From f9f448364ed3d74f6b5e04820edf411fca1cacd5 Mon Sep 17 00:00:00 2001 From: roytev Date: Tue, 14 Nov 2023 21:47:26 +0200 Subject: [PATCH 01/14] interim --- .idea/codeStyles/Project.xml | 7 + charts/atlantis/templates/statefulset.yaml | 6 - charts/atlantis/tests/secret-aws_test.yaml | 48 ++ .../atlantis/tests/secret-gitconfig_test.yaml | 41 ++ charts/atlantis/tests/secret-netrc_test.yaml | 38 ++ .../tests/secret-service-account_test.yaml | 47 ++ charts/atlantis/tests/statefulset_test.yaml | 577 ++++++++++++++++++ charts/atlantis/values.schema.json | 38 +- 8 files changed, 794 insertions(+), 8 deletions(-) create mode 100644 .idea/codeStyles/Project.xml create mode 100644 charts/atlantis/tests/secret-aws_test.yaml create mode 100644 charts/atlantis/tests/secret-gitconfig_test.yaml create mode 100644 charts/atlantis/tests/secret-netrc_test.yaml create mode 100644 charts/atlantis/tests/secret-service-account_test.yaml create mode 100644 charts/atlantis/tests/statefulset_test.yaml diff --git a/.idea/codeStyles/Project.xml b/.idea/codeStyles/Project.xml new file mode 100644 index 00000000..919ce1f1 --- /dev/null +++ b/.idea/codeStyles/Project.xml @@ -0,0 +1,7 @@ + + + + + + \ No newline at end of file diff --git a/charts/atlantis/templates/statefulset.yaml b/charts/atlantis/templates/statefulset.yaml index 1accc53e..f64e7756 100644 --- a/charts/atlantis/templates/statefulset.yaml +++ b/charts/atlantis/templates/statefulset.yaml @@ -142,12 +142,6 @@ spec: {{- if .Values.containerSecurityContext }} securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- end }} - {{- if .Values.command }} - command: - {{- range .Values.command }} - - {{ . }} - {{- end }} - {{- end }} args: - server {{- if .Values.config }} diff --git a/charts/atlantis/tests/secret-aws_test.yaml b/charts/atlantis/tests/secret-aws_test.yaml new file mode 100644 index 00000000..567dbf1e --- /dev/null +++ b/charts/atlantis/tests/secret-aws_test.yaml 
@@ -0,0 +1,48 @@ +--- +suite: test secret-aws for aws +templates: + - secret-aws.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: awsSecretName + set: + awsSecretName: 'atlantis-aws' + asserts: + - hasDocuments: + count: 0 + - it: aws + set: + aws: + credentials: | + [default] + aws_access_key_id=YOUR_ACCESS_KEY_ID + aws_secret_access_key=YOUR_SECRET_ACCESS_KEY + region=us-east-1 + config: | + [profile a_role_to_assume] + role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume + source_profile = default + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-aws + - equal: + path: data["config"] + value: W3Byb2ZpbGUgYV9yb2xlX3RvX2Fzc3VtZV0Kcm9sZV9hcm4gPSBhcm46YXdzOmlhbTo6MTIzNDU2Nzg5OnJvbGUvc2VydmljZS1yb2xlL3JvbGVUb0Fzc3VtZQpzb3VyY2VfcHJvZmlsZSA9IGRlZmF1bHQK + - equal: + path: data["credentials"] + value: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPVlPVVJfQUNDRVNTX0tFWV9JRAphd3Nfc2VjcmV0X2FjY2Vzc19rZXk9WU9VUl9TRUNSRVRfQUNDRVNTX0tFWQpyZWdpb249dXMtZWFzdC0xCg== + + + diff --git a/charts/atlantis/tests/secret-gitconfig_test.yaml b/charts/atlantis/tests/secret-gitconfig_test.yaml new file mode 100644 index 00000000..a3f3cefa --- /dev/null +++ b/charts/atlantis/tests/secret-gitconfig_test.yaml 
@@ -0,0 +1,41 @@ +--- +suite: test secret-gitconfig for gitconfig +templates: + - secret-gitconfig.yaml +release: + name: my-release +tests: + - it: default values + template: secret-gitconfig.yaml + asserts: + - hasDocuments: + count: 0 + - it: gitconfigSecretName + template: secret-gitconfig.yaml + set: + gitconfigSecretName: 'atlantis-gitconfig' + asserts: + - hasDocuments: + count: 0 + - it: gitconfig + template: secret-gitconfig.yaml + set: + gitconfig: | + [url "https://YOUR_GH_TOKEN@github.com"] + insteadOf = https://github.com + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-gitconfig + - equal: + path: data["gitconfig"] + value: W3VybCAiaHR0cHM6Ly9ZT1VSX0dIX1RPS0VOQGdpdGh1Yi5jb20iXQppbnN0ZWFkT2YgPSBodHRwczovL2dpdGh1Yi5jb20K + + + diff --git a/charts/atlantis/tests/secret-netrc_test.yaml b/charts/atlantis/tests/secret-netrc_test.yaml new file mode 100644 index 00000000..57b5b35a --- /dev/null +++ b/charts/atlantis/tests/secret-netrc_test.yaml @@ -0,0 +1,38 @@ +--- +suite: test secret-netrc for netrc +templates: + - secret-netrc.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: netrcSecretName + set: + netrcSecretName: 'atlantis-netrc' + asserts: + - hasDocuments: + count: 0 + - it: netrc + set: + netrc: | + machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-netrc + - equal: + path: data["netrc"] + value: bWFjaGluZSBhcnRpZmFjdG9yeS5teWFwcC5jb20gbG9naW4gWU9VUl9VU0VSTkFNRSBwYXNzd29yZCBZT1VSX1BBU1NXT1JECm1hY2hpbmUgYml0YnVja2V0Lm15YXBwLmNvbSBsb2dpbiBZT1VSX1VTRVJOQU1FIHBhc3N3b3JkIFlPVVJfUEFTU1dPUkQK + + + 
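Review bot: Every case in this suite repeats `template: secret-gitconfig.yaml` although the suite-level `templates:` list names only that file, so the per-test key is redundant; the sibling suites secret-aws_test.yaml and secret-netrc_test.yaml added in this same commit omit it, so dropping it here keeps the four new suites consistent. The same repetition appears in secret-service-account_test.yaml. Separately, the asserted `data["gitconfig"]` value is an opaque base64 blob; a one-line comment above it giving the decoded content (the two-line `[url ...]` stanza from `set:`) would make a future mismatch diagnosable without decoding by hand.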
diff --git a/charts/atlantis/tests/secret-service-account_test.yaml b/charts/atlantis/tests/secret-service-account_test.yaml new file mode 100644 index 00000000..fd72f496 --- /dev/null +++ b/charts/atlantis/tests/secret-service-account_test.yaml @@ -0,0 +1,47 @@ +--- +suite: test secret-service-account for serviceAccountSecrets +templates: + - secret-service-account.yaml +release: + name: my-release +tests: + - it: default values + template: secret-service-account.yaml + asserts: + - hasDocuments: + count: 0 + - it: serviceAccountSecrets + template: secret-service-account.yaml + set: + serviceAccountSecrets: + credentials: VG9ueSBTb3ByYW5v + credentials-staging: Q2FybWVsYSBTb3ByYW5v + asserts: + - hasDocuments: + count: 2 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.labels.component + value: service-account-secret + - documentIndex: 0 + equal: + path: data["service-account.json"] + value: VG9ueSBTb3ByYW5v + - documentIndex: 0 + equal: + path: metadata.name + value: credentials + - documentIndex: 1 + equal: + path: data["service-account.json"] + value: Q2FybWVsYSBTb3ByYW5v + - documentIndex: 1 + equal: + path: metadata.name + value: credentials-staging + + + diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml new file mode 100644 index 00000000..180b3c1e --- /dev/null +++ b/charts/atlantis/tests/statefulset_test.yaml 
@@ -0,0 +1,577 @@ +--- +suite: test statefulset +templates: + - configmap-config.yaml + - configmap-repo-config.yaml + - statefulset.yaml +chart: + appVersion: test-appVersion +release: + name: my-release +tests: + - it: default values + template: statefulset.yaml + asserts: + - isKind: + of: StatefulSet + - equal: + path: apiVersion + value: apps/v1 + - equal: + path: metadata.name + value: my-release-atlantis + - equal: + path: metadata.labels.app + value: atlantis + - matchRegex: + path: metadata.labels.chart + pattern: ^atlantis- + - equal: + path: metadata.labels.heritage + value: Helm + - equal: + path: metadata.labels.release + value: my-release + - notExists: + path: metadata.annotations + - equal: + path: spec.serviceName + value: my-release-atlantis + - equal: + path: spec.replicas + value: 1 + - equal: + path: spec.selector + value: + matchLabels: + app: atlantis + release: my-release + - equal: + path: spec.template.metadata.labels + value: + app: atlantis + release: my-release + - equal: + path: spec.template.metadata.annotations + value: + checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + checksum/repo-config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + - notExists: + path: spec.template.spec.hostAliases + - equal: + path: spec.template.spec.hostNetwork + value: false + - equal: + path: spec.template.spec.serviceAccountName + value: my-release-atlantis + - equal: + path: spec.template.spec.shareProcessNamespace + value: false + - equal: + path: spec.template.spec.automountServiceAccountToken + value: true + - notExists: + path: spec.template.spec.terminationGracePeriodSeconds + - equal: + path: spec.template.spec.securityContext + value: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 100 + - notExists: + path: spec.template.spec.priorityClassName + - isNullOrEmpty: + path: spec.template.spec.volumes + - notExists: + path: spec.template.spec.imagePullSecrets + - notExists: + 
path: spec.template.spec.initContainers + - equal: + path: spec.template.spec.containers[0].name + value: atlantis + - equal: + path: spec.template.spec.containers[0].image + value: ghcr.io/runatlantis/atlantis:test-appVersion + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: Always + - notExists: + path: spec.template.spec.containers[0].securityContext + - equal: + path: spec.template.spec.containers[0].args + value: + - server + - equal: + path: spec.template.spec.containers[0].ports + value: + - containerPort: 4141 + name: atlantis + - notExists: + path: spec.template.spec.containers[0].lifeCycle + - notExists: + path: spec.template.spec.containers[0].envFrom + - equal: + path: spec.template.spec.containers[0].env + value: + - name: ATLANTIS_DATA_DIR + value: /atlantis-data + - name: ATLANTIS_REPO_ALLOWLIST + value: + - name: ATLANTIS_PORT + value: "4141" + - name: ATLANTIS_ATLANTIS_URL + value: http:// + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + failureThreshold: 5 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 5 + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + failureThreshold: 5 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 5 + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - mountPath: /atlantis-data + name: atlantis-data + - isNullOrEmpty: + path: spec.template.spec.containers[0].resources + - notExists: + path: spec.template.spec.nodeSelector + - notExists: + path: spec.template.spec.tolerations + - notExists: + path: spec.template.spec.topologySpreadConstraints + - notExists: + path: spec.template.spec.updateStrategy + - equal: + path: spec.volumeClaimTemplates + value: + - metadata: + name: atlantis-data + spec: + accessModes: + - ReadWriteOnce + 
resources: + requests: + storage: 5Gi + - it: Statefulset annotations + template: statefulset.yaml + set: + statefulSet.annotations: + strong-stuff: "true" + asserts: + - equal: + path: metadata.annotations + value: + strong-stuff: "true" + - it: replicaCount + template: statefulset.yaml + set: + replicaCount: 2 + asserts: + - equal: + path: spec.replicas + value: 2 + - it: podTemplate labels + template: statefulset.yaml + set: + podTemplate.labels: + team: infra + asserts: + - equal: + path: spec.template.metadata.labels.team + value: infra + - it: podTemplate annotations + template: statefulset.yaml + set: + podTemplate.annotations: + iam.amazonaws.com/role: arn:aws:iam::123456789123:role/atlantis-role + asserts: + - equal: + path: spec.template.metadata.annotations["iam.amazonaws.com/role"] + value: arn:aws:iam::123456789123:role/atlantis-role + - it: hostAliases + template: statefulset.yaml + set: + hostAliases: + - hostnames: + - aaa.com + - test.ccc.com + ip: 10.0.0.0 + - hostnames: + - bbb.com + ip: 10.0.0.2 + asserts: + - equal: + path: spec.template.spec.hostAliases + value: + - hostnames: + - aaa.com + - test.ccc.com + ip: 10.0.0.0 + - hostnames: + - bbb.com + ip: 10.0.0.2 + - it: hostNetwork + template: statefulset.yaml + set: + hostNetwork: true + asserts: + - equal: + path: spec.template.spec.hostNetwork + value: true + - it: serviceAccountName + template: statefulset.yaml + set: + serviceAccount.name: atlantis-sa + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: atlantis-sa + - it: shareProcessNamespace + template: statefulset.yaml + set: + statefulSet.shareProcessNamespace: true + asserts: + - equal: + path: spec.template.spec.shareProcessNamespace + value: true + - it: automountServiceAccountToken + template: statefulset.yaml + set: + serviceAccount.mount: false + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - it: terminationGracePeriodSeconds + template: statefulset.yaml + 
set: + terminationGracePeriodSeconds: 30 + asserts: + - equal: + path: spec.template.spec.terminationGracePeriodSeconds + value: 30 + - it: securityContext + template: statefulset.yaml + set: + statefulSet.securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: Always + asserts: + - equal: + path: spec.template.spec.securityContext + value: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: Always + - it: priorityClassName + template: statefulset.yaml + set: + statefulSet.priorityClassName: high-priority + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: high-priority + - it: tlsSecretName + template: statefulset.yaml + set: + tlsSecretName: test-tls + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: tls + secret: + secretName: test-tls + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "tls")] + value: + mountPath: /etc/tls/ + name: tls + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_SSL_CERT_FILE + value: /etc/tls/tls.crt + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_SSL_KEY_FILE + value: /etc/tls/tls.key + - it: serviceAccountSecrets + template: statefulset.yaml + set: + serviceAccountSecrets: + credentials: VG9ueSBTb3ByYW5v + credentials-staging: Q2FybWVsYSBTb3ByYW5v + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: credentials-volume + secret: + secretName: credentials + - name: credentials-staging-volume + secret: + secretName: credentials-staging + + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "credentials-volume")] + value: + mountPath: /etc/credentials + name: credentials-volume + readOnly: true + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "credentials-staging-volume")] + value: + mountPath: /etc/credentials-staging + name: credentials-staging-volume + 
readOnly: true + - it: googleServiceAccountSecrets + template: statefulset.yaml + set: + googleServiceAccountSecrets: + - name: gcp-ci + secretName: gcp-ci-secret + - name: gcp-staging + secretName: gcp-staging-secret + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: gcp-ci + secret: + secretName: gcp-ci-secret + - name: gcp-staging + secret: + secretName: gcp-staging-secret + + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gcp-ci")] + value: + mountPath: /var/secrets/gcp-ci + name: gcp-ci + readOnly: true + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gcp-staging")] + value: + mountPath: /var/secrets/gcp-staging + name: gcp-staging + readOnly: true + - it: gitconfig + template: statefulset.yaml + set: + gitconfig: | + [url "https://YOUR_GH_TOKEN@github.com"] + insteadOf = https://github.com + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: gitconfig-volume + secret: + secretName: my-release-atlantis-gitconfig + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gitconfig-volume")] + value: + mountPath: /home/atlantis/.gitconfig + name: gitconfig-volume + readOnly: true + subPath: gitconfig + - it: gitconfigSecretName + template: statefulset.yaml + set: + gitconfigSecretName: 'atlantis-gitconfig' + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: gitconfig-volume + secret: + secretName: atlantis-gitconfig + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gitconfig-volume")] + value: + mountPath: /home/atlantis/.gitconfig + name: gitconfig-volume + readOnly: true + subPath: gitconfig + - it: netrc + template: statefulset.yaml + set: + netrc: | + machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: netrc-volume + 
secret: + secretName: my-release-atlantis-netrc + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] + value: + mountPath: /home/atlantis/.netrc + name: netrc-volume + readOnly: true + subPath: netrc + - it: netrcSecretName + template: statefulset.yaml + set: + netrcSecretName: 'atlantis-netrc' + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: netrc-volume + secret: + secretName: atlantis-netrc + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] + value: + mountPath: /home/atlantis/.netrc + name: netrc-volume + readOnly: true + subPath: netrc + - it: aws + template: statefulset.yaml + set: + aws: + credentials: | + [default] + aws_access_key_id=YOUR_ACCESS_KEY_ID + aws_secret_access_key=YOUR_SECRET_ACCESS_KEY + region=us-east-1 + config: | + [profile a_role_to_assume] + role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume + source_profile = default + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: aws-volume + secret: + secretName: my-release-atlantis-aws + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")] + value: + mountPath: /home/atlantis/.aws + name: aws-volume + readOnly: true + - it: aws directory + template: statefulset.yaml + set: + aws: + directory: "/etc/aws_config" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: AWS_CONFIG_FILE + value: /etc/aws_config/config + - contains: + path: spec.template.spec.containers[0].env + content: + name: AWS_SHARED_CREDENTIALS_FILE + value: /etc/aws_config/credentials + - it: awsSecretName + template: statefulset.yaml + set: + awsSecretName: 'atlantis-aws' + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: aws-volume + secret: + secretName: atlantis-aws + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")] + value: + mountPath: 
/home/atlantis/.aws + name: aws-volume + readOnly: true + - it: githubApp + template: statefulset.yaml + set: + githubApp: + id: 123456 + slug: foo + key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + secret: baz + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: github-app-key-volume + secret: + items: + - key: key.pem + path: key.pem + secretName: my-release-atlantis-webhook + + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "github-app-key-volume")] + value: + mountPath: /var/github-app + name: github-app-key-volume + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_ID + value: "123456" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_SLUG + value: foo + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: github_secret + name: my-release-atlantis-webhook + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_KEY_FILE + value: /var/github-app/key.pem + + + + + + + + + + diff --git a/charts/atlantis/values.schema.json b/charts/atlantis/values.schema.json index c0e91fb4..f5656bb9 100644 --- a/charts/atlantis/values.schema.json +++ b/charts/atlantis/values.schema.json @@ -3,7 +3,7 @@ "description":"Default values for atlantis. Declare variables to be passed into your templates.", "type":"object", "additionalProperties":false, - "properties":{ + "properties": { "atlantisUrl":{ "description":"The URL at which Atlantis will be available. This is used to set the webhook URL in GitHub.", "type":"string", 
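Review bot: Two `notExists` assertions in the `default values` test are vacuous because their paths can never exist on a StatefulSet: the container field is `lifecycle`, not `lifeCycle`, and `updateStrategy` lives at `spec.updateStrategy`, not under the pod template, so `notExists: path: spec.template.spec.containers[0].lifeCycle` and `notExists: path: spec.template.spec.updateStrategy` pass regardless of what the template renders. Change them to `path: spec.template.spec.containers[0].lifecycle` and `path: spec.updateStrategy` so they actually guard the defaults. The same test also pins `ATLANTIS_REPO_ALLOWLIST` to an empty value and `ATLANTIS_ATLANTIS_URL` to `http://`; if those are artefacts of empty defaults rather than the intended contract, a comment saying the assertion documents current behaviour would stop the next reader from treating them as desired output. The `checksum/config` and `checksum/repo-config` values are the SHA-256 of an empty string, which is fine as long as both configmaps render empty by default, but worth the same one-line comment.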
@@ -20,6 +20,14 @@ "github.com/myorg/*" ] }, + "orgWhitelist":{ + "type":"string", + "default":"", + "description":"Deprecated (see orgAllowlist) List of repositories from which Atlantis will accept webhooks. Accepts wildcard characters (`*`). Multiple values may be comma-separated.", + "examples":[ + "github.com/myorg/*" + ] + }, "logLevel":{ "type":"string", "description":"Level to use for logging. Either debug, info, warn, or error.", @@ -54,7 +62,13 @@ "description":"Hostname of your GitHub Enterprise installation." } }, - "additionalProperties":false + "additionalProperties":false, + "if": { + "minProperties": 1 + }, + "then": { + "required": ["user"] + } }, "githubApp":{ "type":"object", @@ -1135,6 +1149,26 @@ "$ref":"#/definitions/io.k8s.api.core.v1.Lifecycle" } }, + "allOf": [ + { + "if": { + "properties": { + "githubApp": { + "minProperties": 1 + } + } + } + }, + { + "if": { + "properties": { + "vcsSecretName": { + "minLength": 0 + } + } + } + } + ], "definitions":{ "io.k8s.api.core.v1.HostAlias":{ "description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.", From 8c0d7a00df736851f5d8e940b70ce8b4c9cbf58b Mon Sep 17 00:00:00 2001 From: roytev Date: Tue, 14 Nov 2023 22:33:50 +0200 Subject: [PATCH 02/14] Delete Project.xml --- .idea/codeStyles/Project.xml | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 .idea/codeStyles/Project.xml diff --git a/.idea/codeStyles/Project.xml b/.idea/codeStyles/Project.xml deleted file mode 100644 index 919ce1f1..00000000 --- a/.idea/codeStyles/Project.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - \ No newline at end of file From cfda86cd5ac753a99b701a1602ae7a3a83235465 Mon Sep 17 00:00:00 2001 From: roytev Date: Fri, 24 Nov 2023 17:15:44 +0200 Subject: [PATCH 03/14] Update statefulset_test.yaml --- charts/atlantis/tests/statefulset_test.yaml | 57 +++++++++++++++++++++ 1 file changed, 57 insertions(+) 
diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml index 180b3c1e..d39437d6 100644 --- a/charts/atlantis/tests/statefulset_test.yaml +++ b/charts/atlantis/tests/statefulset_test.yaml @@ -565,6 +565,63 @@ tests: content: name: ATLANTIS_GH_APP_KEY_FILE value: /var/github-app/key.pem + - it: githubApp vcsSecretName + template: statefulset.yaml + set: + vcsSecretName: 'atlantis-vcs' + githubApp: + id: 123456 + slug: foo + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: github-app-key-volume + secret: + items: + - key: key.pem + path: key.pem + secretName: atlantis-vcs + + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "github-app-key-volume")] + value: + mountPath: /var/github-app + name: github-app-key-volume + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: github_secret + name: atlantis-vcs + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_KEY_FILE + value: /var/github-app/key.pem + - it: gitlab + template: statefulset.yaml + set: + gitlab: + user: foo + token: bar + secret: baz + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GITLAB_TOKEN + value: "123456" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GITLAB_URL + value: https://gitlab.com + + From adb922f29e1850cdd5095aa011b0b3f9546b4b7b Mon Sep 17 00:00:00 2001 From: roytev Date: Fri, 24 Nov 2023 17:19:45 +0200 Subject: [PATCH 04/14] Create .gitignore --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..b00e1ed9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +# IDE or Editor-specific +.idea/ +.vscode/ 
From 3d041260aab7c219f71a1a1c3fa231d0af6ce1d7 Mon Sep 17 00:00:00 2001 From: roytev Date: Fri, 24 Nov 2023 17:19:58 +0200 Subject: [PATCH 05/14] Update values.yaml --- charts/atlantis/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml index 090b704b..1eae7cab 100644 --- a/charts/atlantis/values.yaml +++ b/charts/atlantis/values.yaml @@ -16,6 +16,9 @@ nameOverride: "" orgAllowlist: # logLevel: "debug" +# Deprecated in favor of orgAllowlist +# orgWhitelist: + # If using GitHub, specify like the following: github: {} # github: From 440b60ca571af13288e61fd0c6fbc18b4dd49707 Mon Sep 17 00:00:00 2001 From: roytev Date: Fri, 24 Nov 2023 17:33:22 +0200 Subject: [PATCH 06/14] add unittest to workflow --- .github/workflows/lint-test.yaml | 5 ++++- ct.yaml | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 23afff66..1336f822 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -37,7 +37,10 @@ jobs: if [[ -n "$changed" ]]; then echo "changed=true" >> "$GITHUB_OUTPUT" fi - + - name: install helm unittests + if: steps.list-changed.outputs.changed == 'true' + run: | + helm plugin install --version v0.3.6 https://github.com/helm-unittest/helm-unittest - name: Run chart-testing (lint) if: steps.list-changed.outputs.changed == 'true' run: | diff --git a/ct.yaml b/ct.yaml index c0770cd5..516a126b 100644 --- a/ct.yaml +++ b/ct.yaml @@ -4,3 +4,5 @@ target-branch: main chart-dirs: - charts helm-extra-args: --timeout 600s +additional-commands: + - helm unittest {{ .Path }} From 33a626dcd79aed45321089ef34ef491aecf7566f Mon Sep 17 00:00:00 2001 From: roytev Date: Fri, 24 Nov 2023 17:35:25 +0200 Subject: [PATCH 07/14] Update Chart.yaml --- charts/atlantis/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
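Review bot: The new `install helm unittests` step pins the plugin only by git tag (`--version v0.3.6`), which is mutable, and `helm plugin install` runs the plugin's install hook with network access on every CI run; if that hook downloads a release binary (as I recall it does for helm-unittest), nothing in the workflow verifies what arrived. Pinning to a commit SHA, or checking the installed binary against an expected checksum before ct's `additional-commands` invoke `helm unittest {{ .Path }}`, would make the test dependency reproducible. Because ct.yaml now runs unittest for every changed chart, the `Run chart-testing (lint)` step silently depends on this install step, so its `if:` condition must stay identical to the ct steps' condition; a comment such as `# must match the condition on the chart-testing steps below` would keep them from drifting apart.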
diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml index 3907e661..53e2900c 100644 --- a/charts/atlantis/Chart.yaml +++ b/charts/atlantis/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v1 appVersion: v0.26.0 description: A Helm chart for Atlantis https://www.runatlantis.io name: atlantis -version: 4.18.0 +version: 4.19.0 keywords: - terraform home: https://www.runatlantis.io From 5494df7227a98333e77ea421e683c6cc5e36ef4c Mon Sep 17 00:00:00 2001 From: roytev Date: Fri, 24 Nov 2023 17:40:55 +0200 Subject: [PATCH 08/14] Update statefulset_test.yaml --- charts/atlantis/tests/statefulset_test.yaml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml index d39437d6..3f784413 100644 --- a/charts/atlantis/tests/statefulset_test.yaml +++ b/charts/atlantis/tests/statefulset_test.yaml @@ -610,16 +610,27 @@ tests: token: bar secret: baz asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GITLAB_USER + value: "foo" - contains: path: spec.template.spec.containers[0].env content: name: ATLANTIS_GITLAB_TOKEN - value: "123456" + valueFrom: + secretKeyRef: + key: gitlab_token + name: my-release-atlantis-webhook - contains: path: spec.template.spec.containers[0].env content: - name: ATLANTIS_GITLAB_URL - value: https://gitlab.com + name: ATLANTIS_GITLAB_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: gitlab_secret + name: my-release-atlantis-webhook From baede95eb0df4082f248e12e01aad5be97a3b0ab Mon Sep 17 00:00:00 2001 From: roytev Date: Sat, 2 Dec 2023 17:49:49 +0200 Subject: [PATCH 09/14] more fixes and tests --- charts/atlantis/templates/secret-webhook.yaml | 4 +- .../atlantis/tests/secret-webhook_test.yaml | 169 ++++++++++++++++++ charts/atlantis/values.schema.json | 28 +-- 3 files changed, 172 insertions(+), 29 deletions(-) create mode 100644 charts/atlantis/tests/secret-webhook_test.yaml 
diff --git a/charts/atlantis/templates/secret-webhook.yaml b/charts/atlantis/templates/secret-webhook.yaml index 3661feef..ed2811d3 100644 --- a/charts/atlantis/templates/secret-webhook.yaml +++ b/charts/atlantis/templates/secret-webhook.yaml @@ -10,7 +10,7 @@ data: key.pem: {{ required "githubApp.key is required if githubApp configuration is specified." .Values.githubApp.key | b64enc }} github_secret: {{ required "githubApp.secret is required if githubApp configuration is specified." .Values.githubApp.secret | b64enc }} {{- end}} - {{- if .Values.github.user }} + {{- if .Values.github }} github_token: {{ required "github.token is required if github configuration is specified." .Values.github.token | b64enc }} github_secret: {{ required "github.secret is required if github configuration is specified." .Values.github.secret | b64enc }} {{- end}} @@ -23,7 +23,7 @@ data: {{- if .Values.bitbucket.baseURL }} bitbucket_secret: {{ required "bitbucket.secret is required if bitbucket.baseURL is specified." .Values.bitbucket.secret | b64enc }} {{- end}} - {{- end }} + {{- end }} {{- if .Values.azuredevops }} azuredevops_token: {{ required "azuredevops.token is required if azuredevops configuration is specified." .Values.azuredevops.token | b64enc }} azuredevops_webhook_password: {{ required "azuredevops.webhookPassword is required if azuredevops configuration is specified." .Values.azuredevops.webhookPassword | b64enc }} diff --git a/charts/atlantis/tests/secret-webhook_test.yaml b/charts/atlantis/tests/secret-webhook_test.yaml new file mode 100644 index 00000000..54dee4bc --- /dev/null +++ b/charts/atlantis/tests/secret-webhook_test.yaml 
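Review bot: Loosening the guard from `{{- if .Values.github.user }}` to `{{- if .Values.github }}` means any key under `github` now triggers the `required` checks for `github.token` and `github.secret`, including a `github` map that only sets `hostname`; the schema in this series documents `hostname` as the GitHub Enterprise host, which a GitHub App deployment on GHE would plausibly set without a `user`/`token`, and such a release would now fail to render. If that combination is meant to be supported, a guard such as `{{- if or .Values.github.user .Values.github.token }}` keeps the tightened validation without rejecting it; if it is not, a comment above the block stating that any `github.*` value implies token-based auth would make the intent explicit. The enclosing Secret template starts and ends outside the hunk.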
@@ -0,0 +1,169 @@ +--- +suite: test secret-webhook for git webhook secret +templates: + - secret-webhook.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-webhook + - isNullOrEmpty: + path: data + - it: vcsSecretName + set: + vcsSecretName: atlantis-vcs + asserts: + - hasDocuments: + count: 0 + - it: githubApp only id set + set: + githubApp: + id: 123456 + asserts: + - failedTemplate: + errorMessage: githubApp.key is required if githubApp configuration is specified. + - it: githubApp only id and key are set + set: + githubApp: + id: 123456 + key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + asserts: + - failedTemplate: + errorMessage: githubApp.secret is required if githubApp configuration is specified. + - it: githubApp + set: + githubApp: + id: 123456 + key: | + -----BEGIN PRIVATE KEY----- + ... + -----END PRIVATE KEY----- + secret: baz + asserts: + - equal: + path: data + value: + github_secret: YmF6 + key.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi4uLgotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg== + - it: github only user set + set: + github: + user: foo + asserts: + - failedTemplate: + errorMessage: github.token is required if github configuration is specified. + - it: github only user and token are set + set: + github: + user: foo + token: bar + asserts: + - failedTemplate: + errorMessage: github.secret is required if github configuration is specified. + - it: github + set: + github: + user: foo + token: bar + secret: baz + asserts: + - equal: + path: data + value: + github_secret: YmF6 + github_token: YmFy + - it: gitlab only user set + set: + gitlab: + user: foo + asserts: + - failedTemplate: + errorMessage: gitlab.token is required if gitlab configuration is specified. 
+ - it: gitlab only user and token are set + set: + gitlab: + user: foo + token: bar + asserts: + - failedTemplate: + errorMessage: gitlab.secret is required if gitlab configuration is specified. + - it: gitlab + set: + github: + user: foo + token: bar + secret: baz + asserts: + - equal: + path: data + value: + github_secret: YmF6 + github_token: YmFy + - it: bitbucket only user set + set: + bitbucket: + user: foo + asserts: + - failedTemplate: + errorMessage: bitbucket.token is required if bitbucket configuration is specified. + - it: bitbucket user and token are set + set: + bitbucket: + user: foo + token: bar + asserts: + - equal: + path: data + value: + bitbucket_token: YmFy + - it: bitbucket server only user and token are set + set: + bitbucket: + user: foo + token: bar + baseURL: https://bitbucket.yourorganization.com + asserts: + - failedTemplate: + errorMessage: bitbucket.secret is required if bitbucket.baseURL is specified. + - it: bitbucket server + set: + bitbucket: + user: foo + token: bar + secret: baz + baseURL: https://bitbucket.yourorganization.com + asserts: + - equal: + path: data + value: + bitbucket_secret: YmF6 + bitbucket_token: YmFy + - it: azuredevops only token set + set: + azuredevops: + token: bar + asserts: + - failedTemplate: + errorMessage: azuredevops.webhookPassword is required if azuredevops + configuration is specified. + - it: azuredevops + set: + azuredevops: + token: bar + webhookPassword: baz + asserts: + - equal: + path: data + value: + azuredevops_token: YmFy + azuredevops_webhook_password: YmF6 diff --git a/charts/atlantis/values.schema.json b/charts/atlantis/values.schema.json index 47fbe0e9..8fc27d79 100644 --- a/charts/atlantis/values.schema.json +++ b/charts/atlantis/values.schema.json 
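Review bot: The `it: gitlab` test case sets `github:` rather than `gitlab:` and asserts `github_secret`/`github_token`, so it duplicates the `it: github` case above and the GitLab happy path is never exercised even though the two preceding cases check its `required` failures. Change the block to `set: gitlab: {user: foo, token: bar, secret: baz}` and assert `gitlab_secret: YmF6` and `gitlab_token: YmFy` under `data`, which are the key names the statefulset test in this series reads via `secretKeyRef` (the gitlab part of secret-webhook.yaml itself is outside the hunks shown, so confirm against the template). The base64 expectations are fine as fixtures, but a short comment noting that `YmFy`/`YmF6` decode to `bar`/`baz` would save the next reader a round-trip.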
@@ -77,13 +77,7 @@ "description":"Hostname of your GitHub Enterprise installation." } }, - "additionalProperties":false, - "if": { - "minProperties": 1 - }, - "then": { - "required": ["user"] - } + "additionalProperties":false }, "githubApp":{ "type":"object", @@ -1199,26 +1193,6 @@ "$ref":"#/definitions/io.k8s.api.core.v1.Lifecycle" } }, - "allOf": [ - { - "if": { - "properties": { - "githubApp": { - "minProperties": 1 - } - } - } - }, - { - "if": { - "properties": { - "vcsSecretName": { - "minLength": 0 - } - } - } - } - ], "definitions":{ "io.k8s.api.core.v1.HostAlias":{ "description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.", From e1044e20442121fa1824c702f9084922f56f1607 Mon Sep 17 00:00:00 2001 From: roytev Date: Sat, 9 Dec 2023 17:05:25 +0200 Subject: [PATCH 10/14] Update statefulset_test.yaml --- charts/atlantis/tests/statefulset_test.yaml | 136 ++++++++++++++++++++ 1 file changed, 136 insertions(+) diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml index 3f784413..b36d3c6a 100644 --- a/charts/atlantis/tests/statefulset_test.yaml +++ b/charts/atlantis/tests/statefulset_test.yaml 
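Review bot: Dropping the `"if": {"minProperties": 1} / "then": {"required": ["user"]}` pair on the `github` object removes the only visible check that `github.user` is present when a `github` block is configured; the secret-webhook tests added in this commit cover a missing `token` and a missing `secret` but not a missing `user`, so a values file with only `github.token` would now pass schema validation and render. If validation is intentionally moving into the template, add a matching required-check there with a `failedTemplate` case; otherwise keep the `then` clause. The removed `allOf` entries carried `if` blocks with no `then`, so that part of the deletion is behaviour-neutral.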
@@ -631,6 +631,142 @@ tests: secretKeyRef: key: gitlab_secret name: my-release-atlantis-webhook
+ - it: bitbucket
+ template: statefulset.yaml
+ set:
+ bitbucket:
+ user: foo
+ token: bar
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_BITBUCKET_USER
+ value: "foo"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_BITBUCKET_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: bitbucket_token
+ name: my-release-atlantis-webhook
+ - it: bitbucket server
+ template: statefulset.yaml
+ set:
+ bitbucket:
+ user: foo
+ token: bar
+ secret: baz
+ baseURL: https://bitbucket.yourorganization.com
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_BITBUCKET_WEBHOOK_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: bitbucket_secret
+ name: my-release-atlantis-webhook
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_BITBUCKET_BASE_URL
+ value: "https://bitbucket.yourorganization.com"
+ - it: azuredevops
+ template: statefulset.yaml
+ set:
+ azuredevops:
+ user: foo
+ token: bar
+ webhookUser: bobby
+ webhookPassword: bacala
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_AZUREDEVOPS_USER
+ value: "foo"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_AZUREDEVOPS_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: azuredevops_token
+ name: my-release-atlantis-webhook
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_AZUREDEVOPS_WEBHOOK_USER
+ value: "bobby"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_AZUREDEVOPS_WEBHOOK_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: azuredevops_webhook_password
+ name: my-release-atlantis-webhook
+ - it: basicAuth
+ template: statefulset.yaml
+ set:
+ basicAuth:
+ username: "atlantis"
+ password: "forever"
+ asserts:
+ - contains:
+ path: 
spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_WEB_BASIC_AUTH
+ value: "true"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_WEB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: my-release-atlantis-basic-auth
+
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_WEB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: my-release-atlantis-basic-auth
+ - it: basicAuthSecretName
+ template: statefulset.yaml
+ set:
+ basicAuthSecretName: "atlantis-basic-auth"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_WEB_BASIC_AUTH
+ value: "true"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_WEB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: atlantis-basic-auth
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATLANTIS_WEB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: atlantis-basic-auth
+
+
+
+
From 68288f6e33d1df0a3f452c68ca614bbb7a182045 Mon Sep 17 00:00:00 2001
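Review bot: The `bitbucket` (cloud) case asserts only the user and token env entries and never checks that the Bitbucket-Server-only entries are absent, so a template regression that always renders `ATLANTIS_BITBUCKET_WEBHOOK_SECRET` with a dangling `secretKeyRef` (or `ATLANTIS_BITBUCKET_BASE_URL` with an empty value) would pass. Add `- notContains:` assertions on `spec.template.spec.containers[0].env` in that case for the two `content:` blocks the `bitbucket server` case expects. The same applies to the `basicAuthSecretName` case, which could assert that no `ATLANTIS_WEB_USERNAME` entry still points at `my-release-atlantis-basic-auth`.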
From: roytev Date: Thu, 8 Feb 2024 08:56:32 +0200 Subject: [PATCH 11/14] more tests --- README.md | 1 - charts/atlantis/Chart.yaml | 2 +- charts/atlantis/tests/secret-api_test.yaml | 38 ++ charts/atlantis/tests/secret-aws_test.yaml | 6 +- .../tests/secret-basic-auth_test.yaml | 44 ++ .../atlantis/tests/secret-gitconfig_test.yaml | 6 +- charts/atlantis/tests/secret-netrc_test.yaml | 6 +- .../tests/secret-service-account_test.yaml | 10 + .../atlantis/tests/secret-webhook_test.yaml | 8 + charts/atlantis/tests/service_test.yaml | 89 ++++ charts/atlantis/tests/statefulset_test.yaml | 490 ++++++++++-------- charts/atlantis/values.schema.json | 4 - charts/atlantis/values.yaml | 3 - 13 files changed, 492 insertions(+), 215 deletions(-) create mode 100644 charts/atlantis/tests/secret-api_test.yaml create mode 100644 charts/atlantis/tests/secret-basic-auth_test.yaml create mode 100644 charts/atlantis/tests/service_test.yaml diff --git a/README.md b/README.md index 2d3ef3bf..02b26041 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,6 @@ The following options are supported. See [values.yaml](/charts/atlantis/values.y | `bitbucket.secret` | Webhook secret for Bitbucket repositories (Bitbucket Server only). | n/a | | `bitbucket.token` | Personal access token for the Atlantis Bitbucket user. | n/a | | `bitbucket.user` | Name of the Atlantis Bitbucket user. | n/a | -| `command` | Optionally override the [`command` field](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#container-v1-core) of the Atlantis Docker container. If not set, the default Atlantis `ENTRYPOINT` is used. Must be an array. | n/a | | `commonLabels` | Add Common Labels to all resources | `{}` | | `config` | Override atlantis main configuration by config map. It's allow some additional functionality like slack notifications. | n/a | | `containerSecurityContext.allowPrivilegeEscalation` | Whether to enable privilege escalation | n/a | 
diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml index 84c711a3..067567c8 100644 --- a/charts/atlantis/Chart.yaml +++ b/charts/atlantis/Chart.yaml @@ -3,7 +3,7 @@ apiVersion: v1 appVersion: v0.27.0 description: A Helm chart for Atlantis https://www.runatlantis.io name: atlantis -version: 4.19.0 +version: 4.20.0 keywords: - terraform home: https://www.runatlantis.io diff --git a/charts/atlantis/tests/secret-api_test.yaml b/charts/atlantis/tests/secret-api_test.yaml new file mode 100644 index 00000000..d7413c11 --- /dev/null +++ b/charts/atlantis/tests/secret-api_test.yaml @@ -0,0 +1,38 @@ +--- +suite: test secret-api for api secret +templates: + - secret-api.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: apiSecretName + set: + apiSecretName: 'atlantis-api' + asserts: + - hasDocuments: + count: 0 + - it: apiSecret + set: + api.secret: 'spongebob' + commonLabels: + team: "infra" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-api + - equal: + path: data["apisecret"] + value: c3BvbmdlYm9i + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/secret-aws_test.yaml b/charts/atlantis/tests/secret-aws_test.yaml index 567dbf1e..7fa73fed 100644 --- a/charts/atlantis/tests/secret-aws_test.yaml +++ b/charts/atlantis/tests/secret-aws_test.yaml @@ -27,6 +27,8 @@ tests: [profile a_role_to_assume] role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume source_profile = default + commonLabels: + team: "infra" asserts: - hasDocuments: count: 1 @@ -43,6 +45,8 @@ tests: - equal: path: data["credentials"] value: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPVlPVVJfQUNDRVNTX0tFWV9JRAphd3Nfc2VjcmV0X2FjY2Vzc19rZXk9WU9VUl9TRUNSRVRfQUNDRVNTX0tFWQpyZWdpb249dXMtZWFzdC0xCg== - + - equal: + path: metadata.labels.team + value: infra 
diff --git a/charts/atlantis/tests/secret-basic-auth_test.yaml b/charts/atlantis/tests/secret-basic-auth_test.yaml new file mode 100644 index 00000000..2c2b8d1d --- /dev/null +++ b/charts/atlantis/tests/secret-basic-auth_test.yaml @@ -0,0 +1,44 @@ +--- +suite: test secret-basic-auth for git basic-auth secret +templates: + - secret-basic-auth.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - hasDocuments: + count: 0 + - it: basicAuthSecretName + set: + basicAuthSecretName: "atlantis-basic-auth" + asserts: + - hasDocuments: + count: 0 + - it: basicAuth + set: + basicAuth: + username: "atlantis" + password: "forever" + commonLabels: + team: "infra" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret + - isAPIVersion: + of: v1 + - equal: + path: metadata.name + value: my-release-atlantis-basic-auth + - equal: + path: data["username"] + value: YXRsYW50aXM= + - equal: + path: data["password"] + value: Zm9yZXZlcg== + - equal: + path: metadata.labels.team + value: infra + diff --git a/charts/atlantis/tests/secret-gitconfig_test.yaml b/charts/atlantis/tests/secret-gitconfig_test.yaml index a3f3cefa..9ddb465a 100644 --- a/charts/atlantis/tests/secret-gitconfig_test.yaml +++ b/charts/atlantis/tests/secret-gitconfig_test.yaml @@ -23,6 +23,8 @@ tests: gitconfig: | [url "https://YOUR_GH_TOKEN@github.com"] insteadOf = https://github.com + commonLabels: + team: "infra" asserts: - hasDocuments: count: 1 @@ -36,6 +38,8 @@ tests: - equal: path: data["gitconfig"] value: W3VybCAiaHR0cHM6Ly9ZT1VSX0dIX1RPS0VOQGdpdGh1Yi5jb20iXQppbnN0ZWFkT2YgPSBodHRwczovL2dpdGh1Yi5jb20K - + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/secret-netrc_test.yaml b/charts/atlantis/tests/secret-netrc_test.yaml index 57b5b35a..631da999 100644 --- a/charts/atlantis/tests/secret-netrc_test.yaml +++ b/charts/atlantis/tests/secret-netrc_test.yaml 
@@ -20,6 +20,8 @@ tests: netrc: | machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD + commonLabels: + team: "infra" asserts: - hasDocuments: count: 1 @@ -33,6 +35,8 @@ tests: - equal: path: data["netrc"] value: bWFjaGluZSBhcnRpZmFjdG9yeS5teWFwcC5jb20gbG9naW4gWU9VUl9VU0VSTkFNRSBwYXNzd29yZCBZT1VSX1BBU1NXT1JECm1hY2hpbmUgYml0YnVja2V0Lm15YXBwLmNvbSBsb2dpbiBZT1VSX1VTRVJOQU1FIHBhc3N3b3JkIFlPVVJfUEFTU1dPUkQK - + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/secret-service-account_test.yaml b/charts/atlantis/tests/secret-service-account_test.yaml index fd72f496..9c0bb7a8 100644 --- a/charts/atlantis/tests/secret-service-account_test.yaml +++ b/charts/atlantis/tests/secret-service-account_test.yaml @@ -16,6 +16,8 @@ tests: serviceAccountSecrets: credentials: VG9ueSBTb3ByYW5v credentials-staging: Q2FybWVsYSBTb3ByYW5v + commonLabels: + team: infra asserts: - hasDocuments: count: 2 @@ -34,6 +36,10 @@ tests: equal: path: metadata.name value: credentials + - documentIndex: 0 + equal: + path: metadata.labels.team + value: infra - documentIndex: 1 equal: path: data["service-account.json"] @@ -42,6 +48,10 @@ tests: equal: path: metadata.name value: credentials-staging + - documentIndex: 1 + equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/secret-webhook_test.yaml b/charts/atlantis/tests/secret-webhook_test.yaml index 54dee4bc..4c263c7b 100644 --- a/charts/atlantis/tests/secret-webhook_test.yaml +++ b/charts/atlantis/tests/secret-webhook_test.yaml @@ -167,3 +167,11 @@ tests: value: azuredevops_token: YmFy azuredevops_webhook_password: YmF6 + - it: commonLabels + set: + commonLabels: + team: infra + asserts: + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/service_test.yaml b/charts/atlantis/tests/service_test.yaml new file mode 100644 index 00000000..892f61e0 --- /dev/null 
+++ b/charts/atlantis/tests/service_test.yaml @@ -0,0 +1,89 @@ +--- +suite: test service +templates: + - service.yaml +release: + name: my-release +tests: + - it: default values + asserts: + - isKind: + of: Service + - equal: + path: apiVersion + value: v1 + - equal: + path: metadata.name + value: my-release-atlantis + - equal: + path: spec + value: + ports: + - name: atlantis + port: 80 + protocol: TCP + targetPort: 4141 + selector: + app: atlantis + release: my-release + type: NodePort + - it: loadBalancerSourceRanges + set: + service: + loadBalancerSourceRanges: + - 10.0.0.0/8 + asserts: + - equal: + path: spec.loadBalancerSourceRanges + value: + - 10.0.0.0/8 + - it: loadBalancerIP + set: + service: + loadBalancerIP: 172.16.5.2 + asserts: + - equal: + path: spec.loadBalancerIP + value: 172.16.5.2 + - it: service type + set: + service: + type: ClusterIP + annotations: + haproxy.org/check: "true" + port: 8080 + targetPort: 8181 + asserts: + - equal: + path: metadata.annotations + value: + haproxy.org/check: "true" + - equal: + path: spec + value: + ports: + - name: atlantis + port: 8080 + protocol: TCP + targetPort: 8181 + selector: + app: atlantis + release: my-release + type: ClusterIP + - it: nodePort + set: + service: + type: NodePort + nodePort: 30000 + asserts: + - equal: + path: spec.ports[0].nodePort + value: 30000 + - it: commonLabels + set: + commonLabels: + team: infra + asserts: + - equal: + path: metadata.labels.team + value: infra diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml index b36d3c6a..ec142374 100644 --- a/charts/atlantis/tests/statefulset_test.yaml +++ b/charts/atlantis/tests/statefulset_test.yaml @@ -323,8 +323,8 @@ tests: template: statefulset.yaml set: serviceAccountSecrets: - credentials: VG9ueSBTb3ByYW5v - credentials-staging: Q2FybWVsYSBTb3ByYW5v + credentials: VG9ueSBTb3ByYW5v + credentials-staging: Q2FybWVsYSBTb3ByYW5v asserts: - equal: path: spec.template.spec.volumes 
@@ -335,15 +335,16 @@ tests: - name: credentials-staging-volume secret: secretName: credentials-staging - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "credentials-volume")] + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "credentials-volume")] value: mountPath: /etc/credentials name: credentials-volume readOnly: true - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "credentials-staging-volume")] + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "credentials-staging-volume")] value: mountPath: /etc/credentials-staging name: credentials-staging-volume @@ -366,7 +367,6 @@ tests: - name: gcp-staging secret: secretName: gcp-staging-secret - - equal: path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gcp-ci")] value: 
@@ -386,37 +386,39 @@ tests: [url "https://YOUR_GH_TOKEN@github.com"] insteadOf = https://github.com asserts: - - equal: - path: spec.template.spec.volumes - value: - - name: gitconfig-volume - secret: - secretName: my-release-atlantis-gitconfig - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gitconfig-volume")] - value: - mountPath: /home/atlantis/.gitconfig - name: gitconfig-volume - readOnly: true - subPath: gitconfig + - equal: + path: spec.template.spec.volumes + value: + - name: gitconfig-volume + secret: + secretName: my-release-atlantis-gitconfig + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "gitconfig-volume")] + value: + mountPath: /home/atlantis/.gitconfig + name: gitconfig-volume + readOnly: true + subPath: gitconfig - it: gitconfigSecretName template: statefulset.yaml set: - gitconfigSecretName: 'atlantis-gitconfig' - asserts: - - equal: - path: spec.template.spec.volumes - value: - - name: gitconfig-volume - secret: - secretName: atlantis-gitconfig - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "gitconfig-volume")] - value: - mountPath: /home/atlantis/.gitconfig - name: gitconfig-volume - readOnly: true - subPath: gitconfig + gitconfigSecretName: atlantis-gitconfig + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: gitconfig-volume + secret: + secretName: atlantis-gitconfig + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "gitconfig-volume")] + value: + mountPath: /home/atlantis/.gitconfig + name: gitconfig-volume + readOnly: true + subPath: gitconfig - it: netrc template: statefulset.yaml set: 
@@ -424,50 +426,50 @@ tests: machine artifactory.myapp.com login YOUR_USERNAME password YOUR_PASSWORD machine bitbucket.myapp.com login YOUR_USERNAME password YOUR_PASSWORD asserts: - - equal: - path: spec.template.spec.volumes - value: - - name: netrc-volume - secret: - secretName: my-release-atlantis-netrc - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] - value: - mountPath: /home/atlantis/.netrc - name: netrc-volume - readOnly: true - subPath: netrc + - equal: + path: spec.template.spec.volumes + value: + - name: netrc-volume + secret: + secretName: my-release-atlantis-netrc + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] + value: + mountPath: /home/atlantis/.netrc + name: netrc-volume + readOnly: true + subPath: netrc - it: netrcSecretName template: statefulset.yaml set: - netrcSecretName: 'atlantis-netrc' - asserts: - - equal: - path: spec.template.spec.volumes - value: - - name: netrc-volume - secret: - secretName: atlantis-netrc - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] - value: - mountPath: /home/atlantis/.netrc - name: netrc-volume - readOnly: true - subPath: netrc + netrcSecretName: atlantis-netrc + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: netrc-volume + secret: + secretName: atlantis-netrc + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "netrc-volume")] + value: + mountPath: /home/atlantis/.netrc + name: netrc-volume + readOnly: true + subPath: netrc - it: aws template: statefulset.yaml set: aws: - credentials: | - [default] - aws_access_key_id=YOUR_ACCESS_KEY_ID - aws_secret_access_key=YOUR_SECRET_ACCESS_KEY - region=us-east-1 - config: | - [profile a_role_to_assume] - role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume - source_profile = default + credentials: | + [default] + aws_access_key_id=YOUR_ACCESS_KEY_ID + 
aws_secret_access_key=YOUR_SECRET_ACCESS_KEY + region=us-east-1 + config: | + [profile a_role_to_assume] + role_arn = arn:aws:iam::123456789:role/service-role/roleToAssume + source_profile = default asserts: - equal: path: spec.template.spec.volumes 
@@ -485,93 +487,93 @@ tests: template: statefulset.yaml set: aws: - directory: "/etc/aws_config" - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: AWS_CONFIG_FILE - value: /etc/aws_config/config - - contains: - path: spec.template.spec.containers[0].env - content: - name: AWS_SHARED_CREDENTIALS_FILE - value: /etc/aws_config/credentials + directory: /etc/aws_config + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: AWS_CONFIG_FILE + value: /etc/aws_config/config + - contains: + path: spec.template.spec.containers[0].env + content: + name: AWS_SHARED_CREDENTIALS_FILE + value: /etc/aws_config/credentials - it: awsSecretName template: statefulset.yaml set: - awsSecretName: 'atlantis-aws' - asserts: - - equal: - path: spec.template.spec.volumes - value: - - name: aws-volume - secret: - secretName: atlantis-aws - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")] - value: - mountPath: /home/atlantis/.aws - name: aws-volume - readOnly: true + awsSecretName: atlantis-aws + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: aws-volume + secret: + secretName: atlantis-aws + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == "aws-volume")] + value: + mountPath: /home/atlantis/.aws + name: aws-volume + readOnly: true - it: githubApp template: statefulset.yaml set: - githubApp: - id: 123456 - slug: foo - key: | - -----BEGIN PRIVATE KEY----- - ... 
- -----END PRIVATE KEY----- - secret: baz - asserts: - - equal: - path: spec.template.spec.volumes - value: - - name: github-app-key-volume - secret: - items: - - key: key.pem - path: key.pem - secretName: my-release-atlantis-webhook - - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "github-app-key-volume")] - value: - mountPath: /var/github-app - name: github-app-key-volume - readOnly: true - - contains: - path: spec.template.spec.containers[0].env - content: - name: ATLANTIS_GH_APP_ID - value: "123456" - - contains: - path: spec.template.spec.containers[0].env - content: - name: ATLANTIS_GH_APP_SLUG - value: foo - - contains: - path: spec.template.spec.containers[0].env - content: - name: ATLANTIS_GH_WEBHOOK_SECRET - valueFrom: - secretKeyRef: - key: github_secret - name: my-release-atlantis-webhook - - contains: - path: spec.template.spec.containers[0].env - content: - name: ATLANTIS_GH_APP_KEY_FILE - value: /var/github-app/key.pem + githubApp: + id: 123456 + slug: foo + key: | + -----BEGIN PRIVATE KEY----- + ... 
+ -----END PRIVATE KEY----- + secret: baz + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: github-app-key-volume + secret: + items: + - key: key.pem + path: key.pem + secretName: my-release-atlantis-webhook + - equal: + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "github-app-key-volume")] + value: + mountPath: /var/github-app + name: github-app-key-volume + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_ID + value: "123456" + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_SLUG + value: foo + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_WEBHOOK_SECRET + valueFrom: + secretKeyRef: + key: github_secret + name: my-release-atlantis-webhook + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_GH_APP_KEY_FILE + value: /var/github-app/key.pem - it: githubApp vcsSecretName template: statefulset.yaml set: - vcsSecretName: 'atlantis-vcs' - githubApp: - id: 123456 - slug: foo + vcsSecretName: atlantis-vcs + githubApp: + id: 123456 + slug: foo asserts: - equal: path: spec.template.spec.volumes @@ -582,9 +584,9 @@ tests: - key: key.pem path: key.pem secretName: atlantis-vcs - - equal: - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "github-app-key-volume")] + path: spec.template.spec.containers[0].volumeMounts[?(@.name == + "github-app-key-volume")] value: mountPath: /var/github-app name: github-app-key-volume @@ -605,16 +607,16 @@ tests: - it: gitlab template: statefulset.yaml set: - gitlab: - user: foo - token: bar - secret: baz + gitlab: + user: foo + token: bar + secret: baz asserts: - contains: path: spec.template.spec.containers[0].env content: name: ATLANTIS_GITLAB_USER - value: "foo" + value: foo - contains: path: spec.template.spec.containers[0].env content: 
@@ -634,15 +636,15 @@ tests: - it: bitbucket template: statefulset.yaml set: - bitbucket: - user: foo - token: bar + bitbucket: + user: foo + token: bar asserts: - contains: path: spec.template.spec.containers[0].env content: name: ATLANTIS_BITBUCKET_USER - value: "foo" + value: foo - contains: path: spec.template.spec.containers[0].env content: @@ -654,11 +656,11 @@ tests: - it: bitbucket server template: statefulset.yaml set: - bitbucket: - user: foo - token: bar - secret: baz - baseURL: https://bitbucket.yourorganization.com + bitbucket: + user: foo + token: bar + secret: baz + baseURL: https://bitbucket.yourorganization.com asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -672,48 +674,48 @@ tests: path: spec.template.spec.containers[0].env content: name: ATLANTIS_BITBUCKET_BASE_URL - value: "https://bitbucket.yourorganization.com" + value: https://bitbucket.yourorganization.com - it: azuredevops template: statefulset.yaml set: azuredevops: - user: foo - token: bar - webhookUser: bobby - webhookPassword: bacala + user: foo + token: bar + webhookUser: bobby + webhookPassword: bacala asserts: - contains: path: spec.template.spec.containers[0].env content: name: ATLANTIS_AZUREDEVOPS_USER - value: "foo" + value: foo - contains: path: spec.template.spec.containers[0].env content: name: ATLANTIS_AZUREDEVOPS_TOKEN valueFrom: - secretKeyRef: - key: azuredevops_token - name: my-release-atlantis-webhook + secretKeyRef: + key: azuredevops_token + name: my-release-atlantis-webhook - contains: path: spec.template.spec.containers[0].env content: name: ATLANTIS_AZUREDEVOPS_WEBHOOK_USER - value: "bobby" + value: bobby - contains: - path: spec.template.spec.containers[0].env - content: - name: ATLANTIS_AZUREDEVOPS_WEBHOOK_PASSWORD - valueFrom: - secretKeyRef: - key: azuredevops_webhook_password - name: my-release-atlantis-webhook + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_AZUREDEVOPS_WEBHOOK_PASSWORD + valueFrom: + secretKeyRef: + key: azuredevops_webhook_password + name: my-release-atlantis-webhook - it: basicAuth template: statefulset.yaml set: - basicAuth: - username: "atlantis" - password: "forever" + basicAuth: + username: atlantis + password: forever asserts: - contains: path: spec.template.spec.containers[0].env @@ -728,7 +730,6 @@ tests: secretKeyRef: key: username name: my-release-atlantis-basic-auth - - contains: path: spec.template.spec.containers[0].env content: @@ -740,7 +741,7 @@ tests: - it: basicAuthSecretName template: statefulset.yaml set: - basicAuthSecretName: "atlantis-basic-auth" + basicAuthSecretName: atlantis-basic-auth asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -763,19 +764,102 @@ tests: secretKeyRef: key: password name: atlantis-basic-auth - - - - - - - - - - - - - - - - + - it: apiSecret + template: statefulset.yaml + set: + api.secret: spongebob + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_API_SECRET + valueFrom: + secretKeyRef: + key: apisecret + name: my-release-atlantis-api + - it: apiSecretSecretName + template: statefulset.yaml + set: + apiSecretName: atlantis-api + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ATLANTIS_API_SECRET + valueFrom: + secretKeyRef: + key: apisecret + name: atlantis-api + - it: commonLabels + template: statefulset.yaml + set: + commonLabels: + team: infra + asserts: + - equal: + path: metadata.labels.team + value: infra + - it: liveneessProbe false + template: statefulset.yaml + set: + livenessProbe: + enabled: false + asserts: + - notExists: + path: spec.template.spec.containers[0].livenessProbe + - it: liveneessProbe + template: statefulset.yaml + set: + livenessProbe: + enabled: true + periodSeconds: 10 + initialDelaySeconds: 2 + timeoutSeconds: 1 + successThreshold: 2 + failureThreshold: 3 + scheme: HTTP + asserts: + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + failureThreshold: 3 + httpGet: + path: /healthz + port: 4141 + scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 2 + timeoutSeconds: 1 + - it: readinessProbe false + template: statefulset.yaml + set: + readinessProbe: + enabled: false + asserts: + - notExists: + path: spec.template.spec.containers[0].readinessProbe + - it: readinessProbe + template: statefulset.yaml + set: + readinessProbe: + enabled: true + periodSeconds: 10 + initialDelaySeconds: 2 + timeoutSeconds: 1 + successThreshold: 2 + failureThreshold: 3 + scheme: HTTP + asserts: + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + failureThreshold: 3 + httpGet: + path: /healthz + port: 4141 
+ scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 2 + timeoutSeconds: 1 diff --git a/charts/atlantis/values.schema.json b/charts/atlantis/values.schema.json index 8fc27d79..24c2d41d 100644 --- a/charts/atlantis/values.schema.json +++ b/charts/atlantis/values.schema.json @@ -358,10 +358,6 @@ "type":"string", "description":"Name of a pre-existing Kubernetes `Secret` containing a `apisecret` key. Use this instead of `api.secret`" }, - "command":{ - "type":"array", - "description":"Override the command field of the Atlantis container" - }, "commonLabels":{ "type":"object", "description":"Add Common Labels to all resources", diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml index 1eae7cab..641f0586 100644 --- a/charts/atlantis/values.yaml +++ b/charts/atlantis/values.yaml @@ -215,9 +215,6 @@ enableDiffMarkdownFormat: false # If managing secrets outside the chart for the API secret, use this variable to reference the secret name # apiSecretName: "myapisecret" -# Override the command field of the Atlantis container -# command: [] - # Common Labels for all resources created by this chart. commonLabels: {} From 3b216bcc9169da0c49f6357674600777ed216968 Mon Sep 17 00:00:00 2001 From: roytev Date: Thu, 8 Feb 2024 09:04:16 +0200 Subject: [PATCH 12/14] add back command --- README.md | 1 + charts/atlantis/templates/statefulset.yaml | 6 ++++++ charts/atlantis/tests/statefulset_test.yaml | 10 ++++++++++ charts/atlantis/values.schema.json | 4 ++++ charts/atlantis/values.yaml | 3 +++ 5 files changed, 24 insertions(+) diff --git a/README.md b/README.md index 02b26041..2d3ef3bf 100644 --- a/README.md +++ b/README.md 
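Review bot: The two probe cases are titled `liveneessProbe false` and `liveneessProbe` — a typo for `livenessProbe`, which is the key used in their own `set:` blocks and in the sibling `readinessProbe` cases; rename them so test names and values keys stay greppable. Both probe cases pin `path: /healthz` and `port: 4141` inside a whole-object `equal:` assertion, which hard-codes template defaults not set by the test; if those become configurable the assertion should be narrowed to the fields the case actually sets. The statefulset_test.yaml hunk starts at L36 and its enclosing `tests:` list continues outside it.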
@@ -83,6 +83,7 @@ The following options are supported. See [values.yaml](/charts/atlantis/values.y | `bitbucket.secret` | Webhook secret for Bitbucket repositories (Bitbucket Server only). | n/a | | `bitbucket.token` | Personal access token for the Atlantis Bitbucket user. | n/a | | `bitbucket.user` | Name of the Atlantis Bitbucket user. | n/a | +| `command` | Optionally override the [`command` field](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.14/#container-v1-core) of the Atlantis Docker container. If not set, the default Atlantis `ENTRYPOINT` is used. Must be an array. | n/a | | `commonLabels` | Add Common Labels to all resources | `{}` | | `config` | Override atlantis main configuration by config map. It's allow some additional functionality like slack notifications. | n/a | | `containerSecurityContext.allowPrivilegeEscalation` | Whether to enable privilege escalation | n/a | diff --git a/charts/atlantis/templates/statefulset.yaml b/charts/atlantis/templates/statefulset.yaml index 63b5da8a..05e5b654 100644 --- a/charts/atlantis/templates/statefulset.yaml +++ b/charts/atlantis/templates/statefulset.yaml @@ -178,6 +178,12 @@ spec: {{- if .Values.containerSecurityContext }} securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- end }} + {{- if .Values.command }} + command: + {{- range .Values.command }} + - {{ . }} + {{- end }} + {{- end }} args: - server {{- if .Values.config }} diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml index ec142374..df6ac96b 100644 --- a/charts/atlantis/tests/statefulset_test.yaml +++ b/charts/atlantis/tests/statefulset_test.yaml @@ -790,6 +790,16 @@ tests: secretKeyRef: key: apisecret name: atlantis-api + - it: command + template: statefulset.yaml + set: + command: + - printenv + asserts: + - equal: + path: spec.template.spec.containers[0].command + value: + - printenv - it: commonLabels template: statefulset.yaml set: 
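Review bot: In the re-added `command:` block of statefulset.yaml each element is rendered as `- {{ . }}` without quoting, so an entry such as `"123"` or `"true"` is emitted as a number/bool rather than a string, and an entry containing `: ` or `#` can break the rendered YAML; use `- {{ . | quote }}` or replace the loop with `{{- toYaml .Values.command | nindent 12 }}`. The matching `command` test in statefulset_test.yaml (same commit) uses a single `printenv` element and would not catch this; adding an element that needs quoting, e.g. `"true"`, and asserting it round-trips as a string would pin the fix.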
diff --git a/charts/atlantis/values.schema.json b/charts/atlantis/values.schema.json index 24c2d41d..8fc27d79 100644 --- a/charts/atlantis/values.schema.json +++ b/charts/atlantis/values.schema.json @@ -358,6 +358,10 @@ "type":"string", "description":"Name of a pre-existing Kubernetes `Secret` containing a `apisecret` key. Use this instead of `api.secret`" }, + "command":{ + "type":"array", + "description":"Override the command field of the Atlantis container" + }, "commonLabels":{ "type":"object", "description":"Add Common Labels to all resources", diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml index 641f0586..1eae7cab 100644 --- a/charts/atlantis/values.yaml +++ b/charts/atlantis/values.yaml @@ -215,6 +215,9 @@ enableDiffMarkdownFormat: false # If managing secrets outside the chart for the API secret, use this variable to reference the secret name # apiSecretName: "myapisecret" +# Override the command field of the Atlantis container +# command: [] + # Common Labels for all resources created by this chart. commonLabels: {} From f400585f4a428f2c3b1c0762f5ce73430c31a8e5 Mon Sep 17 00:00:00 2001 From: roytev Date: Thu, 8 Feb 2024 09:23:53 +0200 Subject: [PATCH 13/14] Update statefulset_test.yaml --- charts/atlantis/tests/statefulset_test.yaml | 139 +++++++++++--------- 1 file changed, 79 insertions(+), 60 deletions(-) diff --git a/charts/atlantis/tests/statefulset_test.yaml b/charts/atlantis/tests/statefulset_test.yaml index df6ac96b..34d5e5ba 100644 --- a/charts/atlantis/tests/statefulset_test.yaml +++ b/charts/atlantis/tests/statefulset_test.yaml @@ -171,16 +171,6 @@ tests: resources: requests: storage: 5Gi - - it: Statefulset annotations - template: statefulset.yaml - set: - statefulSet.annotations: - strong-stuff: "true" - asserts: - - equal: - path: metadata.annotations - value: - strong-stuff: "true" - it: replicaCount template: statefulset.yaml set: 
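Review bot: `command` is declared as `"type":"array"` with no `items` constraint, so the schema accepts an array of objects or numbers that the statefulset template then renders verbatim into the container `command`; add `"items":{"type":"string"}` so such values are rejected at `helm lint`/install time instead of surfacing as a pod-creation error. The values.yaml comment could also say the list replaces the image `ENTRYPOINT`, as the README row in this commit already does.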
@@ -189,24 +179,6 @@ tests: - equal: path: spec.replicas value: 2 - - it: podTemplate labels - template: statefulset.yaml - set: - podTemplate.labels: - team: infra - asserts: - - equal: - path: spec.template.metadata.labels.team - value: infra - - it: podTemplate annotations - template: statefulset.yaml - set: - podTemplate.annotations: - iam.amazonaws.com/role: arn:aws:iam::123456789123:role/atlantis-role - asserts: - - equal: - path: spec.template.metadata.annotations["iam.amazonaws.com/role"] - value: arn:aws:iam::123456789123:role/atlantis-role - it: hostAliases template: statefulset.yaml set: @@ -261,38 +233,6 @@ tests: - equal: path: spec.template.spec.automountServiceAccountToken value: false - - it: terminationGracePeriodSeconds - template: statefulset.yaml - set: - terminationGracePeriodSeconds: 30 - asserts: - - equal: - path: spec.template.spec.terminationGracePeriodSeconds - value: 30 - - it: securityContext - template: statefulset.yaml - set: - statefulSet.securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: Always - asserts: - - equal: - path: spec.template.spec.securityContext - value: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: Always - - it: priorityClassName - template: statefulset.yaml - set: - statefulSet.priorityClassName: high-priority - asserts: - - equal: - path: spec.template.spec.priorityClassName - value: high-priority - it: tlsSecretName template: statefulset.yaml set: 
@@ -873,3 +813,82 @@ tests:
 periodSeconds: 10
 successThreshold: 2
 timeoutSeconds: 1
+ - it: podTemplate
+ template: statefulset.yaml
+ set:
+ podTemplate:
+ annotations:
+ iam.amazonaws.com/role: arn:aws:iam::123456789123:role/atlantis-role
+ labels:
+ group: base
+ asserts:
+ - equal:
+ path: spec.template.metadata.labels.group
+ value: base
+ - equal:
+ path: spec.template.metadata.annotations["iam.amazonaws.com/role"]
+ value: arn:aws:iam::123456789123:role/atlantis-role
+ - it: Statefulset annotations
+ template: statefulset.yaml
+ set:
+ statefulSet.annotations:
+ strong-stuff: "true"
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ strong-stuff: "true"
+ - it: securityContext
+ template: statefulset.yaml
+ set:
+ statefulSet.securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: Always
+ - it: priorityClassName
+ template: statefulset.yaml
+ set:
+ statefulSet.priorityClassName: high-priority
+ asserts:
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: high-priority
+ - it: updateStrategy
+ template: statefulset.yaml
+ set:
+ statefulSet.updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 0
+ asserts:
+ - equal:
+ path: spec.updateStrategy
+ value:
+ type: RollingUpdate
+ rollingUpdate:
+ partition: 0
+ - it: shareProcessNamespace
+ template: statefulset.yaml
+ set:
+ statefulSet.shareProcessNamespace: true
+ asserts:
+ - equal:
+ path: spec.template.spec.shareProcessNamespace
+ value: true
+ - it: terminationGracePeriodSeconds
+ template: statefulset.yaml
+ set:
+ terminationGracePeriodSeconds: 30
+ asserts:
+ - equal:
+ path: spec.template.spec.terminationGracePeriodSeconds
+ value: 30
From 6760b3f71aef17ab269662ce238a68bc4b9f681d Mon Sep 17 00:00:00 2001
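Review bot: The new combined `podTemplate` test sets `annotations` and `labels` together, so unlike the separate `podTemplate labels` and `podTemplate annotations` tests dropped in the `@@ -189,24 +179,6 @@` hunk of this file it cannot catch a template that only emits one of them when the other is also present; keep a labels-only and an annotations-only case, or add a second `it` that sets just `podTemplate.labels`. The `Statefulset annotations`, `securityContext`, `priorityClassName` and `terminationGracePeriodSeconds` entries appear to be verbatim moves from earlier in the file, which adds `git blame` churn with no change in coverage, while `updateStrategy` and `shareProcessNamespace` are the only genuinely new cases. The `tests:` list begins outside the hunk.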
From: roytev
Date: Tue, 20 Feb 2024 16:03:54 +0200
Subject: [PATCH 14/14] revert fixes to be included in another pr
---
 charts/atlantis/templates/secret-webhook.yaml | 2 +-
 charts/atlantis/values.schema.json | 8 --------
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/charts/atlantis/templates/secret-webhook.yaml b/charts/atlantis/templates/secret-webhook.yaml
index ed2811d3..6d4782c4 100644
--- a/charts/atlantis/templates/secret-webhook.yaml
+++ b/charts/atlantis/templates/secret-webhook.yaml
@@ -10,7 +10,7 @@ data:
 key.pem: {{ required "githubApp.key is required if githubApp configuration is specified." .Values.githubApp.key | b64enc }}
 github_secret: {{ required "githubApp.secret is required if githubApp configuration is specified." .Values.githubApp.secret | b64enc }}
 {{- end}}
- {{- if .Values.github }}
+ {{- if .Values.github.user }}
 github_token: {{ required "github.token is required if github configuration is specified." .Values.github.token | b64enc }}
 github_secret: {{ required "github.secret is required if github configuration is specified." .Values.github.secret | b64enc }}
 {{- end}}
diff --git a/charts/atlantis/values.schema.json b/charts/atlantis/values.schema.json
index 8fc27d79..7b7f2b5d 100644
--- a/charts/atlantis/values.schema.json
+++ b/charts/atlantis/values.schema.json
@@ -35,14 +35,6 @@
 "github.com/myorg/*"
 ]
 },
- "orgWhitelist":{
- "type":"string",
- "default":"",
- "description":"Deprecated (see orgAllowlist) List of repositories from which Atlantis will accept webhooks. Accepts wildcard characters (`*`). Multiple values may be comma-separated.",
- "examples":[
- "github.com/myorg/*"
- ]
- },
 "logLevel":{
 "type":"string",
 "description":"Level to use for logging. Either debug, info, warn, or error.",
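Review bot: The restored guard `{{- if .Values.github.user }}` dereferences `github` before checking that it exists, so a values file that omits the `github` map altogether fails to render with Helm's nil-pointer error unless values.yaml defines `github` as a map, which this view does not show; `{{- if and .Values.github .Values.github.user }}` keeps the `user`-based gating without that failure mode. Note also that the keys the block actually requires are `token` and `secret`, so a values file that sets `github.token` but not `github.user` silently emits no `github_token` entry; a comment such as `# github.user switches this block on; token and secret are then required` would make that contract visible to operators. The `data:` map continues outside the hunk.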