diff --git a/bin/common.bash b/bin/common.bash
index d15c4ebb36..2c541736b5 100644
--- a/bin/common.bash
+++ b/bin/common.bash
@@ -344,13 +344,41 @@ validate_version() {
# future.
validate_config() {
log_info "Validating $1 config"
+
+ check_conditionals() {
+ merged_config="${1}"
+ template_config="${2}"
+
+ # Loop all lines in ${template_config} and checks if same option has conditional set-me in ${merged_config}
+ options="$(yq_read_block "${template_config}" "set-me-if-*")"
+ for opt in ${options}; do
+ opt_value="$(yq4 "${opt}" "${merged_config}")"
+ opt_value_no_list="$(yq4 "[.] | flatten | .[0]" <<< "${opt_value}")"
+
+ if [[ "${opt_value_no_list}" =~ ^set-me-if-.*$ ]]; then
+ required_condition="$(sed -rn 's/^set-me-if-(.*)/\1/p' <<< "${opt_value_no_list}")"
+ if [[ "$(yq4 "${required_condition}" "${merged_config}")" == "true" ]]; then
+ # If the option is a list, set the first element in the list
+ if [[ "$(yq4 "${opt} | tag" "${merged_config}")" == "!!seq" ]]; then
+ yq4 "${opt}[0] = \"set-me\"" -i "${merged_config}"
+ yq4 "${opt}[0] = \"set-me\"" -i "${template_config}"
+ log_info "Set-me condition matched for ${opt}"
+ else
+ yq4 "${opt} = \"set-me\"" -i "${merged_config}"
+ yq4 "${opt} = \"set-me\"" -i "${template_config}"
+ log_info "Set-me condition matched for ${opt}"
+ fi
+ fi
+ fi
+ done
+ }
+
validate() {
merged_config="${1}"
template_config="${2}"
# Loop all lines in ${template_config} and warns if same option is not available in ${merged_config}
options=$(yq_read_block "${template_config}" "set-me")
- maybe_exit="false"
for opt in ${options}; do
compare=$(diff <(yq4 -oj "${opt}" "${template_config}") <(yq4 -oj "${opt}" "${merged_config}") || true)
if [[ -z "${compare}" ]]; then
@@ -358,10 +386,6 @@ validate_config() {
maybe_exit="true"
fi
done
-
- if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
- ask_abort
- fi
}
schema_validate() {
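Review bot: `check_conditionals` rewrites the operator's own configuration file in place (`yq4 "${opt} = \"set-me\"" -i "${merged_config}"` and the `[0]` variant), so after a single run the `set-me-if-(...)` marker in that file is permanently replaced by `set-me`, and the warning emitted by `validate` then fires unconditionally even if the condition is later switched off. The marker being evaluated is also read from `${merged_config}` rather than from `${template_config}`, so a stale unparenthesised value in a user config (the `set-me-if-ingressNginx.controller.service.enabled` form this commit removes from the provider defaults) has its tail handed to `yq4` as an expression instead of being recognised as out of date. The later hunk of this function applies the same in-place write to `${secrets[secrets_file]}`, which is the more worrying target if that file is kept encrypted on disk. Running `check_conditionals` and `validate` against a temporary copy of the merged config (made with `mktemp` like `template_file`, and removed by the same trap) would keep both files untouched. `validate_config` continues outside this hunk.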
@@ -376,20 +400,19 @@ validate_config() {
sed -r 's/^.*_(..-config\.yaml): fail: (.*)/\1: \2/; / failed validation$/q' < "${schema_validation_result}"
grep -oP '(?<=fail: )[^:]+' "${schema_validation_result}" | sort -u | while read -r jpath; do
- echo -n ".$jpath = "
- yq4 -oj ".$jpath" "${merged_config}"
+ if [[ $jpath != "(root)" ]]; then
+ echo -n ".$jpath = "
+ yq4 -oj ".$jpath" "${merged_config}"
+ fi
done
maybe_exit="true"
fi
-
- if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
- ask_abort
- fi
}
template_file=$(mktemp --suffix="-tpl.yaml")
append_trap "rm ${template_file}" EXIT
+ maybe_exit="false"
if [[ $1 == "sc" ]]; then
check_config "${config_template_path}/common-config.yaml" \
"${config_template_path}/sc-config.yaml" \
@@ -397,10 +420,7 @@ validate_config() {
yq_merge "${config_template_path}/common-config.yaml" \
"${config_template_path}/sc-config.yaml" \
> "${template_file}"
- validate "${config[config_file_sc]}" "${template_file}"
- schema_validate "${config[config_file_sc]}" "${config_template_path}/schemas/config.yaml"
- validate "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
- schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
+ config_to_validate="${config[config_file_sc]}"
elif [[ $1 == "wc" ]]; then
check_config "${config_template_path}/common-config.yaml" \
"${config_template_path}/wc-config.yaml" \
@@ -408,14 +428,22 @@ validate_config() {
yq_merge "${config_template_path}/common-config.yaml" \
"${config_template_path}/wc-config.yaml" \
> "${template_file}"
- validate "${config[config_file_wc]}" "${template_file}"
- schema_validate "${config[config_file_wc]}" "${config_template_path}/schemas/config.yaml"
- validate "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
- schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
+ config_to_validate="${config[config_file_wc]}"
else
log_error "ERROR: usage validate_config "
exit 1
fi
+
+ check_conditionals "${config_to_validate}" "${template_file}"
+ validate "${config_to_validate}" "${template_file}"
+ schema_validate "${config_to_validate}" "${config_template_path}/schemas/config.yaml"
+ check_conditionals "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
+ validate "${secrets[secrets_file]}" "${config_template_path}/secrets.yaml"
+ schema_validate "${secrets[secrets_file]}" "${config_template_path}/schemas/secrets.yaml"
+
+ if ${maybe_exit} && ! ${CK8S_AUTO_APPROVE}; then
+ ask_abort
+ fi
}
validate_sops_config() {
diff --git a/bin/init.bash b/bin/init.bash
index 410e7b5a4c..676636a258 100755
--- a/bin/init.bash
+++ b/bin/init.bash
@@ -86,18 +86,6 @@ generate_sops_config() {
sops_config_write_fingerprints "${fingerprint}"
}
-# Only writes value if it is set to "set-me*"
-# Usage: replace_set_me
-replace_set_me(){
- if [[ $# -ne 3 ]]; then
- log_error "ERROR: number of args in replace_set_me must be 3. #=[$#]"
- exit 1
- fi
- if [[ $(yq4 "${2}" "${1}") =~ ^set-me.* ]]; then
- yq4 --inplace "${2} = ${3}" "${1}"
- fi
-}
-
# Usage: generate_default_config
generate_default_config() {
if [[ $# -ne 1 ]]; then
diff --git a/config/common-config.yaml b/config/common-config.yaml
index f089b7fe3e..f81f5de863 100644
--- a/config/common-config.yaml
+++ b/config/common-config.yaml
@@ -583,11 +583,11 @@ ingressNginx:
## Type of service.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
- type: set-me
+ type: set-me-if-(.ingressNginx.controller.service.enabled)
## Annotations to add to service
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- annotations: set-me
+ annotations: set-me-if-(.ingressNginx.controller.service.enabled)
## Enable node port allocation
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
@@ -670,7 +670,7 @@ issuers:
enabled: true
prod:
## Mail through which letsencrypt can contact you.
- email: set-me
+ email: set-me-if-(.issuers.letsencrypt.enabled)
## Solvers, sets a default http01 when empty.
solvers: []
# - selector:
@@ -687,7 +687,7 @@ issuers:
# key: secretKey
staging:
## Mail through which letsencrypt can contact you.
- email: set-me
+ email: set-me-if-(.issuers.letsencrypt.enabled)
## Solvers, sets a default http01 when empty.
solvers: []
@@ -1024,14 +1024,14 @@ networkPolicies:
ingressUsingHostNetwork: set-me
trivy:
ips:
- - set-me
+ - set-me-if-(.trivy.enabled)
port: 443
kured:
enabled: true
notificationSlack:
ips:
- - set-me-if-kured.notification.slack.enabled
+ - set-me-if-(.kured.enabled and .kured.notification.slack.enabled)
ports:
- 443
@@ -1043,7 +1043,7 @@ networkPolicies:
# letsencrypt ip addresses
letsencrypt:
ips:
- - set-me
+ - set-me-if-(.networkPolicies.certManager.enabled)
# Configure this if DNS-01 challenges are enabled in cert-manager
dns01:
ips: []
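Review bot: The new `set-me-if-(...)` markers carry a yq expression that `check_conditionals` in bin/common.bash evaluates verbatim, but nothing in this template explains the syntax, so a typo in a path (which yq evaluates to `null`, never `true`) silently disables the check for that key. Add a comment at the first use in this file, e.g. `## set-me-if-(<expr>): must be set when the yq expression <expr> evaluates to true against this config; a path that does not exist evaluates to null and the check is skipped`. The same documentation gap applies to the other markers in this file and to those added in config/sc-config.yaml.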
@@ -1053,20 +1053,20 @@ networkPolicies:
ingressOverride:
enabled: set-me
ips:
- - set-me-if-enabled
+ - set-me-if-(.networkPolicies.ingressNginx.ingressOverride.enabled)
falco:
enabled: true
plugins:
ips:
- - set-me
+ - set-me-if-(.falco.enabled and .networkPolicies.falco.enabled)
ports:
- 443
externalDns:
enabled: false
ips:
- - set-me-if-externalDns.enabled
+ - set-me-if-(.externalDns.enabled and .networkPolicies.externalDns.enabled)
ports:
- 443
@@ -1091,9 +1091,10 @@ networkPolicies:
enabled: true
externalDns:
ips:
- - set-me
+ - set-me-if-(.networkPolicies.coredns.enabled)
serviceIp:
- ips: set-me
+ ips:
+ - set-me-if-(.networkPolicies.coredns.enabled)
dnsAutoscaler:
enabled: true
@@ -1131,7 +1132,7 @@ externalDns:
# Example: https://kubernetes-sigs.github.io/external-dns/v0.14.1/tutorials/aws/
enabled: false
provider: aws
- txtOwnerId: set-me-if-externalDns.enabled
+ txtOwnerId: set-me-if-(.externalDns.enabled)
sources:
crd: false
ingress: true
diff --git a/config/flavors/prod/sc-config.yaml b/config/flavors/prod/sc-config.yaml
index 45d6d7762e..c40306bd7f 100644
--- a/config/flavors/prod/sc-config.yaml
+++ b/config/flavors/prod/sc-config.yaml
@@ -5,7 +5,6 @@ alerts:
alertTo: opsgenie
opsGenieHeartbeat:
enabled: true
- name: set-me
prometheus:
retention:
diff --git a/config/providers/baremetal/common-config.yaml b/config/providers/baremetal/common-config.yaml
index c0b0d14187..7554056677 100644
--- a/config/providers/baremetal/common-config.yaml
+++ b/config/providers/baremetal/common-config.yaml
@@ -9,8 +9,6 @@ ingressNginx:
useHostPort: true
service:
enabled: false
- type: set-me-if-ingressNginx.controller.service.enabled
- annotations: set-me-if-ingressNginx.controller.service.enabled
allocateLoadBalancerNodePorts: true
networkPolicies:
global:
diff --git a/config/providers/exoscale/common-config.yaml b/config/providers/exoscale/common-config.yaml
index 6565417636..4d95018c1f 100644
--- a/config/providers/exoscale/common-config.yaml
+++ b/config/providers/exoscale/common-config.yaml
@@ -14,8 +14,6 @@ ingressNginx:
service:
enabled: false
allocateLoadBalancerNodePorts: true
- type: set-me-if-ingressNginx.controller.service.enabled
- annotations: set-me-if-ingressNginx.controller.service.enabled
networkPolicies:
global:
externalLoadBalancer: true
diff --git a/config/providers/safespring/common-config.yaml b/config/providers/safespring/common-config.yaml
index 2bbed1ad0c..ed27a6ad2f 100644
--- a/config/providers/safespring/common-config.yaml
+++ b/config/providers/safespring/common-config.yaml
@@ -36,8 +36,6 @@ ingressNginx:
service:
enabled: false
allocateLoadBalancerNodePorts: true
- type: set-me-if-ingressNginx.controller.service.enabled
- annotations: set-me-if-ingressNginx.controller.service.enabled
externalTrafficPolicy:
local: false
opa:
diff --git a/config/providers/upcloud/common-config.yaml b/config/providers/upcloud/common-config.yaml
index 260ff13eb5..4a4216baa2 100644
--- a/config/providers/upcloud/common-config.yaml
+++ b/config/providers/upcloud/common-config.yaml
@@ -32,8 +32,6 @@ ingressNginx:
service:
enabled: false
allocateLoadBalancerNodePorts: true
- type: set-me-if-ingressNginx.controller.service.enabled
- annotations: set-me-if-ingressNginx.controller.service.enabled
externalTrafficPolicy:
local: false
opa:
diff --git a/config/sc-config.yaml b/config/sc-config.yaml
index d4acc9cd53..c11fada75a 100644
--- a/config/sc-config.yaml
+++ b/config/sc-config.yaml
@@ -1097,9 +1097,9 @@ alerts:
opsGenieHeartbeat:
enabled: false
url: https://api.eu.opsgenie.com/v2/heartbeats
- name: set-me-if-enabled
+ name: set-me-if-(.alerts.opsGenieHeartbeat.enabled)
slack:
- channel: set-me-if-enabled
+ channel: set-me-if-(.alerts.alertTo == "slack")
# Alertmanager templating: https://prometheus.io/docs/alerting/notifications/
customTemplate: {}
## Example:
@@ -1182,7 +1182,7 @@ networkPolicies:
global:
objectStorageSwift:
ips:
- - "set-me-if-enabled"
+ - set-me-if-(.harbor.persistence.type == "swift" or .thanos.objectStorage.type == "swift")
ports:
- 5000
scApiserver:
@@ -1199,12 +1199,12 @@ networkPolicies:
# For replication, added to core and jobservice
registries:
ips:
- - "set-me"
+ - set-me-if-(.harbor.enabled and .networkPolicies.harbor.enabled)
ports:
- 443
jobservice:
ips:
- - "set-me"
+ - set-me-if-(.harbor.enabled and .networkPolicies.harbor.enabled)
ports:
- 443
database:
@@ -1244,7 +1244,7 @@ networkPolicies:
trivy:
# IP to trivy vulnerability database
ips:
- - "set-me"
+ - set-me-if-(.harbor.enabled and .networkPolicies.harbor.enabled)
ports:
- 443
monitoring:
@@ -1254,9 +1254,9 @@ networkPolicies:
externalDataSources:
enabled: false
ips:
- - "set-me-if-externalDataSources.enabled"
+ - set-me-if-(.networkPolicies.monitoring.enabled and .networkPolicies.monitoring.grafana.externalDataSources.enabled)
ports:
- - "set-me-if-externalDataSources.enabled"
+ - set-me-if-(.networkPolicies.monitoring.enabled and .networkPolicies.monitoring.grafana.externalDataSources.enabled)
# loading dashboards from grafana website
externalDashboardProvider:
ips:
@@ -1270,7 +1270,7 @@ networkPolicies:
enabled: true
plugins:
ips:
- - "set-me"
+ - set-me-if-(.networkPolicies.opensearch.enabled)
ports:
- 443
@@ -1283,20 +1283,19 @@ networkPolicies:
sync:
objectStorage:
ips:
- - set-me-if-objectStorage.sync.enabled
+ - set-me-if-(.objectStorage.sync.enabled and .objectStorage.type == "s3")
ports:
- 443
objectStorageSwift:
ips:
- - set-me-if-objectStorage.sync.enabled-and-any-target-use-swift-as-destination
+ - set-me-if-(.objectStorage.sync.enabled and (.harbor.persistence.type == "swift" or .thanos.objectStorage.type == "swift"))
ports:
- 5000
secondaryUrl:
ips:
- - set-me-if-objectStorage.sync.secondaryUrl-has-an-url
+ - set-me-if-(.objectStorage.sync.secondaryUrl != null and .objectStorage.sync.secondaryUrl != "")
ports:
- 443
-
s3Exporter:
enabled: true
@@ -1313,7 +1312,7 @@ networkPolicies:
# Ip to connector, e.g. Google, LDAP, ...
connectors:
ips:
- - "set-me"
+ - set-me-if-(.networkPolicies.dex.enabled)
ports:
- 443
diff --git a/config/schemas/config.yaml b/config/schemas/config.yaml
index c281a56115..20592756db 100644
--- a/config/schemas/config.yaml
+++ b/config/schemas/config.yaml
@@ -208,7 +208,7 @@ $defs:
List of IP netmasks
items:
type: string
- regex: ^[0-9a-f.:]{2,45}/[0-9]{1,3}$
+ pattern: ^[0-9a-f.:]{2,45}/[0-9]{1,3}$
description: A IP address with netmask
examples:
- 0.0.0.0/0
@@ -835,6 +835,265 @@ $defs:
type: object
required:
- global
+allOf:
+- if:
+ properties:
+ trivy:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ global:
+ properties:
+ trivy:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ kured:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ notification:
+ properties:
+ slack:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ kured:
+ properties:
+ notificationSlack:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ falco:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ networkPolicies:
+ properties:
+ falco:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ falco:
+ properties:
+ plugins:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ externalDns:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ networkPolicies:
+ properties:
+ externalDns:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ externalDns:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ harbor:
+ properties:
+ persistence:
+ properties:
+ type:
+ type: string
+ const: swift
+ thanos:
+ properties:
+ objectStorage:
+ properties:
+ type:
+ type: string
+ const: swift
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ global:
+ properties:
+ objectStorageSwift:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ harbor:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ networkPolicies:
+ properties:
+ harbor:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ harbor:
+ properties:
+ registries:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+ jobservice:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+ trivy:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ objectStorage:
+ properties:
+ sync:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ type:
+ type: string
+ const: s3
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ rclone:
+ properties:
+ sync:
+ properties:
+ objectStorage:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ objectStorage:
+ properties:
+ sync:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ anyOf:
+ - properties:
+ harbor:
+ properties:
+ persistence:
+ properties:
+ type:
+ type: string
+ const: swift
+ - properties:
+ thanos:
+ properties:
+ objectStorage:
+ properties:
+ type:
+ type: string
+ const: swift
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ rclone:
+ properties:
+ sync:
+ properties:
+ objectStorageSwift:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ objectStorage:
+ properties:
+ sync:
+ properties:
+ secondaryUrl:
+ type: string
+ format: uri
+ not:
+ properties:
+ objectStorage:
+ properties:
+ sync:
+ properties:
+ secondaryUrl:
+ const: ""
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ rclone:
+ properties:
+ sync:
+ properties:
+ secondaryUrl:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+- if:
+ properties:
+ networkPolicies:
+ properties:
+ ingressNginx:
+ properties:
+ ingressOverride:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ networkPolicies:
+ properties:
+ ingressNginx:
+ properties:
+ ingressOverride:
+ properties:
+ ips:
+ title: Network Policies Ingress Override IPs
+ $ref: '#/$defs/iplist'
properties:
global:
title: Global options
@@ -1993,6 +2252,10 @@ properties:
- gcs
- s3
- swift
+ secondaryUrl:
+ title: Rclone Sync Secondary URL
+ type: string
+ format: uri
azure:
$ref: '#/properties/objectStorage/properties/azure'
s3:
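Review bot: The fifth `allOf` entry (harbor persistence `swift` / thanos objectStorage `swift`) puts both constraints as sibling `properties` inside one `if`, which JSON Schema evaluates as a conjunction, whereas the marker it is meant to enforce in config/sc-config.yaml is `.harbor.persistence.type == "swift" or .thanos.objectStorage.type == "swift"`; with only one of the two set to swift the `if` fails and `networkPolicies.global.objectStorageSwift.ips` is never checked. The `anyOf` shape already used by the rclone `objectStorageSwift` entry below expresses the intended disjunction. Separately, an `if` that only says `properties: … const: true` is satisfied when that key is absent, so `then` would be enforced on a config that omits the key; if user configs can omit these keys, add `required:` at each level of the `if` (the `if` blocks added to `alerts`, `opsGenieHeartbeat` and the per-section network-policy rules in later hunks have the same property).
```yaml
- if:
    anyOf:
      - properties:
          harbor:
            properties:
              persistence:
                properties:
                  type:
                    type: string
                    const: swift
      - properties:
          thanos:
            properties:
              objectStorage:
                properties:
                  type:
                    type: string
                    const: swift
  then:
    # … unchanged: networkPolicies.global.objectStorageSwift.ips $ref …
```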
@@ -3259,6 +3522,18 @@ properties:
description: Configure alerting.
type: object
additionalProperties: false
+ if:
+ properties:
+ alertTo:
+ type: string
+ const: slack
+ then:
+ properties:
+ slack:
+ properties:
+ channel:
+ title: Slack Channel
+ type: string
properties:
alertTo:
title: Alert To
@@ -3282,39 +3557,40 @@ properties:
description: Configure heartbeats to OpsGenie.
type: object
additionalProperties: false
- properties:
- enabled:
- title: OpsGenie Heartbeat Enabled
- type: boolean
- default: false
- name:
- title: OpsGenie Heartbeat Name
- type: string
- url:
- title: OpsGenie Heartbeat URL
- type: string
- format: uri
- default: https://api.eu.opsgenie.com/v2/heartbeats
- required:
- - enabled
if:
properties:
enabled:
- title: OpsGenie Heartbeat Enabled
+ type: boolean
const: true
then:
required:
- name
- url
+ properties:
+ name:
+ title: OpsGenie Heartbeat Name
+ type: string
+ url:
+ title: OpsGenie Heartbeat URL
+ type: string
+ format: uri
+ default: https://api.eu.opsgenie.com/v2/heartbeats
+ properties:
+ enabled:
+ title: OpsGenie Heartbeat Enabled
+ type: boolean
+ default: false
+ name: true
+ url: true
+ required:
+ - enabled
slack:
title: Alert Slack Config
description: Configure alerting to Slack.
type: object
additionalProperties: false
properties:
- channel:
- title: Slack Channel
- type: string
+ channel: true
customTemplate:
title: Slack Custom Template
type: object
@@ -5571,6 +5847,23 @@ properties:
description: Configure issuers for cert-manager using Let's Encrypt.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ prod:
+ properties:
+ email:
+ title: Issuer Email
+ type: string
+ staging:
+ properties:
+ email:
+ title: Issuer Email
+ type: string
properties:
enabled:
title: Let's Encrypt Enabled
@@ -5582,9 +5875,7 @@ properties:
type: object
additionalProperties: false
properties:
- email:
- title: Issuer Email
- type: string
+ email: true
solvers:
title: Issuer Solver
type: array
@@ -5594,9 +5885,7 @@ properties:
type: object
additionalProperties: false
properties:
- email:
- title: Issuer Email
- type: string
+ email: true
solvers:
title: Issuer Solver
type: array
@@ -5666,8 +5955,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -5767,8 +6055,7 @@ properties:
Used for Trivy to fetch vulnerability databases both in Harbor and Trivy Operator.
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
port:
$ref: '#/$defs/port'
default: 443
@@ -5801,17 +6088,23 @@ properties:
title: Network Policies Ingress Override Enabled
type: boolean
default: false
- ips:
- title: Network Policies Ingress Override IPs
- oneOf:
- - $ref: '#/$defs/iplist'
- - type: string
- const: set-me-if-enabled
+ ips: true
certManager:
title: Network Policies cert-manager
description: Configure cert-manager network policy rules.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ letsencrypt:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
properties:
enabled:
title: Network Policies cert-manager Enabled
@@ -5827,8 +6120,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
dns01:
title: Network Policies cert-manager DNS-01
description: Configure network policy rule to allow cert-manager perform DNS-01 challenges.
@@ -5852,12 +6144,32 @@ properties:
- opensearch-system
- thanos
externalDns:
- $ref: '#/$defs/netpolRule'
+ title: Network Policies ExternalDNS
+ description: Configure ExternalDNS [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) rules.
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ ips: true
+ ports:
+ $ref: '#/$defs/portlist'
+ type: object
dex:
title: Network Policies Dex
description: Configure Dex network policy rules.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ connectors:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
properties:
enabled:
title: Network Policies Dex Enabled
@@ -5869,8 +6181,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -5957,8 +6268,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -5969,8 +6279,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -5981,8 +6290,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -6015,6 +6323,17 @@ properties:
description: Configure OpenSearch network policy rules.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ plugins:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
properties:
enabled:
title: Network Policies OpenSearch Enabled
@@ -6026,8 +6345,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
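Review bot: The inline `externalDns` rule that replaces `$ref: '#/$defs/netpolRule'` (first hunk here) documents `enabled` with only `type: boolean`, while every neighbouring network-policy section gives its `enabled` a title; add `title: Network Policies ExternalDNS Enabled` under it so the generated reference stays uniform. If `netpolRule` is not referenced anywhere else after this change, its definition in `$defs` can go too, which this hunk does not show.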
@@ -6037,6 +6355,30 @@ properties:
description: Configure monitoring network policy rules.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ grafana:
+ properties:
+ externalDataSources:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ grafana:
+ properties:
+ externalDataSources:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+ ports:
+ $ref: '#/$defs/portlist'
+ default:
+ - 443
properties:
enabled:
title: Network Policies Monitoring Enabled
@@ -6061,29 +6403,16 @@ properties:
default:
- 443
externalDataSources:
- if:
- title: Grafana External Datasources
- description: Configure network policy rules to allow Grafana to use external datasources.
- type: object
- properties:
- enabled:
- title: Grafana External Datasources Enabled
- type: boolean
- default: false
- const: true
- then:
- title: Grafana External Datasources
- description: Configure network policy rules to allow Grafana to use external datasources.
- type: object
- properties:
- enabled:
- title: Grafana External Datasources Enabled
- default: false
- type: boolean
- ips:
- $ref: '#/$defs/iplist'
- ports:
- $ref: '#/$defs/portlist'
+ title: Grafana External Datasources
+ description: Configure network policy rules to allow Grafana to use external datasources.
+ type: object
+ properties:
+ enabled:
+ title: Grafana External Datasources Enabled
+ default: false
+ type: boolean
+ ips: true
+ ports: true
alertmanager:
title: Network Policies Alertmanager
description: Configure Alertmanager network policy rules.
@@ -6158,8 +6487,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -6180,8 +6508,7 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
ports:
$ref: '#/$defs/portlist'
default:
@@ -6194,6 +6521,42 @@ properties:
enabled:
title: Network Policies Rclone Enabled
type: boolean
+ sync:
+ title: Network Policies Rclone Sync
+ description: Configure network policy rules to allow rclone to sync.
+ type: object
+ additionalProperties: false
+ properties:
+ objectStorage:
+ title: Network Policies Rclone Sync Object Storage
+ description: Configure network policy rules to allow rclone to sync object storage.
+ type: object
+ properties:
+ ips: true
+ ports:
+ $ref: '#/$defs/portlist'
+ default:
+ - 443
+ objectStorageSwift:
+ title: Network Policies Rclone Sync Object Storage
+ description: Configure network policy rules to allow rclone to sync object storage with Swift.
+ type: object
+ properties:
+ ips: true
+ ports:
+ $ref: '#/$defs/portlist'
+ default:
+ - 5000
+ secondaryUrl:
+ title: Network Policies Rclone Sync Object Storage
+ description: Configure network policy rules to allow rclone to sync with a secondary URL.
+ type: object
+ properties:
+ ips: true
+ ports:
+ $ref: '#/$defs/portlist'
+ default:
+ - 443
velero:
title: Network Policies Velero
description: Configure Velero network policy rules.
@@ -6253,6 +6616,21 @@ properties:
description: Configure CoreDNS network policy rules.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ externalDns:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
+ serviceIp:
+ properties:
+ ips:
+ $ref: '#/$defs/iplist'
properties:
enabled:
title: Network Policies CoreDNS
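Review bot: Under the new `sync` object, `objectStorageSwift` and `secondaryUrl` carry the title `Network Policies Rclone Sync Object Storage` copied from `objectStorage`, so the generated reference will show three identical headings for three different rules; use `title: Network Policies Rclone Sync Object Storage Swift` and `title: Network Policies Rclone Sync Secondary URL`. The three sub-objects also omit the `additionalProperties: false` that their parent `sync` and the other network-policy rules declare, so a misspelled key such as `ip:` would pass schema validation silently.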
@@ -6264,16 +6642,14 @@ properties:
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
serviceIp:
title: Network Policies CoreDNS Service IP
description: Configure network policy rule to allow CoreDNS to query the internal service IP.
type: object
additionalProperties: false
properties:
- ips:
- $ref: '#/$defs/iplist'
+ ips: true
rookCeph:
title: Network Policies Rook Ceph
description: Configure Rook Ceph network policy rules.
@@ -6345,6 +6721,16 @@ properties:
> See [the upstream documentation](https://kubernetes-sigs.github.io/external-dns/) for reference.
type: object
additionalProperties: false
+ if:
+ properties:
+ enabled:
+ type: boolean
+ const: true
+ then:
+ properties:
+ txtOwnerId:
+ title: External DNS TXT Owner ID
+ type: string
properties:
enabled:
title: External DNS Enabled
@@ -6379,11 +6765,7 @@ properties:
items:
title: External DNS Domain
type: string
- txtOwnerId:
- title: External DNS TXT Owner ID
- type: string
- examples:
- - set-me-if-externalDns.enabled
+ txtOwnerId: true
txtPrefix:
title: External DNS TXT Prefix
type: string
diff --git a/scripts/migration/lib.sh b/scripts/migration/lib.sh
index 465e84f116..a53a3389bd 100644
--- a/scripts/migration/lib.sh
+++ b/scripts/migration/lib.sh
@@ -113,6 +113,7 @@ config_validate() {
defaults="$(yq_merge "${CK8S_CONFIG_PATH}/defaults/common-config.yaml" "${CK8S_CONFIG_PATH}/defaults/${1}-config.yaml")"
setmes="$(yq_paths "set-me" <<< "${defaults}")"
+ conditional_setmes="$(yq_paths "set-me-if-*" <<< "${defaults}")"
for setme in ${setmes}; do
compare=$(diff <(yq4 -oj "${setme}" <<< "${defaults}") <(yq4 -oj "${setme}" <<< "${CONFIG["${1}"]}") || true)
@@ -122,6 +123,17 @@ config_validate() {
fi
done
+ for condsetme in ${conditional_setmes}; do
+ required_condition=$(yq4 "${condsetme}" <<< "${defaults}" | sed -rn 's/set-me-if-(.*)/\1/p' | yq4 "[.] | flatten | .[0]")
+ if [[ $(yq4 "${required_condition}" <<< "${CONFIG["${1}"]}") == "true" ]]; then
+ compare=$(diff <(yq4 -oj "${condsetme}" <<< "${defaults}") <(yq4 -oj "${condsetme}" <<< "${CONFIG["${1}"]}") || true)
+ if [[ -z "${compare}" ]]; then
+ log_error "error: \"${condsetme//\"/}\" is unset in ${1}-config"
+ pass="false"
+ fi
+ fi
+ done
+
sync_enabled=$(yq4 '.objectStorage.sync.enabled' <<< "${CONFIG["${1}"]}")
sync_default_enabled=$(yq4 '.objectStorage.sync.syncDefaultBuckets' <<< "${CONFIG["${1}"]}")
if [[ "${1}" = "sc" ]] && [[ "${sync_enabled}" = "true" ]] && [[ "${sync_default_enabled}" = "true" ]]; then
diff --git a/tests/common/lib/env.bash b/tests/common/lib/env.bash
index d352a94b15..4a2f8b1323 100644
--- a/tests/common/lib/env.bash
+++ b/tests/common/lib/env.bash
@@ -43,6 +43,10 @@ env.init() {
yq_set 'secrets' '["objectStorage"]["swift"]["username"]' '"example-username"'
yq_set 'secrets' '["objectStorage"]["swift"]["password"]' '"example-password"'
fi
+
+ if [[ "$(yq_dig sc .harbor.persistence.type)" == "swift" || "$(yq_dig sc .thanos.objectStorage.type)" == "swift" ]]; then
+ yq_set 'sc' '.networkPolicies.global.objectStorageSwift.ips' '["0.0.0.0/0"]'
+ fi
fi
yq_set 'common' '.clusterAdmin.users' '["admin@example.com"]'
@@ -58,6 +62,8 @@ env.init() {
yq_set 'sc' '.opensearch.extraRoleMappings' '[]'
+ yq_set 'sc' '.alerts.opsGenieHeartbeat.name' '"example"'
+
if ! [[ "$*" =~ --skip-network-policies ]]; then
yq_set 'common' '.networkPolicies.global.objectStorage.ips' '["0.0.0.0/0"]'
yq_set 'common' '.networkPolicies.global.objectStorage.ports' '[443]'
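Review bot: The `for condsetme` loop extracts the condition with an unanchored `sed -rn 's/set-me-if-(.*)/\1/p'` applied to the raw `yq4` output and only then flattens with `yq4 "[.] | flatten | .[0]"`, so for list-valued keys it depends on the `- ` list prefix surviving sed and being re-parsed as YAML; `check_conditionals` in bin/common.bash does the same extraction in the opposite order with an anchored `^set-me-if-(.*)`. Using one order in both places, e.g. `required_condition=$(yq4 "${condsetme}" <<< "${defaults}" | yq4 "[.] | flatten | .[0]" | sed -rn 's/^set-me-if-(.*)/\1/p')`, or a shared helper, keeps the migration check and the validate command from drifting apart. A marker whose tail is not a valid yq expression makes `yq4` print an error and the comparison is skipped without `pass` being cleared, which is probably not what a migration check wants; treating a failed `yq4` here as an error would surface it. `config_validate` continues outside this hunk.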
@@ -89,6 +95,10 @@ env.init() {
yq_set 'sc' '.networkPolicies.monitoring.grafana.externalDashboardProvider.ips' '["0.0.0.0/0"]'
yq_set 'sc' '.networkPolicies.opensearch.plugins.ips' '["0.0.0.0/0"]'
+
+ if [[ "$(yq_dig sc .networkPolicies.kubeSystem.openstack.enabled)" == "true" ]]; then
+ yq_set 'common' '.networkPolicies.kubeSystem.openstack.ips' '["0.0.0.0/0"]'
+ fi
fi
yq_set 'wc' '.opa.imageRegistry.URL' '["harbor.ck8s.example.com"]'
diff --git a/tests/unit/bin/conditional-set-me/main.bats b/tests/unit/bin/conditional-set-me/main.bats
new file mode 100644
index 0000000000..d12b4090f1
--- /dev/null
+++ b/tests/unit/bin/conditional-set-me/main.bats
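Review bot: The new guard reads `.networkPolicies.kubeSystem.openstack.enabled` from the `sc` config but writes `.networkPolicies.kubeSystem.openstack.ips` into `common`, so whether the fixture is consistent depends on `sc` inheriting that flag from `common` and `wc` needing the same IPs, neither of which this hunk shows. If the flag can differ per cluster, dig and set on the same file; otherwise a one-line comment above the `if`, e.g. `# flag lives in common and is visible through either cluster's merged config`, would stop the next reader from flagging it.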
@@ -0,0 +1,439 @@
+#!/usr/bin/env bats
+
+# bats file_tags=static,general,bin:conditional_set_me
+
+setup_file() {
+ load "../../../common/lib"
+ load "../../../common/lib/env"
+ load "../../../common/lib/gpg"
+
+ env.setup
+ gpg.setup
+
+ common_setup
+
+ export CK8S_FLAVOR=dev
+ export CK8S_CLOUD_PROVIDER=baremetal
+ ck8s init both
+}
+
+teardown_file() {
+ env.teardown
+ gpg.teardown
+}
+
+setup() {
+ load "../../../common/lib"
+ load "../../../common/lib/env"
+
+ common_setup
+
+ env.private
+}
+
+_apply_normalise_sc() {
+ CK8S_AUTO_APPROVE=true ck8s validate sc 2>&1 | sed "s#${CK8S_CONFIG_PATH}#/tmp/ck8s-apps-config#g"
+}
+
+_apply_normalise_wc() {
+ CK8S_AUTO_APPROVE=true ck8s validate wc 2>&1 | sed "s#${CK8S_CONFIG_PATH}#/tmp/ck8s-apps-config#g"
+}
+
+_assert_condition_and_warn() {
+ assert_output --partial "Set-me condition matched for ${1}"
+ assert_output --partial "WARN: ${1} is not set in config"
+}
+
+_refute_condition_and_warn() {
+ refute_output --partial "Set-me condition matched for ${1}"
+ refute_output --partial "WARN: ${1} is not set in config"
+}
+
+# bats test_tags=conditional_set_me_ingress_nginx
+@test "conditional-set-me - singular conditions: ingressNginx" {
+
+ yq_set common .ingressNginx.controller.service.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"type\"
+ _assert_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"annotations\"
+ run _apply_normalise_wc
+ _assert_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"type\"
+ _assert_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"annotations\"
+
+ yq_set common .ingressNginx.controller.service.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"type\"
+ _refute_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"annotations\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"type\"
+ _refute_condition_and_warn .\"ingressNginx\".\"controller\".\"service\".\"annotations\"
+}
+
+# bats test_tags=conditional_set_me_letsencrypt
+@test "conditional-set-me - singular conditions: letsencrypt" {
+
+ yq_set common .issuers.letsencrypt.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"issuers\".\"letsencrypt\".\"prod\".\"email\"
+ _assert_condition_and_warn .\"issuers\".\"letsencrypt\".\"staging\".\"email\"
+ run _apply_normalise_wc
+ _assert_condition_and_warn .\"issuers\".\"letsencrypt\".\"prod\".\"email\"
+ _assert_condition_and_warn .\"issuers\".\"letsencrypt\".\"staging\".\"email\"
+
+ yq_set common .issuers.letsencrypt.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"issuers\".\"letsencrypt\".\"prod\".\"email\"
+ _refute_condition_and_warn .\"issuers\".\"letsencrypt\".\"staging\".\"email\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"issuers\".\"letsencrypt\".\"prod\".\"email\"
+ _refute_condition_and_warn .\"issuers\".\"letsencrypt\".\"staging\".\"email\"
+}
+
+# bats test_tags=conditional_set_me_opsgenie_alerts
+@test "conditional-set-me - singular conditions: opsgenie alerts" {
+
+ yq_set common .alerts.opsGenieHeartbeat.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"alerts\".\"opsGenieHeartbeat\".\"name\"
+
+ yq_set common .alerts.opsGenieHeartbeat.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"alerts\".\"opsGenieHeartbeat\".\"name\"
+}
+
+# bats test_tags=conditional_set_me_slack_alerts
+@test "conditional-set-me - singular conditions: slack alerts" {
+
+ yq_set common .alerts.alertTo \"slack\"
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"alerts\".\"slack\".\"channel\"
+
+ yq_set common .alerts.alertTo \"\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"alerts\".\"slack\".\"channel\"
+}
+
+# bats test_tags=conditional_set_me_netpol_singular_sc
+@test "conditional-set-me - singular conditions: network policies sc" {
+
+ yq_set common .trivy.enabled 'true'
+ yq_set common .networkPolicies.certManager.enabled 'true'
+ yq_set common .networkPolicies.coredns.enabled 'true'
+ yq_set sc .networkPolicies.opensearch.enabled 'true'
+ yq_set sc .objectStorage.sync.secondaryUrl \"example.com\"
+ yq_set sc .networkPolicies.ingressNginx.ingressOverride.enabled 'true'
+ yq_set sc .networkPolicies.dex.enabled 'true'
+
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"global\".\"trivy\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"certManager\".\"letsencrypt\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"opensearch\".\"plugins\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"secondaryUrl\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"dex\".\"connectors\".\"ips\"
+
+ yq_set common .trivy.enabled 'false'
+ yq_set common .networkPolicies.certManager.enabled 'false'
+ yq_set common .networkPolicies.coredns.enabled 'false'
+ yq_set sc .networkPolicies.opensearch.enabled 'false'
+ yq_set sc .objectStorage.sync.secondaryUrl \"\"
+ yq_set sc .networkPolicies.ingressNginx.ingressOverride.enabled 'false'
+ yq_set sc .networkPolicies.dex.enabled 'false'
+
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"global\".\"trivy\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"certManager\".\"letsencrypt\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"opensearch\".\"plugins\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"secondaryUrl\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"dex\".\"connectors\".\"ips\"
+
+}
+
+# bats test_tags=conditional_set_me_netpol_singular_wc
+@test "conditional-set-me - singular conditions: network policies wc" {
+
+ yq_set common .trivy.enabled 'true'
+ yq_set common .networkPolicies.certManager.enabled 'true'
+ yq_set common .networkPolicies.coredns.enabled 'true'
+ yq_set wc .networkPolicies.ingressNginx.ingressOverride.enabled 'true'
+
+ run _apply_normalise_wc
+ _assert_condition_and_warn .\"networkPolicies\".\"global\".\"trivy\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"certManager\".\"letsencrypt\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
+
+ yq_set common .trivy.enabled 'false'
+ yq_set common .networkPolicies.certManager.enabled 'false'
+ yq_set common .networkPolicies.coredns.enabled 'false'
+ yq_set wc .networkPolicies.ingressNginx.ingressOverride.enabled 'false'
+
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"global\".\"trivy\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"certManager\".\"letsencrypt\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"coredns\".\"externalDns\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"ingressNginx\".\"ingressOverride\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_kured
+@test "conditional-set-me - multiple conditions: network policies kured" {
+
+ yq_set common .kured.enabled 'true'
+ yq_set common .kured.notification.slack.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+ run _apply_normalise_wc
+ _assert_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+
+ yq_set common .kured.enabled 'true'
+ yq_set common .kured.notification.slack.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+
+ yq_set common .kured.enabled 'false'
+ yq_set common .kured.notification.slack.enabled 'true'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+
+ yq_set common .kured.enabled 'false'
+ yq_set common .kured.notification.slack.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"kured\".\"notificationSlack\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_falco
+@test "conditional-set-me - multiple conditions: network policies falco" {
+
+ yq_set common .falco.enabled 'true'
+ yq_set common .networkPolicies.falco.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+ run _apply_normalise_wc
+ _assert_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+
+ yq_set common .falco.enabled 'true'
+ yq_set common .networkPolicies.falco.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+
+ yq_set common .falco.enabled 'false'
+ yq_set common .networkPolicies.falco.enabled 'true'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+
+ yq_set common .falco.enabled 'false'
+ yq_set common .networkPolicies.falco.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"falco\".\"plugins\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_externaldns
+@test "conditional-set-me - multiple conditions: network policies externalDns" {
+
+ yq_set common .externalDns.enabled 'true'
+ yq_set common .networkPolicies.externalDns.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+ run _apply_normalise_wc
+ _assert_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+
+ yq_set common .externalDns.enabled 'true'
+ yq_set common .networkPolicies.externalDns.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+
+ yq_set common .externalDns.enabled 'false'
+ yq_set common .networkPolicies.externalDns.enabled 'true'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+
+ yq_set common .externalDns.enabled 'false'
+ yq_set common .networkPolicies.externalDns.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+ run _apply_normalise_wc
+ _refute_condition_and_warn .\"networkPolicies\".\"externalDns\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_object_storage_swift
+@test "conditional-set-me - multiple conditions: network policies swift" {
+
+ yq_set sc .harbor.persistence.type \"swift\"
+ yq_set sc .thanos.objectStorage.type \"swift\"
+
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"global\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .harbor.persistence.type \"s3\"
+ yq_set sc .thanos.objectStorage.type \"swift\"
+
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"global\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .harbor.persistence.type \"swift\"
+ yq_set sc .thanos.objectStorage.type \"s3\"
+
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"global\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .harbor.persistence.type \"s3\"
+ yq_set sc .thanos.objectStorage.type \"s3\"
+
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"global\".\"objectStorageSwift\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_harbor
+@test "conditional-set-me - multiple conditions: network policies harbor" {
+
+ yq_set sc .harbor.enabled 'true'
+ yq_set sc .networkPolicies.harbor.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"harbor\".\"registries\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"harbor\".\"jobservice\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"harbor\".\"trivy\".\"ips\"
+
+ yq_set sc .harbor.enabled 'true'
+ yq_set sc .networkPolicies.harbor.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"registries\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"jobservice\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"trivy\".\"ips\"
+
+ yq_set sc .harbor.enabled 'false'
+ yq_set sc .networkPolicies.harbor.enabled 'true'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"registries\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"jobservice\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"trivy\".\"ips\"
+
+ yq_set sc .harbor.enabled 'false'
+ yq_set sc .networkPolicies.harbor.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"registries\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"jobservice\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"harbor\".\"trivy\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_monitoring
+@test "conditional-set-me - multiple conditions: network policies monitoring" {
+
+ yq_set sc .networkPolicies.monitoring.enabled 'true'
+ yq_set sc .networkPolicies.monitoring.grafana.externalDataSources.enabled 'true'
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ips\"
+ _assert_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ports\"
+
+ yq_set sc .networkPolicies.monitoring.enabled 'true'
+ yq_set sc .networkPolicies.monitoring.grafana.externalDataSources.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ports\"
+
+ yq_set sc .networkPolicies.monitoring.enabled 'false'
+ yq_set sc .networkPolicies.monitoring.grafana.externalDataSources.enabled 'true'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ports\"
+
+ yq_set sc .networkPolicies.monitoring.enabled 'false'
+ yq_set sc .networkPolicies.monitoring.grafana.externalDataSources.enabled 'false'
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ips\"
+ _refute_condition_and_warn .\"networkPolicies\".\"monitoring\".\"grafana\".\"externalDataSources\".\"ports\"
+}
+
+# bats test_tags=conditional_set_me_netpol_rclone_s3
+@test "conditional-set-me - multiple conditions: network policies rclone s3" {
+
+ yq_set sc .objectStorage.sync.enabled 'true'
+ yq_set sc .objectStorage.type \"s3\"
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorage\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'true'
+ yq_set sc .objectStorage.type \"swift\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorage\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'false'
+ yq_set sc .objectStorage.type \"s3\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorage\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'false'
+ yq_set sc .objectStorage.type \"swift\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorage\".\"ips\"
+}
+
+# bats test_tags=conditional_set_me_netpol_rclone_swift
+@test "conditional-set-me - multiple conditions: network policies rclone swift" {
+
+ yq_set sc .objectStorage.sync.enabled 'true'
+ yq_set sc .harbor.persistence.type \"swift\"
+ yq_set sc .thanos.objectStorage.type \"swift\"
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'true'
+ yq_set sc .harbor.persistence.type \"swift\"
+ yq_set sc .thanos.objectStorage.type \"s3\"
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'true'
+ yq_set sc .harbor.persistence.type \"s3\"
+ yq_set sc .thanos.objectStorage.type \"swift\"
+ run _apply_normalise_sc
+ _assert_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'true'
+ yq_set sc .harbor.persistence.type \"s3\"
+ yq_set sc .thanos.objectStorage.type \"s3\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'false'
+ yq_set sc .harbor.persistence.type \"swift\"
+ yq_set sc .thanos.objectStorage.type \"swift\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'false'
+ yq_set sc .harbor.persistence.type \"swift\"
+ yq_set sc .thanos.objectStorage.type \"s3\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'false'
+ yq_set sc .harbor.persistence.type \"s3\"
+ yq_set sc .thanos.objectStorage.type \"swift\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+
+ yq_set sc .objectStorage.sync.enabled 'false'
+ yq_set sc .harbor.persistence.type \"s3\"
+ yq_set sc .thanos.objectStorage.type \"s3\"
+ run _apply_normalise_sc
+ _refute_condition_and_warn .\"networkPolicies\".\"rclone\".\"sync\".\"objectStorageSwift\".\"ips\"
+}
diff --git a/tests/unit/bin/update-ips/resources/maximal-run-full-diff.out b/tests/unit/bin/update-ips/resources/maximal-run-full-diff.out
index f39c8682d9..d0ccfe2ae8 100644
--- a/tests/unit/bin/update-ips/resources/maximal-run-full-diff.out
+++ b/tests/unit/bin/update-ips/resources/maximal-run-full-diff.out
@@ -1,6 +1,6 @@
--- common-config.yaml +++ expected -@@ -23,7 +23,7 @@ +@@ -17,7 +17,7 @@ global: objectStorage: ips:
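Review bot: `_apply_normalise_sc` and `_apply_normalise_wc` pipe `ck8s validate` into `sed`, so the status that `run` records is sed's, and a validate failure that still prints part of the expected output could pass every `_assert_condition_and_warn` check; none of the tests inspects `$status` either. Starting both helpers with `set -o pipefail`, e.g. `set -o pipefail; CK8S_AUTO_APPROVE=true ck8s validate sc 2>&1 | sed "s#${CK8S_CONFIG_PATH}#/tmp/ck8s-apps-config#g"`, and adding `assert_success` after each `run` (assuming validate is meant to exit zero under `CK8S_AUTO_APPROVE`) would make such a failure visible. As a point of style, the escaped path arguments such as `.\"ingressNginx\".\"controller\".\"service\".\"type\"` are hard to read; single-quoting them as `'."ingressNginx"."controller"."service"."type"'` passes the identical string.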
@@ -12,7 +12,7 @@ [ck8s] Diff found for .networkPolicies.global.objectStorage.ips in common-config.yaml (diff shows actions needed to be up to date) --- common-config.yaml +++ expected -@@ -25,7 +25,7 @@ +@@ -19,7 +19,7 @@ ips: - set-me ports: @@ -24,7 +24,7 @@ [ck8s] Diff found for .networkPolicies.global.objectStorage.ports in common-config.yaml (diff shows actions needed to be up to date) --- common-config.yaml +++ expected -@@ -28,7 +28,7 @@ +@@ -22,7 +22,7 @@ - set-me scIngress: ips: @@ -36,15 +36,15 @@ [ck8s] Diff found for .networkPolicies.global.scIngress.ips in common-config.yaml (diff shows actions needed to be up to date) --- common-config.yaml +++ expected -@@ -31,7 +31,7 @@ +@@ -25,7 +25,7 @@ - set-me wcIngress: ips: - - set-me + - 127.0.0.3/32 - trivy: + alertmanager: + alertReceivers: ips: - - set-me [ck8s] Diff found for .networkPolicies.global.wcIngress.ips in common-config.yaml (diff shows actions needed to be up to date) [ck8s] Using unencrypted kubeconfig /tmp/ck8s-apps-config/.state/kube_config_sc.yaml [ck8s] Using unencrypted kubeconfig /tmp/ck8s-apps-config/.state/kube_config_sc.yaml @@ -96,9 +96,9 @@ + - 127.0.3.8/32 + - 127.0.3.9/32 + - 127.0.3.81/32 - harbor: - registries: - ips: + monitoring: + grafana: + externalDashboardProvider: [ck8s] Diff found for .networkPolicies.global.scNodes.ips in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected @@ -110,9 +110,9 @@ + ips: + - 127.1.0.4/32 + - 127.1.0.5/32 - harbor: - registries: - ips: + monitoring: + grafana: + externalDashboardProvider: [ck8s] Diff found for .networkPolicies.global.objectStorageSwift.ips in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected 
@@ -124,9 +124,9 @@ + ports: + - 5678 + - 91011 - harbor: - registries: - ips: + monitoring: + grafana: + externalDashboardProvider: [ck8s] Diff found for .networkPolicies.global.objectStorageSwift.ports in sc-config.yaml (diff shows actions needed to be up to date) [ck8s] Using unencrypted kubeconfig /tmp/ck8s-apps-config/.state/kube_config_wc.yaml [ck8s] Using unencrypted kubeconfig /tmp/ck8s-apps-config/.state/kube_config_wc.yaml @@ -184,36 +184,36 @@ [ck8s] Diff found for .networkPolicies.global.wcNodes.ips in wc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected -@@ -49,6 +49,10 @@ - - set-me +@@ -31,6 +31,10 @@ + - set-me rclone: enabled: true + sync: + objectStorage: + ips: + - 127.1.0.6/32 - objectStorage: - swift: - authUrl: https://keystone.foo.dev-ck8s.com:5678 + alerts: + opsGenieHeartbeat: + name: example [ck8s] Diff found for .networkPolicies.rclone.sync.objectStorage.ips in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected -@@ -49,6 +49,10 @@ - - set-me +@@ -31,6 +31,10 @@ + - set-me rclone: enabled: true + sync: + objectStorage: + ports: + - 1234 - objectStorage: - swift: - authUrl: https://keystone.foo.dev-ck8s.com:5678 + alerts: + opsGenieHeartbeat: + name: example [ck8s] Diff found for .networkPolicies.rclone.sync.objectStorage.ports in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected -@@ -49,6 +49,11 @@ - - set-me +@@ -31,6 +31,11 @@ + - set-me rclone: enabled: true + sync: @@ -221,14 +221,14 @@ + ips: + - 127.1.0.7/32 + - 127.1.0.8/32 - objectStorage: - swift: - authUrl: https://keystone.foo.dev-ck8s.com:5678 + alerts: + opsGenieHeartbeat: + name: example [ck8s] Diff found for .networkPolicies.rclone.sync.objectStorageSwift.ips in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected -@@ -49,6 +49,11 @@ - - set-me +@@ -31,6 +31,11 @@ + - set-me rclone: enabled: true + sync: 
@@ -236,35 +236,35 @@ + ports: + - 443 + - 5678 - objectStorage: - swift: - authUrl: https://keystone.foo.dev-ck8s.com:5678 + alerts: + opsGenieHeartbeat: + name: example [ck8s] Diff found for .networkPolicies.rclone.sync.objectStorageSwift.ports in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected -@@ -49,6 +49,10 @@ - - set-me +@@ -31,6 +31,10 @@ + - set-me rclone: enabled: true + sync: + secondaryUrl: + ips: + - 127.1.0.9/32 - objectStorage: - swift: - authUrl: https://keystone.foo.dev-ck8s.com:5678 + alerts: + opsGenieHeartbeat: + name: example [ck8s] Diff found for .networkPolicies.rclone.sync.secondaryUrl.ips in sc-config.yaml (diff shows actions needed to be up to date) --- sc-config.yaml +++ expected -@@ -49,6 +49,10 @@ - - set-me +@@ -31,6 +31,10 @@ + - set-me rclone: enabled: true + sync: + secondaryUrl: + ports: + - 1234 - objectStorage: - swift: - authUrl: https://keystone.foo.dev-ck8s.com:5678 + alerts: + opsGenieHeartbeat: + name: example [ck8s] Diff found for .networkPolicies.rclone.sync.secondaryUrl.ports in sc-config.yaml (diff shows actions needed to be up to date)
diff --git a/tests/unit/schema.bats b/tests/unit/schema.bats
index 1fde8ad333..0da73edd3f 100644
--- a/tests/unit/schema.bats
+++ b/tests/unit/schema.bats
@@ -102,6 +102,7 @@ find_schemas() {
 run yq4 '{
 filename: [
 .. | select(
+ (. != "true") and
 (has("$ref") | not) and
 (has("allOf") | not) and
 (has("oneOf") | not) and