def app_spec(): return AppSpec( name="testapp", namespace="default", image="finntech/testimage:version", replicas=3, autoscaler=AUTOSCALER_SPEC, resources=EMPTY_RESOURCE_SPEC, admin_access=False, secrets_in_environment=False, prometheus=PROMETHEUS_SPEC, datadog=DATADOG_SPEC, ports=[ PortSpec(protocol="http", name="http", port=80, target_port=8080), ], health_checks=HealthCheckSpec( liveness=CheckSpec(tcp=TcpCheckSpec(port=8080), http=None, execute=None, initial_delay_seconds=10, period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1), readiness=CheckSpec(http=HttpCheckSpec(path="/", port=8080, http_headers={}), tcp=None, execute=None, initial_delay_seconds=10, period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1)), teams=[u'foo'], tags=[u'bar'], deployment_id="test_app_deployment_id", labels=LabelAndAnnotationSpec({}, {}, {}, {}, {}), annotations=LabelAndAnnotationSpec({}, {}, {}, {}, {}), ingresses=[IngressItemSpec(host=None, pathmappings=[IngressPathMappingSpec(path="/", port=80)])], strongbox=StrongboxSpec(enabled=False, iam_role=None, aws_region="eu-west-1", groups=None), singleton=False, ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None) )
def app_spec(**kwargs): default_app_spec = AppSpec( uid="c1f34517-6f54-11ea-8eaf-0ad3d9992c8c", name="testapp", namespace="default", image="finntech/testimage:version", autoscaler=AutoscalerSpec(enabled=False, min_replicas=2, max_replicas=3, cpu_threshold_percentage=50), resources=ResourcesSpec(requests=ResourceRequirementSpec(cpu=None, memory=None), limits=ResourceRequirementSpec(cpu=None, memory=None)), admin_access=False, secrets_in_environment=False, prometheus=PrometheusSpec(enabled=True, port='http', path='/internal-backstage/prometheus'), datadog=DatadogSpec(enabled=False, tags={}), ports=[ PortSpec(protocol="http", name="http", port=80, target_port=8080), ], health_checks=HealthCheckSpec( liveness=CheckSpec(tcp=TcpCheckSpec(port=8080), http=None, execute=None, initial_delay_seconds=10, period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1), readiness=CheckSpec(http=HttpCheckSpec(path="/", port=8080, http_headers={}), tcp=None, execute=None, initial_delay_seconds=10, period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1)), teams=[u'foo'], tags=[u'bar'], deployment_id="test_app_deployment_id", labels=LabelAndAnnotationSpec({}, {}, {}, {}, {}, {}), annotations=LabelAndAnnotationSpec({}, {}, ANNOTATIONS.copy(), {}, {}, {}), ingresses=[IngressItemSpec(host=None, pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={})], strongbox=StrongboxSpec(enabled=False, iam_role=None, aws_region="eu-west-1", groups=None), singleton=False, ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None), secrets=[] ) return default_app_spec._replace(**kwargs)
class TestIngressTls(object): HOSTS = [ "host1", "host2", "host3", "this.host.is.so.long.that.it.is.impossible.to.use.as.the.common.name" ] COLLAPSED_HOSTS = ["zgwvxk7m22jnzqmofnboadb6kpuri4st.short.suffix"] + HOSTS INGRESS_SPEC_TLS = [ IngressTLS(hosts=["host1"], secretName="host1"), IngressTLS(hosts=["host2"], secretName="host2"), IngressTLS(hosts=["host3"], secretName="host3"), IngressTLS(hosts=COLLAPSED_HOSTS, secretName="testapp-ingress-tls"), ] @pytest.fixture def config(self): config = mock.create_autospec(Configuration([]), spec_set=True) return config @pytest.fixture def tls(self, request, config): config.use_ingress_tls = request.param["use_ingress_tls"] config.tls_certificate_issuer = request.param["cert_issuer"] config.ingress_suffixes = ["short.suffix", "really.quite.long.suffix"] return IngressTls(config) @pytest.mark.parametrize("tls, app_spec, spec_tls, tls_annotations", [ ({ "use_ingress_tls": "default_off", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, { "kubernetes.io/tls-acme": "true" }), ({ "use_ingress_tls": "default_off", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=False, certificate_issuer=None)), [], None), ({ "use_ingress_tls": "default_on", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, { "kubernetes.io/tls-acme": "true" }), ({ "use_ingress_tls": "default_on", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=False, certificate_issuer=None)), [], None), ({ "use_ingress_tls": "disabled", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=True, certificate_issuer=None)), [], None), ({ "use_ingress_tls": "disabled", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=False, certificate_issuer=None)), [], None), ({ "use_ingress_tls": "default_off", "cert_issuer": "letsencrypt" }, app_spec(ingress_tls=IngressTlsSpec( enabled=True, certificate_issuer=None)), INGRESS_SPEC_TLS, { "certmanager.k8s.io/cluster-issuer": "letsencrypt" }), ({ "use_ingress_tls": "default_off", "cert_issuer": "letsencrypt" }, app_spec(ingress_tls=IngressTlsSpec( enabled=True, certificate_issuer="myoverwrite")), INGRESS_SPEC_TLS, { "certmanager.k8s.io/cluster-issuer": "myoverwrite" }), ({ "use_ingress_tls": "default_off", "cert_issuer": None }, app_spec(ingress_tls=IngressTlsSpec( enabled=True, certificate_issuer="myoverwrite")), INGRESS_SPEC_TLS, { "certmanager.k8s.io/cluster-issuer": "myoverwrite" }), ], indirect=['tls']) def test_apply_tls(self, tls, app_spec, spec_tls, tls_annotations): ingress = Ingress() ingress.metadata = ObjectMeta() ingress.spec = IngressSpec() tls.apply(ingress, app_spec, self.HOSTS) assert ingress.metadata.annotations == tls_annotations assert ingress.spec.tls == spec_tls @pytest.mark.parametrize("suffix, expected", [ ("short.suffix", "zgwvxk7m22jnzqmofnboadb6kpuri4st.short.suffix"), ("this.is.really.a.quite.extensive.suffix", "zgwvxk7m22jnzqmofnboadb.this.is.really.a.quite.extensive.suffix"), ("extremely.long.suffix.which.pushes.the.boundary.to.the.utmost", "z.extremely.long.suffix.which.pushes.the.boundary.to.the.utmost"), ]) def test_shorten_name(self, config, suffix, expected): config.use_ingress_tls = "default_on" config.ingress_suffixes = [suffix] tls = IngressTls(config) actual = tls._generate_short_host(app_spec()) assert len(actual) < 64 assert expected == actual def test_raise_when_suffix_too_long(self, config): config.use_ingress_tls = "default_on" config.ingress_suffixes = [ "this.suffix.is.so.long.that.it.is.impossible.to.generate.a.short.enough.name" ] tls = IngressTls(config) with pytest.raises(ValueError): tls._generate_short_host(app_spec()) def test_raise_when_name_starts_with_dot(self, config): config.use_ingress_tls = "default_on" config.ingress_suffixes = [ "really.long.suffix.which.goes.to.the.very.edge.of.the.boundary" ] tls = IngressTls(config) with pytest.raises(ValueError): tls._generate_short_host(app_spec())