Allow overriding test images (#186)

spiffe · Jun 14, 2023 · 4c0a1d5 · 4c0a1d5
1 parent 250fd5d
commit 4c0a1d5
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 10 deletions.
diff --git a/.github/workflows/helm-chart-ci.yaml b/.github/workflows/helm-chart-ci.yaml
@@ -56,7 +56,7 @@ jobs:
           set -o pipefail
           # Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the
           # test to pass. Ignore tests for now...
-          grep "image:" charts/spire/charts/*/templates/*.* | grep -v 'image: {{ template "' > /tmp/findings
+          grep -r "image:" charts/spire  | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings
           res=$?
           if [ $res -eq 0 ]; then
             {

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/templates/tests/test-connection.yaml
@@ -12,26 +12,26 @@ spec:
     {{- toYaml .Values.podSecurityContext | nindent 4 }}
   containers:
     - name: curl-service-name
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
     - name: curl-service-name-namespace
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
     - name: curl-service-name-namespace-svc-cluster-local
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-s', '-f', 'http://{{ include "spiffe-oidc-discovery-provider.fullname" . }}.{{ include "spiffe-oidc-discovery-provider.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/.well-known/openid-configuration']
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
     {{- if .Values.ingress.enabled }}
     - name: curl-ingress
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-s', '-f', 'http://{{ index .Values.config.domains 0 }}/.well-known/openid-configuration']
       securityContext:

diff --git a/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml b/charts/spire/charts/spiffe-oidc-discovery-provider/values.yaml
@@ -200,3 +200,18 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - oidc-discovery.example.org
+
+# @ignored
+tests:
+  bash:
+    image:
+      # -- The OCI registry to pull the tests image from
+      registry: cgr.dev
+      # -- The repository within the registry
+      repository: chainguard/bash
+      # -- The tests image pull policy
+      pullPolicy: IfNotPresent
+      # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+      version: ""
+      # -- Overrides the image tag
+      tag: 5.2.15
diff --git a/charts/spire/charts/spire-server/templates/tests/test-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-connection.yaml
@@ -12,7 +12,7 @@ spec:
     {{- toYaml .Values.podSecurityContext | nindent 4 }}
   containers:
     - name: curl
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['bash']
       args:
         - -c
@@ -31,7 +31,7 @@ spec:
         {{- toYaml .Values.securityContext | nindent 8 }}
     {{- if eq (.Values.federation.enabled | toString) "true" }}
     - name: curl-federation-bundle-endpoint
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-k', '-s', '-f', 'https://{{ include "spire-server.fullname" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.federation.bundleEndpoint.port }}']
       securityContext:

diff --git a/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/spire-server/templates/tests/test-tornjak-connection.yaml
@@ -13,13 +13,13 @@ spec:
     {{- toYaml .Values.podSecurityContext | nindent 4 }}
   containers:
     - name: curl-tornjak-backend
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/tornjak/serverinfo']
       securityContext:
         {{- toYaml .Values.securityContext | nindent 8 }}
     - name: curl-tornjak-backend-and-spire
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-k', '-s', '-f', 'http://{{ include "spire-tornjak.backend" . }}.{{ include "spire-server.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.tornjak.service.port }}/api/healthcheck']
       securityContext:

diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
@@ -370,3 +370,18 @@ tornjak:
     # requests:
     #   cpu: 100m
     #   memory: 128Mi
+
+# @ignored
+tests:
+  bash:
+    image:
+      # -- The OCI registry to pull the image from
+      registry: cgr.dev
+      # -- The repository within the registry
+      repository: chainguard/bash
+      # -- The image pull policy
+      pullPolicy: IfNotPresent
+      # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+      version: ""
+      # -- Overrides the image tag
+      tag: 5.2.15
diff --git a/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml b/charts/spire/charts/tornjak-frontend/templates/tests/test-tornjak-connection.yaml
@@ -12,7 +12,7 @@ spec:
     {{- toYaml .Values.podSecurityContext | nindent 4 }}
   containers:
     - name: curl-tornjak-frontend
-      image: cgr.dev/chainguard/bash:latest
+      image: {{ template "spire-lib.image" (dict "image" .Values.tests.bash.image "global" .Values.global) }}
       command: ['curl']
       args: ['-k', '-s', '-f', 'http://{{ include "tornjak-frontend.fullname" . }}.{{ include "tornjak-frontend.namespace" . }}.svc.{{ include "spire-lib.cluster-domain" . }}:{{ .Values.service.port }}/tornjak/serverinfo']
       securityContext:

diff --git a/charts/spire/charts/tornjak-frontend/values.yaml b/charts/spire/charts/tornjak-frontend/values.yaml
@@ -91,3 +91,18 @@ startupProbe:
   failureThreshold: 6
   # -- Success threshold count for startupProbe
   successThreshold: 1
+
+# @ignored
+tests:
+  bash:
+    image:
+      # -- The OCI registry to pull the image from
+      registry: cgr.dev
+      # -- The repository within the registry
+      repository: chainguard/bash
+      # -- The image pull policy
+      pullPolicy: IfNotPresent
+      # -- This value is deprecated in favor of tag. (Will be removed in a future release)
+      version: ""
+      # -- Overrides the image tag
+      tag: 5.2.15