From 2816f6ab5551c187e3ae4df43e0d46436dbdb841 Mon Sep 17 00:00:00 2001
From: rasta-rocket
Date: Wed, 29 Jan 2020 12:23:55 +0100
Subject: [PATCH] feat: add AGENT_INJECT_VAULT_AUTH_PATH option to the injector

* Add related unit tests
---
 templates/injector-deployment.yaml | 2 ++
 test/unit/injector-deployment.bats | 45 ++++++++++++++++++++++++++----
 values.yaml | 5 +++-
 3 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 23629154a..16f622375 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -45,6 +45,8 @@ spec:
 {{- else }}
 value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}
 {{- end }}
+- name: AGENT_INJECT_VAULT_AUTH_PATH
+value: {{ .Values.injector.authPath }}
 - name: AGENT_INJECT_VAULT_IMAGE
 value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}"
 {{- if .Values.injector.certs.secretName }}
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index cb4d56fc3..fb00ee398 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
@@ -117,19 +117,19 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
 local actual=$(echo $object |
-yq -r '.[4].name' | tee /dev/stderr)
+yq -r '.[5].name' | tee /dev/stderr)
 [ "${actual}" = "AGENT_INJECT_TLS_CERT_FILE" ]
 
 local actual=$(echo $object |
-yq -r '.[4].value' | tee /dev/stderr)
+yq -r '.[5].value' | tee /dev/stderr)
 [ "${actual}" = "/etc/webhook/certs/test.crt" ]
 
 local actual=$(echo $object |
-yq -r '.[5].name' | tee /dev/stderr)
+yq -r '.[6].name' | tee /dev/stderr)
 [ "${actual}" = "AGENT_INJECT_TLS_KEY_FILE" ]
 
 local actual=$(echo $object |
-yq -r '.[5].value' | tee /dev/stderr)
+yq -r '.[6].value' | tee /dev/stderr)
 [ "${actual}" = "/etc/webhook/certs/test.key" ]
 }
 
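Review bot: The new `value: {{ .Values.injector.authPath }}` line is rendered unquoted, unlike the `AGENT_INJECT_VAULT_IMAGE` value two lines below it. A Kubernetes env `value` must be a string, so an override such as `--set injector.authPath=` renders `value:` as null, and a path that looks like a number or contains `: ` or ` #` either changes type or breaks the manifest at render time. Quoting it matches the chart's existing style: `value: "{{ .Values.injector.authPath }}"`. The `env` list this hunk edits starts and ends outside the hunk.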
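Review bot: The assertions at `.[5].name` / `.[6].name` are positional, which is why adding one env entry to the template renumbered every TLS check in this hunk and in the `@@ -147` hunk, and the two new tests in the `@@ -189` hunk hard-code `.[3]` in the same way. Selecting the entry by name would make the tests independent of ordering, e.g. `yq -r '.[] | select(.name == "AGENT_INJECT_TLS_CERT_FILE") | .value'`, and the separate `.name` assertions then become unnecessary. The test function this hunk edits starts before the hunk.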
@@ -147,11 +147,11 @@ load _helpers
 yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
 
 local actual=$(echo $object |
-yq -r '.[4].name' | tee /dev/stderr)
+yq -r '.[5].name' | tee /dev/stderr)
 [ "${actual}" = "AGENT_INJECT_TLS_AUTO" ]
 
 local actual=$(echo $object |
-yq -r '.[5].name' | tee /dev/stderr)
+yq -r '.[6].name' | tee /dev/stderr)
 [ "${actual}" = "AGENT_INJECT_TLS_AUTO_HOSTS" ]
 }
 
@@ -189,3 +189,36 @@ load _helpers
 yq -r '.[2].value' | tee /dev/stderr)
 [ "${actual}" = "http://not-external-test-vault.default.svc:8200" ]
 }
+
+@test "injector/deployment: default authPath" {
+cd `chart_dir`
+local object=$(helm template \
+--show-only templates/injector-deployment.yaml \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+local actual=$(echo $object |
+yq -r '.[3].name' | tee /dev/stderr)
+[ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
+
+local actual=$(echo $object |
+yq -r '.[3].value' | tee /dev/stderr)
+[ "${actual}" = "auth/kubernetes" ]
+}
+
+@test "injector/deployment: custom authPath" {
+cd `chart_dir`
+local object=$(helm template \
+--show-only templates/injector-deployment.yaml \
+--set 'injector.authPath=auth/k8s' \
+. | tee /dev/stderr |
+yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)
+
+local actual=$(echo $object |
+yq -r '.[3].name' | tee /dev/stderr)
+[ "${actual}" = "AGENT_INJECT_VAULT_AUTH_PATH" ]
+
+local actual=$(echo $object |
+yq -r '.[3].value' | tee /dev/stderr)
+[ "${actual}" = "auth/k8s" ]
+}
diff --git a/values.yaml b/values.yaml
index 23a61f734..24cbfd6f0 100644
--- a/values.yaml
+++ b/values.yaml
@@ -32,6 +32,9 @@ injector:
 repository: "vault"
 tag: "1.3.2"
 
+# Mount Path of the Vault Kubernetes Auth Method.
+authPath: "auth/kubernetes"
+
 # namespaceSelector is the selector for restricting the webhook to only
 # specific namespaces. This should be set to a multiline string.
 # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector
@@ -124,7 +127,7 @@ server:
 # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers
 # This is useful if Vault must be signaled, e.g. to send a SIGHUP for log rotation
 shareProcessNamespace: false
-
+
 # extraArgs is a string containing additional Vault server arguments.
 extraArgs: ""
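Review bot: The comment on the new `authPath` key says only that it is a mount path; a chart user also needs to know that the value is handed to the injector as `AGENT_INJECT_VAULT_AUTH_PATH` and must match the path the Kubernetes auth method was enabled at in Vault, or the injected agents will fail to authenticate (the default `auth/kubernetes` is the path `vault auth enable kubernetes` uses). Suggested wording: `# authPath is the mount path of the Kubernetes auth method in Vault. It must match the path the method was enabled at and is passed to the injector as AGENT_INJECT_VAULT_AUTH_PATH.` The `injector:` mapping this key belongs to starts before the hunk.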