Merge pull request #7 from Conjur-Enterprise/pr186-fork

CNJR-11606: Added unit tests and the ability to define container resources

Author: gl-johnson

.devops/gitleaks.yaml

@@ -0,0 +1,3 @@
+config:
+  exclusions:
+    - "conjur-oss/tests"

.gitignore

@@ -10,3 +10,4 @@ values-private.yaml
 
 # Example temp files
 examples/kubernetes-in-docker/temp*
+.debug/

CHANGELOG.md

@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## Unreleased
 
+## [2.1.1] - 2025-11-21
+
+### Added
+
+- Support resource limits on containers
+- Unit tests for the Helm chart, using [Helm plugin: Unittest](https://github.com/helm-unittest/helm-unittest)
+
 ## [2.1.0] - 2025-08-28
 
 ### Added

README.md

@@ -35,6 +35,18 @@ if you would like to contribute.
 
 ## Testing
 
+There is a complete set of unit tests for the chart which are executed using [Helm unittest plugin](https://github.com/helm-unittest/helm-unittest/tree/main) from this root folder. For example:
+
+```bash
+helm unittest conjur-oss -v conjur-oss/unittest-values.yaml
+```
+
+As snapshots of the default rendered templates are used for many of the tests, if you make template changes that affect the defaults you will need to update the snapshots like so:
+
+```bash
+helm unittest conjur-oss -u -v conjur-oss/unittest-values.yaml
+```
+ 
 This repository includes basic smoke testing on GKE. The Conjur OSS Helm Chart is also exercised more thoroughly by the [cyberark/conjur-authn-k8s-client](https://github.com/cyberark/conjur-authn-k8s-client) project, which clones the OSS Helm Chart repo and uses it while testing across several versions of Kubernetes and OpenShift.
 
 ## License

ci/Dockerfile

@@ -17,7 +17,7 @@ RUN apt-get update && \
                        wget && \
     distro="$(. /etc/os-release; echo $ID)" && \
     release="$(lsb_release -cs)" && \
-    curl -fsSL "https://download.docker.com/linux/$distro/gpg" > /tmp/docker_repo_key && \
+    wget -q -O /tmp/docker_repo_key "https://download.docker.com/linux/$distro/gpg" && \
     apt-key add /tmp/docker_repo_key && \
     add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$distro $release stable" && \
     apt-get update && \
@@ -32,6 +32,9 @@ RUN wget https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
     rm helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
     rm -rf linux-amd64
 
+# Install Helm unittest plugin
+RUN helm plugin install https://github.com/helm-unittest/helm-unittest.git
+
 # Install Kubernetes client
-RUN wget -O /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
+RUN wget -O /usr/local/bin/kubectl https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
     chmod +x /usr/local/bin/kubectl

ci/jenkins_build.sh

@@ -17,9 +17,9 @@ source ../utils.sh
 #   HELM_TEST_LOGGING:    Set to true to enable Helm test log collection.
 #                         Defaults to false.
 #   HELM_VERSION:         Helm client version to use for the test.
-#                         Defaults to '3.1.3'.
+#                         Defaults to '3.19.0'.
 #   KUBECTL_VERSION:      Kubectl client version to use for the test.
-#                         Defaults to '1.16.9'.
+#                         Defaults to latest stable release.
 #   SKIP_GCLOUD_LOGIN:    If set to 'true', then skip Gcloud authentication.
 #                         This is useful for local testing whereby you've
 #                         already authenticated with GCP and/or have 'kubectl'
@@ -28,12 +28,13 @@ source ../utils.sh
 #                         authn-k8s, defaults to authn-k8s
 
 test_id="$(random_string)"
+kubectl_curr_ver=$(curl -L -s https://dl.k8s.io/release/stable.txt)
 
 export CONJUR_NAMESPACE="${CONJUR_NAMESPACE:-conjur-oss-test-$test_id}"
 export HELM_INSTALL_TIMEOUT="${HELM_INSTALL_TIMEOUT:-180}"
 export HELM_TEST_LOGGING="${HELM_TEST_LOGGING:-true}"
-export HELM_VERSION="${HELM_VERSION:-3.1.3}"
-export KUBECTL_VERSION="${KUBECTL_VERSION:-1.16.9}"
+export HELM_VERSION="${HELM_VERSION:-3.19.0}"
+export KUBECTL_VERSION="${KUBECTL_VERSION:-$kubectl_curr_ver}"
 export RELEASE_NAME="$CONJUR_NAMESPACE"
 export SKIP_GCLOUD_LOGIN="${SKIP_GCLOUD_LOGIN:-false}"
 export AUTHN_STRATEGY="${AUTHN_STRATEGY:-authn-k8s}"
@@ -130,8 +131,15 @@ else
   helm init --upgrade
 fi
 
