Merge pull request #112 from GDATASoftwareAG/111-mismatch-between-globalimagepullsecrets-for-vaas-and-redis

accept only object based imagepullsecrets

Author: doxthree

.github/workflows/ci.yaml

@@ -49,6 +49,9 @@ jobs:
       - name: Set up chart-testing
         uses: helm/[email protected]
 
+      - name: Install helm unittest
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest.git
+
       - name: Extract tag
         id: extract_tag
         run: |
@@ -61,6 +64,9 @@ jobs:
       - name: Run chart-testing (lint)
         run: ct lint --validate-maintainers=false --charts vaas-helm/charts/vaas
 
+      - name: Run helm unittest
+        run: helm unittest --strict vaas-helm/charts/vaas
+
       - name: Install Minikube
         uses: manusa/[email protected]
         with:

README.md

@@ -44,7 +44,9 @@ You need to substitute the username and password with the credentials we provide
 ```yaml
 global:
   imagePullSecrets:
-    - my-image-pull-secret
+    - name: my-image-pull-secret
+    - name: my-other-image-pull-secret
+    ...
 ```
 
 

charts/vaas/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 3.0.3
+version: 3.1.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG

charts/vaas/templates/gateway/_helpers.tpl

@@ -25,29 +25,27 @@ If release name contains chart name it will be used as a full name.
 
 {{- define "gateway.imagePullSecrets" -}}
 {{- $ips := .Values.global.imagePullSecrets | default (list) -}}
+
+{{- range $i, $e := $ips }}
+  {{- if not (kindIs "map" $e) -}}
+    {{- fail (printf "global.imagePullSecrets[%d] must be an object with 'name' (or 'secretName'), not %s" $i (kindOf $e)) -}}
+  {{- end -}}
+  {{- $n := (get $e "name") | default (get $e "secretName") -}}
+  {{- if not $n -}}
+    {{- fail (printf "global.imagePullSecrets[%d] must contain key 'name' or 'secretName'. Got keys: %v" $i (keys $e)) -}}
+  {{- end -}}
+{{- end }}
+
 {{- $hasIps := gt (len $ips) 0 -}}
 {{- $hasLocal := .Values.imagePullSecret -}}
 {{- $hasGlobalImagePullSecret := ((.Values.global).secret).imagePullSecret -}}
 {{- $hasGlobalDockerconfig := ((.Values.global).secret).dockerconfigjson -}}
 
 {{- if or $hasIps $hasLocal $hasGlobalImagePullSecret $hasGlobalDockerconfig }}
 imagePullSecrets:
-  {{- range $i, $entry := $ips }}
-    {{- if kindIs "string" $entry }}
-  - name: {{ $entry }}
-    {{- else if kindIs "map" $entry }}
-      {{- if hasKey $entry "name" }}
-  - name: {{ get $entry "name" }}
-      {{- else if hasKey $entry "secretName" }}
-  - name: {{ get $entry "secretName" }}
-      {{- else }}
-      {{- fail (printf "global.imagePullSecrets[%d] must have key 'name' (or 'secretName'). Got keys: %v" $i (keys $entry)) }}
-      {{- end }}
-    {{- else }}
-    {{- fail (printf "global.imagePullSecrets[%d] has unsupported kind %s (type %s)" $i (kindOf $entry) (typeOf $entry)) }}
-    {{- end }}
+  {{- range $i, $e := $ips }}
+  - name: {{ (get $e "name") | default (get $e "secretName") }}
   {{- end }}
-
   {{- if $hasLocal }}
   - name: {{ include "gateway.fullname" . }}-image-pull-secret
   {{- end }}
@@ -58,12 +56,11 @@ imagePullSecrets:
   - name: {{ include "gateway.fullname" . }}-global-dockerconfigjson
   {{- end }}
 {{- else -}}
-{{- fail "You have to set at least one imagePullSecret (global.imagePullSecrets, imagePullSecret, global.secret.imagePullSecret or global.secret.dockerconfigjson)" }}
+{{- fail "You have to set at least one imagePullSecret: use global.imagePullSecrets (objects with 'name'/'secretName') or set imagePullSecret/global.secret.*" }}
 {{- end -}}
 {{- end -}}
 
