Prevent datastore crypto key secret from being created when existing value provided

Fix unit test syntax

Author: bmarick

templates/secrets_datastore_crypto_key.yaml

@@ -2,7 +2,7 @@
 {{- $deprecated_crypto_key := (default (dict) (default (dict) .Values.secrets).st2).datastore_crypto_key }}
 {{- if $deprecated_crypto_key }}
 {{- fail "Please update your values! The datastore_crypto_key value moved from secrets.st2.* to st2.*" }}
-{{- else if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
+{{- else if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 ---
 apiVersion: v1
 kind: Secret

tests/unit/labels_test.yaml

@@ -51,61 +51,61 @@ tests:
           # st2client, st2chatops
 
       # each of these should be the same, but there is no test for that:
-      #   metdata.labels.[app.kubernetes.io/name]
-      #   spec.selector.matchLabels.[app.kubernetes.io/name]
-      #   spec.template.metadata.labels.[app.kubernetes.io/name]
+      #   metdata.labels["app.kubernetes.io/name"]
+      #   spec.selector.matchLabels["app.kubernetes.io/name"]
+      #   spec.template.metadata.labels["app.kubernetes.io/name"]
       # So, we use isNotNull instead.
       # see: https://github.com/quintush/helm-unittest/issues/122
       - isNotNull:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
       - isNotNull:
-          path: spec.selector.matchLabels.[app.kubernetes.io/name]
+          path: spec.selector.matchLabels["app.kubernetes.io/name"]
       - isNotNull:
-          path: spec.template.metadata.labels.[app.kubernetes.io/name]
+          path: spec.template.metadata.labels["app.kubernetes.io/name"]
 
       - equal: &metadata_labels_instance
-          path: metadata.labels.[app.kubernetes.io/instance]
+          path: metadata.labels["app.kubernetes.io/instance"]
           value: some-release-name
       - equal:
-          path: spec.selector.matchLabels.[app.kubernetes.io/instance]
+          path: spec.selector.matchLabels["app.kubernetes.io/instance"]
           value: some-release-name
       - equal: &spec_template_metadata_labels_instance
-          path: spec.template.metadata.labels.[app.kubernetes.io/instance]
+          path: spec.template.metadata.labels["app.kubernetes.io/instance"]
           value: some-release-name
 
       - matchRegex: &regex_metadata_labels_component_backend_or_frontend
-          path: metadata.labels.[app.kubernetes.io/component]
+          path: metadata.labels["app.kubernetes.io/component"]
           pattern: ^(backend|frontend)$
       - matchRegex: &regex_spec_template_metadata_labels_component_backend_or_frontend
-          path: spec.template.metadata.labels.[app.kubernetes.io/component]
+          path: spec.template.metadata.labels["app.kubernetes.io/component"]
           pattern: ^(backend|frontend)$
 
       - equal: &metadata_labels_part_of
-          path: metadata.labels.[app.kubernetes.io/part-of]
+          path: metadata.labels["app.kubernetes.io/part-of"]
           value: stackstorm
       - equal: &spec_template_metadata_labels_part_of
-          path: spec.template.metadata.labels.[app.kubernetes.io/part-of]
+          path: spec.template.metadata.labels["app.kubernetes.io/part-of"]
           value: stackstorm
 
       - equal: &metadata_labels_app_version
-          path: metadata.labels.[app.kubernetes.io/version]
+          path: metadata.labels["app.kubernetes.io/version"]
           value: *appVersion
       - equal: &spec_template_metadata_labels_app_version
-          path: spec.template.metadata.labels.[app.kubernetes.io/version]
+          path: spec.template.metadata.labels["app.kubernetes.io/version"]
           value: *appVersion
 
       - equal: &metadata_labels_chart
-          path: metadata.labels.[helm.sh/chart]
+          path: metadata.labels["helm.sh/chart"]
           value: stackstorm-ha-1.0.999
       - equal: &spec_template_metadata_labels_chart
-          path: spec.template.metadata.labels.[helm.sh/chart]
+          path: spec.template.metadata.labels["helm.sh/chart"]
           value: stackstorm-ha-1.0.999
 
