feat: add AGENT_INJECT_VAULT_AUTH_PATH option to the injector (#185)

* Add related unit tests
Bruno FERNANDO 2020-03-03 19:32:50 +01:00 committed by GitHub
parent 8a6419e623
commit 1ccc64788a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 45 additions and 7 deletions


@ -45,6 +45,8 @@ spec:
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
- name: AGENT_INJECT_VAULT_IMAGE
value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
{{- if .Values.injector.certs.secretName }}
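Review bot: The new `value: {{ .Values.injector.authPath }}` line is rendered unquoted, unlike the `AGENT_INJECT_VAULT_IMAGE` value directly below it. An override that is empty, or that looks like a number or boolean, would therefore render as null or a non-string scalar, which the API server may reject or treat as an empty variable. Because this setting selects the Vault auth mount that injected agents authenticate against, a malformed value should fail at render time rather than surface later as failed logins. I would write it as `value: {{ required "injector.authPath must be set" .Values.injector.authPath | quote }}`, or just `| quote` if an empty path is meant to be allowed. The env list this entry belongs to starts outside the hunk.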


@ -117,19 +117,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[4].name' | tee /dev/stderr)
yq -r '.[5].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ]
local actual=$(echo $object |
yq -r '.[4].value' | tee /dev/stderr)
yq -r '.[5].value' | tee /dev/stderr)
[ "${actual}" = "/etc/webhook/certs/test.crt" ]
local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr)
yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ]
local actual=$(echo $object |
yq -r '.[5].value' | tee /dev/stderr)
yq -r '.[6].value' | tee /dev/stderr)
[ "${actual}" = "/etc/webhook/certs/test.key" ]
}
@ -147,11 +147,11 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[4].name' | tee /dev/stderr)
yq -r '.[5].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_TLS_AUTO" ]
local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr)
yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
}
@ -189,3 +189,36 @@ load _helpers
yq -r '.[2].value' | tee /dev/stderr)
[ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
}
@test "injector/deployment: default authPath" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[3].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
local actual=$(echo $object |
yq -r '.[3].value' | tee /dev/stderr)
[ "${actual}" = "auth/kubernetes" ]
}
@test "injector/deployment: custom authPath" {
cd `chart_dir`
local object=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.authPath=auth/k8s' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
local actual=$(echo $object |
yq -r '.[3].name' | tee /dev/stderr)
[ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
local actual=$(echo $object |
yq -r '.[3].value' | tee /dev/stderr)
[ "${actual}" = "auth/k8s" ]
}
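Review bot: The two new tests find the variable by position (`.[3].name`, `.[3].value`), the same pattern that appears to have forced this commit to renumber `.[4]`/`.[5]` to `.[5]`/`.[6]` in the TLS cases above. A positional lookup can also pass or fail for the wrong reason when another entry is inserted earlier in the env list. Selecting by name ties the assertion to the setting under test: `yq -r '.[] | select(.name == "AGENT_INJECT_VAULT_AUTH_PATH") | .value'`. Quoting the expansion as `echo "$object"` would also keep the shell from word-splitting the JSON before it reaches yq.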


@ -32,6 +32,9 @@ injector:
repository: "vault"
tag: "1.3.2"
# Mount Path of the Vault Kubernetes Auth Method.
authPath: "auth/kubernetes"
# namespaceSelector is the selector for restricting the webhook to only
# specific namespaces. This should be set to a multiline string.
# See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@ -124,7 +127,7 @@ server:
# shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
# This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
shareProcessNamespace: false
# extraArgs is a string containing additional Vault server arguments.
extraArgs: ""
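Review bot: The comment added above `authPath` does not say what form the value takes, and it does not follow the "key is …" wording that the neighbouring `namespaceSelector` and `extraArgs` comments use. An operator who enabled the Kubernetes auth method at a non-default mount needs to know whether the `auth/` prefix is part of the value. The two tests in this commit (`auth/kubernetes`, `auth/k8s`) suggest it is. I would word it as `# authPath is the mount path of the Vault Kubernetes auth method, including the "auth/" prefix.` and add a second line noting that it must match the mount enabled on the Vault server the injector points at.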