From d27121c223368fcc77f6eb2eaf29eee1500c1c9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ricardo=20G=C3=A2ndara=20Pinto?=
Date: Thu, 10 Jun 2021 23:32:22 +0100
Subject: [PATCH] Added webhook-certs volume mount to sidecar injector (#545)
* Removed webhook-certs volume mount from leader-elector container
* Added test: injector deployment manual TLS adds volume mount
---
 templates/injector-deployment.yaml | 10 ++++++----
 test/unit/injector-deployment.bats | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 5dd3553..4756a25 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -131,6 +131,12 @@ spec:
 periodSeconds: 2
 successThreshold: 1
 timeoutSeconds: 5
+{{- if .Values.injector.certs.secretName }}
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+{{- end }}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 - name: leader-elector
 image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
@@ -161,10 +167,6 @@ spec:
 timeoutSeconds: 5
 {{- end }}
 {{- if .Values.injector.certs.secretName }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
 volumes:
 - name: webhook-certs
 secret:
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 3b6efbc..cd6f1dd 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
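Review bot: The added `volumeMounts` block in the first hunk of templates/injector-deployment.yaml has no comment saying which container it belongs to, yet its position is the whole fix. According to the commit message, the copy removed in the second hunk ended up on the leader-elector container, which put the webhook TLS material in the wrong place. A template comment above the `if`, such as `{{- /* webhook TLS cert and key: mount into the sidecar-injector container only; keep above the leader-elector block */}}`, would stop a later edit from moving it back below the conditional. The mount path `/etc/webhook/certs` is a literal; if the container's TLS file settings (outside this hunk) point at the same directory, the comment should name them too. The container definition starts above the hunk.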
@@ -168,6 +168,24 @@ load _helpers
 [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ]
 }
 
+@test "injector/deployment: manual TLS adds volume mount" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.enabled=true' \
+ --set 'injector.certs.secretName=vault-tls' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.mountPath' | tee /dev/stderr)
+ [ "${actual}" = "/etc/webhook/certs" ]
+
+ local actual=$(echo $object |
+ yq -r '.readOnly' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
 @test "injector/deployment: with externalVaultAddr" {
 cd `chart_dir`
 local object=$(helm template \
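Review bot: The new test never sets `injector.replicas` above 1, so it does not pin the regression this commit fixes. By the condition in templates/injector-deployment.yaml the leader-elector container is then presumably not rendered (unless the chart default is higher), and `containers[0]` would have carried the mount before the fix as well. Add a case that renders with two replicas and leader election on, asserting that `containers[0]` still has the `webhook-certs` mount and that `containers[1].volumeMounts` is absent, so the webhook key stays out of the leader-elector container. A sketch of the negative case follows; the `null` comparison assumes yq prints `null` for a missing key.

```shell
@test "injector/deployment: manual TLS does not mount certs into leader-elector" {
  cd `chart_dir`
  local actual=$(helm template \
      --show-only templates/injector-deployment.yaml \
      --set 'injector.enabled=true' \
      --set 'injector.replicas=2' \
      --set 'injector.leaderElector.enabled=true' \
      --set 'injector.certs.secretName=vault-tls' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[1].volumeMounts' | tee /dev/stderr)
  [ "${actual}" = "null" ]
}
```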