CR fixes, add tests, add helm chart checks

Signed-off-by: Anton Troshin <anton@diagrid.io>
QaColony · Sep 17, 2024 · 9d126c4 · 9d126c4
1 parent f052d54
commit 9d126c4
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 7 deletions.
diff --git a/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml b/charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml
@@ -154,6 +154,12 @@ spec:
         - name: SIDECAR_RUN_AS_USER
           value: {{ .Values.sidecarRunAsUser | toString | toYaml }}
 {{- end }}
+{{- if and (eq .Values.sidecarRunAsNonRoot false) (ne (.Values.sidecarRunAsUser | int) 0) }}
+{{- fail "sidecarRunAsUser must be 0 or value ommited when sidecarRunAsNonRoot is false"  }}
+{{- end }}
+{{- if and (eq .Values.sidecarRunAsNonRoot true) (and (hasKey .Values "sidecarRunAsUser") (le (.Values.sidecarRunAsUser | int) 0)) }}
+{{- fail "sidecarRunAsUser must positive when sidecarRunAsNonRoot is true (or default)"  }}
+{{- end }}
 {{- if and (.Values.sidecarRunAsGroup) (gt (.Values.sidecarRunAsGroup | int) 0) }}
         - name: SIDECAR_RUN_AS_GROUP
           value: {{ .Values.sidecarRunAsGroup | toString | toYaml }}

diff --git a/pkg/injector/patcher/sidecar_container_test.go b/pkg/injector/patcher/sidecar_container_test.go
@@ -27,6 +27,7 @@ import (
 	"github.com/dapr/dapr/pkg/injector/annotations"
 	injectorConsts "github.com/dapr/dapr/pkg/injector/consts"
 	securityConsts "github.com/dapr/dapr/pkg/security/consts"
+	"github.com/dapr/kit/ptr"
 )
 
 func TestParseEnvString(t *testing.T) {
@@ -850,6 +851,58 @@ func TestGetSidecarContainer(t *testing.T) {
 				assert.Nil(t, container.SecurityContext.SeccompProfile)
 			},
 		},
+		{
+			name: "set run as non root explicitly true",
+			sidecarConfigModifierFn: func(c *SidecarConfig) {
+				c.RunAsNonRoot = true
+			},
+			assertFn: func(t *testing.T, container *corev1.Container) {
+				assert.NotNil(t, container.SecurityContext.RunAsNonRoot, "SecurityContext.RunAsNonRoot should not be nil")
+				assert.Equal(t, ptr.Of(true), container.SecurityContext.RunAsNonRoot, "SecurityContext.RunAsNonRoot should be true")
+			},
+		},
+		{
+			name: "set run as non root explicitly false",
+			sidecarConfigModifierFn: func(c *SidecarConfig) {
+				c.RunAsNonRoot = false
+			},
+			assertFn: func(t *testing.T, container *corev1.Container) {
+				assert.NotNil(t, container.SecurityContext.RunAsNonRoot, "SecurityContext.RunAsNonRoot should not be nil")
+				assert.Equal(t, ptr.Of(false), container.SecurityContext.RunAsNonRoot, "SecurityContext.RunAsNonRoot should be false")
+			},
+		},
+		{
+			name: "set run as user 1000",
+			sidecarConfigModifierFn: func(c *SidecarConfig) {
+				c.RunAsUser = ptr.Of(int64(1000))
+			},
+			assertFn: func(t *testing.T, container *corev1.Container) {
+				assert.NotNil(t, container.SecurityContext.RunAsUser, "SecurityContext.RunAsUser should not be nil")
+				assert.Equal(t, ptr.Of(int64(1000)), container.SecurityContext.RunAsUser, "SecurityContext.RunAsUser should be 1000")
+			},
+		},
+		{
+			name: "do not set run as user leave it as default",
+			assertFn: func(t *testing.T, container *corev1.Container) {
+				assert.Nil(t, container.SecurityContext.RunAsUser, "SecurityContext.RunAsUser should be nil")
+			},
+		},
+		{
+			name: "set run as group 3000",
+			sidecarConfigModifierFn: func(c *SidecarConfig) {
+				c.RunAsGroup = ptr.Of(int64(3000))
+			},
+			assertFn: func(t *testing.T, container *corev1.Container) {
+				assert.NotNil(t, container.SecurityContext.RunAsGroup, "SecurityContext.RunAsGroup should not be nil")
+				assert.Equal(t, ptr.Of(int64(3000)), container.SecurityContext.RunAsGroup, "SecurityContext.RunAsGroup should be 3000")
+			},
+		},
+		{
+			name: "do not set run as group leave it as default",
+			assertFn: func(t *testing.T, container *corev1.Container) {
+				assert.Nil(t, container.SecurityContext.RunAsGroup, "SecurityContext.RunAsGroup should be nil")
+			},
+		},
 	}))
 
 	t.Run("app health checks", testSuiteGenerator([]testCase{

diff --git a/pkg/injector/service/config.go b/pkg/injector/service/config.go
@@ -192,8 +192,14 @@ func (c *Config) parse() (err error) {
 	c.parsedSidecarDropALLCapabilities = kitutils.IsTruthy(c.SidecarDropALLCapabilities)
 
 	// Parse the runAsUser and runAsGroup
-	c.parsedRunAsUser = parseStringToInt64Pointer(c.RunAsUser)
-	c.parsedRunAsGroup = parseStringToInt64Pointer(c.RunAsGroup)
+	c.parsedRunAsUser, err = parseStringToInt64Pointer(c.RunAsUser)
+	if err != nil {
+		return fmt.Errorf("failed to parse runAsUser: %w", err)
+	}
+	c.parsedRunAsGroup, err = parseStringToInt64Pointer(c.RunAsGroup)
+	if err != nil {
+		return fmt.Errorf("failed to parse runAsGroup: %w", err)
+	}
 
 	return nil
 }
@@ -222,15 +228,14 @@ func isTruthyDefaultTrue(val string) bool {
 	return kitutils.IsTruthy(val)
 }
 
-func parseStringToInt64Pointer(intStr string) *int64 {
+func parseStringToInt64Pointer(intStr string) (*int64, error) {
 	if intStr == "" {
-		return nil
+		return nil, nil
 	}
 	i, err := strconv.Atoi(intStr)
 	if err != nil {
-		log.Warnf("couldn't parse %s to int: %v", intStr, err)
-		return nil
+		return nil, err
 	}
 	i64 := int64(i)
-	return &i64
+	return &i64, nil
 }