v3.0.770

sanity-tests/README.md

@@ -0,0 +1,7 @@
+# Sanity tests for the agent helm chart
+
+It runs the `helm install --dry-run -f ./default.values.yaml,<values file>` command for each yaml file in `test-cases` directory. The `values` file is the `values.yaml` file in the `test-cases` directory.
+Dry run validates the rendered k8s manifests using schema from the actual k8s cluster, so you need cluster credentials available (works with local cluster too).
+It does not deploy the resources to the cluster.
+
+To add a new test create a new file in the `test-cases` directory and helm values as needed.

sanity-tests/default.values.yaml

@@ -0,0 +1,9 @@
+"agentKey": "shag-test"
+"apiGatewayUrl": "https://shag-test.agent.env0.com/shag-test"
+"awsAccessKeyIdEncoded": "dGVzdF9hY2Nlc3Nfa2V5"
+"awsSecretAccessKeyEncoded": "dGVzdF9zZWNyZXRfa2V5"
+"env0ApiGwKeyEncoded": "dGVzdF9hcGlfZ3dfa2V5"
+"isSelfHosted": "true"
+"outputLogsLogGroupName": "prerequisites-dev-k8s-shag-logs"
+stage: dev
+dockerImage: ghcr.io/env0/deployment-agent:dev

sanity-tests/env0.yaml

@@ -0,0 +1,9 @@
+version: 2
+deploy:
+  steps:
+    setupVariables:
+      after:
+        - name: EKS update kubeconfig
+          run: aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME
+        - name: Helm dry run
+          run: ./helm_dry_run.sh

sanity-tests/helm_dry_run.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+GREEN='\033[1;32m'
+RED='\033[1;31m'
+NC='\033[0m' # No Color
+
+info() {
+    echo "$1"
+}
+
+success() {
+    echo -e "${GREEN}$1${NC}"
+}
+
+error() {
+    echo -e "${RED}$1${NC}"
+}
+
+all_successful=true
+failed_tests=()
+
+for values_file in ./test-cases/*.yaml
+do
+    # Check if the file is a regular file
+    if [ -f "$values_file" ]; then
+        info "------------------------------------------------------------------------------------------------------"
+        info "Running dry-run for values file: $values_file"
+        info "------------------------------------------------------------------------------------------------------"
+
+        helm install agent ../ --dry-run  -f "./default.values.yaml,$values_file"
+
+        if [ $? -ne 0 ]; then
+            error "Dry-run failed for values file: $values_file"
+            all_successful=false
+            failed_tests+=("$values_file")
+        else
+            success "Dry-run succeeded for values file: $values_file"
+        fi
+
+    fi
+done
+
+if ! $all_successful; then
+    error "\n\n------------------------------------------------------------------------------------------------------"
+    error "The following tests failed:"
+    error "------------------------------------------------------------------------------------------------------"
+    for failed_test in "${failed_tests[@]}"
+    do
+        error "$failed_test"
+    done
+    error "------------------------------------------------------------------------------------------------------"
+    exit 1
+else
+    success "\n\n------------------------------------------------------------------------------------------------------"
+    success "All tests passed successfully!"
+    success "------------------------------------------------------------------------------------------------------"
+    exit 0
+fi

sanity-tests/main.tf

@@ -0,0 +1 @@
+resource "null_resource" "test" {}

sanity-tests/test-cases/additional-env-vars-and-custom-secrests.values.yaml

@@ -0,0 +1,11 @@
+podAdditionalEnvVars:
+  SOME_API_URL: https://api.example.com
+  TENANT_ID: "12345"
+
+customSecrets:
+  - envVarName: SOME_API_KEY
+    secretName: some-api-key
+    key: api_key
+  - envVarName: SOME_API_SECRET
+    secretName: some-api-secret
+    key: api_secret

sanity-tests/test-cases/additional-env-vars.values.yaml

@@ -0,0 +1,3 @@
+podAdditionalEnvVars:
+  SOME_API_URL: https://api.example.com
+  TENANT_ID: "12345"

sanity-tests/test-cases/additional-labels-and-annotations.values.yaml

@@ -0,0 +1,12 @@
+podAdditionalLabels:
+  deployment-label1: value1
+  deployment-label2: value2
+podAdditionalAnnotations:
+  deployment-annotation1: value1
+  deployment-annotation2: value2
+agentAdditionalLabels:
+  agent-label1: value1
+  agent-label2: value2
+agentAdditionalAnnotations:
+  agent-annotation1: value1
+  agent-annotation2: value2

sanity-tests/test-cases/affinity-with-override.values.yaml

@@ -0,0 +1,17 @@
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: nodegroup
+              operator: In
+              values:
+                - env0-system
+deploymentAffinity:
+  requiredDuringSchedulingIgnoredDuringExecution:
+    nodeSelectorTerms:
+      - matchExpressions:
+          - key: nodegroup
+            operator: In
+            values:
+              - env0-deployment

