From cb9329733167a1408c2d03368614aad4dabb8560 Mon Sep 17 00:00:00 2001
From: ozdanborne <dan@projectcalico.org>
Date: Fri, 19 May 2023 15:11:27 -0400
Subject: [PATCH] feedback

---
 charts/test/tigera_operator_chart_test.go | 80 ++++++++++++-----------
 charts/tigera-operator/README.md          | 15 ++++-
 charts/tigera-operator/values.yaml        |  5 +-
 3 files changed, 56 insertions(+), 44 deletions(-)

diff --git a/charts/test/tigera_operator_chart_test.go b/charts/test/tigera_operator_chart_test.go
index 37731f967a5..64d061e375d 100644
--- a/charts/test/tigera_operator_chart_test.go
+++ b/charts/test/tigera_operator_chart_test.go
@@ -5,68 +5,72 @@ package charttest
 
 import (
 	"path/filepath"
+	"testing"
 
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/gruntwork-io/terratest/modules/helm"
 
-	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
 
-var _ = Describe("Tigera Operator Helm Chart", func() {
-	Describe("image pull secrets", func() {
-		Context("using toplevel config field", func() {
+func TestTigeraOperatorHelmChart(t *testing.T) {
+	t.Run("image pull secrets", func(t *testing.T) {
+		t.Run("using toplevel config field", func(t *testing.T) {
 			opts := &helm.Options{
 				SetValues: map[string]string{
 					"imagePullSecrets.my-secret": "secret1",
 				},
 			}
 
-			It("sets imagePullSecrets on serviceaccount", func() {
+			t.Run("sets imagePullSecrets on serviceaccount", func(t *testing.T) {
+				g := NewWithT(t)
 				var serviceAccount corev1.ServiceAccount
-				err := renderChartResource(opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount)
-				Expect(err).ToNot(HaveOccurred())
-				Expect(serviceAccount.ImagePullSecrets).To(ConsistOf(
+				err := renderChartResource(t, opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount)
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(serviceAccount.ImagePullSecrets).To(ConsistOf(
 					corev1.LocalObjectReference{Name: "my-secret"},
 				))
 			})
 
-			It("creates a secret", func() {
+			t.Run("creates a secret", func(t *testing.T) {
+				g := NewWithT(t)
 				var secret corev1.Secret
-				err := renderChartResource(opts, "templates/tigera-operator/01-imagepullsecret.yaml", &secret)
-				Expect(err).ToNot(HaveOccurred())
-				Expect(secret.Name).To(Equal("my-secret"))
-				Expect(secret.Data).To(Equal(map[string][]byte{
+				err := renderChartResource(t, opts, "templates/tigera-operator/01-imagepullsecret.yaml", &secret)
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(secret.Name).To(Equal("my-secret"))
+				g.Expect(secret.Data).To(Equal(map[string][]byte{
 					".dockerconfigjson": []byte("secret1"),
 				}))
 			})
 		})
 
-		Context("using installation's config field", func() {
+		t.Run("using installation's config field", func(t *testing.T) {
 			opts := &helm.Options{
 				SetValues: map[string]string{
 					"installation.imagePullSecrets[0].name": "my-secret",
 				},
 			}
 
-			It("sets imagePullSecrets on serviceaccount", func() {
+			t.Run("sets imagePullSecrets on serviceaccount", func(t *testing.T) {
+				g := NewWithT(t)
 				var serviceAccount corev1.ServiceAccount
-				err := renderChartResource(opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount)
-				Expect(err).ToNot(HaveOccurred())
-				Expect(serviceAccount.ImagePullSecrets).To(ConsistOf(
+				err := renderChartResource(t, opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount)
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(serviceAccount.ImagePullSecrets).To(ConsistOf(
 					corev1.LocalObjectReference{Name: "my-secret"},
 				))
 			})
 
-			It("does not create a secret", func() {
+			t.Run("does not create a secret", func(t *testing.T) {
+				g := NewWithT(t)
 				// assert an error occured. no other way to assert "file was not rendered"
-				err := renderChartResource(opts, "templates/tigera-operator/01-imagepullsecret.yaml", &corev1.Secret{})
-				Expect(err).To(HaveOccurred())
+				err := renderChartResource(t, opts, "templates/tigera-operator/01-imagepullsecret.yaml", &corev1.Secret{})
+				g.Expect(err).To(HaveOccurred())
 			})
 		})
 
-		Describe("using both toplevel and installation fields", func() {
+		t.Run("using both toplevel and installation fields", func(t *testing.T) {
 			opts := &helm.Options{
 				SetValues: map[string]string{
 					"imagePullSecrets.secret-1":             "secret1",
@@ -74,39 +78,39 @@ var _ = Describe("Tigera Operator Helm Chart", func() {
 				},
 			}
 
