kube_cluster 0.3.7 → 0.3.8

data/lib/kube/cluster/middleware/resource_preset.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+if __FILE__ == $0
+  require "bundler/setup"
+  require "kube/cluster"
+end
+
 module Kube
   module Cluster
     class Middleware
@@ -62,3 +67,186 @@ module Kube
     end
   end
 end
+
+if __FILE__ == $0
+  require "minitest/autorun"
+
+  class ResourcePresetMiddlewareTest < Minitest::Test
+    Middleware = Kube::Cluster::Middleware
+
+    def test_injects_small_preset_into_deployment
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/size": "small" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+      assert_equal "500m",   container.dig(:resources, :requests, :cpu)
+      assert_equal "512Mi",  container.dig(:resources, :requests, :memory)
+      assert_equal "750m",   container.dig(:resources, :limits, :cpu)
+      assert_equal "768Mi",  container.dig(:resources, :limits, :memory)
+    end
+
+    def test_injects_nano_preset
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "tiny"
+        metadata.labels = { "app.kubernetes.io/size": "nano" }
+        spec.selector.matchLabels = { app: "tiny" }
+        spec.template.metadata.labels = { app: "tiny" }
+        spec.template.spec.containers = [
+          { name: "app", image: "app:latest" },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+      assert_equal "100m",  container.dig(:resources, :requests, :cpu)
+      assert_equal "128Mi", container.dig(:resources, :requests, :memory)
+    end
+
+    def test_injects_xlarge_preset
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "big"
+        metadata.labels = { "app.kubernetes.io/size": "xlarge" }
+        spec.selector.matchLabels = { app: "big" }
+        spec.template.metadata.labels = { app: "big" }
+        spec.template.spec.containers = [
+          { name: "app", image: "app:latest" },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+      assert_equal "1",      container.dig(:resources, :requests, :cpu)
+      assert_equal "3072Mi", container.dig(:resources, :requests, :memory)
+      assert_equal "3",      container.dig(:resources, :limits, :cpu)
+      assert_equal "6144Mi", container.dig(:resources, :limits, :memory)
+    end
+
+    def test_applies_to_all_containers
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "multi"
+        metadata.labels = { "app.kubernetes.io/size": "micro" }
+        spec.selector.matchLabels = { app: "multi" }
+        spec.template.metadata.labels = { app: "multi" }
+        spec.template.spec.containers = [
+          { name: "app", image: "app:latest" },
+          { name: "sidecar", image: "sidecar:latest" },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
+
+      containers.each do |c|
+        assert_equal "250m",  c.dig(:resources, :requests, :cpu)
+        assert_equal "256Mi", c.dig(:resources, :requests, :memory)
+      end
+    end
+
+    def test_skips_non_pod_bearing_resources
+      resource = Kube::Cluster["ConfigMap"].new {
+        metadata.name = "config"
+        metadata.labels = { "app.kubernetes.io/size": "small" }
+      }
+      m = manifest(resource)
+
+      Middleware::ResourcePreset.new.call(m)
+
+      assert_equal resource.to_h, m.resources.first.to_h
+    end
+
+    def test_skips_resources_without_size_label
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+      assert_nil container[:resources]
+    end
+
+    def test_raises_on_unknown_size
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/size": "potato" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      error = assert_raises(ArgumentError) do
+        Middleware::ResourcePreset.new.call(m)
+      end
+
+      assert_includes error.message, "potato"
+      assert_includes error.message, "Valid sizes"
+    end
+
+    def test_applies_to_statefulset
+      m = manifest(Kube::Cluster["StatefulSet"].new {
+        metadata.name = "db"
+        metadata.labels = { "app.kubernetes.io/size": "medium" }
+        spec.selector.matchLabels = { app: "db" }
+        spec.template.metadata.labels = { app: "db" }
+        spec.template.spec.containers = [
+          { name: "postgres", image: "postgres:16" },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+      assert_equal "500m",   container.dig(:resources, :requests, :cpu)
+      assert_equal "1024Mi", container.dig(:resources, :requests, :memory)
+    end
+
+    def test_preserves_existing_container_resources_via_deep_merge
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/size": "small" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          {
+            name: "web", image: "nginx:latest",
+            resources: { requests: { cpu: "999m" } },
+          },
+        ]
+      })
+
+      Middleware::ResourcePreset.new.call(m)
+      container = m.resources.first.to_h.dig(:spec, :template, :spec, :containers, 0)
