Fix deployment templates (#547)

Author: bosesuneha

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22-alpine
+FROM golang:1.23-alpine
 
 WORKDIR /draft
 

pkg/fixtures/deployments/kustomize/base/deployment-override-workload-identity.yaml

@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testapp
+  labels:
+    app.kubernetes.io/name: testapp
+    kubernetes.azure.com/generator: draft
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: testapp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: testapp
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: testsa
+      containers:
+        - name: testapp
+          image: testimage:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+          resources:
+            requests:
+              cpu: "0.5"
+              memory: "0.5Gi"
+            limits:
+              cpu: "1"
+              memory: "1Gi"
+          envFrom:
+            - configMapRef:
+                name: testapp-config
+            - secretRef:
+                name: secret-ref
+                optional: true
+          livenessProbe:
+            tcpSocket:
+              port: 80
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            periodSeconds: 5
+            timeoutSeconds: 5
+            failureThreshold: 1
+            successThreshold: 1
+            initialDelaySeconds: 3
+          startupProbe:
+            tcpSocket:
+              port: 80
+            periodSeconds: 10
+            timeoutSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 0
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - SETPCAP
+                - MKNOD
+                - AUDIT_WRITE
+                - CHOWN
+                - DAC_OVERRIDE
+                - FOWNER
+                - FSETID
+                - KILL
+                - SETGID
+                - SETUID
+                - NET_BIND_SERVICE
+                - SYS_CHROOT
+                - SETFCAP
+                - SYS_PTRACE
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: testapp
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: testapp

pkg/fixtures/deployments/kustomize/overlays/production/deployment-override-workload-identity.yaml

@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testapp
+  labels:
+    app.kubernetes.io/name: testapp
+    kubernetes.azure.com/generator: draft
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: testapp
+  template:
+    spec:
+      containers:
+        - name: testapp
+          image: testimage:latest

pkg/fixtures/deployments/manifest/manifests/deployment-override-workload-identity.yaml

@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testapp
+  labels:
+    app.kubernetes.io/name: testapp
+    kubernetes.azure.com/generator: draft
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: testapp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: testapp
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: testsa
+      containers:
+        - name: testapp
+          image: testimage:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+          resources:
+            requests:
+              cpu: "0.5"
+              memory: "0.5Gi"
+            limits:
+              cpu: "1"
+              memory: "1Gi"
+          envFrom:
+            - configMapRef:
+                name: testapp-config
+            - secretRef:
+                name: secret-ref
+                optional: true
+          livenessProbe:
+            tcpSocket:
+              port: 80
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            periodSeconds: 5
+            timeoutSeconds: 5
+            failureThreshold: 1
+            successThreshold: 1
+            initialDelaySeconds: 3
+          startupProbe:
+            tcpSocket:
+              port: 80
+            periodSeconds: 10
+            timeoutSeconds: 1
+            failureThreshold: 3
+            successThreshold: 1
+            initialDelaySeconds: 0
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - SETPCAP
+                - MKNOD
+                - AUDIT_WRITE
+                - CHOWN
+                - DAC_OVERRIDE
+                - FOWNER
+                - FSETID
+                - KILL
+                - SETGID
+                - SETUID
+                - NET_BIND_SERVICE
+                - SYS_CHROOT
+                - SETFCAP
+                - SYS_PTRACE
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              topologyKey: kubernetes.io/hostname
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: testapp
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: testapp

pkg/handlers/templatetests/deployment_kustomize_test.go

@@ -25,6 +25,28 @@ func TestDeploymentKustomizeTemplates(t *testing.T) {
 				"SERVICEPORT":    "80",
 			},
 		},
+		{
+			Name:            "valid kustomize deployment with workload identity enabled",
+			TemplateName:    "deployment-kustomize",
+			FixturesBaseDir: "../../fixtures/deployments/kustomize",
+			Version:         "0.0.1",
+			Dest:            ".",
+			TemplateWriter:  &writers.FileMapWriter{},
+			VarMap: map[string]string{
+				"APPNAME":                "testapp",
+				"NAMESPACE":              "default",
+				"PORT":                   "80",
+				"IMAGENAME":              "testimage",
+				"IMAGETAG":               "latest",
+				"GENERATORLABEL":         "draft",
+				"SERVICEPORT":            "80",
+				"ENABLEWORKLOADIDENTITY": "true",
+				"SERVICEACCOUNT":         "testsa",
+			},
+			FileNameOverride: map[string]string{
+				"deployment.yaml": "deployment-override-workload-identity.yaml",
+			},
+		},
 	}
 
