

automated commit
Signed-off-by: Public copy <41898282+github-actions[bot]@users.noreply.github.com>
github-actions[bot] committed Jul 30, 2024
1 parent c539fde commit 383ea03
Showing 1 changed file with 120 additions and 130 deletions.
250 changes: 120 additions & 130 deletions images/postgres-helm-compat/tests/main.tf
@@ -1,152 +1,142 @@
terraform {
required_providers {
oci = { source = "chainguard-dev/oci" }
oci = { source = "chainguard-dev/oci" }
imagetest = { source = "chainguard-dev/imagetest" }
}
}

variable "target_repository" {}

variable "digest" {
description = "The image digest to run tests over."
}

locals { parsed = provider::oci::parse(var.digest) }

// We rely on base image ("postgresql") tests and just just run the helm test here

resource "random_id" "hex" { byte_length = 4 }

resource "helm_release" "bitnami" {
name = "postgres-${random_id.hex.hex}"
repository = "oci://registry-1.docker.io/bitnamicharts"
chart = "postgresql"
data "imagetest_inventory" "this" {}

namespace = "postgres-${random_id.hex.hex}"
create_namespace = true
module "cluster_harness" {
source = "../../../tflib/imagetest/harnesses/k3s/"

// Point the chart at our Postgres image
set {
name = "image.registry"
value = local.parsed.registry
}
set {
name = "image.repository"
value = local.parsed.repo
}
set {
name = "image.digest"
value = local.parsed.digest
}
inventory = data.imagetest_inventory.this
name = basename(path.module)
target_repository = var.target_repository
cwd = path.module
}

set {
name = "primary.containerSecurityContext.runAsUser"
value = "1001"
}
// We rely on base image ("postgresql") tests and just just run the helm test here
module "helm" {
source = "../../../tflib/imagetest/helm"

# https://artifacthub.io/packages/helm/bitnami/postgresql#securing-traffic-using-tls
values = [
jsonencode({
volumePermissions = {
enabled = true,
},
tls = {
enabled = true,
autoGenerated = true,
},
}),
]
}
chart = "oci://registry-1.docker.io/bitnamicharts/postgresql"

resource "kubernetes_job" "test_tls" {
metadata {
name = "psqlc"
namespace = helm_release.bitnami.namespace
}
spec {
backoff_limit = 4
template {
metadata {
labels = {
app = "psqlc"
}
}
spec {
init_container {
name = "chown"
image = "cgr.dev/chainguard/busybox:latest"
command = ["sh", "-c", "cp /tmp/certs/* /certs && chown -R 1001:1001 /certs && chmod 0600 /certs/*"]
volume_mount {
name = "raw-certificates"
mount_path = "/tmp/certs"
}
volume_mount {
name = "certs"
mount_path = "/certs"
}
security_context {
run_as_user = 0
}
}
container {
name = "client"
image = var.digest
security_context {
allow_privilege_escalation = false
capabilities {
drop = ["ALL"]
}
privileged = false
read_only_root_filesystem = false
run_as_non_root = true
run_as_user = 1001
seccomp_profile {
type = "RuntimeDefault"
}
}
command = [
"psql",
"host=${helm_release.bitnami.id}-postgresql.${helm_release.bitnami.id}.svc.cluster.local port=5432 sslmode=require sslcert=/certs/tls.crt sslkey=/certs/tls.key sslrootcert=/certs/ca.crt",
"-c",
"SELECT 1",
]
env {
name = "PGPASSWORD"
value_from {
secret_key_ref {
name = "${helm_release.bitnami.id}-postgresql"
key = "postgres-password"
}
}
}
volume_mount {
name = "certs"
mount_path = "/certs"
}
volume_mount {
name = "raw-certificates"
mount_path = "/tmp/certs"
}
}
volume {
name = "raw-certificates"
secret {
default_mode = "0644"
secret_name = "${helm_release.bitnami.id}-postgresql-crt"
}
}
volume {
name = "certs"
empty_dir {}
}
restart_policy = "Never"
values = {
image = {
registry = local.parsed.registry
repository = local.parsed.repo
digest = local.parsed.digest
}
primary = {
containerSecurityContext = {
runAsUser = 1001
}
}
volumePermissions = {
enabled = true
}
tls = {
enabled = true
autoGenerated = true
}
}

}

module "helm_cleanup_bitnami" {
source = "../../../tflib/helm-cleanup"
name = helm_release.bitnami.id
namespace = helm_release.bitnami.namespace
resource "imagetest_feature" "basic" {
name = "basic"
description = "Basic installation"
harness = module.cluster_harness.harness

depends_on = [kubernetes_job.test_tls]
}
steps = [
{
name = "Helm Install"
cmd = module.helm.install_cmd
},
{
name = "Test TLS"
cmd = <<EOF
cat <<EOF2 | kubectl apply -f -
apiVersion: batch/v1
kind: Job
metadata:
name: test-tls
labels:
test: test-tls
app: psqlc
spec:
template:
spec:
initContainers:
- name: chown
image: cgr.dev/chainguard/busybox:latest
workingDir: /workspace
command:
- sh
- -c
- 'cp /tmp/certs/* certs && chown -R 1001:1001 /certs && chmod 0600 /certs/*'
volumeMounts:
- name: raw-certificates
mountPath: /tmp/certs
- name: certs
mountPath: /certs
securityContext:
runAsUser: 0
containers:
- name: client
image: ${var.digest}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
command:
- psql
- host=${module.helm.release_name}-postgresql.${module.helm.release_name}.svc.cluster.local port=5432 sslmode=require sslcert=/certs/tls.crt sslkeys=/certs/tls.key sslrootcert=/certs/ca.cert
- -c
- SELECT 1
env:
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: ${module.helm.release_name}-postgresql
key: postgres-password
volumeMounts:
- name: raw-certificates
mountPath: /tmp/certs
- name: certs
mountPath: /certs
volumes:
- name: certs
emptyDir: {}
- name: raw-certificates
secret:
defaultMode: 0644
secretName: ${module.helm.release_name}-postgresql-crt
restartPolicy: Never
EOF2
kubectl wait --for=condition=complete --timeout=120s job/test-tls
EOF
}
]

labels = {
type = "k8s"
}
}
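Review bot: The psql connection string in the "Test TLS" step (the `- host=...` line inside the heredoc) spells the client-key option `sslkeys=` and the CA file `/certs/ca.cert`, whereas the removed kubernetes_job used `sslkey=` and `/certs/ca.crt`; libpq rejects unrecognised connection options, so the client container should fail before it ever connects, and the CA path looks like it no longer matches the file name the old job read from the `-postgresql-crt` secret (worth confirming against the chart's generated secret). The init container's `cp /tmp/certs/* certs` also copies into a path relative to `workingDir: /workspace` rather than the `/certs` emptyDir mount that the following `chown` and the client's `sslcert`/`sslkey` paths rely on, so the mount that the client reads would stay empty. Suggested lines: `- 'cp /tmp/certs/* /certs && chown -R 1001:1001 /certs && chmod 0600 /certs/*'` and `- host=${module.helm.release_name}-postgresql.${module.helm.release_name}.svc.cluster.local port=5432 sslmode=require sslcert=/certs/tls.crt sslkey=/certs/tls.key sslrootcert=/certs/ca.crt`. Since `sslrootcert` is supplied anyway, `sslmode=verify-full` would make the test actually check the server certificate chain and hostname, while `sslmode=require` only proves that TLS was negotiated. Note also that the Job manifest carries no `namespace`, so unless the harness sets a default namespace the secret references resolve in `default` rather than alongside the release.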

