
* Make serviceAccount name a configuration option Follow Helm Best Practices when defining serviceAccount names https://helm.sh/docs/chart_best_practices/#using-rbac-resources * Use enabled instead of create for consistency * Add unit tests for user-defined service account name * ServiceAccount under server Co-authored-by: David Holsgrove <david@apnic.net> * Update ServiceAccount in RoleBindings to address https://github.com/hashicorp/vault-helm/pull/56#pullrequestreview-297856433 Co-authored-by: David Holsgrove <david@apnic.net> * Update tests for helm template arg --show-only Co-authored-by: David Holsgrove <david@apnic.net> * Fix server-serviceaccount tests * serviceAccount: rename enabled to create * statefulSet: add tests for serviceAccount Co-authored-by: Nick Satterly <nick@diabol.se> Co-authored-by: David Holsgrove <david@apnic.net>
#!/usr/bin/env bats
load _helpers
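# Checks how server.serviceAccount.create and server.serviceAccount.name
# affect the rendered templates/server-serviceaccount.yaml.
@test "server/ServiceAccount: specify service account name" {
  # Quoted so a chart path containing whitespace does not word-split.
  cd "$(chart_dir)"

  # Declared separately from the assignments below so that `local` does not
  # replace the exit status of the command substitution.
  local actual

  # create=false: the template is expected to render nothing.
  # `|| echo "---"` hands yq an empty YAML document when helm exits non-zero.
  # NOTE(review): the fallback fires on any helm failure, so this assertion
  # cannot tell "not rendered" apart from an unrelated rendering error.
  actual=$( (helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.dev.enabled=true' \
      --set 'server.serviceAccount.create=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  # A user-supplied name must appear verbatim as metadata.name.
  actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.dev.enabled=true' \
      --set 'server.serviceAccount.name=user-defined-ksa' \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
  [ "${actual}" = "user-defined-ksa" ]

  # Without an explicit name the test expects the release-derived default.
  actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.dev.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.name' | tee /dev/stderr)
  [ "${actual}" = "RELEASE-NAME-vault" ]
}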
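# Checks which forms of server.serviceAccount.annotations end up under
# metadata.annotations of the rendered ServiceAccount.
@test "server/ServiceAccount: specify annotations" {
  # Quoted so a chart path containing whitespace does not word-split.
  cd "$(chart_dir)"

  # Declared separately from the assignments below so that `local` does not
  # replace the exit status of the command substitution.
  local actual

  # dev mode, annotations given as one string: the test expects no "foo"
  # annotation (yq prints "null" for a missing key).
  actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.dev.enabled=true' \
      --set 'server.serviceAccount.annotations=foo: bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "null" ]

  # ha mode, annotations given as one string: "foo" is expected to be set.
  actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.serviceAccount.annotations=foo: bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]

  # ha mode, annotations given as a map key: same expected result.
  actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      --set 'server.serviceAccount.annotations.foo=bar' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "bar" ]

  # ha mode, no annotations supplied: nothing is expected under "foo".
  actual=$(helm template \
      --show-only templates/server-serviceaccount.yaml \
      --set 'server.ha.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.metadata.annotations["foo"]' | tee /dev/stderr)
  [ "${actual}" = "null" ]
}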
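# Asserts that nothing is rendered when global.enabled=false, for each of the
# dev, ha and standalone server modes.
#
# NOTE(review): the test is named for the ServiceAccount but renders
# templates/server-service.yaml, so the ServiceAccount template is not
# exercised here. Confirm whether templates/server-serviceaccount.yaml was
# intended; as written, this test gives no assurance that the ServiceAccount
# is withheld when the chart is disabled.
@test "server/ServiceAccount: disable with global.enabled false" {
  # Quoted so a chart path containing whitespace does not word-split.
  cd "$(chart_dir)"

  # Declared separately from the assignments below so that `local` does not
  # replace the exit status of the command substitution.
  local actual

  # `|| echo "---"` hands yq an empty YAML document when helm exits non-zero.
  # NOTE(review): the fallback fires on any helm failure, so these assertions
  # also pass when rendering fails for an unrelated reason.
  actual=$( (helm template \
      --show-only templates/server-service.yaml \
      --set 'server.dev.enabled=true' \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  actual=$( (helm template \
      --show-only templates/server-service.yaml \
      --set 'server.ha.enabled=true' \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  actual=$( (helm template \
      --show-only templates/server-service.yaml \
      --set 'server.standalone.enabled=true' \
      --set 'global.enabled=false' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}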
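# Asserts that nothing is rendered when injector.externalVaultAddr is set,
# for each of the dev, ha and standalone server modes.
#
# NOTE(review): the test is named for the ServiceAccount but renders
# templates/server-service.yaml, so the ServiceAccount template is not
# exercised here. Confirm whether templates/server-serviceaccount.yaml was
# intended; as written, this test gives no assurance that the ServiceAccount
# is withheld when an external Vault address is configured.
@test "server/ServiceAccount: disable by injector.externalVaultAddr" {
  # Quoted so a chart path containing whitespace does not word-split.
  cd "$(chart_dir)"

  # Declared separately from the assignments below so that `local` does not
  # replace the exit status of the command substitution.
  local actual

  # `|| echo "---"` hands yq an empty YAML document when helm exits non-zero.
  # NOTE(review): the fallback fires on any helm failure, so these assertions
  # also pass when rendering fails for an unrelated reason.
  actual=$( (helm template \
      --show-only templates/server-service.yaml \
      --set 'server.dev.enabled=true' \
      --set 'injector.externalVaultAddr=http://vault-outside' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  actual=$( (helm template \
      --show-only templates/server-service.yaml \
      --set 'server.ha.enabled=true' \
      --set 'injector.externalVaultAddr=http://vault-outside' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]

  actual=$( (helm template \
      --show-only templates/server-service.yaml \
      --set 'server.standalone.enabled=true' \
      --set 'injector.externalVaultAddr=http://vault-outside' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}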