test(redis): add helm unit tests for TLS support

Signed-off-by: Arsolitt <arsolitt@gmail.com>
This commit is contained in:
Arsolitt 2026-04-29 19:32:55 +03:00
parent 3dfde08242
commit d482d1e56a
No known key found for this signature in database
GPG key ID: 4D8302CE6A9247C4
5 changed files with 261 additions and 0 deletions

View file

@ -0,0 +1,29 @@
suite: Dashboard RBAC includes TLS secret
templates:
- templates/dashboard-resourcemap.yaml
release:
namespace: tenant-test
tests:
- it: TLS secret not in RBAC when tls.enabled is false
set:
tls:
enabled: false
documentSelector:
path: kind
value: Role
asserts:
- notContains:
path: rules[?(@.resources[0]=='secrets')].resourceNames
content: RELEASE-NAME-redis-tls
- it: TLS secret added to RBAC when tls.enabled is true
set:
tls:
enabled: true
documentSelector:
path: kind
value: Role
asserts:
- contains:
path: rules[?(@.resources[0]=='secrets')].resourceNames
content: RELEASE-NAME-redis-tls

View file

@ -0,0 +1,84 @@
suite: RedisFailover TLS sidecar injection
templates:
- templates/redisfailover.yaml
tests:
- it: does not inject extraContainers when tls.enabled is false
set:
tls:
enabled: false
documentSelector:
path: kind
value: RedisFailover
asserts:
- notExists:
path: spec.redis.extraContainers
- notExists:
path: spec.redis.extraVolumes
- it: injects nginx tls-proxy sidecar when tls.enabled is true
set:
tls:
enabled: true
documentSelector:
path: kind
value: RedisFailover
asserts:
- equal:
path: spec.redis.extraContainers[0].name
value: tls-proxy
- matchRegex:
path: spec.redis.extraContainers[0].image
pattern: "nginx"
- equal:
path: spec.redis.extraContainers[0].ports[0].containerPort
value: 6380
- equal:
path: spec.redis.extraContainers[0].ports[0].name
value: redis-tls
- it: extraVolumes reference auto-generated TLS secret when secretName empty
set:
tls:
enabled: true
secretName: ""
documentSelector:
path: kind
value: RedisFailover
asserts:
- contains:
path: spec.redis.extraVolumes
content:
name: tls-certs
secret:
secretName: RELEASE-NAME-redis-tls
- it: extraVolumes reference user-provided secret when secretName is set
set:
tls:
enabled: true
secretName: my-custom-secret
documentSelector:
path: kind
value: RedisFailover
asserts:
- contains:
path: spec.redis.extraVolumes
content:
name: tls-certs
secret:
secretName: my-custom-secret
- it: extraVolumes include nginx config ConfigMap
set:
tls:
enabled: true
documentSelector:
path: kind
value: RedisFailover
asserts:
- contains:
path: spec.redis.extraVolumes
content:
name: nginx-tls-config
configMap:
name: RELEASE-NAME-redis-tls-nginx

View file

@ -0,0 +1,48 @@
suite: External service TLS port switching
templates:
- templates/service.yaml
tests:
- it: no service when external is false
set:
external: false
tls:
enabled: true
asserts:
- hasDocuments:
count: 0
- it: external true and TLS false renders port 6379 plaintext
set:
external: true
tls:
enabled: false
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.ports[0].port
value: 6379
- equal:
path: spec.ports[0].name
value: redis
- equal:
path: spec.ports[0].targetPort
value: redis
- it: external true and TLS true renders port 6380 TLS
set:
external: true
tls:
enabled: true
asserts:
- hasDocuments:
count: 1
- equal:
path: spec.ports[0].port
value: 6380
- equal:
path: spec.ports[0].name
value: redis-tls
- equal:
path: spec.ports[0].targetPort
value: redis-tls

View file

@ -0,0 +1,56 @@
suite: TLS Certificate
templates:
- templates/tls-certificate.yaml
tests:
- it: does not render when tls.enabled is false
set:
tls:
enabled: false
asserts:
- hasDocuments: { count: 0 }
- it: does not render when tls.secretName is provided (user owns secret)
set:
tls:
enabled: true
secretName: my-existing-secret
asserts:
- hasDocuments: { count: 0 }
- it: renders Certificate when tls.enabled and secretName empty
set:
tls:
enabled: true
secretName: ""
asserts:
- hasDocuments: { count: 1 }
- isKind: { of: Certificate }
- equal: { path: apiVersion, value: cert-manager.io/v1 }
- equal: { path: spec.secretName, value: RELEASE-NAME-redis-tls }
- it: uses default issuerRef
set:
tls:
enabled: true
asserts:
- equal: { path: spec.issuerRef.name, value: selfsigned-cluster-issuer }
- equal: { path: spec.issuerRef.kind, value: ClusterIssuer }
- it: respects custom issuerRef
set:
tls:
enabled: true
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
asserts:
- equal: { path: spec.issuerRef.name, value: letsencrypt-prod }
- it: dnsNames include external-lb and rfs- service variants
set:
tls:
enabled: true
asserts:
- contains: { path: spec.dnsNames, content: RELEASE-NAME-external-lb }
- contains: { path: spec.dnsNames, content: rfs-RELEASE-NAME }
- contains: { path: spec.dnsNames, content: rfs-RELEASE-NAME.NAMESPACE.svc.cluster.local }

View file

@ -0,0 +1,44 @@
suite: TLS nginx ConfigMap
templates:
- templates/tls-nginx-config.yaml
tests:
- it: does not render when tls.enabled is false
set:
tls:
enabled: false
asserts:
- hasDocuments: { count: 0 }
- it: renders ConfigMap when tls.enabled is true
set:
tls:
enabled: true
asserts:
- hasDocuments: { count: 1 }
- isKind: { of: ConfigMap }
- equal:
path: metadata.name
value: RELEASE-NAME-redis-tls-nginx
- exists:
path: data["nginx.conf"]
- it: nginx config contains required directives
set:
tls:
enabled: true
asserts:
- matchRegex:
path: data["nginx.conf"]
pattern: "listen 6380 ssl"
- matchRegex:
path: data["nginx.conf"]
pattern: "127\\.0\\.0\\.1:6379"
- matchRegex:
path: data["nginx.conf"]
pattern: "ssl_certificate /etc/nginx/tls/tls\\.crt"
- matchRegex:
path: data["nginx.conf"]
pattern: "ssl_certificate_key /etc/nginx/tls/tls\\.key"
- matchRegex:
path: data["nginx.conf"]
pattern: "ssl_protocols TLSv1\\.2 TLSv1\\.3"