 	for _, test := range tests {

pkg/handlers/templatetests/deployment_manifest_test.go

@@ -27,6 +27,30 @@ func TestDeploymentManifestTemplates(t *testing.T) {
 				"ENVVARS":        `{"key1":"value1","key2":"value2"}`,
 			},
 		},
+		{
+			Name:            "valid manifest deployment with workload identity enabled",
+			TemplateName:    "deployment-manifests",
+			FixturesBaseDir: "../../fixtures/deployments/manifest",
+			Version:         "0.0.1",
+			Dest:            ".",
+			TemplateWriter:  &writers.FileMapWriter{},
+			VarMap: map[string]string{
+				"APPNAME":                "testapp",
+				"NAMESPACE":              "default",
+				"PORT":                   "80",
+				"IMAGENAME":              "testimage",
+				"IMAGETAG":               "latest",
+				"GENERATORLABEL":         "draft",
+				"SERVICEPORT":            "80",
+				"ENVVARS":                `{"key1":"value1","key2":"value2"}`,
+				"ENABLEWORKLOADIDENTITY": "true",
+				"SERVICEACCOUNT":         "testsa",
+			},
+			FileNameOverride: map[string]string{
+				"deployment.yaml": "deployment-override-workload-identity.yaml",
+			},
+			GenerateBaseTemplate: true,
+		},
 		{
 			Name:            "valid manifest deployment with filename override",
 			TemplateName:    "deployment-manifests",

template/deployments/kustomize/base/deployment.yaml

@@ -5,9 +5,6 @@ metadata:
   labels:
     app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }}
     kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }}
-    {{- if eq (.Config.GetVariableValue "ENABLEWORKLOADIDENTITY") "true" }}
-    azure.workload.identity/use: "true"
-    {{- end}}
   namespace: {{ .Config.GetVariableValue "NAMESPACE" }}
 spec:
   replicas: 1
@@ -18,6 +15,9 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }}
+        {{- if eq (.Config.GetVariableValue "ENABLEWORKLOADIDENTITY") "true" }}
+        azure.workload.identity/use: "true"
+        {{- end}}
     spec:
       {{- if eq (.Config.GetVariableValue "ENABLEWORKLOADIDENTITY") "true" }}
       serviceAccountName: {{ .Config.GetVariableValue "SERVICEACCOUNT" }}

template/deployments/manifests/manifests/deployment.yaml

@@ -5,9 +5,6 @@ metadata:
   labels:
     app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }}
     kubernetes.azure.com/generator: {{ .Config.GetVariableValue "GENERATORLABEL" }}
-    {{- if eq (.Config.GetVariableValue "ENABLEWORKLOADIDENTITY") "true" }}
-    azure.workload.identity/use: "true"
-    {{- end}}
   namespace: {{ .Config.GetVariableValue "NAMESPACE" }}
 spec:
   replicas: 1
@@ -18,6 +15,9 @@ spec:
     metadata:
       labels:
         app.kubernetes.io/name: {{ .Config.GetVariableValue "APPNAME" }}
+        {{- if eq (.Config.GetVariableValue "ENABLEWORKLOADIDENTITY") "true" }}
+        azure.workload.identity/use: "true"
+        {{- end}}
     spec:
       {{- if eq (.Config.GetVariableValue "ENABLEWORKLOADIDENTITY") "true" }}
       serviceAccountName: {{ .Config.GetVariableValue "SERVICEACCOUNT" }}