOverrides:
+ - name: clusterGroup.isHubCluster
+ value: false
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.source.repoURL
+ value: https://github.com/custom/repo
+
+ - it: should set prune to true when deletePattern is not none
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ deletePattern: DeleteChildApps
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.syncPolicy.automated.prune
+ value: true
+
+ - it: should set prune to false when deletePattern is none
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ deletePattern: none
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.syncPolicy.automated.prune
+ value: false
+
+ - it: should set pruneObjectBehavior when deletePattern is DeleteChildApps
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ deletePattern: DeleteChildApps
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.pruneObjectBehavior
+ value: DeleteIfCreated
+
+ - it: should use custom applicationRetryLimit
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ options:
+ applicationRetryLimit: 5
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-clustergroup-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.syncPolicy.retry.limit
+ value: 5
+
+ - it: should render separate resources for multiple managedClusterGroups
+ set:
+ global:
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: east
+ acmlabels:
+ - name: clusterGroup
+ value: east
+ helmOverrides:
+ - name: clusterGroup.isHubCluster
+ value: false
+ groupTwo:
+ name: west
+ acmlabels:
+ - name: clusterGroup
+ value: west
+ helmOverrides:
+ - name: clusterGroup.isHubCluster
+ value: false
+ asserts:
+ - hasDocuments:
+ count: 6
+ - documentSelector:
+ path: metadata.name
+ value: east-clustergroup-policy
+ isKind:
+ of: Policy
+ - documentSelector:
+ path: metadata.name
+ value: west-clustergroup-policy
+ isKind:
+ of: Policy
+ - documentSelector:
+ path: metadata.name
+ value: east-placement-binding
+ isKind:
+ of: PlacementBinding
+ - documentSelector:
+ path: metadata.name
+ value: west-placement-binding
+ isKind:
+ of: PlacementBinding
+ - documentSelector:
+ path: metadata.name
+ value: east-placement
+ isKind:
+ of: Placement
+ - documentSelector:
+ path: metadata.name
+ value: west-placement
+ isKind:
+ of: Placement
+
+ - it: should set correct clusterGroup.name per group in multiple managedClusterGroups
+ set:
+ global:
+ multiSourceSupport: true
+ multiSourceRepoUrl: "https://charts.example.com"
+ multiSourceTargetRevision: "0.1.0"
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: east
+ acmlabels:
+ - name: clusterGroup
+ value: east
+ helmOverrides:
+ - name: clusterGroup.isHubCluster
+ value: false
+ groupTwo:
+ name: west
+ acmlabels:
+ - name: clusterGroup
+ value: west
+ helmOverrides:
+ - name: clusterGroup.isHubCluster
+ value: false
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: east-clustergroup-policy
+ contains:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters
+ content:
+ name: clusterGroup.name
+ value: east
+ - documentSelector:
+ path: metadata.name
+ value: west-clustergroup-policy
+ contains:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters
+ content:
+ name: clusterGroup.name
+ value: west
diff --git a/tests/clusterdeployment_test.yaml b/tests/clusterdeployment_test.yaml
new file mode 100644
index 0000000..d020434
--- /dev/null
+++ b/tests/clusterdeployment_test.yaml
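Review bot: The prune cases only pin the destructive side: `should set pruneObjectBehavior when deletePattern is DeleteChildApps` asserts `DeleteIfCreated`, but no case asserts that `spec.policy-templates[0].objectDefinition.spec.pruneObjectBehavior` is absent when `deletePattern: none`, so a template regression that always emits it would pass this suite while the `prune: false` case stays green. The `should set prune to true when deletePattern is not none` case also exercises only `DeleteChildApps`, so its title promises more than it checks; either rename it or add a second non-`none` value. An `isNull` counterpart for the `none` case closes the pruneObjectBehavior gap.
```yaml
# … unchanged: earlier cases …
  - it: should not set pruneObjectBehavior when deletePattern is none
    values:
      - ./clusterselector_values.yaml
    set:
      global:
        deletePattern: none
        multiSourceSupport: true
        multiSourceRepoUrl: "https://charts.example.com"
        multiSourceTargetRevision: "0.1.0"
    asserts:
      - documentSelector:
          path: metadata.name
          value: group-one-clustergroup-policy
        isNull:
          path: spec.policy-templates[0].objectDefinition.spec.pruneObjectBehavior
```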
@@ -0,0 +1,287 @@
+suite: Test ClusterDeployment provisioning
+templates:
+ - templates/provision/clusterdeployment.yaml
+release:
+ name: release-test
+tests:
+ - it: should not render when no clusterDeployments defined
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render Namespace, ClusterDeployment, and ManagedCluster for AWS
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - hasDocuments:
+ count: 3
+ - documentIndex: 0
+ isKind:
+ of: Namespace
+ - documentIndex: 0
+ equal:
+ path: metadata.name
+ value: cluster1-region-one
+ - documentIndex: 1
+ isKind:
+ of: ClusterDeployment
+ - documentIndex: 1
+ equal:
+ path: metadata.name
+ value: cluster1-region-one
+ - documentIndex: 1
+ equal:
+ path: metadata.namespace
+ value: cluster1-region-one
+ - documentIndex: 1
+ equal:
+ path: spec.baseDomain
+ value: example.com
+ - documentIndex: 1
+ equal:
+ path: spec.clusterName
+ value: cluster1-region-one
+ - documentIndex: 1
+ equal:
+ path: spec.platform.aws.region
+ value: us-east-1
+ - documentIndex: 1
+ equal:
+ path: spec.platform.aws.credentialsSecretRef.name
+ value: cluster1-region-one-creds
+ - documentIndex: 1
+ equal:
+ path: spec.provisioning.imageSetRef.name
+ value: img4.14.10-multi-appsub
+ - documentIndex: 1
+ equal:
+ path: spec.provisioning.installConfigSecretRef.name
+ value: cluster1-region-one-install-config
+ - documentIndex: 1
+ equal:
+ path: spec.provisioning.sshPrivateKeySecretRef.name
+ value: cluster1-region-one-ssh-private-key
+ - documentIndex: 1
+ equal:
+ path: spec.pullSecretRef.name
+ value: cluster1-region-one-pull-secret
+
+ - it: should render correctly for Azure platform
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-two
+ clusterDeployments:
+ myCluster:
+ name: azcluster
+ baseDomain: azure.example.com
+ openshiftVersion: "4.15.2"
+ platform:
+ azure:
+ baseDomainResourceGroupName: dns-zones
+ region: eastus
+ asserts:
+ - hasDocuments:
+ count: 3
+ - documentIndex: 1
+ equal:
+ path: spec.platform.azure.region
+ value: eastus
+ - documentIndex: 1
+ equal:
+ path: spec.platform.azure.credentialsSecretRef.name
+ value: azcluster-region-two-creds
+
+ - it: should set default clusterGroup label on ManagedCluster when no acmlabels
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - documentIndex: 2
+ isKind:
+ of: ManagedCluster
+ - documentIndex: 2
+ equal:
+ path: metadata.labels.clusterGroup
+ value: region-one
+ - documentIndex: 2
+ equal:
+ path: metadata.labels["cluster.open-cluster-management.io/clusterset"]
+ value: region-one
+ - documentIndex: 2
+ equal:
+ path: spec.hubAcceptsClient
+ value: true
+
+ - it: should use acmlabels on ManagedCluster when specified as list
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ acmlabels:
+ - name: environment
+ value: production
+ - name: region
+ value: us-east
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - documentIndex: 2
+ equal:
+ path: metadata.labels.environment
+ value: production
+ - documentIndex: 2
+ equal:
+ path: metadata.labels.region
+ value: us-east
+
+ - it: should use default label when acmlabels is empty
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ acmlabels: []
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - documentIndex: 2
+ equal:
+ path: metadata.labels.clusterGroup
+ value: region-one
+
+ - it: should render multiple clusters from the same group
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterDeployments:
+ first:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ second:
+ name: cluster2
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-west-2
+ asserts:
+ - hasDocuments:
+ count: 6
+
+ - it: should render resources for multiple managedClusterGroups
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: east
+ clusterDeployments:
+ first:
+ name: cluster-east
+ baseDomain: east.example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ groupTwo:
+ name: west
+ clusterDeployments:
+ first:
+ name: cluster-west
+ baseDomain: west.example.com
+ openshiftVersion: "4.15.2"
+ platform:
+ azure:
+ baseDomainResourceGroupName: dns-zones
+ region: westus2
+ asserts:
+ - hasDocuments:
+ count: 6
+ - documentIndex: 0
+ isKind:
+ of: Namespace
+ - documentIndex: 0
+ equal:
+ path: metadata.name
+ value: cluster-east-east
+ - documentIndex: 1
+ isKind:
+ of: ClusterDeployment
+ - documentIndex: 1
+ equal:
+ path: spec.platform.aws.region
+ value: us-east-1
+ - documentIndex: 2
+ isKind:
+ of: ManagedCluster
+ - documentIndex: 2
+ equal:
+ path: metadata.labels["cluster.open-cluster-management.io/clusterset"]
+ value: east
+ - documentIndex: 3
+ isKind:
+ of: Namespace
+ - documentIndex: 3
+ equal:
+ path: metadata.name
+ value: cluster-west-west
+ - documentIndex: 4
+ isKind:
+ of: ClusterDeployment
+ - documentIndex: 4
+ equal:
+ path: spec.platform.azure.region
+ value: westus2
+ - documentIndex: 5
+ isKind:
+ of: ManagedCluster
+ - documentIndex: 5
+ equal:
+ path: metadata.labels["cluster.open-cluster-management.io/clusterset"]
+ value: west
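Review bot: `should use acmlabels on ManagedCluster when specified as list` asserts only the user-supplied `environment` and `region` labels and never checks that `metadata.labels["cluster.open-cluster-management.io/clusterset"]` is still `region-one`, whereas the no-acmlabels case does pin it. That label is what puts the ManagedCluster into its ManagedClusterSet, so a template that let a custom `acmlabels` list replace the whole label map would silently detach the cluster from the set and from every binding that scopes to it, and this suite would not notice. The `acmlabels: []` case has the same gap; the assertion below belongs in both.
```yaml
# … unchanged: set: block of "should use acmlabels on ManagedCluster when specified as list" …
      - documentIndex: 2
        equal:
          path: metadata.labels["cluster.open-cluster-management.io/clusterset"]
          value: region-one
```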
diff --git a/tests/clusterpool_test.yaml b/tests/clusterpool_test.yaml
new file mode 100644
index 0000000..963933f
--- /dev/null
+++ b/tests/clusterpool_test.yaml
@@ -0,0 +1,323 @@
+suite: Test ClusterPool provisioning
+templates:
+ - templates/provision/clusterpool.yaml
+release:
+ name: release-test
+tests:
+ - it: should not render when no clusterPools defined
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render ClusterPool for AWS with no clusters
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ClusterPool
+ - equal:
+ path: metadata.name
+ value: spoke-region-one
+ - equal:
+ path: spec.baseDomain
+ value: example.com
+ - equal:
+ path: spec.size
+ value: 0
+ - equal:
+ path: spec.runningCount
+ value: 0
+ - equal:
+ path: spec.platform.aws.region
+ value: us-east-1
+ - equal:
+ path: spec.platform.aws.credentialsSecretRef.name
+ value: spoke-region-one-creds
+ - equal:
+ path: spec.imageSetRef.name
+ value: img4.14.10-multi-appsub
+ - equal:
+ path: spec.pullSecretRef.name
+ value: spoke-region-one-pull-secret
+ - equal:
+ path: spec.installConfigSecretTemplateRef.name
+ value: spoke-region-one-install-config
+ - equal:
+ path: spec.skipMachinePools
+ value: true
+ - equal:
+ path: metadata.labels.cloud
+ value: aws
+ - equal:
+ path: metadata.labels["cluster.open-cluster-management.io/clusterset"]
+ value: region-one
+
+ - it: should render ClusterPool for Azure
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-two
+ clusterPools:
+ testPool:
+ name: azpool
+ openshiftVersion: "4.15.2"
+ baseDomain: azure.example.com
+ platform:
+ azure:
+ baseDomainResourceGroupName: dns-zones
+ region: eastus
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: spec.platform.azure.region
+ value: eastus
+ - equal:
+ path: metadata.labels.cloud
+ value: azure
+
+ - it: should render ClusterPool and ClusterClaims when clusters are specified
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ clusters:
+ - spoke1
+ - spoke2
+ asserts:
+ - hasDocuments:
+ count: 3
+ - documentIndex: 0
+ isKind:
+ of: ClusterPool
+ - documentIndex: 0
+ equal:
+ path: spec.size
+ value: 2
+ - documentIndex: 0
+ equal:
+ path: spec.runningCount
+ value: 2
+ - documentIndex: 1
+ isKind:
+ of: ClusterClaim
+ - documentIndex: 1
+ equal:
+ path: metadata.name
+ value: spoke1-region-one
+ - documentIndex: 1
+ equal:
+ path: spec.clusterPoolName
+ value: spoke-region-one
+ - documentIndex: 2
+ isKind:
+ of: ClusterClaim
+ - documentIndex: 2
+ equal:
+ path: metadata.name
+ value: spoke2-region-one
+
+ - it: should use explicit size when provided
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ size: 5
+ platform:
+ aws:
+ region: us-east-1
+ clusters:
+ - spoke1
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: spec.size
+ value: 5
+ - documentIndex: 0
+ equal:
+ path: spec.runningCount
+ value: 1
+
+ - it: should use acmlabels on ClusterClaim when specified as list
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ acmlabels:
+ - name: environment
+ value: staging
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ clusters:
+ - spoke1
+ asserts:
+ - documentIndex: 1
+ equal:
+ path: metadata.labels.environment
+ value: staging
+
+ - it: should use default clusterGroup label on ClusterClaim when no acmlabels
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ clusters:
+ - spoke1
+ asserts:
+ - documentIndex: 1
+ equal:
+ path: metadata.labels.clusterGroup
+ value: region-one
+
+ - it: should have correct sync-wave annotations
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ clusters:
+ - spoke1
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: metadata.annotations["argocd.argoproj.io/sync-wave"]
+ value: "10"
+ - documentIndex: 1
+ equal:
+ path: metadata.annotations["argocd.argoproj.io/sync-wave"]
+ value: "20"
+
+ - it: should render pools for multiple managedClusterGroups
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: east
+ clusterPools:
+ awsPool:
+ name: pool-east
+ openshiftVersion: "4.14.10"
+ baseDomain: east.example.com
+ platform:
+ aws:
+ region: us-east-1
+ clusters:
+ - east1
+ groupTwo:
+ name: west
+ clusterPools:
+ azurePool:
+ name: pool-west
+ openshiftVersion: "4.15.2"
+ baseDomain: west.example.com
+ platform:
+ azure:
+ baseDomainResourceGroupName: dns-zones
+ region: westus2
+ clusters:
+ - west1
+ asserts:
+ - hasDocuments:
+ count: 4
+ - documentSelector:
+ path: metadata.name
+ value: pool-east-east
+ isKind:
+ of: ClusterPool
+ - documentSelector:
+ path: metadata.name
+ value: pool-east-east
+ equal:
+ path: metadata.labels.cloud
+ value: aws
+ - documentSelector:
+ path: metadata.name
+ value: pool-west-west
+ isKind:
+ of: ClusterPool
+ - documentSelector:
+ path: metadata.name
+ value: pool-west-west
+ equal:
+ path: metadata.labels.cloud
+ value: azure
+ - documentSelector:
+ path: metadata.name
+ value: east1-east
+ isKind:
+ of: ClusterClaim
+ - documentSelector:
+ path: metadata.name
+ value: east1-east
+ equal:
+ path: spec.clusterPoolName
+ value: pool-east-east
+ - documentSelector:
+ path: metadata.name
+ value: west1-west
+ isKind:
+ of: ClusterClaim
+ - documentSelector:
+ path: metadata.name
+ value: west1-west
+ equal:
+ path: spec.clusterPoolName
+ value: pool-west-west
diff --git a/tests/managedclusterset_test.yaml b/tests/managedclusterset_test.yaml
new file mode 100644
index 0000000..79f5e66
--- /dev/null
+++ b/tests/managedclusterset_test.yaml
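Review bot: `should use explicit size when provided` only covers `size: 5` with a single cluster, so the suite never pins what the template emits when an explicit `size` is smaller than the number of `clusters` entries. The two-cluster case shows `spec.runningCount` tracking the claim count, so with `size: 1` and two clusters the pool would presumably render `runningCount: 2` against `size: 1`, and the second ClusterClaim would sit pending against an undersized pool — whether the template clamps, errors, or emits that pair is not something this suite decides. Add a case with `size: 1` and two `clusters` entries that asserts the intended `spec.size` and `spec.runningCount`, so the contract is explicit rather than whatever the template happens to do today.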
@@ -0,0 +1,121 @@
+suite: Test ManagedClusterSet provisioning
+templates:
+ - templates/provision/managedclusterset.yaml
+release:
+ name: release-test
+tests:
+ - it: should not render when no clusterPools or clusterDeployments defined
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render ManagedClusterSet when clusterPools is defined
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ManagedClusterSet
+ - isAPIVersion:
+ of: cluster.open-cluster-management.io/v1beta2
+ - equal:
+ path: metadata.name
+ value: region-one
+ - equal:
+ path: metadata.annotations["cluster.open-cluster-management.io/submariner-broker-ns"]
+ value: region-one-broker
+ - equal:
+ path: metadata.annotations["argocd.argoproj.io/sync-options"]
+ value: SkipDryRunOnMissingResource=true
+
+ - it: should render ManagedClusterSet when clusterDeployments is defined
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-two
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: metadata.name
+ value: region-two
+
+ - it: should render one ManagedClusterSet per group with both pools and deployments
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ asserts:
+ - hasDocuments:
+ count: 1
+
+ - it: should render multiple ManagedClusterSets for multiple groups with pools
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ groupTwo:
+ name: region-two
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-west-2
+ asserts:
+ - hasDocuments:
+ count: 2
diff --git a/tests/managedclustersetbinding_test.yaml b/tests/managedclustersetbinding_test.yaml
new file mode 100644
index 0000000..4ec0e13
--- /dev/null
+++ b/tests/managedclustersetbinding_test.yaml
@@ -0,0 +1,59 @@
+suite: Test ManagedClusterSetBinding
+templates:
+ - templates/policies/managedclustersetbinding.yaml
+release:
+ name: release-test
+tests:
+ - it: should render ManagedClusterSetBinding when managedClusterGroups is set
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ManagedClusterSetBinding
+ - isAPIVersion:
+ of: cluster.open-cluster-management.io/v1beta2
+ - equal:
+ path: metadata.name
+ value: default
+ - equal:
+ path: spec.clusterSet
+ value: default
+ - equal:
+ path: metadata.annotations["argocd.argoproj.io/sync-options"]
+ value: SkipDryRunOnMissingResource=true
+
+ - it: should not render when managedClusterGroups is empty
+ set:
+ clusterGroup:
+ managedClusterGroups: {}
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not render when managedClusterGroups is null
+ set:
+ clusterGroup:
+ managedClusterGroups: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render exactly one document even with multiple groups
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: region-one
+ groupTwo:
+ name: region-two
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: metadata.name
+ value: default
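Review bot: `should render multiple ManagedClusterSets for multiple groups with pools` asserts only `hasDocuments: count: 2`, which two documents both named `region-one` would also satisfy; at apply time a duplicated name collapses to a single ManagedClusterSet and the second group's clusters end up in the wrong set without anything in this suite failing. The earlier single-group cases do pin `metadata.name`, so this case is the odd one out. Selecting each expected name and checking its kind makes the per-group rendering the thing under test.
```yaml
# … unchanged: set: block of "should render multiple ManagedClusterSets for multiple groups with pools" …
    asserts:
      - hasDocuments:
          count: 2
      - documentSelector:
          path: metadata.name
          value: region-one
        isKind:
          of: ManagedClusterSet
      - documentSelector:
          path: metadata.name
          value: region-two
        isKind:
          of: ManagedClusterSet
```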
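Review bot: No case in the ManagedClusterSetBinding suite asserts `metadata.namespace`, although a ManagedClusterSetBinding is namespace-scoped and the namespace it lands in is what entitles Placements in that namespace to select the `default` cluster set. The first case pins `metadata.name`, `spec.clusterSet` and the sync-options annotation, so the namespace is the one authorization-relevant field left unchecked; a template change that moved or dropped it would pass unnoticed. Add `- equal:` / `path: metadata.namespace` / `value: <EXPECTED_NAMESPACE — placeholder, take from the template>` to the first case, or an `isNull` on that path if the template deliberately relies on the release namespace, so the choice is recorded either way.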
diff --git a/tests/ocp_gitops_policy_edge_cases_test.yaml b/tests/ocp_gitops_policy_edge_cases_test.yaml
new file mode 100644
index 0000000..83ed32c
--- /dev/null
+++ b/tests/ocp_gitops_policy_edge_cases_test.yaml
@@ -0,0 +1,171 @@
+suite: Test ocp-gitops-policy edge cases
+templates:
+ - templates/policies/ocp-gitops-policy.yaml
+release:
+ name: release-test
+tests:
+ - it: should set custom route TLS when argocdServer route tls is configured
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ argocdServer:
+ route:
+ tls:
+ insecureEdgeTerminationPolicy: Allow
+ termination: passthrough
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.tls.insecureEdgeTerminationPolicy
+ value: Allow
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.tls.termination
+ value: passthrough
+
+ - it: should not include route TLS block when argocdServer is not configured
+ values:
+ - ./clusterselector_values.yaml
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ isNull:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.tls
+
+ - it: should use default TLS values when tls block has a key but no overrides
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ argocdServer:
+ route:
+ tls:
+ insecureEdgeTerminationPolicy: null
+ termination: null
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.tls.insecureEdgeTerminationPolicy
+ value: Redirect
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.tls.termination
+ value: reencrypt
+
+ - it: should not include route TLS block when tls is empty map
+ values:
+ - ./clusterselector_values.yaml
+ set:
+ global:
+ argocdServer:
+ route:
+ tls: {}
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ isNull:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.tls
+
+ - it: should render multiple groups each with their own set of resources
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: east
+ acmlabels:
+ - name: clusterGroup
+ value: east
+ groupTwo:
+ name: west
+ acmlabels:
+ - name: clusterGroup
+ value: west
+ asserts:
+ - hasDocuments:
+ count: 12
+ - documentSelector:
+ path: metadata.name
+ value: east-gitops-policy
+ isKind:
+ of: Policy
+ - documentSelector:
+ path: metadata.name
+ value: west-gitops-policy
+ isKind:
+ of: Policy
+ - documentSelector:
+ path: metadata.name
+ value: east-gitops-policy-argocd
+ isKind:
+ of: Policy
+ - documentSelector:
+ path: metadata.name
+ value: west-gitops-policy-argocd
+ isKind:
+ of: Policy
+
+ - it: should render server route as enabled
+ values:
+ - ./clusterselector_values.yaml
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: group-one-gitops-policy-argocd
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.server.route.enabled
+ value: true
+
+ - it: should set default channel when neither spokeGitops nor main gitops is set
+ set:
+ acm:
+ spokeGitops: null
+ main:
+ gitops:
+ channel: null
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ acmlabels:
+ - name: clusterGroup
+ value: region-one
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: region-one-gitops-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.channel
+ value: gitops-1.20
+
+ - it: should set default source when neither spokeGitops nor main gitops source is set
+ set:
+ acm:
+ spokeGitops: null
+ main:
+ gitops:
+ operatorSource: null
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ acmlabels:
+ - name: clusterGroup
+ value: region-one
+ asserts:
+ - documentSelector:
+ path: metadata.name
+ value: region-one-gitops-policy
+ equal:
+ path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.source
+ value: redhat-operators
diff --git a/tests/secrets_aws_test.yaml b/tests/secrets_aws_test.yaml
new file mode 100644
index 0000000..5152688
--- /dev/null
+++ b/tests/secrets_aws_test.yaml
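Review bot: `should use default TLS values when tls block has a key but no overrides` and `should not include route TLS block when tls is empty map` expect different output for fixtures that differ only in whether `insecureEdgeTerminationPolicy` and `termination` are present with `null` values, so the first case passes only if the test runner keeps null-valued keys in the merged values and the template then sees a non-empty `tls` map. Helm's own value coalescing drops keys set to null, which would turn the first fixture into the second and make the `Redirect`/`reencrypt` expectations fail; whether helm-unittest's `set` behaves the same way is not visible from this file. A comment on the first case, `# depends on null-valued keys surviving the values merge; if they are dropped this becomes the empty-map case below`, records the assumption for whoever next bumps the test tooling. The same assumption is presumably what the `spokeGitops: null` / `channel: null` fixtures in the last two cases rely on to clear defaults.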
@@ -0,0 +1,260 @@
+suite: Test AWS secrets provisioning
+templates:
+ - templates/provision/secrets-aws.yaml
+release:
+ name: release-test
+tests:
+ - it: should not render when no AWS clusterPools or clusterDeployments defined
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not render for Azure-only platform
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: azure.example.com
+ platform:
+ azure:
+ baseDomainResourceGroupName: dns-zones
+ region: eastus
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render creds and infra-creds ExternalSecrets for AWS clusterPool
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - hasDocuments:
+ count: 2
+ - documentIndex: 0
+ isKind:
+ of: ExternalSecret
+ - documentIndex: 0
+ equal:
+ path: metadata.name
+ value: spoke-region-one-creds
+ - documentIndex: 0
+ isNull:
+ path: metadata.namespace
+ - documentIndex: 0
+ equal:
+ path: spec.secretStoreRef.name
+ value: vault-backend
+ - documentIndex: 0
+ equal:
+ path: spec.secretStoreRef.kind
+ value: ClusterSecretStore
+ - documentIndex: 0
+ equal:
+ path: spec.dataFrom[0].extract.key
+ value: secret/data/hub/aws
+ - documentIndex: 1
+ isKind:
+ of: ExternalSecret
+ - documentIndex: 1
+ equal:
+ path: metadata.name
+ value: spoke-region-one-infra-creds
+ - documentIndex: 1
+ isNull:
+ path: metadata.namespace
+
+ - it: should render namespaced ExternalSecrets for AWS clusterDeployment
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterDeployments:
+ myCluster:
+ name: cluster1
+ baseDomain: example.com
+ openshiftVersion: "4.14.10"
+ platform:
+ aws:
+ region: us-east-1
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - hasDocuments:
+ count: 2
+ - documentIndex: 0
+ equal:
+ path: metadata.name
+ value: cluster1-region-one-creds
+ - documentIndex: 0
+ equal:
+ path: metadata.namespace
+ value: cluster1-region-one
+ - documentIndex: 1
+ equal:
+ path: metadata.name
+ value: cluster1-region-one-infra-creds
+ - documentIndex: 1
+ equal:
+ path: metadata.namespace
+ value: cluster1-region-one
+
+ - it: should use custom awsKeyPath when specified
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ awsKeyPath: secret/data/custom/aws-keys
+ platform:
+ aws:
+ region: us-east-1
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - documentIndex: 0
+ equal:
+ path: spec.dataFrom[0].extract.key
+ value: secret/data/custom/aws-keys
+ - documentIndex: 1
+ equal:
+ path: spec.data[1].remoteRef.key
+ value: secret/data/custom/aws-keys
+ - documentIndex: 1
+ equal:
+ path: spec.data[2].remoteRef.key
+ value: secret/data/custom/aws-keys
+
+ - it: should render infra-creds with correct data entries
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ testRegion:
+ name: region-one
+ clusterPools:
+ testPool:
+ name: spoke
+ openshiftVersion: "4.14.10"
+ baseDomain: example.com
+ platform:
+ aws:
+ region: us-east-1
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - documentIndex: 1
+ lengthEqual:
+ path: spec.data
+ count: 5
+ - documentIndex: 1
+ equal:
+ path: spec.data[0].secretKey
+ value: openshiftPullSecret
+ - documentIndex: 1
+ equal:
+ path: spec.data[1].secretKey
+ value: awsKeyId
+ - documentIndex: 1
+ equal:
+ path: spec.data[2].secretKey
+ value: awsAccessKey
+ - documentIndex: 1
+ equal:
+ path: spec.data[3].secretKey
+ value: sshPublicKey
+ - documentIndex: 1
+ equal:
+ path: spec.data[4].secretKey
+ value: sshPrivateKey
+ - documentIndex: 1
+ equal:
+ path: spec.target.template.metadata.labels["cluster.open-cluster-management.io/type"]
+ value: aws
+
+ - it: should render secrets for multiple managedClusterGroups with AWS pools
+ set:
+ clusterGroup:
+ managedClusterGroups:
+ groupOne:
+ name: east
+ clusterPools:
+ pool1:
+ name: pool-east
+ openshiftVersion: "4.14.10"
+ baseDomain: east.example.com
+ platform:
+ aws:
+ region: us-east-1
+ groupTwo:
+ name: west
+ clusterPools:
+ pool1:
+ name: pool-west
+ openshiftVersion: "4.15.2"
+ baseDomain: west.example.com
+ platform:
+ aws:
+ region: us-west-2
+ secretStore:
+ name: vault-backend
+ kind: ClusterSecretStore
+ asserts:
+ - hasDocuments:
+ count: 4
+ - documentSelector:
+ path: metadata.name
+ value: pool-east-east-creds
+ isKind:
+ of: ExternalSecret
+ - documentSelector:
+ path: metadata.name
+ value: pool-east-east-infra-creds
+ isKind:
+ of: ExternalSecret
+ - documentSelector:
+ path: metadata.name
+ value: pool-west-west-creds
+ isKind:
+ of: ExternalSecret
+ - documentSelector:
+ path: metadata.name
+ value: pool-west-west-infra-creds
+ isKind:
+ of: ExternalSecret
diff --git a/tests/secrets_azure_test.yaml b/tests/secrets_azure_test.yaml
new file mode 100644
index 0000000..50d5afd
--- /dev/null
+++ b/tests/secrets_azure_test.yaml
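Review bot: `should render infra-creds with correct data entries` pins the `secretKey` names for `spec.data[1]` (`awsKeyId`) and `spec.data[2]` (`awsAccessKey`), and the awsKeyPath case pins their `remoteRef.key`, but nothing asserts `remoteRef.property` for either entry, so a template edit that swaps which vault field feeds which key would still pass every case here. These two entries are the cloud credentials Hive uses for provisioning, and the `*-creds` secret in the first case is built with `dataFrom[0].extract` of the whole `secret/data/hub/aws` path, so the infra-creds mapping is the only place the field-to-key correspondence is spelled out. Pin the two properties explicitly; the values below are placeholders to be filled from the template.
```yaml
# … unchanged: secretKey asserts in "should render infra-creds with correct data entries" …
      - documentIndex: 1
        equal:
          path: spec.data[1].remoteRef.property
          value: AWS_KEY_ID_PROPERTY_PLACEHOLDER   # placeholder: vault field the template maps to awsKeyId
      - documentIndex: 1
        equal:
          path: spec.data[2].remoteRef.property
          value: AWS_ACCESS_KEY_PROPERTY_PLACEHOLDER   # placeholder: vault field the template maps to awsAccessKey
```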
@@ -0,0 +1,253 @@ +suite: Test Azure secrets provisioning +templates: + - templates/provision/secrets-azure.yaml +release: + name: release-test +tests: + - it: should not render when no Azure clusterPools or clusterDeployments defined + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 0 + + - it: should not render for AWS-only platform + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: spoke + openshiftVersion: "4.14.10" + baseDomain: example.com + platform: + aws: + region: us-east-1 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 0 + + - it: should render creds and infra-creds ExternalSecrets for Azure clusterPool + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: azpool + openshiftVersion: "4.15.2" + baseDomain: azure.example.com + platform: + azure: + baseDomainResourceGroupName: dns-zones + region: eastus + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 2 + - documentIndex: 0 + isKind: + of: ExternalSecret + - documentIndex: 0 + equal: + path: metadata.name + value: azpool-region-one-creds + - documentIndex: 0 + isNull: + path: metadata.namespace + - documentIndex: 0 + equal: + path: spec.data[0].secretKey + value: azureOsServicePrincipal + - documentIndex: 0 + equal: + path: spec.data[0].remoteRef.key + value: secret/data/hub/azureOsServicePrincipal + - documentIndex: 0 + equal: + path: spec.secretStoreRef.name + value: vault-backend + - documentIndex: 1 + isKind: + of: ExternalSecret + - documentIndex: 1 + equal: + path: metadata.name + value: azpool-region-one-infra-creds + - documentIndex: 1 + isNull: + path: metadata.namespace + + - it: should render namespaced ExternalSecrets for Azure 
clusterDeployment + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterDeployments: + myCluster: + name: azcluster + baseDomain: azure.example.com + openshiftVersion: "4.15.2" + platform: + azure: + baseDomainResourceGroupName: dns-zones + region: eastus + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 2 + - documentIndex: 0 + equal: + path: metadata.name + value: azcluster-region-one-creds + - documentIndex: 0 + equal: + path: metadata.namespace + value: azcluster-region-one + - documentIndex: 1 + equal: + path: metadata.name + value: azcluster-region-one-infra-creds + - documentIndex: 1 + equal: + path: metadata.namespace + value: azcluster-region-one + + - it: should use custom azureKeyPath when specified + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: azpool + openshiftVersion: "4.15.2" + baseDomain: azure.example.com + azureKeyPath: secret/data/custom/azure-creds + platform: + azure: + baseDomainResourceGroupName: dns-zones + region: eastus + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - documentIndex: 0 + equal: + path: spec.data[0].remoteRef.key + value: secret/data/custom/azure-creds + - documentIndex: 1 + equal: + path: spec.data[3].remoteRef.key + value: secret/data/custom/azure-creds + + - it: should render infra-creds with correct data entries and baseDomain + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: azpool + openshiftVersion: "4.15.2" + baseDomain: azure.example.com + platform: + azure: + baseDomainResourceGroupName: my-dns-zones + region: eastus + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - documentIndex: 1 + lengthEqual: + path: spec.data + count: 4 + - documentIndex: 1 + equal: + path: spec.data[0].secretKey + value: openshiftPullSecret + - documentIndex: 1 + 
equal: + path: spec.data[1].secretKey + value: sshPublicKey + - documentIndex: 1 + equal: + path: spec.data[2].secretKey + value: sshPrivateKey + - documentIndex: 1 + equal: + path: spec.data[3].secretKey + value: azureOsServicePrincipal + + - it: should render secrets for multiple managedClusterGroups with Azure pools + set: + clusterGroup: + managedClusterGroups: + groupOne: + name: east + clusterPools: + pool1: + name: pool-east + openshiftVersion: "4.15.2" + baseDomain: east.azure.example.com + platform: + azure: + baseDomainResourceGroupName: dns-zones-east + region: eastus + groupTwo: + name: west + clusterPools: + pool1: + name: pool-west + openshiftVersion: "4.15.2" + baseDomain: west.azure.example.com + platform: + azure: + baseDomainResourceGroupName: dns-zones-west + region: westus2 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 4 + - documentSelector: + path: metadata.name + value: pool-east-east-creds + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: pool-east-east-infra-creds + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: pool-west-west-creds + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: pool-west-west-infra-creds + isKind: + of: ExternalSecret diff --git a/tests/secrets_common_test.yaml b/tests/secrets_common_test.yaml new file mode 100644 index 0000000..32461ea --- /dev/null +++ b/tests/secrets_common_test.yaml 
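Review bot: The test `should render infra-creds with correct data entries and baseDomain` sets `baseDomainResourceGroupName: my-dns-zones` and promises a baseDomain check in its name, but none of its assertions touch baseDomain or the resource group, so that fixture is dead and a regression in whatever the template renders from it would pass. Either assert on the rendered field (its path depends on `templates/provision/secrets-azure.yaml`, which is outside this hunk) or drop `and baseDomain` from the test name so the suite does not overstate its coverage. The Azure suite also pins `spec.secretStoreRef.name` only on document 0 and never `spec.secretStoreRef.kind`, whereas the common suite asserts both; adding `- documentIndex: 1` / `equal: {path: spec.secretStoreRef.kind, value: ClusterSecretStore}` would catch a store mix-up on the infra-creds document that carries the service-principal credential. A matching default-path assertion on document 1 (`spec.data[3].remoteRef.key`) would complement the custom-path case, which currently checks only the override.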
@@ -0,0 +1,299 @@ +suite: Test common secrets provisioning +templates: + - templates/provision/secrets-common.yaml +release: + name: release-test +tests: + - it: should not render when no clusterPools or clusterDeployments defined + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 0 + + - it: should render install-config pull-secret and ssh-key for AWS clusterPool + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: spoke + openshiftVersion: "4.14.10" + baseDomain: example.com + platform: + aws: + region: us-east-1 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 3 + - documentIndex: 0 + isKind: + of: Secret + - documentIndex: 0 + equal: + path: metadata.name + value: spoke-region-one-install-config + - documentIndex: 0 + isNull: + path: metadata.namespace + - documentIndex: 1 + isKind: + of: ExternalSecret + - documentIndex: 1 + equal: + path: metadata.name + value: spoke-region-one-pull-secret + - documentIndex: 1 + isNull: + path: metadata.namespace + - documentIndex: 1 + equal: + path: spec.target.template.type + value: kubernetes.io/dockerconfigjson + - documentIndex: 2 + isKind: + of: ExternalSecret + - documentIndex: 2 + equal: + path: metadata.name + value: spoke-region-one-ssh-private-key + - documentIndex: 2 + isNull: + path: metadata.namespace + + - it: should render namespaced secrets for clusterDeployment + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterDeployments: + myCluster: + name: cluster1 + baseDomain: example.com + openshiftVersion: "4.14.10" + platform: + aws: + region: us-east-1 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 3 + - documentIndex: 0 + equal: + path: metadata.name + value: 
cluster1-region-one-install-config + - documentIndex: 0 + equal: + path: metadata.namespace + value: cluster1-region-one + - documentIndex: 1 + equal: + path: metadata.name + value: cluster1-region-one-pull-secret + - documentIndex: 1 + equal: + path: metadata.namespace + value: cluster1-region-one + - documentIndex: 2 + equal: + path: metadata.name + value: cluster1-region-one-ssh-private-key + - documentIndex: 2 + equal: + path: metadata.namespace + value: cluster1-region-one + + - it: should use custom pullSecretKeyPath when specified + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: spoke + openshiftVersion: "4.14.10" + baseDomain: example.com + pullSecretKeyPath: secret/data/custom/pullsecret + platform: + aws: + region: us-east-1 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - documentIndex: 1 + equal: + path: spec.data[0].remoteRef.key + value: secret/data/custom/pullsecret + + - it: should use custom sshPrivateKeyPath when specified + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: spoke + openshiftVersion: "4.14.10" + baseDomain: example.com + sshPrivateKeyPath: secret/data/custom/ssh + platform: + aws: + region: us-east-1 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - documentIndex: 2 + equal: + path: spec.data[0].remoteRef.key + value: secret/data/custom/ssh + + - it: should use correct secretStoreRef + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: spoke + openshiftVersion: "4.14.10" + baseDomain: example.com + platform: + aws: + region: us-east-1 + secretStore: + name: my-secret-store + kind: SecretStore + asserts: + - documentIndex: 1 + equal: + path: spec.secretStoreRef.name + value: my-secret-store + - documentIndex: 1 + equal: + path: spec.secretStoreRef.kind + value: SecretStore + - 
documentIndex: 2 + equal: + path: spec.secretStoreRef.name + value: my-secret-store + + - it: should render 6 documents when both clusterPool and clusterDeployment exist + set: + clusterGroup: + managedClusterGroups: + testRegion: + name: region-one + clusterPools: + testPool: + name: pool1 + openshiftVersion: "4.14.10" + baseDomain: example.com + platform: + aws: + region: us-east-1 + clusterDeployments: + myCluster: + name: cluster1 + baseDomain: example.com + openshiftVersion: "4.14.10" + platform: + aws: + region: us-east-1 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 6 + + - it: should render secrets for multiple managedClusterGroups + set: + clusterGroup: + managedClusterGroups: + groupOne: + name: east + clusterPools: + pool1: + name: pool-east + openshiftVersion: "4.14.10" + baseDomain: east.example.com + platform: + aws: + region: us-east-1 + groupTwo: + name: west + clusterDeployments: + deploy1: + name: cluster-west + baseDomain: west.example.com + openshiftVersion: "4.15.2" + platform: + azure: + baseDomainResourceGroupName: dns-zones + region: westus2 + secretStore: + name: vault-backend + kind: ClusterSecretStore + asserts: + - hasDocuments: + count: 6 + - documentSelector: + path: metadata.name + value: pool-east-east-install-config + isKind: + of: Secret + - documentSelector: + path: metadata.name + value: pool-east-east-pull-secret + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: pool-east-east-ssh-private-key + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: cluster-west-west-install-config + isKind: + of: Secret + - documentSelector: + path: metadata.name + value: cluster-west-west-pull-secret + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: cluster-west-west-ssh-private-key + isKind: + of: ExternalSecret + - documentSelector: + path: metadata.name + value: pool-east-east-pull-secret + 
isNull: + path: metadata.namespace + - documentSelector: + path: metadata.name + value: cluster-west-west-pull-secret + equal: + path: metadata.namespace + value: cluster-west-west
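Review bot: `should use custom pullSecretKeyPath when specified` and `should use custom sshPrivateKeyPath when specified` pin only the override path; nothing in this suite asserts the default `remoteRef.key` (or `remoteRef.property`) for the pull-secret and ssh-private-key ExternalSecrets, while the Azure suite does pin `secret/data/hub/azureOsServicePrincipal`. A template change that silently repoints the default Vault path for the pull secret or the SSH private key would pass every test here; add to the AWS clusterPool case `- documentIndex: 1` / `equal: {path: spec.data[0].remoteRef.key, value: <default from secrets-common.yaml>}` and the same for document 2, taking the expected values from the template, which is outside this hunk. The install-config document is a plain `Secret` rendered by the chart rather than an ExternalSecret, and the suite checks only its kind, name and namespace; if the template embeds an SSH key or pull secret in the install-config body, a `notMatchRegex` on that field would guard against credential material being committed to rendered manifests — confirm against the template before adding it.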