Merge branch 'feature/PB-37679' into 'develop'

feature/PB 37679

See merge request passbolt/passbolt-ops/helm-charts/charts-passbolt!66

.github/workflows/push_pr_main.yaml

@@ -34,7 +34,7 @@ jobs:
         uses: ./.github/actions/setup_helm
 
       - name: Install Helm unit test plugin
-        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.7.0
 
       - name: Run unit tests
         run: bash run_tests.sh --unit

.gitlab-ci.yml

@@ -28,7 +28,7 @@ test Helm Charts:
   stage: test
   script:
     - helm dependency update
-    - helm plugin install https://github.com/helm-unittest/helm-unittest
+    - helm plugin install https://github.com/helm-unittest/helm-unittest --version 0.7.0
     - bash run_tests.sh --unit
 
 integration Tests Helm Charts Mariadb:

run_tests.sh

@@ -10,92 +10,92 @@ RUN_ALL=true
 CLEAN_INTEGRATION_ASSETS=true
 
 function run_linter {
-	if [[ "$RUN_LINT" == "true" || "$RUN_ALL" == "true" ]]; then
-		helm lint .
-	fi
+  if [[ "$RUN_LINT" == "true" || "$RUN_ALL" == "true" ]]; then
+    helm lint .
+  fi
 }
 
 function run_unit_tests {
-	if [[ "$RUN_UNIT" == "true" || "$RUN_ALL" == "true" ]]; then
-		helm unittest --color .
-	fi
+  if [[ "$RUN_UNIT" == "true" || "$RUN_ALL" == "true" ]]; then
+    helm unittest --color .
+  fi
 }
 
 function run_integration_tests {
-	local database="$1"
-	if [[ "$RUN_INTEGRATION" == "true" || "$RUN_ALL" == "true" ]]; then
-		source tests/integration/fixtures/install_dependencies.sh
-		installDependencies
-		bash tests/integration/fixtures/create-cluster-with-passbolt.sh "$database"
-		"$HELM_BINARY" test --logs passbolt -n default
-	fi
+  local database="$1"
+  if [[ "$RUN_INTEGRATION" == "true" || "$RUN_ALL" == "true" ]]; then
+    source tests/integration/fixtures/install_dependencies.sh
+    installDependencies
+    bash tests/integration/fixtures/create-cluster-with-passbolt.sh "$database"
+    "$HELM_BINARY" test --logs passbolt -n default
+  fi
 }
 
 function clean_integration_assets {
-	if [[ "$RUN_INTEGRATION" == "true" ]] || [[ "$RUN_ALL" == "true" ]] && [[ "$CLEAN_INTEGRATION_ASSETS" == "true" ]]; then
-		echo Cleaning integration testing assets...
-		rm -f helm kubectl kind mkcerts passbolt
-	fi
+  if [[ "$RUN_INTEGRATION" == "true" ]] || [[ "$RUN_ALL" == "true" ]] && [[ "$CLEAN_INTEGRATION_ASSETS" == "true" ]]; then
+    echo Cleaning integration testing assets...
+    rm -f helm kubectl kind mkcerts passbolt
+  fi
 }
 
 function showHelp {
-	echo "Run the available tests for passbolt helm charts"
-	echo
-	echo "Syntax: $0 [options]"
-	echo "$0 with no arguments will run all of the available tests."
-	echo
-	echo "options:"
-	echo "-h|--help                 Show this message."
-	echo "-l|--lint                 Run helm lint."
-	echo "-u|--unit                 Run helm unittest tests."
-	echo "-i|--integration          Run integration tests."
-	echo "-d|--database [option]    Database to run integration tests to [mariadb|postgresql]."
-	echo "-no-clean                 Skip cleaning step."
-	echo
-	exit 0
+  echo "Run the available tests for passbolt helm charts"
+  echo
+  echo "Syntax: $0 [options]"
+  echo "$0 with no arguments will run all of the available tests."
+  echo
+  echo "options:"
+  echo "-h|--help                 Show this message."
+  echo "-l|--lint                 Run helm lint."
+  echo "-u|--unit                 Run helm unittest tests."
+  echo "-i|--integration          Run integration tests."
+  echo "-d|--database [option]    Database to run integration tests to [mariadb|postgresql]."
+  echo "-no-clean                 Skip cleaning step."
+  echo
+  exit 0
 }
 
 function run_all {
-	run_linter
-	run_unit_tests
-	run_integration_tests "$DATABASE_ENGINGE"
-	clean_integration_assets
+  run_linter
+  run_unit_tests
+  run_integration_tests "$DATABASE_ENGINGE"
+  clean_integration_assets
 }
 
