testkube: add support for defining image credentials cache ttl

kubeshop · Jul 19, 2024 · 6876643 · 6876643
1 parent a270d2e
commit 6876643
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 16 deletions.
diff --git a/charts/testkube-api/README.md b/charts/testkube-api/README.md
@@ -1,6 +1,6 @@
 # testkube-api
 
-![Version: 1.15.2](https://img.shields.io/badge/Version-1.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.15.2](https://img.shields.io/badge/AppVersion-1.15.2-informational?style=flat-square)
+![Version: 2.0.10](https://img.shields.io/badge/Version-2.0.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.10](https://img.shields.io/badge/AppVersion-2.0.10-informational?style=flat-square)
 
 A Helm chart for Testkube api
 
@@ -14,7 +14,11 @@ A Helm chart for Testkube api
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| additionalJobVolumeMounts | list | `[]` |  |
+| additionalJobVolumes | list | `[]` |  |
 | additionalNamespaces | list | `[]` |  |
+| additionalVolumeMounts | list | `[]` |  |
+| additionalVolumes | list | `[]` |  |
 | affinity | object | `{}` |  |
 | analyticsEnabled | bool | `true` |  |
 | autoscaling.annotations | object | `{}` |  |
@@ -44,43 +48,82 @@ A Helm chart for Testkube api
 | cloud.key | string | `""` |  |
 | cloud.migrate | string | `""` |  |
 | cloud.orgId | string | `""` |  |
-| cloud.url | string | `"agent.testkube.io:443"` |  |
+| cloud.tls.certificate.caFile | string | `"/tmp/agent-cert/ca.crt"` |  |
+| cloud.tls.certificate.certFile | string | `"/tmp/agent-cert/cert.crt"` |  |
+| cloud.tls.certificate.keyFile | string | `"/tmp/agent-cert/cert.key"` |  |
+| cloud.tls.certificate.secretRef | string | `""` |  |
+| cloud.tls.customCaDirPath | string | `""` | Specifies the path to the directory (skip the trailing slash) where CA certificates should be mounted. The mounted file should container a PEM encoded CA certificate. |
+| cloud.tls.customCaSecretRef | string | `""` |  |
+| cloud.tls.enabled | bool | `true` |  |
+| cloud.tls.skipVerify | bool | `false` |  |
 | cloud.uiUrl | string | `""` |  |
+| cloud.url | string | `"agent.testkube.io:443"` |  |
 | clusterName | string | `""` |  |
 | configValues | string | `""` |  |
+| containerResources | object | `{}` |  |
 | dashboardUri | string | `""` |  |
-| dnsPolicy | string | `""` |  |
+| defaultStorageClassName | string | `""` | Whether to generate RBAC for test job or use manually provided    generateTestJobRBAC: true # default storage class name for PVC volumes |
 | disableMongoMigrations | bool | `false` |  |
 | disableSecretCreation | bool | `false` |  |
+| dnsPolicy | string | `""` |  |
 | enableK8sEvents | bool | `true` |  |
 | enableSecretsEndpoint | bool | `false` |  |
-| executionNamespaces | list | `[]` |  |
+| enabledExecutors | string | `nil` |  |
+| executionNamespaces | string | `nil` |  |
 | executors | string | `""` |  |
-| extraEnvVars | object | `{}` |  |
+| extraEnvVars | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
+| global.affinity | object | `{}` |  |
 | global.annotations | object | `{}` |  |
+| global.features.logsV2 | bool | `false` |  |
+| global.features.whitelistedContainers | string | `"init,logs,scraper"` |  |
 | global.imagePullSecrets | list | `[]` |  |
 | global.imageRegistry | string | `""` |  |
 | global.labels | object | `{}` |  |
+| global.nodeSelector | object | `{}` |  |
+| global.testWorkflows.createOfficialTemplates | bool | `true` |  |
+| global.testWorkflows.createServiceAccountTemplates | bool | `true` |  |
+| global.testWorkflows.globalTemplate.enabled | bool | `false` |  |
+| global.testWorkflows.globalTemplate.name | string | `"global-template"` |  |
+| global.testWorkflows.globalTemplate.spec | object | `{}` |  |