-			It("sets both imagePullSecrets on serviceaccount", func() {
+			t.Run("sets both imagePullSecrets on serviceaccount", func(t *testing.T) {
+				g := NewWithT(t)
 				var serviceAccount corev1.ServiceAccount
-				err := renderChartResource(opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount)
-				Expect(err).ToNot(HaveOccurred())
-				Expect(serviceAccount.ImagePullSecrets).To(ConsistOf(
+				err := renderChartResource(t, opts, "templates/tigera-operator/02-serviceaccount-tigera-operator.yaml", &serviceAccount)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(serviceAccount.ImagePullSecrets).To(ConsistOf(
 					corev1.LocalObjectReference{Name: "secret-1"},
 					corev1.LocalObjectReference{Name: "secret-2"},
 				))
 			})
 
-			It("only creates a secret for the toplevel secret", func() {
+			t.Run("only creates a secret for the toplevel secret", func(t *testing.T) {
+				g := NewWithT(t)
 				var secret corev1.Secret
-				err := renderChartResource(opts, "templates/tigera-operator/01-imagepullsecret.yaml", &secret)
-				Expect(err).ToNot(HaveOccurred())
-				Expect(secret.Name).To(Equal("secret-1"))
-				Expect(secret.Data).To(Equal(map[string][]byte{
+				err := renderChartResource(t, opts, "templates/tigera-operator/01-imagepullsecret.yaml", &secret)
+				g.Expect(err).ToNot(HaveOccurred())
+				g.Expect(secret.Name).To(Equal("secret-1"))
+				g.Expect(secret.Data).To(Equal(map[string][]byte{
 					".dockerconfigjson": []byte("secret1"),
 				}))
 			})
 		})
 	})
-})
+}
 
-func renderChartResource(options *helm.Options, templatePath string, into any) error {
+func renderChartResource(t *testing.T, options *helm.Options, templatePath string, into any) error {
 	helmChartPath, err := filepath.Abs("../tigera-operator")
-	if err != nil {
-		return err
-	}
+	Expect(err).ToNot(HaveOccurred())
 
-	output, err := helm.RenderTemplateE(GinkgoT(), options, helmChartPath, "tigera-operator", []string{templatePath})
+	output, err := helm.RenderTemplateE(t, options, helmChartPath, "tigera-operator", []string{templatePath})
 	if err != nil {
 		return err
 	}
-	helm.UnmarshalK8SYaml(GinkgoT(), output, &into)
+	helm.UnmarshalK8SYaml(t, output, &into)
 	return nil
 }
diff --git a/charts/tigera-operator/README.md b/charts/tigera-operator/README.md
index 229f71eaa84..6953eac4a4a 100644
--- a/charts/tigera-operator/README.md
+++ b/charts/tigera-operator/README.md
@@ -87,9 +87,11 @@ ownership of the helm resources to the new chart location.
 The default values.yaml should be suitable for most basic deployments.
 
 ```
-# Image pull secrets to provision for pulling images from private registries.
-# This field is a map of desired Secret name to .dockerconfigjson formatted data to use for the secret.
-# Populates the `imagePullSecrets` property for all Pods controlled by the `Installation` resource.
+# imagePullSecrets is a special helm field which, when specified, creates a secret
+# containing the pull secret which is used to pull all images deployed by this helm chart and the resulting operator.
+# this field is a map where the key is the desired secret name and the value is the contents of the imagePullSecret.
+#
+# Example: --set-file imagePullSecrets.gcr=./pull-secret.json
 imagePullSecrets: {}
 
 # Configures general installation parameters for Calico. Schema is based
@@ -99,6 +101,13 @@ installation:
   enabled: true
   kubernetesProvider: ""
 
+  # imagePullSecrets are configured on all images deployed by the tigera-operator.
+  # secrets specified here must exist in the tigera-operator namespace; they won't be created by the operator or helm.
+  # imagePullSecrets are a slice of LocalObjectReferences, which is the same format they appear as on deployments.
+  #
+  # Example: --set installation.imagePullSecrets[0].name=my-existing-secret
+  imagePullSecrets: []
+
 # Configures general installation parameters for Calico. Schema is based
 # on the operator.tigera.io/Installation API documented
 # here: https://projectcalico.docs.tigera.io/reference/installation/api#operator.tigera.io/v1.APIServerSpec
diff --git a/charts/tigera-operator/values.yaml b/charts/tigera-operator/values.yaml
index 43db79b5d53..566bdb259a3 100644
--- a/charts/tigera-operator/values.yaml
+++ b/charts/tigera-operator/values.yaml
@@ -1,6 +1,5 @@
-# imagePullSecrets are a special helm field which, when specified, creates a secret
-# containing the pull secret and configures operator's serviceaccount to use it to pull the operator image
-# as well as configuring the installation resource so that images launched by the operator will use it as well.
+# imagePullSecrets is a special helm field which, when specified, creates a secret
+# containing the pull secret which is used to pull all images deployed by this helm chart and the resulting operator.
 # this field is a map where the key is the desired secret name and the value is the contents of the imagePullSecret.
 #
 # Example: --set-file imagePullSecrets.gcr=./pull-secret.json