Testing with YAML

BABAROT
February 25, 2019


On testing YAML: I built a tool that borrows the Policy as Code idea and tests YAML the way Sentinel does.


Transcript

  1. Testing YAML  @b4b4r07 (Feb 25, 2019) / mercari.go #6

     (slide background, the YAML 1.2 spec header:) %YAML 1.2 --- YAML: YAML Ain't Markup Language What It Is: YAML is a human friendly data serialization standard for all programming languages. YAML Resources: YAML 1.2 (3rd Edition): http://yaml.org/spec/1.2/spec.html YAML 1.1 (2nd Edition): http://yaml.org/spec/1.1/ YAML 1.0 (1st Edition): http://yaml.org/spec/1.0/ YAML Issues Page: https://github.com/yaml/yaml/issues ...
  2. BABAROT / @b4b4r07  Mercari, Inc.  SRE, Microservices Platform  Blog / tellme.tokyo
  3. Question: Do you write Kubernetes YAML or Terraform?

  4. The spread of Infrastructure as Code (hereafter "IaC")

  5. The spread of IaC
     • With the rise of Terraform and Kubernetes, expressing state and definitions as code has become common
     • Outside the infrastructure domain as well, the state and configuration of software is increasingly kept in languages such as JSON and YAML
     Google Trends: https://trends.google.co.jp/trends/explore?date=today%205-y&q=infrastructure%20as%20code
  6. What IaC is
     • Write the state of your infrastructure in configuration files
     • Software development practices can then be applied: review, testing, etc.
     A Kubernetes Pod YAML:

     apiVersion: v1
     kind: Pod
     metadata:
       name: nginx-pod
     spec:
       containers:
       - name: nginx-container
         image: nginx
         ports:
         - containerPort: 80
  7. (same slide as 6)
  8. Testing YAML

  9. (image-only slide)
  10. Policy as Code
     • An approach proposed by HashiCorp
     • Writes down "what a configuration file should look like" as policy
     • Constraint items (deploy region, etc.)
     • Review items (like a style guide)
     Why Policy as Code? - HashiCorp Blog
     (diagram: Code / Policy / Infrastructure / IaC / Policy as Code)
  11. Policy as Code: Sentinel by HashiCorp
     • HashiCorp Sentinel!
     • A tool that can be used with, and integrates with, HashiCorp products
     • For example, for a Terraform configuration:
       • which Region it deploys to
       • the minimum number of Instances that must be provisioned
     • such requirements can be written as policy code
     • and then checked
  12. (same slide as 11, plus:) Want to do this for Kubernetes YAML too
  13. (image-only slide)
  14. Stein

  15. Stein
     • Turns policies for configuration files into code
     • JSON, YAML, HCL
     • A linter for practicing Policy as Code
     • Rules are written in HCL, as in Terraform
     • Rich set of interpolations
     • Documentation
     Links: Stein, Stein Documentations
  16. The same Pod, with a namespace:

     apiVersion: v1
     kind: Pod
     metadata:
       name: nginx-pod
       namespace: x-echo-jp-dev
     spec:
       containers:
       - name: nginx-container
         image: nginx
         ports:
         - containerPort: 80
  17. (same slide as 16, with a caption on the namespace line:) It can be omitted, but we don't want to allow that. For example:
  18. A Stein rule:

     rule "namespace_specification" {
       description = "Check namespace name is not empty"
       conditions = [
         "${jsonpath("metadata.namespace") != ""}",
       ]
       report {
         level   = "ERROR"
         message = "Namespace is not specified"
       }
     }
  19. (same rule; caption on the rule block:) The rule definition
  20. (same rule; caption on conditions:) The condition that decides whether the rule passes or fails
  21. (same rule; caption on report:) When the rule fails, an error is reported in this format (exit code 1)
  22. Running it:

     $ stein apply x-echo-jp/development/Pod/test.yaml
     [ERROR] rule.namespace_specification Namespace is not specified
     =====================
     7 error(s), 2 warn(s)

     • With Stein you can practice Policy as Code the way Sentinel does
     • Sentinel targets HashiCorp products; Stein targets any configuration file
     • Constraint checks and review-point feedback can be done mechanically
     • Anything that "has to be looked at carefully" or "gets pointed out every time" should be checked mechanically, turning the policy into a rule
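     The rule on slides 18 through 22, as an added worked example (this is not Stein's code or the talk's own): a minimal Policy-as-Code evaluator in Python that applies a rule made of conditions and a report block to the Pod documents from slides 16 and 17, counts errors and warnings, and derives the exit code. The documents are constructed inline as already-parsed dicts (what yaml.safe_load from PyYAML would return for those manifests) so the block runs with the standard library only; `jsonpath`, `Rule`, `apply_rules`, `format_report` and the second rule `image_tag_pinned` are hypothetical names for this example, not Stein's API.

```python
from dataclasses import dataclass
from typing import Any

# Constructed sample documents: the Pod manifest from the slides, once with the
# namespace set (slide 16) and once with it omitted. In practice these would come
# from yaml.safe_load() on the manifest files; they are embedded so the example
# runs offline with the standard library only.
POD_WITH_NAMESPACE = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx-pod", "namespace": "x-echo-jp-dev"},
    "spec": {"containers": [
        {"name": "nginx-container", "image": "nginx", "ports": [{"containerPort": 80}]},
    ]},
}
POD_WITHOUT_NAMESPACE = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx-pod"},
    "spec": {"containers": [
        {"name": "nginx-container", "image": "nginx", "ports": [{"containerPort": 80}]},
    ]},
}


def jsonpath(doc: Any, path: str, default: Any = "") -> Any:
    """Hypothetical stand-in for Stein's jsonpath() interpolation: resolve a dotted
    path such as "metadata.namespace" (list indices are numeric segments).
    A missing key yields `default` ("" unless overridden), which is what makes the
    slide's condition `jsonpath("metadata.namespace") != ""` fail when the
    namespace is simply omitted rather than set to an empty string."""
    current = doc
    for part in path.split("."):
        if isinstance(current, dict) and part in current:
            current = current[part]
        elif isinstance(current, list) and part.isdigit() and int(part) < len(current):
            current = current[int(part)]
        else:
            return default
    return current


@dataclass
class Rule:
    """One rule block: every condition must hold, otherwise the report is emitted."""
    name: str
    description: str
    conditions: list  # callables taking the whole document and returning bool
    level: str        # "ERROR" or "WARN", as in the report block
    message: str

    def passes(self, doc: dict) -> bool:
        return all(cond(doc) for cond in self.conditions)


# The rule from slide 18, expressed with the hypothetical helpers above.
NAMESPACE_RULE = Rule(
    name="namespace_specification",
    description="Check namespace name is not empty",
    conditions=[lambda doc: jsonpath(doc, "metadata.namespace") != ""],
    level="ERROR",
    message="Namespace is not specified",
)

# A second, constructed rule at WARN level (a "review item" in the talk's terms):
# every container image should be pinned to a tag or a digest.
IMAGE_TAG_RULE = Rule(
    name="image_tag_pinned",
    description="Check every container image is pinned to a tag or digest",
    conditions=[lambda doc: all(":" in c.get("image", "") or "@" in c.get("image", "")
                                for c in jsonpath(doc, "spec.containers", []))],
    level="WARN",
    message="Container image has no tag or digest",
)

RULES = [NAMESPACE_RULE, IMAGE_TAG_RULE]


def apply_rules(doc: dict, rules: list) -> tuple:
    """Evaluate every rule against one document.

    Returns (findings, errors, warns, exit_code). Findings are
    (level, rule name, message) tuples for each failed rule; the exit code is 1
    when at least one ERROR-level rule failed, mirroring the `stein apply` run on
    slide 22, and 0 otherwise (warnings alone do not fail the run)."""
    findings = [(r.level, r.name, r.message) for r in rules if not r.passes(doc)]
    errors = sum(1 for level, _, _ in findings if level == "ERROR")
    warns = sum(1 for level, _, _ in findings if level == "WARN")
    return findings, errors, warns, (1 if errors else 0)


def format_report(findings: list, errors: int, warns: int) -> str:
    """Render findings in the layout shown on slide 22."""
    lines = [f"[{level}] rule.{name} {message}" for level, name, message in findings]
    lines.append("=====================")
    lines.append(f"{errors} error(s), {warns} warn(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, doc in (("with namespace", POD_WITH_NAMESPACE),
                       ("without namespace", POD_WITHOUT_NAMESPACE)):
        findings, errors, warns, code = apply_rules(doc, RULES)
        print(f"--- {label} (exit code {code})")
        print(format_report(findings, errors, warns))
```

     Running the block reports one ERROR and one WARN for the manifest without a namespace (exit code 1) and only the WARN for the manifest with one (exit code 0), which is the behaviour the slides describe: constraint items fail the run, review items are surfaced without failing it.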
  23. Why it was built in Go

  24. Written up on the blog:
     • Defining a custom DSL with hashicorp/hcl2 | tellme.tokyo
     • Testing YAML such as Kubernetes manifests against your own rules | tellme.tokyo
  25. Thank you