+| global.tls.caCertPath | string | `""` |  |
+| global.tolerations | list | `[]` |  |
+| global.volumes.additionalVolumeMounts | list | `[]` |  |
+| global.volumes.additionalVolumes | list | `[]` |  |
 | hostNetwork | string | `""` |  |
 | httpReadBufferSize | int | `8192` |  |
 | image.digest | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.pullSecret | list | `[]` |  |
+| image.pullSecrets | list | `[]` |  |
 | image.registry | string | `"docker.io"` |  |
 | image.repository | string | `"kubeshop/testkube-api-server"` |  |
-| enabledExecutors | object | `{}` |  |
+| imageInspectionCache.enabled | bool | `true` |  |
+| imageInspectionCache.name | string | `"testkube-image-cache"` |  |
+| imageInspectionCache.ttl | string | `"30m"` |  |
+| imageTwInit.digest | string | `""` |  |
+| imageTwInit.registry | string | `"docker.io"` |  |
+| imageTwInit.repository | string | `"kubeshop/testkube-tw-init"` |  |
+| imageTwToolkit.digest | string | `""` |  |
+| imageTwToolkit.registry | string | `"docker.io"` |  |
+| imageTwToolkit.repository | string | `"kubeshop/testkube-tw-toolkit"` |  |
+| initContainerResources | object | `{}` |  |
+| jobAnnotations | object | `{}` |  |
 | jobContainerTemplate | string | `""` |  |
+| jobPodAnnotations | object | `{}` |  |
 | jobScraperTemplate | string | `""` |  |
 | jobServiceAccountName | string | `""` |  |
 | kubeVersion | string | `""` |  |
 | livenessProbe.initialDelaySeconds | int | `30` |  |
 | logs.bucket | string | `"testkube-logs"` |  |
 | logs.storage | string | `"minio"` |  |
+| logsServiceAccount.annotations | object | `{}` |  |
+| logsServiceAccount.create | bool | `true` |  |
+| logsServiceAccount.name | string | `""` |  |
+| logsV2ContainerResources | object | `{}` |  |
 | minio.accessModes[0] | string | `"ReadWriteOnce"` |  |
 | minio.affinity | object | `{}` |  |
 | minio.enabled | bool | `true` |  |
-| minio.extraEnvVars | object | `{}` |  |
+| minio.extraEnvVars | list | `[]` |  |
 | minio.extraVolumeMounts | list | `[]` |  |
 | minio.extraVolumes | list | `[]` |  |
 | minio.image.pullPolicy | string | `"IfNotPresent"` |  |
@@ -106,13 +149,27 @@ A Helm chart for Testkube api
 | minio.secretUserName | string | `""` |  |
 | minio.securityContext | object | `{}` |  |
 | minio.serviceAccountName | string | `""` |  |
+| minio.serviceMonitor.enabled | bool | `false` |  |
+| minio.serviceMonitor.interval | string | `"15s"` |  |
+| minio.serviceMonitor.labels | object | `{}` |  |
+| minio.serviceMonitor.matchLabels | list | `[]` |  |
 | minio.storage | string | `"10Gi"` |  |
 | minio.tolerations | list | `[]` |  |
 | mongodb.allowDiskUse | bool | `true` |  |
 | mongodb.dsn | string | `"mongodb://testkube-mongodb:27017"` |  |
 | multinamespace.enabled | bool | `false` |  |
 | nameOverride | string | `""` |  |
+| nats.embedded | bool | `false` |  |
 | nats.enabled | bool | `true` |  |
+| nats.tls.certSecret.baseMountPath | string | `"/etc/client-certs/nats"` |  |
+| nats.tls.certSecret.caFile | string | `"ca.crt"` |  |
+| nats.tls.certSecret.certFile | string | `"cert.crt"` |  |
+| nats.tls.certSecret.enabled | bool | `false` |  |
+| nats.tls.certSecret.keyFile | string | `"cert.key"` |  |
+| nats.tls.certSecret.name | string | `"nats-client-cert"` |  |
+| nats.tls.enabled | bool | `false` |  |
+| nats.tls.mountCACertificate | bool | `false` |  |
+| nats.tls.skipVerify | bool | `false` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
@@ -126,6 +183,7 @@ A Helm chart for Testkube api
 | readinessProbe.initialDelaySeconds | int | `45` |  |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
+| scraperContainerResources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.annotations | object | `{}` |  |
