def app_spec():
return AppSpec(
name="testapp",
namespace="default",
image="finntech/testimage:version",
replicas=3,
autoscaler=AUTOSCALER_SPEC,
resources=EMPTY_RESOURCE_SPEC,
admin_access=False,
secrets_in_environment=False,
prometheus=PROMETHEUS_SPEC,
datadog=DATADOG_SPEC,
ports=[
PortSpec(protocol="http", name="http", port=80, target_port=8080),
],
health_checks=HealthCheckSpec(
liveness=CheckSpec(tcp=TcpCheckSpec(port=8080), http=None, execute=None, initial_delay_seconds=10,
period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1),
readiness=CheckSpec(http=HttpCheckSpec(path="/", port=8080, http_headers={}), tcp=None, execute=None,
initial_delay_seconds=10, period_seconds=10, success_threshold=1, failure_threshold=3,
timeout_seconds=1)),
teams=[u'foo'],
tags=[u'bar'],
deployment_id="test_app_deployment_id",
labels=LabelAndAnnotationSpec({}, {}, {}, {}, {}),
annotations=LabelAndAnnotationSpec({}, {}, {}, {}, {}),
ingresses=[IngressItemSpec(host=None, pathmappings=[IngressPathMappingSpec(path="/", port=80)])],
strongbox=StrongboxSpec(enabled=False, iam_role=None, aws_region="eu-west-1", groups=None),
singleton=False,
ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)
)
def app_spec(**kwargs):
default_app_spec = AppSpec(
uid="c1f34517-6f54-11ea-8eaf-0ad3d9992c8c",
name="testapp",
namespace="default",
image="finntech/testimage:version",
autoscaler=AutoscalerSpec(enabled=False, min_replicas=2, max_replicas=3, cpu_threshold_percentage=50),
resources=ResourcesSpec(requests=ResourceRequirementSpec(cpu=None, memory=None),
limits=ResourceRequirementSpec(cpu=None, memory=None)),
admin_access=False,
secrets_in_environment=False,
prometheus=PrometheusSpec(enabled=True, port='http', path='/internal-backstage/prometheus'),
datadog=DatadogSpec(enabled=False, tags={}),
ports=[
PortSpec(protocol="http", name="http", port=80, target_port=8080),
],
health_checks=HealthCheckSpec(
liveness=CheckSpec(tcp=TcpCheckSpec(port=8080), http=None, execute=None, initial_delay_seconds=10,
period_seconds=10, success_threshold=1, failure_threshold=3, timeout_seconds=1),
readiness=CheckSpec(http=HttpCheckSpec(path="/", port=8080, http_headers={}), tcp=None, execute=None,
initial_delay_seconds=10, period_seconds=10, success_threshold=1,
failure_threshold=3, timeout_seconds=1)),
teams=[u'foo'],
tags=[u'bar'],
deployment_id="test_app_deployment_id",
labels=LabelAndAnnotationSpec({}, {}, {}, {}, {}, {}),
annotations=LabelAndAnnotationSpec({}, {}, ANNOTATIONS.copy(), {}, {}, {}),
ingresses=[IngressItemSpec(host=None, pathmappings=[IngressPathMappingSpec(path="/", port=80)], annotations={})],
strongbox=StrongboxSpec(enabled=False, iam_role=None, aws_region="eu-west-1", groups=None),
singleton=False,
ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None),
secrets=[]
)
return default_app_spec._replace(**kwargs)
def test_legacy_strongbox_secrets(self, deployment, app_spec):
config = mock.create_autospec(Configuration([]), spec_set=True)
config.strongbox_init_container_image = STRONGBOX_IMAGE
app_spec = app_spec._replace(
strongbox=StrongboxSpec(enabled=True,
iam_role="iam_role",
aws_region="eu-west-1",
groups=["group1", "group2"]))
generic_init_secrets = mock.create_autospec(GenericInitSecrets(config),
spec_set=True,
instance=True)
generic_init_secrets.supports.side_effect = lambda _type: _type == 'strongbox'
secrets = Secrets(
config,
mock.create_autospec(KubernetesSecrets(),
spec_set=True,
instance=True), generic_init_secrets)
expected_spec = SecretsSpec(
type="strongbox",
parameters={
"AWS_REGION": "eu-west-1",
"SECRET_GROUPS": "group1,group2"
},
annotations={"iam.amazonaws.com/role": "iam_role"})
secrets.apply(deployment, app_spec)
generic_init_secrets.apply.assert_called_once_with(
deployment, app_spec, expected_spec)
def test_secret_selection(self, request, secrets_mode, secrets, deployment,
app_spec, kubernetes_secrets,
generic_init_secrets, config):
generic_enabled, strongbox_enabled, app_strongbox_enabled, app_spec_secrets_enabled, default_enabled, \
wanted_mock_name = secrets_mode
generic_init_secrets.supports.side_effect = self.mock_supports(
generic_enabled, strongbox_enabled, default_enabled)
if not generic_enabled:
assert config.secrets_init_container_image is None
if app_strongbox_enabled:
strongbox = StrongboxSpec(enabled=True,
iam_role="iam_role",
aws_region="eu-west-1",
groups=["group1", "group2"])
else:
strongbox = StrongboxSpec(enabled=False,
iam_role=None,
aws_region="eu-west-1",
groups=None)
if app_spec_secrets_enabled:
app_spec_secrets = APP_SPEC_SECRETS
else:
app_spec_secrets = []
app_spec = app_spec._replace(strongbox=strongbox,
secrets=app_spec_secrets)
secrets.apply(deployment, app_spec)
wanted_mock = request.getfixturevalue(wanted_mock_name)
if wanted_mock == generic_init_secrets:
kubernetes_secrets.apply.assert_not_called()
generic_init_secrets.apply.assert_called_once()
else:
generic_init_secrets.apply.assert_not_called()
kubernetes_secrets.apply.assert_called_once()
def test_secret_selection(self, request, secrets_mode, secrets, deployment,
app_spec, kubernetes_secrets,
generic_init_secrets, strongbox_secrets):
generic_enabled, strongbox_enabled, app_strongbox_enabled, wanted_mock_name = secrets_mode
if app_strongbox_enabled:
strongbox = StrongboxSpec(enabled=True,
iam_role="iam_role",
aws_region="eu-west-1",
groups=["group1"])
else:
strongbox = StrongboxSpec(enabled=False,
iam_role=None,
aws_region="eu-west-1",
groups=None)
app_spec = app_spec._replace(strongbox=strongbox)
secrets.apply(deployment, app_spec)
wanted_mock = request.getfixturevalue(wanted_mock_name)
wanted_mock.apply.assert_called_once_with(deployment, app_spec)
for m in (kubernetes_secrets, generic_init_secrets, strongbox_secrets):
if m != wanted_mock:
m.apply.assert_not_called()
def app_spec(self, app_spec):
strongbox = StrongboxSpec(enabled=True,
iam_role=self.IAM_ROLE,
aws_region=self.AWS_REGION,
groups=self.GROUPS)
return app_spec._replace(strongbox=strongbox)