diff --git a/e2e/fixtures/E2E_CLI_083_RESULT.json b/e2e/fixtures/E2E_CLI_083_RESULT.json new file mode 100644 index 00000000000..48e32c5c69e --- /dev/null +++ b/e2e/fixtures/E2E_CLI_083_RESULT.json @@ -0,0 +1,28 @@ +{ + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 89, + "files_parsed": 3, + "lines_parsed": 86, + "lines_ignored": 3, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2024-02-06T12:29:45.3845776Z", + "end": "2024-02-06T12:29:49.5261723Z", + "paths": [ + "/path/test/fixtures/helm_ignore" + ], + "queries": [] +} diff --git a/e2e/fixtures/E2E_CLI_084_RESULT.json b/e2e/fixtures/E2E_CLI_084_RESULT.json new file mode 100644 index 00000000000..5ba65bc25cd --- /dev/null +++ b/e2e/fixtures/E2E_CLI_084_RESULT.json @@ -0,0 +1,28 @@ +{ + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 89, + "files_parsed": 3, + "lines_parsed": 34, + "lines_ignored": 55, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2024-02-06T12:29:45.3845776Z", + "end": "2024-02-06T12:29:49.5261723Z", + "paths": [ + "/path/test/fixtures/helm_ignore_block" + ], + "queries": [] +} diff --git a/e2e/fixtures/E2E_CLI_085_RESULT.json b/e2e/fixtures/E2E_CLI_085_RESULT.json new file mode 100644 index 00000000000..1923c8afc79 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_085_RESULT.json 
@@ -0,0 +1,28 @@ +{ + "kics_version": "development", + "files_scanned": 3, + "lines_scanned": 89, + "files_parsed": 3, + "lines_parsed": 86, + "lines_ignored": 3, + "files_failed_to_scan": 0, + "queries_total": 1, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "HIGH": 0, + "INFO": 0, + "LOW": 0, + "MEDIUM": 0, + "TRACE": 0 + }, + "total_counter": 0, + "total_bom_resources": 0, + "start": "2024-02-06T15:01:20.657455Z", + "end": "2024-02-06T15:01:25.1183483Z", + "paths": [ + "/path/test/fixtures/helm_disable_query" + ], + "queries": [] +} diff --git a/e2e/testcases/e2e-cli-083_helm_ignore.go b/e2e/testcases/e2e-cli-083_helm_ignore.go new file mode 100644 index 00000000000..450b9439d62 --- /dev/null +++ b/e2e/testcases/e2e-cli-083_helm_ignore.go @@ -0,0 +1,27 @@ +package testcases + +// E2E-CLI-083 - KICS scan +// should perform a scan and return zero results ignoring the file +func init() { //nolint + testSample := TestCase{ + Name: "should perform a scan and return zero results ignoring the file [E2E-CLI-083]", + Args: args{ + Args: []cmdArgs{ + []string{"scan", "-o", "/path/e2e/output", + "--output-name", "E2E_CLI_083_RESULT", + "-p", "\"/path/test/fixtures/helm_ignore\"", + "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063", + }, + }, + ExpectedResult: []ResultsValidation{ + { + ResultsFile: "E2E_CLI_083_RESULT", + ResultsFormats: []string{"json"}, + }, + }, + }, + WantStatus: []int{0}, + } + + Tests = append(Tests, testSample) +} diff --git a/e2e/testcases/e2e-cli-084_helm_ignore_block.go b/e2e/testcases/e2e-cli-084_helm_ignore_block.go new file mode 100644 index 00000000000..9511bd14da4 --- /dev/null +++ b/e2e/testcases/e2e-cli-084_helm_ignore_block.go 
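Review bot: The expected result for this case is an empty `queries` list, which the scan would also produce if query b7652612-de4e-4466-a0bf-1cd81f0c6063 stopped matching the Helm fixture altogether, so the test cannot tell a working `kics-scan ignore` comment from a detection regression. The same applies to the E2E-CLI-084 and E2E-CLI-085 cases added in this commit. A companion case that scans the same chart without the comment and expects one finding would pin the suppression behaviour. If such a baseline already exists elsewhere in the suite, a comment above `init` naming it would be enough, e.g. `// baseline without the ignore comment: <E2E case id>`.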
@@ -0,0 +1,27 @@
+package testcases
+
+// E2E-CLI-084 - KICS scan
+// should perform a scan and return zero results ignoring the block
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a scan and return zero results ignoring the block [E2E-CLI-084]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_084_RESULT",
+ "-p", "\"/path/test/fixtures/helm_ignore_block\"",
+ "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_084_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{0},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/e2e/testcases/e2e-cli-085_helm_disable_query.go b/e2e/testcases/e2e-cli-085_helm_disable_query.go
new file mode 100644
index 00000000000..d120a35eeb8
--- /dev/null
+++ b/e2e/testcases/e2e-cli-085_helm_disable_query.go
@@ -0,0 +1,27 @@
+package testcases
+
+// E2E-CLI-085 - KICS scan
+// should perform a scan and return zero results ignoring the query
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a scan and return zero results ignoring the query [E2E-CLI-085]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_085_RESULT",
+ "-p", "\"/path/test/fixtures/helm_disable_query\"",
+ "-i", "b7652612-de4e-4466-a0bf-1cd81f0c6063",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_085_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ },
+ WantStatus: []int{0},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/internal/tracker/ci.go b/internal/tracker/ci.go
index af939a805ee..98ee8c1827f 100644
--- a/internal/tracker/ci.go
+++ b/internal/tracker/ci.go
@@ -29,6 +29,9 @@ type CITracker struct { ParsedCountLines int IgnoreCountLines int Version model.Version + BagOfFilesParse map[string]int + BagOfFilesFound map[string]int + syncFileMutex sync.Mutex } // NewTracker will create a new instance of a tracker with the number of lines to display in results output @@ -39,7 +42,9 @@ func NewTracker(previewLines int) (*CITracker, error) { fmt.Errorf("output lines minimum is %v and maximum is %v", constants.MinimumPreviewLines, constants.MaximumPreviewLines) } return &CITracker{ - lines: previewLines, + lines: previewLines, + BagOfFilesParse: make(map[string]int), + BagOfFilesFound: make(map[string]int), }, nil } @@ -66,13 +71,29 @@ func (c *CITracker) TrackQueryExecution(queryAggregation int) { } // TrackFileFound adds a found file to be scanned -func (c *CITracker) TrackFileFound() { - c.FoundFiles++ +func (c *CITracker) TrackFileFound(path string) { + c.syncFileMutex.Lock() + defer c.syncFileMutex.Unlock() + count, value := c.BagOfFilesFound[path] + if !value { + c.BagOfFilesFound[path] = 1 + c.FoundFiles++ + } else { + c.BagOfFilesFound[path] = count + 1 + } } // TrackFileParse adds a successful parsed file to be scanned -func (c *CITracker) TrackFileParse() { - c.ParsedFiles++ +func (c *CITracker) TrackFileParse(path string) { + c.syncFileMutex.Lock() + defer c.syncFileMutex.Unlock() + count, value := c.BagOfFilesParse[path] + if !value { + c.BagOfFilesParse[path] = 1 + c.ParsedFiles++ + } else { + c.BagOfFilesParse[path] = count + 1 + } } // FailedDetectLine - queries that fail to detect line are counted as failed to execute queries diff --git a/internal/tracker/ci_test.go b/internal/tracker/ci_test.go index 8e317346298..a0e3e899b1d 100644 --- a/internal/tracker/ci_test.go +++ b/internal/tracker/ci_test.go 
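Review bot: `TrackFileFound` and `TrackFileParse` now write to `BagOfFilesFound` / `BagOfFilesParse`, which are only initialised in `NewTracker`, so a `CITracker` built from a struct literal panics with an assignment to a nil map on the first call; the test file in this commit had to add `make(map[string]int)` to its literals for that reason. A lazy guard at the top of each method removes the trap: `if c.BagOfFilesFound == nil { c.BagOfFilesFound = make(map[string]int) }`. The lookup can also be reduced to `if c.BagOfFilesFound[path] == 0 { c.FoundFiles++ }` followed by `c.BagOfFilesFound[path]++`, which avoids naming the presence flag `value`. Both maps are exported while the mutex that guards them is not, so readers outside the package cannot take the lock; unexporting them would be safer unless they are serialised somewhere not visible here.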
@@ -70,6 +70,8 @@ func TestCITracker(t *testing.T) { ParsedCountLines: tt.fields.ParsedCountLines, IgnoreCountLines: tt.fields.IgnoreCountLines, lines: tt.fields.lines, + BagOfFilesParse: make(map[string]int), + BagOfFilesFound: make(map[string]int), } t.Run(fmt.Sprintf(tt.name+"_LoadedQueries"), func(t *testing.T) { c.TrackQueryLoad(1) @@ -82,12 +84,12 @@ func TestCITracker(t *testing.T) { }) t.Run(fmt.Sprintf(tt.name+"_TrackFileFound"), func(t *testing.T) { - c.TrackFileFound() + c.TrackFileFound(tt.name) require.Equal(t, 1, c.FoundFiles) }) t.Run(fmt.Sprintf(tt.name+"_TrackFileParse"), func(t *testing.T) { - c.TrackFileParse() + c.TrackFileParse(tt.name) require.Equal(t, 1, c.ParsedFiles) }) t.Run(fmt.Sprintf(tt.name+"_TrackQueryExecuting"), func(t *testing.T) { @@ -152,7 +154,9 @@ func TestNewTracker(t *testing.T) { outputLines: 3, }, want: CITracker{ - lines: 3, + lines: 3, + BagOfFilesFound: make(map[string]int), + BagOfFilesParse: make(map[string]int), }, wantErr: false, }, diff --git a/pkg/detector/helm/helm_detect.go b/pkg/detector/helm/helm_detect.go index 1ddf4f7b747..5614aeb315f 100644 --- a/pkg/detector/helm/helm_detect.go +++ b/pkg/detector/helm/helm_detect.go @@ -39,7 +39,10 @@ const ( func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, outputLines int, logWithFields *zerolog.Logger) model.VulnerabilityLines { searchKey = fmt.Sprintf("%s.%s", strings.TrimRight(strings.TrimLeft(file.HelmID, "# "), ":"), searchKey) - lines := *file.LinesOriginalData + + lines := make([]string, len(*file.LinesOriginalData)) + copy(lines, *file.LinesOriginalData) + curLineRes := detectCurlLine{ foundRes: false, lineRes: 0, diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go index d7d24a4c877..de005b8a4eb 100644 --- a/pkg/kics/resolver_sink.go +++ b/pkg/kics/resolver_sink.go @@ -5,6 +5,7 @@ import ( "context" "encoding/json" "fmt" + "regexp" "sort" sentryReport "github.com/Checkmarx/kics/internal/sentry" 
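Review bot: The updated subtests call `TrackFileFound(tt.name)` and `TrackFileParse(tt.name)` once each, so the de-duplication by path that this commit introduces is never exercised. A second call with the same path followed by `require.Equal(t, 1, c.FoundFiles)`, and a call with a different path that moves the counter to 2, would cover it; the same goes for `ParsedFiles`. The tracker literal is built from `tt.fields` above this hunk, so the exact expected values depend on the starting counts defined there.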
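Review bot: The copy of `*file.LinesOriginalData` in `DetectLine` has no comment saying why it is needed, and the reason is not visible here because the function continues past this hunk. If the code below edits `lines` in place, as the change suggests, a one-line comment such as `// work on a copy: the edits below must not leak into the shared FileMetadata` would keep a later cleanup from going back to the alias. `file.LinesOriginalData` is dereferenced without a nil check both before and after this change, so a nil pointer still panics at this point.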
@@ -27,9 +28,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope } for _, rfile := range resFiles.File { - s.Tracker.TrackFileFound() - countLines := bytes.Count(rfile.Content, []byte{'\n'}) + 1 - s.Tracker.TrackFileFoundCountLines(countLines) + s.Tracker.TrackFileFound(rfile.FileName) isMinified := minified.IsMinified(rfile.FileName, rfile.Content) documents, err := s.Parser.Parse(rfile.FileName, rfile.Content, openAPIResolveReferences, isMinified) @@ -40,6 +39,21 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope log.Err(err).Msgf("failed to parse file content") return []string{}, nil } + + if kind == model.KindHELM { + ignoreList, errorIL := s.getOriginalIgnoreLines(rfile.FileName, rfile.OriginalData, openAPIResolveReferences, isMinified) + if errorIL == nil { + documents.IgnoreLines = ignoreList + + // Need to ignore #KICS_HELM_ID Line + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + } + } else { + documents.CountLines = bytes.Count(rfile.OriginalData, []byte{'\n'}) + 1 + } + + fileCommands := s.Parser.CommentsCommands(rfile.FileName, rfile.OriginalData) + for _, document := range documents.Docs { _, err = json.Marshal(document) if err != nil { @@ -67,6 +81,7 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope FilePath: rfile.FileName, Content: string(rfile.Content), HelmID: rfile.SplitID, + Commands: fileCommands, IDInfo: rfile.IDInfo, LinesIgnore: documents.IgnoreLines, ResolvedFiles: documents.ResolvedFiles, 
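Review bot: In the `kind == model.KindHELM` branch the error from `getOriginalIgnoreLines` is discarded: when `errorIL` is non-nil, `documents.IgnoreLines` and `documents.CountLines` silently keep the values the parser derived from `rfile.Content`, so `kics-scan ignore` comments in the template may be applied to the wrong lines with no trace in the log. Logging the failure keeps that visible, e.g. `log.Warn().Err(errorIL).Msgf("failed to compute ignore lines for %s", rfile.FileName)` in an `else` branch. For other kinds `documents.CountLines` is now overwritten from `rfile.OriginalData` rather than left as the parser computed it; that is only equivalent if `OriginalData` is always populated for resolved files, which this hunk does not show. `resolverSink` starts before and ends after this hunk.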
@@ -75,9 +90,23 @@ func (s *Service) resolverSink(ctx context.Context, filename, scanID string, ope } s.saveToFile(ctx, &file) } - s.Tracker.TrackFileParse() + s.Tracker.TrackFileParse(rfile.FileName) + s.Tracker.TrackFileFoundCountLines(documents.CountLines) s.Tracker.TrackFileParseCountLines(documents.CountLines - len(documents.IgnoreLines)) s.Tracker.TrackFileIgnoreCountLines(len(documents.IgnoreLines)) } return resFiles.Excluded, nil } + +func (s *Service) getOriginalIgnoreLines(filename string, + originalFile []uint8, + openAPIResolveReferences, isMinified bool) (ignoreLines []int, err error) { + refactor := regexp.MustCompile(`.*\n?.*KICS\_HELM\_ID.+\n`).ReplaceAll(originalFile, []uint8{}) + refactor = regexp.MustCompile(`{{-\s*(.*?)\s*}}`).ReplaceAll(refactor, []uint8{}) + + documentsOriginal, err := s.Parser.Parse(filename, refactor, openAPIResolveReferences, isMinified) + if err == nil { + ignoreLines = documentsOriginal.IgnoreLines + } + return +} diff --git a/pkg/kics/service.go b/pkg/kics/service.go index 5bc18e6bfc9..dd7618afd5f 100644 --- a/pkg/kics/service.go +++ b/pkg/kics/service.go @@ -40,8 +40,8 @@ type Storage interface { // TrackFileFound should increment the number of files to be scanned // TrackFileParse should increment the number of files parsed successfully to be scanned type Tracker interface { - TrackFileFound() - TrackFileParse() + TrackFileFound(path string) + TrackFileParse(path string) TrackFileFoundCountLines(countLines int) TrackFileParseCountLines(countLines int) TrackFileIgnoreCountLines(countLines int) diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go index b165d399144..960b57fa74e 100644 --- a/pkg/kics/sink.go +++ b/pkg/kics/sink.go 
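Review bot: `getOriginalIgnoreLines` compiles both patterns with `regexp.MustCompile` on every call, i.e. once per Helm file, although they are constants and belong in package-level variables. The second pattern removes only actions that open with `{{-` and sit on a single line, because `.` does not match a newline, so plain `{{ ... }}` actions and multi-line actions still reach the YAML parser; if that parse fails, the caller in the earlier hunk drops the error. The function also relies on named results with a bare `return`; returning the values explicitly reads more clearly. The variable names in the sketch below are suggestions.

```go
var (
	// helmIDLineRgxp matches the KICS_HELM_ID marker line and, when present, the line before it.
	helmIDLineRgxp = regexp.MustCompile(`.*\n?.*KICS\_HELM\_ID.+\n`)
	// helmTrimActionRgxp matches single-line template actions that open with "{{-".
	helmTrimActionRgxp = regexp.MustCompile(`{{-\s*(.*?)\s*}}`)
)

func (s *Service) getOriginalIgnoreLines(filename string,
	originalFile []uint8,
	openAPIResolveReferences, isMinified bool) (ignoreLines []int, err error) {
	refactor := helmIDLineRgxp.ReplaceAll(originalFile, []uint8{})
	refactor = helmTrimActionRgxp.ReplaceAll(refactor, []uint8{})

	documentsOriginal, err := s.Parser.Parse(filename, refactor, openAPIResolveReferences, isMinified)
	if err != nil {
		return nil, err
	}
	return documentsOriginal.IgnoreLines, nil
}
```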
@@ -29,7 +29,7 @@ var ( func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reader, data []byte, openAPIResolveReferences bool) error { - s.Tracker.TrackFileFound() + s.Tracker.TrackFileFound(filename) log.Debug().Msgf("Starting to process file %s", filename) c, err := getContent(rc, data, s.MaxFileSize, filename) @@ -92,7 +92,7 @@ func (s *Service) sink(ctx context.Context, filename, scanID string, s.saveToFile(ctx, &file) } - s.Tracker.TrackFileParse() + s.Tracker.TrackFileParse(filename) log.Debug().Msgf("Finished to process file %s", filename) s.Tracker.TrackFileParseCountLines(documents.CountLines - len(documents.IgnoreLines)) diff --git a/pkg/model/comment_yaml.go b/pkg/model/comment_yaml.go index 543f19ce05e..31b2f85b42d 100644 --- a/pkg/model/comment_yaml.go +++ b/pkg/model/comment_yaml.go @@ -1,6 +1,7 @@ package model import ( + "reflect" "strings" "sync" @@ -150,6 +151,7 @@ func processLine(kind yaml.Kind, content *yaml.Node, position int) (linesIgnore } else { nodeToIgnore = content.Content[position] } + linesIgnore = append(linesIgnore, nodeToIgnore.Line-1, nodeToIgnore.Line) return } @@ -175,13 +177,17 @@ func processBlock(kind yaml.Kind, content []*yaml.Node, position int) (linesIgno // getNodeLastLine returns the last line of a node func getNodeLastLine(node *yaml.Node) (lastLine int) { lastLine = node.Line - for _, content := range node.Content { - if content.Line > lastLine { - lastLine = content.Line - } - if lineContent := getNodeLastLine(content); lineContent > lastLine { - lastLine = lineContent + if len(node.Content) > 0 { + for _, content := range node.Content { + if content.Line > lastLine { + lastLine = content.Line + } + if lineContent := getNodeLastLine(content); lineContent > lastLine { + lastLine = lineContent + } } + } else if reflect.TypeOf(node.Value).Kind() == reflect.String { + lastLine += strings.Count(node.Value, "\n") } return 
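Review bot: In `getNodeLastLine` the new `else if reflect.TypeOf(node.Value).Kind() == reflect.String` is always true if `yaml` here is gopkg.in/yaml.v3, where `Value` is declared as `string` (the test added in this commit assigns string literals to it), so the `reflect` import can be dropped and the branch written as `} else { lastLine += strings.Count(node.Value, "\n") }`. Counting newlines in the decoded value matches the source layout only for literal block scalars: a double-quoted scalar written on one line with `\n` escapes would stretch an `ignore-block` range over the lines that follow it, and a folded scalar would be under-counted. Because this range decides which findings are suppressed, test cases for quoted and folded values (with `Style` set on the node) would show whether the branch needs a `node.Style` check.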
@@ -190,6 +196,12 @@ func getNodeLastLine(node *yaml.Node) (lastLine int) { // value returns the value of the comment func (c *comment) value() (value CommentCommand) { comment := strings.ToLower(string(*c)) + if isHelm(comment) { + res := KICSGetContentCommentRgxp.FindString(comment) + if len(res) > 0 { + comment = res + } + } // check if we are working with kics command if KICSCommentRgxp.MatchString(comment) { comment = KICSCommentRgxp.ReplaceAllString(comment, "") @@ -200,3 +212,7 @@ func (c *comment) value() (value CommentCommand) { } return CommentCommand(comment) } + +func isHelm(comment string) bool { + return strings.Contains(comment, "helm") +} diff --git a/pkg/model/comment_yaml_test.go b/pkg/model/comment_yaml_test.go index fbbd3a9301a..926a60ed3fb 100644 --- a/pkg/model/comment_yaml_test.go +++ b/pkg/model/comment_yaml_test.go @@ -1,6 +1,7 @@ package model import ( + "github.com/stretchr/testify/assert" "sort" "testing" @@ -634,6 +635,30 @@ func Test_ignoreCommentsYAML(t *testing.T) { }, }, }, + { + name: "test_7: ignore_multiline_string", + want: []int{4, 5, 6, 7, 8, 9}, + args: args{ + &yaml.Node{ + Kind: yaml.MappingNode, + Content: []*yaml.Node{ + { + Kind: yaml.ScalarNode, + Value: "deploy.yml", + HeadComment: "# kics-scan ignore-block", + Line: 5, + Column: 3, + }, + { + Kind: yaml.ScalarNode, + Value: "---\nfoo\n bar: abc\nuploader-token: my-awesome-token\n", + Line: 5, + Column: 15, + }, + }, + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
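Review bot: `isHelm` returns true for any comment that contains the substring "helm", so an ordinary comment in a non-Helm YAML file that merely mentions Helm takes the new branch in `value()`, and a `kics-scan` line in the middle of that multi-line comment is then extracted and treated as a command. Suppression directives should be matched as narrowly as possible; the marker that the test inputs in this commit actually carry is `kics_helm_id`, so `return strings.Contains(comment, "kics_helm_id")` would tie the branch to comments KICS generated itself. `isHelm` also has no doc comment stating what it detects. Part of `value()` lies between the two hunks of this file and is not shown.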
@@ -647,3 +672,29 @@ func Test_ignoreCommentsYAML(t *testing.T) { }) } } + +func Test_value(t *testing.T) { + tests := []struct { + name string + input comment + want string + }{ + { + name: "Should return ignore-block", + input: comment("# source: test/templates/deployment.yaml\n# kics-scan ignore-block\n# kics_helm_id_2:"), + want: "ignore-block", + }, + { + name: "Should Not return ignore-block", + input: comment("# source: test/templates/deployment.yaml\n# kics ignore-block\n# kics_helm_id_2:"), + want: "# source: test/templates/deployment.yaml\n# kics ignore-block\n# kics_helm_id_2:", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + res := tt.input.value() + assert.Equal(t, string(res), tt.want) + }) + } +} diff --git a/pkg/model/model.go b/pkg/model/model.go index aa59cae7255..c25b3bc8d78 100644 --- a/pkg/model/model.go +++ b/pkg/model/model.go @@ -67,7 +67,9 @@ var ( var ( // KICSCommentRgxp is the regexp to identify if a comment is a KICS comment - KICSCommentRgxp = regexp.MustCompile(`^((/{2})|#|;)*\s*kics-scan\s*`) + KICSCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*kics-scan\s*`) + // KICSGetContentCommentRgxp to gets the kics comment on the hel case + KICSGetContentCommentRgxp = regexp.MustCompile(`(^|\n)((/{2})|#|;)*\s*kics-scan([^\n]*)\n`) // KICSCommentRgxpYaml is the regexp to identify if the comment has KICS comment at the end of the comment in YAML KICSCommentRgxpYaml = regexp.MustCompile(`((/{2})|#)*\s*kics-scan\s*(ignore-line|ignore-block)\s*\n*$`) ) diff --git a/pkg/parser/buildah/parser_test.go b/pkg/parser/buildah/parser_test.go index cb27ee87f17..9704a2a9982 100644 --- a/pkg/parser/buildah/parser_test.go +++ b/pkg/parser/buildah/parser_test.go @@ -93,7 +93,8 @@ func TestParser_Parse(t *testing.T) { ]`, want1: []int{1, 3, 5}, wantErr: false, - }, { + }, + { name: "Buildah with normal comments + kics-scan ignore-line parse", p: &Parser{}, args: args{ 
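Review bot: `assert.Equal(t, string(res), tt.want)` in `Test_value` passes the actual value where testify expects the expected one, so a failure message labels the two the wrong way round; it should read `assert.Equal(t, tt.want, string(res))`. Both inputs have a newline after the `kics-scan` line, so the path where `KICSGetContentCommentRgxp` finds no match for a real directive is untested; a case where the directive is the last line of the comment with no trailing newline would cover it. The `github.com/stretchr/testify/assert` import added in the earlier hunk of this file sits above the standard-library group, which goimports would reorder.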
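Review bot: `KICSGetContentCommentRgxp` requires a `\n` after the directive, so a `kics-scan` line that ends the comment without a trailing newline is not extracted, and `value()` then falls back to `KICSCommentRgxp.ReplaceAllString`, which with the new `(^|\n)` anchor strips only the prefix and leaves the preceding comment lines glued to the command. Ending the pattern with `(\n|$)` instead of `\n` closes that gap. Relaxing `KICSCommentRgxp` from `^` to `(^|\n)` affects every caller of that expression, not just the Helm path, so a directive on any line of a multi-line comment now matches; callers outside this diff should be checked for that. The doc comment has typos and could read `// KICSGetContentCommentRgxp extracts the kics-scan line from a multi-line comment (Helm case)`.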
@@ -137,7 +138,8 @@ func TestParser_Parse(t *testing.T) { ]`, want1: []int{1, 3, 4, 6}, wantErr: false, - }, { + }, + { name: "Buildah with kics-scan ignore-block related to from parse", p: &Parser{}, args: args{ diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index 7be45c0823b..bd209ff300a 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -97,9 +97,14 @@ func (c *Parser) CommentsCommands(filePath string, fileContent []byte) model.Com if line == "" { continue } + if strings.HasSuffix(filePath, ".yaml") && strings.HasPrefix(line, "---") { + continue + } + if !strings.HasPrefix(line, commentToken) { break } + fields := strings.Fields(strings.TrimSpace(strings.TrimPrefix(line, commentToken))) if len(fields) > 1 && fields[0] == "kics-scan" && fields[1] != "" { commandParameters := strings.SplitN(fields[1], "=", 2) diff --git a/test/fixtures/helm_disable_query/test/.helmignore b/test/fixtures/helm_disable_query/test/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/test/fixtures/helm_disable_query/test/Chart.yaml b/test/fixtures/helm_disable_query/test/Chart.yaml new file mode 100644 index 00000000000..3ebad470cb4 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/Chart.yaml 
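Review bot: The new skip for a leading `---` in `CommentsCommands` only applies when `filePath` ends in `.yaml`, so a `.yml` file (or one with an upper-case extension) that starts with a document marker still hits the `break` below and its `kics-scan` commands are never read. Comparing the lower-cased extension covers both spellings: `ext := strings.ToLower(filepath.Ext(filePath))` and `if (ext == ".yaml" || ext == ".yml") && strings.HasPrefix(line, "---") {`; this needs `path/filepath` if parser.go does not import it already. The check also skips every `---` line in the leading run rather than only the first, which may be intended but deserves a comment. `CommentsCommands` starts before and ends after this hunk.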
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: test +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/fixtures/helm_disable_query/test/templates/NOTES.txt b/test/fixtures/helm_disable_query/test/templates/NOTES.txt new file mode 100644 index 00000000000..5577ecc59d6 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/_helpers.tpl b/test/fixtures/helm_disable_query/test/templates/_helpers.tpl new file mode 100644 index 00000000000..7286a2d8fa9 --- /dev/null 
+++ b/test/fixtures/helm_disable_query/test/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test.labels" -}} +helm.sh/chart: {{ include "test.chart" . }} +{{ include "test.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_disable_query/test/templates/deployment.yaml b/test/fixtures/helm_disable_query/test/templates/deployment.yaml new file mode 100644 index 00000000000..fb51959472e --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/deployment.yaml 
@@ -0,0 +1,72 @@ +--- +# kics-scan disable=b7652612-de4e-4466-a0bf-1cd81f0c6063 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "test.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "test.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "test.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: dir1 + mountPath: /var/dir1 + volumes: + - name: dir1 + emptyDir: {} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/hpa.yaml b/test/fixtures/helm_disable_query/test/templates/hpa.yaml new file mode 100644 index 00000000000..7afd4c98e87 --- /dev/null 
+++ b/test/fixtures/helm_disable_query/test/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/ingress.yaml b/test/fixtures/helm_disable_query/test/templates/ingress.yaml new file mode 100644 index 00000000000..62771cf66b6 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_disable_query/test/templates/service.yaml b/test/fixtures/helm_disable_query/test/templates/service.yaml new file mode 100644 index 00000000000..af7828aff53 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test.selectorLabels" . | nindent 4 }} diff --git a/test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml b/test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml new file mode 100644 index 00000000000..0fc75716d29 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test.serviceAccountName" . }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml b/test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml new file mode 100644 index 00000000000..f78ec6dc1c4 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/templates/tests/test-connection.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test.fullname" . }}-test-connection" + labels: + {{- include "test.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/test/fixtures/helm_disable_query/test/values.yaml b/test/fixtures/helm_disable_query/test/values.yaml new file mode 100644 index 00000000000..f3cc6241180 --- /dev/null +++ b/test/fixtures/helm_disable_query/test/values.yaml 
@@ -0,0 +1,98 @@ +# Default values for test. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. 
+volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/test/fixtures/helm_ignore/test/.helmignore b/test/fixtures/helm_ignore/test/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/test/fixtures/helm_ignore/test/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/test/fixtures/helm_ignore/test/Chart.yaml b/test/fixtures/helm_ignore/test/Chart.yaml new file mode 100644 index 00000000000..3ebad470cb4 --- /dev/null +++ b/test/fixtures/helm_ignore/test/Chart.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: test +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/fixtures/helm_ignore/test/templates/NOTES.txt b/test/fixtures/helm_ignore/test/templates/NOTES.txt new file mode 100644 index 00000000000..5577ecc59d6 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/test/fixtures/helm_ignore/test/templates/_helpers.tpl b/test/fixtures/helm_ignore/test/templates/_helpers.tpl new file mode 100644 index 00000000000..7286a2d8fa9 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test.labels" -}} +helm.sh/chart: {{ include "test.chart" . }} +{{ include "test.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_ignore/test/templates/deployment.yaml b/test/fixtures/helm_ignore/test/templates/deployment.yaml
new file mode 100644
index 00000000000..7141dc146b6
--- /dev/null
+++ b/test/fixtures/helm_ignore/test/templates/deployment.yaml
@@ -0,0 +1,72 @@
+---
+# kics-scan ignore
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "test.fullname" . }}
+ labels:
+ {{- include "test.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "test.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "test.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "test.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: dir1
+ mountPath: /var/dir1
+ volumes:
+ - name: dir1
+ emptyDir: {}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
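Review bot: Nothing in this fixture says which construct the `# kics-scan ignore` directive on line 2 is meant to suppress, so the zero-result expectation of E2E-CLI-083 can only be understood by looking up the query id passed with `-i` in the test case. The only content that stands out from the chart scaffold is the `dir1` volumeMount at `/var/dir1`, which is presumably the intended finding for query b7652612-de4e-4466-a0bf-1cd81f0c6063. I would record that after the directive line, e.g. `# fixture: the dir1 volumeMount below is the intentional finding; the file-level ignore above must suppress it`. Adding a line changes the line counts pinned in E2E_CLI_083_RESULT.json, so that file would need regenerating. The same documentation gap applies to the `ignore-block` fixture under helm_ignore_block.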
diff --git a/test/fixtures/helm_ignore/test/templates/hpa.yaml b/test/fixtures/helm_ignore/test/templates/hpa.yaml new file mode 100644 index 00000000000..7afd4c98e87 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/test/fixtures/helm_ignore/test/templates/ingress.yaml b/test/fixtures/helm_ignore/test/templates/ingress.yaml new file mode 100644 index 00000000000..62771cf66b6 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_ignore/test/templates/service.yaml b/test/fixtures/helm_ignore/test/templates/service.yaml new file mode 100644 index 00000000000..af7828aff53 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test.selectorLabels" . | nindent 4 }} diff --git a/test/fixtures/helm_ignore/test/templates/serviceaccount.yaml b/test/fixtures/helm_ignore/test/templates/serviceaccount.yaml new file mode 100644 index 00000000000..0fc75716d29 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test.serviceAccountName" . }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/test/fixtures/helm_ignore/test/templates/tests/test-connection.yaml b/test/fixtures/helm_ignore/test/templates/tests/test-connection.yaml new file mode 100644 index 00000000000..f78ec6dc1c4 --- /dev/null +++ b/test/fixtures/helm_ignore/test/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test.fullname" . }}-test-connection" + labels: + {{- include "test.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never 
diff --git a/test/fixtures/helm_ignore/test/values.yaml b/test/fixtures/helm_ignore/test/values.yaml new file mode 100644 index 00000000000..f3cc6241180 --- /dev/null +++ b/test/fixtures/helm_ignore/test/values.yaml 
@@ -0,0 +1,98 @@ +# Default values for test. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. 
+volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/test/fixtures/helm_ignore_block/test/.helmignore b/test/fixtures/helm_ignore_block/test/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/test/fixtures/helm_ignore_block/test/Chart.yaml b/test/fixtures/helm_ignore_block/test/Chart.yaml new file mode 100644 index 00000000000..3ebad470cb4 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/Chart.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: test +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/test/fixtures/helm_ignore_block/test/templates/NOTES.txt b/test/fixtures/helm_ignore_block/test/templates/NOTES.txt new file mode 100644 index 00000000000..5577ecc59d6 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/test/fixtures/helm_ignore_block/test/templates/_helpers.tpl b/test/fixtures/helm_ignore_block/test/templates/_helpers.tpl new file mode 100644 index 00000000000..7286a2d8fa9 --- /dev/null 
+++ b/test/fixtures/helm_ignore_block/test/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "test.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "test.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "test.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "test.labels" -}} +helm.sh/chart: {{ include "test.chart" . }} +{{ include "test.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "test.selectorLabels" -}} +app.kubernetes.io/name: {{ include "test.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "test.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "test.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_ignore_block/test/templates/deployment.yaml b/test/fixtures/helm_ignore_block/test/templates/deployment.yaml
new file mode 100644
index 00000000000..b67f7ab2cd1
--- /dev/null
+++ b/test/fixtures/helm_ignore_block/test/templates/deployment.yaml
@@ -0,0 +1,72 @@
+---
+# kics-scan ignore-block
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "test.fullname" . }}
+ labels:
+ {{- include "test.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "test.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "test.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "test.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: dir1
+ mountPath: /var/dir1
+ volumes:
+ - name: dir1
+ emptyDir: {}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
\ No newline at end of file
diff --git a/test/fixtures/helm_ignore_block/test/templates/hpa.yaml b/test/fixtures/helm_ignore_block/test/templates/hpa.yaml
new file mode 100644
index 00000000000..7afd4c98e87
--- /dev/null
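Review bot: This fixture ends without a trailing newline (`\ No newline at end of file` after the last `{{- end }}`), while the otherwise identical helm_ignore/test/templates/deployment.yaml ends with one. The two files should differ only in the directive on line 2, so that a difference in scan results can be attributed to the directive alone; ending this file with a newline fixes that. Separately, `# kics-scan ignore-block` sits directly above `apiVersion` at the document root. If the aim is to prove block-scoped suppression, placing it directly above `volumeMounts:` would let the test tell a block ignore apart from a whole-file ignore. That is a judgment from the fixture alone, and the counts in E2E_CLI_084_RESULT.json would change with it.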
+++ b/test/fixtures/helm_ignore_block/test/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "test.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/test/fixtures/helm_ignore_block/test/templates/ingress.yaml b/test/fixtures/helm_ignore_block/test/templates/ingress.yaml new file mode 100644 index 00000000000..62771cf66b6 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "test.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/test/fixtures/helm_ignore_block/test/templates/service.yaml b/test/fixtures/helm_ignore_block/test/templates/service.yaml new file mode 100644 index 00000000000..af7828aff53 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "test.fullname" . }} + labels: + {{- include "test.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "test.selectorLabels" . | nindent 4 }} diff --git a/test/fixtures/helm_ignore_block/test/templates/serviceaccount.yaml b/test/fixtures/helm_ignore_block/test/templates/serviceaccount.yaml new file mode 100644 index 00000000000..0fc75716d29 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "test.serviceAccountName" . }} + labels: + {{- include "test.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} diff --git a/test/fixtures/helm_ignore_block/test/templates/tests/test-connection.yaml b/test/fixtures/helm_ignore_block/test/templates/tests/test-connection.yaml new file mode 100644 index 00000000000..f78ec6dc1c4 --- /dev/null +++ b/test/fixtures/helm_ignore_block/test/templates/tests/test-connection.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test.fullname" . }}-test-connection" + labels: + {{- include "test.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never 
diff --git a/test/fixtures/helm_ignore_block/test/values.yaml b/test/fixtures/helm_ignore_block/test/values.yaml
new file mode 100644
index 00000000000..f3cc6241180
--- /dev/null
+++ b/test/fixtures/helm_ignore_block/test/values.yaml
@@ -0,0 +1,98 @@
+# Default values for test.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: nginx
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Automatically mount a ServiceAccount's API credentials?
+ automount: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 80
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+# secret:
+# secretName: mysecret
+# optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+# mountPath: "/etc/foo"
+# readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}