+
+      # The container's explicit value wins over the preset
+      assert_equal "999m", container.dig(:resources, :requests, :cpu)
+      # The preset fills in missing values
+      assert_equal "512Mi", container.dig(:resources, :requests, :memory)
+    end
+
+    private
+
+      def manifest(*resources)
+        m = Kube::Cluster::Manifest.new
+        resources.each { |r| m << r }
+        m
+      end
+  end
+end

data/lib/kube/cluster/middleware/security_context.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+if __FILE__ == $0
+  require "bundler/setup"
+  require "kube/cluster"
+end
+
 module Kube
   module Cluster
     class Middleware
@@ -82,3 +87,168 @@ module Kube
     end
   end
 end
+
+if __FILE__ == $0
+  require "minitest/autorun"
+
+  class SecurityContextMiddlewareTest < Minitest::Test
+    Middleware = Kube::Cluster::Middleware
+
+    def test_applies_restricted_profile_by_default
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::SecurityContext.new.call(m)
+      h = m.resources.first.to_h
+      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+      container_sc = h.dig(:spec, :template, :spec, :containers, 0, :securityContext)
+
+      assert_equal true, pod_sc[:runAsNonRoot]
+      assert_equal 1000, pod_sc[:runAsUser]
+      assert_equal 1000, pod_sc[:fsGroup]
+      assert_equal({ type: "RuntimeDefault" }, pod_sc[:seccompProfile])
+
+      assert_equal false, container_sc[:allowPrivilegeEscalation]
+      assert_equal true, container_sc[:readOnlyRootFilesystem]
+      assert_equal({ drop: ["ALL"] }, container_sc[:capabilities])
+    end
+
+    def test_applies_baseline_profile_via_label
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/security": "baseline" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::SecurityContext.new.call(m)
+      h = m.resources.first.to_h
+      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+      container_sc = h.dig(:spec, :template, :spec, :containers, 0, :securityContext)
+
+      assert_equal true, pod_sc[:runAsNonRoot]
+      assert_nil pod_sc[:seccompProfile]
+
+      assert_equal false, container_sc[:allowPrivilegeEscalation]
+      assert_nil container_sc[:readOnlyRootFilesystem]
+    end
+
+    def test_applies_baseline_profile_via_constructor_default
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::SecurityContext.new(default: :baseline).call(m)
+      h = m.resources.first.to_h
+      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+      assert_nil pod_sc[:seccompProfile]
+    end
+
+    def test_label_overrides_constructor_default
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/security": "restricted" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::SecurityContext.new(default: :baseline).call(m)
+      h = m.resources.first.to_h
+      pod_sc = h.dig(:spec, :template, :spec, :securityContext)
+
+      assert_equal({ type: "RuntimeDefault" }, pod_sc[:seccompProfile])
+    end
+
+    def test_applies_to_all_containers
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "app", image: "app:latest" },
+          { name: "sidecar", image: "sidecar:latest" },
+        ]
+      })
+
+      Middleware::SecurityContext.new.call(m)
+      containers = m.resources.first.to_h.dig(:spec, :template, :spec, :containers)
+
+      containers.each do |c|
+        assert_equal false, c.dig(:securityContext, :allowPrivilegeEscalation)
+      end
+    end
+
+    def test_skips_non_pod_bearing_resources
+      resource = Kube::Cluster["ConfigMap"].new { metadata.name = "config" }
+      m = manifest(resource)
+
+      Middleware::SecurityContext.new.call(m)
+
+      assert_equal resource.to_h, m.resources.first.to_h
+    end
+
+    def test_raises_on_unknown_profile
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/security": "yolo" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      error = assert_raises(ArgumentError) do
+        Middleware::SecurityContext.new.call(m)
+      end
+
+      assert_includes error.message, "yolo"
+    end
+
+    def test_preserves_existing_pod_security_context
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.securityContext = { runAsUser: 9999 }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx:latest" },
+        ]
+      })
+
+      Middleware::SecurityContext.new.call(m)
+      pod_sc = m.resources.first.to_h.dig(:spec, :template, :spec, :securityContext)
+
+      # Existing value wins
+      assert_equal 9999, pod_sc[:runAsUser]
+      # Middleware fills in missing values
+      assert_equal true, pod_sc[:runAsNonRoot]
+    end
+
+    private
+
+      def manifest(*resources)
+        m = Kube::Cluster::Manifest.new
+        resources.each { |r| m << r }
+        m
+      end
+  end
+end

data/lib/kube/cluster/middleware/service_for_deployment.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+if __FILE__ == $0
