test: validate volume mounts in config and at runtime

ivanstanev · ivanstanev · commit 71d0c0a0741d · 2019-11-07T09:03:13.000Z
diff --git a/test/helpers/deployment.ts b/test/helpers/deployment.ts
@@ -40,3 +40,51 @@ export function validateSecureConfiguration(test: tap, deployment: V1Deployment)
   );
 }
 
+export function validateVolumeMounts(test: tap, deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].volumeMounts
+  ) {
+    test.fail('bad container spec or missing volumeMounts');
+    return;
+  }
+
+  const volumeMounts = deployment.spec.template.spec.containers[0].volumeMounts;
+
+  const temporaryStorageMount = volumeMounts.find(
+    (mount) => mount.name === 'temporary-storage',
+  );
+  if (!temporaryStorageMount) {
+    test.fail('missing deployment mount "temporary-storage"');
+    return;
+  }
+
+  test.same(
+    temporaryStorageMount.mountPath,
+    '/var/tmp',
+    'deployment file mounts temporary storage at the expected path',
+  );
+
+  const dockerConfigMount = volumeMounts.find(
+    (mount) => mount.name === 'docker-config',
+  );
+  if (!dockerConfigMount) {
+    test.fail('missing deployment mount "docker-config"');
+    return;
+  }
+
+  test.same(
+    dockerConfigMount.readOnly,
+    true,
+    'docker-config is a read-only mount',
+  );
+
+  test.same(
+    dockerConfigMount.mountPath,
+    '/root/.docker',
+    'docker-config mount path is as expected',
+  );
+}
diff --git a/test/integration/kubernetes.test.ts b/test/integration/kubernetes.test.ts
@@ -9,7 +9,7 @@ import {
   validateHomebaseStoredMetadata,
   getHomebaseResponseBody,
 } from '../helpers/homebase';
-import { validateSecureConfiguration } from '../helpers/deployment';
+import { validateSecureConfiguration, validateVolumeMounts } from '../helpers/deployment';
 
 let integrationId: string;
 
@@ -178,4 +178,5 @@ tap.test('snyk-monitor secure configuration is as expected', async (t) => {
   const deployment = response.body;
 
   validateSecureConfiguration(t, deployment);
+  validateVolumeMounts(t, deployment);
 });
diff --git a/test/unit/deployment-files.test.ts b/test/unit/deployment-files.test.ts
@@ -3,7 +3,7 @@ import { parse } from 'yaml';
 import { readFileSync } from 'fs';
 import { V1Deployment } from '@kubernetes/client-node';
 import * as snykConfig from '../../src/common/config';
-import { validateSecureConfiguration } from '../helpers/deployment';
+import { validateSecureConfiguration, validateVolumeMounts } from '../helpers/deployment';
 
 /**
  * Note that these checks are also performed at runtime on the deployed snyk-monitor, see the integration tests.
@@ -19,5 +19,6 @@ tap.test('ensure the security properties of the deployment files are unchanged',
     const deployment: V1Deployment = parse(fileContent);
 
     validateSecureConfiguration(t, deployment);
+    validateVolumeMounts(t, deployment);
   }
 });
