From 9c094d0581c46d3d107facdc55cb2cc7a1d9f765 Mon Sep 17 00:00:00 2001 From: Jack Lucas Date: Tue, 25 Jun 2019 18:52:55 -0400 Subject: Add TLS support for client-only apps Also enhance unit tests to do more robust checking of results. Issue-ID: DCAEGEN2-1550 Change-Id: Icf6e5357d828e19db73bb58b98fd60e9f111d0dc Signed-off-by: Jack Lucas --- k8s/configure/configure.py | 14 +++- k8s/k8s-node-type.yaml | 5 +- k8s/k8sclient/k8sclient.py | 53 ++++++++++----- k8s/k8splugin/tasks.py | 10 ++- k8s/pom.xml | 2 +- k8s/setup.py | 2 +- k8s/tests/common.py | 135 +++++++++++++++++++++++++++++++++++++ k8s/tests/conftest.py | 53 ++++++++++++--- k8s/tests/test_k8sclient.py | 100 +-------------------------- k8s/tests/test_k8sclient_deploy.py | 48 +++++++++++++ 10 files changed, 290 insertions(+), 132 deletions(-) create mode 100644 k8s/tests/common.py create mode 100644 k8s/tests/test_k8sclient_deploy.py (limited to 'k8s') diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py index e15939a..9f7929e 100644 --- a/k8s/configure/configure.py +++ b/k8s/configure/configure.py @@ -35,6 +35,10 @@ FB_IMAGE = "docker.elastic.co/beats/filebeat:5.5.0" TLS_CERT_PATH = "/opt/tls/shared" TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.0" +TLS_CA_CERT_PATH = "/opt/dcae/cacert/cacert.pem" +TLS_CA_CONFIGMAP = "dcae-cacert-configmap" + +CBS_BASE_URL = "https://config-binding-service:10443/service_component_all" def _set_defaults(): """ Set default configuration parameters """ @@ -51,10 +55,16 @@ def _set_defaults(): "config_map" : FB_CONFIG_MAP, # ConfigMap holding the filebeat configuration "image": FB_IMAGE # Docker image to use for filebeat }, - "tls": { # Configuration for setting up TLS init container + "tls": { # Configuration for setting up TLS "cert_path" : TLS_CERT_PATH, # mount point for certificate volume in TLS init container - "image": TLS_IMAGE # Docker image to use for TLS init container + "image": TLS_IMAGE, # Docker image to use for TLS init container + "component_ca_cert_path": TLS_CA_CERT_PATH, # Mount point for CA cert for components that are clients only + "ca_cert_configmap": TLS_CA_CONFIGMAP # ConfigMap holding CA cert for components that are clients only + }, + "cbs": { + "base_url" : CBS_BASE_URL # URL prefix for accessing config binding service } + } def configure(config_path=_CONFIG_PATH, key = _CONSUL_KEY): diff --git a/k8s/k8s-node-type.yaml b/k8s/k8s-node-type.yaml index 273da7a..c32d834 100644 --- a/k8s/k8s-node-type.yaml +++ b/k8s/k8s-node-type.yaml @@ -18,14 +18,11 @@ tosca_definitions_version: cloudify_dsl_1_3 -imports: - - http://www.getcloudify.org/spec/cloudify/3.4/types.yaml - plugins: k8s: executor: 'central_deployment_agent' package_name: k8splugin - package_version: 1.4.13 + package_version: 1.5.0 data_types: diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py index 681ea6b..273b9f3 100644 --- a/k8s/k8sclient/k8sclient.py +++ b/k8s/k8sclient/k8sclient.py @@ -93,7 +93,7 @@ def _parse_interval(t): raise ValueError("Bad interval specification: {0}".format(t)) return time -def _create_probe(hc, port, use_tls=False): +def _create_probe(hc, port): ''' Create a Kubernetes probe based on info in the health check dictionary hc ''' probe_type = hc['type'] probe = None @@ -133,7 +133,7 @@ def _create_resources(resources=None): else: return None -def _create_container_object(name, image, always_pull, use_tls=False, env={}, container_ports=[], volume_mounts = [], resources = None, readiness = None, liveness = None): +def _create_container_object(name, image, always_pull, env={}, container_ports=[], volume_mounts = [], resources = None, readiness = None, liveness = None): # Set up environment variables # Copy any passed in environment variables env_vars = [client.V1EnvVar(name=k, value=env[k]) for k in env.keys()] @@ -150,12 +150,12 @@ def _create_container_object(name, image, always_pull, use_tls=False, env={}, co hc_port = None if len(container_ports) > 0: (hc_port, proto) = container_ports[0] - probe = _create_probe(readiness, hc_port, use_tls) + probe = _create_probe(readiness, hc_port) if liveness: hc_port = None if len(container_ports) > 0: (hc_port, proto) = container_ports[0] - live_probe = _create_probe(liveness, hc_port, use_tls) + live_probe = _create_probe(liveness, hc_port) if resources: resources_obj = _create_resources(resources) @@ -376,9 +376,11 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, r "config_subpath" : subpath for config data in filebeat container "config_map" : ConfigMap holding the filebeat configuration "image": Docker image to use for filebeat - - tls: a dictionary of TLS init container parameters: + - tls: a dictionary of TLS-related information: "cert_path": mount point for certificate volume in init container "image": Docker image to use for TLS init container + "component_ca_cert_path" : mount point for CA cert for client-only containers + "ca_cert_configmap": the name of the ConfigMap where the CA cert is stored kwargs may have: - volumes: array of volume objects, where a volume object is: {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"} @@ -453,7 +455,7 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, r sidecar_volume_mounts.append(client.V1VolumeMount(name="filebeat-data", mount_path=fb["data_path"])) # Create the container for the sidecar - containers.append(_create_container_object("filebeat", fb["image"], False, False, {}, [], sidecar_volume_mounts)) + containers.append(_create_container_object("filebeat", fb["image"], False, {}, [], sidecar_volume_mounts)) # Create the volume for the sidecar configuration data and the volume mount for it # The configuration data is in a k8s ConfigMap that should be created when DCAE is installed. @@ -462,25 +464,44 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, r sidecar_volume_mounts.append( client.V1VolumeMount(name="filebeat-conf", mount_path=fb["config_path"], sub_path=fb["config_subpath"])) - # Set up the TLS init container, if needed - tls_info = kwargs.get("tls_info") - use_tls = False - if tls_info and "use_tls" in tls_info and tls_info["use_tls"]: - if "cert_directory" in tls_info and len(tls_info["cert_directory"]) > 0: - use_tls = True - tls_config = k8sconfig["tls"] + # Set up TLS information + # Two different ways of doing this, depending on whether the container will act as a TLS server or as a client only + # If a server, then tls_info will be passed, and tls_info["use_tls"] will be set to true. We create an InitContainer + # that sets up the CA cert, the server cert, and the keys. + # If a client only, only the CA cert is needed. We mount the CA cert from a ConfigMap that has been created as part + # of the installation process. If there is cert_directory information in tls_info, we use that directory in the mount path. + # Otherwise, we use the configured default path in tls_config. + tls_info = kwargs.get("tls_info") + tls_config = k8sconfig["tls"] + tls_server = False + cert_directory = None + + if tls_info and "cert_directory" in tls_info and len(tls_info["cert_directory"]) > 0: + cert_directory = tls_info["cert_directory"] + if tls_info and tls_info.get("use_tls", False): + tls_server = True + # Use an InitContainer to set up the certificate information # Create the certificate volume and volume mounts volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource())) - volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=tls_info["cert_directory"])) + volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory)) init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])] # Create the init container - init_containers.append(_create_container_object("init-tls", tls_config["image"], False, False, {}, [], init_volume_mounts)) + init_containers.append(_create_container_object("init-tls", tls_config["image"], False, {}, [], init_volume_mounts)) + + if not tls_server: + # Use a config map + # Create the CA cert volume + volumes.append(client.V1Volume(name="tls-cacert", config_map=client.V1ConfigMapVolumeSource(name=tls_config["ca_cert_configmap"]))) + + # Create the volume