sanity-tests/test-cases/affinity.values.yaml

@@ -0,0 +1,9 @@
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: nodegroup
+              operator: In
+              values:
+                - env0-system

sanity-tests/test-cases/custom-cerificates.values.yaml

@@ -0,0 +1,3 @@
+customCertificates:
+  - db-self-signed
+  - org-root-cert

sanity-tests/test-cases/custom-secrests.values.yaml

@@ -0,0 +1,7 @@
+customSecrets:
+  - envVarName: SOME_API_KEY
+    secretName: some-api-key
+    key: api_key
+  - envVarName: SOME_API_SECRET
+    secretName: some-api-secret
+    key: api_secret

sanity-tests/test-cases/strict-security.values.yaml

@@ -0,0 +1,3 @@
+strictSecurityContext: true
+runAsUser: '1000000000'
+runAsGroup: '1000000000'

sanity-tests/test-cases/toleration.values.yaml

@@ -0,0 +1,8 @@
+tolerations:
+  - key: "key1"
+    operator: "Equal"
+    value: "value1"
+    effect: "NoSchedule"
+  - key: "key2"
+    operator: "Exists"
+    effect: "NoExecute"

sanity-tests/test-cases/with-agent-proxy.values.yaml

@@ -0,0 +1,9 @@
+agentProxy:
+  install: true
+  enableVcsWebhooksProxy: true
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 512Mi

templates/_additional_env_vars_and_custom_secrets.tpl

@@ -0,0 +1,38 @@
+{{- define "env0-agent.additional-env-vars-and-custom-secrets" -}}
+
+{{- $additional_env_vars := list -}}
+{{- $additional_secrets := list -}}
+
+{{- range $key, $value := .Values.podAdditionalEnvVars -}}
+    {{- $additional_env_vars = append $additional_env_vars (printf "\"%s\"" $key) -}}
+{{- end -}}
+
+{{- range $index, $secret := .Values.customSecrets -}}
+    {{- $additional_env_vars = append $additional_env_vars (printf "\"%s\"" $secret.envVarName) -}}
+    {{- $additional_secrets = append $additional_secrets (printf "\"%s\"" $secret.envVarName) -}}
+{{- end -}}
+
+{{- if $additional_env_vars }}
+- name: ADDITIONAL_ENV_VARS
+  value: '[{{ $additional_env_vars | join "," }}]'
+{{- end -}}
+
+{{- if $additional_secrets }}
+- name: ADDITIONAL_SECRETS_NAMES
+  value: '{{ $additional_secrets | join "," }}'
+{{- end -}}
+
+{{- range $key, $value := .Values.podAdditionalEnvVars }}
+- name: {{ $key }}
+  value: {{ $value | quote }}
+{{- end -}}
+
+{{- range $index, $secret := .Values.customSecrets }}
+- name: {{ $secret.envVarName }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $secret.secretName }}
+      key: {{ $secret.key }}
+{{- end -}}
+
+{{- end -}}

templates/_affinity_and_toleration.tpl

@@ -0,0 +1,11 @@
+{{- define "env0-agent.affinity" }}
+    {{- if . -}}
+        affinity: {{ . | toYaml | trim | nindent 2 }}
+    {{- end -}}
+{{- end -}}
+
+{{- define "env0-agent.tolerations" -}}
+    {{- if . -}}
+        tolerations: {{ . | toYaml | trim | nindent 2 }}
+    {{- end -}}
+{{- end -}}

templates/_custom_certificates.tpl

@@ -0,0 +1,30 @@
+{{- define "env0-agent.customCertificatesVolumes" -}}
+{{- if .Values.customCertificates -}}
+- name: etc-ssl-certs
+  emptyDir: { }
+- name: custom-certificates
+  projected:
+    sources:
+      {{- range .Values.customCertificates }}
+      - secret:
+          name: {{ . }}
+    {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "env0-agent.customCertificatesVolumesMounts" -}}
+{{- if .Values.customCertificates -}}
+- name: etc-ssl-certs
+  mountPath: /etc/ssl/certs
+- name: custom-certificates
+  mountPath: /usr/local/share/ca-certificates
+  readOnly: true
+{{- end -}}
+{{- end -}}
+
+{{- define "env0-agent.customCertificatesNodeOptions" -}}
+{{- if .Values.customCertificates -}}
+- name: NODE_EXTRA_CA_CERTS
+  value: /etc/ssl/certs/ca-certificates.crt
+{{- end -}}
+{{- end -}}