       - equal: &metadata_labels_managed_by
-          path: metadata.labels.[app.kubernetes.io/managed-by]
+          path: metadata.labels["app.kubernetes.io/managed-by"]
           value: Helm
       - equal: &spec_template_metadata_labels_managed_by
-          path: spec.template.metadata.labels.[app.kubernetes.io/managed-by]
+          path: spec.template.metadata.labels["app.kubernetes.io/managed-by"]
           value: Helm
 
   - it: Jobs+Pods have requried labels
@@ -152,21 +152,21 @@ tests:
       # unlike deployments, jobs should not have selector.matchLabels
 
       # like deployments each of these should be the same:
-      #   metdata.labels.[app.kubernetes.io/name]
-      #   spec.template.metadata.labels.[app.kubernetes.io/name]
+      #   metdata.labels["app.kubernetes.io/name"]
+      #   spec.template.metadata.labels["app.kubernetes.io/name"]
       - isNotNull:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
       - isNotNull:
-          path: spec.template.metadata.labels.[app.kubernetes.io/name]
+          path: spec.template.metadata.labels["app.kubernetes.io/name"]
 
       - equal: *metadata_labels_instance
       - equal: *spec_template_metadata_labels_instance
 
       - matchRegex:
-          path: metadata.labels.[app.kubernetes.io/component]
+          path: metadata.labels["app.kubernetes.io/component"]
           pattern: ^(backend|tests)$
       - matchRegex:
-          path: spec.template.metadata.labels.[app.kubernetes.io/component]
+          path: spec.template.metadata.labels["app.kubernetes.io/component"]
           pattern: ^(backend|tests)$
 
       - equal: *metadata_labels_part_of
@@ -193,7 +193,7 @@ tests:
           # st2auth, st2api, st2stream, st2web, st2chatops
 
       - isNotNull:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
       - equal: *metadata_labels_instance
       - matchRegex: *regex_metadata_labels_component_backend_or_frontend
       - equal: *metadata_labels_part_of
@@ -211,11 +211,11 @@ tests:
       - hasDocuments:
           count: 1
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: stackstorm-ha
       - equal: *metadata_labels_instance
       - equal: &metadata_labels_component_backend
-          path: metadata.labels.[app.kubernetes.io/component]
+          path: metadata.labels["app.kubernetes.io/component"]
           value: backend
       - equal: *metadata_labels_part_of
       - equal: *metadata_labels_app_version
@@ -253,11 +253,11 @@ tests:
       - hasDocuments:
           count: 1
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: ingress
       - equal: *metadata_labels_instance
       - equal:
-          path: metadata.labels.[app.kubernetes.io/component]
+          path: metadata.labels["app.kubernetes.io/component"]
           value: frontend
       - equal: *metadata_labels_part_of
       - equal: *metadata_labels_app_version
@@ -284,7 +284,7 @@ tests:
       - hasDocuments:
           count: 1
       - equal: &metadata_labels_app_eq_st2
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: st2
       - equal: *metadata_labels_instance
       - equal: *metadata_labels_component_backend
@@ -323,7 +323,7 @@ tests:
       - hasDocuments:
           count: 1
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: st2chatops
       - equal: *metadata_labels_instance
       - equal: *metadata_labels_component_backend
@@ -347,11 +347,11 @@ tests:
       - hasDocuments:
           count: 1
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: st2 # should this be st2web?
       - equal: *metadata_labels_instance
       - equal:
-          path: metadata.labels.[app.kubernetes.io/component]
+          path: metadata.labels["app.kubernetes.io/component"]
           value: backend # should this be frontend?
       - equal: *metadata_labels_part_of
       - equal: *metadata_labels_app_version

