Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
I have left in draft to find out if we are not using the helm unittests? Tests do not run though when run manually:

```
> helm unittest deploy/charts/venafi-kubernetes-agent/ --strict
### Chart [ venafi-kubernetes-agent ] deploy/charts/venafi-kubernetes-agent/
PASS test deployment deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
Charts: 1 passed, 1 total
Test Suites: 1 passed, 1 total
Tests: 8 passed, 8 total
Snapshot: 0 passed, 0 total
Time: 79.913708ms
```
| - name: POD_NODE | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: spec.nodeName |
…o existing test Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
If testing manually, then you have to escape the

```
helm template venafi-kubernetes-agent deploy/charts/venafi-kubernetes-agent \
  --version v1.5.0 -n venafi \
  --set http_proxy='http://<proxy server>:<port>' \
  --set no_proxy='127.0.0.1\,kubernetes.default.svc\,kubernetes.default.svc.cluster.local' \
  --set https_proxy='https://<proxy server>:<port>'
```

Don't believe this affects YAML values files as this is handled for you there.
I was curious to know why this bug wasn't picked up by the kubeconform check, and the answer is that the duplicate env stanza only appears if we supply the proxy values.
--- a/deploy/charts/venafi-kubernetes-agent/values.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/values.yaml
@@ -106,7 +106,7 @@ podSecurityContext: {}
# Configures the NO_PROXY environment variable where a HTTP proxy is required,
# but certain domains should be excluded.
# +docs:property
-# no_proxy: 127.0.0.1,localhost
+no_proxy: 127.0.0.1,localhost
# Add Container specific SecurityContext settings to the container. Takes
# precedence over `podSecurityContext` when set. See
Branch: master:
Branch: pf/env:
An idea for the future is that we could (somehow) extract all the example values (commented out) and the kube-conform check with those values enabled.
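Review bot: Uncommenting `no_proxy: 127.0.0.1,localhost` in values.yaml (the `+` line at 109) turns a documented example into a chart default, so every install would get a NO_PROXY value even when no proxy is configured. If the aim is only to make the duplicate env stanza visible to the kubeconform check, keep the line commented here and supply the value at render time, with `--set` or a separate values file used only by the check.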
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Thanks for fixing this @hawksight
I gave up trying to get the agent running in a cluster with a proxy available, but the changes to the Helm templates make perfect sense to me and the tests demonstrate that the correct proxy environment variables are added to the right part of the Deployment.
| config.organisation: test_org | ||
| config.cluster: test_cluster | ||
| # config.organisation: test_org -> Should be removed? | ||
| # config.cluster: test_cluster -> Should be config.clusterName? |
@maelvls will know more about this. It was introduced in #543 but the tests were originally written for the jetstack-secure chart, so perhaps there's been some mixup when running the tests for each chart, which went unnoticed because the helm unittests weren't being run in CI.
jetstack-secure/deploy/charts/jetstack-agent/values.yaml
Lines 90 to 99 in 076f734
Better resolve this before merging this PR.
Looking at the test, it's validating mounting custom volumes / volumeMount for a CA cert, which still works. I think the config option as you say is for the previous revision of the agent / chart.
Given it works without those set, let's remove the values and leave the test as is. Sorry I probably indeed added this based on some customer options.
Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: spec.nodeName | ||
| {{- if or .Values.http_proxy .Values.https_proxy .Values.no_proxy }} |
I think this if statement can be removed, because its original purpose was to omit the env stanza if no proxy env vars were needed. Now the env stanza is always included. I'll remove it.
| ## Run `helm unittest`. | ||
| ## @category Testing | ||
| test-helm: | $(NEEDS_HELM-UNITTEST) | ||
| $(HELM-UNITTEST) ./deploy/charts/venafi-kubernetes-agent/ |
Not including the jetstack-secure chart here because it is soon to be removed: #672
Signed-off-by: Richard Wall <richard.wall@cyberark.com>
I've done some further testing. I then modified the values for the test to include the proxy settings.
diff --git a/hack/e2e/values.venafi-kubernetes-agent.yaml b/hack/e2e/values.venafi-kubernetes-agent.yaml
index 630d76e..99d1757 100644
--- a/hack/e2e/values.venafi-kubernetes-agent.yaml
+++ b/hack/e2e/values.venafi-kubernetes-agent.yaml
@@ -11,3 +11,7 @@ authentication:
extraArgs:
- --logging-format=json
- --log-level=6
+
+https_proxy: "https://proxy:8080"
+
+no_proxy: 127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local
The test fails, because I hadn't deployed a proxy.
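Review bot: The added `https_proxy: "https://proxy:8080"` points the e2e values file at a host the test setup does not provide, so the run fails unless a proxy is deployed alongside it. Put the proxy settings in a separate values file that is layered on only for a proxy-specific run, or deploy the proxy as part of that run; also quote the `no_proxy` value the same way `https_proxy` is quoted so the two entries are consistent.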
@maelvls, @hawksight I stumbled on this comment in the Kubernetes code today:
Perhaps we should use that wrapper too, to support CIDR in NO_PROXY?

This fixes an issue that meant the proxy settings were always ignored. The `spec.template.spec.containers[0].env` key was specified twice in the template:
Because the second invocation was never gated, it always took effect. This meant that even when specified, the proxy settings would be overridden.
Here is an example of what happened when set:
What happens now:
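A check for the defect this PR describes, as an added example that is not part of the PR or the project's code: it flags any key that appears twice in the same block mapping of a rendered manifest, which is how the second `env` replaced the proxy variables. The sample manifest, the image name and the function name are constructed for illustration, and the scanner assumes plain block-style YAML (no flow mappings or block scalars).

```python
import re

# Constructed sample (not the chart's real output): a rendered Deployment
# fragment in which the container mapping carries two `env` keys.
RENDERED = """\
spec:
  template:
    spec:
      containers:
        - name: agent
          env:
            - name: HTTPS_PROXY
              value: https://proxy:8080
          image: example/agent:v0
          env:
            - name: POD_NODE
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
"""

KEY = re.compile(r"^([A-Za-z_][\w./-]*):(?:\s|$)")


def duplicate_keys(text):
    """Return (line_number, key) for each key repeated in one block mapping."""
    dups = []
    scopes = []  # stack of (indent, keys already seen in the mapping there)
    for number, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Leaving a deeper mapping closes it.
        while scopes and scopes[-1][0] > indent:
            scopes.pop()
        if body.startswith("- "):
            # A list item opens a fresh mapping two columns further in.
            body, indent = body[2:].lstrip(), indent + 2
        if not scopes or scopes[-1][0] < indent:
            scopes.append((indent, set()))
        match = KEY.match(body)
        if match:
            key = match.group(1)
            if key in scopes[-1][1]:
                dups.append((number, key))  # a later key replaces the earlier one
            scopes[-1][1].add(key)
    return dups
```

Running it over the output of `helm template` with the proxy values set surfaces the same condition the kubeconform check only saw once those values were supplied.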