Resolve "Mutual SSL Auth For Helm TIller"

author: Mayra Cabrera <mcabrera@gitlab.com> 2018-08-07 15:39:38 +0300
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-08-07 15:39:38 +0300
commit: fc134096370c94bc1312060c42ed69b2665f0f95 (patch)
tree: 7e2a8764e590ae7128058cad67165f8ff1c66722 /spec/lib
parent: b3deca7a2606a6b2cef464ed08417be4ffb0cb6b (diff)
7 files changed, 91 insertions, 73 deletions
diff --git a/spec/lib/gitlab/kubernetes/config_map_spec.rb b/spec/lib/gitlab/kubernetes/config_map_spec.rb
index e253b291277..fe65d03875f 100644
--- a/spec/lib/gitlab/kubernetes/config_map_spec.rb
+++ b/spec/lib/gitlab/kubernetes/config_map_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Gitlab::Kubernetes::ConfigMap do
   let(:kubeclient) { double('kubernetes client') }
   let(:application) { create(:clusters_applications_prometheus) }
-  let(:config_map) { described_class.new(application.name, application.values) }
+  let(:config_map) { described_class.new(application.name, application.files) }
   let(:namespace) { Gitlab::Kubernetes::Helm::NAMESPACE }
 
   let(:metadata) do
@@ -15,7 +15,7 @@ describe Gitlab::Kubernetes::ConfigMap do
   end
 
   describe '#generate' do
-    let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: { values: application.values }) }
+    let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: application.files) }
     subject { config_map.generate }
 
     it 'should build a Kubeclient Resource' do
diff --git a/spec/lib/gitlab/kubernetes/helm/api_spec.rb b/spec/lib/gitlab/kubernetes/helm/api_spec.rb
index 6e9b4ca0869..341f71a3e49 100644
--- a/spec/lib/gitlab/kubernetes/helm/api_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/api_spec.rb
@@ -39,7 +39,7 @@ describe Gitlab::Kubernetes::Helm::Api do
     end
 
     context 'with a ConfigMap' do
-      let(:resource) { Gitlab::Kubernetes::ConfigMap.new(application.name, application.values).generate }
+      let(:resource) { Gitlab::Kubernetes::ConfigMap.new(application.name, application.files).generate }
 
       it 'creates a ConfigMap on kubeclient' do
         expect(client).to receive(:create_config_map).with(resource).once
diff --git a/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb
index 7be8be54d5e..d50616e95e8 100644
--- a/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/base_command_spec.rb
@@ -2,7 +2,25 @@ require 'spec_helper'
 
 describe Gitlab::Kubernetes::Helm::BaseCommand do
   let(:application) { create(:clusters_applications_helm) }
-  let(:base_command) { described_class.new(application.name) }
+  let(:test_class) do
+    Class.new do
+      include Gitlab::Kubernetes::Helm::BaseCommand
+
+      def name
+        "test-class-name"
+      end
+
+      def files
+        {
+          some: 'value'
+        }
+      end
+    end
+  end
+
+  let(:base_command) do
+    test_class.new
+  end
 
   subject { base_command }
 
@@ -18,15 +36,9 @@ describe Gitlab::Kubernetes::Helm::BaseCommand do
     end
   end
 
-  describe '#config_map?' do
-    subject { base_command.config_map? }
-
-    it { is_expected.to be_falsy }
-  end
-
   describe '#pod_name' do
     subject { base_command.pod_name }
 
-    it { is_expected.to eq('install-helm') }
+    it { is_expected.to eq('install-test-class-name') }
   end
 end
diff --git a/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
new file mode 100644
index 00000000000..167bee22fc3
--- /dev/null
+++ b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe Gitlab::Kubernetes::Helm::Certificate do
+  describe '.generate_root' do
+    subject { described_class.generate_root }
+
+    it 'should generate a root CA that expires a long way in the future' do
+      expect(subject.cert.not_after).to be > 999.years.from_now
+    end
+  end
+
+  describe '#issue' do
+    subject { described_class.generate_root.issue }
+
+    it 'should generate a cert that expires soon' do
+      expect(subject.cert.not_after).to be < 60.minutes.from_now
+    end
+
+    context 'passing in INFINITE_EXPIRY' do
+      subject { described_class.generate_root.issue(expires_in: described_class::INFINITE_EXPIRY) }
+
+      it 'should generate a cert that expires a long way in the future' do
+        expect(subject.cert.not_after).to be > 999.years.from_now
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
index 89e36a298f8..dcbc046cf00 100644
--- a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
@@ -2,9 +2,9 @@ require 'spec_helper'
 
 describe Gitlab::Kubernetes::Helm::InitCommand do
   let(:application) { create(:clusters_applications_helm) }
-  let(:commands) { 'helm init >/dev/null' }
+  let(:commands) { 'helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem >/dev/null' }
 
-  subject { described_class.new(application.name) }
+  subject { described_class.new(name: application.name, files: {}) }
 
   it_behaves_like 'helm commands'
 end
diff --git a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
index cd456a45287..982e2f41043 100644
--- a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
@@ -1,83 +1,82 @@
 require 'rails_helper'
 
 describe Gitlab::Kubernetes::Helm::InstallCommand do
-  let(:application) { create(:clusters_applications_prometheus) }
-  let(:namespace) { Gitlab::Kubernetes::Helm::NAMESPACE }
-  let(:install_command) { application.install_command }
+  let(:files) { { 'ca.pem': 'some file content' } }
+  let(:repository) { 'https://repository.example.com' }
+  let(:version) { '1.2.3' }
+
+  let(:install_command) do
+    described_class.new(
+      name: 'app-name',
+      chart: 'chart-name',
+      files: files,
+      version: version, repository: repository
+    )
+  end
 
   subject { install_command }
 
-  context 'for ingress' do
-    let(:application) { create(:clusters_applications_ingress) }
-
-    it_behaves_like 'helm commands' do
-      let(:commands) do
-        <<~EOS
-         helm init --client-only >/dev/null
-         helm install #{application.chart} --name #{application.name} --version #{application.version} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
-        EOS
-      end
+  it_behaves_like 'helm commands' do
+    let(:commands) do
+      <<~EOS
+      helm init --client-only >/dev/null
+      helm repo add app-name https://repository.example.com
+      helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+      EOS
     end
   end
 
