allow reference to existing secret as imagePullSecret
Allows reference to existing secrets for imagePullSecrets without passing the secret itself. This enables management of secrets by an external system like sealedsecrets and prevents the secret data from being stored in Helm. It works by allowing use of the installation's imagePullSecret field directly instead of the toplevel imagePullSecrets field.
1 parent
4bbda7d
commit 9ca05e4
Showing
8 changed files
with
217 additions
and
18 deletions.
@@ -0,0 +1,29 @@ | ||
package charttest | ||
|
||
import ( | ||
"os/exec" | ||
"testing" | ||
|
||
"github.com/onsi/ginkgo/reporters" | ||
"github.com/projectcalico/calico/libcalico-go/lib/testutils" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
func init() { | ||
testutils.HookLogrusForGinkgo() | ||
} | ||
|
||
func TestHelm(t *testing.T) { | ||
// testutils.HookLogrusForGinkgo() | ||
RegisterFailHandler(Fail) | ||
junitReporter := reporters.NewJUnitReporter("../../report/helm_suite.xml") | ||
|
||
_, err := exec.LookPath("helm") | ||
if err != nil { | ||
t.Skip("skipping exec tests since 'helm' is not installed") | ||
} | ||
|
||
RunSpecsWithDefaultAndCustomReporters(t, "Helm Suite", []Reporter{junitReporter}) | ||
} |
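Review bot: The `t.Skip` in `TestHelm` turns a missing `helm` binary into a passing run, so on a runner without helm none of the chart assertions execute, including the one that checks no Secret is rendered for referenced pull secrets. If this suite is meant to gate CI, consider failing there instead, for example calling `t.Fatal` when the pipeline's own CI marker is set and skipping only on developer machines. The commented-out `// testutils.HookLogrusForGinkgo()` duplicates the call already made in `init()` and can be dropped.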
@@ -0,0 +1,112 @@ | ||
// Package charttest uses 'helm template' to render the helm package with various input values, | ||
// unmarshals the resulting yaml into kubernetes resource types, and then tests that the correct fields | ||
// are set accordingly. | ||
package charttest | ||
|
||
import ( | ||
"path/filepath" | ||
|
||
corev1 "k8s.io/api/core/v1" | ||
|
||
"github.com/gruntwork-io/terratest/modules/helm" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
var _ = Describe("Tigera Operator Helm Chart", func() { | ||
Describe("image pull secrets", func() { | ||
Context("using toplevel config field", func() { | ||
opts := &helm.Options{ | ||
SetValues: map[string]string{ | ||
"imagePullSecrets.my-secret": "secret1", | ||
}, | ||
} | ||
|
||
It("sets imagePullSecrets on serviceaccount", func() { | ||
var serviceAccount corev1.ServiceAccount | ||
err := renderChartResource(opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount) | ||
Expect(err).ToNot(HaveOccurred()) | ||
Expect(serviceAccount.ImagePullSecrets).To(ConsistOf( | ||
corev1.LocalObjectReference{Name: "my-secret"}, | ||
)) | ||
}) | ||
|
||
It("creates a secret", func() { | ||
var secret corev1.Secret | ||
err := renderChartResource(opts, "templates/tigera-operator/01-imagepullsecret.yaml", &secret) | ||
Expect(err).ToNot(HaveOccurred()) | ||
Expect(secret.Name).To(Equal("my-secret")) | ||
Expect(secret.Data).To(Equal(map[string][]byte{ | ||
".dockerconfigjson": []byte("secret1"), | ||
})) | ||
}) | ||
}) | ||
|
||
Context("using installation's config field", func() { | ||
opts := &helm.Options{ | ||
SetValues: map[string]string{ | ||
"installation.imagePullSecrets[0].name": "my-secret", | ||
}, | ||
} | ||
|
||
It("sets imagePullSecrets on serviceaccount", func() { | ||
var serviceAccount corev1.ServiceAccount | ||
err := renderChartResource(opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount) | ||
Expect(err).ToNot(HaveOccurred()) | ||
Expect(serviceAccount.ImagePullSecrets).To(ConsistOf( | ||
corev1.LocalObjectReference{Name: "my-secret"}, | ||
)) | ||
}) | ||
|
||
It("does not create a secret", func() { | ||
// assert an error occured. no other way to assert "file was not rendered" | ||
err := renderChartResource(opts, "templates/tigera-operator/01-imagepullsecret.yaml", &corev1.Secret{}) | ||
Expect(err).To(HaveOccurred()) | ||
}) | ||
}) | ||
|
||
Describe("using both toplevel and installation fields", func() { | ||
opts := &helm.Options{ | ||
SetValues: map[string]string{ | ||
"imagePullSecrets.secret-1": "secret1", | ||
"installation.imagePullSecrets[0].name": "secret-2", | ||
}, | ||
} | ||
|
||
It("sets both imagePullSecrets on serviceaccount", func() { | ||
var serviceAccount corev1.ServiceAccount | ||
err := renderChartResource(opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount) | ||
Expect(err).ToNot(HaveOccurred()) | ||
Expect(serviceAccount.ImagePullSecrets).To(ConsistOf( | ||
corev1.LocalObjectReference{Name: "secret-1"}, | ||
corev1.LocalObjectReference{Name: "secret-2"}, | ||
)) | ||
}) | ||
|
||
It("only creates a secret for the toplevel secret", func() { | ||
var secret corev1.Secret | ||
err := renderChartResource(opts, "templates/tigera-operator/01-imagepullsecret.yaml", &secret) | ||
Expect(err).ToNot(HaveOccurred()) | ||
Expect(secret.Name).To(Equal("secret-1")) | ||
Expect(secret.Data).To(Equal(map[string][]byte{ | ||
".dockerconfigjson": []byte("secret1"), | ||
})) | ||
}) | ||
}) | ||
}) | ||
}) | ||
|
||
func renderChartResource(options *helm.Options, templatePath string, into any) error { | ||
helmChartPath, err := filepath.Abs("../tigera-operator") | ||
if err != nil { | ||
return err | ||
} | ||
|
||
output, err := helm.RenderTemplateE(GinkgoT(), options, helmChartPath, "tigera-operator", []string{templatePath}) | ||
if err != nil { | ||
return err | ||
} | ||
helm.UnmarshalK8SYaml(GinkgoT(), output, &into) | ||
return nil | ||
} |
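Review bot: The "does not create a secret" spec passes on any render error, because `Expect(err).To(HaveOccurred())` cannot tell "this template rendered nothing" from some other failure of the helm invocation, so the property this commit is about (no secret data in the release) is only weakly pinned. If the returned error carries helm's stderr, which is not verifiable from this page, narrow it with something like `Expect(err.Error()).To(ContainSubstring("could not find template"))`. In `renderChartResource`, `into` already holds a pointer, so `&into` hands the unmarshaller a `*any`; passing `into` directly is clearer and does not rely on the decoder unwrapping the interface. A doc comment such as `// renderChartResource renders one chart template with 'helm template' and unmarshals it into the given pointer.` would also help.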
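--- a/charts/tigera-operator/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml
+++ b/charts/tigera-operator/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml
@@ -1,12 +1,6 @@
-{{ $secrets := list }}
-{{ range $name := keys .Values.imagePullSecrets -}}
-{{ $item := dict "name" $name }}
-{{ $secrets = append $secrets $item }}
-{{ end }}
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: tigera-operator
 namespace: {{.Release.Namespace}}
-imagePullSecrets: {{- $secrets | toYaml | nindent 2 }}
+imagePullSecrets: {{- include "tigera-operator.imagePullSecrets" . | nindent 2 }}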
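Review bot: The `imagePullSecrets:` line now relies entirely on the `tigera-operator.imagePullSecrets` helper, which is defined outside this section, and the case where nothing is configured is not covered by the specs shown on this page. The removed code piped an empty list through `toYaml` in that case, so the helper should be confirmed to still emit valid YAML when both `.Values.imagePullSecrets` and `installation.imagePullSecrets` are empty. Names supplied through the installation field are only references, so a comment above the line such as `# Secrets listed under installation.imagePullSecrets are not created by this chart and must already exist in the release namespace.` would make that contract visible.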