Testing with YAML

8238c3c0be55b887aa9d6d59bfefa504?s=47 BABAROT
February 25, 2019

Testing with YAML

YAML のテストについて Policy as Code の考え方を取り入れて Sentinel のようにテストするツールを作った

8238c3c0be55b887aa9d6d59bfefa504?s=128

BABAROT

February 25, 2019
Tweet

Transcript

  1. 1.

    YAMLΛςετ͢Δ @b4b4r07 (Feb 25, 2019) / mercari.go #6 %YAML 1.2

    --- YAML: YAML Ain't Markup Language What It Is: YAML is a human friendly data serialization standard for all programming languages. YAML Resources: YAML 1.2 (3rd Edition): http://yaml.org/spec/1.2/spec.html YAML 1.1 (2nd Edition): http://yaml.org/spec/1.1/ YAML 1.0 (1st Edition): http://yaml.org/spec/1.0/ YAML Issues Page: https://github.com/yaml/yaml/issues ...
  2. 5.

    IaC ͷਁಁ •Terraform ΍ Kubernetes ͷීٴͰঢ়ଶɾఆٛΛίʔυʹ͢Δ͜ͱ͕
 ଟ͘ͳͬͨ •ΠϯϑϥྖҬҎ֎ʹ͓͍ͯ΋ɺιϑτ΢ΣΞͷঢ়ଶ΍ͦͷઃఆΛ
 JSON ΍

    YAML ͱ͍ͬͨݴޠͰ࣋ͭ͜ͱ͕ଟ͘ͳͬͨ https://trends.google.co.jp/trends/explore?date=today%205-y&q=infrastructure%20as%20code
  3. 6.

    • Πϯϑϥͷঢ়ଶΛઃఆϑΝΠϧͰॻ͘ • ιϑτ΢ΣΞ։ൃͷख๏ΛԠ༻Ͱ͖Δ • ϨϏϡʔ • ςετ • etc

    apiVersion: v1 kind: Pod metadata: name: nginx-pod spec: containers: - name: nginx-container image: nginx ports: - containerPort: 80 IaC ͱ͸ Kubernetes Pod ͷ YAML
  4. 7.

    • Πϯϑϥͷঢ়ଶΛઃఆϑΝΠϧͰॻ͘ • ιϑτ΢ΣΞ։ൃͷख๏ΛԠ༻Ͱ͖Δ • ϨϏϡʔ • ςετ • etc

    apiVersion: v1 kind: Pod metadata: name: nginx-pod spec: containers: - name: nginx-container image: nginx ports: - containerPort: 80 Kubernetes Pod ͷ YAML IaC ͱ͸
  5. 9.
  6. 10.

    Policy as Code •HashiCorp ͕ఏএͨ͠ߟ͑ํ •ઃఆϑΝΠϧʹ͓͚Δ “͜͏͋Δ΂͖” ΛϙϦγʔͱͯ͠ه͢ •੍໿߲໨ (deploy

    region, etc) •ϨϏϡʔ߲໨ (like style guide) Why Policy as Code? - HashiCorp Blog Code Policy Infrastructure IaC Policy as Code
  7. 11.

    Policy as Code Policy as Code - Sentinel by HashiCorp

    •HashiCorp Sentinel ʂ •HashiCorp ੡඼Ͱ࢖͏͜ͱ͕Ͱ͖Δ
 πʔϧ / ࿈ܞ͕Ͱ͖Δ •ྫ͑͹ Terraform ͷઃఆɺ •Ͳ͜ͷ Region ʹσϓϩΠ͢Δ͔ •Instance ͸࠷௿Կ୆֬อ͞ΕΔ͔ •ͳͲΛϙϦγʔͱͯ͠ίʔυԽͰ͖Δ •ͦΕΛνΣοΫͰ͖Δ
  8. 12.

    Policy as Code Policy as Code - Sentinel by HashiCorp

    •HashiCorp Sentinel ʂ •HashiCorp ੡඼Ͱ࢖͏͜ͱ͕Ͱ͖Δ
 πʔϧ / ࿈ܞ͕Ͱ͖Δ •ྫ͑͹ Terraform ͷઃఆɺ •Ͳ͜ͷ Region ʹσϓϩΠ͢Δ͔ •Instance ͸࠷௿Կ୆֬อ͞ΕΔ͔ •ͳͲΛϙϦγʔͱͯ͠ίʔυԽͰ͖Δ •ͦΕΛνΣοΫͰ͖Δ Kubernetes YAML Ͱ΋΍Γ͍ͨ
  9. 13.
  10. 14.
  11. 15.

    • ઃఆϑΝΠϧͷϙϦγʔΛίʔυԽͰ͖Δ • JSON, YAML, HCL • Policy as Code

    Λ࣮ફ͢Δ Linter • Terraform ͷΑ͏ʹ HCL Ͱϧʔϧ࡞੒Ͱ͖Δ • ๛෋ͳ Interpolations • υΩϡϝϯτ Stein Stein Documentations
  12. 16.

    apiVersion: v1 kind: Pod metadata: name: nginx-pod namespace: x-echo-jp-dev spec:

    containers: - name: nginx-container image: nginx ports: - containerPort: 80
  13. 17.

    apiVersion: v1 kind: Pod metadata: name: nginx-pod namespace: x-echo-jp-dev spec:

    containers: - name: nginx-container image: nginx ports: - containerPort: 80 লུͰ͖Δ ͚Ͳͤͨ͘͞ͳ͍ ྫ͑͹
  14. 18.

    rule "namespace_specification" { description = "Check namespace name is not

    empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } }
  15. 19.

    rule "namespace_specification" { description = "Check namespace name is not

    empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } } ϧʔϧͷఆٛ
  16. 20.

    rule "namespace_specification" { description = "Check namespace name is not

    empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } } ϧʔϧ͕੒ޭ͢Δ͔ࣦഊ͢Δ͔ͷ৚݅
  17. 21.

    rule "namespace_specification" { description = "Check namespace name is not

    empty” conditions = [ "${jsonpath("metadata.namespace") != ""}", ] report { level = "ERROR" message = "Namespace is not specified" } } ϧʔϧ͕ࣦഊͨ͠Β͜ͷϑΥʔϚοτʹैͬͯ Τϥʔ͕Ϩϙʔτ͞ΕΔ (ऴྃίʔυ1)
  18. 22.

    $ stein apply x-echo-jp/development/Pod/test.yaml [ERROR] rule.namespace_specification Namespace is not specified

    ===================== 7 error(s), 2 warn(s) •Stein Λ࢖͏͜ͱͰɺSentinel ͷΑ͏ʹ Policy as Code Λ࣮ફͰ͖Δ •Sentinel ͸ HashiCorp ੡඼ʹɺStein ͸೚ҙͷઃఆϑΝΠϧʹ •੍໿߲໨ͷݕূ΍ϨϏϡʔ؍఺ͷࢦఠΛػցతʹͰ͖Δ •ʮ஫ҙਂ͘ݟͳ͚Ε͹͍͚ͳ͍ʯʮຖճࢦఠ͢ΔʯͳͲ͸
 ػցతʹνΣοΫͯ͠ϙϦγʔΛϧʔϧԽ͢Δ΂͖
  19. 25.