[P1BIGROCKS-2041] Make all test resources from packages conditional on `bbtests.enabled`
| Team Lead | Members |
| --- | --- |
| Andrew Shoell | |
[P1BIGROCKS-2041](https://jira.il2.dso.mil/browse/P1BIGROCKS-2041)
Current situation:
Many of the packages have test resources in `chart/templates/tests` without conditions on their deployment. For example, [Velero](https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/templates/tests/network-policy.yaml) and [OPA Gatekeeper](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/chart/templates/tests/constraints.yaml). During a production deployment these resources get deployed.
Most of the time the resource deployment is benign and takes up minimal resources. However, adding broad service accounts or network policies for testing could inadvertently create vulnerabilities in the cluster.
Solution (for each package):
One of the following conditions should be true on the test resource:
1. The test resource inherits from the gluon library, which uses `bbtests.enabled`
1. The test resource has the `helm-test: enabled` label
1. The test resource has a `bbtests.enabled` conditional
Anything missing these conditions would need to be fixed.
- [ ] Identify if there are resources deployed in `chart/templates/tests` without one of the above conditions. If none, you are done with the package
- [ ] Add a label or conditional on resources in `chart/templates/tests` to prevent them from being deployed in production
- [ ] If you use the conditional, make sure to add a check for the `bbtests.enabled` key before checking the value
- [ ] Add `bbtests.enabled: true` into `tests/test-values.yaml`
- [ ] Deploy package with the default `values.yaml` and verify test resources do not get deployed
- [ ] Verify CICD pipeline passes
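
One way to script the first checklist item is to scan the template sources for the three accepted conditions. This is an added example, not Big Bang or gluon tooling: the regex patterns, the verdict strings and the sample templates are constructed assumptions, and the match is textual, so it does not prove a conditional wraps the whole resource.

```python
import re
import tempfile
from pathlib import Path

# Textual markers for the three accepted conditions. These patterns are
# assumptions about how a chart spells them, not official Big Bang tooling.
GLUON = re.compile(r'\{\{-?\s*(?:include|template)\s+"gluon\.')
LABEL = re.compile(r'^\s*helm-test:\s*"?enabled"?\s*$', re.M)
COND = re.compile(r'\{\{-?\s*if\b([^}]*\bbbtests\b[^}]*)\}\}')
# hasKey, dig, or a bare `.Values.bbtests` operand counts as checking the
# key before `.enabled` is read (the third checklist item).
KEY_CHECK = re.compile(r'\bhasKey\b|\bdig\b|\.Values\.bbtests(?![.\w])')


def classify(text):
    """Name the condition protecting a test template, or report a finding."""
    if GLUON.search(text):
        return "gluon"
    if LABEL.search(text):
        return "helm-test label"
    cond = COND.search(text)
    if cond is None:
        return "UNGUARDED"
    return "bbtests conditional" if KEY_CHECK.search(cond.group(1)) else "NO KEY CHECK"


def audit(package_dir):
    """Classify every template under chart/templates/tests."""
    tests = Path(package_dir) / "chart" / "templates" / "tests"
    return {p.name: classify(p.read_text()) for p in sorted(tests.rglob("*.yaml"))}


# Constructed sample templates, one per outcome.
SAMPLES = {
    "gluon.yaml": '{{- include "gluon.tests.script-runner.base" . }}\n',
    "labeled.yaml": "kind: ServiceAccount\nmetadata:\n  labels:\n    helm-test: enabled\n",
    "guarded.yaml": "{{- if and .Values.bbtests .Values.bbtests.enabled }}\nkind: Role\n{{- end }}\n",
    "nokey.yaml": "{{- if .Values.bbtests.enabled }}\nkind: Role\n{{- end }}\n",
    "open.yaml": "kind: NetworkPolicy\nspec:\n  podSelector: {}\n",
}


def demo():
    """Write the samples into a temporary package tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        tests = Path(tmp) / "chart" / "templates" / "tests"
        tests.mkdir(parents=True)
        for name, body in SAMPLES.items():
            (tests / name).write_text(body)
        return audit(tmp)
```

Calling `audit(".")` from a package checkout lists each test template with its verdict; anything reported as `UNGUARDED` or `NO KEY CHECK` still needs the fix described in the checklist.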