
Testing with YAML

BABAROT
February 25, 2019


On testing YAML: I built a tool that adopts the Policy as Code way of thinking and tests YAML the way Sentinel does.


Transcript

  1. Testing YAML
    @b4b4r07 (Feb 25, 2019) / mercari.go #6
    %YAML 1.2
    ---
    YAML: YAML Ain't Markup Language
    What It Is: YAML is a human friendly data serialization
      standard for all programming languages.
    YAML Resources:
      YAML 1.2 (3rd Edition): http://yaml.org/spec/1.2/spec.html
      YAML 1.1 (2nd Edition): http://yaml.org/spec/1.1/
      YAML 1.0 (1st Edition): http://yaml.org/spec/1.0/
      YAML Issues Page: https://github.com/yaml/yaml/issues
    ...

  2. BABAROT / @b4b4r07
    Mercari, Inc.

    SRE, Microservices Platform
    Blog / tellme.tokyo

  3. Question:
    Do you write Kubernetes YAML or Terraform?

  4. The spread of Infrastructure as Code
    (hereafter written as "IaC")

  5. The spread of IaC
    • With the spread of Terraform and Kubernetes, expressing state and definitions as code has become common
    • Even outside the infrastructure domain, it has become common to keep software state and its configuration in languages such as JSON and YAML
    https://trends.google.co.jp/trends/explore?date=today%205-y&q=infrastructure%20as%20code

  6. What is IaC
    • Write the state of the infrastructure in configuration files
    • Software development practices can be applied
      • Review
      • Tests
      • etc.
    YAML for a Kubernetes Pod:
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-pod
    spec:
      containers:
      - name: nginx-container
        image: nginx
        ports:
        - containerPort: 80


  8. Testing YAML

  10. Policy as Code
    • A way of thinking proposed by HashiCorp
    • Write down how a configuration file "should be" as a policy
    • Constraints (deploy region, etc.)
    • Review items (like a style guide)
    Why Policy as Code? - HashiCorp Blog
    (diagram: Infrastructure + Code = IaC; Policy + Code = Policy as Code)

  11. Policy as Code
    Policy as Code - Sentinel by HashiCorp
    • HashiCorp Sentinel!
    • A tool that can be used with, and integrates with, HashiCorp products
    • For example, in a Terraform configuration:
      • which region to deploy to
      • how many instances are guaranteed at minimum
    • such things can be codified as policy
    • and then checked

  12. Policy as Code (the previous slide repeated, with one addition)
    I want to do this for Kubernetes YAML too

  14. Stein

  15. Stein
    • Policies for configuration files can be codified
    • JSON, YAML, HCL
    • A linter that puts Policy as Code into practice
    • Rules can be written in HCL, as in Terraform
    • Rich interpolation functions
    • Documentation
    Stein Documentation

  16. apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-pod
      namespace: x-echo-jp-dev
    spec:
      containers:
      - name: nginx-container
        image: nginx
        ports:
        - containerPort: 80

  17. (the same Pod manifest as the previous slide)
    For example: the namespace can be omitted, but we don't want to allow that

  18. rule "namespace_specification" {
      description = "Check namespace name is not empty"
      conditions = [
        "${jsonpath("metadata.namespace") != ""}",
      ]
      report {
        level   = "ERROR"
        message = "Namespace is not specified"
      }
    }

  19. (the same rule as the previous slide) Caption: the rule definition
  20. (the same rule) Caption: the conditions that decide whether the rule passes or fails
  21. (the same rule) Caption: if the rule fails, an error is reported in this format (exit code 1)

  22. $ stein apply
    x-echo-jp/development/Pod/test.yaml
      [ERROR] rule.namespace_specification Namespace is not specified
    =====================
    7 error(s), 2 warn(s)
    • With Stein you can practice Policy as Code the way Sentinel does
    • Sentinel targets HashiCorp products; Stein targets any configuration file
    • Validating constraints and flagging review points can be done mechanically
    • Anything that "must be looked at carefully" or "gets pointed out in every review" should be checked mechanically by turning the policy into rules
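As an added example (not Stein's own code and not from the talk), the Python below sketches how such a rule runs: a dotted-path lookup standing in for the jsonpath() interpolation, a pass/fail condition per rule, an ERROR/WARN report in the same line format as the stein apply output, and exit code 1 when any ERROR fires (assumed to match the slide; warnings are assumed not to affect it). It also adds a second, assumed WARN-level rule, image_tag_pinned, to show a review-style policy beside the constraint-style one; the manifest is embedded as constructed JSON, which Stein also accepts.

```python
import json
from typing import Any, Callable, List, NamedTuple, Tuple

# Added illustration, not Stein's own code: a minimal policy engine in the spirit
# of the "namespace_specification" rule above. Manifests are loaded from JSON here
# (Stein accepts JSON as well as YAML); the sample Pod document is constructed.

class Rule(NamedTuple):
    name: str
    description: str
    condition: Callable[[dict], bool]  # True means the rule passes
    level: str                         # "ERROR" or "WARN"
    message: str

def jsonpath(doc: Any, path: str) -> Any:
    """Dotted-path lookup, e.g. "spec.containers.0.image"; missing keys yield ""."""
    cur = doc
    for part in path.split("."):
        if isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return ""
    return "" if cur is None else cur

def images_are_tagged(doc: dict) -> bool:
    containers = jsonpath(doc, "spec.containers") or []
    return all(":" in c.get("image", "") for c in containers)

RULES = [
    Rule("namespace_specification", "Check namespace name is not empty",
         lambda d: jsonpath(d, "metadata.namespace") != "",
         "ERROR", "Namespace is not specified"),
    # A review-style policy assumed for illustration (not from the slides).
    Rule("image_tag_pinned", "Check every container image carries a tag",
         images_are_tagged, "WARN", "Container image has no explicit tag"),
]

def apply(doc: dict, rules: List[Rule] = RULES) -> Tuple[List[str], int]:
    """Report failing rules Stein-style; exit code 1 if any ERROR (assumed)."""
    report = [f"[{r.level}] rule.{r.name} {r.message}"
              for r in rules if not r.condition(doc)]
    return report, (1 if any(l.startswith("[ERROR]") for l in report) else 0)

# Constructed sample: the slide's Pod manifest without metadata.namespace.
POD_NO_NS = json.loads('{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx-pod"},'
                       ' "spec": {"containers": [{"name": "nginx-container", "image": "nginx",'
                       ' "ports": [{"containerPort": 80}]}]}}')
```

Calling apply(POD_NO_NS) yields the ERROR line from the slide plus the assumed WARN, with exit code 1; adding metadata.namespace leaves only the warning and exit code 0.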

  23. Why I built it in Go

  24. I wrote about it on my blog
    • Defining a custom DSL with hashicorp/hcl2 | tellme.tokyo
    • Testing YAML such as Kubernetes manifests against your own rules | tellme.tokyo

  25. Thank you