mount + mount_path= cert_directory if cert_directory else os.path.dirname(tls_config["component_ca_cert_path"]) + volume_mounts.append(client.V1VolumeMount(name="tls-cacert", mount_path=mount_path)) # Create the container for the component # Make it the first container in the pod - containers.insert(0, _create_container_object(component_name, image, always_pull, use_tls, kwargs.get("env", {}), container_ports, volume_mounts, resources, kwargs["readiness"], kwargs.get("liveness"))) + containers.insert(0, _create_container_object(component_name, image, always_pull, kwargs.get("env", {}), container_ports, volume_mounts, resources, kwargs["readiness"], kwargs.get("liveness"))) # Build the k8s Deployment object labels = kwargs.get("labels", {}) diff --git a/k8s/k8splugin/tasks.py b/k8s/k8splugin/tasks.py index ab72b57..ecd3ffa 100644 --- a/k8s/k8splugin/tasks.py +++ b/k8s/k8splugin/tasks.py @@ -44,6 +44,8 @@ CONSUL_INTERNAL_NAME = plugin_conf.get("consul_dns_name") DCAE_NAMESPACE = plugin_conf.get("namespace") DEFAULT_MAX_WAIT = plugin_conf.get("max_wait", 1800) DEFAULT_K8S_LOCATION = plugin_conf.get("default_k8s_location") +COMPONENT_CA_CERT_PATH = plugin_conf.get("tls").get("component_ca_cert_path") +CBS_BASE_URL = plugin_conf.get("cbs").get("base_url") # Used to construct delivery urls for data router subscribers. Data router in FTL # requires https but this author believes that ONAP is to be defaulted to http. @@ -279,13 +281,19 @@ def _create_and_start_container(container_name, image, **kwargs): - msb_list: array of msb objects, where an msb object is as described in msb/msb.py. - log_info: an object with info for setting up ELK logging, with the form: {"log_directory": "/path/to/container/log/directory", "alternate_fb_path" : "/alternate/sidecar/log/path"}" + - tls_info: an object with information for setting up the component to act as a TLS server, with the form: + {"use_tls" : true_or_false, "cert_directory": "/path/to/directory_where_certs_should_be_placed" } - replicas: number of replicas to be launched initially - readiness: object with information needed to create a readiness check - liveness: object with information needed to create a liveness check - k8s_location: name of the Kubernetes location (cluster) where the component is to be deployed ''' + tls_info = kwargs.get("tls_info") env = { "CONSUL_HOST": CONSUL_INTERNAL_NAME, - "CONFIG_BINDING_SERVICE": "config-binding-service" } + "CONFIG_BINDING_SERVICE": "config-binding-service", + "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(tls_info["cert_directory"]) if (tls_info and tls_info["cert_directory"]) else COMPONENT_CA_CERT_PATH, + "CBS_CONFIG_URL" : "{0}/{1}".format(CBS_BASE_URL, container_name) + } env.update(kwargs.get("envs", {})) ctx.logger.info("Starting k8s deployment for {}, image: {}, env: {}, kwargs: {}".format(container_name, image, env, kwargs)) ctx.logger.info("Passing k8sconfig: {}".format(plugin_conf)) diff --git a/k8s/pom.xml b/k8s/pom.xml index b99816a..d96ebe1 100644 --- a/k8s/pom.xml +++ b/k8s/pom.xml @@ -28,7 +28,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. org.onap.dcaegen2.platform.plugins k8s k8s-plugin - 1.4.13-SNAPSHOT + 1.5.0-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/k8s/setup.py b/k8s/setup.py index 6a9dcac..5d27438 100644 --- a/k8s/setup.py +++ b/k8s/setup.py @@ -23,7 +23,7 @@ from setuptools import setup setup( name='k8splugin', description='Cloudify plugin for containerized components deployed using Kubernetes', - version="1.4.13", + version="1.5.0", author='J. F. Lucas, Michael Hwang, Tommy Carpenter', packages=['k8splugin','k8sclient','msb','configure'], zip_safe=False, diff --git a/k8s/tests/common.py b/k8s/tests/common.py new file mode 100644 index 0000000..67f70a6 --- /dev/null +++ b/k8s/tests/common.py @@ -0,0 +1,135 @@ +# ============LICENSE_START======================================================= +# org.onap.dcae +# ================================================================================ +# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +# Common functions for unit testing +def _set_k8s_configuration(): + ''' Set up the basic k8s configuration ''' + return { + "image_pull_secrets" : ["secret0", "secret1"], + "filebeat" : { + "log_path": "/var/log/onap", + "data_path": "/usr/share/filebeat/data", + "config_path": "/usr/share/filebeat/filebeat.yml", + "config_subpath": "filebeat.yml", + "image" : "filebeat-repo/filebeat:latest", + "config_map" : "dcae-filebeat-configmap" + }, + "tls" : { + "cert_path": "/opt/certs", + "image": "tlsrepo/tls-init-container:1.2.3", + "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem", + "ca_cert_configmap": "dcae-cacert-configmap" + }, + "cbs": { + "base_url": "https://config-binding-service:10443/service_component_all/test-component" + } + } + +def _set_resources(): + ''' Set resources ''' + return { + "limits": { + "cpu" : 0.5, + "memory" : "2Gi" + }, + "requests": { + "cpu" : 0.5, + "memory" : "2Gi" + } + } + +def _set_common_kwargs(): + ''' Set kwargs common to all test cases ''' + return { + "volumes": [ + {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw"}} + ], + "ports": ["80:0", "443:0"], + "env": {"NAME0": "value0", "NAME1": "value1"}, + "log_info": {"log_directory": "/path/to/container/log/directory"}, + "readiness": {"type": "http", "endpoint" : "/ready"} + } + +def _get_item_by_name(list, name): + ''' Search a list of k8s API objects with the specified name ''' + for item in list: + if item.name == name: + return item + return None + +def check_env_var(env_list, name, value): + e = _get_item_by_name(env_list, name) + assert e and e.value == value + +def verify_common(dep, deployment_description): + ''' Check results common to all test cases ''' + assert deployment_description["deployment"] == "dep-testcomponent" + assert deployment_description["namespace"] == "k8stest" + assert deployment_description["services"][0] == "testcomponent" + + # For unit test purposes, we want to make sure that the deployment object + # we're passing to the k8s API is correct + app_container = dep.spec.template.spec.containers[0] + assert app_container.image == "example.com/testcomponent:1.4.3" + assert app_container.image_pull_policy == "IfNotPresent" + assert len(app_container.ports) == 2 + assert app_container.ports[0].container_port == 80 + assert app_container.ports[1].container_port == 443 + assert app_container.readiness_probe.http_get.path == "/ready" + assert app_container.readiness_probe.http_get.scheme == "HTTP" + assert len(app_container.volume_mounts) == 3 + assert app_container.volume_mounts[0].mount_path == "/path/on/container" + assert app_container.volume_mounts[1].mount_path == "/path/to/container/log/directory" + + # Check environment variables + env = app_container.env + check_env_var(env, "NAME0", "value0") + check_env_var(env, "NAME1", "value1") + + # Should have a log container with volume mounts + log_container = dep.spec.template.spec.containers[1] + assert log_container.image == "filebeat-repo/filebeat:latest" + assert log_container.volume_mounts[0].mount_path == "/var/log/onap/testcomponent" + assert log_container.volume_mounts[0].name == "component-log" + assert log_container.volume_mounts[1].mount_path == "/usr/share/filebeat/data" + assert log_container.volume_mounts[1].name == "filebeat-data" + assert log_container.volume_mounts[2].mount_path == "/usr/share/filebeat/filebeat.yml" + assert log_container.volume_mounts[2].name == "filebeat-conf" + + # Needs to be correctly labeled so that the Service can find it + assert dep.spec.template.metadata.labels["app"] == "testcomponent" + + +def do_deploy(tls_info=None): + ''' Common deployment operations ''' + import k8sclient.k8sclient + + k8s_test_config = _set_k8s_configuration() + + resources = _set_resources() + + kwargs = _set_common_kwargs() + if tls_info: + kwargs["tls_info"] = tls_info + + dep, deployment_description = k8sclient.k8sclient.deploy("k8stest","testcomponent","example.com/testcomponent:1.4.3",1,False, k8s_test_config, resources, **kwargs) + + # Make