-  context 'for prometheus' do
-    let(:application) { create(:clusters_applications_prometheus) }
+  context 'when there is no repository' do
+    let(:repository) { nil }
 
     it_behaves_like 'helm commands' do
       let(:commands) do
         <<~EOS
          helm init --client-only >/dev/null
-         helm install #{application.chart} --name #{application.name} --version #{application.version} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+         helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
         EOS
       end
     end
   end
 
-  context 'for runner' do
-    let(:ci_runner) { create(:ci_runner) }
-    let(:application) { create(:clusters_applications_runner, runner: ci_runner) }
+  context 'when there is no ca.pem file' do
+    let(:files) { { 'file.txt': 'some content' } }
 
     it_behaves_like 'helm commands' do
       let(:commands) do
         <<~EOS
          helm init --client-only >/dev/null
-         helm repo add #{application.name} #{application.repository}
-         helm install #{application.chart} --name #{application.name} --version #{application.version} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+         helm repo add app-name https://repository.example.com
+         helm install chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
         EOS
       end
     end
   end
 
-  context 'for jupyter' do
-    let(:application) { create(:clusters_applications_jupyter) }
+  context 'when there is no version' do
+    let(:version) { nil }
 
     it_behaves_like 'helm commands' do
       let(:commands) do
         <<~EOS
          helm init --client-only >/dev/null
-         helm repo add #{application.name} #{application.repository}
-         helm install #{application.chart} --name #{application.name} --version #{application.version} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+         helm repo add app-name https://repository.example.com
+         helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
         EOS
       end
     end
   end
 
-  describe '#config_map?' do
-    subject { install_command.config_map? }
-
-    it { is_expected.to be_truthy }
-  end
-
   describe '#config_map_resource' do
     let(:metadata) do
       {
-        name: "values-content-configuration-#{application.name}",
-        namespace: namespace,
-        labels: { name: "values-content-configuration-#{application.name}" }
+        name: "values-content-configuration-app-name",
+        namespace: 'gitlab-managed-apps',
+        labels: { name: "values-content-configuration-app-name" }
       }
     end
 
-    let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: { values: application.values }) }
+    let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: files) }
 
     subject { install_command.config_map_resource }
 
diff --git a/spec/lib/gitlab/kubernetes/helm/pod_spec.rb b/spec/lib/gitlab/kubernetes/helm/pod_spec.rb
index 43adc80d576..ec64193c0b2 100644
--- a/spec/lib/gitlab/kubernetes/helm/pod_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/pod_spec.rb
@@ -2,14 +2,13 @@ require 'rails_helper'
 
 describe Gitlab::Kubernetes::Helm::Pod do
   describe '#generate' do
-    let(:cluster) { create(:cluster) }
-    let(:app) {  create(:clusters_applications_prometheus, cluster: cluster) }
+    let(:app) {  create(:clusters_applications_prometheus) }
     let(:command) {  app.install_command }
     let(:namespace) { Gitlab::Kubernetes::Helm::NAMESPACE }
 
     subject { described_class.new(command, namespace) }
 
-    shared_examples 'helm pod' do
+    context 'with a command' do
       it 'should generate a Kubeclient::Resource' do
         expect(subject.generate).to be_a_kind_of(Kubeclient::Resource)
       end
@@ -41,10 +40,6 @@ describe Gitlab::Kubernetes::Helm::Pod do
         spec = subject.generate.spec
         expect(spec.restartPolicy).to eq('Never')
       end
-    end
-
-    context 'with a install command' do
-      it_behaves_like 'helm pod'
 
       it 'should include volumes for the container' do
         container = subject.generate.spec.containers.first
@@ -60,24 +55,8 @@ describe Gitlab::Kubernetes::Helm::Pod do
       it 'should mount configMap specification in the volume' do
         volume = subject.generate.spec.volumes.first
         expect(volume.configMap['name']).to eq("values-content-configuration-#{app.name}")
-        expect(volume.configMap['items'].first['key']).to eq('values')
-        expect(volume.configMap['items'].first['path']).to eq('values.yaml')
-      end
-    end
-
-    context 'with a init command' do
-      let(:app) { create(:clusters_applications_helm, cluster: cluster) }
-
-      it_behaves_like 'helm pod'
-
-      it 'should not include volumeMounts inside the container' do
-        container = subject.generate.spec.containers.first
-        expect(container.volumeMounts).to be_nil
-      end
-
-      it 'should not a volume inside the specification' do
-        spec = subject.generate.spec
-        expect(spec.volumes).to be_nil
+        expect(volume.configMap['items'].first['key']).to eq(:'values.yaml')
+        expect(volume.configMap['items'].first['path']).to eq(:'values.yaml')
       end
     end
   end
author	Mayra Cabrera <mcabrera@gitlab.com>	2018-08-07 15:39:38 +0300
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2018-08-07 15:39:38 +0300
commit	fc134096370c94bc1312060c42ed69b2665f0f95 (patch)
tree	7e2a8764e590ae7128058cad67165f8ff1c66722 /spec/lib
parent	b3deca7a2606a6b2cef464ed08417be4ffb0cb6b (diff)