 while [[ $# -gt 0 ]]; do
-	case $1 in
-	-h | --help)
-		showHelp
-		;;
-	-l | --lint)
-		RUN_ALL=false
-		RUN_LINT=true
-		shift
-		;;
-	-u | --unit)
-		RUN_ALL=false
-		RUN_UNIT=true
-		shift
-		;;
-	-i | --integration)
-		RUN_ALL=false
-		RUN_INTEGRATION=true
-		shift
-		;;
-	-d | --database)
-		shift
-		DATABASE_ENGINGE=$1
-		shift
-		;;
-	--no-clean)
-		CLEAN_INTEGRATION_ASSETS=false
-		shift
-		;;
-	*)
-		echo "Unknown argurment $1"
-		shift
-		;;
-	esac
+  case $1 in
+  -h | --help)
+    showHelp
+    ;;
+  -l | --lint)
+    RUN_ALL=false
+    RUN_LINT=true
+    shift
+    ;;
+  -u | --unit)
+    RUN_ALL=false
+    RUN_UNIT=true
+    shift
+    ;;
+  -i | --integration)
+    RUN_ALL=false
+    RUN_INTEGRATION=true
+    shift
+    ;;
+  -d | --database)
+    shift
+    DATABASE_ENGINGE=$1
+    shift
+    ;;
+  --no-clean)
+    CLEAN_INTEGRATION_ASSETS=false
+    shift
+    ;;
+  *)
+    echo "Unknown argurment $1"
+    shift
+    ;;
+  esac
 done
 
 run_all

templates/tests/integration-tests-runner.yaml

@@ -9,14 +9,15 @@ spec:
   #serviceAccountName: -sa-common
   containers:
     - name: tests
-      image: alpine
-      command: ["/bin/sh"]
+      image: debian:stable-slim
+      command: ["/bin/bash"]
       args:
         - -c
         - |
           set -e
-          apk update && apk add -U curl bash jq gpg gpg-agent
+          apt-get update && apt-get install -y curl jq gpg gpg-agent
           cd
+          sleep 10
           bash /tests/run_tests.sh
       env:
         - name: TESTS_DEBUG

tests/deployment_redis_sidecar_test.yaml

@@ -25,6 +25,7 @@ tests:
                 subPath: haproxy.cfg
                 name: sec-redis-proxy
                 readOnly: true
+          any: true
 
   - it: should have only one redis sidecar and mount its configuration
     templates:
@@ -59,12 +60,12 @@ tests:
       app.cache.redis.enabled: false
       app.cache.redis.sentinelProxy.enabled: false
     asserts:
-      - contains:
+      - notContains:
           path: spec.template.spec.volumes
           content:
+            name: sec-redis-proxy
             secret:
               secretName: test-passbolt-sec-redis-proxy
-          count: 0
           any: true
 
   - it: should contain a volumes section
@@ -81,6 +82,7 @@ tests:
       - contains:
           path: spec.template.spec.volumes
           content:
+            name: sec-redis-proxy
             secret:
               secretName: test-passbolt-sec-redis-proxy
           count: 1

tests/integration/fixtures/create-cluster-with-passbolt.sh

@@ -5,32 +5,32 @@ set -eo pipefail
 
 DATABASE_ENGINE="${1:-mariadb}"
 KIND_CLUSTER_CONFIG_FILE="tests/integration/fixtures/kind-config.yaml"
-HELM_TESTING_VALUES="tests/integration/fixtures/testing-$DATABASE_ENGINE.yaml"
+HELM_TESTING_VALUES="tests/integration/fixtures/testing-${DATABASE_ENGINE}.yaml"
 KIND_CLUSTER_NAME="charts-passbolt-integration"
 K8S_LOCAL_TLS_SECRET="local-tls-secret"
 SSL_KEY_PATH="/tmp/ssl.key"
 SSL_CERT_PATH="/tmp/ssl.crt"
 
 function createKindCluster {
-  echo "Creating kind cluster: $KIND_CLUSTER_NAME"
-  "$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME"
+  echo "Creating kind cluster: ${KIND_CLUSTER_NAME}"
+  "${KIND_BINARY}" create cluster --config "${KIND_CLUSTER_CONFIG_FILE}" --name "${KIND_CLUSTER_NAME}"
 }
 
 function installNginxIngress {
-  "$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-  "$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx
+  "${KUBECTL_BINARY}" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+  "${KUBECTL_BINARY}" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx
 }
 
 function http_port {
-  if [ "$ROOTLESS" == true ]; then
+  if [ "${ROOTLESS}" == true ]; then
     echo 8080
   else
     echo 80
   fi
 }
 
 function https_port {
-  if [ "$ROOTLESS" == true ]; then
+  if [ "${ROOTLESS}" == true ]; then
     echo 4433
   else
     echo 443
@@ -39,10 +39,10 @@ function https_port {
 
 function image_tag {
   tag="$(awk -F ' ' '/^    tag:/ {print $2}' values.yaml)"
-  if [ "$ROOTLESS" == true ]; then
-    echo "$tag"-non-root
+  if [ "${ROOTLESS}" == true ]; then
+    echo "${tag}"-non-root
   else
-    echo "$tag"
+    echo "${tag}"
   fi
 }
 