sure all of the basic k8s parameters are correct + verify_common(dep, deployment_description) + + return dep, deployment_description \ No newline at end of file diff --git a/k8s/tests/conftest.py b/k8s/tests/conftest.py index 572a510..4716b5a 100644 --- a/k8s/tests/conftest.py +++ b/k8s/tests/conftest.py @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # org.onap.dcae # ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,13 +22,48 @@ import pytest @pytest.fixture() def mockconfig(monkeypatch): + from configure import configure """ Override the regular configure() routine that reads a file and calls Consul""" def altconfig(): - return { - "consul_host": "consul", - "namespace":"dcae", - "consul_dns_name" : "consul", - "image_pull_secrets" : [] - } - from configure import configure - monkeypatch.setattr(configure, 'configure', altconfig) \ No newline at end of file + config = configure._set_defaults() + config["consul_host"] = config["consul_dns_name"] + return config + monkeypatch.setattr(configure, 'configure', altconfig) + +@pytest.fixture() +def mockk8sapi(monkeypatch): + import k8sclient.k8sclient + from kubernetes import client + + # We need to patch the kubernetes 'client' module + # Awkward because of the way it requires a function call + # to get an API object + core = client.CoreV1Api() + ext = client.ExtensionsV1beta1Api() + + def pseudo_deploy(namespace, dep): + return dep + + def pseudo_service(namespace, svc): + return svc + + # patched_core returns a CoreV1Api object with the + # create_namespaced_service method stubbed out so that there + # is no attempt to call the k8s API server + def patched_core(): + monkeypatch.setattr(core, "create_namespaced_service", pseudo_service) + return core + + # patched_ext returns an ExtensionsV1beta1Api object with the + # create_namespaced_deployment method stubbed out so that there + # is no attempt to call the k8s API server + def patched_ext(): + monkeypatch.setattr(ext,"create_namespaced_deployment", pseudo_deploy) + return ext + + def pseudo_configure(loc): + pass + + monkeypatch.setattr(k8sclient.k8sclient,"_configure_api", pseudo_configure) + monkeypatch.setattr(client, "CoreV1Api", patched_core) + monkeypatch.setattr(client,"ExtensionsV1beta1Api", patched_ext) diff --git a/k8s/tests/test_k8sclient.py b/k8s/tests/test_k8sclient.py index 70ebf05..079748c 100644 --- a/k8s/tests/test_k8sclient.py +++ b/k8s/tests/test_k8sclient.py @@ -16,6 +16,8 @@ # limitations under the License. # ============LICENSE_END========================================================= +# Basic sanity tests for k8sclient functions + import pytest def test_parse_interval(): @@ -174,101 +176,3 @@ def test_create_probe(): for hc in script_checks: probe = _create_probe(hc, 13131) assert probe._exec.command[0] == hc["script"] - -def test_deploy(monkeypatch): - import k8sclient.k8sclient - from kubernetes import client - - # We need to patch the kubernetes 'client' module - # Awkward because of the way it requires a function call - # to get an API object - core = client.CoreV1Api() - ext = client.ExtensionsV1beta1Api() - - def pseudo_deploy(namespace, dep): - return dep - - def pseudo_service(namespace, svc): - return svc - - # patched_core returns a CoreV1Api object with the - # create_namespaced_service method stubbed out so that there - # is no attempt to call the k8s API server - def patched_core(): - monkeypatch.setattr(core, "create_namespaced_service", pseudo_service) - return core - - # patched_ext returns an ExtensionsV1beta1Api object with the - # create_namespaced_deployment method stubbed out so that there - # is no attempt to call the k8s API server - def patched_ext(): - monkeypatch.setattr(ext,"create_namespaced_deployment", pseudo_deploy) - return ext - - def pseudo_configure(loc): - pass - - monkeypatch.setattr(k8sclient.k8sclient,"_configure_api", pseudo_configure) - monkeypatch.setattr(client, "CoreV1Api", patched_core) - monkeypatch.setattr(client,"ExtensionsV1beta1Api", patched_ext) - - k8s_test_config = { - "image_pull_secrets" : ["secret0", "secret1"], - "filebeat" : { - "log_path": "/var/log/onap", - "data_path": "/usr/share/filebeat/data", - "config_path": "/usr/share/filebeat/filebeat.yml", - "config_subpath": "filebeat.yml", - "image" : "filebeat-repo/filebeat:latest", - "config_map" : "dcae-filebeat-configmap" - }, - "tls" : { - "cert_path": "/opt/certs", - "image": "tlsrepo/tls-init-container:1.2.3" - } - } - - resources = { - "limits": { - "cpu" : 0.5, - "memory" : "2Gi" - }, - "requests": { - "cpu" : 0.5, - "memory" : "2Gi" - } - } - - kwargs = { - "volumes": [ - {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw"}} - ], - "ports": ["80:0", "443:0"], - "env": {"name0": "value0", "name1": "value1"}, - "log_info": {"log_directory": "/path/to/container/log/directory"}, - "tls_info": {"use_tls": True, "cert_directory": "/path/to/container/cert/directory" }, - "readiness": {"type": "http", "endpoint" : "/ready"} - } - dep, deployment_description = k8sclient.k8sclient.deploy("k8stest","testcomponent","example.com/testcomponent:1.4.3",1,False, k8s_test_config, resources, **kwargs) - - assert deployment_description["deployment"] == "dep-testcomponent" - assert deployment_description["namespace"] == "k8stest" - assert deployment_description["services"][0] == "testcomponent" - - # For unit test purposes, we want to make sure that the deployment object - # we're passing to the k8s API is correct - app_container = dep.spec.template.spec.containers[0] - assert app_container.image == "example.com/testcomponent:1.4.3" - assert app_container.image_pull_policy == "IfNotPresent" - assert len(app_container.ports) == 2 - assert app_container.ports[0].container_port == 80 - assert app_container.ports[1].container_port == 443 - assert app_container.readiness_probe.http_get.path == "/ready" - assert app_container.readiness_probe.http_get.scheme == "HTTP" - assert len(app_container.volume_mounts) == 3 - assert app_container.volume_mounts[0].mount_path == "/path/on/container" - assert app_container.volume_mounts[1].mount_path == "/path/to/container/log/directory" - assert app_container.volume_mounts[2].mount_path == "/path/to/container/cert/directory" - - # Needs to be correctly labeled so that the Service can find it - assert dep.spec.template.metadata.labels["app"] == "testcomponent" diff --git a/k8s/tests/test_k8sclient_deploy.py b/k8s/tests/test_k8sclient_deploy.py new file mode 100644 index 0000000..4e8a11d --- /dev/null +++ b/k8s/tests/test_k8sclient_deploy.py @@ -0,0 +1,48 @@ +# ============LICENSE_START======================================================= +# org.onap.dcae +# ================================================================================ +# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +# Test k8sclient deployment functions +# Verify that for a given configuration and set of inputs, k8sclient generates the proper +# Kubernetes entities + +import pytest +from common import do_deploy + +def test_deploy_full_tls(mockk8sapi): + ''' Deploy component with a full TLS configuration, to act as a server ''' + + dep, deployment_description = do_deploy({"use_tls": True, "cert_directory": "/path/to/container/cert/directory" }) + + app_container = dep.spec.template.spec.containers[0] + assert app_container.volume_mounts[2].mount_path == "/path/to/container/cert/directory" + +def test_deploy_tls_off(mockk8sapi): + ''' TLS client only, but with cert directory configured ''' + + dep, deployment_description = do_deploy({"use_tls": False, "cert_directory": "/path/to/container/cert/directory" }) + + app_container = dep.spec.template.spec.containers[0] + assert app_container.volume_mounts[2].mount_path == "/path/to/container/cert/directory" + +def test_deploy_no_tls_info(mockk8sapi): + ''' TLS client only, but with cert directory configured ''' + + dep, deployment_description = do_deploy() + + app_container = dep.spec.template.spec.containers[0] + assert app_container.volume_mounts[2].mount_path == "/opt/dcae/cacert" -- cgit 1.2.3-korg