Helm Chart Unit: helps to unit test rendering of your templates using policies
https://github.com/xchapter7x/hcunit/releases/latest
- Uses OPA and Rego to evaluate the rendered YAML and check that it meets your expectations.
- By convention, hcunit will run any rules in your given Rego file, or recursively in a given directory, as long as the rule takes the form `expect ["..."] { ... }`. It is a good idea to define the hash value within the rule so that it prints during a `--verbose` call.
- Your policy rules will have access to an `input` object. This object is a hashmap of your rendered templates, with the hash being the filename and the value being an object representation of the rendered YAML. It also contains a hash for the NOTES file, whose value is a string.
- Uses Helm's packages to render the templates, so it should yield output identical to the `helm template` command.
```
-> % hcunit --help
Usage:
  hcunit [OPTIONS] <eval | render | version>

Help Options:
  -h, --help  Show this help message

Available commands:
  eval     evaluate a policy on a chart + values
  render   Render a template yaml
  version  display version info
```

```
000@000-000 [00:00:00] [helm-charts/concourse] [master *]
-> % cat policy/testing.rego
package main

expect [msg] {
  msg = "noop pass rule"
  true
}

expect [msg] {
  msg = "we should have values and secrets"
  input["values.yaml"]
  n = input["web-secrets.yaml"].metadata.name
  n == "hcunit-name-web"
}

000@000-000 [00:00:00] [helm-charts/concourse] [master *]
-> % hcunit eval -t templates/ -c values.yaml -p policy/testing.rego
[PASS] Your policy rules have been run successfully!
```

```
000@000-000 [00:00:00] [helm-charts/concourse] [master *]
-> % cat policy/testing_fail.rego
package main

expect [msg] {
  msg = "noop pass rule"
  true
}

expect [msg] {
  msg = "we should have values and secrets"
  input["values.yaml"]
  n = input["web-secrets.yaml"].metadata.name
  n == "WRONGNAME"
}

000@000-000 [00:00:00] [helm-charts/concourse] [master *]
-> % hcunit eval -t templates/ -c values.yaml -p policy/testing_fail.rego
[FAIL] Your policy rules are violated in your rendered output!
your policy failed
```
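The same `expect` convention can assert security properties of the rendered workloads. The policy below is an added example, not part of the hcunit project: the file name `policy/security.rego` is hypothetical, and it assumes each template file renders a single manifest whose pod spec sits at `spec.template.spec`, as in a Deployment or StatefulSet.

```rego
# policy/security.rego (hypothetical file name, added example)
package main

# As in the runs above, a rule passes only when its whole body holds, so each
# check is written as "the set of offenders is empty".
# Entries without a pod template, such as values.yaml or the NOTES string,
# never match the path below and are skipped.

expect [msg] {
  msg = "no rendered workload runs a privileged container"
  offenders = {id |
    c = input[file].spec.template.spec.containers[_]
    c.securityContext.privileged == true
    id = sprintf("%s/%s", [file, c.name])
  }
  count(offenders) == 0
}

expect [msg] {
  msg = "no rendered workload uses a :latest image tag"
  offenders = {id |
    c = input[file].spec.template.spec.containers[_]
    endswith(c.image, ":latest")
    id = sprintf("%s/%s", [file, c.name])
  }
  count(offenders) == 0
}

expect [msg] {
  msg = "every container disables privilege escalation"
  offenders = {id |
    c = input[file].spec.template.spec.containers[_]
    # `not` also matches when the field is missing, so omission counts as a failure
    not c.securityContext.allowPrivilegeEscalation == false
    id = sprintf("%s/%s", [file, c.name])
  }
  count(offenders) == 0
}
```

Run it the same way as the policies above, passing the file or its directory to `-p`.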