 | service.labels | object | `{}` |  |
@@ -141,33 +199,56 @@ A Helm chart for Testkube api
 | storage.accessKey | string | `""` |  |
 | storage.accessKeyId | string | `""` |  |
 | storage.bucket | string | `"testkube-artifacts"` |  |
+| storage.certSecret.baseMountPath | string | `"/etc/client-certs/storage"` |  |
+| storage.certSecret.caFile | string | `"ca.crt"` |  |
+| storage.certSecret.certFile | string | `"cert.crt"` |  |
+| storage.certSecret.enabled | bool | `false` |  |
+| storage.certSecret.keyFile | string | `"cert.key"` |  |
+| storage.certSecret.name | string | `"nats-client-cert"` |  |
 | storage.compressArtifacts | bool | `true` |  |
 | storage.endpoint | string | `""` |  |
 | storage.endpoint_port | string | `"9000"` |  |
 | storage.expiration | int | `0` |  |
+| storage.mountCACertificate | bool | `false` |  |
 | storage.region | string | `""` |  |
 | storage.scrapperEnabled | bool | `true` |  |
 | storage.secretKeyAccessKeyId | string | `""` |  |
 | storage.secretKeySecretAccessKey | string | `""` |  |
 | storage.secretNameAccessKeyId | string | `""` |  |
 | storage.secretNameSecretAccessKey | string | `""` |  |
+| storage.skipVerify | bool | `false` |  |
 | storage.token | string | `""` |  |
+| storageRequest | string | `"1Gi"` |  |
 | templates.job | string | `""` |  |
 | templates.jobContainer | string | `""` |  |
 | templates.pvcContainer | string | `""` |  |
 | templates.scraperContainer | string | `""` |  |
 | templates.slavePod | string | `""` |  |
+| testConnection.affinity | object | `{}` |  |
 | testConnection.enabled | bool | `false` |  |
+| testConnection.nodeSelector | object | `{}` |  |
+| testConnection.tolerations | list | `[]` |  |
 | testServiceAccount.annotations | object | `{}` |  |
 | testServiceAccount.create | bool | `true` |  |
+| testkubeLogs.grpcAddress | string | `"testkube-logs:9090"` | GRPC address |
+| testkubeLogs.tls.certSecret.baseMountPath | string | `"/etc/client-certs/grpc"` | Base path to mount the client certificate secret |
+| testkubeLogs.tls.certSecret.caFile | string | `"ca.crt"` | Path to ca file (used for self-signed certificates) |
+| testkubeLogs.tls.certSecret.certFile | string | `"cert.crt"` | Path to client certificate file |
+| testkubeLogs.tls.certSecret.enabled | bool | `false` | Toggle whether to mount k8s secret which contains GRPC client certificate (cert.crt, cert.key, ca.crt) |
+| testkubeLogs.tls.certSecret.keyFile | string | `"cert.key"` | Path to client certificate key file |
+| testkubeLogs.tls.certSecret.name | string | `"grpc-client-cert"` | Name of the grpc client certificate secret |
+| testkubeLogs.tls.enabled | bool | `false` | Toggle whether to enable TLS in GRPC client |
+| testkubeLogs.tls.mountCACertificate | bool | `false` | If enabled, will also require a CA certificate to be provided |
+| testkubeLogs.tls.skipVerify | bool | `false` | Toggle whether to verify certificates |
 | tolerations | list | `[]` |  |
 | uiIngress.annotations | object | `{}` |  |
 | uiIngress.enabled | bool | `false` |  |
 | uiIngress.hosts | list | `[]` |  |
 | uiIngress.labels | object | `{}` |  |
 | uiIngress.path | string | `"/results/(v\\d/executions.*)"` |  |
+| uiIngress.pathType | string | `"Prefix"` |  |
 | uiIngress.tls | list | `[]` |  |
 | uiIngress.tlsenabled | bool | `false` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml
@@ -215,6 +215,8 @@ spec:
             {{- end }}
             - name: WHITELISTED_CONTAINERS
               value: "{{ .Values.global.features.whitelistedContainers }}"
+            - name: TESTKUBE_IMAGE_CREDENTIALS_CACHE_TTL
+              value: "{{ .Values.imageInspectionCache.ttl }}"
           image: {{ include "testkube-api.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:

diff --git a/charts/testkube-api/values.yaml b/charts/testkube-api/values.yaml
@@ -175,6 +175,8 @@ imageInspectionCache:
   enabled: true
   ## ConfigMap name to persist cache
   name: "testkube-image-cache"
+  ## TTL for image pull secrets cache (set to 0 to disable)
+  ttl: 30m
 
 ## Multinamespace feature. Disabled by default
 multinamespace:

diff --git a/charts/testkube/README.md b/charts/testkube/README.md
@@ -2,7 +2,7 @@
 
 Testkube is an open-source platform that simplifies the deployment and management of automated testing infrastructure.
 
-![Version: 2.0.13](https://img.shields.io/badge/Version-2.0.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 2.0.17](https://img.shields.io/badge/Version-2.0.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 ## Install
 
@@ -136,7 +136,7 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag
 | Repository | Name | Version |
 |------------|------|---------|
 | file://../global | global | 0.1.2 |
-| file://../testkube-api | testkube-api | 2.0.8 |
+| file://../testkube-api | testkube-api | 2.0.10 |
 | file://../testkube-logs | testkube-logs | 0.2.0 |
 | file://../testkube-operator | testkube-operator | 2.0.0 |
 | https://charts.bitnami.com/bitnami | mongodb | 13.10.1 |
@@ -256,8 +256,9 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag
 | testkube-api.image.pullSecrets | list | `[]` | Testkube API k8s secret for private registries |
 | testkube-api.image.registry | string | `"docker.io"` | Testkube API image registry |
 | testkube-api.image.repository | string | `"kubeshop/testkube-api-server"` | Testkube API image name |
-| testkube-api.imageInspectionCache.enabled | bool | `true` |  |
-| testkube-api.imageInspectionCache.name | string | `"testkube-image-cache"` |  |
+| testkube-api.imageInspectionCache.enabled | bool | `true` | Status of the persistent cache |
+| testkube-api.imageInspectionCache.name | string | `"testkube-image-cache"` | ConfigMap name to persist cache |
+| testkube-api.imageInspectionCache.ttl | string | `"30m"` | TTL for image pull secrets cache (set to 0 to disable) |
 | testkube-api.imageTwInit.digest | string | `""` | Test Workflows image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
 | testkube-api.imageTwInit.pullSecrets | list | `[]` | Test Workflows image k8s secret for private registries |
 | testkube-api.imageTwInit.registry | string | `"docker.io"` | Test Workflows image registry |
@@ -408,7 +409,7 @@ kubectl label --overwrite crds scripts.tests.testkube.io app.kubernetes.io/manag
 | testkube-logs.storage.secretKeySecretAccessKey | string | `""` | Key for storage secretAccessKeyId taken from k8s secret |
 | testkube-logs.storage.secretNameAccessKeyId | string | `""` | k8s Secret name for storage accessKeyId |
 | testkube-logs.storage.secretNameSecretAccessKey | string | `""` | K8s Secret Name for storage secretAccessKeyId |
-| testkube-logs.storage.skipVerify | bool | `true` | Toggle whether to verify TLS certificates |
+| testkube-logs.storage.skipVerify | bool | `false` | Toggle whether to verify TLS certificates |
 | testkube-logs.storage.token | string | `""` | MinIO Token |
 | testkube-logs.testConnection | object | `{"enabled":false}` | Test Connection pod |
 | testkube-logs.tls.certSecret.baseMountPath | string | `"/etc/server-certs/grpc"` | Base path to mount the server certificate secret |

diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
@@ -522,10 +522,12 @@ testkube-api:
 
   ## Persistent cache for Docker
   imageInspectionCache:
-    ## Status of the persistent cache
+    # -- Status of the persistent cache
     enabled: true
-    ## ConfigMap name to persist cache
+    # -- ConfigMap name to persist cache
     name: "testkube-image-cache"
+    # -- TTL for image pull secrets cache (set to 0 to disable)
+    ttl: 30m
 
   # ref: https://cloud.google.com/kubernetes-engine/docs/how-to/prepare-arm-workloads-for-deployment#node-affinity-multi-arch-arm
   # -- Tolerations to schedule a workload to nodes with any architecture type. Required for deployment to GKE cluster.