@@ -52,75 +52,75 @@ function upgradePassboltChart {
   local fingerprint=""
   local jwt_private_key=""
   local jwt_public_key=""
-  private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s 
+  private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")
   public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}")
   fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}')
   jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}")
   jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}")
-  "$HELM_BINARY" upgrade -i passbolt . \
-    -f "$HELM_TESTING_VALUES" \
+  "${HELM_BINARY}" upgrade -i passbolt . \
+    -f "${HELM_TESTING_VALUES}" \
     -n default \
-    --set integrationTests.debug="$DEBUG" \
-    --set integrationTests.rootless="$ROOTLESS" \
+    --set integrationTests.debug="${DEBUG}" \
+    --set integrationTests.rootless="${ROOTLESS}" \
     --set app.image.tag="$(image_tag)" \
-    --set gpgServerKeyPrivate="$private_key" \
-    --set gpgServerKeyPublic="$public_key" \
-    --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \
-    --set jwtServerPrivate="$jwt_private_key" \
-    --set jwtServerPublic="$jwt_public_key" \
+    --set gpgServerKeyPrivate="${private_key}" \
+    --set gpgServerKeyPublic="${public_key}" \
+    --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="${fingerprint}" \
+    --set jwtServerPrivate="${jwt_private_key}" \
+    --set jwtServerPublic="${jwt_public_key}" \
     --set service.ports.https.targetPort="$(https_port)" \
     --set service.ports.http.targetPort="$(http_port)"
 }
 
 function installPassboltChart {
-  if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then
-    "$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami
-    "$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library
-    "$HELM_BINARY" dependency build
+  if [[ -n "${GITLAB_CI}" || -n "${GITHUB_WORKFLOW}" ]]; then
+    "${HELM_BINARY}" repo add bitnami https://charts.bitnami.com/bitnami
+    "${HELM_BINARY}" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library
+    "${HELM_BINARY}" dependency build
   fi
-  if "$HELM_BINARY" status passbolt; then
+  if "${HELM_BINARY}" status passbolt; then
     upgradePassboltChart
   else
-    "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default \
+    "${HELM_BINARY}" install passbolt . -f "${HELM_TESTING_VALUES}" -n default \
       --set service.ports.https.targetPort="$(https_port)" \
       --set service.ports.http.targetPort="$(http_port)" \
       --set app.image.tag="$(image_tag)" \
-      --set integrationTests.debug="$DEBUG" \
-      --set integrationTests.rootless="$ROOTLESS"
+      --set integrationTests.debug="${DEBUG}" \
+      --set integrationTests.rootless="${ROOTLESS}"
   fi
-  "$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default
+  "${KUBECTL_BINARY}" rollout status deployment passbolt-depl-srv --timeout=120s -n default
 }
 
 function createAndInstallSSLCertificates {
-  local domain="${1-passbolt.local}"
-  local ssl_key_path="$SSL_KEY_PATH"
-  local ssl_cert_path="$SSL_CERT_PATH"
-  "$MKCERT_BINARY" -install
-  "$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain"
-  "$KUBECTL_BINARY" create secret generic mkcert-ca \
-    --from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \
-    --from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \
+  local domain="passbolt.local"
+  local ssl_key_path="${SSL_KEY_PATH}"
+  local ssl_cert_path="${SSL_CERT_PATH}"
+  "${MKCERT_BINARY}" -install
+  "${MKCERT_BINARY}" -cert-file "${ssl_cert_path}" -key-file "${ssl_key_path}" "${domain}"
+  "${KUBECTL_BINARY}" create secret generic mkcert-ca \
+    --from-file=rootCA-key.pem="$(${MKCERT_BINARY} -CAROOT)"/rootCA-key.pem \
+    --from-file=rootCA.pem="$(${MKCERT_BINARY} -CAROOT)"/rootCA.pem \
     -n default
 }
 
 function createSecretWithTLS {
-  local secret_name="$K8S_LOCAL_TLS_SECRET"
-  local ssl_key_path="$SSL_KEY_PATH"
-  local ssl_cert_path="$SSL_CERT_PATH"
-  if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then
-    "$KUBECTL_BINARY" delete secret $secret_name -n default
+  local secret_name="${K8S_LOCAL_TLS_SECRET}"
+  local ssl_key_path="${SSL_KEY_PATH}"
+  local ssl_cert_path="${SSL_CERT_PATH}"
+  if "${KUBECTL_BINARY}" get secret ${secret_name} -n default &>/dev/null; then
+    "${KUBECTL_BINARY}" delete secret ${secret_name} -n default
   fi
-  "$KUBECTL_BINARY" create secret tls $secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default
+  "${KUBECTL_BINARY}" create secret tls ${secret_name} --cert="${ssl_cert_path}" --key="${ssl_key_path}" -n default
 }
 function createInfraAndInstallPassboltChart {
-  if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then
+  if ! "${KUBECTL_BINARY}" config view -o jsonpath='{.contexts[*].name}' | grep -q "${KIND_CLUSTER_NAME}"; then
     createKindCluster
     createAndInstallSSLCertificates
     createSecretWithTLS
     installNginxIngress
     installPassboltChart
   else
-    echo "Cluster $KIND_CLUSTER_NAME already exists"
+    echo "Cluster ${KIND_CLUSTER_NAME} already exists"
   fi
 }