 
-
 {{/*
 Create chart name and version as used by the chart label.
 */}}

charts/vaas/templates/gdscan/_helpers.tpl

@@ -44,29 +44,27 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 
 {{- define "gdscan.imagePullSecrets" -}}
 {{- $ips := .Values.global.imagePullSecrets | default (list) -}}
+
+{{- range $i, $e := $ips }}
+  {{- if not (kindIs "map" $e) -}}
+    {{- fail (printf "global.imagePullSecrets[%d] must be an object with 'name' (or 'secretName'), not %s" $i (kindOf $e)) -}}
+  {{- end -}}
+  {{- $n := (get $e "name") | default (get $e "secretName") -}}
+  {{- if not $n -}}
+    {{- fail (printf "global.imagePullSecrets[%d] must contain key 'name' or 'secretName'. Got keys: %v" $i (keys $e)) -}}
+  {{- end -}}
+{{- end }}
+
 {{- $hasIps := gt (len $ips) 0 -}}
 {{- $hasLocal := .Values.imagePullSecret -}}
 {{- $hasGlobalImagePullSecret := ((.Values.global).secret).imagePullSecret -}}
 {{- $hasGlobalDockerconfig := ((.Values.global).secret).dockerconfigjson -}}
 
 {{- if or $hasIps $hasLocal $hasGlobalImagePullSecret $hasGlobalDockerconfig }}
 imagePullSecrets:
-  {{- range $i, $entry := $ips }}
-    {{- if kindIs "string" $entry }}
-  - name: {{ $entry }}
-    {{- else if kindIs "map" $entry }}
-      {{- if hasKey $entry "name" }}
-  - name: {{ get $entry "name" }}
-      {{- else if hasKey $entry "secretName" }}
-  - name: {{ get $entry "secretName" }}
-      {{- else }}
-      {{- fail (printf "global.imagePullSecrets[%d] must have key 'name' (or 'secretName'). Got keys: %v" $i (keys $entry)) }}
-      {{- end }}
-    {{- else }}
-    {{- fail (printf "global.imagePullSecrets[%d] has unsupported kind %s (type %s)" $i (kindOf $entry) (typeOf $entry)) }}
-    {{- end }}
+  {{- range $i, $e := $ips }}
+  - name: {{ (get $e "name") | default (get $e "secretName") }}
   {{- end }}
-
   {{- if $hasLocal }}
   - name: {{ include "gdscan.fullname" . }}-image-pull-secret
   {{- end }}
@@ -77,7 +75,7 @@ imagePullSecrets:
   - name: {{ include "gdscan.fullname" . }}-global-dockerconfigjson
   {{- end }}
 {{- else -}}
-{{- fail "You have to set at least one imagePullSecret (global.imagePullSecrets, imagePullSecret, global.secret.imagePullSecret or global.secret.dockerconfigjson)" }}
+{{- fail "You have to set at least one imagePullSecret: use global.imagePullSecrets (objects with 'name'/'secretName') or set imagePullSecret/global.secret.*" }}
 {{- end -}}
 {{- end -}}
 

charts/vaas/templates/imagepullsecrets-test.yaml

@@ -0,0 +1,13 @@
+{{- $tests := .Values._tests | default dict -}}
+{{- if (get $tests "enableImagePullSecretsTest") }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: imagepullsecrets-test
+spec:
+  {{- $_ := include "gateway.imagePullSecrets" . -}}
+  {{- include "gateway.imagePullSecrets" . | nindent 2 }}
+  containers:
+    - name: noop
+      image: scratch
+{{- end }}

charts/vaas/tests/imagepullsecrets_test.yaml

@@ -0,0 +1,29 @@
+suite: imagePullSecrets helper
+templates:
+  - templates/imagepullsecrets-test.yaml
+
+tests:
+  - it: renders with object {name}
+    values: [values/ok_object.yaml]
+    asserts:
+      - isKind: { of: Pod }
+      - contains:
+          path: spec.imagePullSecrets
+          content: { name: ghcr-pull }
+
+  - it: renders with global.secret.* only
+    values: [values/ok_global_secret.yaml]
+    asserts:
+      - isKind: { of: Pod }
+      - contains:
+          path: spec.imagePullSecrets
+          content: { name: gateway-global-image-pull-secret }
+      - contains:
+          path: spec.imagePullSecrets
+          content: { name: gateway-global-dockerconfigjson }
+
+  - it: fails on string entry
+    values: [values/fail_string.yaml]
+    asserts:
+      - failedTemplate:
+          errorPattern: "must be an object with 'name'"

charts/vaas/tests/values/fail_string.yaml

@@ -0,0 +1,7 @@
+_tests:
+  enableImagePullSecretsTest: true
+global:
+  imagePullSecrets:
+    - my-secret
+redis:
+  enabled: false

charts/vaas/tests/values/ok_global_secret.yaml

@@ -0,0 +1,11 @@
+_tests:
+  enableImagePullSecretsTest: true
+
+global:
+  imagePullSecrets: []
+  secret:
+    imagePullSecret: "e30K"
+    dockerconfigjson: "e30K"
+
+redis:
+  enabled: false

charts/vaas/tests/values/ok_object.yaml

@@ -0,0 +1,7 @@
+_tests:
+  enableImagePullSecretsTest: true
+global:
+  imagePullSecrets:
+    - name: ghcr-pull
+redis:
+  enabled: false