-announce "Deploying and testing Conjur OSS"
 cd ..
+announce "Running Helm unit tests..."
+helm unittest conjur-oss -v conjur-oss/unittest-values.yaml
+if [ $? -ne 0 ]; then
+  announce "Helm unit tests failed"
+  exit 1
+fi
+
+announce "Deploying and testing Conjur OSS"
 trap delete_namespace EXIT
 if ! ./test.sh; then
   announce "                 FAILED"

conjur-oss/README.md

@@ -385,15 +385,18 @@ The following table lists the configurable parameters of the Conjur Open Source
 |`nginx.image.repository`|NGINX Docker image repository|`"nginx"`|
 |`nginx.image.tag`|NGINX Docker image tag|`"1.15"`|
 |`nginx.image.pullPolicy`|Pull policy for NGINX Docker image|`"IfNotPresent"`|
+|`nginx.resources`|Resource requests and limits for nginx pod|`{}`|
 |`openshift.enabled`|Indicates that Conjur is to be installed on an OpenShift platform|`false`|
 |`postgres.image.pullPolicy`|Pull policy for postgres Docker image|`"IfNotPresent"`|
 |`postgres.image.repository`|postgres Docker image repository|`"postgres"`|
 |`postgres.image.tag`|postgres Docker image tag|`"10.16"`|
 |`postgres.persistentVolume.create`|Create a peristent volume to back the PostgreSQL data|`true`|
 |`postgres.persistentVolume.size`|Size of persistent volume to be created for PostgreSQL|`"8Gi"`|
 |`postgres.persistentVolume.storageClass`|Storage class to be used for PostgreSQL persistent volume claim|`nil`|
+|`postgres.resources`|Resource requests and limits for postgres pod|`{}`|
 |`rbac.create`|Controls whether or not RBAC resources are created. This setting is deprecated and will be replaced in the next major release with two separate settings: `rbac.createClusterRole` (defaulting to true) and `rbac.createClusterRoleBinding` (defaulting to false), and the creation of RoleBindings will be recommended over relying on this ClusterRoleBinding.|`true`|
 |`replicaCount`|Number of desired Conjur pods|`1`|
+|`resources`|Resource requests and limits for conjur pod|`{}`|
 |`service.external.annotations`|Annotations for the external LoadBalancer|`[service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp]`|
 |`service.external.enabled`|Expose service to the Internet|`true`|
 |`service.external.port`|Conjur external service port|`443`|

conjur-oss/templates/NOTES.txt

@@ -75,16 +75,16 @@
 
   Start a container with Conjur CLI and authenticate with the new user:
 
-      docker run --rm -it --entrypoint bash cyberark/conjur-cli:8
-      # Or if using MiniKube, use the following command from the host:
-      # docker run --rm -it --network host --entrypoint bash cyberark/conjur-cli:8
+      docker run --rm -it --entrypoint bash cyberark/conjur-cli:9
+      # Or if using MiniKube/KinD/Docker Desktop, use the following command from the host:
+      # docker run --rm -it --add-host conjur.myorg.com:host-gateway --entrypoint bash cyberark/conjur-cli:9
 
       # Here ENDPOINT is the DNS name https endpoint for your Conjur service.
       # NOTE: Ensure that the target endpoint matches at least one of the expected server
       #       SSL certificate names otherwise SSL verification will fail and you will not
       #       be able to log in.
       # NOTE: Also ensure that the URL does not contain a slash (`/`) at the end of the URL
-      conjur init -u <ENDPOINT> -a {{ .Values.account.name | quote }} --self-signed
+      conjur init oss -u <ENDPOINT> -a {{ .Values.account.name | quote }} --self-signed
 
       # API key here is the key that creation of the account provided you in step #2
       conjur login -i admin -p <API_KEY>

conjur-oss/templates/_helpers.tpl

@@ -28,7 +28,7 @@ If release name contains chart name it will be used as a full name.
 Create chart name and version as used by the chart label.
 */}}
 {{- define "conjur-oss.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s" .Chart.Name (.Values.unittestChartVersion | default .Chart.Version) | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*

conjur-oss/templates/deployment.yaml

@@ -104,7 +104,9 @@ spec:
           mountPath: /etc/nginx
           readOnly: true
         {{- end }}
-
+        {{- if .Values.nginx.resources }}
+        resources: {{- toYaml .Values.nginx.resources | nindent 10 }}
+        {{- end }}
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -173,9 +175,10 @@ spec:
         - name: {{ .Release.Name }}-authn-local-socket-volume
           mountPath: /run/authn-local
           readOnly: false
-        {{- end }}          
-        resources:
-{{ toYaml .Values.resources | indent 12 }}
+        {{- end }}         
+        {{- if .Values.resources }} 
+        resources: {{- toYaml .Values.resources | nindent 10 }}
+        {{- end }}
       {{- if .Values.exportAPIkey.enabled }}
       - name: {{ .Release.Name }}-export-api-key
         image: "{{ .Values.exportAPIkey.image.repository }}:{{ .Values.exportAPIkey.image.tag }}"