diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index 23afff66..1336f822 100644
--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -37,7 +37,10 @@ jobs:
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
-
+ - name: install helm unittests
+ if: steps.list-changed.outputs.changed == 'true'
+ run: |
+ helm plugin install --version v0.3.6 https://github.com/helm-unittest/helm-unittest
- name: Run chart-testing (lint)
if: steps.list-changed.outputs.changed == 'true'
run: |
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..b00e1ed9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+# IDE or Editor-specific
+.idea/
+.vscode/
diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml
index 84c711a3..067567c8 100644
--- a/charts/atlantis/Chart.yaml
+++ b/charts/atlantis/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
appVersion: v0.27.0
description: A Helm chart for Atlantis https://www.runatlantis.io
name: atlantis
-version: 4.19.0
+version: 4.20.0
keywords:
- terraform
home: https://www.runatlantis.io
diff --git a/charts/atlantis/templates/secret-webhook.yaml b/charts/atlantis/templates/secret-webhook.yaml
index 3661feef..6d4782c4 100644
--- a/charts/atlantis/templates/secret-webhook.yaml
+++ b/charts/atlantis/templates/secret-webhook.yaml
@@ -23,7 +23,7 @@ data:
{{- if .Values.bitbucket.baseURL }}
bitbucket_secret: {{ required "bitbucket.secret is required if bitbucket.baseURL is specified." .Values.bitbucket.secret | b64enc }}
{{- end}}
- {{- end }}
+ {{- end }}
{{- if .Values.azuredevops }}
azuredevops_token: {{ required "azuredevops.token is required if azuredevops configuration is specified." .Values.azuredevops.token | b64enc }}
azuredevops_webhook_password: {{ required "azuredevops.webhookPassword is required if azuredevops configuration is specified." .Values.azuredevops.webhookPassword | b64enc }} 
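Review bot: The new `install helm unittests` step pins the plugin to the git tag `v0.3.6`, and a tag is movable, so each run executes whatever the plugin's install hook fetches from that ref at build time, on a runner whose environment carries the workflow token. If the plugin ships prebuilt release assets (the helm-unittest install hook appears to download a binary — confirm against its plugin.yaml), consider pinning to a commit and checking the archive's checksum, or at minimum following the install with `helm plugin list | grep -q unittest` so a broken install fails here rather than inside `ct`. The `jobs:` step list continues outside the hunk.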
diff --git a/charts/atlantis/templates/statefulset.yaml b/charts/atlantis/templates/statefulset.yaml
index 76e37382..05e5b654 100644
--- a/charts/atlantis/templates/statefulset.yaml
+++ b/charts/atlantis/templates/statefulset.yaml
@@ -181,9 +181,9 @@ spec:
{{- if .Values.command }}
command:
{{- range .Values.command }}
- - {{ . }}
- {{- end }}
- {{- end }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
args:
- server
{{- if .Values.config }}
diff --git a/charts/atlantis/tests/secret-api_test.yaml b/charts/atlantis/tests/secret-api_test.yaml
new file mode 100644
index 00000000..d7413c11
--- /dev/null
+++ b/charts/atlantis/tests/secret-api_test.yaml
@@ -0,0 +1,38 @@
+---
+suite: test secret-api for api secret
+templates:
+ - secret-api.yaml
+release:
+ name: my-release
+tests:
+ - it: default values
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: apiSecretName
+ set:
+ apiSecretName: 'atlantis-api'
+ asserts:
+ - hasDocuments:
+ count: 0
+ - it: apiSecret
+ set:
+ api.secret: 'spongebob'
+ commonLabels:
+ team: "infra"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Secret
+ - isAPIVersion:
+ of: v1
+ - equal:
+ path: metadata.name
+ value: my-release-atlantis-api
+ - equal:
+ path: data["apisecret"]
+ value: c3BvbmdlYm9i
+ - equal:
+ path: metadata.labels.team
+ value: infra
diff --git a/charts/atlantis/tests/secret-aws_test.yaml b/charts/atlantis/tests/secret-aws_test.yaml
new file mode 100644
index 00000000..7fa73fed
--- /dev/null
+++ b/charts/atlantis/tests/secret-aws_test.yaml 
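Review bot: Files under `charts/atlantis/tests/` are not rendered as templates, but `helm package` bundles every non-ignored file in the chart directory, so this suite and its siblings — including the base64-encoded placeholder credentials and `.netrc`/`.gitconfig` fixtures — will ship inside the published chart archive unless the chart's `.helmignore` (not part of this diff) lists `tests/`. Please confirm that entry exists, or add it in this change. A header comment such as `# helm-unittest suite; excluded from the packaged chart via .helmignore` at the top of each suite would make that dependency visible to whoever adds the next fixture.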
@@ -0,0 +1,52 @@ +--- +suite: test secret-aws for aws +templates: + - secret-aws.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: awsSecretName + set: + awsSecretName: 'atlantis-aws' + asserts: + - hasDocuments: + count: 0 + - it: aws + set: + aws: + credentials: | + [default] + aws_access_key_id=YOUR_ACCESS_KEY_ID + aws_secret_access_key=YOUR_SECRET_ACCESS_KEY + region=us-east-1 + config: | + [profile a_role_to_assume] + role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume + source_profile = default + commonLabels: + team: "infra" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-aws + - equal: + path: data["config"] + value: W3Byb2ZpbGUgYV9yb2xlX3RvX2Fzc3VtZV0Kcm9sZV9hcm4gPSBhcm46YXdzOmlhbTo6MTIzNDU2Nzg5OnJvbGUvc2VydmljZS1yb2xlL3JvbGVUb0Fzc3VtZQpzb3VyY2VfcHJvZmlsZSA9IGRlZmF1bHQK + - equal: + path: data["credentials"] + value: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPVlPVVJfQUNDRVNTX0tFWV9JRAphd3Nfc2VjcmV0X2FjY2Vzc19rZXk9WU9VUl9TRUNSRVRfQUNDRVNTX0tFWQpyZWdpb249dXMtZWFzdC0xCg== + - equal: + path: metadata.labels.team + value: infra + + diff --git a/charts/atlantis/tests/secret-basic-auth_test.yaml b/charts/atlantis/tests/secret-basic-auth_test.yaml new file mode 100644 index 00000000..2c2b8d1d --- /dev/null +++ b/charts/atlantis/tests/secret-basic-auth_test.yaml 
@@ -0,0 +1,44 @@ +--- +suite: test secret-basic-auth for git basic-auth secret +templates: + - secret-basic-auth.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: basicAuthSecretName + set: + basicAuthSecretName: "atlantis-basic-auth" + asserts: + - hasDocuments: + count: 0 + - it: basicAuth + set: + basicAuth: + username: "atlantis" + password: "forever" + commonLabels: + team: "infra" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-basic-auth + - equal: + path: data["username"] + value: YXRsYW50aXM= + - equal: + path: data["password"] + value: Zm9yZXZlcg== + - equal: + path: metadata.labels.team + value: infra + diff --git a/charts/atlantis/tests/secret-gitconfig_test.yaml b/charts/atlantis/tests/secret-gitconfig_test.yaml new file mode 100644 index 00000000..9ddb465a --- /dev/null +++ b/charts/atlantis/tests/secret-gitconfig_test.yaml @@ -0,0 +1,45 @@ +--- +suite: test secret-gitconfig for gitconfig +templates: + - secret-gitconfig.yaml +release: + name: my-release +tests: + - it: default values + template: secret-gitconfig.yaml + asserts: + - hasDocuments: + count: 0 + - it: gitconfigSecretName + template: secret-gitconfig.yaml + set: + gitconfigSecretName: 'atlantis-gitconfig' + asserts: + - hasDocuments: + count: 0 + - it: gitconfig + template: secret-gitconfig.yaml + set: + gitconfig: | + [url "https://YOUR_GH_TOKEN@github.com"] + insteadOf = https://github.com + commonLabels: + team: "infra" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-gitconfig + - equal: + path: data["gitconfig"] + value: W3VybCAiaHR0cHM6Ly9ZT1VSX0dIX1RPS0VOQGdpdGh1Yi5jb20iXQppbnN0ZWFkT2YgPSBodHRwczovL2dpdGh1Yi5jb20K + - equal: + path: metadata.labels.team + value: infra + + 
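Review bot: Every case in `secret-gitconfig_test.yaml` repeats `template: secret-gitconfig.yaml` although the suite-level `templates:` already lists only that file; the sibling suites (`secret-api_test.yaml`, `secret-netrc_test.yaml`) omit the per-case key, so dropping it here keeps the suites uniform. The file also ends with two empty `+` lines, which yamllint's `empty-lines` rule would flag; one trailing newline is enough. The `gitconfig` fixture embeds a token placeholder in the URL (`https://YOUR_GH_TOKEN@github.com`), which is fine while it stays obviously fake — a comment `# placeholder only; never paste a real token into a fixture` above the block makes that explicit for the next editor.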
diff --git a/charts/atlantis/tests/secret-netrc_test.yaml b/charts/atlantis/tests/secret-netrc_test.yaml new file mode 100644 index 00000000..631da999 --- /dev/null +++ b/charts/atlantis/tests/secret-netrc_test.yaml @@ -0,0 +1,42 @@ +--- +suite: test secret-netrc for netrc +templates: + - secret-netrc.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: netrcSecretName + set: + netrcSecretName: 'atlantis-netrc' + asserts: + - hasDocuments: + count: 0 + - it: netrc + set: + netrc: | + machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + commonLabels: + team: "infra" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-netrc + - equal: + path: data["netrc"] + value: bWFjaGluZSBhcnRpZmFjdG9yeS5teWFwcC5jb20gbG9naW4gWU9VUl9VU0VSTkFNRSBwYXNzd29yZCBZT1VSX1BBU1NXT1JECm1hY2hpbmUgYml0YnVja2V0Lm15YXBwLmNvbSBsb2dpbiBZT1VSX1VTRVJOQU1FIHBhc3N3b3JkIFlPVVJfUEFTU1dPUkQK + - equal: + path: metadata.labels.team + value: infra + + diff --git a/charts/atlantis/tests/secret-service-account_test.yaml b/charts/atlantis/tests/secret-service-account_test.yaml new file mode 100644 index 00000000..9c0bb7a8 --- /dev/null +++ b/charts/atlantis/tests/secret-service-account_test.yaml 
@@ -0,0 +1,57 @@ +--- +suite: test secret-service-account for serviceAccountSecrets +templates: + - secret-service-account.yaml +release: + name: my-release +tests: + - it: default values + template: secret-service-account.yaml + asserts: + - hasDocuments: + count: 0 + - it: serviceAccountSecrets + template: secret-service-account.yaml + set: + serviceAccountSecrets: + credentials: VG9ueSBTb3ByYW5v + credentials-staging: Q2FybWVsYSBTb3ByYW5v + commonLabels: + team: infra + asserts: + - hasDocuments: + count: 2 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.labels.component + value: service-account-secret + - documentIndex: 0 + equal: + path: data["service-account.json"] + value: VG9ueSBTb3ByYW5v + - documentIndex: 0 + equal: + path: metadata.name + value: credentials + - documentIndex: 0 + equal: + path: metadata.labels.team + value: infra + - documentIndex: 1 + equal: + path: data["service-account.json"] + value: Q2FybWVsYSBTb3ByYW5v + - documentIndex: 1 + equal: + path: metadata.name + value: credentials-staging + - documentIndex: 1 + equal: + path: metadata.labels.team + value: infra + + + diff --git a/charts/atlantis/tests/secret-webhook_test.yaml b/charts/atlantis/tests/secret-webhook_test.yaml new file mode 100644 index 00000000..4c263c7b --- /dev/null +++ b/charts/atlantis/tests/secret-webhook_test.yaml 
@@ -0,0 +1,177 @@ +--- +suite: test secret-webhook for git webhook secret +templates: + - secret-webhook.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-webhook + - isNullOrEmpty: + path: data + - it: vcsSecretName + set: + vcsSecretName: atlantis-vcs + asserts: + - hasDocuments: + count: 0 + - it: githubApp only id set + set: + githubApp: + id: 123456 + asserts: + - failedTemplate: + errorMessage: githubApp.key is required if githubApp configuration is specified. + - it: githubApp only id and key are set + set: + githubApp: + id: 123456 + key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + asserts: + - failedTemplate: + errorMessage: githubApp.secret is required if githubApp configuration is specified. + - it: githubApp + set: + githubApp: + id: 123456 + key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + secret: baz + asserts: + - equal: + path: data + value: + github_secret: YmF6 + key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi4uLgotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg== + - it: github only user set + set: + github: + user: foo + asserts: + - failedTemplate: + errorMessage: github.token is required if github configuration is specified. + - it: github only user and token are set + set: + github: + user: foo + token: bar + asserts: + - failedTemplate: + errorMessage: github.secret is required if github configuration is specified. + - it: github + set: + github: + user: foo + token: bar + secret: baz + asserts: + - equal: + path: data + value: + github_secret: YmF6 + github_token: YmFy + - it: gitlab only user set + set: + gitlab: + user: foo + asserts: + - failedTemplate: + errorMessage: gitlab.token is required if gitlab configuration is specified. 
+ - it: gitlab only user and token are set + set: + gitlab: + user: foo + token: bar + asserts: + - failedTemplate: + errorMessage: gitlab.secret is required if gitlab configuration is specified. + - it: gitlab + set: + github: + user: foo + token: bar + secret: baz + asserts: + - equal: + path: data + value: + github_secret: YmF6 + github_token: YmFy + - it: bitbucket only user set + set: + bitbucket: + user: foo + asserts: + - failedTemplate: + errorMessage: bitbucket.token is required if bitbucket configuration is specified. + - it: bitbucket user and token are set + set: + bitbucket: + user: foo + token: bar + asserts: + - equal: + path: data + value: + bitbucket_token: YmFy + - it: bitbucket server only user and token are set + set: + bitbucket: + user: foo + token: bar + baseURL: https://bitbucket.yourorganization.com + asserts: + - failedTemplate: + errorMessage: bitbucket.secret is required if bitbucket.baseURL is specified. + - it: bitbucket server + set: + bitbucket: + user: foo + token: bar + secret: baz + baseURL: https://bitbucket.yourorganization.com + asserts: + - equal: + path: data + value: + bitbucket_secret: YmF6 + bitbucket_token: YmFy + - it: azuredevops only token set + set: + azuredevops: + token: bar + asserts: + - failedTemplate: + errorMessage: azuredevops.webhookPassword is required if azuredevops + configuration is specified. + - it: azuredevops + set: + azuredevops: + token: bar + webhookPassword: baz + asserts: + - equal: + path: data + value: + azuredevops_token: YmFy + azuredevops_webhook_password: YmF6 + - it: commonLabels + set: + commonLabels: + team: infra + asserts: + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/service_test.yaml b/charts/atlantis/tests/service_test.yaml new file mode 100644 index 00000000..892f61e0 --- /dev/null +++ b/charts/atlantis/tests/service_test.yaml 
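Review bot: The `gitlab` case sets `github:` and asserts `github_secret`/`github_token`, so it merely duplicates the `github` case and the GitLab branch of `secret-webhook.yaml` is never rendered with a complete configuration — the two preceding `gitlab only …` cases only check the `required` failures. Change the fixture key to `gitlab:` and the expected data to `gitlab_secret: YmF6` and `gitlab_token: YmFy`, the key names the statefulset suite already references through `secretKeyRef`. As written, this case would keep passing after a regression that broke the gitlab block of the template.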
@@ -0,0 +1,89 @@ +--- +suite: test service +templates: + - service.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - isKind: + of: Service + - equal: + path: apiVersion + value: v1 + - equal: + path: metadata.name + value: my-release-atlantis + - equal: + path: spec + value: + ports: + - name: atlantis + port: 80 + protocol: TCP + targetPort: 4141 + selector: + app: atlantis + release: my-release + type: NodePort + - it: loadBalancerSourceRanges + set: + service: + loadBalancerSourceRanges: + - 10.0.0.0/8 + asserts: + - equal: + path: spec.loadBalancerSourceRanges + value: + - 10.0.0.0/8 + - it: loadBalancerIP + set: + service: + loadBalancerIP: 172.16.5.2 + asserts: + - equal: + path: spec.loadBalancerIP + value: 172.16.5.2 + - it: service type + set: + service: + type: ClusterIP + annotations: + haproxy.org/check: "true" + port: 8080 + targetPort: 8181 + asserts: + - equal: + path: metadata.annotations + value: + haproxy.org/check: "true" + - equal: + path: spec + value: + ports: + - name: atlantis + port: 8080 + protocol: TCP + targetPort: 8181 + selector: + app: atlantis + release: my-release + type: ClusterIP + - it: nodePort + set: + service: + type: NodePort + nodePort: 30000 + asserts: + - equal: + path: spec.ports[0].nodePort + value: 30000 + - it: commonLabels + set: + commonLabels: + team: infra + asserts: + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml new file mode 100644 index 00000000..34d5e5ba --- /dev/null +++ b/charts/atlantis/tests/statefulset_test.yaml 
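Review bot: The `default values` case checks the API version with `equal: path: apiVersion value: v1` while every other suite in this commit uses the dedicated `isAPIVersion: of: v1` matcher; using the same assertion here keeps the suites and their failure messages consistent. The same case pins `type: NodePort` as the chart default, which exposes the Atlantis webhook listener on a port of every cluster node rather than only inside the cluster — if that default is intentional, a comment on the assertion such as `# NodePort is the chart default; production deployments usually override to ClusterIP behind an ingress` explains why the test expects it.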
@@ -0,0 +1,894 @@ +--- +suite: test statefulset +templates: + - configmap-config.yaml + - configmap-repo-config.yaml + - statefulset.yaml +chart: + appVersion: test-appVersion +release: + name: my-release +tests: + - it: default values + template: statefulset.yaml + asserts: + - isKind: + of: StatefulSet + - equal: + path: apiVersion + value: apps/v1 + - equal: + path: metadata.name + value: my-release-atlantis + - equal: + path: metadata.labels.app + value: atlantis + - matchRegex: + path: metadata.labels.chart + pattern: ^atlantis- + - equal: + path: metadata.labels.heritage + value: Helm + - equal: + path: metadata.labels.release + value: my-release + - notExists: + path: metadata.annotations + - equal: + path: spec.serviceName + value: my-release-atlantis + - equal: + path: spec.replicas + value: 1 + - equal: + path: spec.selector + value: + matchLabels: + app: atlantis + release: my-release + - equal: + path: spec.template.metadata.labels + value: + app: atlantis + release: my-release + - equal: + path: spec.template.metadata.annotations + value: + checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + checksum/repo-config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + - notExists: + path: spec.template.spec.hostAliases + - equal: + path: spec.template.spec.hostNetwork + value: false + - equal: + path: spec.template.spec.serviceAccountName + value: my-release-atlantis + - equal: + path: spec.template.spec.shareProcessNamespace + value: false + - equal: + path: spec.template.spec.automountServiceAccountToken + value: true + - notExists: + path: spec.template.spec.terminationGracePeriodSeconds + - equal: + path: spec.template.spec.securityContext + value: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 100 + - notExists: + path: spec.template.spec.priorityClassName + - isNullOrEmpty: + path: spec.template.spec.volumes + - notExists: + path: spec.template.spec.imagePullSecrets + - notExists: + 
path: spec.template.spec.initContainers + - equal: + path: spec.template.spec.containers[0].name + value: atlantis + - equal: + path: spec.template.spec.containers[0].image + value: ghcr.io/runatlantis/atlantis:test-appVersion + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - notExists: + path: spec.template.spec.containers[0].securityContext + - equal: + path: spec.template.spec.containers[0].args + value: + - server + - equal: + path: spec.template.spec.containers[0].ports + value: + - containerPort: 4141 + name: atlantis + - notExists: + path: spec.template.spec.containers[0].lifeCycle + - notExists: + path: spec.template.spec.containers[0].envFrom + - equal: + path: spec.template.spec.containers[0].env + value: + - name: ATLANTIS_DATA_DIR + value: /atlantis-data + - name: ATLANTIS_REPO_ALLOWLIST + value: + - name: ATLANTIS_PORT + value: "4141" + - name: ATLANTIS_ATLANTIS_URL + value: http:// + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + failureThreshold: 5 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + failureThreshold: 5 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 5 + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - mountPath: /atlantis-data + name: atlantis-data + - isNullOrEmpty: + path: spec.template.spec.containers[0].resources + - notExists: + path: spec.template.spec.nodeSelector + - notExists: + path: spec.template.spec.tolerations + - notExists: + path: spec.template.spec.topologySpreadConstraints + - notExists: + path: spec.template.spec.updateStrategy + - equal: + path: spec.volumeClaimTemplates + value: + - metadata: + name: atlantis-data + spec: + accessModes: + - ReadWriteOnce + 
resources: + requests: + storage: 5Gi + - it: replicaCount + template: statefulset.yaml + set: + replicaCount: 2 + asserts: + - equal: + path: spec.replicas + value: 2 + - it: hostAliases + template: statefulset.yaml + set: + hostAliases: + - hostnames: + - aaa.com + - test.ccc.com + ip: 10.0.0.0 + - hostnames: + - bbb.com + ip: 10.0.0.2 + asserts: + - equal: + path: spec.template.spec.hostAliases + value: + - hostnames: + - aaa.com + - test.ccc.com + ip: 10.0.0.0 + - hostnames: + - bbb.com + ip: 10.0.0.2 + - it: hostNetwork + template: statefulset.yaml + set: + hostNetwork: true + asserts: + - equal: + path: spec.template.spec.hostNetwork + value: true + - it: serviceAccountName + template: statefulset.yaml + set: + serviceAccount.name: atlantis-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: atlantis-sa + - it: shareProcessNamespace + template: statefulset.yaml + set: + statefulSet.shareProcessNamespace: true + asserts: + - equal: + path: spec.template.spec.shareProcessNamespace + value: true + - it: automountServiceAccountToken + template: statefulset.yaml + set: + serviceAccount.mount: false + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - it: tlsSecretName + template: statefulset.yaml + set: + tlsSecretName: test-tls + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: tls + secret: + secretName: test-tls + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "tls")] + value: + mountPath: /etc/tls/ + name: tls + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_SSL_CERT_FILE + value: /etc/tls/tls.crt + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_SSL_KEY_FILE + value: /etc/tls/tls.key + - it: serviceAccountSecrets + template: statefulset.yaml + set: + serviceAccountSecrets: + credentials: VG9ueSBTb3ByYW5v + credentials-staging: Q2FybWVsYSBTb3ByYW5v + asserts: + - 
equal: + path: spec.template.spec.volumes + value: + - name: credentials-volume + secret: + secretName: credentials + - name: credentials-staging-volume + secret: + secretName: credentials-staging + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "credentials-volume")] + value: + mountPath: /etc/credentials + name: credentials-volume + readOnly: true + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "credentials-staging-volume")] + value: + mountPath: /etc/credentials-staging + name: credentials-staging-volume + readOnly: true + - it: googleServiceAccountSecrets + template: statefulset.yaml + set: + googleServiceAccountSecrets: + - name: gcp-ci + secretName: gcp-ci-secret + - name: gcp-staging + secretName: gcp-staging-secret + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: gcp-ci + secret: + secretName: gcp-ci-secret + - name: gcp-staging + secret: + secretName: gcp-staging-secret + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gcp-ci")] + value: + mountPath: /var/secrets/gcp-ci + name: gcp-ci + readOnly: true + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gcp-staging")] + value: + mountPath: /var/secrets/gcp-staging + name: gcp-staging + readOnly: true + - it: gitconfig + template: statefulset.yaml + set: + gitconfig: | + [url "https://YOUR_GH_TOKEN@github.com"] + insteadOf = https://github.com + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: gitconfig-volume + secret: + secretName: my-release-atlantis-gitconfig + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "gitconfig-volume")] + value: + mountPath: /home/atlantis/.gitconfig + name: gitconfig-volume + readOnly: true + subPath: gitconfig + - it: gitconfigSecretName + template: statefulset.yaml + set: + gitconfigSecretName: atlantis-gitconfig + asserts: + - equal: + path: spec.template.spec.volumes + value: + - 
name: gitconfig-volume + secret: + secretName: atlantis-gitconfig + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "gitconfig-volume")] + value: + mountPath: /home/atlantis/.gitconfig + name: gitconfig-volume + readOnly: true + subPath: gitconfig + - it: netrc + template: statefulset.yaml + set: + netrc: | + machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: netrc-volume + secret: + secretName: my-release-atlantis-netrc + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] + value: + mountPath: /home/atlantis/.netrc + name: netrc-volume + readOnly: true + subPath: netrc + - it: netrcSecretName + template: statefulset.yaml + set: + netrcSecretName: atlantis-netrc + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: netrc-volume + secret: + secretName: atlantis-netrc + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] + value: + mountPath: /home/atlantis/.netrc + name: netrc-volume + readOnly: true + subPath: netrc + - it: aws + template: statefulset.yaml + set: + aws: + credentials: | + [default] + aws_access_key_id=YOUR_ACCESS_KEY_ID + aws_secret_access_key=YOUR_SECRET_ACCESS_KEY + region=us-east-1 + config: | + [profile a_role_to_assume] + role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume + source_profile = default + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: aws-volume + secret: + secretName: my-release-atlantis-aws + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")] + value: + mountPath: /home/atlantis/.aws + name: aws-volume + readOnly: true + - it: aws directory + template: statefulset.yaml + set: + aws: + directory: /etc/aws_config + asserts: + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: AWS_CONFIG_FILE + value: /etc/aws_config/config + - contains: + path: spec.template.spec.containers[0].env + content: + name: AWS_SHARED_CREDENTIALS_FILE + value: /etc/aws_config/credentials + - it: awsSecretName + template: statefulset.yaml + set: + awsSecretName: atlantis-aws + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: aws-volume + secret: + secretName: atlantis-aws + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")] + value: + mountPath: /home/atlantis/.aws + name: aws-volume + readOnly: true + - it: githubApp + template: statefulset.yaml + set: + githubApp: + id: 123456 + slug: foo + key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + secret: baz + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: github-app-key-volume + secret: + items: + - key: key.pem + path: key.pem + secretName: my-release-atlantis-webhook + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "github-app-key-volume")] + value: + mountPath: /var/github-app + name: github-app-key-volume + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_ID + value: "123456" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_SLUG + value: foo + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: github_secret + name: my-release-atlantis-webhook + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_KEY_FILE + value: /var/github-app/key.pem + - it: githubApp vcsSecretName + template: statefulset.yaml + set: + vcsSecretName: atlantis-vcs + githubApp: + id: 123456 + slug: foo + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: github-app-key-volume + secret: + items: + 
- key: key.pem + path: key.pem + secretName: atlantis-vcs + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "github-app-key-volume")] + value: + mountPath: /var/github-app + name: github-app-key-volume + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: github_secret + name: atlantis-vcs + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_KEY_FILE + value: /var/github-app/key.pem + - it: gitlab + template: statefulset.yaml + set: + gitlab: + user: foo + token: bar + secret: baz + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GITLAB_USER + value: foo + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GITLAB_TOKEN + valueFrom: + secretKeyRef: + key: gitlab_token + name: my-release-atlantis-webhook + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GITLAB_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: gitlab_secret + name: my-release-atlantis-webhook + - it: bitbucket + template: statefulset.yaml + set: + bitbucket: + user: foo + token: bar + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_BITBUCKET_USER + value: foo + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_BITBUCKET_TOKEN + valueFrom: + secretKeyRef: + key: bitbucket_token + name: my-release-atlantis-webhook + - it: bitbucket server + template: statefulset.yaml + set: + bitbucket: + user: foo + token: bar + secret: baz + baseURL: https://bitbucket.yourorganization.com + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_BITBUCKET_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: bitbucket_secret + name: my-release-atlantis-webhook + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: ATLANTIS_BITBUCKET_BASE_URL + value: https://bitbucket.yourorganization.com + - it: azuredevops + template: statefulset.yaml + set: + azuredevops: + user: foo + token: bar + webhookUser: bobby + webhookPassword: bacala + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_AZUREDEVOPS_USER + value: foo + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_AZUREDEVOPS_TOKEN + valueFrom: + secretKeyRef: + key: azuredevops_token + name: my-release-atlantis-webhook + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_AZUREDEVOPS_WEBHOOK_USER + value: bobby + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_AZUREDEVOPS_WEBHOOK_PASSWORD + valueFrom: + secretKeyRef: + key: azuredevops_webhook_password + name: my-release-atlantis-webhook + - it: basicAuth + template: statefulset.yaml + set: + basicAuth: + username: atlantis + password: forever + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_WEB_BASIC_AUTH + value: "true" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_WEB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: my-release-atlantis-basic-auth + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_WEB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: my-release-atlantis-basic-auth + - it: basicAuthSecretName + template: statefulset.yaml + set: + basicAuthSecretName: atlantis-basic-auth + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_WEB_BASIC_AUTH + value: "true" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_WEB_USERNAME + valueFrom: + secretKeyRef: + key: username + name: atlantis-basic-auth + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: ATLANTIS_WEB_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: atlantis-basic-auth + - it: apiSecret + template: statefulset.yaml + set: + api.secret: spongebob + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_API_SECRET + valueFrom: + secretKeyRef: + key: apisecret + name: my-release-atlantis-api + - it: apiSecretSecretName + template: statefulset.yaml + set: + apiSecretName: atlantis-api + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_API_SECRET + valueFrom: + secretKeyRef: + key: apisecret + name: atlantis-api + - it: command + template: statefulset.yaml + set: + command: + - printenv + asserts: + - equal: + path: spec.template.spec.containers[0].command + value: + - printenv + - it: commonLabels + template: statefulset.yaml + set: + commonLabels: + team: infra + asserts: + - equal: + path: metadata.labels.team + value: infra + - it: liveneessProbe false + template: statefulset.yaml + set: + livenessProbe: + enabled: false + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe + - it: liveneessProbe + template: statefulset.yaml + set: + livenessProbe: + enabled: true + periodSeconds: 10 + initialDelaySeconds: 2 + timeoutSeconds: 1 + successThreshold: 2 + failureThreshold: 3 + scheme: HTTP + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + failureThreshold: 3 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 2 + timeoutSeconds: 1 + - it: readinessProbe false + template: statefulset.yaml + set: + readinessProbe: + enabled: false + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe + - it: readinessProbe + template: statefulset.yaml + set: + readinessProbe: + enabled: true + periodSeconds: 10 + initialDelaySeconds: 2 + timeoutSeconds: 1 + 
successThreshold: 2 + failureThreshold: 3 + scheme: HTTP + asserts: + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + failureThreshold: 3 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 2 + timeoutSeconds: 1 + - it: podTemplate + template: statefulset.yaml + set: + podTemplate: + annotations: + iam.amazonaws.com/role: arn:aws:iam::123456789123:role/atlantis-role + labels: + group: base + asserts: + - equal: + path: spec.template.metadata.labels.group + value: base + - equal: + path: spec.template.metadata.annotations["iam.amazonaws.com/role"] + value: arn:aws:iam::123456789123:role/atlantis-role + - it: Statefulset annotations + template: statefulset.yaml + set: + statefulSet.annotations: + strong-stuff: "true" + asserts: + - equal: + path: metadata.annotations + value: + strong-stuff: "true" + - it: securityContext + template: statefulset.yaml + set: + statefulSet.securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: Always + asserts: + - equal: + path: spec.template.spec.securityContext + value: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: Always + - it: priorityClassName + template: statefulset.yaml + set: + statefulSet.priorityClassName: high-priority + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: high-priority + - it: updateStrategy + template: statefulset.yaml + set: + statefulSet.updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: 0 + asserts: + - equal: + path: spec.updateStrategy + value: + type: RollingUpdate + rollingUpdate: + partition: 0 + - it: shareProcessNamespace + template: statefulset.yaml + set: + statefulSet.shareProcessNamespace: true + asserts: + - equal: + path: spec.template.spec.shareProcessNamespace + value: true + - it: terminationGracePeriodSeconds + template: statefulset.yaml + set: + terminationGracePeriodSeconds: 30 + 
asserts:
+ - equal:
+ path: spec.template.spec.terminationGracePeriodSeconds
+ value: 30
diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml
index 090b704b..1eae7cab 100644
--- a/charts/atlantis/values.yaml
+++ b/charts/atlantis/values.yaml
@@ -16,6 +16,9 @@ nameOverride: ""
orgAllowlist:
# logLevel: "debug"
+# Deprecated in favor of orgAllowlist
+# orgWhitelist:
+
# If using GitHub, specify like the following:
github: {}
# github:
diff --git a/ct.yaml b/ct.yaml
index c0770cd5..516a126b 100644
--- a/ct.yaml
+++ b/ct.yaml
@@ -4,3 +4,5 @@ target-branch: main
chart-dirs:
- charts
helm-extra-args: --timeout 600s
+additional-commands:
+ - helm unittest {{ .Path }}
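Review bot: The `securityContext` case only exercises the pod-level `statefulSet.securityContext`, and the `default values` case asserts that `spec.template.spec.containers[0].securityContext` does not exist, so nothing in this suite covers a container-level security context (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, dropped capabilities). If the chart exposes such a value, add a case for it; if it does not, the `notExists` assertion is pinning that gap and deserves a comment, e.g. `# chart currently renders no container securityContext; assertion documents the gap, not a requirement`. The same default case pins `automountServiceAccountToken: true` — a one-line comment pointing at the `serviceAccount.mount: false` case as the opt-out would stop a reader from taking the default as a recommendation. The `tests:` sequence begins outside this line's span.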