From 9a16496e869abd8b5c6d63ee5119427e9cf2d353 Mon Sep 17 00:00:00 2001 
From: KhizerJaan <73934880+KhizerJaan@users.noreply.github.com> Date: Tue, 4 Jul 2023 18:30:35 +0500 Subject: [PATCH] Allows the release namespace to be overridden (#909) --- CHANGELOG.md | 6 ++++++ templates/_helpers.tpl | 7 ++++++ templates/csi-agent-configmap.yaml | 4 ++-- templates/csi-clusterrolebinding.yaml | 2 +- templates/csi-daemonset.yaml | 4 ++-- templates/csi-role.yaml | 1 + templates/csi-rolebinding.yaml | 3 ++- templates/csi-serviceaccount.yaml | 2 +- templates/injector-certs-secret.yaml | 2 +- templates/injector-clusterrolebinding.yaml | 2 +- templates/injector-deployment.yaml | 6 +++--- templates/injector-disruptionbudget.yaml | 2 +- templates/injector-mutating-webhook.yaml | 2 +- templates/injector-psp-role.yaml | 2 +- templates/injector-psp-rolebinding.yaml | 2 +- templates/injector-role.yaml | 2 +- templates/injector-rolebinding.yaml | 4 ++-- templates/injector-service.yaml | 2 +- templates/injector-serviceaccount.yaml | 2 +- templates/prometheus-servicemonitor.yaml | 2 +- templates/server-clusterrolebinding.yaml | 2 +- templates/server-config-configmap.yaml | 2 +- templates/server-discovery-role.yaml | 2 +- templates/server-discovery-rolebinding.yaml | 4 ++-- templates/server-disruptionbudget.yaml | 2 +- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 2 +- templates/server-headless-service.yaml | 2 +- templates/server-ingress.yaml | 2 +- templates/server-psp-role.yaml | 2 +- templates/server-psp-rolebinding.yaml | 2 +- templates/server-route.yaml | 2 +- templates/server-service.yaml | 2 +- templates/server-serviceaccount.yaml | 2 +- templates/server-statefulset.yaml | 2 +- templates/tests/server-test.yaml | 4 ++-- templates/ui-service.yaml | 2 +- test/unit/csi-agent-configmap.bats | 19 ++++++++++++++++ test/unit/csi-clusterrolebinding.bats | 20 +++++++++++++++++ test/unit/csi-daemonset.bats | 20 +++++++++++++++++ test/unit/csi-role.bats | 19 ++++++++++++++++ test/unit/csi-rolebinding.bats | 19 
++++++++++++++++ test/unit/csi-serviceaccount.bats | 20 +++++++++++++++++ test/unit/injector-clusterrolebinding.bats | 19 ++++++++++++++++ test/unit/injector-deployment.bats | 19 ++++++++++++++++ test/unit/injector-disruptionbudget.bats | 19 ++++++++++++++++ test/unit/injector-leader-elector.bats | 24 +++++++++++++++++++++ test/unit/injector-mutating-webhook.bats | 8 +++++++ test/unit/injector-psp-role.bats | 21 ++++++++++++++++++ test/unit/injector-psp-rolebinding.bats | 21 ++++++++++++++++++ test/unit/injector-service.bats | 17 +++++++++++++++ test/unit/injector-serviceaccount.bats | 17 +++++++++++++++ test/unit/server-clusterrolebinding.bats | 17 +++++++++++++++ test/unit/server-configmap.bats | 17 +++++++++++++++ test/unit/server-discovery-role.bats | 19 ++++++++++++++++ test/unit/server-discovery-rolebinding.bats | 19 ++++++++++++++++ test/unit/server-ha-active-service.bats | 19 ++++++++++++++++ test/unit/server-ha-disruptionbudget.bats | 19 ++++++++++++++++ test/unit/server-ha-standby-service.bats | 19 ++++++++++++++++ test/unit/server-headless-service.bats | 19 ++++++++++++++++ test/unit/server-ingress.bats | 19 ++++++++++++++++ test/unit/server-psp-role.bats | 19 ++++++++++++++++ test/unit/server-psp-rolebinding.bats | 19 ++++++++++++++++ test/unit/server-route.bats | 21 ++++++++++++++++++ test/unit/server-service.bats | 19 ++++++++++++++++ test/unit/server-serviceaccount.bats | 19 ++++++++++++++++ test/unit/server-statefulset.bats | 19 ++++++++++++++++ values.schema.json | 3 +++ values.yaml | 3 +++ 69 files changed, 627 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3c466f..3e59ade 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,11 @@ ## Unreleased +Bugs: +* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) + +Improvements: +* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) + ## 0.25.0 (June 26, 2023) Changes: diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index dafac37..d796ab5 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -36,6 +36,13 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "vault.namespace" -}} +{{- default .Release.Namespace .Values.global.namespace -}} +{{- end -}} + {{/* Compute if the csi driver is enabled. */}} diff --git a/templates/csi-agent-configmap.yaml b/templates/csi-agent-configmap.yaml index 7af08e8..18cdb04 100644 --- a/templates/csi-agent-configmap.yaml +++ b/templates/csi-agent-configmap.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "vault.fullname" . }}-csi-provider-agent-config - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider @@ -21,7 +21,7 @@ data: {{- if .Values.global.externalVaultAddr }} "address" = "{{ .Values.global.externalVaultAddr }}" {{- else }} - "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}" + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" {{- end }} } diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml index d5a9346..506ec94 100644 --- a/templates/csi-clusterrolebinding.yaml 
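Review bot: The new `vault.namespace` helper in templates/_helpers.tpl takes `.Values.global.namespace` as-is, and its comment does not say what the override affects or requires. In the hunks shown here, ServiceAccounts, Roles, RoleBinding and ClusterRoleBinding subjects, the injector certs Secret and the webhook's `clientConfig.service.namespace` all follow this value from now on. Because `global` values are shared between a parent chart and its subcharts, a parent that sets `global.namespace` for another dependency also relocates Vault's RBAC objects, and a pipeline that pins the target with `--namespace` but takes values from a less trusted source no longer decides where they land. Helm still stores the release in `.Release.Namespace`, and `--create-namespace` creates only that one, so the override namespace has to exist already. I would extend the template comment along the lines of `Namespace for all chart resources; defaults to .Release.Namespace. global.namespace is shared with parent/sub charts and must name an existing namespace.`, and confirm that the values.schema.json hunk (not visible here) limits the field to a DNS-label string.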
+++ b/templates/csi-clusterrolebinding.yaml @@ -20,5 +20,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 28e7cd0..1436ff9 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -9,7 +9,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} @@ -71,7 +71,7 @@ spec: {{- else if .Values.global.externalVaultAddr }} value: "{{ .Values.global.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} volumeMounts: - name: providervol diff --git a/templates/csi-role.yaml b/templates/csi-role.yaml index dd23af6..17e1918 100644 --- a/templates/csi-role.yaml +++ b/templates/csi-role.yaml @@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-csi-provider-role + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/csi-rolebinding.yaml b/templates/csi-rolebinding.yaml index e61f2dc..3d3b981 100644 --- a/templates/csi-rolebinding.yaml +++ b/templates/csi-rolebinding.yaml 
@@ -9,6 +9,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} @@ -20,5 +21,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml index 25e123e..6327a7b 100644 --- a/templates/csi-serviceaccount.yaml +++ b/templates/csi-serviceaccount.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-csi-provider - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml index 3e5ddb7..f6995af 100644 --- a/templates/injector-certs-secret.yaml +++ b/templates/injector-certs-secret.yaml @@ -10,7 +10,7 @@ apiVersion: v1 kind: Secret metadata: name: vault-injector-certs - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml index 9253e4f..82cbce0 100644 --- a/templates/injector-clusterrolebinding.yaml +++ b/templates/injector-clusterrolebinding.yaml @@ -20,5 +20,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} 
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml index fbf32c0..822e8e4 100644 --- a/templates/injector-deployment.yaml +++ b/templates/injector-deployment.yaml @@ -10,7 +10,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -64,7 +64,7 @@ spec: {{- else if .Values.injector.externalVaultAddr }} value: "{{ .Values.injector.externalVaultAddr }}" {{- else }} - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- end }} - name: AGENT_INJECT_VAULT_AUTH_PATH value: {{ .Values.injector.authPath }} @@ -79,7 +79,7 @@ spec: - name: AGENT_INJECT_TLS_AUTO value: {{ template "vault.fullname" . }}-agent-injector-cfg - name: AGENT_INJECT_TLS_AUTO_HOSTS - value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc + value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc {{- end }} - name: AGENT_INJECT_LOG_FORMAT value: {{ .Values.injector.logFormat | default "standard" }} diff --git a/templates/injector-disruptionbudget.yaml b/templates/injector-disruptionbudget.yaml index 6ae714b..2b2a61c 100644 --- a/templates/injector-disruptionbudget.yaml +++ b/templates/injector-disruptionbudget.yaml 
@@ -8,7 +8,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector diff --git a/templates/injector-mutating-webhook.yaml b/templates/injector-mutating-webhook.yaml index d03cd13..b1de1ee 100644 --- a/templates/injector-mutating-webhook.yaml +++ b/templates/injector-mutating-webhook.yaml @@ -28,7 +28,7 @@ webhooks: clientConfig: service: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} path: "/mutate" caBundle: {{ .Values.injector.certs.caBundle | quote }} rules: diff --git a/templates/injector-psp-role.yaml b/templates/injector-psp-role.yaml index 65d8e9b..a07f8f6 100644 --- a/templates/injector-psp-role.yaml +++ b/templates/injector-psp-role.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-psp-rolebinding.yaml b/templates/injector-psp-rolebinding.yaml index 48a3a26..3c97e8d 100644 --- a/templates/injector-psp-rolebinding.yaml +++ b/templates/injector-psp-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} 
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml index df7b0ed..b2ad0c7 100644 --- a/templates/injector-role.yaml +++ b/templates/injector-role.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml index 0848e43..6ad25ca 100644 --- a/templates/injector-rolebinding.yaml +++ b/templates/injector-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} @@ -22,6 +22,6 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{- end }} {{- end }} \ No newline at end of file diff --git a/templates/injector-service.yaml b/templates/injector-service.yaml index 5b20692..1479cd1 100644 --- a/templates/injector-service.yaml +++ b/templates/injector-service.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-agent-injector-svc - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml index 9b5c2f6..2f91c3d 100644 
--- a/templates/injector-serviceaccount.yaml +++ b/templates/injector-serviceaccount.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.fullname" . }}-agent-injector - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/prometheus-servicemonitor.yaml b/templates/prometheus-servicemonitor.yaml index 60f2729..25d30a4 100644 --- a/templates/prometheus-servicemonitor.yaml +++ b/templates/prometheus-servicemonitor.yaml @@ -45,5 +45,5 @@ spec: insecureSkipVerify: true namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "vault.namespace" . }} {{ end }} diff --git a/templates/server-clusterrolebinding.yaml b/templates/server-clusterrolebinding.yaml index b694129..14ec838 100644 --- a/templates/server-clusterrolebinding.yaml +++ b/templates/server-clusterrolebinding.yaml @@ -25,5 +25,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} \ No newline at end of file diff --git a/templates/server-config-configmap.yaml b/templates/server-config-configmap.yaml index 5d29e98..5c66057 100644 --- a/templates/server-config-configmap.yaml +++ b/templates/server-config-configmap.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "vault.fullname" . }}-config - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-discovery-role.yaml b/templates/server-discovery-role.yaml index adae42a..0cbdefa 100644 --- a/templates/server-discovery-role.yaml +++ b/templates/server-discovery-role.yaml 
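Review bot: The `namespaceSelector.matchNames` change in templates/prometheus-servicemonitor.yaml has no accompanying test: the diffstat lists no ServiceMonitor file under test/unit, while nearly every other touched template gains a `global.namespace=bar` case. The ServiceMonitor's own `metadata` is outside this hunk, so it is not visible whether the object itself moves to the override namespace or only its selector does. If only the selector moves, the monitor would live in the release namespace while selecting endpoints in the override namespace, which may be intended but should be stated in a comment. I would add a test that passes `--set 'global.namespace=bar' --namespace foo` and asserts `.spec.namespaceSelector.matchNames[0]` equals `bar`.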
@@ -10,7 +10,7 @@ SPDX-License-Identifier: MPL-2.0 apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} name: {{ template "vault.fullname" . }}-discovery-role labels: helm.sh/chart: {{ include "vault.chart" . }} diff --git a/templates/server-discovery-rolebinding.yaml b/templates/server-discovery-rolebinding.yaml index 853ee87..87b0f61 100644 --- a/templates/server-discovery-rolebinding.yaml +++ b/templates/server-discovery-rolebinding.yaml @@ -15,7 +15,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-discovery-rolebinding - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} @@ -28,7 +28,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} {{ end }} {{ end }} {{ end }} diff --git a/templates/server-disruptionbudget.yaml b/templates/server-disruptionbudget.yaml index 3ff1109..bbe9eb2 100644 --- a/templates/server-disruptionbudget.yaml +++ b/templates/server-disruptionbudget.yaml @@ -13,7 +13,7 @@ apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 58d540f..2a3375a 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
@@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-active - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index b9f6435..27fdfce 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -14,7 +14,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-standby - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml index 42e1aa0..4df81e2 100644 --- a/templates/server-headless-service.yaml +++ b/templates/server-headless-service.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-ingress.yaml b/templates/server-ingress.yaml index 3aba668..d796bae 100644 --- a/templates/server-ingress.yaml +++ b/templates/server-ingress.yaml @@ -21,7 +21,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-psp-role.yaml b/templates/server-psp-role.yaml index 0c8c983..64cd6c5 100644 --- a/templates/server-psp-role.yaml +++ b/templates/server-psp-role.yaml 
@@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-psp-rolebinding.yaml b/templates/server-psp-rolebinding.yaml index 9b975d5..342f553 100644 --- a/templates/server-psp-rolebinding.yaml +++ b/templates/server-psp-rolebinding.yaml @@ -10,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ template "vault.fullname" . }}-psp - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/server-route.yaml b/templates/server-route.yaml index 3f35aef..4e95555 100644 --- a/templates/server-route.yaml +++ b/templates/server-route.yaml @@ -14,7 +14,7 @@ kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-service.yaml b/templates/server-service.yaml index 8e34c88..444b15e 100644 --- a/templates/server-service.yaml +++ b/templates/server-service.yaml @@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-serviceaccount.yaml b/templates/server-serviceaccount.yaml index e154f8d..216ea61 100644 --- a/templates/server-serviceaccount.yaml +++ b/templates/server-serviceaccount.yaml 
@@ -9,7 +9,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "vault.serviceAccount.name" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 7ab7de8..519d421 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -12,7 +12,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "vault.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/templates/tests/server-test.yaml b/templates/tests/server-test.yaml index 59b1501..2c577aa 100644 --- a/templates/tests/server-test.yaml +++ b/templates/tests/server-test.yaml @@ -10,7 +10,7 @@ apiVersion: v1 kind: Pod metadata: name: "{{ .Release.Name }}-server-test" - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} annotations: "helm.sh/hook": test spec: @@ -21,7 +21,7 @@ spec: imagePullPolicy: {{ .Values.server.image.pullPolicy }} env: - name: VAULT_ADDR - value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} command: - /bin/sh diff --git a/templates/ui-service.yaml b/templates/ui-service.yaml index 4b2e8f7..261732b 100644 --- a/templates/ui-service.yaml +++ b/templates/ui-service.yaml 
@@ -12,7 +12,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "vault.fullname" . }}-ui - namespace: {{ .Release.Namespace }} + namespace: {{ include "vault.namespace" . }} labels: helm.sh/chart: {{ include "vault.chart" . }} app.kubernetes.io/name: {{ include "vault.name" . }}-ui diff --git a/test/unit/csi-agent-configmap.bats b/test/unit/csi-agent-configmap.bats index 4ae4a30..515e4c8 100644 --- a/test/unit/csi-agent-configmap.bats +++ b/test/unit/csi-agent-configmap.bats @@ -21,6 +21,25 @@ load _helpers [ "${actual}" = "release-name-vault-csi-provider-agent-config" ] } +@test "csi/Agent-ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-agent-configmap.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/Agent-ConfigMap: Vault addr not affected by injector setting" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/csi-clusterrolebinding.bats b/test/unit/csi-clusterrolebinding.bats index ccd98c5..6490d2c 100644 --- a/test/unit/csi-clusterrolebinding.bats +++ b/test/unit/csi-clusterrolebinding.bats 
@@ -41,4 +41,24 @@ load _helpers . | tee /dev/stderr | yq -r '.subjects[0].name' | tee /dev/stderr) [ "${actual}" = "release-name-vault-csi-provider" ] +} + +# ClusterRoleBinding service account namespace +@test "csi/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-clusterrolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } \ No newline at end of file diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index e1fd0ef..d3d4221 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -30,6 +30,26 @@ load _helpers [ "${actual}" = "true" ] } +# namespace +@test "csi/daemonset: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + # priorityClassName @test "csi/daemonset: priorityClassName not set by default" { diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats index e7eb7e6..88f7d05 100644 --- a/test/unit/csi-role.bats +++ b/test/unit/csi-role.bats 
@@ -27,6 +27,25 @@ load _helpers [ "${actual}" = "vault-csi-provider-hmac-key" ] } +@test "csi/Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/Role: HMAC secret name configurable" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats index caf368b..dc4a1af 100644 --- a/test/unit/csi-rolebinding.bats +++ b/test/unit/csi-rolebinding.bats @@ -19,4 +19,23 @@ load _helpers . | tee /dev/stderr | yq -r '.metadata.name' | tee /dev/stderr) [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ] +} + +@test "csi/RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] } \ No newline at end of file diff --git a/test/unit/csi-serviceaccount.bats b/test/unit/csi-serviceaccount.bats index 41c1734..aa89749 100644 --- a/test/unit/csi-serviceaccount.bats +++ b/test/unit/csi-serviceaccount.bats 
@@ -32,6 +32,26 @@ load _helpers [ "${actual}" = "release-name-vault-csi-provider" ] } +# serviceAccountNamespace namespace +@test "csi/daemonset: serviceAccountNamespace namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/csi-serviceaccount.yaml \ + --set "csi.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "csi/serviceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-clusterrolebinding.bats b/test/unit/injector-clusterrolebinding.bats index 6e21787..e997ebd 100755 --- a/test/unit/injector-clusterrolebinding.bats +++ b/test/unit/injector-clusterrolebinding.bats @@ -20,3 +20,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "injector/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-clusterrolebinding.yaml \ + --set "injector.enabled=true" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats index 7723a15..7b2bb5a 100755 --- a/test/unit/injector-deployment.bats +++ b/test/unit/injector-deployment.bats 
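Review bot: The test added to test/unit/csi-serviceaccount.bats is titled `csi/daemonset: serviceAccountNamespace namespace`, but it renders templates/csi-serviceaccount.yaml and sits next to `csi/serviceAccount: specify annotations`. A failure would be reported against the DaemonSet, which is the wrong place to look when the ServiceAccount that RBAC bindings refer to ends up in the wrong namespace. I would rename it to `@test "csi/serviceAccount: namespace" {` and shorten the preceding comment to `# namespace`.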
@@ -42,6 +42,25 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/deployment: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-deployment.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/deployment: image defaults to injector.image" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-disruptionbudget.bats b/test/unit/injector-disruptionbudget.bats index 72be93f..4ce5515 100755 --- a/test/unit/injector-disruptionbudget.bats +++ b/test/unit/injector-disruptionbudget.bats @@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-disruptionbudget.yaml \ + --set 'injector.podDisruptionBudget.minAvailable=2' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/DisruptionBudget: configure with injector.podDisruptionBudget minAvailable" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats index bbd4829..e72354a 100644 --- a/test/unit/injector-leader-elector.bats 
+++ b/test/unit/injector-leader-elector.bats @@ -96,6 +96,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-certs-secret.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/role: created/skipped as appropriate" { @@ -147,6 +155,14 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-role.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/rolebinding: created/skipped as appropriate" { @@ -198,4 +214,12 @@ load _helpers . || echo "---") | tee /dev/stderr | yq '.metadata.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$( (helm template \ + --show-only templates/injector-rolebinding.yaml \ + --set "injector.replicas=2" \ + --set 'global.namespace=bar' \ + --namespace foo \ + . || echo "---") | tee /dev/stderr | + yq '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } diff --git a/test/unit/injector-mutating-webhook.bats b/test/unit/injector-mutating-webhook.bats index 0a8be0a..fcf4e7b 100755 --- a/test/unit/injector-mutating-webhook.bats +++ b/test/unit/injector-mutating-webhook.bats 
@@ -40,6 +40,14 @@ load _helpers . | tee /dev/stderr | yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) [ "${actual}" = "\"foo\"" ] + local actual=$(helm template \ + --show-only templates/injector-mutating-webhook.yaml \ + --set 'injector.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq '.webhooks[0].clientConfig.service.namespace' | tee /dev/stderr) + [ "${actual}" = "\"bar\"" ] } @test "injector/MutatingWebhookConfiguration: caBundle is empty string" { diff --git a/test/unit/injector-psp-role.bats b/test/unit/injector-psp-role.bats index 8e7acd7..3dda504 100644 --- a/test/unit/injector-psp-role.bats +++ b/test/unit/injector-psp-role.bats @@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-role.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-psp-rolebinding.bats b/test/unit/injector-psp-rolebinding.bats index 88bfe79..62afe7b 100644 --- a/test/unit/injector-psp-rolebinding.bats +++ b/test/unit/injector-psp-rolebinding.bats 
@@ -33,3 +33,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "injector/PodSecurityPolicy-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-psp-rolebinding.yaml \ + --set 'injector.enabled=true' \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/injector-service.bats b/test/unit/injector-service.bats index 027eaa0..b5eea49 100755 --- a/test/unit/injector-service.bats +++ b/test/unit/injector-service.bats @@ -18,6 +18,23 @@ load _helpers [ "${actual}" = "true" ] } +@test "injector/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-service.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/Service: service with default port" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/injector-serviceaccount.bats b/test/unit/injector-serviceaccount.bats index bf178a3..f7ba319 100755 --- a/test/unit/injector-serviceaccount.bats +++ b/test/unit/injector-serviceaccount.bats 
@@ -21,6 +21,23 @@ load _helpers [ "${actual}" = "false" ] } +@test "injector/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/injector-serviceaccount.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "injector/ServiceAccount: generic annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-clusterrolebinding.bats b/test/unit/server-clusterrolebinding.bats index 9d05aea..d80f05f 100755 --- a/test/unit/server-clusterrolebinding.bats +++ b/test/unit/server-clusterrolebinding.bats @@ -71,3 +71,20 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "server/ClusterRoleBinding: service account namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-clusterrolebinding.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.subjects[0].namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-configmap.bats b/test/unit/server-configmap.bats index fe2ac12..eea7e70 100755 --- a/test/unit/server-configmap.bats +++ b/test/unit/server-configmap.bats 
@@ -75,6 +75,23 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ConfigMap: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-config-configmap.yaml \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-config-configmap.yaml \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ConfigMap: standalone extraConfig is set" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-discovery-role.bats b/test/unit/server-discovery-role.bats index 11473a0..f17dcf4 100755 --- a/test/unit/server-discovery-role.bats +++ b/test/unit/server-discovery-role.bats @@ -39,3 +39,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/DiscoveryRole: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-discovery-role.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-discovery-rolebinding.bats b/test/unit/server-discovery-rolebinding.bats index 568c240..83e8def 100755 --- a/test/unit/server-discovery-rolebinding.bats +++ b/test/unit/server-discovery-rolebinding.bats 
@@ -39,3 +39,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/DiscoveryRoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-discovery-rolebinding.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats index d78f5d4..b7e2ec5 100755 --- a/test/unit/server-ha-active-service.bats +++ b/test/unit/server-ha-active-service.bats @@ -47,6 +47,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-active-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ha-active-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ha-active-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-disruptionbudget.bats b/test/unit/server-ha-disruptionbudget.bats index 4cb3ae6..4daff30 100755 --- a/test/unit/server-ha-disruptionbudget.bats +++ b/test/unit/server-ha-disruptionbudget.bats 
@@ -53,6 +53,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/DisruptionBudget: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-disruptionbudget.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/DisruptionBudget: correct maxUnavailable with n=1" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats index 6698314..5f2654e 100755 --- a/test/unit/server-ha-standby-service.bats +++ b/test/unit/server-ha-standby-service.bats @@ -58,6 +58,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ha-standby-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ha-standby-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ha-standby-Service: type empty by default" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-headless-service.bats b/test/unit/server-headless-service.bats index 7c0e441..8a1f52f 100644 --- a/test/unit/server-headless-service.bats +++ b/test/unit/server-headless-service.bats 
@@ -35,3 +35,22 @@ load _helpers yq -r '.spec.selector["app.kubernetes.io/instance"]' | tee /dev/stderr) [ "${actual}" = "release-name" ] } + +@test "server/headless-Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-headless-service.yaml \ + --set 'server.ha.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-ingress.bats b/test/unit/server-ingress.bats index 0cc5b26..90ed0a2 100755 --- a/test/unit/server-ingress.bats +++ b/test/unit/server-ingress.bats @@ -11,6 +11,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/ingress: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-ingress.yaml \ + --set 'server.ingress.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ingress: disable by injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-psp-role.bats b/test/unit/server-psp-role.bats index 1d3e62c..28239b0 100644 --- a/test/unit/server-psp-role.bats +++ b/test/unit/server-psp-role.bats 
@@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-Role: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-role.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-psp-rolebinding.bats b/test/unit/server-psp-rolebinding.bats index 4171219..4a4bae3 100644 --- a/test/unit/server-psp-rolebinding.bats +++ b/test/unit/server-psp-rolebinding.bats @@ -109,3 +109,22 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "false" ] } + +@test "server/PSP-RoleBinding: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-psp-rolebinding.yaml \ + --set 'global.psp.enable=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} \ No newline at end of file diff --git a/test/unit/server-route.bats b/test/unit/server-route.bats index 51b1a30..a1716fb 100755 --- a/test/unit/server-route.bats +++ b/test/unit/server-route.bats 
@@ -24,6 +24,27 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/route: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-route.yaml \ + --set 'global.openshift=true' \ + --set 'server.route.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/route: OpenShift - checking host entry gets added and path is /" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats index 70a5445..b84e5b1 100755 --- a/test/unit/server-service.bats +++ b/test/unit/server-service.bats @@ -113,6 +113,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/Service: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-service.yaml \ + --set 'server.service.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/Service: disable with injector.externalVaultAddr" { cd `chart_dir` local actual=$( (helm template \ diff --git a/test/unit/server-serviceaccount.bats b/test/unit/server-serviceaccount.bats index 2c82603..9a688a9 100755 --- a/test/unit/server-serviceaccount.bats +++ b/test/unit/server-serviceaccount.bats 
@@ -30,6 +30,25 @@ load _helpers } +@test "server/ServiceAccount: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-serviceaccount.yaml \ + --set 'server.serviceAccount.create=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/ServiceAccount: specify annotations" { cd `chart_dir` local actual=$(helm template \ diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index 67cde81..7dc01f5 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -78,6 +78,25 @@ load _helpers [ "${actual}" = "false" ] } +@test "server/standalone-StatefulSet: namespace" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "foo" ] + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'global.namespace=bar' \ + --namespace foo \ + . | tee /dev/stderr | + yq -r '.metadata.namespace' | tee /dev/stderr) + [ "${actual}" = "bar" ] +} + @test "server/standalone-StatefulSet: image defaults to server.image.repository:tag" { cd `chart_dir` local actual=$(helm template \ diff --git a/values.schema.json b/values.schema.json index ecb97de..2aefb06 100644 --- a/values.schema.json +++ b/values.schema.json @@ -228,6 +228,9 @@ "enabled": { "type": "boolean" }, + "namespace": { + "type": "string" + }, "externalVaultAddr": { "type": "string" }, 
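Review bot: The new `namespace` property in values.schema.json accepts any string, so a value that is not a valid namespace name is only rejected once the rendered manifests reach the API server. The tests in this patch show the value ending up in `metadata.namespace` and in RBAC subjects, so it is worth constraining at schema-validation time. Adding `"pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` and `"maxLength": 63` next to `"type": "string"` would do that; the empty alternative keeps the default `""` valid.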
diff --git a/values.yaml b/values.yaml index 58eb8a2..8538cd6 100644 --- a/values.yaml +++ b/values.yaml @@ -8,6 +8,9 @@ global: # will enable or disable all the components within this chart by default. enabled: true + # The namespace to deploy to. Defaults to the `helm` installation namespace. + namespace: "" + # Image pull secret to use for registry authentication. # Alternatively, the value may be specified as an array of strings. imagePullSecrets: []
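Review bot: The comment on `global.namespace` does not say what changes operationally when the value differs from the namespace passed to `helm --namespace`. Helm's `--create-namespace` only creates the release namespace, and the release record stays there, so the override target must already exist and the installing identity needs rights in it. It also means a values file can place the chart's Roles, RoleBindings and ServiceAccounts outside the namespace the operator named on the command line, which matters where Helm access is scoped per namespace. Extending the comment with `# Must already exist if it differs from the release namespace;` and `# --create-namespace only creates the release namespace.` would make that explicit.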