def app_spec():
return AppSpec(
name="testapp",
namespace="default",
image="finntech/testimage:version",
replicas=3,
autoscaler=AUTOSCALER_SPEC,
resources=EMPTY_RESOURCE_SPEC,
admin_access=False,
secrets_in_environment=False,
prometheus=PROMETHEUS_SPEC,
datadog=DATADOG_SPEC,
ports=[
PortSpec(protocol="http", name="http", port=80, target_port=8080),
],
health_checks=HealthCheckSpec(
liveness=CheckSpec(tcp=TcpCheckSpec(port=8080), http=None, execute=None, initial_delay_seconds=10,
period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1),
readiness=CheckSpec(http=HttpCheckSpec(path="/", port=8080, http_headers={}), tcp=None, execute=None,
initial_delay_seconds=10, period_seconds=10, success_threshold=1, failure_threshold=3,
timeout_seconds=1)),
teams=[u'foo'],
tags=[u'bar'],
deployment_id="test_app_deployment_id",
labels=LabelAndAnnotationSpec({}, {}, {}, {}, {}),
annotations=LabelAndAnnotationSpec({}, {}, {}, {}, {}),
ingresses=[IngressItemSpec(host=None, pathmappings=[IngressPathMappingSpec(path="/", port=80)])],
strongbox=StrongboxSpec(enabled=False, iam_role=None, aws_region="eu-west-1", groups=None),
singleton=False,
ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)
)
def app_spec(**kwargs):
default_app_spec = AppSpec(
uid="c1f34517-6f54-11ea-8eaf-0ad3d9992c8c",
name="testapp",
namespace="default",
image="finntech/testimage:version",
autoscaler=AutoscalerSpec(enabled=False, min_replicas=2, max_replicas=3, cpu_threshold_percentage=50),
resources=ResourcesSpec(requests=ResourceRequirementSpec(cpu=None, memory=None),
limits=ResourceRequirementSpec(cpu=None, memory=None)),
admin_access=False,
secrets_in_environment=False,
prometheus=PrometheusSpec(enabled=True, port='http', path='/internal-backstage/prometheus'),
datadog=DatadogSpec(enabled=False, tags={}),
ports=[
PortSpec(protocol="http", name="http", port=80, target_port=8080),
],
health_checks=HealthCheckSpec(
liveness=CheckSpec(tcp=TcpCheckSpec(port=8080), http=None, execute=None, initial_delay_seconds=10,
period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1),
readiness=CheckSpec(http=HttpCheckSpec(path="/", port=8080, http_headers={}), tcp=None, execute=None,
initial_delay_seconds=10, period_seconds=10, success_threshold=1,
failure_threshold=3, timeout_seconds=1)),
teams=[u'foo'],
tags=[u'bar'],
deployment_id="test_app_deployment_id",
labels=LabelAndAnnotationSpec({}, {}, {}, {}, {}, {}),
annotations=LabelAndAnnotationSpec({}, {}, ANNOTATIONS.copy(), {}, {}, {}),
ingresses=[IngressItemSpec(host=None, pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={})],
strongbox=StrongboxSpec(enabled=False, iam_role=None, aws_region="eu-west-1", groups=None),
singleton=False,
ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None),
secrets=[]
)
return default_app_spec._replace(**kwargs)
class TestIngressTls(object):
HOSTS = [
"host1", "host2", "host3",
"this.host.is.so.long.that.it.is.impossible.to.use.as.the.common.name"
]
COLLAPSED_HOSTS = ["zgwvxk7m22jnzqmofnboadb6kpuri4st.short.suffix"] + HOSTS
INGRESS_SPEC_TLS = [
IngressTLS(hosts=["host1"], secretName="host1"),
IngressTLS(hosts=["host2"], secretName="host2"),
IngressTLS(hosts=["host3"], secretName="host3"),
IngressTLS(hosts=COLLAPSED_HOSTS, secretName="testapp-ingress-tls"),
]
@pytest.fixture
def config(self):
config = mock.create_autospec(Configuration([]), spec_set=True)
return config
@pytest.fixture
def tls(self, request, config):
config.use_ingress_tls = request.param["use_ingress_tls"]
config.tls_certificate_issuer = request.param["cert_issuer"]
config.ingress_suffixes = ["short.suffix", "really.quite.long.suffix"]
return IngressTls(config)
@pytest.mark.parametrize("tls, app_spec, spec_tls, tls_annotations", [
({
"use_ingress_tls": "default_off",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, {
"kubernetes.io/tls-acme": "true"
}),
({
"use_ingress_tls": "default_off",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=False, certificate_issuer=None)), [], None),
({
"use_ingress_tls": "default_on",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, {
"kubernetes.io/tls-acme": "true"
}),
({
"use_ingress_tls": "default_on",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=False, certificate_issuer=None)), [], None),
({
"use_ingress_tls": "disabled",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=True, certificate_issuer=None)), [], None),
({
"use_ingress_tls": "disabled",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=False, certificate_issuer=None)), [], None),
({
"use_ingress_tls": "default_off",
"cert_issuer": "letsencrypt"
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, {
"certmanager.k8s.io/cluster-issuer": "letsencrypt"
}),
({
"use_ingress_tls": "default_off",
"cert_issuer": "letsencrypt"
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=True, certificate_issuer="myoverwrite")),
INGRESS_SPEC_TLS, {
"certmanager.k8s.io/cluster-issuer": "myoverwrite"
}),
({
"use_ingress_tls": "default_off",
"cert_issuer": None
},
app_spec(ingress_tls=IngressTlsSpec(
enabled=True, certificate_issuer="myoverwrite")),
INGRESS_SPEC_TLS, {
"certmanager.k8s.io/cluster-issuer": "myoverwrite"
}),
],
indirect=['tls'])
def test_apply_tls(self, tls, app_spec, spec_tls, tls_annotations):
ingress = Ingress()
ingress.metadata = ObjectMeta()
ingress.spec = IngressSpec()
tls.apply(ingress, app_spec, self.HOSTS)
assert ingress.metadata.annotations == tls_annotations
assert ingress.spec.tls == spec_tls
@pytest.mark.parametrize("suffix, expected", [
("short.suffix", "zgwvxk7m22jnzqmofnboadb6kpuri4st.short.suffix"),
("this.is.really.a.quite.extensive.suffix",
"zgwvxk7m22jnzqmofnboadb.this.is.really.a.quite.extensive.suffix"),
("extremely.long.suffix.which.pushes.the.boundary.to.the.utmost",
"z.extremely.long.suffix.which.pushes.the.boundary.to.the.utmost"),
])
def test_shorten_name(self, config, suffix, expected):
config.use_ingress_tls = "default_on"
config.ingress_suffixes = [suffix]
tls = IngressTls(config)
actual = tls._generate_short_host(app_spec())
assert len(actual) < 64
assert expected == actual
def test_raise_when_suffix_too_long(self, config):
config.use_ingress_tls = "default_on"
config.ingress_suffixes = [
"this.suffix.is.so.long.that.it.is.impossible.to.generate.a.short.enough.name"
]
tls = IngressTls(config)
with pytest.raises(ValueError):
tls._generate_short_host(app_spec())
def test_raise_when_name_starts_with_dot(self, config):
config.use_ingress_tls = "default_on"
config.ingress_suffixes = [
"really.long.suffix.which.goes.to.the.very.edge.of.the.boundary"
]
tls = IngressTls(config)
with pytest.raises(ValueError):
tls._generate_short_host(app_spec())