Allows the release namespace to be overridden (#909)

KhizerJaan 2023-07-04 18:30:35 +05:00 committed by GitHub
parent e2711a2002
commit 9a16496e86
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
69 changed files with 627 additions and 41 deletions


@ -1,5 +1,11 @@
## Unreleased
Bugs:
* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
Improvements:
* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909)
## 0.25.0 (June 26, 2023)
Changes:


@ -36,6 +36,13 @@ Expand the name of the chart.
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Allow the release namespace to be overridden
*/}}
{{- define "vault.namespace" -}}
{{- default .Release.Namespace .Values.global.namespace -}}
{{- end -}}
{{/*
Compute if the csi driver is enabled.
*/}}
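Review bot: The comment on `vault.namespace` does not say what happens when the override differs from the release namespace. As written in this hunk, `default .Release.Namespace .Values.global.namespace` returns `global.namespace` whenever it is non-empty, so the object namespaces and RBAC subjects in the sections shown follow that value, while Helm itself only creates the release namespace (and only with `--create-namespace`). I would extend the comment to something like `Namespace for chart objects: .Values.global.namespace when set, otherwise .Release.Namespace. The override namespace must already exist and the installing identity needs rights in it.` The same caveat belongs next to `global.namespace` in values.yaml, which is not visible here.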


@ -9,7 +9,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-agent-config
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
@ -21,7 +21,7 @@ data:
{{- if .Values.global.externalVaultAddr }}
"address" = "{{ .Values.global.externalVaultAddr }}"
{{- else }}
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}"
"address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}"
{{- end }}
}
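Review bot: `namespace: {{ include "vault.namespace" . }}` renders a values-supplied string as a plain YAML scalar, so an override such as `--set global.namespace=123`, or a name like `on`, would likely be typed as a number or boolean by the YAML parser and the manifest rejected at apply time. Piping through quote keeps it a string: `namespace: {{ include "vault.namespace" . | quote }}`. The same unquoted form is used for `metadata.namespace` and `subjects[].namespace` in the other template sections of this commit; the in-URL uses (`.{{ include "vault.namespace" . }}.svc`) do not need it. The previous `.Release.Namespace` form had the same property, so this is a hardening suggestion rather than a regression.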


@ -20,5 +20,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{- end }}


@ -9,7 +9,7 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
@ -71,7 +71,7 @@ spec:
{{- else if .Values.global.externalVaultAddr }}
value: "{{ .Values.global.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
volumeMounts:
- name: providervol


@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}


@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
@ -20,5 +21,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{- end }}


@ -9,7 +9,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}


@ -10,7 +10,7 @@ apiVersion: v1
kind: Secret
metadata:
name: vault-injector-certs
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}


@ -20,5 +20,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{ end }}


@ -10,7 +10,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@ -64,7 +64,7 @@ spec:
{{- else if .Values.injector.externalVaultAddr }}
value: "{{ .Values.injector.externalVaultAddr }}"
{{- else }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- end }}
- name: AGENT_INJECT_VAULT_AUTH_PATH
value: {{ .Values.injector.authPath }}
@ -79,7 +79,7 @@ spec:
- name: AGENT_INJECT_TLS_AUTO
value: {{ template "vault.fullname" . }}-agent-injector-cfg
- name: AGENT_INJECT_TLS_AUTO_HOSTS
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc
value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc
{{- end }}
- name: AGENT_INJECT_LOG_FORMAT
value: {{ .Values.injector.logFormat | default "standard" }}


@ -8,7 +8,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector


@ -28,7 +28,7 @@ webhooks:
clientConfig:
service:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
path: "/mutate"
caBundle: {{ .Values.injector.certs.caBundle | quote }}
rules:


@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}


@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}


@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}


@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}
@ -22,6 +22,6 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{- end }}
{{- end }}


@ -9,7 +9,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-agent-injector-svc
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}


@ -9,7 +9,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.fullname" . }}-agent-injector
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
app.kubernetes.io/instance: {{ .Release.Name }}


@ -45,5 +45,5 @@ spec:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "vault.namespace" . }}
{{ end }}


@ -25,5 +25,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{ end }}


@ -12,7 +12,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "vault.fullname" . }}-config
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -10,7 +10,7 @@ SPDX-License-Identifier: MPL-2.0
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
name: {{ template "vault.fullname" . }}-discovery-role
labels:
helm.sh/chart: {{ include "vault.chart" . }}


@ -15,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-discovery-rolebinding
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}
@ -28,7 +28,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
{{ end }}
{{ end }}
{{ end }}


@ -13,7 +13,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -14,7 +14,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-active
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -14,7 +14,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-standby
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -12,7 +12,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -21,7 +21,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}


@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-psp
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}


@ -14,7 +14,7 @@ kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -12,7 +12,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -9,7 +9,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "vault.serviceAccount.name" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}


@ -12,7 +12,7 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "vault.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}


@ -10,7 +10,7 @@ apiVersion: v1
kind: Pod
metadata:
name: "{{ .Release.Name }}-server-test"
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
annotations:
"helm.sh/hook": test
spec:
@ -21,7 +21,7 @@ spec:
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
env:
- name: VAULT_ADDR
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }}
command:
- /bin/sh


@ -12,7 +12,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "vault.fullname" . }}-ui
namespace: {{ .Release.Namespace }}
namespace: {{ include "vault.namespace" . }}
labels:
helm.sh/chart: {{ include "vault.chart" . }}
app.kubernetes.io/name: {{ include "vault.name" . }}-ui


@ -21,6 +21,25 @@ load _helpers
[ "${actual}" = "release-name-vault-csi-provider-agent-config" ]
}
@test "csi/Agent-ConfigMap: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/csi-agent-configmap.yaml \
--set "csi.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" {
cd `chart_dir`
local actual=$(helm template \


@ -41,4 +41,24 @@ load _helpers
. | tee /dev/stderr |
yq -r '.subjects[0].name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider" ]
}
# ClusterRoleBinding service account namespace
@test "csi/ClusterRoleBinding: service account namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-clusterrolebinding.yaml \
--set "csi.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/csi-clusterrolebinding.yaml \
--set "csi.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -30,6 +30,26 @@ load _helpers
[ "${actual}" = "true" ]
}
# namespace
@test "csi/daemonset: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
# priorityClassName
@test "csi/daemonset: priorityClassName not set by default" {


@ -27,6 +27,25 @@ load _helpers
[ "${actual}" = "vault-csi-provider-hmac-key" ]
}
@test "csi/Role: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-role.yaml \
--set "csi.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/csi-role.yaml \
--set "csi.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/Role: HMAC secret name configurable" {
cd `chart_dir`
local actual=$(helm template \


@ -19,4 +19,23 @@ load _helpers
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-rolebinding" ]
}
@test "csi/RoleBinding: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-rolebinding.yaml \
--set "csi.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/csi-rolebinding.yaml \
--set "csi.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -32,6 +32,26 @@ load _helpers
[ "${actual}" = "release-name-vault-csi-provider" ]
}
# serviceAccountNamespace namespace
@test "csi/daemonset: serviceAccountNamespace namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-serviceaccount.yaml \
--set "csi.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/csi-serviceaccount.yaml \
--set "csi.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "csi/serviceAccount: specify annotations" {
cd `chart_dir`
local actual=$(helm template \
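Review bot: The test name `csi/daemonset: serviceAccountNamespace namespace` and the comment above it do not match what the test renders, which is `templates/csi-serviceaccount.yaml`; the neighbouring test in this file uses the `csi/serviceAccount:` prefix. Renaming it to `@test "csi/serviceAccount: namespace" {` and the comment to `# namespace` keeps a failure attributable to the right template and avoids confusion with the identically prefixed test added for the DaemonSet. The hunk ends inside the following test, which is unchanged context.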


@ -20,3 +20,22 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "injector/ClusterRoleBinding: service account namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-clusterrolebinding.yaml \
--set "injector.enabled=true" \
--namespace foo \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-clusterrolebinding.yaml \
--set "injector.enabled=true" \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -42,6 +42,25 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/deployment: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/deployment: image defaults to injector.image" {
cd `chart_dir`
local actual=$(helm template \
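Review bot: The new `injector/deployment: namespace` test asserts only `.metadata.namespace`, but the template change in this commit also rewrites `AGENT_INJECT_VAULT_ADDR` and `AGENT_INJECT_TLS_AUTO_HOSTS` to use the override. Those hosts presumably become the names in the injector's auto-generated certificate, and the webhook's `clientConfig.service.namespace` is switched to the same helper, so a drift between them would break webhook TLS without failing any assertion visible here. I would add a case with `--set 'global.namespace=bar'` that selects the `AGENT_INJECT_TLS_AUTO_HOSTS` env entry and expects `release-name-vault-agent-injector-svc,release-name-vault-agent-injector-svc.bar,release-name-vault-agent-injector-svc.bar.svc`. The hunk ends inside the following test, which is unchanged context.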


@ -11,6 +11,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "injector/DisruptionBudget: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.minAvailable=2' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-disruptionbudget.yaml \
--set 'injector.podDisruptionBudget.minAvailable=2' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" {
cd `chart_dir`
local actual=$(helm template \


@ -96,6 +96,14 @@ load _helpers
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
local actual=$( (helm template \
--show-only templates/injector-certs-secret.yaml \
--set "injector.replicas=2" \
--set 'global.namespace=bar' \
--namespace foo \
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"bar\"" ]
}
@test "injector/role: created/skipped as appropriate" {
@ -147,6 +155,14 @@ load _helpers
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
local actual=$( (helm template \
--show-only templates/injector-role.yaml \
--set "injector.replicas=2" \
--set 'global.namespace=bar' \
--namespace foo \
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"bar\"" ]
}
@test "injector/rolebinding: created/skipped as appropriate" {
@ -198,4 +214,12 @@ load _helpers
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
local actual=$( (helm template \
--show-only templates/injector-rolebinding.yaml \
--set "injector.replicas=2" \
--set 'global.namespace=bar' \
--namespace foo \
. || echo "---") | tee /dev/stderr |
yq '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "\"bar\"" ]
}


@ -40,6 +40,14 @@ load _helpers
. | tee /dev/stderr |
yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr)
[ "${actual}" = "\"foo\"" ]
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr)
[ "${actual}" = "\"bar\"" ]
}
@test "injector/MutatingWebhookConfiguration: caBundle is empty string" {


@ -33,3 +33,24 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy-Role: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp-role.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-psp-role.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -33,3 +33,24 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "injector/PodSecurityPolicy-RoleBinding: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-psp-rolebinding.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-psp-rolebinding.yaml \
--set 'injector.enabled=true' \
--set 'global.psp.enable=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -18,6 +18,23 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/Service: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-service.yaml \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-service.yaml \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/Service: service with default port" {
cd `chart_dir`
local actual=$(helm template \


@ -21,6 +21,23 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "injector/ServiceAccount: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-serviceaccount.yaml \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/injector-serviceaccount.yaml \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "injector/ServiceAccount: generic annotations" {
cd `chart_dir`
local actual=$(helm template \


@ -71,3 +71,20 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
@test "server/ClusterRoleBinding: service account namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-clusterrolebinding.yaml \
--namespace foo \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-clusterrolebinding.yaml \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.subjects[0].namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -75,6 +75,23 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/ConfigMap: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-config-configmap.yaml \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-config-configmap.yaml \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/ConfigMap: standalone extraConfig is set" {
cd `chart_dir`
local actual=$(helm template \


@ -39,3 +39,22 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/DiscoveryRole: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-discovery-role.yaml \
--set 'server.ha.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-discovery-role.yaml \
--set 'server.ha.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -39,3 +39,22 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/DiscoveryRoleBinding: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-discovery-rolebinding.yaml \
--set 'server.ha.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-discovery-rolebinding.yaml \
--set 'server.ha.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -47,6 +47,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/ha-active-Service: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-ha-active-service.yaml \
--set 'server.ha.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/ha-active-Service: type empty by default" {
cd `chart_dir`
local actual=$(helm template \


@ -53,6 +53,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/DisruptionBudget: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'server.ha.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-disruptionbudget.yaml \
--set 'server.ha.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/DisruptionBudget: correct maxUnavailable with n=1" {
cd `chart_dir`
local actual=$(helm template \


@ -58,6 +58,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/ha-standby-Service: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-ha-standby-service.yaml \
--set 'server.ha.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/ha-standby-Service: type empty by default" {
cd `chart_dir`
local actual=$(helm template \


@ -35,3 +35,22 @@ load _helpers
yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr)
[ "${actual}" = "release-name" ]
}
@test "server/headless-Service: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-headless-service.yaml \
--set 'server.ha.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-headless-service.yaml \
--set 'server.ha.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -11,6 +11,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/ingress: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-ingress.yaml \
--set 'server.ingress.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-ingress.yaml \
--set 'server.ingress.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/ingress: disable by injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \


@ -109,3 +109,22 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PSP-Role: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp-role.yaml \
--set 'global.psp.enable=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-psp-role.yaml \
--set 'global.psp.enable=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}


@ -109,3 +109,22 @@ load _helpers
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "server/PSP-RoleBinding: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'global.psp.enable=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-psp-rolebinding.yaml \
--set 'global.psp.enable=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
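Review bot: The `server/PSP-RoleBinding: namespace` test asserts only `.metadata.namespace`, so it cannot catch a binding whose ServiceAccount subject resolves to a different namespace from the one the ServiceAccount is rendered into. The template is not visible in this section, so this is a question rather than a confirmed defect: if `server-psp-rolebinding.yaml` writes a `subjects[].namespace`, the `global.namespace=bar` case should also read `yq -r '.subjects[0].namespace'` and expect `bar`. If the template omits the field, a short comment in the test saying so would record that the omission is deliberate. A subject left on the release namespace would grant the role to a ServiceAccount name in `foo` instead of the one created in `bar`.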


@ -24,6 +24,27 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/route: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-route.yaml \
--set 'global.openshift=true' \
--set 'server.route.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/route: OpenShift - checking host entry gets added and path is /" {
cd `chart_dir`
local actual=$(helm template \


@ -113,6 +113,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/Service: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-service.yaml \
--set 'server.service.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-service.yaml \
--set 'server.service.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/Service: disable with injector.externalVaultAddr" {
cd `chart_dir`
local actual=$( (helm template \


@ -30,6 +30,25 @@ load _helpers
}
@test "server/ServiceAccount: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-serviceaccount.yaml \
--set 'server.serviceAccount.create=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-serviceaccount.yaml \
--set 'server.serviceAccount.create=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/ServiceAccount: specify annotations" {
cd `chart_dir`
local actual=$(helm template \


@ -78,6 +78,25 @@ load _helpers
[ "${actual}" = "false" ]
}
@test "server/standalone-StatefulSet: namespace" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.standalone.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "foo" ]
local actual=$(helm template \
--show-only templates/server-statefulset.yaml \
--set 'server.standalone.enabled=true' \
--set 'global.namespace=bar' \
--namespace foo \
. | tee /dev/stderr |
yq -r '.metadata.namespace' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
@test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" {
cd `chart_dir`
local actual=$(helm template \


@ -228,6 +228,9 @@
"enabled": {
"type": "boolean"
},
"namespace": {
"type": "string"
},
"externalVaultAddr": {
"type": "string"
},
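Review bot: The new `namespace` property is constrained only by `"type": "string"`, yet the templates in this commit write the value unquoted into `metadata.namespace` and into the CSI agent `address` string. Limiting it to a DNS-1123 label, while still accepting the empty default, would reject malformed values at schema-validation time instead of at apply time: `"namespace": { "type": "string", "maxLength": 63, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?)?$" }`. The enclosing `global` object starts and ends outside this hunk.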


@ -8,6 +8,9 @@ global:
# will enable or disable all the components within this chart by default.
enabled: true
# The namespace to deploy to. Defaults to the `helm` installation namespace.
namespace: ""
# Image pull secret to use for registry authentication.
# Alternatively, the value may be specified as an array of strings.
imagePullSecrets: []
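Review bot: The comment on `global.namespace` omits the operational consequences of setting it. As far as the `vault.namespace` helper in this commit shows, the override changes only the `namespace:` written into the rendered objects; Helm still records the release in the installation namespace, and its `--create-namespace` flag does not cover a different target. I would extend the comment with something like `# The target namespace must already exist, and the identity running helm needs create/update rights in it; the release record stays in the installation namespace.` Because the key is under `global`, it is also passed to any subchart, which is worth one more comment line.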