diff --git a/CHANGELOG.md b/CHANGELOG.md
index a20c68b..e9c2857 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## Unreleased
+Improvements:
+* Added templateConfig.staticSecretRenderInterval annotation for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621)
+
 ## 0.17.1 (October 25th, 2021)
 Improvements:
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index f4a796b..0cc1382 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -109,6 +109,10 @@ spec:
 value: "{{ .Values.injector.agentDefaults.template }}"
 - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE
 value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}"
+ {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}
+ - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL
+ value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}"
+ {{- end }}
 {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }}
 - name: POD_NAME
 valueFrom:
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 0f475df..3bae2af 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -168,7 +168,7 @@ load _helpers
 [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ]
 }
-@test "injector/deployment: manual TLS adds volume mount" {
+@test "injector/deployment: manual TLS adds volume mount" {
 cd `chart_dir`
 local object=$(helm template \
 --show-only templates/injector-deployment.yaml \
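Review bot: In templates/injector-deployment.yaml the added `value:` line drops the chart value into a double-quoted YAML scalar without escaping, so a value containing `"` or a backslash renders a broken or altered manifest. Using `value: {{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval | quote }}` escapes it; the neighbouring entries share the unescaped form, so this follows existing style rather than introducing a new pattern. The variable name also omits the `CONFIG_` segment used by `AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE` just above, which is worth confirming against the injector release the chart pins, since an unrecognised variable would presumably be ignored silently. The `env:` list this sits in starts and ends outside the hunk.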
@@ -695,4 +695,29 @@ load _helpers
 local value=$(echo $object |
 yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE")) | .[] .value' | tee /dev/stderr)
 [ "${value}" = "false" ]
-}
\ No newline at end of file
+}
+
+@test "injector/deployment: agent default template_config.static_secret_render_interval" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "" ]
+}
+
+@test "injector/deployment: can set agent template_config.static_secret_render_interval" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set='injector.agentDefaults.templateConfig.staticSecretRenderInterval=1m' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+ local value=$(echo $object |
+ yq -r 'map(select(.name=="AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL")) | .[] .value' | tee /dev/stderr)
+ [ "${value}" = "1m" ]
+}
diff --git a/values.schema.json b/values.schema.json
index 4ddbedf..162c773 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -205,6 +205,9 @@
 "properties": {
 "exitOnRetryFailure": {
 "type": "boolean"
+ },
+ "staticSecretRenderInterval": {
+ "type": "string"
 }
 }
 }
diff --git a/values.yaml b/values.yaml
index 44869da..425a082 100644
--- a/values.yaml
+++ b/values.yaml
@@ -85,6 +85,7 @@ injector:
 # Default values within Agent's template_config stanza.
 templateConfig:
 exitOnRetryFailure: true
+ staticSecretRenderInterval: ""
 # Mount Path of the Vault Kubernetes Auth Method.
 authPath: "auth/kubernetes"
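Review bot: The default-value test in test/unit/injector-deployment.bats cannot tell an omitted variable from one rendered with an empty value, because `.[] .value` prints an empty string in both cases and `[ "${value}" = "" ]` passes either way. The template is meant to leave the entry out when the value is unset, so the test should assert on the number of matches: end the filter with `| length'` in place of `| .[] .value'` and compare with `[ "${value}" = "0" ]`. That would catch a regression where the `if` guard is dropped and an empty interval reaches the injector.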
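Review bot: The `staticSecretRenderInterval` entry in values.schema.json is declared only as `"type": "string"`, so any text passes chart validation and a mistyped interval is first noticed when the injector or agent parses it. This setting bounds how long a rotated static secret can stay stale in injected pods, so a bad value is better rejected at install time. Adding something like `"pattern": "^([0-9]+(ns|us|ms|s|m|h)?)*$"` next to the type would do that while still allowing the empty default; the exact grammar should be checked against what the agent accepts. The enclosing schema object continues outside the hunk.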
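Review bot: The new `staticSecretRenderInterval: ""` key in values.yaml has no comment, so an operator cannot tell what format it takes or what the empty default means. I would add above it `# Interval at which Agent re-renders templates for static (non-leased) secrets, as a duration string such as "1m".` and `# Empty leaves the env var unset, so the injector's own default applies.` It is also worth saying that this interval is the upper bound on how long pods keep serving a static secret after it has been rotated in Vault, since that is what a security reviewer will look for. The `injector:` mapping that holds this key starts and ends outside the hunk.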