feat(admission-controller): internal test (#1297)

charts/admission-controller/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.12.3
+version: 0.12.4
 appVersion: 3.9.26
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4

charts/admission-controller/README.md

@@ -68,7 +68,7 @@ For example:
 
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
-    --create-namespace -n sysdig-admission-controller --version=0.12.3  \
+    --create-namespace -n sysdig-admission-controller --version=0.12.4  \
     --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
 ```
 
@@ -80,7 +80,7 @@ For example:
 
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
-     --create-namespace -n sysdig-admission-controller --version=0.12.3  \
+     --create-namespace -n sysdig-admission-controller --version=0.12.4  \
     --values values.yaml
 
 ```

charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml

@@ -0,0 +1,13 @@
+# Warning! This file is for internal tests only.
+{{- if .Values.webhook.acConfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: admissioncontrollerconfigmap
+  namespace: {{ include "admissionController.namespace" . }}
+  labels:
+    {{ include "admissionController.webhook.labels" . | nindent 4 }}
+data:
+  acConfig: |
+    {{ .Values.webhook.acConfig | nindent 4 }}
+{{- end }}

charts/admission-controller/templates/webhook/admissionregistration.yaml

@@ -30,7 +30,7 @@ metadata:
   labels:
     app.kubernetes.io/managed-by: Helm
 webhooks:
-{{- if .Values.scanner.enabled }}
+{{- if or .Values.scanner.enabled .Values.webhook.acConfig }}
 - name: scanning.secure.sysdig.com
   matchPolicy: Equivalent
   rules:

charts/admission-controller/templates/webhook/clusterrole.yaml

@@ -16,8 +16,21 @@ rules:
   - ""
   resources:
   - pods
+{{- if .Values.webhook.acConfig }}
+  - configmaps
+{{- end }}
+  verbs:
+  - get
+{{- if .Values.webhook.acConfig }}
+- apiGroups:
+  - "batch"
+  resources:
+  - jobs
   verbs:
+  - create
   - get
+  - delete
+{{- end }}
 - apiGroups:
   - "apps"
   resources:

charts/admission-controller/templates/webhook/deployment.yaml

@@ -83,11 +83,17 @@ spec:
               value: {{ include "webhook.httpsProxy" . }}
             - name: NO_PROXY
               value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
+            - name: AC_NAMESPACE
+              value: {{ include "admissionController.namespace" . }}
             {{- end }}
             {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
             - name: SSL_CERT_DIR
               value: /ca-certs
             {{- end }}
+            {{- if .Values.webhook.acConfig }}
+            - name: VM_ENGINE_V2_ENABLED
+              value: "true"
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.webhook.http.port }}

charts/admission-controller/tests/configmap_test.yaml

@@ -0,0 +1,56 @@
+suite: Test admissioncontrollerconfigmap
+templates:
+  - templates/webhook/admissioncontrollerconfigmap.yaml
+  - templates/webhook/clusterrole.yaml
+tests:
+  - it: Creates the configmap if webhook.acConfig is present
+    set:
+      webhook:
+        acConfig: |
+          foo: bar
+          fizz: buzz
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+        template: templates/webhook/admissioncontrollerconfigmap.yaml
+  - it: Creates the clusterrole if webhook.acConfig is present
+    set:
+      webhook:
+        acConfig: |
+          foo: bar
+          fizz: buzz
+    asserts:
+      - isSubset:
+          path: rules[2]
+          content:
+            apiGroups: ["batch"]
+            resources: ["jobs"]
+            verbs: ["create", "get", "delete"]
+        template: templates/webhook/clusterrole.yaml
+      - isSubset:
+          path: rules[1]
+          content:
+            apiGroups: [""]
+            resources: ["pods", "configmaps"]
+            verbs: ["get"]
+        template: templates/webhook/clusterrole.yaml
+  - it: Does not create the configmap if webhook.acConfig is not present
+    set: {}
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups: [ "batch" ]
+        template: templates/webhook/clusterrole.yaml
+      - isSubset:
+          path: rules[1]
+          content:
+            apiGroups: [""]
+            resources: ["pods"]
+            verbs: ["get"]
+        template: templates/webhook/clusterrole.yaml
+#    asserts:
+#      - isNullOrEmpty:
+#          path: data
+#        template: templates/webhook/admissioncontrollerconfigmap.yaml

charts/admission-controller/values.yaml

@@ -208,6 +208,7 @@ webhook:
 
   # The image pull secrets for webhook.
   imagePullSecrets: []
+
   # Resource request and limits for webhook.
   resources:  # +doc-gen:break
     limits: