Coverage for /pythoncovmergedfiles/medio/medio/src/airflow/helm_tests/security/test_kerberos.py: 0%

Shortcuts on this page

r m x   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

32 statements  

1# Licensed to the Apache Software Foundation (ASF) under one 

2# or more contributor license agreements. See the NOTICE file 

3# distributed with this work for additional information 

4# regarding copyright ownership. The ASF licenses this file 

5# to you under the Apache License, Version 2.0 (the 

6# "License"); you may not use this file except in compliance 

7# with the License. You may obtain a copy of the License at 

8# 

9# http://www.apache.org/licenses/LICENSE-2.0 

10# 

11# Unless required by applicable law or agreed to in writing, 

12# software distributed under the License is distributed on an 

13# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 

14# KIND, either express or implied. See the License for the 

15# specific language governing permissions and limitations 

16# under the License. 

17from __future__ import annotations 

18 

19import json 

20 

21import jmespath 

22 

23from tests.charts.helm_template_generator import render_chart 

24 

25 

26class TestKerberos: 

27 """Tests kerberos.""" 

28 

29 def test_kerberos_not_mentioned_in_render_if_disabled(self): 

30 # the name is deliberately shorter as we look for "kerberos" in the rendered chart 

31 k8s_objects = render_chart(name="no-krbros", values={"kerberos": {"enabled": False}}) 

32 # ignore airflow config map 

33 k8s_objects_to_consider = [ 

34 obj for obj in k8s_objects if obj["metadata"]["name"] != "no-krbros-config" 

35 ] 

36 k8s_objects_to_consider_str = json.dumps(k8s_objects_to_consider) 

37 assert k8s_objects_to_consider_str.count("kerberos") == 1 

38 

39 def test_kerberos_envs_available_in_worker_with_persistence(self): 

40 docs = render_chart( 

41 values={ 

42 "executor": "CeleryExecutor", 

43 "workers": { 

44 "kerberosSidecar": {"enabled": True}, 

45 "persistence": { 

46 "enabled": True, 

47 }, 

48 }, 

49 "kerberos": { 

50 "enabled": True, 

51 "configPath": "/etc/krb5.conf", 

52 "ccacheMountPath": "/var/kerberos-ccache", 

53 "ccacheFileName": "ccache", 

54 }, 

55 }, 

56 show_only=["templates/workers/worker-deployment.yaml"], 

57 ) 

58 

59 assert {"name": "KRB5_CONFIG", "value": "/etc/krb5.conf"} in jmespath.search( 

60 "spec.template.spec.containers[0].env", docs[0] 

61 ) 

62 assert {"name": "KRB5CCNAME", "value": "/var/kerberos-ccache/ccache"} in jmespath.search( 

63 "spec.template.spec.containers[0].env", docs[0] 

64 ) 

65 

66 def test_kerberos_sidecar_resources(self): 

67 docs = render_chart( 

68 values={ 

69 "executor": "CeleryExecutor", 

70 "workers": { 

71 "kerberosSidecar": { 

72 "enabled": True, 

73 "resources": { 

74 "requests": { 

75 "cpu": "200m", 

76 "memory": "200Mi", 

77 }, 

78 "limits": { 

79 "cpu": "201m", 

80 "memory": "201Mi", 

81 }, 

82 }, 

83 }, 

84 }, 

85 }, 

86 show_only=["templates/workers/worker-deployment.yaml"], 

87 ) 

88 

89 assert jmespath.search("spec.template.spec.containers[2].resources.requests.cpu", docs[0]) == "200m" 

90 assert ( 

91 jmespath.search("spec.template.spec.containers[2].resources.requests.memory", docs[0]) == "200Mi" 

92 ) 

93 assert jmespath.search("spec.template.spec.containers[2].resources.limits.cpu", docs[0]) == "201m" 

94 assert jmespath.search("spec.template.spec.containers[2].resources.limits.memory", docs[0]) == "201Mi" 

95 

96 def test_keberos_sidecar_resources_are_not_added_by_default(self): 

97 docs = render_chart( 

98 show_only=["templates/workers/worker-deployment.yaml"], 

99 ) 

100 assert jmespath.search("spec.template.spec.containers[0].resources", docs[0]) == {} 

101 

102 def test_kerberos_keytab_exists_in_worker_when_enable(self): 

103 docs = render_chart( 

104 values={ 

105 "executor": "CeleryExecutor", 

106 "kerberos": { 

107 "enabled": True, 

108 "keytabBase64Content": "dGVzdGtleXRhYg==", 

109 "configPath": "/etc/krb5.conf", 

110 "ccacheMountPath": "/var/kerberos-ccache", 

111 "ccacheFileName": "ccache", 

112 }, 

113 }, 

114 show_only=["templates/workers/worker-deployment.yaml"], 

115 ) 

116 

117 assert { 

118 "name": "kerberos-keytab", 

119 "subPath": "kerberos.keytab", 

120 "mountPath": "/etc/airflow.keytab", 

121 "readOnly": True, 

122 } in jmespath.search("spec.template.spec.containers[0].volumeMounts", docs[0]) 

123 

124 def test_kerberos_keytab_secret_available(self): 

125 docs = render_chart( 

126 values={ 

127 "executor": "CeleryExecutor", 

128 "kerberos": { 

129 "enabled": True, 

130 "keytabBase64Content": "dGVzdGtleXRhYg==", 

131 "configPath": "/etc/krb5.conf", 

132 "ccacheMountPath": "/var/kerberos-ccache", 

133 "ccacheFileName": "ccache", 

134 }, 

135 }, 

136 show_only=["templates/secrets/kerberos-keytab-secret.yaml"], 

137 ) 

138 

139 assert jmespath.search('data."kerberos.keytab"', docs[0]) == "dGVzdGtleXRhYg==" 

140 

141 def test_kerberos_keytab_secret_unavailable_when_not_specified(self): 

142 docs = render_chart( 

143 values={ 

144 "executor": "CeleryExecutor", 

145 "kerberos": { 

146 "enabled": True, 

147 "configPath": "/etc/krb5.conf", 

148 "ccacheMountPath": "/var/kerberos-ccache", 

149 "ccacheFileName": "ccache", 

150 }, 

151 }, 

152 show_only=["templates/secrets/kerberos-keytab-secret.yaml"], 

153 ) 

154 

155 assert 0 == len(docs)