templates/agent-proxy.yml

@@ -1,6 +1,5 @@
-{{ if .Values.agentProxy }}
-{{ if .Values.agentProxy.install }}
-
+{{- if .Values.agentProxy }}
+{{- if .Values.agentProxy.install }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,30 +16,16 @@ spec:
       labels:
         env0: agent-proxy
         {{- if .Values.agentAdditionalLabels }}
-        {{- range $k, $v := .Values.agentAdditionalLabels }}
-        {{ $k }}: {{ $v }}
+          {{- .Values.agentAdditionalLabels | toYaml | nindent 8 -}}
         {{- end }}
-        {{ end }}
       annotations:
         forcePodRestart: {{ randAlphaNum 5 | quote }}
         {{- if .Values.agentAdditionalAnnotations }}
-        {{- range $k, $v := .Values.agentAdditionalAnnotations }}
-        "{{ $k }}": "{{ $v }}"
+          {{- .Values.agentAdditionalAnnotations | toYaml | nindent 8 -}}
         {{- end }}
-        {{ end }}  
     spec:
-      {{ if .Values.customCertificates }}
       volumes:
-        - name: etc-ssl-certs
-          emptyDir: { }
-        - name: custom-certificates
-          projected:
-            sources:
-            {{- range .Values.customCertificates }}
-            - secret:
-                name: {{ . }}
-            {{- end }}
-      {{ end }}
+        {{- include "env0-agent.customCertificatesVolumes" . | nindent 10 }}
       restartPolicy: Always
       {{ if hasKey .Values "agentImagePullSecret" }}
       imagePullSecrets:
@@ -73,14 +58,8 @@ spec:
               cpu: "{{ .Values.agentProxy.requests.cpu }}"
               memory: "{{ .Values.agentProxy.requests.memory }}"
             {{ end }}
-          {{ if .Values.customCertificates }}
           volumeMounts:
-            - name: etc-ssl-certs
-              mountPath: /etc/ssl/certs
-            - name: custom-certificates
-              mountPath: /usr/local/share/ca-certificates
-              readOnly: true          
-          {{ end }}
+            {{- include "env0-agent.customCertificatesVolumesMounts" . | nindent 12 }}
           ports:
             - containerPort: 8000
           envFrom:
@@ -111,10 +90,7 @@ spec:
               ### For calling the API GW
             - name: AGENT_API_GATEWAY_URL
               value: "{{ .Values.apiGatewayUrl }}"
-            {{ if .Values.customCertificates }}
-            - name: NODE_EXTRA_CA_CERTS
-              value: /etc/ssl/certs/ca-certificates.crt
-            {{ end }}
+            {{- include "env0-agent.customCertificatesNodeOptions" . | nindent 12 }}
             {{ if .Values.agentProxy.enableVcsWebhooksProxy }}
             - name: ENABLE_VCS_WEBHOOKS_PROXY
               value: "true"
@@ -130,15 +106,7 @@ spec:
             - name: CONSOLE_LOGS_LEVEL
               value: {{ .Values.logger.level }}
             {{ end }}
-      {{ if .Values.tolerations }}
-      # Warning - every whitespace here matters
-      tolerations: {{ range $i, $toleration := .Values.tolerations }}
-        -
-        {{ range $k, $v := $toleration }}  {{ $k }}: {{ $v }}
-        {{ end }}{{ end }}
-      {{ end }}
-      {{ if .Values.affinity }}
-      affinity: {{ .Values.affinity | toYaml | trim | nindent 8 }}
-      {{ end }}
-{{ end }}
-{{ end }}
+      {{- include "env0-agent.tolerations" .Values.tolerations | nindent 6 -}}
+      {{- include "env0-agent.affinity" .Values.affinity | nindent 6 -}}
+{{- end }}
+{{- end }}

templates/agent-trigger.yml

@@ -14,17 +14,13 @@ spec:
       labels:
         env0: agent-trigger
         {{- if .Values.agentAdditionalLabels }}
-        {{- range $k, $v := .Values.agentAdditionalLabels }}
-        {{ $k }}: {{ $v }}
+          {{- .Values.agentAdditionalLabels | toYaml | nindent 8 -}}
         {{- end }}
-        {{ end }}
       annotations:
-        forcePodRestart: {{ randAlphaNum 5 | quote }}     
+        forcePodRestart: {{ randAlphaNum 5 | quote }}
         {{- if .Values.agentAdditionalAnnotations }}
-        {{- range $k, $v := .Values.agentAdditionalAnnotations }}
-        "{{ $k }}": "{{ $v }}"
+          {{- .Values.agentAdditionalAnnotations | toYaml | nindent 8 -}}
         {{- end }}
-        {{ end }}  
     spec:
       serviceAccountName: agent-trigger-service-account
       restartPolicy: Always
@@ -104,13 +100,5 @@ spec:
             - name: CONSOLE_LOGS_LEVEL
               value: {{ .Values.logger.level }}
             {{ end }}
-      {{ if .Values.tolerations }}
-      # Warning - every whitespace here matters
-      tolerations: {{ range $i, $toleration := .Values.tolerations }}
-        -
-        {{ range $k, $v := $toleration }}  {{ $k }}: {{ $v }}
-        {{ end }}{{ end }}
-      {{ end }}
-      {{ if .Values.affinity }}
-      affinity: {{ .Values.affinity | toYaml | trim | nindent 8 }}
-      {{ end }}
+      {{- include "env0-agent.tolerations" .Values.tolerations | nindent 6 }}
+      {{- include "env0-agent.affinity" .Values.affinity | nindent 6 }}