Add k8s test: init container can reach HTTPS endpoints (CA trust store)#7239
Open
knusbaum wants to merge 3 commits into
Companion to DataDog/libdatadog-build#235 (init images busybox -> scratch + dash/toybox/curl). Asserts the init image can complete a TLS-verified HTTPS request via a throwaway probe pod, guarding the CA trust store against regression on the base-image change.
🎉 All green! 🧪 All tests passed 🔗 Commit SHA: 3713e76
context.scenario is typed as the base Scenario; access the init image through a helper that asserts isinstance(K8sScenario) (mirrors get_cluster_info's narrowing).
Motivation
Adds a k8s_lib_injection test asserting the init container can complete a TLS-verified HTTPS request — i.e. the image ships a working CA trust store. Init images carry CA certs so admission-controller wrappers that dial HTTPS from inside the init container (e.g. bank-vaults' vault-env) keep working. There was no coverage for this. It becomes important now because DataDog/libdatadog-build#235 moves the dd-lib-*-init images off busybox to a FROM scratch + statically-linked dash/toybox/curl base — the kind of base change where a cert store can silently regress. This test guards against that.

What it does

run_https_probe_pod() (tests/k8s_lib_injection/utils.py): runs a one-shot pod from the init image doing curl -fsS https://app.datadoghq.com (verification on, no -k), waits for the pod phase, and always cleans the pod up.

TestK8sLibInjection::test_k8s_init_container_https_egress: asserts the probe pod reaches Succeeded. A missing/invalid CA store makes curl exit non-zero → pod Failed → test fails.

The test is fully isolated (its own throwaway pod, separate test_* method) so a cert regression fails only this test, not the injection/traces assertions. It reuses the existing scenarios + @features.k8s_admission_controller; no manifest changes.

How this was tested

(registry.ddbuild.io/ssi/dd-lib-js-init:<sha>): curl https://… → HTTP 200, ssl_verify_result=0, CAfile /etc/ssl/certs/ca-certificates.crt.

(./format.sh in this environment — CI --check will confirm).
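The probe-pod flow described under "What it does" above (one-shot pod from the init image running curl with verification on, wait for a terminal phase, always delete the pod), written out as an added example. It is not code from this PR or from the system-tests repository. The three API-server calls sit behind an object with create_pod/get_phase/delete_pod methods so the flow runs offline against the constructed FakeCluster; build_https_probe_pod, wait_for_terminal_phase, run_https_probe and FakeCluster are assumed names, the image tag is a placeholder, and the securityContext hardening and curl timeout are choices of this example, not something the PR states.

```python
"""Probe-pod pattern for checking an init image's CA trust store.

Added example, not code from the PR or the system-tests repository. All
names are assumptions; FakeCluster is a constructed stand-in for the API
server so the flow can be exercised without a cluster.
"""
import time
from typing import Callable, Optional

SUCCEEDED = "Succeeded"
FAILED = "Failed"
TERMINAL_PHASES = {SUCCEEDED, FAILED}


def build_https_probe_pod(image: str, url: str, name: str = "https-probe",
                          namespace: str = "default") -> dict:
    """One-shot pod that runs curl from the image under test.

    restartPolicy=Never so the pod ends in Succeeded/Failed instead of being
    restarted. curl -f turns a non-2xx into exit 22, and with no -k a CA
    store that cannot validate the server chain makes curl exit 60, so the
    pod lands in Failed. The securityContext hardening is this example's
    choice: curl only reads the cert bundle and writes to /dev/null.
    """
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace,
                     "labels": {"app": "https-probe"}},
        "spec": {
            "restartPolicy": "Never",
            "automountServiceAccountToken": False,  # probe needs no API access
            "containers": [{
                "name": "probe",
                "image": image,
                "command": ["curl", "-fsS", "--max-time", "20",
                            "-o", "/dev/null", url],
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            }],
        },
    }


def wait_for_terminal_phase(get_phase: Callable[[], Optional[str]],
                            timeout_s: float, poll_s: float = 1.0,
                            clock: Callable[[], float] = time.monotonic,
                            sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll until the phase is Succeeded or Failed, or the deadline passes."""
    deadline = clock() + timeout_s
    while True:
        phase = get_phase()
        if phase in TERMINAL_PHASES:
            return phase
        if clock() >= deadline:
            raise TimeoutError(f"probe pod still {phase!r} after {timeout_s}s")
        sleep(poll_s)


def run_https_probe(cluster, image: str, url: str, timeout_s: float = 120,
                    **wait_kwargs) -> bool:
    """Create the probe pod, wait for a terminal phase, always delete it.

    True only if the pod Succeeded, i.e. curl completed a verified TLS
    handshake and got a 2xx. Cleanup is in finally so a timeout or a Failed
    pod never leaves the throwaway pod behind.
    """
    manifest = build_https_probe_pod(image, url)
    name = manifest["metadata"]["name"]
    cluster.create_pod(manifest)
    try:
        phase = wait_for_terminal_phase(lambda: cluster.get_phase(name),
                                        timeout_s, **wait_kwargs)
        return phase == SUCCEEDED
    finally:
        cluster.delete_pod(name)


class FakeCluster:
    """Constructed API-server stand-in: each get_phase call advances through
    the scripted phases and then sticks on the last one."""

    def __init__(self, phases):
        self._phases = list(phases)
        self.pods = {}
        self.deleted = []

    def create_pod(self, manifest):
        self.pods[manifest["metadata"]["name"]] = manifest

    def get_phase(self, name):
        if name not in self.pods:
            raise KeyError(name)
        if len(self._phases) > 1:
            return self._phases.pop(0)
        return self._phases[0]

    def delete_pod(self, name):
        del self.pods[name]
        self.deleted.append(name)


if __name__ == "__main__":
    # Placeholder tag; a real run points at the init image under test.
    healthy = FakeCluster(["Pending", "Running", "Succeeded"])
    print(run_https_probe(healthy, "dd-lib-js-init:PLACEHOLDER",
                          "https://app.datadoghq.com", sleep=lambda _: None))
```

To run this against a real cluster, replace FakeCluster with a small adapter around the kubernetes Python client: create_pod calls CoreV1Api.create_namespaced_pod(namespace, manifest), get_phase returns read_namespaced_pod(name, namespace).status.phase, and delete_pod calls delete_namespaced_pod(name, namespace). The wait loop is injectable (clock and sleep) so the timeout path can be tested without waiting, which is the failure mode a stuck Pending pod produces when the image cannot be pulled.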