+  require "bundler/setup"
+  require "kube/cluster"
+end
+
 module Kube
   module Cluster
     class Middleware
@@ -69,3 +74,165 @@ module Kube
     end
   end
 end
+
+if __FILE__ == $0
+  require "minitest/autorun"
+
+  class ServiceForDeploymentMiddlewareTest < Minitest::Test
+    Middleware = Kube::Cluster::Middleware
+
+    def test_generates_service_from_deployment
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.namespace = "production"
+        metadata.labels = { app: "web" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx", ports: [{ name: "http", containerPort: 8080, protocol: "TCP" }] },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+
+      assert_equal 2, m.resources.size
+
+      deploy, service = m.resources
+      assert_equal "Deployment", deploy.to_h[:kind]
+      assert_equal "Service", service.to_h[:kind]
+
+      sh = service.to_h
+      assert_equal "web", sh.dig(:metadata, :name)
+      assert_equal "production", sh.dig(:metadata, :namespace)
+      assert_equal({ app: "web" }, sh.dig(:spec, :selector))
+
+      port = sh.dig(:spec, :ports, 0)
+      assert_equal "http", port[:name]
+      assert_equal 8080, port[:port]
+      assert_equal "http", port[:targetPort]
+      assert_equal "TCP", port[:protocol]
+    end
+
+    def test_maps_multiple_ports
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          {
+            name: "web", image: "nginx",
+            ports: [
+              { name: "http", containerPort: 8080 },
+              { name: "metrics", containerPort: 9090 },
+            ],
+          },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+      service = m.resources.last
+      ports = service.to_h.dig(:spec, :ports)
+
+      assert_equal 2, ports.size
+      assert_equal "http", ports[0][:name]
+      assert_equal "metrics", ports[1][:name]
+    end
+
+    def test_copies_labels_from_source
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        metadata.labels = { "app.kubernetes.io/name": "web", "app.kubernetes.io/size": "small" }
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx", ports: [{ name: "http", containerPort: 8080 }] },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+      service_labels = m.resources.last.to_h.dig(:metadata, :labels)
+
+      assert_equal "web", service_labels[:"app.kubernetes.io/name"]
+      assert_equal "small", service_labels[:"app.kubernetes.io/size"]
+    end
+
+    def test_skips_deployment_without_named_ports
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.selector.matchLabels = { app: "web" }
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx", ports: [{ containerPort: 8080 }] },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+
+      assert_equal 1, m.resources.size
+    end
+
+    def test_skips_deployment_without_ports
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "worker"
+        spec.selector.matchLabels = { app: "worker" }
+        spec.template.metadata.labels = { app: "worker" }
+        spec.template.spec.containers = [
+          { name: "worker", image: "worker:latest" },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+
+      assert_equal 1, m.resources.size
+    end
+
+    def test_skips_non_pod_bearing_resources
+      m = manifest(Kube::Cluster["ConfigMap"].new { metadata.name = "config" })
+
+      Middleware::ServiceForDeployment.new.call(m)
+
+      assert_equal 1, m.resources.size
+    end
+
+    def test_skips_deployment_without_match_labels
+      m = manifest(Kube::Cluster["Deployment"].new {
+        metadata.name = "web"
+        spec.template.metadata.labels = { app: "web" }
+        spec.template.spec.containers = [
+          { name: "web", image: "nginx", ports: [{ name: "http", containerPort: 8080 }] },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+
+      assert_equal 1, m.resources.size
+    end
+
+    def test_works_with_statefulset
+      m = manifest(Kube::Cluster["StatefulSet"].new {
+        metadata.name = "db"
+        metadata.namespace = "database"
+        spec.selector.matchLabels = { app: "db" }
+        spec.template.metadata.labels = { app: "db" }
+        spec.template.spec.containers = [
+          { name: "postgres", image: "postgres:16", ports: [{ name: "tcp-pg", containerPort: 5432 }] },
+        ]
+      })
+
+      Middleware::ServiceForDeployment.new.call(m)
+
+      assert_equal 2, m.resources.size
+      assert_equal "Service", m.resources.last.to_h[:kind]
+      assert_equal "db", m.resources.last.to_h.dig(:metadata, :name)
+      assert_equal "database", m.resources.last.to_h.dig(:metadata, :namespace)
+    end
+
+    private
+
+      def manifest(*resources)
+        m = Kube::Cluster::Manifest.new
+        resources.each { |r| m << r }
+        m
+      end
+  end
+end