tests/unit/post_start_script_test.yaml

@@ -32,9 +32,9 @@ tests:
       - isAPIVersion:
           of: v1
       - isNotEmpty:
-          path: data.[post-start.sh]
+          path: data["post-start.sh"]
       - equal:
-          path: data.[post-start.sh]
+          path: data["post-start.sh"]
           value: |
             #!/bin/bash
             mkdir -p /home/yelnats/.ssh
@@ -85,9 +85,9 @@ tests:
       - isAPIVersion:
           of: v1
       - isNotEmpty:
-          path: data.[post-start.sh]
+          path: data["post-start.sh"]
       - matchRegex:
-          path: data.[post-start.sh]
+          path: data["post-start.sh"]
           # (?m) = multi-line mode: ^ and $ match begin/end line in addition to begin/end text
           # (?s) = let . match \n
           # .*? = any character zero or more times, prefer fewer
@@ -107,7 +107,7 @@ tests:
       # st2actionrunner and st2client do not have checksum annotations
       # (even though they probably should)
       - isNull: &assert_checksum
-          path: spec.template.metadata.annotations.[checksum/post-start-script]
+          path: spec.template.metadata.annotations["checksum/post-start-script"]
 
       # only st2actionrunner and st2client have default postStart scripts
       - equal: &assert_lifecycle

tests/unit/secrets_test.yaml

@@ -2,6 +2,7 @@
 suite: Secret files
 templates:
   # primary template files
+  - secrets_datastore_crypto_key.yaml
   - secrets_st2auth.yaml
   - deployments.yaml
   - jobs.yaml
@@ -113,3 +114,111 @@ tests:
           path: spec.template.spec.initContainers[1].envFrom[1].secretRef.name
           value: "hello-world"
         documentIndex: 1 # st2-key-load
+
+  - it: ST2 Datastore Crypto Key Secret include by default
+    template: secrets_datastore_crypto_key.yaml
+    set:
+      st2: {}
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isNotEmpty:
+          path: data.datastore_crypto_key
+        documentIndex: 0
+
+  - it: ST2 Datastore Crypto Key Secret set custom username and password
+    template: secrets_datastore_crypto_key.yaml
+    set:
+      st2:
+        datastore_crypto_key: >-
+          {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: data.datastore_crypto_key
+          value: "eyJobWFjS2V5IjogeyJobWFjS2V5U3RyaW5nIjogIiIsICJzaXplIjogMjU2fSwgInNpemUiOiAyNTYsICJhZXNLZXlTdHJpbmciOiAiIiwgIm1vZGUiOiAiQ0JDIn0=" # Base64 encoded value
+
+  - it: ST2 Datastore Crypto Key Secret disable generation
+    template: secrets_datastore_crypto_key.yaml
+    set:
+      st2:
+        existingDatastoreSecret: "hello-world"
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: ST2 Datastore Crypto Key Secret custom secret Name
+    template: deployments.yaml
+    set:
+      st2:
+        existingDatastoreSecret: "hello-world"
+      st2chatops:
+        enabled: true
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 14
+      - equal:
+          path: metadata.name
+          value: st2ha-st2api
+        documentIndex:  &deployment_st2api_doc 1
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2api_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2rulesengine
+        documentIndex:  &deployment_st2rulesengine_doc 4
+      - equal:
+          path: spec.template.spec.volumes[1].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2rulesengine_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2workflowengine
+        documentIndex:  &deployment_st2workflowengine_doc 6
+      - equal:
+          path: spec.template.spec.volumes[1].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2workflowengine_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2scheduler
+        documentIndex:  &deployment_st2scheduler_doc 7
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2scheduler_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2sensorcontainer
+        documentIndex:  &deployment_st2sensorcontainer_doc 9
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2sensorcontainer_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2actionrunner
+        documentIndex:  &deployment_st2actionrunner_doc 10
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2actionrunner_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2client
+        documentIndex:  &deployment_st2client_doc 12
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2client_doc