d9c3d084be
# What this PR does Short summary: this PR improves security and configuration management for Helm deployment. Please take a look at the details below. ## Which issue(s) this PR fixes Issues: - Cannot explicitly define redis database (only 0 and 1 numbers are used) - Cannot securely use TLS for Redis (cannot set CA certificate; cannot set client certificates) - Cannot securely use TLS for Postgres (cannot set CA certificate; cannot set client certificates; cannot set `verify-full` validation) - ~~Chart option `securityContext.readOnlyRootFilesystem: true` issues CrashLoopBack pod state~~ will be moved to new PR ## Checklist - [x] ~~Unit, integration, and e2e (if applicable) tests updated~~ (not required) - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required) - [x] Helm tests are fixed and updated - [x] Manually verified the features: - [x] postgres TLS connection with `verify-full` validation - [x] redis TLS connection with `cert_required` validation - [x] redis protocol and database number controls - [x] all containers properly work in read-only root filesystem - [x] all changes are backward compatible (doesn't break old deployments) ## Changelog - Fixed helm tests - Added configuration options for secure TLS communication with dependencies like Redis, MySQL, and Postgres - ~~Added configuration option for relocating `celerybeat` database file (read-only root filesystem issue)~~ will be moved to new PR - Improved redis database configuration options - Now only single redis database is used - Added ability to mount custom volumes (with CA certificates, for example) into Helm chart - ~~Fixed issue with read-only root filesystem for Helm chart~~ will be moved to new PR - Add ability to work with Redis ACL (and AWS ElastiCache)
126 lines
3.8 KiB
YAML
126 lines
3.8 KiB
YAML
suite: test PostgreSQL password envs for deployments
|
|
release:
|
|
name: oncall
|
|
templates:
|
|
- engine/deployment.yaml
|
|
- engine/job-migrate.yaml
|
|
- celery/deployment.yaml
|
|
- telegram-polling/deployment.yaml
|
|
- secrets.yaml
|
|
tests:
|
|
- it: secrets -> should fail if externalPostgresql.password not set
|
|
set:
|
|
database.type: postgresql
|
|
postgresql.enabled: false
|
|
externalPostgresql.host: some-postgres-host
|
|
asserts:
|
|
- failedTemplate:
|
|
errorMessage: >-
|
|
externalPostgresql.password is required if not postgresql.enabled and not externalPostgresql.existingSecret
|
|
template: secrets.yaml
|
|
|
|
- it: externalPostgresql.password -> should create a Secret -postgresql-external
|
|
templates:
|
|
- engine/deployment.yaml
|
|
- engine/job-migrate.yaml
|
|
- celery/deployment.yaml
|
|
- telegram-polling/deployment.yaml
|
|
set:
|
|
telegramPolling.enabled: true
|
|
database.type: postgresql
|
|
postgresql.enabled: false
|
|
externalPostgresql:
|
|
password: abcd123
|
|
host: some-postgres-host
|
|
asserts:
|
|
- contains:
|
|
path: spec.template.spec.containers[0].env
|
|
content:
|
|
name: DATABASE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: oncall-postgresql-external
|
|
key: postgres-password
|
|
- containsDocument:
|
|
kind: Secret
|
|
apiVersion: v1
|
|
metadata.name: oncall-postgresql-external
|
|
template: secrets.yaml
|
|
- equal:
|
|
path: data.postgres-password
|
|
value: abcd123
|
|
decodeBase64: true
|
|
documentIndex: 1
|
|
template: secrets.yaml
|
|
|
|
- it: externalPostgresql.existingSecret -> should use existing secret
|
|
templates:
|
|
- engine/deployment.yaml
|
|
- engine/job-migrate.yaml
|
|
- celery/deployment.yaml
|
|
- telegram-polling/deployment.yaml
|
|
set:
|
|
telegramPolling.enabled: true
|
|
database.type: postgresql
|
|
postgresql.enabled: false
|
|
externalPostgresql:
|
|
existingSecret: some-postgres-secret
|
|
host: some-postgres-host
|
|
passwordKey: postgres-password-key
|
|
asserts:
|
|
- contains:
|
|
path: spec.template.spec.containers[0].env
|
|
content:
|
|
name: DATABASE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: some-postgres-secret
|
|
key: postgres-password-key
|
|
|
|
- it: externalPostgresql.passwordKey -> should be used for existing secret
|
|
templates:
|
|
- engine/deployment.yaml
|
|
- engine/job-migrate.yaml
|
|
- celery/deployment.yaml
|
|
- telegram-polling/deployment.yaml
|
|
set:
|
|
telegramPolling.enabled: true
|
|
database.type: postgresql
|
|
postgresql.enabled: false
|
|
externalPostgresql:
|
|
host: some-postgres-host
|
|
existingSecret: some-postgres-secret
|
|
passwordKey: postgres.key
|
|
asserts:
|
|
- contains:
|
|
path: spec.template.spec.containers[0].env
|
|
content:
|
|
name: DATABASE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: some-postgres-secret
|
|
key: postgres.key
|
|
|
|
- it: postgresql.auth -> should use internal Postgresql custom settings
|
|
templates:
|
|
- engine/deployment.yaml
|
|
- engine/job-migrate.yaml
|
|
- celery/deployment.yaml
|
|
- telegram-polling/deployment.yaml
|
|
set:
|
|
telegramPolling.enabled: true
|
|
database.type: postgresql
|
|
postgresql:
|
|
enabled: true
|
|
auth:
|
|
database: grafana_oncall
|
|
username: grafana_oncall
|
|
asserts:
|
|
- contains:
|
|
path: spec.template.spec.containers[0].env
|
|
content:
|
|
name: DATABASE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: oncall-postgresql
|
|
key: password
|