feat: add AGENT_INJECT_VAULT_AUTH_PATH option to the injector (#185)
* Add related unit tests
parent
8a6419e623
commit
1ccc64788a
3 changed files with 45 additions and 7 deletions
|
@ -45,6 +45,8 @@ spec:
|
|||
{{- else }}
|
||||
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
|
||||
{{- end }}
|
||||
- name: AGENT_INJECT_VAULT_AUTH_PATH
|
||||
value: {{ .Values.injector.authPath }}
|
||||
- name: AGENT_INJECT_VAULT_IMAGE
|
||||
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
|
||||
{{- if .Values.injector.certs.secretName }}
|
||||
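Review bot: The new `AGENT_INJECT_VAULT_AUTH_PATH` value is rendered unquoted (`value: {{ .Values.injector.authPath }}`), unlike the `AGENT_INJECT_VAULT_IMAGE` entry directly below it. If `injector.authPath` is overridden with an empty string, or with something YAML reads as a number or boolean, the rendered env value is no longer a string. The Deployment would then likely be rejected or the variable left unset, so the agents would not be pointed at the intended auth mount. Quoting in the template avoids this: `value: {{ .Values.injector.authPath | quote }}`. The container spec continues outside this hunk.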
|
|
|
@ -117,19 +117,19 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[4].name' | tee /dev/stderr)
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[4].value' | tee /dev/stderr)
|
||||
yq -r '.[5].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "/etc/webhook/certs/test.crt" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].value' | tee /dev/stderr)
|
||||
yq -r '.[6].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "/etc/webhook/certs/test.key" ]
|
||||
}
|
||||
|
||||
|
@ -147,11 +147,11 @@ load _helpers
|
|||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[4].name' | tee /dev/stderr)
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_TLS_AUTO" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[5].name' | tee /dev/stderr)
|
||||
yq -r '.[6].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
|
||||
}
|
||||
|
||||
|
@ -189,3 +189,36 @@ load _helpers
|
|||
yq -r '.[2].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
|
||||
}
|
||||
|
||||
@test "injector/deployment: default authPath" {
|
||||
cd `chart_dir`
|
||||
local object=$(helm template \
|
||||
--show-only templates/injector-deployment.yaml \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[3].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[3].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "auth/kubernetes" ]
|
||||
}
|
||||
|
||||
@test "injector/deployment: custom authPath" {
|
||||
cd `chart_dir`
|
||||
local object=$(helm template \
|
||||
--show-only templates/injector-deployment.yaml \
|
||||
--set 'injector.authPath=auth/k8s' \
|
||||
. | tee /dev/stderr |
|
||||
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[3].name' | tee /dev/stderr)
|
||||
[ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
|
||||
|
||||
local actual=$(echo $object |
|
||||
yq -r '.[3].value' | tee /dev/stderr)
|
||||
[ "${actual}" = "auth/k8s" ]
|
||||
}
|
||||
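Review bot: The two new authPath tests pick the env entry by position (`yq -r '.[3].name'`), as the renumbered TLS tests above them do. Every variable added to the injector container therefore forces index edits like the apparent `.[4]` to `.[5]` changes in this file, and a reordering can make a test check the wrong entry. Selecting by name keeps the assertion tied to the variable: `yq -r '.[] | select(.name == "AGENT_INJECT_VAULT_AUTH_PATH") | .value'`. A case with `--set 'injector.authPath='` would also be worth adding, to pin what the chart renders when the value is empty.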
|
|
|
@ -32,6 +32,9 @@ injector:
|
|||
repository: "vault"
|
||||
tag: "1.3.2"
|
||||
|
||||
# Mount Path of the Vault Kubernetes Auth Method.
|
||||
authPath: "auth/kubernetes"
|
||||
|
||||
# namespaceSelector is the selector for restricting the webhook to only
|
||||
# specific namespaces. This should be set to a multiline string.
|
||||
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
|
||||
|
@ -124,7 +127,7 @@ server:
|
|||
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
|
||||
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
|
||||
shareProcessNamespace: false
|
||||
|
||||
|
||||
# extraArgs is a string containing additional Vault server arguments.
|
||||
extraArgs: ""
|
||||
|
||||
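Review bot: The comment on `authPath` does not say what form the value takes or what it has to agree with. Suggest `# authPath is the mount path of the Vault Kubernetes auth method used by injected agents, including the "auth/" prefix.` followed by `# It must match the path at which the method is enabled in Vault.` The second hunk in this file appears to be a whitespace-only change and needs no comment.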
|
|