From aa09ab8a2344e3a4f6271542185ca566183ada86 Mon Sep 17 00:00:00 2001 From: John Murret Date: Mon, 10 Oct 2022 10:45:32 -0600 Subject: [PATCH 01/11] set up individual secrets for what used to be HCPConfig secret --- charts/consul/templates/_helpers.tpl | 4 +- .../consul/templates/server-statefulset.yaml | 38 +- charts/consul/values.yaml | 49 ++- cli/preset/cloud_preset.go | 244 +++++++----- cli/preset/cloud_preset_test.go | 357 ++++++++++++++---- 5 files changed, 492 insertions(+), 200 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 06a82fe0b7..79469c8fdd 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl @@ -377,7 +377,7 @@ Usage: {{ template "consul.validateCloudConfiguration" . }} */}} {{- define "consul.validateCloudConfiguration" -}} -{{- if and .Values.global.cloud.enabled (not .Values.global.cloud.secretName) }} -{{fail "When global.cloud.enabled is true, global.cloud.secretName must also be set."}} +{{- if and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} {{ end }} {{- end -}} diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 2986b85b72..2c88c92f5e 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml 
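Review bot: The rewritten condition in `consul.validateCloudConfiguration` tests only the three `secretName` values, so a release with `global.cloud.enabled: true` and a `secretKey` left at its `null` default passes validation and renders an empty `key:` in the server's `secretKeyRef` entries. The check should cover the keys as well, for example by adding `(not .Values.global.cloud.clientSecret.secretKey)` next to each `secretName` test and naming both fields in the `fail` message. The optional `authUrl`, `apiHost` and `scadaAddress` entries have the same gap: when a `secretName` is set, its `secretKey` should be required too.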
@@ -254,42 +254,54 @@ spec: name: {{ .Values.global.acls.replicationToken.secretName | quote }} key: {{ .Values.global.acls.replicationToken.secretKey | quote }} {{- end }} - {{- if and .Values.global.cloud.enabled .Values.global.cloud.secretName }} + {{- if and .Values.global.cloud.enabled}} # These are mounted as secrets so that the consul server agent can use them. # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. # - HCP_RESOURCE_ID is created for use in the # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} - name: HCP_CLIENT_ID valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.secretName }} - key: client-id + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} - name: HCP_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.secretName }} - key: client-secret + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} - name: HCP_RESOURCE_ID valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.secretName }} - key: resource-id + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} - name: HCP_AUTH_URL valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.secretName }} - key: auth-url + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} - name: HCP_API_HOST valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.secretName }} - key: 
api-hostname + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} - name: HCP_SCADA_ADDRESS valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.secretName }} - key: scada-address + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} {{- end }} {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} command: diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 1d89eed9b1..28b0447ec7 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
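Review bot: The new `secretKeyRef` entries render `name:` and `key:` without `| quote`, unlike the `replicationToken` reference in the context lines at the top of this hunk. A secret name or key that YAML reads as a number, boolean or null would therefore reach the pod spec as a non-string. Each pair should be written as `name: {{ .Values.global.cloud.clientId.secretName | quote }}` and `key: {{ .Values.global.cloud.clientId.secretKey | quote }}`. The guard `{{- if and .Values.global.cloud.enabled}}` also calls `and` with a single argument; `{{- if .Values.global.cloud.enabled }}` states the same condition plainly. The container spec continues outside the hunk.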
@@ -654,11 +654,50 @@ global: # self-managed cluster. enabled: false - # The name of the Kubernetes secret that holds the HCP cloud configuration. - # It contains the HCP service principal client_id and client_secret as well - # as the HCP resource_id. - # @type: string - secretName: null + # The name of the Kubernetes secret that holds the HCP cloud client id. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null # Server, when enabled, configures a server cluster to run. This should # be disabled if you plan on connecting to a Consul cluster external to 
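Review bot: No `resourceId` block is added in this hunk, although the templates in this patch read `.Values.global.cloud.resourceId.secretName` and `.secretKey`. Unless it is defined outside the hunk, rendering will presumably fail on a nil lookup wherever that path is evaluated. Add `resourceId:` with `secretName: null` and `secretKey: null` next to `clientId`. The comment above `apiHost` says "HCP cloud client id" where it means the API hostname, and none of the comments say which entries are required when `global.cloud.enabled` is true.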
diff --git a/cli/preset/cloud_preset.go b/cli/preset/cloud_preset.go index 6eef562f3f..9a85ae4d34 100644 --- a/cli/preset/cloud_preset.go +++ b/cli/preset/cloud_preset.go @@ -21,19 +21,24 @@ import ( ) const ( - secretNameHCPConfig = "consul-hcp-config" - secretNameGossipKey = "consul-gossip-key" - secretNameBootstrapToken = "consul-bootstrap-token" - secretNameServerCA = "consul-server-ca" - secretNameServerCert = "consul-server-cert" - secretKeyHCPClientID = "client-id" - secretKeyHCPClientSecret = "client-secret" - secretKeyHCPResourceID = "resource-id" - secretKeyHCPAuthURL = "auth-url" - secretKeyHCPAPIHostname = "api-hostname" - secretKeyHCPScadaAddress = "scada-address" - secretKeyGossipKey = "key" - secretKeyBootstrapToken = "token" + secretNameHCPClientID = "consul-hcp-client-id" + secretNameHCPClientSecret = "consul-hcp-client-secret" + secretNameHCPAPIHostname = "consul-hcp-api-host" + secretNameHCPAuthURL = "consul-hcp-auth-url" + secretNameHCPScadaAddress = "consul-hcp-scada-address" + secretNameHCPResourceID = "consul-hcp-resource-id" + secretNameGossipKey = "consul-gossip-key" + secretNameBootstrapToken = "consul-bootstrap-token" + secretNameServerCA = "consul-server-ca" + secretNameServerCert = "consul-server-cert" + secretKeyHCPClientID = "client-id" + secretKeyHCPClientSecret = "client-secret" + secretKeyHCPResourceID = "resource-id" + secretKeyHCPAuthURL = "auth-url" + secretKeyHCPAPIHostname = "api-hostname" + secretKeyHCPScadaAddress = "scada-address" + secretKeyGossipKey = "key" + secretKeyBootstrapToken = "token" ) // CloudBootstrapConfig represents the response fetched from the agent 
@@ -156,10 +161,26 @@ func (i *CloudPreset) parseBootstrapConfigResponse(bootstrapRepsonse *models.Has return &cbc, nil } +func getOptionalSecretFromHCPConfig(hcpConfigValue, valuesConfigKey, secretName, secretKey string) string { + if hcpConfigValue != "" { + // Need to make sure the below has strict spaces and no tabs + return fmt.Sprintf(`%s: + secretName: %s + secretKey: %s + `, valuesConfigKey, secretName, secretKey) + } + return "" +} + // getHelmConfigWithMapSecretNames maps the secret names were agent bootstrap // config values have been saved, maps them into the Helm values template for // the cloud preset, and returns the value map. func (i *CloudPreset) getHelmConfigWithMapSecretNames(cfg *CloudBootstrapConfig) map[string]interface{} { + apiHostCfg := getOptionalSecretFromHCPConfig(cfg.HCPConfig.APIHostname, "apiHost", secretNameHCPAPIHostname, secretKeyHCPAPIHostname) + authURLCfg := getOptionalSecretFromHCPConfig(cfg.HCPConfig.AuthURL, "authUrl", secretNameHCPAuthURL, secretKeyHCPAuthURL) + scadaAddressCfg := getOptionalSecretFromHCPConfig(cfg.HCPConfig.ScadaAddress, "scadaAddress", secretNameHCPScadaAddress, secretKeyHCPScadaAddress) + + // Need to make sure the below has strict spaces and no tabs values := fmt.Sprintf(` global: datacenter: %s @@ -179,7 +200,18 @@ global: secretKey: %s cloud: enabled: true - secretName: %s + resourceId: + secretName: %s + secretKey: %s + clientId: + secretName: %s + secretKey: %s + clientSecret: + secretName: %s + secretKey: %s + %s + %s + %s server: replicas: %d serverCert: 
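Review bot: `getOptionalSecretFromHCPConfig` has no doc comment, and the YAML text it returns parses correctly only while its embedded indentation matches the `%s` placeholders under `cloud:` in the template of the next hunk, which is easy to break when reformatting. A comment such as `// getOptionalSecretFromHCPConfig returns the Helm values fragment for valuesConfigKey, or "" when hcpConfigValue is empty.` would document the contract. A less fragile shape is to set the optional keys on the map returned by `config.ConvertToMap` instead of splicing text. `cfg.BootstrapResponse.Cluster.ID` is formatted into the same template unquoted, so it is worth confirming that this value, which appears to come from the bootstrap response, is constrained before it reaches this function. `getHelmConfigWithMapSecretNames` ends outside this hunk.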
@@ -188,9 +220,14 @@ connectInject: enabled: true controller: enabled: true -`, cfg.BootstrapResponse.Cluster.ID, secretNameServerCA, corev1.TLSCertKey, secretNameGossipKey, - secretKeyGossipKey, secretNameBootstrapToken, secretKeyBootstrapToken, - secretNameHCPConfig, cfg.BootstrapResponse.Cluster.BootstrapExpect, secretNameServerCert) +`, cfg.BootstrapResponse.Cluster.ID, secretNameServerCA, corev1.TLSCertKey, + secretNameGossipKey, secretKeyGossipKey, secretNameBootstrapToken, + secretKeyBootstrapToken, + secretNameHCPResourceID, secretKeyHCPResourceID, + secretNameHCPClientID, secretKeyHCPClientID, + secretNameHCPClientSecret, secretKeyHCPClientSecret, + apiHostCfg, authURLCfg, scadaAddressCfg, + cfg.BootstrapResponse.Cluster.BootstrapExpect, secretNameServerCert) valuesMap := config.ConvertToMap(values) return valuesMap } 
@@ -198,47 +235,124 @@ controller: // saveSecretsFromBootstrapConfig takes the following items from the // agent bootstrap config from HCP and saves them into known secret names and // keys: -// - HCP config (resource-id, client-id, client-secret). +// - HCP configresource-id. +// - HCP client-id. +// - HCP client-secret. +// - HCP auth URL (optional) +// - HCP api hostname (optional) +// - HCP scada address (optional) // - ACL bootstrap token. // - gossip encryption key. // - server tls cert and key. // - server CA cert. func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfig) error { + // create namespace if err := i.createNamespaceIfNotExists(); err != nil { return err } - i.UI.Output(fmt.Sprintf("Saving HCP configuration as secrets in %s namespace", i.KubernetesNamespace), terminal.WithHeaderStyle()) - if err := i.saveServerHCPConfigSecret(config); err != nil { + // HCP resource id + data := map[string][]byte{ + secretKeyHCPResourceID: []byte(config.HCPConfig.ResourceID), + } + if err := i.saveSecret(secretNameHCPResourceID, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP resource id saved in '%s' secret in namespace '%s'.", + secretKeyHCPResourceID, i.KubernetesNamespace), terminal.WithSuccessStyle()) + + // HCP client id + data = map[string][]byte{ + secretKeyHCPClientID: []byte(config.HCPConfig.ClientID), + } + if err := i.saveSecret(secretNameHCPClientID, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP client id saved in '%s' secret in namespace '%s'.", + secretKeyHCPClientID, i.KubernetesNamespace), terminal.WithSuccessStyle()) + + // HCP client secret + data = map[string][]byte{ + secretKeyHCPClientSecret: []byte(config.HCPConfig.ClientSecret), + } + if err := i.saveSecret(secretNameHCPClientSecret, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP config saved in '%s' secret in namespace '%s'.", - 
secretNameHCPConfig, i.KubernetesNamespace), terminal.WithSuccessStyle()) + i.UI.Output(fmt.Sprintf("HCP client secret saved in '%s' secret in namespace '%s'.", + secretKeyHCPClientSecret, i.KubernetesNamespace), terminal.WithSuccessStyle()) - if err := i.saveBootstrapTokenSecret(config); err != nil { + // bootstrap token + data = map[string][]byte{ + secretKeyBootstrapToken: []byte(config.ConsulConfig.ACL.Tokens.InitialManagement), + } + if err := i.saveSecret(secretNameBootstrapToken, data, corev1.SecretTypeOpaque); err != nil { return err } i.UI.Output(fmt.Sprintf("ACL bootstrap token saved as '%s' key in '%s' secret in namespace '%s'.", secretKeyBootstrapToken, secretNameBootstrapToken, i.KubernetesNamespace), terminal.WithSuccessStyle()) - if err := i.saveGossipKeySecret(config); err != nil { + // gossip key + data = map[string][]byte{ + secretKeyGossipKey: []byte(config.BootstrapResponse.Bootstrap.GossipKey), + } + if err := i.saveSecret(secretNameGossipKey, data, corev1.SecretTypeOpaque); err != nil { return err } i.UI.Output(fmt.Sprintf("Gossip encryption key saved as '%s' key in '%s' secret in namespace '%s'.", secretKeyGossipKey, secretNameGossipKey, i.KubernetesNamespace), terminal.WithSuccessStyle()) - if err := i.saveServerCertSecret(config); err != nil { + // server cert secret + data = map[string][]byte{ + corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.Cert), + corev1.TLSPrivateKeyKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey), + } + if err := i.saveSecret(secretNameServerCert, data, corev1.SecretTypeTLS); err != nil { return err } i.UI.Output(fmt.Sprintf("Server TLS cert and key saved as '%s' and '%s' key in '%s secret in namespace '%s'.", corev1.TLSCertKey, corev1.TLSPrivateKeyKey, secretNameServerCert, i.KubernetesNamespace), terminal.WithSuccessStyle()) - if err := i.saveServerCASecret(config); err != nil { + // server CA + data = map[string][]byte{ + corev1.TLSCertKey: 
[]byte(config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0]), + } + if err := i.saveSecret(secretNameServerCA, data, corev1.SecretTypeOpaque); err != nil { return err } i.UI.Output(fmt.Sprintf("Server TLS CA saved as '%s' key in '%s' secret in namespace '%s'.", corev1.TLSCertKey, secretNameServerCA, i.KubernetesNamespace), terminal.WithSuccessStyle()) + // Optional secrets + // HCP auth url + if config.HCPConfig.AuthURL != "" { + data[secretKeyHCPAuthURL] = []byte(config.HCPConfig.AuthURL) + if err := i.saveSecret(secretNameHCPAuthURL, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP auth url saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyHCPAuthURL, secretNameHCPAuthURL, i.KubernetesNamespace), terminal.WithSuccessStyle()) + } + + // HCP api hostname + if config.HCPConfig.APIHostname != "" { + data[secretKeyHCPAPIHostname] = []byte(config.HCPConfig.APIHostname) + if err := i.saveSecret(secretNameHCPAPIHostname, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP api hostname saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyHCPAPIHostname, secretNameHCPAPIHostname, i.KubernetesNamespace), terminal.WithSuccessStyle()) + } + + // HCP scada address + if config.HCPConfig.ScadaAddress != "" { + data[secretKeyHCPScadaAddress] = []byte(config.HCPConfig.ScadaAddress) + if err := i.saveSecret(secretNameHCPScadaAddress, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP scada address saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyHCPScadaAddress, secretNameHCPScadaAddress, i.KubernetesNamespace), terminal.WithSuccessStyle()) + } + return nil } 
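Review bot: The three optional blocks at the end of `saveSecretsFromBootstrapConfig` write into the `data` map left over from the server CA step instead of starting a fresh one. The `consul-hcp-auth-url` secret therefore also receives the `tls.crt` entry, and each later optional secret accumulates the keys of the ones before it. Each block should build its own map, e.g. `data = map[string][]byte{secretKeyHCPAuthURL: []byte(config.HCPConfig.AuthURL)}`, and likewise for `secretKeyHCPAPIHostname` and `secretKeyHCPScadaAddress`. The success messages for resource id, client id and client secret print the `secretKey…` constant where the text says "secret"; they should pass `secretNameHCPResourceID`, `secretNameHCPClientID` and `secretNameHCPClientSecret`. `CertificateAuthorities[0]` is indexed without a length check, which panics if the list is empty.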
@@ -290,83 +404,7 @@ func (i *CloudPreset) saveSecret(secretName string, kvps map[string][]byte, secr } else if err != nil { return err } else { - return fmt.Errorf("'%s' secret in '%s' namespace already exists.", secretName, i.KubernetesNamespace) - } - return nil -} - -// saveServerHCPConfigSecret saves the resource-id, client-id, and client-secret -// to a given secret in a given namespace. -func (i *CloudPreset) saveServerHCPConfigSecret(config *CloudBootstrapConfig) error { - data := map[string][]byte{ - secretKeyHCPClientID: []byte(config.HCPConfig.ClientID), - secretKeyHCPClientSecret: []byte(config.HCPConfig.ClientSecret), - secretKeyHCPResourceID: []byte(config.HCPConfig.ResourceID), - } - - if config.HCPConfig.AuthURL != "" { - data[secretKeyHCPAuthURL] = []byte(config.HCPConfig.AuthURL) - } - - if config.HCPConfig.APIHostname != "" { - data[secretKeyHCPAPIHostname] = []byte(config.HCPConfig.APIHostname) - } - - if config.HCPConfig.ScadaAddress != "" { - data[secretKeyHCPScadaAddress] = []byte(config.HCPConfig.ScadaAddress) - } - - if err := i.saveSecret(secretNameHCPConfig, data, corev1.SecretTypeOpaque); err != nil { - return err - } - return nil -} - -// saveBootstrapTokenSecret saves the ACL bootstrap token to a given secret in -// a given namespace. -func (i *CloudPreset) saveBootstrapTokenSecret(config *CloudBootstrapConfig) error { - data := map[string][]byte{ - secretKeyBootstrapToken: []byte(config.ConsulConfig.ACL.Tokens.InitialManagement), - } - if err := i.saveSecret(secretNameBootstrapToken, data, corev1.SecretTypeOpaque); err != nil { - return err - } - return nil -} - -// saveGossipKeySecret saves the gossip encryption key to a given secret -// in a given namespace. 
-func (i *CloudPreset) saveGossipKeySecret(config *CloudBootstrapConfig) error { - data := map[string][]byte{ - secretKeyGossipKey: []byte(config.BootstrapResponse.Bootstrap.GossipKey), - } - if err := i.saveSecret(secretNameGossipKey, data, corev1.SecretTypeOpaque); err != nil { - return err - } - return nil -} - -// saveServerCertSecret saves the server TLS cert and key to a given secret -// in a given namespace. -func (i *CloudPreset) saveServerCertSecret(config *CloudBootstrapConfig) error { - data := map[string][]byte{ - corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.Cert), - corev1.TLSPrivateKeyKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey), - } - if err := i.saveSecret(secretNameServerCert, data, corev1.SecretTypeTLS); err != nil { - return err - } - return nil -} - -// saveServerCASecret saves the server CA cert to a given secret in a -// given namespace. -func (i *CloudPreset) saveServerCASecret(config *CloudBootstrapConfig) error { - data := map[string][]byte{ - corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0]), - } - if err := i.saveSecret(secretNameServerCA, data, corev1.SecretTypeOpaque); err != nil { - return err + return fmt.Errorf("'%s' secret in '%s' namespace already exists", secretName, i.KubernetesNamespace) } return nil } diff --git a/cli/preset/cloud_preset_test.go b/cli/preset/cloud_preset_test.go index 3fc0196da9..41b3e5526b 100644 --- a/cli/preset/cloud_preset_test.go +++ b/cli/preset/cloud_preset_test.go 
@@ -22,16 +22,21 @@ import ( ) const ( - hcpClientID = "RAxJflDbxDXw8kLY6jWmwqMz3kVe7NnL" - hcpClientSecret = "1fNzurLatQPLPwf7jnD4fRtU9f5nH31RKBHayy08uQ6P-6nwI1rFZjMXb4m3cCKH" - hcpResourceID = "organization/ccbdd191-5dc3-4a73-9e05-6ac30ca67992/project/36019e0d-ed59-4df6-9990-05bb7fc793b6/hashicorp.consul.global-network-manager.cluster/prod-on-prem" - expectedSecretNameHCPConfig = "consul-hcp-config" - expectedSecretNameGossipKey = "consul-gossip-key" - expectedSecretNameBootstrap = "consul-bootstrap-token" - expectedSecretNameServerCA = "consul-server-ca" - expectedSecretNameServerCert = "consul-server-cert" - namespace = "consul" - validResponse = ` + hcpClientID = "RAxJflDbxDXw8kLY6jWmwqMz3kVe7NnL" + hcpClientSecret = "1fNzurLatQPLPwf7jnD4fRtU9f5nH31RKBHayy08uQ6P-6nwI1rFZjMXb4m3cCKH" + hcpResourceID = "organization/ccbdd191-5dc3-4a73-9e05-6ac30ca67992/project/36019e0d-ed59-4df6-9990-05bb7fc793b6/hashicorp.consul.global-network-manager.cluster/prod-on-prem" + expectedSecretNameHCPClientId = "consul-hcp-client-id" + expectedSecretNameHCPClientSecret = "consul-hcp-client-secret" + expectedSecretNameHCPResourceId = "consul-hcp-resource-id" + expectedSecretNameHCPAuthURL = "consul-hcp-auth-url" + expectedSecretNameHCPApiHostname = "consul-hcp-api-host" + expectedSecretNameHCPScadaAddress = "consul-hcp-scada-address" + expectedSecretNameGossipKey = "consul-gossip-key" + expectedSecretNameBootstrap = "consul-bootstrap-token" + expectedSecretNameServerCA = "consul-server-ca" + expectedSecretNameServerCert = "consul-server-cert" + namespace = "consul" + validResponse = ` { "cluster": { 
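Review bot: `hcpClientID`, `hcpClientSecret` and `hcpResourceID` are re-added here with values that have the shape of a real HCP service principal and organization/project path. If they were ever issued by HCP they should be revoked and replaced with obviously fake fixtures. A comment above them such as `// Fake credentials, used only as test fixtures.` would record that for reviewers and secret-scanning triage.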
@@ -183,14 +188,43 @@ func TestGetValueMap(t *testing.T) { deleteSecrets(k8s) }, func() { - hcpConfigSecret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPConfig, metav1.GetOptions{}) - require.NoError(t, err) - require.Equal(t, bsConfig.HCPConfig.ClientID, string(hcpConfigSecret.Data[secretKeyHCPClientID])) - require.Equal(t, bsConfig.HCPConfig.ClientSecret, string(hcpConfigSecret.Data[secretKeyHCPClientSecret])) - require.Equal(t, bsConfig.HCPConfig.ResourceID, string(hcpConfigSecret.Data[secretKeyHCPResourceID])) - require.Nil(t, hcpConfigSecret.Data[secretKeyHCPAuthURL]) - require.Nil(t, hcpConfigSecret.Data[secretKeyHCPScadaAddress]) - require.Nil(t, hcpConfigSecret.Data[secretKeyHCPAPIHostname]) + // Check the hcp resource id secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPResourceID, secretKeyHCPResourceID, + bsConfig.HCPConfig.ResourceID, corev1.SecretTypeOpaque) + + // Check the hcp client id secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPClientID, secretKeyHCPClientID, + bsConfig.HCPConfig.ClientID, corev1.SecretTypeOpaque) + + // Check the hcp client secret secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPClientSecret, secretKeyHCPClientSecret, + bsConfig.HCPConfig.ClientSecret, corev1.SecretTypeOpaque) + + // Check the bootstrap token secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameBootstrapToken, secretKeyBootstrapToken, + bsConfig.ConsulConfig.ACL.Tokens.InitialManagement, corev1.SecretTypeOpaque) + + // Check the gossip key secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameGossipKey, secretKeyGossipKey, + bsConfig.BootstrapResponse.Bootstrap.GossipKey, corev1.SecretTypeOpaque) + + // Check the server cert secret is as expected. 
+ ensureSecretKeyValueMatchesExpected(t, k8s, secretNameServerCert, corev1.TLSCertKey, + bsConfig.BootstrapResponse.Bootstrap.ServerTLS.Cert, corev1.SecretTypeTLS) + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameServerCert, corev1.TLSPrivateKeyKey, + bsConfig.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey, corev1.SecretTypeTLS) + + // Check the server CA secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameServerCA, corev1.TLSCertKey, + bsConfig.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0], corev1.SecretTypeOpaque) + + // Check that HCP scada address, auth url, and api hostname are not saved + hcpAuthURLSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPAuthURL, metav1.GetOptions{}) + require.Nil(t, hcpAuthURLSecret) + hcpApiHostnameSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPAPIHostname, metav1.GetOptions{}) + require.Nil(t, hcpApiHostnameSecret) + hcpScadaAddress, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPScadaAddress, metav1.GetOptions{}) + require.Nil(t, hcpScadaAddress) }, }, } 
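Review bot: The three "not saved" checks discard the error from `Secrets(namespace).Get` and assert only `require.Nil` on the returned object, so the result depends on what the client returns alongside an error, not on the secret being absent. Keep the error and assert it, e.g. `require.True(t, apierrors.IsNotFound(err))` (this needs the `k8s.io/apimachinery/pkg/api/errors` import). No case in this hunk sets `AuthURL`, `APIHostname` or `ScadaAddress`, so nothing verifies that each optional secret is created with only its own key; a case asserting `require.Len(t, secret.Data, 1)` for those secrets would cover that. The test function continues outside the hunk.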
@@ -266,20 +300,75 @@ func TestSaveSecretsFromBootstrapConfig(t *testing.T) { }, }, { - "Errors when hcp config secret already exists.", + "Errors when hcp client id secret already exists", + true, + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameHCPClientId, namespace), + func() { + savePlaceholderSecret(expectedSecretNameHCPClientId, k8s) + }, + func() { + deleteSecrets(k8s) + }, + }, + { + "Errors when hcp client secret secret already exists", + true, + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameHCPClientSecret, namespace), + func() { + savePlaceholderSecret(expectedSecretNameHCPClientSecret, k8s) + }, + func() { + deleteSecrets(k8s) + }, + }, + { + "Errors when hcp resource id secret already exists", + true, + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameHCPResourceId, namespace), + func() { + savePlaceholderSecret(expectedSecretNameHCPResourceId, k8s) + }, + func() { + deleteSecrets(k8s) + }, + }, + { + "Errors when hcp auth url secret already exists", + true, + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameHCPAuthURL, namespace), + func() { + savePlaceholderSecret(expectedSecretNameHCPAuthURL, k8s) + }, + func() { + deleteSecrets(k8s) + }, + }, + { + "Errors when hcp api hostname secret already exists", + true, + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameHCPApiHostname, namespace), + func() { + savePlaceholderSecret(expectedSecretNameHCPApiHostname, k8s) + }, + func() { + deleteSecrets(k8s) + }, + }, + { + "Errors when hcp scada address secret already exists", true, - fmt.Sprintf("'%s' secret in '%s' namespace already exists.", expectedSecretNameHCPConfig, namespace), + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameHCPScadaAddress, namespace), func() { - savePlaceholderSecret(expectedSecretNameHCPConfig, k8s) + 
savePlaceholderSecret(expectedSecretNameHCPScadaAddress, k8s) }, func() { deleteSecrets(k8s) }, }, { - "Errors when bootstrap token secret already exists.", + "Errors when bootstrap token secret already exists", true, - fmt.Sprintf("'%s' secret in '%s' namespace already exists.", expectedSecretNameBootstrap, namespace), + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameBootstrap, namespace), func() { savePlaceholderSecret(expectedSecretNameBootstrap, k8s) }, @@ -288,9 +377,9 @@ func TestSaveSecretsFromBootstrapConfig(t *testing.T) { }, }, { - "Errors when gossip key secret already exists.", + "Errors when gossip key secret already exists", true, - fmt.Sprintf("'%s' secret in '%s' namespace already exists.", expectedSecretNameGossipKey, namespace), + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameGossipKey, namespace), func() { savePlaceholderSecret(expectedSecretNameGossipKey, k8s) }, @@ -299,9 +388,9 @@ func TestSaveSecretsFromBootstrapConfig(t *testing.T) { }, }, { - "Errors when server cert secret already exists.", + "Errors when server cert secret already exists", true, - fmt.Sprintf("'%s' secret in '%s' namespace already exists.", expectedSecretNameServerCert, namespace), + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameServerCert, namespace), func() { savePlaceholderSecret(expectedSecretNameServerCert, k8s) }, @@ -310,9 +399,9 @@ func TestSaveSecretsFromBootstrapConfig(t *testing.T) { }, }, { - "Errors when server CA secret already exists.", + "Errors when server CA secret already exists", true, - fmt.Sprintf("'%s' secret in '%s' namespace already exists.", expectedSecretNameServerCA, namespace), + fmt.Sprintf("'%s' secret in '%s' namespace already exists", expectedSecretNameServerCA, namespace), func() { savePlaceholderSecret(expectedSecretNameServerCA, k8s) }, 
@@ -339,7 +428,9 @@ func TestSaveSecretsFromBootstrapConfig(t *testing.T) { require.NoError(t, err) require.Equal(t, expectedSecretNameBootstrap, secretNameBootstrapToken) require.Equal(t, expectedSecretNameGossipKey, secretNameGossipKey) - require.Equal(t, expectedSecretNameHCPConfig, secretNameHCPConfig) + require.Equal(t, expectedSecretNameHCPClientId, secretNameHCPClientID) + require.Equal(t, expectedSecretNameHCPClientSecret, secretNameHCPClientSecret) + require.Equal(t, expectedSecretNameHCPResourceId, secretNameHCPResourceID) require.Equal(t, expectedSecretNameServerCA, secretNameServerCA) require.Equal(t, expectedSecretNameServerCert, secretNameServerCert) @@ -355,7 +446,7 @@ func TestSaveSecretsFromBootstrapConfig(t *testing.T) { func TestGetHelmConfigWithMapSecretNames(t *testing.T) { t.Parallel() - const expected = `connectInject: + const expectedFull = `connectInject: enabled: true controller: enabled: true 
@@ -366,8 +457,62 @@ global: secretName: consul-bootstrap-token manageSystemACLs: true cloud: + apiHost: + secretKey: api-hostname + secretName: consul-hcp-api-host + authUrl: + secretKey: auth-url + secretName: consul-hcp-auth-url + clientId: + secretKey: client-id + secretName: consul-hcp-client-id + clientSecret: + secretKey: client-secret + secretName: consul-hcp-client-secret enabled: true - secretName: consul-hcp-config + resourceId: + secretKey: resource-id + secretName: consul-hcp-resource-id + scadaAddress: + secretKey: scada-address + secretName: consul-hcp-scada-address + datacenter: dc1 + gossipEncryption: + secretKey: key + secretName: consul-gossip-key + tls: + caCert: + secretKey: tls.crt + secretName: consul-server-ca + enableAutoEncrypt: true + enabled: true +server: + replicas: 3 + serverCert: + secretName: consul-server-cert +` + + const expectedWithoutOptional = `connectInject: + enabled: true +controller: + enabled: true +global: + acls: + bootstrapToken: + secretKey: token + secretName: consul-bootstrap-token + manageSystemACLs: true + cloud: + clientId: + secretKey: client-id + secretName: consul-hcp-client-id + clientSecret: + secretKey: client-secret + secretName: consul-hcp-client-secret + enabled: true + resourceId: + secretKey: resource-id + secretName: consul-hcp-resource-id datacenter: dc1 gossipEncryption: secretKey: key 
@@ -385,20 +530,59 @@ server: ` cloudPreset := &CloudPreset{} - cfg := &CloudBootstrapConfig{ - BootstrapResponse: &models.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse{ - Cluster: &models.HashicorpCloudGlobalNetworkManager20220215Cluster{ - BootstrapExpect: 3, - ID: "dc1", + + testCases := []struct { + description string + config *CloudBootstrapConfig + expectedYaml string + }{ + {"Config including optional parameters", + &CloudBootstrapConfig{ + BootstrapResponse: &models.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse{ + Cluster: &models.HashicorpCloudGlobalNetworkManager20220215Cluster{ + BootstrapExpect: 3, + ID: "dc1", + }, + }, + HCPConfig: HCPConfig{ + ResourceID: "consul-hcp-resource-id", + ClientID: "consul-hcp-client-id", + ClientSecret: "consul-hcp-client-secret", + AuthURL: "consul-hcp-auth-url", + APIHostname: "consul-hcp-api-host", + ScadaAddress: "consul-hcp-scada-address", + }, + }, + expectedFull, + }, + {"Config without optional parameters", + &CloudBootstrapConfig{ + BootstrapResponse: &models.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse{ + Cluster: &models.HashicorpCloudGlobalNetworkManager20220215Cluster{ + BootstrapExpect: 3, + ID: "dc1", + }, + }, + HCPConfig: HCPConfig{ + ResourceID: "consul-hcp-resource-id", + ClientID: "consul-hcp-client-id", + ClientSecret: "consul-hcp-client-secret", + }, }, + expectedWithoutOptional, }, } - cloudHelmValues := cloudPreset.getHelmConfigWithMapSecretNames(cfg) - require.NotNil(t, cloudHelmValues) - valuesYaml, err := yaml.Marshal(cloudHelmValues) - yml := string(valuesYaml) - require.NoError(t, err) - require.Equal(t, expected, yml) + for _, tc := range testCases { + t.Run(tc.description, func(t *testing.T) { + cloudHelmValues := cloudPreset.getHelmConfigWithMapSecretNames(tc.config) + require.NotNil(t, cloudHelmValues) + valuesYaml, err := yaml.Marshal(cloudHelmValues) + yml := string(valuesYaml) + require.NoError(t, err) + require.Equal(t, 
tc.expectedYaml, yml) + }) + } + } func savePlaceholderSecret(secretName string, k8sClient kubernetes.Interface) { @@ -416,7 +600,12 @@ func savePlaceholderSecret(secretName string, k8sClient kubernetes.Interface) { } func deleteSecrets(k8sClient kubernetes.Interface) { - k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPConfig, metav1.DeleteOptions{}) + k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPClientId, metav1.DeleteOptions{}) + k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPClientSecret, metav1.DeleteOptions{}) + k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPResourceId, metav1.DeleteOptions{}) + k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPAuthURL, metav1.DeleteOptions{}) + k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPApiHostname, metav1.DeleteOptions{}) + k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameHCPScadaAddress, metav1.DeleteOptions{}) k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameBootstrap, metav1.DeleteOptions{}) k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameGossipKey, metav1.DeleteOptions{}) k8sClient.CoreV1().Secrets(namespace).Delete(context.Background(), expectedSecretNameServerCert, metav1.DeleteOptions{}) 
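Review bot: In the TestGetHelmConfigWithMapSecretNames table, every `HCPConfig` field is set to the same string as the Kubernetes secret name expected in the YAML, for example `ClientSecret: "consul-hcp-client-secret"`. The test therefore cannot tell a secret name from a credential value: it would still pass if getHelmConfigWithMapSecretNames copied the credential into `secretName` and so wrote it into Helm values in plain text. Give the fixtures values that differ from the names, such as `ClientSecret: "fixture-client-secret-value"` (a constructed sample), and keep the expected YAML as it is. The optional fields then only act as present/absent switches, which appears to be the intent.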
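Review bot: Each of the six added `Delete` calls in deleteSecrets drops its returned error, so a failed cleanup leaves test secrets in the namespace without any signal. Iterating over a slice of the expected secret names with a single `Delete` call in the loop body would remove the repetition. It would also give one place to tolerate not-found and surface any other error. The function continues outside this hunk.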
@@ -429,56 +618,70 @@ func checkAllSecretsWereSaved(t require.TestingT, k8s kubernetes.Interface, expe _, err := k8s.CoreV1().Namespaces().Get(context.Background(), namespace, metav1.GetOptions{}) require.NoError(t, err) - // Check the hcp config secret is as expected. - hcpConfigSecret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPConfig, metav1.GetOptions{}) - require.NoError(t, err) - require.Equal(t, expectedConfig.HCPConfig.ClientID, string(hcpConfigSecret.Data[secretKeyHCPClientID])) - require.Equal(t, expectedConfig.HCPConfig.ClientSecret, string(hcpConfigSecret.Data[secretKeyHCPClientSecret])) - require.Equal(t, expectedConfig.HCPConfig.ResourceID, string(hcpConfigSecret.Data[secretKeyHCPResourceID])) - require.Equal(t, expectedConfig.HCPConfig.AuthURL, string(hcpConfigSecret.Data[secretKeyHCPAuthURL])) - require.Equal(t, expectedConfig.HCPConfig.ScadaAddress, string(hcpConfigSecret.Data[secretKeyHCPScadaAddress])) - require.Equal(t, expectedConfig.HCPConfig.APIHostname, string(hcpConfigSecret.Data[secretKeyHCPAPIHostname])) - require.Equal(t, corev1.SecretTypeOpaque, hcpConfigSecret.Type) - require.Equal(t, common.CLILabelValue, hcpConfigSecret.Labels[common.CLILabelKey]) + // Check the hcp resource id secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPResourceID, secretKeyHCPResourceID, + expectedConfig.HCPConfig.ResourceID, corev1.SecretTypeOpaque) + + // Check the hcp client id secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPClientID, secretKeyHCPClientID, + expectedConfig.HCPConfig.ClientID, corev1.SecretTypeOpaque) + + // Check the hcp client secret secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPClientSecret, secretKeyHCPClientSecret, + expectedConfig.HCPConfig.ClientSecret, corev1.SecretTypeOpaque) + + // Check the hcp auth URL secret is as expected. 
+ ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPAuthURL, secretKeyHCPAuthURL, + expectedConfig.HCPConfig.AuthURL, corev1.SecretTypeOpaque) + + // Check the hcp api hostname secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPAPIHostname, secretKeyHCPAPIHostname, + expectedConfig.HCPConfig.APIHostname, corev1.SecretTypeOpaque) + + // Check the hcp scada address secret is as expected. + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameHCPScadaAddress, secretKeyHCPScadaAddress, + expectedConfig.HCPConfig.ScadaAddress, corev1.SecretTypeOpaque) // Check the bootstrap token secret is as expected. - bootstrapSecret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameBootstrapToken, metav1.GetOptions{}) - require.NoError(t, err) - require.Equal(t, expectedConfig.ConsulConfig.ACL.Tokens.InitialManagement, string(bootstrapSecret.Data["token"])) - require.Equal(t, corev1.SecretTypeOpaque, bootstrapSecret.Type) - require.Equal(t, common.CLILabelValue, bootstrapSecret.Labels[common.CLILabelKey]) + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameBootstrapToken, secretKeyBootstrapToken, + expectedConfig.ConsulConfig.ACL.Tokens.InitialManagement, corev1.SecretTypeOpaque) // Check the gossip key secret is as expected. - gossipKeySecret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameGossipKey, metav1.GetOptions{}) - require.NoError(t, err) - require.Equal(t, expectedConfig.BootstrapResponse.Bootstrap.GossipKey, string(gossipKeySecret.Data["key"])) - require.Equal(t, corev1.SecretTypeOpaque, gossipKeySecret.Type) - require.Equal(t, common.CLILabelValue, gossipKeySecret.Labels[common.CLILabelKey]) + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameGossipKey, secretKeyGossipKey, + expectedConfig.BootstrapResponse.Bootstrap.GossipKey, corev1.SecretTypeOpaque) // Check the server cert secret is as expected. 
- serverCertSecret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameServerCert, metav1.GetOptions{}) - require.NoError(t, err) - require.Equal(t, expectedConfig.BootstrapResponse.Bootstrap.ServerTLS.Cert, string(serverCertSecret.Data[corev1.TLSCertKey])) - require.Equal(t, expectedConfig.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey, string(serverCertSecret.Data[corev1.TLSPrivateKeyKey])) - require.Equal(t, corev1.SecretTypeTLS, serverCertSecret.Type) - require.Equal(t, common.CLILabelValue, serverCertSecret.Labels[common.CLILabelKey]) + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameServerCert, corev1.TLSCertKey, + expectedConfig.BootstrapResponse.Bootstrap.ServerTLS.Cert, corev1.SecretTypeTLS) + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameServerCert, corev1.TLSPrivateKeyKey, + expectedConfig.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey, corev1.SecretTypeTLS) // Check the server CA secret is as expected. - serverCASecret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameServerCA, metav1.GetOptions{}) + ensureSecretKeyValueMatchesExpected(t, k8s, secretNameServerCA, corev1.TLSCertKey, + expectedConfig.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0], corev1.SecretTypeOpaque) +} + +func ensureSecretKeyValueMatchesExpected(t require.TestingT, k8s kubernetes.Interface, + secretName, secretKey, + expectedValue string, expectedSecretType corev1.SecretType) { + secret, err := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretName, metav1.GetOptions{}) require.NoError(t, err) - require.Equal(t, expectedConfig.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0], string(serverCASecret.Data[corev1.TLSCertKey])) - require.Equal(t, corev1.SecretTypeOpaque, serverCASecret.Type) - require.Equal(t, common.CLILabelValue, serverCASecret.Labels[common.CLILabelKey]) + require.Equal(t, expectedValue, string(secret.Data[secretKey])) + require.Equal(t, 
expectedSecretType, secret.Type) + require.Equal(t, common.CLILabelValue, secret.Labels[common.CLILabelKey]) } func checkSecretsWereNotSaved(k8s kubernetes.Interface) bool { ns, _ := k8s.CoreV1().Namespaces().Get(context.Background(), namespace, metav1.GetOptions{}) - hcpConfigSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPConfig, metav1.GetOptions{}) + hcpClientIdSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPClientID, metav1.GetOptions{}) + hcpClientSecretSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPClientSecret, metav1.GetOptions{}) + hcpResourceIdSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPResourceID, metav1.GetOptions{}) bootstrapSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameBootstrapToken, metav1.GetOptions{}) gossipKeySecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameGossipKey, metav1.GetOptions{}) serverCertSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameServerCert, metav1.GetOptions{}) serverCASecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameServerCA, metav1.GetOptions{}) - return ns == nil && hcpConfigSecret == nil && bootstrapSecret == nil && + return ns == nil && hcpClientIdSecret == nil && hcpClientSecretSecret == nil && + hcpResourceIdSecret == nil && bootstrapSecret == nil && gossipKeySecret == nil && serverCASecret == nil && serverCertSecret == nil } From 9a1a9f5ee36cdef3adf675854b0a68614ceb4cde Mon Sep 17 00:00:00 2001 
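Review bot: checkSecretsWereNotSaved now looks up the client id, client secret and resource id secrets, but not the auth URL, API hostname or SCADA address secrets that checkAllSecretsWereSaved verifies just above it. A failed or aborted save that still wrote one of those three would be reported as "nothing saved". Add the matching lookups, e.g. `hcpAuthURLSecret, _ := k8s.CoreV1().Secrets(namespace).Get(context.Background(), secretNameHCPAuthURL, metav1.GetOptions{})`, and include them in the `return` condition. The nil comparisons also rely on the client returning a nil object when the lookup fails, since every error is discarded; checking the error for not-found would make that explicit.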
From: John Murret Date: Mon, 10 Oct 2022 14:00:01 -0600 Subject: [PATCH 02/11] add initial validation for clour config in the helm chart. --- charts/consul/templates/_helpers.tpl | 47 +++- .../api-gateway-controller-deployment.yaml | 3 +- charts/consul/templates/client-daemonset.yaml | 2 +- .../client-snapshot-agent-deployment.yaml | 2 +- .../templates/connect-inject-deployment.yaml | 2 +- .../templates/controller-deployment.yaml | 2 +- .../create-federation-secret-job.yaml | 2 +- .../ingress-gateways-deployment.yaml | 2 +- .../templates/mesh-gateway-deployment.yaml | 2 +- .../consul/templates/server-acl-init-job.yaml | 2 +- .../consul/templates/server-statefulset.yaml | 2 +- .../templates/sync-catalog-deployment.yaml | 2 +- .../terminating-gateways-deployment.yaml | 2 +- .../api-gateway-controller-deployment.bats | 222 +++++++++++++++++- charts/consul/values.yaml | 9 + 15 files changed, 284 insertions(+), 19 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 79469c8fdd..4e3b735be7 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -371,13 +371,50 @@ Consul server environment variables for consul-k8s commands. {{- end -}} {{/* -Fails global.cloud.enabled is true and global.cloud.secretName is nil or tempty. +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName -Usage: {{ template "consul.validateCloudConfiguration" . }} +Usage: {{ template "consul.validateCloudSecretNames" . }} */}} -{{- define "consul.validateCloudConfiguration" -}} -{{- if and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName)) }} +{{- define "consul.validateCloudSecretNames" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} {{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} -{{ end }} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . 
}} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not 
.Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} {{- end -}} diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml index bdb3d90d68..044e81f069 100644 --- a/charts/consul/templates/api-gateway-controller-deployment.yaml +++ b/charts/consul/templates/api-gateway-controller-deployment.yaml @@ -2,7 +2,8 @@ {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} {{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index e79e1fd8e1..fb98e55778 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml 
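Review bot: The doc comment on `consul.validateCloudSecretKeys` says it fails when a secret "has either an empty secretName or secretKey", but the six checks fail only when exactly one of the pair is set. A secret with both fields empty passes, which the optional authUrl, apiHost and scadaAddress entries need. Suggested wording: `Fails when global.cloud.enabled is true and any of the following has only one of secretName / secretKey set.` Both new comments also open with "Fails global.cloud.enabled is true", which is missing "when". The guard `{{- if and .Values.global.cloud.enabled }}` passes a single argument to `and` and can be `{{- if .Values.global.cloud.enabled }}`.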
@@ -10,7 +10,7 @@ {{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} # DaemonSet to run the Consul clients on every node. apiVersion: apps/v1 kind: DaemonSet diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml index d9d01e4521..870b9c7050 100644 --- a/charts/consul/templates/client-snapshot-agent-deployment.yaml +++ b/charts/consul/templates/client-snapshot-agent-deployment.yaml 
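Review bot: This template now calls only `consul.validateCloudSecretNames`, and in this patch `consul.validateCloudSecretKeys` is invoked from api-gateway-controller-deployment.yaml alone. The same gap is in the hunks for client-snapshot-agent, connect-inject, controller, create-federation-secret-job, ingress-gateways, mesh-gateway, server-acl-init-job, server-statefulset, sync-catalog and terminating-gateways. If the API gateway template is gated on `apiGateway.enabled`, an install without it never runs the name/key pairing check, so a cloud secret with `secretName` but no `secretKey` would render instead of failing. The check matters most in server-statefulset.yaml, which appears to be where the cloud `secretKeyRef` entries are rendered. Add `{{ template "consul.validateCloudSecretKeys" . }}` after the names check there, and in any other template that consumes these values.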
@@ -2,7 +2,7 @@ {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} {{- if .Values.client.snapshotAgent.enabled }} {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 01285dd410..58563955f5 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
@@ -7,7 +7,7 @@ {{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}} {{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 kind: Deployment diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 6a700c5beb..842de1cce6 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -2,7 +2,7 @@ {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} {{ template "consul.validateVaultWebhookCertConfiguration" . }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} apiVersion: apps/v1 kind: Deployment metadata: 
diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml index 48c4c1514a..e7b1856ba4 100644 --- a/charts/consul/templates/create-federation-secret-job.yaml +++ b/charts/consul/templates/create-federation-secret-job.yaml @@ -2,7 +2,7 @@ {{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} {{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} {{- if eq (int .Values.server.updatePartition) 0 }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} apiVersion: batch/v1 kind: Job metadata: diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index 0bc1a41979..841dbabd27 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml @@ -2,7 +2,7 @@ {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} {{- $root := . }} {{- $defaults := .Values.ingressGateways.defaults }} 
diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index d55f8756a4..a7e03aa8f9 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml @@ -5,7 +5,7 @@ {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml index 601c977b67..4890874a33 100644 --- a/charts/consul/templates/server-acl-init-job.yaml +++ b/charts/consul/templates/server-acl-init-job.yaml 
@@ -7,7 +7,7 @@ {{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} {{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} {{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} {{- /* We don't render this job when server.updatePartition > 0 because that means a server rollout is in progress and this job won't complete unless diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 2c88c92f5e..1c82002776 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml 
@@ -15,7 +15,7 @@ {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} {{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} {{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} # StatefulSet to run the actual Consul server cluster. apiVersion: apps/v1 kind: StatefulSet diff --git a/charts/consul/templates/sync-catalog-deployment.yaml b/charts/consul/templates/sync-catalog-deployment.yaml index 6821cd90b4..2a7e0d18c2 100644 --- a/charts/consul/templates/sync-catalog-deployment.yaml +++ b/charts/consul/templates/sync-catalog-deployment.yaml @@ -1,7 +1,7 @@ {{- $clientEnabled := (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} {{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} # The deployment for running the sync-catalog pod apiVersion: apps/v1 kind: Deployment 
diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index 568a46e220..2e12b45337 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -1,7 +1,7 @@ {{- if .Values.terminatingGateways.enabled }} {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validateCloudConfiguration" . }} +{{ template "consul.validateCloudSecretNames" . }} {{- $root := . }} {{- $defaults := .Values.terminatingGateways.defaults }} diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats index 9858533366..f6b3446579 100755 --- a/charts/consul/test/unit/api-gateway-controller-deployment.bats +++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats @@ -908,7 +908,7 @@ load _helpers #-------------------------------------------------------------------- # global.cloud -@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ 
@@ -919,8 +919,226 @@ load _helpers --set 'global.datacenter=dc-foo' \ --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} + +@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set,thetemplate fails." { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set,the template fails." { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set,the template fails." 
{ + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set,the template fails." { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set,the template fails." { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set,the template fails." 
{ + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.scadaAddress is defined, both must be set." ]] +} + +@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set,the template fails." { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 28b0447ec7..cef93abd43 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -654,6 +654,15 @@ global: # self-managed cluster. enabled: false + # The name of the Kubernetes secret that holds the HCP resource id. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + # The name of the Kubernetes secret that holds the HCP cloud client id. clientId: # The name of the Kubernetes secret that holds the client id. From b66e38461a27d81dd3f39de598eefc1e78615f19 Mon Sep 17 00:00:00 2001 
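Review bot: The name/key pairing tests added in this hunk cover `resourceId`, `authUrl`, `apiHost` and `scadaAddress`, but none sets `global.cloud.clientId.secretName` or `global.cloud.clientSecret.secretName` without the matching `secretKey`, and those two references carry the HCP credentials themselves. The helper that emits the "both must be set" messages is not visible in this hunk, so it is unclear whether it checks them; if it does not, a half-configured credential reference would presumably surface only when the pod fails to start rather than at render time. I would add one case per credential that passes, for example, `--set 'global.cloud.clientSecret.secretName=client-secret-id-name' \` with no `clientSecret.secretKey` and asserts that rendering fails. Separately, the lines added at the top of the hunk give the clientSecret fixture the values `client-id-name` / `client-id-key`, which reads as a copy-paste slip; `client-secret-id-name` / `client-secret-id-key`, as used in the later tests, would be clearer.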
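Review bot: The comment above the new `resourceId:` key calls it "the name of the Kubernetes secret", but the key is a mapping that holds both `secretName` and `secretKey`, so anything generated from these comments will describe it wrongly. I would word it `# The Kubernetes secret (name and key) that holds the HCP resource id.`; the `clientId` comment visible as context just below has the same wording. Both sub-keys default to `null`, so it would also help to say here that `resourceId` is required once `global.cloud.enabled` is true, as the validation message asserted in this series' tests states.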
From: John Murret Date: Mon, 10 Oct 2022 15:30:43 -0600 Subject: [PATCH 03/11] adding bats tests --- charts/consul/templates/client-daemonset.yaml | 1 + .../client-snapshot-agent-deployment.yaml | 1 + .../templates/connect-inject-deployment.yaml | 1 + .../templates/controller-deployment.yaml | 1 + .../create-federation-secret-job.yaml | 1 + .../ingress-gateways-deployment.yaml | 1 + .../templates/mesh-gateway-deployment.yaml | 2 + .../consul/templates/server-acl-init-job.yaml | 1 + .../consul/templates/server-statefulset.yaml | 3 +- .../templates/sync-catalog-deployment.yaml | 1 + .../terminating-gateways-deployment.yaml | 1 + .../api-gateway-controller-deployment.bats | 16 +- charts/consul/test/unit/client-daemonset.bats | 218 ++++++++++++- .../client-snapshot-agent-deployment.bats | 214 ++++++++++++- .../test/unit/connect-inject-deployment.bats | 208 ++++++++++++- .../test/unit/controller-deployment.bats | 203 ++++++++++++- .../unit/ingress-gateways-deployment.bats | 233 +++++++++++++- .../test/unit/mesh-gateway-deployment.bats | 213 ++++++++++++- .../consul/test/unit/partition-init-job.bats | 287 +++++++++++++++++- .../consul/test/unit/server-acl-init-job.bats | 197 +++++++++++- .../consul/test/unit/server-statefulset.bats | 272 +++++++++++++++-- .../test/unit/sync-catalog-deployment.bats | 181 ++++++++++- .../unit/terminating-gateways-deployment.bats | 189 +++++++++++- 23 files changed, 2370 insertions(+), 75 deletions(-) diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index fb98e55778..fcb703d604 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml 
@@ -11,6 +11,7 @@ {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} # DaemonSet to run the Consul clients on every node. apiVersion: apps/v1 kind: DaemonSet diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml index 870b9c7050..010a7ee87f 100644 --- a/charts/consul/templates/client-snapshot-agent-deployment.yaml +++ b/charts/consul/templates/client-snapshot-agent-deployment.yaml @@ -3,6 +3,7 @@ {{- if .Values.client.snapshotAgent.enabled }} {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 58563955f5..ea6eac42da 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml 
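Review bot: `consul.validateCloudSecretKeys` is added here as a second, separate call directly after `consul.validateCloudSecretNames`, and the same pair is repeated in every other template hunk of this patch (snapshot agent, connect-inject, controller, federation secret job, ingress, mesh and terminating gateways, server-acl-init, server statefulset, sync-catalog). Because the two checks only make sense together, a template that receives one call but not the other would render with a half-validated credential reference and nothing in the chart would flag it. The diffstat of this patch changes `partition-init-job.bats` and `api-gateway-controller-deployment.bats` without touching the corresponding templates, so it is worth confirming those templates already carry both calls. I would fold the two into a single helper so each workload template includes one line; if they stay separate, a comment such as `{{- /* Cloud secret validation: always call validateCloudSecretNames and validateCloudSecretKeys together. */ -}}` above the pair would document the requirement.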
@@ -8,6 +8,7 @@ {{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} # The deployment for running the Connect sidecar injector apiVersion: apps/v1 kind: Deployment diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml index 842de1cce6..16c5ed30de 100644 --- a/charts/consul/templates/controller-deployment.yaml +++ b/charts/consul/templates/controller-deployment.yaml @@ -3,6 +3,7 @@ {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} {{ template "consul.validateVaultWebhookCertConfiguration" . }} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml index e7b1856ba4..963c07abc9 100644 --- a/charts/consul/templates/create-federation-secret-job.yaml +++ b/charts/consul/templates/create-federation-secret-job.yaml 
@@ -3,6 +3,7 @@ {{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} {{- if eq (int .Values.server.updatePartition) 0 }} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} apiVersion: batch/v1 kind: Job metadata: diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index 841dbabd27..6591aad319 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml @@ -3,6 +3,7 @@ {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} {{- $root := . }} {{- $defaults := .Values.ingressGateways.defaults }} diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index a7e03aa8f9..c5eb653144 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml 
@@ -6,6 +6,8 @@ {{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} + apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml index 4890874a33..49c2dd6d66 100644 --- a/charts/consul/templates/server-acl-init-job.yaml +++ b/charts/consul/templates/server-acl-init-job.yaml 
@@ -8,6 +8,7 @@ {{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} {{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} {{- /* We don't render this job when server.updatePartition > 0 because that means a server rollout is in progress and this job won't complete unless diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 1c82002776..2bb6108bab 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml 
@@ -16,6 +16,7 @@ {{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} {{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} # StatefulSet to run the actual Consul server cluster. apiVersion: apps/v1 kind: StatefulSet @@ -348,7 +349,7 @@ spec: {{- end }} {{- end }} -config-file=/consul/extra-config/extra-from-values.json - {{- if and .Values.global.cloud.enabled .Values.global.cloud.secretName }} + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" {{- end }} volumeMounts: diff --git a/charts/consul/templates/sync-catalog-deployment.yaml b/charts/consul/templates/sync-catalog-deployment.yaml index 2a7e0d18c2..e1dbd1ce61 100644 --- a/charts/consul/templates/sync-catalog-deployment.yaml +++ b/charts/consul/templates/sync-catalog-deployment.yaml @@ -2,6 +2,7 @@ {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} {{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} # The deployment for running the sync-catalog pod apiVersion: apps/v1 kind: Deployment 
diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index 2e12b45337..2a262d646e 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -2,6 +2,7 @@ {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validateCloudSecretKeys" . }} {{- $root := . }} {{- $defaults := .Values.terminatingGateways.defaults }} diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats index f6b3446579..e14d06dd1e 100755 --- a/charts/consul/test/unit/api-gateway-controller-deployment.bats +++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats @@ -971,7 +971,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set,thetemplate fails." { +@test "apiGateway/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ 
@@ -993,7 +993,7 @@ load _helpers [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set,the template fails." { +@test "apiGateway/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ @@ -1018,7 +1018,7 @@ load _helpers [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set,the template fails." { +@test "apiGateway/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ @@ -1043,7 +1043,7 @@ load _helpers [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set,the template fails." { +@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ 
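Review bot: The retitled tests in the `-993` and `-1018` hunks still spell the key `authURL` (`global.cloud.authURL.secretName`), while the asserted message visible as context uses `authUrl`. Helm value paths are case-sensitive, so a reader who copies the key from the test title into a `--set` flag or a values file would set a key the chart does not read. I would title them `fails when global.cloud.authUrl.secretName is set but global.cloud.authUrl.secretKey is not set.` and likewise for the secretKey-only case.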
@@ -1068,7 +1068,7 @@ load _helpers [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set,the template fails." { +@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ @@ -1093,7 +1093,7 @@ load _helpers [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set,the template fails." { +@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ @@ -1115,10 +1115,10 @@ load _helpers [ "$status" -eq 1 ] echo "$output" - [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.scadaAddress is defined, both must be set." ]] + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set,the template fails." { +@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index f5393e4f24..e1107a9bd4 100755 
--- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats 
@@ -2628,19 +2628,231 @@ rollingUpdate: #-------------------------------------------------------------------- # global.cloud +@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'client.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} -@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-daemonset.yaml \ - --set 'global.acls.manageSystemACLs=true' \ + --set 'client.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'client.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'client.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "client/DaemonSet: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'client.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." 
]] +} + +@test "client/DaemonSet: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'client.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.datacenter=dc-foo' \ --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/client-snapshot-agent-deployment.bats b/charts/consul/test/unit/client-snapshot-agent-deployment.bats index 457495b9c8..1e72b84f0c 100644 --- a/charts/consul/test/unit/client-snapshot-agent-deployment.bats +++ b/charts/consul/test/unit/client-snapshot-agent-deployment.bats 
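Review bot: The case titled "client/DaemonSet: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." renders `-s templates/api-gateway-controller-deployment.yaml \`, so the DaemonSet's apiHost name/key check is never exercised by it. It should use `-s templates/client-daemonset.yaml \` like the other cases in this hunk. The resourceId-missing case, the resourceId.secretKey case and both authUrl cases also pass `--set 'apiGateway.enabled=true' \` and `--set 'apiGateway.image=foo' \` where the other cases pass `--set 'client.enabled=true' \`, which looks like a copy from the api-gateway tests. Because these cases are the guard that a cloud-enabled install cannot render with a missing secret reference, each one should target the workload named in its title. The titles also spell the key `authURL` while the values and the asserted message use `authUrl`.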
@@ -1157,7 +1157,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ #-------------------------------------------------------------------- # global.cloud -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-snapshot-agent-deployment.yaml \ 
@@ -1167,8 +1167,218 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.datacenter=dc-foo' \ --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." 
]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "client/SnapshotAgentDeployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index cd65be8839..0f2d5de647 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats 
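Review bot: The case "client/SnapshotAgentDeployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." renders `-s templates/client-daemonset.yaml \` with `--set 'apiGateway.enabled=true' \`, so it does not test the snapshot agent deployment at all. It should use `-s templates/client-snapshot-agent-deployment.yaml \` and `--set 'client.snapshotAgent.enabled=true' \`, as the neighbouring cases do. Separately, the first case (its `@test` line is in the preceding hunk) sets `global.cloud.clientSecret.secretName=client-id-name`; a fixture value such as `client-secret-name` would make it obvious which reference is deliberately left out.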
@@ -2329,20 +2329,213 @@ reservedNameTest() { #-------------------------------------------------------------------- # global.cloud -@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ + -s templates/client-daemonset.yaml \ + --set 'client.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.datacenter=dc-foo' \ + --set 'global.domain=bar' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} + +@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/client-daemonset.yaml \ + --set 'client.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.datacenter=dc-foo' \ --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} + +@test "connectInject/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "connectInject/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." 
]] +} + +@test "connectInject/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "connectInject/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "connectInject/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "connectInject/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "connectInject/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." 
]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @test "connectInject/Deployment: sets TLS server name if global.cloud.enabled is set" { @@ -2353,7 +2546,12 @@ reservedNameTest() { --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index 9c9cadc404..ee47bb0784 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats 
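Review bot: The first two "connectInject/Deployment" cases (clientId.secretName missing, clientSecret.secretName missing) now render `-s templates/client-daemonset.yaml \` with `--set 'client.enabled=true' \`. The rewritten first case drops the original `-s templates/connect-inject-deployment.yaml \` and `--set 'connectInject.enabled=true' \` lines. As far as this hunk shows, that leaves the connect-inject template with no test that a missing client-id or client-secret reference is rejected, so a regression in that validation would pass CI. Restore the two connect-inject lines in both cases; the third and later cases in the hunk already target the right template.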
@@ -846,22 +846,210 @@ load _helpers #-------------------------------------------------------------------- # global.cloud -@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ --set 'controller.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] } +@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { + cd `chart_dir` + run helm template \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "controller/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/controller-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + + @test "controller/Deployment: sets TLS server name if global.cloud.enabled is set" { cd `chart_dir` local actual=$(helm template \ @@ -870,7 +1058,12 @@ load _helpers --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats index 7d0f318d1f..b84feecebe 100644 --- a/charts/consul/test/unit/ingress-gateways-deployment.bats 
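Review bot: The two `global.cloud.apiHost` tests added in this hunk ("apiHost.secretName is set but ... secretKey is not set" and the reverse) call `helm template` without `-s templates/controller-deployment.yaml`, unlike every other test in the hunk. Without the selector, helm renders the whole chart, so the exit status 1 and the matched message can come from any template that runs the cloud validation. Both tests would then keep passing even if the controller deployment stopped validating these values. Add `-s templates/controller-deployment.yaml \` as the first argument after `run helm template \` in both tests. Separately, the `authURL` spelling in the test titles differs from the `global.cloud.authUrl` key the tests set and match; using `authUrl` in the titles makes them findable by the key name.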
+++ b/charts/consul/test/unit/ingress-gateways-deployment.bats 
@@ -1146,21 +1146,239 @@ key2: value2' \ #-------------------------------------------------------------------- # global.cloud -@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/ingress-gateways-deployment.yaml \ --set 'ingressGateways.enabled=true' \ --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "ingressGateways/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \ + --set 'ingressGateways.gateways[0].name=gateway1' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @test "ingressGateways/Deployment: sets TLS server name if global.cloud.enabled is set" { 
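Review bot: The name/key pairing tests added in this hunk cover `authUrl`, `apiHost` and `scadaAddress` in both directions, but `resourceId` only with `secretKey` missing, and `clientId` and `clientSecret` not at all. No test here pins what happens when a values file names the client-secret Secret without a key. `clientSecret` is the credential among these values, so it is the pair most worth covering; a test like the one below does that, and a matching one for `clientId` would complete the set. The same gap is in the controller-deployment.bats and mesh-gateway-deployment.bats hunks of this patch. The expected message is inferred from the wording of the other pairing checks and should be confirmed against the helper, which is not visible in this hunk.

```shell
@test "ingressGateways/Deployment: fails when global.cloud.clientSecret.secretName is set but global.cloud.clientSecret.secretKey is not set." {
  cd `chart_dir`
  run helm template \
      -s templates/ingress-gateways-deployment.yaml \
      --set 'ingressGateways.enabled=true' \
      --set 'connectInject.enabled=true' \
      --set 'global.tls.enabled=true' \
      --set 'global.tls.enableAutoEncrypt=true' \
      --set 'global.cloud.enabled=true' \
      --set 'global.cloud.clientId.secretName=client-id-name' \
      --set 'global.cloud.clientId.secretKey=client-id-key' \
      --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
      --set 'global.cloud.resourceId.secretName=resource-id-name' \
      --set 'global.cloud.resourceId.secretKey=resource-id-key' \
      .

  [ "$status" -eq 1 ]
  # Message text inferred from the other pairing checks; confirm against the helper.
  [[ "$output" =~ "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set." ]]
}
```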
@@ -1174,7 +1392,12 @@ key2: value2' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats index 1edbee0419..6d28a92dfe 100755 --- a/charts/consul/test/unit/mesh-gateway-deployment.bats +++ b/charts/consul/test/unit/mesh-gateway-deployment.bats 
@@ -1337,21 +1337,219 @@ key2: value2' \ #-------------------------------------------------------------------- # global.cloud -@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." 
]] +} + +@test "meshGateway/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "meshGateway/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @test "meshGateway/Deployment: sets TLS server name if global.cloud.enabled is set" { 
@@ -1363,7 +1561,12 @@ key2: value2' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/charts/consul/test/unit/partition-init-job.bats b/charts/consul/test/unit/partition-init-job.bats index 4d4193be4d..6ca4f0cf6a 100644 --- a/charts/consul/test/unit/partition-init-job.bats +++ b/charts/consul/test/unit/partition-init-job.bats 
@@ -585,10 +585,288 @@ reservedNameTest() { #-------------------------------------------------------------------- # global.cloud +@test "partitionInit/Job: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/partition-init-job.yaml \ + --set 'global.enabled=false' \ + --set 'global.adminPartitions.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set "global.adminPartitions.name=bar" \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.hosts[0]=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/mesh-gateway-deployment.yaml \
+ --set 'connectInject.enabled=true' \
+ --set 'meshGateway.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." {
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set."
{
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.authUrl.secretName=auth-url-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set."
{
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.authUrl.secretKey=auth-url-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set."
{
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.apiHost.secretName=auth-url-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set."
{
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.apiHost.secretKey=auth-url-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set."
{
+ cd `chart_dir`
+ run helm template \
+ -s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set 'global.enableConsulNamespaces=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/Job: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set."
{ + cd `chart_dir` + run helm template \ + -s templates/partition-init-job.yaml \ + --set 'global.enabled=false' \ + --set 'global.adminPartitions.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set "global.adminPartitions.name=bar" \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.hosts[0]=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.tls.caCert.secretName=foo' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + @test "partitionInit/Job: sets TLS server name if global.cloud.enabled is set" { cd `chart_dir` local actual=$(helm template \ --s templates/partition-init-job.yaml \ + -s templates/partition-init-job.yaml \ --set 'global.enabled=false' \ --set 'global.adminPartitions.enabled=true' \ --set 'global.enableConsulNamespaces=true' \ 
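Review bot: The second test added in this hunk, `partitionInit/Job: fails when ... global.cloud.clientSecret.secretName is not set ...`, renders `-s templates/mesh-gateway-deployment.yaml` with `connectInject.enabled` and `meshGateway.enabled`, so it checks the mesh gateway template and never exercises the partition-init job. It should use `-s templates/partition-init-job.yaml` with the same `global.adminPartitions.*` and `externalServers.*` settings as its neighbours. The hunk also has no case for `clientId` or `clientSecret` given a `secretName` without a `secretKey`; if the chart validates those pairs (the helper is not visible here), the credential references deserve the same name/key coverage that `resourceId` gets. The titles of the auth URL cases say `global.cloud.authURL` while the values set are `global.cloud.authUrl.*`; the same mismatch appears in the server-acl-init-job.bats hunk, and the titles should use the value's spelling.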
@@ -601,7 +879,12 @@ reservedNameTest() { --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats index d05b4ea6aa..d3c1b31381 100644 --- a/charts/consul/test/unit/server-acl-init-job.bats +++ b/charts/consul/test/unit/server-acl-init-job.bats 
@@ -1890,21 +1890,199 @@ load _helpers #-------------------------------------------------------------------- # global.cloud -@test "serverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/server-acl-init-job.yaml \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/server-acl-init-job.yaml \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . 
+
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
+}
+
+@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
+}
+
+@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."
]]
+}
+
+@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.authUrl.secretName=auth-url-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.authUrl.secretKey=auth-url-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."
]]
+}
+
+@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.apiHost.secretName=auth-url-name' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
+}
+
+@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.clientId.secretName=client-id-name' \
+ --set 'global.cloud.clientId.secretKey=client-id-key' \
+ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
+ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
+ --set 'global.cloud.resourceId.secretName=resource-id-name' \
+ --set 'global.cloud.resourceId.secretKey=resource-id-key' \
+ --set 'global.cloud.apiHost.secretKey=auth-url-key' \
+ .
+
+ [ "$status" -eq 1 ]
+ echo "$output"
+ [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."
]] +} + +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/server-acl-init-job.yaml \ + --set 'global.acls.manageSystemACLs=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { cd `chart_dir` run helm template \ -s templates/server-acl-init-job.yaml \ - --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . 
[ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @test "serverACLInit/Job: sets TLS server name if global.cloud.enabled is set" { @@ -1914,7 +2092,12 @@ load _helpers --set 'global.acls.manageSystemACLs=true' \ --set 'global.tls.enabled=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats index d8670dd753..5c52decd24 100755 --- a/charts/consul/test/unit/server-statefulset.bats +++ b/charts/consul/test/unit/server-statefulset.bats 
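Review bot: Every test added in the first server-acl-init-job.bats hunk is titled `partitionInit/JobserverACLInit/Job: ...`, which looks like a search-and-replace leftover from the partition-init tests. The prefix should be `serverACLInit/Job:`, as in the unchanged `serverACLInit/Job: sets TLS server name if global.cloud.enabled is set` test that follows, so a failure report names the component whose secret validation actually broke. The first of these tests also sets `global.cloud.clientSecret.secretName=client-id-name`; a value such as `client-secret-name` would make the intended field clear when reading a failure.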
@@ -1961,12 +1961,17 @@ load _helpers } -@test "server/StatefulSet: cloud config is set in command when global.cloud.enabled is set" { +@test "server/StatefulSet: cloud config is set in command when global.cloud.enabled and global.cloud.resourceId are set" { cd `chart_dir` local object=$(helm template \ -s templates/server-statefulset.yaml \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=foo' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr) local actual=$(echo "$object" | @@ -1975,12 +1980,17 @@ load _helpers } -@test "server/StatefulSet: creates HCP_RESOURCE_ID, HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, HCP_SCADA_ADDRESS, and HCP_API_HOSTNAME envvars in consul container when global.cloud.enabled is set" { +@test "server/StatefulSet: creates HCP_RESOURCE_ID, HCP_CLIENT_ID, HCP_CLIENT_SECRET envvars in consul container when global.cloud.enabled is set" { cd `chart_dir` local object=$(helm template \ -s templates/server-statefulset.yaml \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=foo' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr ) local container=$(echo "$object" | 
@@ -1992,11 +2002,11 @@ load _helpers local actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] + [ "${actual}" = "client-id-name" ] actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "client-id" ] + [ "${actual}" = "client-id-key" ] # HCP_CLIENT_SECRET envvar=$(echo "$container" | @@ -2004,11 +2014,11 @@ load _helpers local actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] + [ "${actual}" = "client-secret-name" ] actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "client-secret" ] + [ "${actual}" = "client-secret-key" ] # HCP_RESOURCE_ID envvar=$(echo "$container" | 
@@ -2016,11 +2026,35 @@ load _helpers local actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] + [ "${actual}" = "resource-id-name" ] actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "resource-id" ] + [ "${actual}" = "resource-id-key" ] +} + +@test "server/StatefulSet: creates HCP_AUTH_URL, HCP_SCADA_ADDRESS, and HCP_API_HOSTNAME envvars in consul container when global.cloud.enabled is set and those cloud values are specified" { + cd `chart_dir` + local object=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.secretName=foo' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + --set 'global.cloud.apiHost.secretName=api-host-name' \ + --set 'global.cloud.apiHost.secretKey=api-host-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ + . | tee /dev/stderr ) + + local container=$(echo "$object" | + yq -r '.spec.template.spec.containers[] | select(.name == "consul")' | tee /dev/stderr) # HCP_AUTH_URL envvar=$(echo "$container" | 
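Review bot: The new test for the optional endpoint variables still passes `--set 'global.cloud.secretName=foo'`, the single-secret value that this change replaces with per-field `secretName`/`secretKey` references. Drop that line so the test exercises only the new values and does not suggest the old key is still read. The title names `HCP_API_HOSTNAME`, while the assertions further down (in the following hunks) sit under the `# HCP_API_HOST` comment; the title should say `HCP_API_HOST`. The test body continues past this hunk.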
@@ -2028,11 +2062,13 @@ load _helpers local actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] + echo "actual: $actual" + + [ "${actual}" = "auth-url-name" ] actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "auth-url" ] + [ "${actual}" = "auth-url-key" ] # HCP_API_HOST envvar=$(echo "$container" | @@ -2040,11 +2076,11 @@ load _helpers local actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] + [ "${actual}" = "api-host-name" ] actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "api-hostname" ] + [ "${actual}" = "api-host-key" ] # HCP_SCADA_ADDRESS envvar=$(echo "$container" | @@ -2052,11 +2088,11 @@ load _helpers local actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.name' | tee /dev/stderr) - [ "${actual}" = "foo" ] + [ "${actual}" = "scada-address-name" ] actual=$(echo "$envvar" | yq -r '.valueFrom.secretKeyRef.key' | tee /dev/stderr) - [ "${actual}" = "scada-address" ] + [ "${actual}" = "scada-address-key" ] } @test "server/StatefulSet: cloud config is set in command global.cloud.enabled is not set" { 
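Review bot: The added `echo "actual: $actual"` in the `HCP_AUTH_URL` assertions looks like leftover debugging and can be removed; the same value is already written to stderr by the `tee /dev/stderr` on the line before it. None of the other secret-reference assertions in these hunks print it, so removing it keeps the test output uniform. The enclosing test starts in the previous hunk and continues past this one.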
@@ -2079,13 +2115,213 @@ load _helpers [ "${actual}" = '[{"name":"ACL_BOOTSTRAP_TOKEN","valueFrom":{"secretKeyRef":{"name":"name","key":"key"}}}]' ] } -@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { cd `chart_dir` run helm template \ -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." 
]] +} + +@test "server/StatefulSet: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "server/StatefulSet: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/server-statefulset.yaml \ + --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/sync-catalog-deployment.bats b/charts/consul/test/unit/sync-catalog-deployment.bats index 29a1e9cf5b..93b25cc304 100755 --- a/charts/consul/test/unit/sync-catalog-deployment.bats +++ b/charts/consul/test/unit/sync-catalog-deployment.bats 
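Review bot: The pairing tests added in this hunk cover `resourceId`, `authUrl`, `apiHost` and `scadaAddress`, but none covers `global.cloud.clientId` or `global.cloud.clientSecret` with a `secretName` and no `secretKey` (or the reverse), and those two carry the actual HCP credentials. If `consul.validateCloudSecretKeys` (not visible here) checks them, a test per pair like the one sketched below would pin that; if it does not, a `secretKeyRef` with an empty `key` would presumably only surface when the pod fails to start. `resourceId` is likewise tested in one direction only, and several titles say `authURL` while the value path is `authUrl`. The existing tests call `echo "$output"` after the status assertion, so a wrong exit status hides the render output; the sketch prints first. The same gaps repeat in the sync-catalog-deployment.bats and terminating-gateways-deployment.bats hunks.

```bash
@test "server/StatefulSet: fails when global.cloud.clientSecret.secretName is set but global.cloud.clientSecret.secretKey is not set." {
  cd `chart_dir`
  run helm template \
      -s templates/server-statefulset.yaml \
      --set 'global.cloud.enabled=true' \
      --set 'global.cloud.clientId.secretName=client-id-name' \
      --set 'global.cloud.clientId.secretKey=client-id-key' \
      --set 'global.cloud.clientSecret.secretName=client-secret-name' \
      --set 'global.cloud.resourceId.secretName=resource-id-name' \
      --set 'global.cloud.resourceId.secretKey=resource-id-key' \
      .

  # Print before asserting so a wrong exit status still shows the render output.
  echo "$output"
  [ "$status" -eq 1 ]
  # Also match the message consul.validateCloudSecretKeys emits for this pair.
}
```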
@@ -1503,18 +1503,187 @@ reservedNameTest() { #-------------------------------------------------------------------- # global.cloud -@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." 
{ + cd `chart_dir` + run helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "syncCatalog/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { cd `chart_dir` run helm template \ -s templates/sync-catalog-deployment.yaml \ --set 'syncCatalog.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats index 652fc6c73d..3e1e4aa38b 100644 --- a/charts/consul/test/unit/terminating-gateways-deployment.bats +++ b/charts/consul/test/unit/terminating-gateways-deployment.bats 
@@ -1194,22 +1194,192 @@ key2: value2' \ #-------------------------------------------------------------------- # global.cloud -@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.secretName is not set" { +@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/terminating-gateways-deployment.yaml \ --set 'terminatingGateways.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientSecret.secretName=client-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + . 
+ + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + . + + [ "$status" -eq 1 ] + [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." 
]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.authUrl.secretKey=auth-url-key' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." 
]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretName=auth-url-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/mesh-gateway-deployment.yaml \ --set 'connectInject.enabled=true' \ + --set 'meshGateway.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." 
]] + echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ + . + + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] +} + +@test "terminatingGateways/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." { + cd `chart_dir` + run helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'global.cloud.enabled=true' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ + --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ + . 
+ + [ "$status" -eq 1 ] + echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @test "terminatingGateways/Deployment: sets TLS server name if global.cloud.enabled is set" { @@ -1217,12 +1387,15 @@ key2: value2' \ local actual=$(helm template \ -s templates/terminating-gateways-deployment.yaml \ --set 'terminatingGateways.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ --set 'global.tls.enableAutoEncrypt=true' \ --set 'global.cloud.enabled=true' \ - --set 'global.cloud.secretName=blah' \ + --set 'global.cloud.clientId.secretName=client-id-name' \ + --set 'global.cloud.clientId.secretKey=client-id-key' \ + --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ + --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ + --set 'global.cloud.resourceId.secretName=resource-id-name' \ + --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] From 8806ae63a3a30f26c40c012d6a780749066e96b2 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 11 Oct 2022 06:45:32 -0600 Subject: [PATCH 04/11] add changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 03960a7d6b..fe97be5f69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
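Review bot: The test titled `terminatingGateways/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set.` renders `templates/mesh-gateway-deployment.yaml` with `connectInject.enabled` and `meshGateway.enabled`, so it never exercises the terminating-gateways template. It presumably passes only because the mesh gateway template runs the same validation, which leaves this case uncovered for terminating gateways. It should use `-s templates/terminating-gateways-deployment.yaml \` and `--set 'terminatingGateways.enabled=true' \` like the neighbouring tests in this hunk.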
@@ -22,7 +22,7 @@ BREAKING CHANGES: BUG FIXES: * CLI - * Pass required environment variables to the CLI for cluster bootstrapping. [[GH-1593](https://github.com/hashicorp/consul-k8s/pull/1593)] + * Allow optional environment variables for use in the cloud preset to the CLI for cluster bootstrapping. [[GH-1608](https://github.com/hashicorp/consul-k8s/pull/1608)] * Configure `-tls-server-name` when `global.cloud.enabled=true` so that it matches the server certificate created via HCP [[GH-1591](https://github.com/hashicorp/consul-k8s/pull/1591)] * Do not query clients in the status command since clients no longer exist. [[GH-1573](https://github.com/hashicorp/consul-k8s/pull/1573)] From dd54718221a868aa55518f547693295fbf89bcdb Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 11 Oct 2022 06:52:07 -0600 Subject: [PATCH 05/11] changing validateCloudSecretNames to validaterequiredCloudSecretsExist --- charts/consul/templates/_helpers.tpl | 4 ++-- .../consul/templates/api-gateway-controller-deployment.yaml | 2 +- charts/consul/templates/client-daemonset.yaml | 2 +- charts/consul/templates/client-snapshot-agent-deployment.yaml | 2 +- charts/consul/templates/connect-inject-deployment.yaml | 2 +- charts/consul/templates/controller-deployment.yaml | 2 +- charts/consul/templates/create-federation-secret-job.yaml | 2 +- charts/consul/templates/ingress-gateways-deployment.yaml | 2 +- charts/consul/templates/mesh-gateway-deployment.yaml | 2 +- charts/consul/templates/server-acl-init-job.yaml | 2 +- charts/consul/templates/server-statefulset.yaml | 2 +- charts/consul/templates/sync-catalog-deployment.yaml | 2 +- charts/consul/templates/terminating-gateways-deployment.yaml | 2 +- 13 files changed, 14 insertions(+), 14 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 4e3b735be7..9d6ce469bb 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -376,10 +376,10 @@ Fails global.cloud.enabled is true and one of the following secrets is nil or em - global.cloud.clientId.secretName - global.cloud.clientSecret.secretName -Usage: {{ template "consul.validateCloudSecretNames" . }} +Usage: {{ template "consul.validaterequiredCloudSecretsExist" . }} */}} -{{- define "consul.validateCloudSecretNames" -}} +{{- define "consul.validaterequiredCloudSecretsExist" -}} {{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} {{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} {{- end }} diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml index 044e81f069..5104da3cda 100644 --- a/charts/consul/templates/api-gateway-controller-deployment.yaml +++ b/charts/consul/templates/api-gateway-controller-deployment.yaml @@ -2,7 +2,7 @@ {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} {{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validaterequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index fcb703d604..8345926101 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml 
@@ -10,7 +10,7 @@
 {{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 # DaemonSet to run the Consul clients on every node.
 apiVersion: apps/v1
diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml
index 010a7ee87f..fe86668b44 100644
--- a/charts/consul/templates/client-snapshot-agent-deployment.yaml
+++ b/charts/consul/templates/client-snapshot-agent-deployment.yaml
@@ -2,7 +2,7 @@
 {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}}
 {{- if .Values.client.snapshotAgent.enabled }}
 {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index ea6eac42da..bd0b7cfe8a 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -7,7 +7,7 @@
 {{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}}
 {{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index 16c5ed30de..ca47d435b0 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -2,7 +2,7 @@
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
 {{ template "consul.validateVaultWebhookCertConfiguration" . }}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml
index 963c07abc9..fcf99b620d 100644
--- a/charts/consul/templates/create-federation-secret-job.yaml
+++ b/charts/consul/templates/create-federation-secret-job.yaml
@@ -2,7 +2,7 @@
 {{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }}
 {{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }}
 {{- if eq (int .Values.server.updatePartition) 0 }}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: batch/v1
 kind: Job
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml
index 6591aad319..b6eefdfc43 100644
--- a/charts/consul/templates/ingress-gateways-deployment.yaml
+++ b/charts/consul/templates/ingress-gateways-deployment.yaml
@@ -2,7 +2,7 @@ {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validaterequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} {{- $root := . }} diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index c5eb653144..0ba6d55b9e 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml @@ -5,7 +5,7 @@ {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} -{{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validaterequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 
diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
index 49c2dd6d66..27c40920e1 100644
--- a/charts/consul/templates/server-acl-init-job.yaml
+++ b/charts/consul/templates/server-acl-init-job.yaml
@@ -7,7 +7,7 @@
 {{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}}
 {{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}}
 {{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
 {{- /* We don't render this job when server.updatePartition > 0 because that
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index 2bb6108bab..ab2e42406a 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
@@ -15,7 +15,7 @@
 {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}}
 {{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}}
-{{ template "consul.validateCloudSecretNames" . }}
+{{ template "consul.validaterequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 # StatefulSet to run the actual Consul server cluster.
 apiVersion: apps/v1
diff --git a/charts/consul/templates/sync-catalog-deployment.yaml b/charts/consul/templates/sync-catalog-deployment.yaml
index e1dbd1ce61..bc601da34a 100644
--- a/charts/consul/templates/sync-catalog-deployment.yaml
+++ b/charts/consul/templates/sync-catalog-deployment.yaml
@@ -1,7 +1,7 @@ {{- $clientEnabled := (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} {{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} -{{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validaterequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} # The deployment for running the sync-catalog pod apiVersion: apps/v1 diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index 2a262d646e..a4668a93c3 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -1,7 +1,7 @@ {{- if .Values.terminatingGateways.enabled }} {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validateCloudSecretNames" . }} +{{ template "consul.validaterequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} {{- $root := . }} From 6ca601f08d1b0226d6d9e2ca7ba147fbb004a1a6 Mon Sep 17 00:00:00 2001 
From: John Murret Date: Tue, 11 Oct 2022 08:52:46 -0600 Subject: [PATCH 06/11] PR feedback --- charts/consul/templates/_helpers.tpl | 4 ++-- .../api-gateway-controller-deployment.yaml | 2 +- charts/consul/templates/client-daemonset.yaml | 2 +- .../client-snapshot-agent-deployment.yaml | 2 +- .../templates/connect-inject-deployment.yaml | 2 +- .../templates/controller-deployment.yaml | 2 +- .../create-federation-secret-job.yaml | 2 +- .../ingress-gateways-deployment.yaml | 2 +- .../templates/mesh-gateway-deployment.yaml | 2 +- .../consul/templates/server-acl-init-job.yaml | 2 +- .../consul/templates/server-statefulset.yaml | 4 ++-- .../templates/sync-catalog-deployment.yaml | 2 +- .../terminating-gateways-deployment.yaml | 2 +- .../api-gateway-controller-deployment.bats | 18 +++++++-------- charts/consul/test/unit/client-daemonset.bats | 18 +++++++-------- .../client-snapshot-agent-deployment.bats | 18 +++++++-------- .../test/unit/connect-inject-deployment.bats | 18 +++++++-------- .../test/unit/controller-deployment.bats | 18 +++++++-------- .../unit/ingress-gateways-deployment.bats | 18 +++++++-------- .../test/unit/mesh-gateway-deployment.bats | 18 +++++++-------- .../consul/test/unit/partition-init-job.bats | 18 +++++++-------- .../consul/test/unit/server-acl-init-job.bats | 18 +++++++-------- .../consul/test/unit/server-statefulset.bats | 22 +++++++++---------- .../test/unit/sync-catalog-deployment.bats | 18 +++++++-------- .../unit/terminating-gateways-deployment.bats | 18 +++++++-------- 25 files changed, 125 insertions(+), 125 deletions(-) diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 9d6ce469bb..9ea3b2f903 100644 --- a/charts/consul/templates/_helpers.tpl +++ b/charts/consul/templates/_helpers.tpl 
@@ -376,10 +376,10 @@ Fails global.cloud.enabled is true and one of the following secrets is nil or em - global.cloud.clientId.secretName - global.cloud.clientSecret.secretName -Usage: {{ template "consul.validaterequiredCloudSecretsExist" . }} +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} */}} -{{- define "consul.validaterequiredCloudSecretsExist" -}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} {{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} {{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} {{- end }} diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml index 5104da3cda..a611fdd2d3 100644 --- a/charts/consul/templates/api-gateway-controller-deployment.yaml +++ b/charts/consul/templates/api-gateway-controller-deployment.yaml @@ -2,7 +2,7 @@ {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} {{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validaterequiredCloudSecretsExist" . }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 kind: Deployment diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index 8345926101..1ef1858c22 100644 --- a/charts/consul/templates/client-daemonset.yaml 
+++ b/charts/consul/templates/client-daemonset.yaml
@@ -10,7 +10,7 @@
 {{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 # DaemonSet to run the Consul clients on every node.
 apiVersion: apps/v1
diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml
index fe86668b44..ca87a3d014 100644
--- a/charts/consul/templates/client-snapshot-agent-deployment.yaml
+++ b/charts/consul/templates/client-snapshot-agent-deployment.yaml
@@ -2,7 +2,7 @@
 {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}}
 {{- if .Values.client.snapshotAgent.enabled }}
 {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index bd0b7cfe8a..92648309ab 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -7,7 +7,7 @@
 {{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}}
 {{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index ca47d435b0..c8b884d2c9 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -2,7 +2,7 @@
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
 {{ template "consul.validateVaultWebhookCertConfiguration" . }}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml
index fcf99b620d..40b81957d1 100644
--- a/charts/consul/templates/create-federation-secret-job.yaml
+++ b/charts/consul/templates/create-federation-secret-job.yaml
@@ -2,7 +2,7 @@
 {{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }}
 {{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }}
 {{- if eq (int .Values.server.updatePartition) 0 }}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: batch/v1
 kind: Job
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml
index b6eefdfc43..2c8a5d65da 100644
--- a/charts/consul/templates/ingress-gateways-deployment.yaml
+++ b/charts/consul/templates/ingress-gateways-deployment.yaml
@@ -2,7 +2,7 @@ {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} -{{ template "consul.validaterequiredCloudSecretsExist" . }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} {{- $root := . }} diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index 0ba6d55b9e..daec987816 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml @@ -5,7 +5,7 @@ {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} {{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} -{{ template "consul.validaterequiredCloudSecretsExist" . }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} apiVersion: apps/v1 
diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
index 27c40920e1..7bb955161f 100644
--- a/charts/consul/templates/server-acl-init-job.yaml
+++ b/charts/consul/templates/server-acl-init-job.yaml
@@ -7,7 +7,7 @@
 {{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}}
 {{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}}
 {{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
 {{- /* We don't render this job when server.updatePartition > 0 because that
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index ab2e42406a..7a43910e2e 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
@@ -15,7 +15,7 @@
 {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}}
 {{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}}
-{{ template "consul.validaterequiredCloudSecretsExist" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
 {{ template "consul.validateCloudSecretKeys" . }}
 # StatefulSet to run the actual Consul server cluster.
 apiVersion: apps/v1
@@ -255,7 +255,7 @@ spec:
 name: {{ .Values.global.acls.replicationToken.secretName | quote }}
 key: {{ .Values.global.acls.replicationToken.secretKey | quote }}
 {{- end }}
- {{- if and .Values.global.cloud.enabled}}
+ {{- if .Values.global.cloud.enabled}}
 # These are mounted as secrets so that the consul server agent can use them.
 # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL,
 # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done.
diff --git a/charts/consul/templates/sync-catalog-deployment.yaml b/charts/consul/templates/sync-catalog-deployment.yaml
index bc601da34a..c25e113e35 100644
--- a/charts/consul/templates/sync-catalog-deployment.yaml
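Review bot: The comment kept directly under the new `{{- if .Values.global.cloud.enabled}}` guard in the second hunk says the HCP values are "mounted as secrets", yet the names it lists (`HCP_CLIENT_ID`, `HCP_CLIENT_SECRET`, `HCP_RESOURCE_ID`, …) are environment variables, so the wording should be corrected while this line is being touched, e.g. `# These are injected as environment variables sourced from Kubernetes Secrets so that the consul server agent can read them.` The difference matters when assessing exposure, because environment values sit in the container's process environment and are inherited by child processes, whereas a mounted secret is a file with its own permissions. The guarded block continues past the end of this hunk; the `secretKeyRef` entries added earlier in this series appear to emit `name:` and `key:` without `| quote`, unlike the `replicationToken` reference in the context lines just above. Writing `name: {{ .Values.global.cloud.clientId.secretName | quote }}` (and likewise for `key:` and the other cloud entries) would keep a numeric- or boolean-looking value from being retyped by the YAML parser.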
+++ b/charts/consul/templates/sync-catalog-deployment.yaml @@ -1,7 +1,7 @@ {{- $clientEnabled := (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} {{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} -{{ template "consul.validaterequiredCloudSecretsExist" . }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} # The deployment for running the sync-catalog pod apiVersion: apps/v1 diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index a4668a93c3..1c36275375 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -1,7 +1,7 @@ {{- if .Values.terminatingGateways.enabled }} {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validaterequiredCloudSecretsExist" . }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} {{- $root := . }} diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats index e14d06dd1e..aef6506975 100755 --- a/charts/consul/test/unit/api-gateway-controller-deployment.bats 
+++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats @@ -908,7 +908,7 @@ load _helpers #-------------------------------------------------------------------- # global.cloud -@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "apiGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ @@ -929,7 +929,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "apiGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ 
@@ -950,7 +950,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "apiGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "apiGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/api-gateway-controller-deployment.yaml \ @@ -1014,7 +1014,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1039,7 +1039,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1064,7 +1064,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1089,7 +1089,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1114,7 +1114,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1139,6 +1139,6 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index e1107a9bd4..3b4684dafe 100755 --- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats @@ -2628,7 +2628,7 @@ rollingUpdate: #-------------------------------------------------------------------- # global.cloud -@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "client/DaemonSet: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-daemonset.yaml \ @@ -2648,7 +2648,7 @@ rollingUpdate: [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "client/DaemonSet: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-daemonset.yaml \ 
@@ -2668,7 +2668,7 @@ rollingUpdate: [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "client/DaemonSet: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "client/DaemonSet: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-daemonset.yaml \ @@ -2732,7 +2732,7 @@ rollingUpdate: . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -2757,7 +2757,7 @@ rollingUpdate: . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -2781,7 +2781,7 @@ rollingUpdate: . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2805,7 +2805,7 @@ rollingUpdate: . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2829,7 +2829,7 @@ rollingUpdate: . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -2853,6 +2853,6 @@ rollingUpdate: . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
diff --git a/charts/consul/test/unit/client-snapshot-agent-deployment.bats b/charts/consul/test/unit/client-snapshot-agent-deployment.bats index 1e72b84f0c..5fca692bc0 100644 --- a/charts/consul/test/unit/client-snapshot-agent-deployment.bats +++ b/charts/consul/test/unit/client-snapshot-agent-deployment.bats @@ -1157,7 +1157,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ #-------------------------------------------------------------------- # global.cloud -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-snapshot-agent-deployment.yaml \ @@ -1177,7 +1177,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-snapshot-agent-deployment.yaml \ 
@@ -1197,7 +1197,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-snapshot-agent-deployment.yaml \ @@ -1259,7 +1259,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1283,7 +1283,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1307,7 +1307,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1331,7 +1331,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } 
@@ -1355,7 +1355,7 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1379,6 +1379,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 0f2d5de647..8f0d3cd971 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -2329,7 +2329,7 @@ reservedNameTest() { #-------------------------------------------------------------------- # global.cloud -@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "connectInject/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-daemonset.yaml \ 
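Review bot: The `connectInject/Deployment: fails when ... global.cloud.clientId.secretName is not set` test in the `@@ -2329` hunk renders `-s templates/client-daemonset.yaml`, so it exercises the client DaemonSet rather than the connect-inject Deployment; the clientSecret case in the `@@ -2349` hunk has the same selector. The resourceId case at `@@ -2369` already uses the expected file, so both should read `-s templates/connect-inject-deployment.yaml \`. As written, these two tests would presumably keep passing if the required-cloud-secrets validation were dropped from the connect-inject template, which is the guard they are named for. The test bodies continue outside the hunks, so the remaining `--set` flags could not be checked here.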
@@ -2349,7 +2349,7 @@ reservedNameTest() { [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "connectInject/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/client-daemonset.yaml \ @@ -2369,7 +2369,7 @@ reservedNameTest() { [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "connectInject/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "connectInject/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/connect-inject-deployment.yaml \ @@ -2424,7 +2424,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -2446,7 +2446,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
@@ -2468,7 +2468,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2490,7 +2490,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2512,7 +2512,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -2534,7 +2534,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index ee47bb0784..fdb5e1a47a 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats @@ -846,7 +846,7 @@ load _helpers #-------------------------------------------------------------------- # global.cloud -@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "controller/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ 
@@ -864,7 +864,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "controller/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ @@ -882,7 +882,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "controller/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "controller/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/controller-deployment.yaml \ @@ -937,7 +937,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -959,7 +959,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
@@ -980,7 +980,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1001,7 +1001,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1023,7 +1023,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1045,7 +1045,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats index b84feecebe..5fdbeddccf 100644 --- a/charts/consul/test/unit/ingress-gateways-deployment.bats +++ b/charts/consul/test/unit/ingress-gateways-deployment.bats @@ -1146,7 +1146,7 @@ key2: value2' \ #-------------------------------------------------------------------- # global.cloud -@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "ingressGateways/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/ingress-gateways-deployment.yaml \ 
@@ -1167,7 +1167,7 @@ key2: value2' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "ingressGateways/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/ingress-gateways-deployment.yaml \ @@ -1188,7 +1188,7 @@ key2: value2' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "ingressGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "ingressGateways/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/ingress-gateways-deployment.yaml \ @@ -1252,7 +1252,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1277,7 +1277,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
@@ -1302,7 +1302,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1327,7 +1327,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1352,7 +1352,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1377,7 +1377,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats index 6d28a92dfe..7d1f4ba037 100755 --- a/charts/consul/test/unit/mesh-gateway-deployment.bats +++ b/charts/consul/test/unit/mesh-gateway-deployment.bats @@ -1337,7 +1337,7 @@ key2: value2' \ #-------------------------------------------------------------------- # global.cloud -@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "meshGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/mesh-gateway-deployment.yaml \ 
@@ -1356,7 +1356,7 @@ key2: value2' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "meshGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/mesh-gateway-deployment.yaml \ @@ -1375,7 +1375,7 @@ key2: value2' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "meshGateway/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "meshGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/mesh-gateway-deployment.yaml \ @@ -1433,7 +1433,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1456,7 +1456,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
@@ -1479,7 +1479,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1502,7 +1502,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1525,7 +1525,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1548,7 +1548,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/partition-init-job.bats b/charts/consul/test/unit/partition-init-job.bats index 6ca4f0cf6a..5078fcf62c 100644 --- a/charts/consul/test/unit/partition-init-job.bats +++ b/charts/consul/test/unit/partition-init-job.bats @@ -585,7 +585,7 @@ reservedNameTest() { #-------------------------------------------------------------------- # global.cloud -@test "partitionInit/Job: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "partitionInit/Job: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/partition-init-job.yaml \ 
@@ -611,7 +611,7 @@ reservedNameTest() { [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "partitionInit/Job: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "partitionInit/Job: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/mesh-gateway-deployment.yaml \ @@ -630,7 +630,7 @@ reservedNameTest() { [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "partitionInit/Job: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "partitionInit/Job: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/partition-init-job.yaml \ @@ -709,7 +709,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -739,7 +739,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
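Review bot: The `partitionInit/Job: fails when ... global.cloud.clientSecret.secretName is not set` test in the `@@ -611` hunk renders `-s templates/mesh-gateway-deployment.yaml`, while the clientId and resourceId cases next to it render `templates/partition-init-job.yaml`. The selector should be `-s templates/partition-init-job.yaml \`, otherwise the missing-clientSecret failure is never asserted against the partition-init Job. The rest of the test body is outside the hunk; if it was copied from the mesh-gateway tests, its `--set` flags likely need to match the sibling partition-init cases as well.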
@@ -769,7 +769,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -799,7 +799,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -829,7 +829,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -859,7 +859,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats index d3c1b31381..f9c2ceaf4c 100644 --- a/charts/consul/test/unit/server-acl-init-job.bats +++ b/charts/consul/test/unit/server-acl-init-job.bats @@ -1890,7 +1890,7 @@ load _helpers #-------------------------------------------------------------------- # global.cloud -@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/server-acl-init-job.yaml \ 
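Review bot: The test names in server-acl-init-job.bats keep the prefix `partitionInit/JobserverACLInit/Job:`, which looks like a paste artifact from partition-init-job.bats; it appears in the `@@ -1890` hunk and again at `@@ -1907` and `@@ -1924`. Since these title lines are being edited anyway, the prefix should presumably become `serverACLInit/Job:`, e.g. `@test "serverACLInit/Job: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but ..."`. A wrong prefix makes name-filtered runs and failure reports attribute these cases to the wrong template.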
@@ -1907,7 +1907,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/server-acl-init-job.yaml \ @@ -1924,7 +1924,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "partitionInit/JobserverACLInit/Job: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/server-acl-init-job.yaml \ @@ -1976,7 +1976,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1997,7 +1997,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
@@ -2018,7 +2018,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2039,7 +2039,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2060,7 +2060,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -2081,7 +2081,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats index 5c52decd24..508c9cec93 100755 --- a/charts/consul/test/unit/server-statefulset.bats +++ b/charts/consul/test/unit/server-statefulset.bats @@ -1980,7 +1980,7 @@ load _helpers } -@test "server/StatefulSet: creates HCP_RESOURCE_ID, HCP_CLIENT_ID, HCP_CLIENT_SECRET envvars in consul container when global.cloud.enabled is set" { +@test "server/StatefulSet: creates HCP_RESOURCE_ID, HCP_CLIENT_ID, HCP_CLIENT_SECRET envvars in consul container when global.cloud.enabled is true" { cd `chart_dir` local object=$(helm template \ -s templates/server-statefulset.yaml \ 
@@ -2033,7 +2033,7 @@ load _helpers [ "${actual}" = "resource-id-key" ] } -@test "server/StatefulSet: creates HCP_AUTH_URL, HCP_SCADA_ADDRESS, and HCP_API_HOSTNAME envvars in consul container when global.cloud.enabled is set and those cloud values are specified" { +@test "server/StatefulSet: creates HCP_AUTH_URL, HCP_SCADA_ADDRESS, and HCP_API_HOSTNAME envvars in consul container when global.cloud.enabled is true and those cloud values are specified" { cd `chart_dir` local object=$(helm template \ -s templates/server-statefulset.yaml \ @@ -2115,7 +2115,7 @@ load _helpers [ "${actual}" = '[{"name":"ACL_BOOTSTRAP_TOKEN","valueFrom":{"secretKeyRef":{"name":"name","key":"key"}}}]' ] } -@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "server/StatefulSet: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/server-statefulset.yaml \ @@ -2130,7 +2130,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "server/StatefulSet: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/server-statefulset.yaml \ 
@@ -2149,7 +2149,7 @@ load _helpers [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "server/StatefulSet: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "server/StatefulSet: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/server-statefulset.yaml \ @@ -2207,7 +2207,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -2230,7 +2230,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -2253,7 +2253,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2276,7 +2276,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -2299,7 +2299,7 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -2322,6 +2322,6 @@ load _helpers . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
diff --git a/charts/consul/test/unit/sync-catalog-deployment.bats b/charts/consul/test/unit/sync-catalog-deployment.bats index 93b25cc304..ecc68537ef 100755 --- a/charts/consul/test/unit/sync-catalog-deployment.bats +++ b/charts/consul/test/unit/sync-catalog-deployment.bats @@ -1503,7 +1503,7 @@ reservedNameTest() { #-------------------------------------------------------------------- # global.cloud -@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "syncCatalog/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/sync-catalog-deployment.yaml \ @@ -1519,7 +1519,7 @@ reservedNameTest() { [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "syncCatalog/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/sync-catalog-deployment.yaml \ 
@@ -1535,7 +1535,7 @@ reservedNameTest() { [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "syncCatalog/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "syncCatalog/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/sync-catalog-deployment.yaml \ @@ -1584,7 +1584,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1604,7 +1604,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1624,7 +1624,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1644,7 +1644,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1664,7 +1664,7 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
@@ -1684,6 +1684,6 @@ reservedNameTest() { . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats index 3e1e4aa38b..167b6e82fd 100644 --- a/charts/consul/test/unit/terminating-gateways-deployment.bats +++ b/charts/consul/test/unit/terminating-gateways-deployment.bats @@ -1194,7 +1194,7 @@ key2: value2' \ #-------------------------------------------------------------------- # global.cloud -@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { +@test "terminatingGateways/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/terminating-gateways-deployment.yaml \ @@ -1210,7 +1210,7 @@ key2: value2' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { +@test "terminatingGateways/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { cd `chart_dir` run helm template \ -s templates/terminating-gateways-deployment.yaml \ 
@@ -1226,7 +1226,7 @@ key2: value2' \ [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } -@test "terminatingGateways/Deployment: fails when global.cloud.enabled is set and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { +@test "terminatingGateways/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { cd `chart_dir` run helm template \ -s templates/terminating-gateways-deployment.yaml \ @@ -1275,7 +1275,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1295,7 +1295,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1315,7 +1315,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1338,7 +1338,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1358,7 +1358,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
@@ -1378,7 +1378,7 @@ key2: value2' \ . [ "$status" -eq 1 ] - echo "$output" + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } From 0f9e5a239ac0060fc9e020f5a8308c7720d45a19 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 11 Oct 2022 12:45:17 -0600 Subject: [PATCH 07/11] organize consts by name/key --- cli/preset/cloud_preset.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cli/preset/cloud_preset.go b/cli/preset/cloud_preset.go index 9a85ae4d34..f6f343b574 100644 --- a/cli/preset/cloud_preset.go +++ b/cli/preset/cloud_preset.go @@ -22,23 +22,23 @@ import ( const ( secretNameHCPClientID = "consul-hcp-client-id" + secretKeyHCPClientID = "client-id" secretNameHCPClientSecret = "consul-hcp-client-secret" + secretKeyHCPClientSecret = "client-secret" + secretNameHCPResourceID = "consul-hcp-resource-id" + secretKeyHCPResourceID = "resource-id" secretNameHCPAPIHostname = "consul-hcp-api-host" + secretKeyHCPAPIHostname = "api-hostname" secretNameHCPAuthURL = "consul-hcp-auth-url" + secretKeyHCPAuthURL = "auth-url" secretNameHCPScadaAddress = "consul-hcp-scada-address" - secretNameHCPResourceID = "consul-hcp-resource-id" + secretKeyHCPScadaAddress = "scada-address" secretNameGossipKey = "consul-gossip-key" + secretKeyGossipKey = "key" secretNameBootstrapToken = "consul-bootstrap-token" + secretKeyBootstrapToken = "token" secretNameServerCA = "consul-server-ca" secretNameServerCert = "consul-server-cert" - secretKeyHCPClientID = "client-id" - secretKeyHCPClientSecret = "client-secret" - secretKeyHCPResourceID = "resource-id" - secretKeyHCPAuthURL = "auth-url" - secretKeyHCPAPIHostname = "api-hostname" - secretKeyHCPScadaAddress = "scada-address" - secretKeyGossipKey = "key" - secretKeyBootstrapToken = "token" ) // CloudBootstrapConfig represents the response fetched from the agent 
From 69ed34e74dd09177fa37afc8a549c3777a61f419 Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 11 Oct 2022 12:58:42 -0600 Subject: [PATCH 08/11] add conditional checks around hcp config secret saving --- cli/preset/cloud_preset.go | 128 +++++++++++++++++++++---------------- 1 file changed, 74 insertions(+), 54 deletions(-) diff --git a/cli/preset/cloud_preset.go b/cli/preset/cloud_preset.go index f6f343b574..b00322b67c 100644 --- a/cli/preset/cloud_preset.go +++ b/cli/preset/cloud_preset.go 
@@ -252,80 +252,96 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi } // HCP resource id - data := map[string][]byte{ - secretKeyHCPResourceID: []byte(config.HCPConfig.ResourceID), - } - if err := i.saveSecret(secretNameHCPResourceID, data, corev1.SecretTypeOpaque); err != nil { - return err + if config.HCPConfig.ResourceID != "" { + data := map[string][]byte{ + secretKeyHCPResourceID: []byte(config.HCPConfig.ResourceID), + } + if err := i.saveSecret(secretNameHCPResourceID, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP resource id saved in '%s' secret in namespace '%s'.", + secretKeyHCPResourceID, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("HCP resource id saved in '%s' secret in namespace '%s'.", - secretKeyHCPResourceID, i.KubernetesNamespace), terminal.WithSuccessStyle()) // HCP client id - data = map[string][]byte{ - secretKeyHCPClientID: []byte(config.HCPConfig.ClientID), - } - if err := i.saveSecret(secretNameHCPClientID, data, corev1.SecretTypeOpaque); err != nil { - return err + if config.HCPConfig.ClientID != "" { + data := map[string][]byte{ + secretKeyHCPClientID: []byte(config.HCPConfig.ClientID), + } + if err := i.saveSecret(secretNameHCPClientID, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP client id saved in '%s' secret in namespace '%s'.", + secretKeyHCPClientID, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("HCP client id saved in '%s' secret in namespace '%s'.", - secretKeyHCPClientID, i.KubernetesNamespace), terminal.WithSuccessStyle()) // HCP client secret - data = map[string][]byte{ - secretKeyHCPClientSecret: []byte(config.HCPConfig.ClientSecret), - } - if err := i.saveSecret(secretNameHCPClientSecret, data, corev1.SecretTypeOpaque); err != nil { - return err + if config.HCPConfig.ClientSecret != "" { + data := map[string][]byte{ + 
secretKeyHCPClientSecret: []byte(config.HCPConfig.ClientSecret), + } + if err := i.saveSecret(secretNameHCPClientSecret, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("HCP client secret saved in '%s' secret in namespace '%s'.", + secretKeyHCPClientSecret, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("HCP client secret saved in '%s' secret in namespace '%s'.", - secretKeyHCPClientSecret, i.KubernetesNamespace), terminal.WithSuccessStyle()) // bootstrap token - data = map[string][]byte{ - secretKeyBootstrapToken: []byte(config.ConsulConfig.ACL.Tokens.InitialManagement), - } - if err := i.saveSecret(secretNameBootstrapToken, data, corev1.SecretTypeOpaque); err != nil { - return err + if config.ConsulConfig.ACL.Tokens.InitialManagement != "" { + data := map[string][]byte{ + secretKeyBootstrapToken: []byte(config.ConsulConfig.ACL.Tokens.InitialManagement), + } + if err := i.saveSecret(secretNameBootstrapToken, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("ACL bootstrap token saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyBootstrapToken, secretNameBootstrapToken, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("ACL bootstrap token saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyBootstrapToken, secretNameBootstrapToken, i.KubernetesNamespace), terminal.WithSuccessStyle()) // gossip key - data = map[string][]byte{ - secretKeyGossipKey: []byte(config.BootstrapResponse.Bootstrap.GossipKey), - } - if err := i.saveSecret(secretNameGossipKey, data, corev1.SecretTypeOpaque); err != nil { - return err + if config.BootstrapResponse.Bootstrap.GossipKey != "" { + data := map[string][]byte{ + secretKeyGossipKey: []byte(config.BootstrapResponse.Bootstrap.GossipKey), + } + if err := i.saveSecret(secretNameGossipKey, data, corev1.SecretTypeOpaque); err != nil { + return err + } + 
i.UI.Output(fmt.Sprintf("Gossip encryption key saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyGossipKey, secretNameGossipKey, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("Gossip encryption key saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyGossipKey, secretNameGossipKey, i.KubernetesNamespace), terminal.WithSuccessStyle()) // server cert secret - data = map[string][]byte{ - corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.Cert), - corev1.TLSPrivateKeyKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey), - } - if err := i.saveSecret(secretNameServerCert, data, corev1.SecretTypeTLS); err != nil { - return err + if config.BootstrapResponse.Bootstrap.ServerTLS.Cert != "" { + data := map[string][]byte{ + corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.Cert), + corev1.TLSPrivateKeyKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey), + } + if err := i.saveSecret(secretNameServerCert, data, corev1.SecretTypeTLS); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("Server TLS cert and key saved as '%s' and '%s' key in '%s secret in namespace '%s'.", + corev1.TLSCertKey, corev1.TLSPrivateKeyKey, secretNameServerCert, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("Server TLS cert and key saved as '%s' and '%s' key in '%s secret in namespace '%s'.", - corev1.TLSCertKey, corev1.TLSPrivateKeyKey, secretNameServerCert, i.KubernetesNamespace), terminal.WithSuccessStyle()) // server CA - data = map[string][]byte{ - corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0]), - } - if err := i.saveSecret(secretNameServerCA, data, corev1.SecretTypeOpaque); err != nil { - return err + if len(config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities) > 0 && + config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0] != "" { + data := 
map[string][]byte{ + corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0]), + } + if err := i.saveSecret(secretNameServerCA, data, corev1.SecretTypeOpaque); err != nil { + return err + } + i.UI.Output(fmt.Sprintf("Server TLS CA saved as '%s' key in '%s' secret in namespace '%s'.", + corev1.TLSCertKey, secretNameServerCA, i.KubernetesNamespace), terminal.WithSuccessStyle()) } - i.UI.Output(fmt.Sprintf("Server TLS CA saved as '%s' key in '%s' secret in namespace '%s'.", - corev1.TLSCertKey, secretNameServerCA, i.KubernetesNamespace), terminal.WithSuccessStyle()) - // Optional secrets // HCP auth url if config.HCPConfig.AuthURL != "" { - data[secretKeyHCPAuthURL] = []byte(config.HCPConfig.AuthURL) + data := map[string][]byte{ + secretKeyHCPAuthURL: []byte(config.HCPConfig.AuthURL), + } if err := i.saveSecret(secretNameHCPAuthURL, data, corev1.SecretTypeOpaque); err != nil { return err } @@ -335,7 +351,9 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi // HCP api hostname if config.HCPConfig.APIHostname != "" { - data[secretKeyHCPAPIHostname] = []byte(config.HCPConfig.APIHostname) + data := map[string][]byte{ + secretKeyHCPAPIHostname: []byte(config.HCPConfig.APIHostname), + } if err := i.saveSecret(secretNameHCPAPIHostname, data, corev1.SecretTypeOpaque); err != nil { return err } @@ -345,7 +363,9 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi // HCP scada address if config.HCPConfig.ScadaAddress != "" { - data[secretKeyHCPScadaAddress] = []byte(config.HCPConfig.ScadaAddress) + data := map[string][]byte{ + secretKeyHCPScadaAddress: []byte(config.HCPConfig.ScadaAddress) + } if err := i.saveSecret(secretNameHCPScadaAddress, data, corev1.SecretTypeOpaque); err != nil { return err } From 15d784197713d63017a2f57f962e72e8d02bdf65 Mon Sep 17 00:00:00 2001 
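Review bot: The server-cert guard in the `@@ -252` hunk tests only `ServerTLS.Cert`, yet the block also writes `ServerTLS.PrivateKey`, so a response with a certificate and an empty key would still create a `kubernetes.io/tls` secret with an empty `tls.key`. The condition could be `if config.BootstrapResponse.Bootstrap.ServerTLS.Cert != "" && config.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey != "" {`. The required values (resource id, client id, client secret, bootstrap token, gossip key) are now skipped silently when empty, so the run can report success while a secret the chart needs is missing or, possibly, left over from an earlier run. A warning or an error in an `else` branch would make that visible. Separately, the three HCP messages pass `secretKeyHCP…` to a format that reads "saved in '%s' secret", so they print the key (`resource-id`) rather than the secret name (`consul-hcp-resource-id`); the function body starts and ends outside this hunk.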
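Review bot: The map literal added in the `@@ -345` hunk has no trailing comma after `[]byte(config.HCPConfig.ScadaAddress)`. Go requires one when the closing brace is on its own line, so this commit does not compile by itself. A later patch in this series (09/11) adds the comma. Folding that fix into this commit, `secretKeyHCPScadaAddress: []byte(config.HCPConfig.ScadaAddress),`, keeps every commit buildable for bisecting. The enclosing function continues outside the hunk.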
From: John Murret Date: Tue, 11 Oct 2022 13:00:54 -0600 Subject: [PATCH 09/11] make the self reference in CloudPreset c instead of i --- cli/preset/cloud_preset.go | 120 ++++++++++++++++++------------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/cli/preset/cloud_preset.go b/cli/preset/cloud_preset.go index b00322b67c..2cae41aef3 100644 --- a/cli/preset/cloud_preset.go +++ b/cli/preset/cloud_preset.go @@ -95,27 +95,27 @@ type CloudPreset struct { // GetValueMap must fetch configuration from HCP, save various secrets from // the response, and map the secret names into the returned value map. -func (i *CloudPreset) GetValueMap() (map[string]interface{}, error) { - bootstrapConfig, err := i.fetchAgentBootstrapConfig() +func (c *CloudPreset) GetValueMap() (map[string]interface{}, error) { + bootstrapConfig, err := c.fetchAgentBootstrapConfig() if err != nil { return nil, err } - if !i.SkipSavingSecrets { - err = i.saveSecretsFromBootstrapConfig(bootstrapConfig) + if !c.SkipSavingSecrets { + err = c.saveSecretsFromBootstrapConfig(bootstrapConfig) if err != nil { return nil, err } } - return i.getHelmConfigWithMapSecretNames(bootstrapConfig), nil + return c.getHelmConfigWithMapSecretNames(bootstrapConfig), nil } // fetchAgentBootstrapConfig use the resource-id, client-id, and client-secret // to call to the agent bootstrap config endpoint and parse the response into a // CloudBootstrapConfig struct. -func (i *CloudPreset) fetchAgentBootstrapConfig() (*CloudBootstrapConfig, error) { - i.UI.Output("Fetching Consul cluster configuration from HCP", terminal.WithHeaderStyle()) +func (c *CloudPreset) fetchAgentBootstrapConfig() (*CloudBootstrapConfig, error) { + c.UI.Output("Fetching Consul cluster configuration from HCP", terminal.WithHeaderStyle()) httpClientCfg := httpclient.Config{} clientRuntime, err := httpclient.New(httpClientCfg) if err != nil { 
@@ -123,16 +123,16 @@ func (i *CloudPreset) fetchAgentBootstrapConfig() (*CloudBootstrapConfig, error) } hcpgnmClient := hcpgnm.New(clientRuntime, nil) - clusterResource, err := resource.FromString(i.HCPConfig.ResourceID) + clusterResource, err := resource.FromString(c.HCPConfig.ResourceID) if err != nil { return nil, err } - params := hcpgnm.NewAgentBootstrapConfigParamsWithContext(i.Context). + params := hcpgnm.NewAgentBootstrapConfigParamsWithContext(c.Context). WithID(clusterResource.ID). WithLocationOrganizationID(clusterResource.Organization). WithLocationProjectID(clusterResource.Project). - WithHTTPClient(i.HTTPClient) + WithHTTPClient(c.HTTPClient) resp, err := hcpgnmClient.AgentBootstrapConfig(params, nil) if err != nil { @@ -140,14 +140,14 @@ func (i *CloudPreset) fetchAgentBootstrapConfig() (*CloudBootstrapConfig, error) } bootstrapConfig := resp.GetPayload() - i.UI.Output("HCP configuration successfully fetched.", terminal.WithSuccessStyle()) + c.UI.Output("HCP configuration successfully fetched.", terminal.WithSuccessStyle()) - return i.parseBootstrapConfigResponse(bootstrapConfig) + return c.parseBootstrapConfigResponse(bootstrapConfig) } // parseBootstrapConfigResponse unmarshals the boostrap parseBootstrapConfigResponse // and also sets the HCPConfig values to return CloudBootstrapConfig struct. -func (i *CloudPreset) parseBootstrapConfigResponse(bootstrapRepsonse *models.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse) (*CloudBootstrapConfig, error) { +func (c *CloudPreset) parseBootstrapConfigResponse(bootstrapRepsonse *models.HashicorpCloudGlobalNetworkManager20220215AgentBootstrapResponse) (*CloudBootstrapConfig, error) { var cbc CloudBootstrapConfig var consulConfig ConsulConfig err := json.Unmarshal([]byte(bootstrapRepsonse.Bootstrap.ConsulConfig), &consulConfig) 
@@ -155,7 +155,7 @@ func (i *CloudPreset) parseBootstrapConfigResponse(bootstrapRepsonse *models.Has return nil, err } cbc.ConsulConfig = consulConfig - cbc.HCPConfig = *i.HCPConfig + cbc.HCPConfig = *c.HCPConfig cbc.BootstrapResponse = bootstrapRepsonse return &cbc, nil @@ -175,7 +175,7 @@ func getOptionalSecretFromHCPConfig(hcpConfigValue, valuesConfigKey, secretName, // getHelmConfigWithMapSecretNames maps the secret names were agent bootstrap // config values have been saved, maps them into the Helm values template for // the cloud preset, and returns the value map. -func (i *CloudPreset) getHelmConfigWithMapSecretNames(cfg *CloudBootstrapConfig) map[string]interface{} { +func (c *CloudPreset) getHelmConfigWithMapSecretNames(cfg *CloudBootstrapConfig) map[string]interface{} { apiHostCfg := getOptionalSecretFromHCPConfig(cfg.HCPConfig.APIHostname, "apiHost", secretNameHCPAPIHostname, secretKeyHCPAPIHostname) authURLCfg := getOptionalSecretFromHCPConfig(cfg.HCPConfig.AuthURL, "authUrl", secretNameHCPAuthURL, secretKeyHCPAuthURL) scadaAddressCfg := getOptionalSecretFromHCPConfig(cfg.HCPConfig.ScadaAddress, "scadaAddress", secretNameHCPScadaAddress, secretKeyHCPScadaAddress) @@ -245,9 +245,9 @@ controller: // - gossip encryption key. // - server tls cert and key. // - server CA cert. -func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfig) error { +func (c *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfig) error { // create namespace - if err := i.createNamespaceIfNotExists(); err != nil { + if err := c.createNamespaceIfNotExists(); err != nil { return err } 
@@ -256,11 +256,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyHCPResourceID: []byte(config.HCPConfig.ResourceID), } - if err := i.saveSecret(secretNameHCPResourceID, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameHCPResourceID, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP resource id saved in '%s' secret in namespace '%s'.", - secretKeyHCPResourceID, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("HCP resource id saved in '%s' secret in namespace '%s'.", + secretKeyHCPResourceID, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // HCP client id @@ -268,11 +268,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyHCPClientID: []byte(config.HCPConfig.ClientID), } - if err := i.saveSecret(secretNameHCPClientID, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameHCPClientID, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP client id saved in '%s' secret in namespace '%s'.", - secretKeyHCPClientID, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("HCP client id saved in '%s' secret in namespace '%s'.", + secretKeyHCPClientID, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // HCP client secret 
@@ -280,11 +280,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyHCPClientSecret: []byte(config.HCPConfig.ClientSecret), } - if err := i.saveSecret(secretNameHCPClientSecret, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameHCPClientSecret, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP client secret saved in '%s' secret in namespace '%s'.", - secretKeyHCPClientSecret, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("HCP client secret saved in '%s' secret in namespace '%s'.", + secretKeyHCPClientSecret, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // bootstrap token @@ -292,11 +292,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyBootstrapToken: []byte(config.ConsulConfig.ACL.Tokens.InitialManagement), } - if err := i.saveSecret(secretNameBootstrapToken, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameBootstrapToken, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("ACL bootstrap token saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyBootstrapToken, secretNameBootstrapToken, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("ACL bootstrap token saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyBootstrapToken, secretNameBootstrapToken, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // gossip key 
@@ -304,11 +304,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyGossipKey: []byte(config.BootstrapResponse.Bootstrap.GossipKey), } - if err := i.saveSecret(secretNameGossipKey, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameGossipKey, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("Gossip encryption key saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyGossipKey, secretNameGossipKey, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("Gossip encryption key saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyGossipKey, secretNameGossipKey, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // server cert secret @@ -317,11 +317,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.Cert), corev1.TLSPrivateKeyKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.PrivateKey), } - if err := i.saveSecret(secretNameServerCert, data, corev1.SecretTypeTLS); err != nil { + if err := c.saveSecret(secretNameServerCert, data, corev1.SecretTypeTLS); err != nil { return err } - i.UI.Output(fmt.Sprintf("Server TLS cert and key saved as '%s' and '%s' key in '%s secret in namespace '%s'.", - corev1.TLSCertKey, corev1.TLSPrivateKeyKey, secretNameServerCert, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("Server TLS cert and key saved as '%s' and '%s' key in '%s secret in namespace '%s'.", + corev1.TLSCertKey, corev1.TLSPrivateKeyKey, secretNameServerCert, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // server CA 
@@ -330,11 +330,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ corev1.TLSCertKey: []byte(config.BootstrapResponse.Bootstrap.ServerTLS.CertificateAuthorities[0]), } - if err := i.saveSecret(secretNameServerCA, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameServerCA, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("Server TLS CA saved as '%s' key in '%s' secret in namespace '%s'.", - corev1.TLSCertKey, secretNameServerCA, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("Server TLS CA saved as '%s' key in '%s' secret in namespace '%s'.", + corev1.TLSCertKey, secretNameServerCA, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // Optional secrets // HCP auth url @@ -342,11 +342,11 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyHCPAuthURL: []byte(config.HCPConfig.AuthURL), } - if err := i.saveSecret(secretNameHCPAuthURL, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameHCPAuthURL, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP auth url saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyHCPAuthURL, secretNameHCPAuthURL, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("HCP auth url saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyHCPAuthURL, secretNameHCPAuthURL, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // HCP api hostname 
@@ -354,23 +354,23 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi data := map[string][]byte{ secretKeyHCPAPIHostname: []byte(config.HCPConfig.APIHostname), } - if err := i.saveSecret(secretNameHCPAPIHostname, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameHCPAPIHostname, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP api hostname saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyHCPAPIHostname, secretNameHCPAPIHostname, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("HCP api hostname saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyHCPAPIHostname, secretNameHCPAPIHostname, c.KubernetesNamespace), terminal.WithSuccessStyle()) } // HCP scada address if config.HCPConfig.ScadaAddress != "" { data := map[string][]byte{ - secretKeyHCPScadaAddress: []byte(config.HCPConfig.ScadaAddress) + secretKeyHCPScadaAddress: []byte(config.HCPConfig.ScadaAddress), } - if err := i.saveSecret(secretNameHCPScadaAddress, data, corev1.SecretTypeOpaque); err != nil { + if err := c.saveSecret(secretNameHCPScadaAddress, data, corev1.SecretTypeOpaque); err != nil { return err } - i.UI.Output(fmt.Sprintf("HCP scada address saved as '%s' key in '%s' secret in namespace '%s'.", - secretKeyHCPScadaAddress, secretNameHCPScadaAddress, i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("HCP scada address saved as '%s' key in '%s' secret in namespace '%s'.", + secretKeyHCPScadaAddress, secretNameHCPScadaAddress, c.KubernetesNamespace), terminal.WithSuccessStyle()) } return nil 
@@ -379,25 +379,25 @@ func (i *CloudPreset) saveSecretsFromBootstrapConfig(config *CloudBootstrapConfi // createNamespaceIfNotExists checks to see if a given namespace exists and if // it does not will create it. This function is needed to ensure a namespace // exists before HCP config secrets are saved. -func (i *CloudPreset) createNamespaceIfNotExists() error { - i.UI.Output(fmt.Sprintf("Checking if %s namespace needs to be created", i.KubernetesNamespace), terminal.WithHeaderStyle()) +func (c *CloudPreset) createNamespaceIfNotExists() error { + c.UI.Output(fmt.Sprintf("Checking if %s namespace needs to be created", c.KubernetesNamespace), terminal.WithHeaderStyle()) // Create k8s namespace if it doesn't exist. - _, err := i.KubernetesClient.CoreV1().Namespaces().Get(context.Background(), i.KubernetesNamespace, metav1.GetOptions{}) + _, err := c.KubernetesClient.CoreV1().Namespaces().Get(context.Background(), c.KubernetesNamespace, metav1.GetOptions{}) if k8serrors.IsNotFound(err) { - _, err = i.KubernetesClient.CoreV1().Namespaces().Create(context.Background(), &corev1.Namespace{ + _, err = c.KubernetesClient.CoreV1().Namespaces().Create(context.Background(), &corev1.Namespace{ ObjectMeta: metav1.ObjectMeta{ - Name: i.KubernetesNamespace, + Name: c.KubernetesNamespace, }, }, metav1.CreateOptions{}) if err != nil { return err } - i.UI.Output(fmt.Sprintf("Namespace '%s' has been created.", i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("Namespace '%s' has been created.", c.KubernetesNamespace), terminal.WithSuccessStyle()) } else if err != nil { return err } else { - i.UI.Output(fmt.Sprintf("Namespace '%s' already exists.", i.KubernetesNamespace), terminal.WithSuccessStyle()) + c.UI.Output(fmt.Sprintf("Namespace '%s' already exists.", c.KubernetesNamespace), terminal.WithSuccessStyle()) } return nil } 
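Review bot: The Get-then-Create sequence in createNamespaceIfNotExists is not atomic, so if the namespace is created by someone else between the two calls, Create fails with AlreadyExists and the function returns an error even though the namespace it needs is present. Treating that case as success is enough, for example `if err != nil && !k8serrors.IsAlreadyExists(err) { return err }` after the Create call, with the "has been created" message printed only when err is nil. saveSecret in the next hunk uses the same Get-then-Create pattern; there a conflict should keep mapping to the existing "already exists" error rather than being ignored. Both functions also pass `context.Background()` with no deadline, so an unresponsive API server would block the CLI indefinitely, which may be worth a bounded context.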
@@ -405,26 +405,26 @@ func (i *CloudPreset) createNamespaceIfNotExists() error { // saveSecret saves given key value pairs into a given secret in a given // namespace. It is the generic function that helps saves all of the specific // cloud preset secrets. -func (i *CloudPreset) saveSecret(secretName string, kvps map[string][]byte, secretType corev1.SecretType) error { - _, err := i.KubernetesClient.CoreV1().Secrets(i.KubernetesNamespace).Get(context.Background(), secretName, metav1.GetOptions{}) +func (c *CloudPreset) saveSecret(secretName string, kvps map[string][]byte, secretType corev1.SecretType) error { + _, err := c.KubernetesClient.CoreV1().Secrets(c.KubernetesNamespace).Get(context.Background(), secretName, metav1.GetOptions{}) secret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, - Namespace: i.KubernetesNamespace, + Namespace: c.KubernetesNamespace, Labels: map[string]string{common.CLILabelKey: common.CLILabelValue}, }, Data: kvps, Type: secretType, } if k8serrors.IsNotFound(err) { - _, err = i.KubernetesClient.CoreV1().Secrets(i.KubernetesNamespace).Create(context.Background(), secret, metav1.CreateOptions{}) + _, err = c.KubernetesClient.CoreV1().Secrets(c.KubernetesNamespace).Create(context.Background(), secret, metav1.CreateOptions{}) if err != nil { return err } } else if err != nil { return err } else { - return fmt.Errorf("'%s' secret in '%s' namespace already exists", secretName, i.KubernetesNamespace) + return fmt.Errorf("'%s' secret in '%s' namespace already exists", secretName, c.KubernetesNamespace) } return nil } From faa2f6e9f858bde8bdd53dd718f9af6ab137f829 Mon Sep 17 00:00:00 2001 
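Review bot: The doc comment on saveSecret does not mention that an existing secret is treated as an error and is never overwritten, which is the behaviour a caller most needs to know for credentials such as the TLS private key. I would add a line such as `// It returns an error and leaves the cluster unchanged if a secret named secretName already exists.` The earlier hunks show saveSecretsFromBootstrapConfig returning on the first saveSecret error, so secrets created before a failure stay in the namespace and a re-run would then stop at the first of them. That caller-side consequence deserves a sentence in the comment or in the returned error text, so the operator knows the leftover secrets must be removed before retrying.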
From: John Murret Date: Tue, 11 Oct 2022 13:02:07 -0600 Subject: [PATCH 10/11] remove extra line --- .../unit/api-gateway-controller-deployment.bats | 11 ----------- charts/consul/test/unit/client-daemonset.bats | 13 ------------- .../test/unit/client-snapshot-agent-deployment.bats | 10 ---------- charts/consul/test/unit/cni-daemonset.bats | 1 - .../consul/test/unit/connect-inject-deployment.bats | 10 ---------- charts/consul/test/unit/controller-deployment.bats | 10 ---------- .../test/unit/ingress-gateways-deployment.bats | 10 ---------- .../consul/test/unit/mesh-gateway-deployment.bats | 12 ------------ charts/consul/test/unit/partition-init-job.bats | 10 ---------- charts/consul/test/unit/server-acl-init-job.bats | 10 ---------- charts/consul/test/unit/server-statefulset.bats | 11 ----------- .../consul/test/unit/sync-catalog-deployment.bats | 10 ---------- .../test/unit/terminating-gateways-deployment.bats | 10 ---------- 13 files changed, 128 deletions(-) diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats index aef6506975..4ec5d8c62c 100755 --- a/charts/consul/test/unit/api-gateway-controller-deployment.bats +++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats @@ -15,7 +15,6 @@ load _helpers -s templates/api-gateway-controller-deployment.yaml \ --set 'apiGateway.enabled=true' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "apiGateway.image must be set to enable api gateway" ]] } @@ -924,7 +923,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -945,7 +943,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -966,7 +963,6 @@ load _helpers --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -988,7 +984,6 @@ load _helpers --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -1012,7 +1007,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1037,7 +1031,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1062,7 +1055,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -1087,7 +1079,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1112,7 +1103,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -1137,7 +1127,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index 3b4684dafe..559f3c46b2 100755 --- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats @@ -2043,7 +2043,6 @@ rollingUpdate: --set 'global.adminPartitions.enabled=true' \ --set 'global.adminPartitions.name=test' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "global.adminPartitions.name has to be \"default\" in the server cluster" ]] } @@ -2056,7 +2055,6 @@ rollingUpdate: --set 'global.adminPartitions.enabled=true' \ --set 'global.federation.enabled=true' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" ]] } @@ -2621,7 +2619,6 @@ rollingUpdate: --set 'client.enabled=true' \ --set 'global.imageK8s=something' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" ]] } 
@@ -2643,7 +2640,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2663,7 +2659,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2684,7 +2679,6 @@ rollingUpdate: --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2706,7 +2700,6 @@ rollingUpdate: --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -2730,7 +2723,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] 
@@ -2755,7 +2747,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -2779,7 +2770,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -2803,7 +2793,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -2827,7 +2816,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -2851,7 +2839,6 @@ rollingUpdate: --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/client-snapshot-agent-deployment.bats b/charts/consul/test/unit/client-snapshot-agent-deployment.bats index 5fca692bc0..6c69d9d64d 100644 --- a/charts/consul/test/unit/client-snapshot-agent-deployment.bats +++ b/charts/consul/test/unit/client-snapshot-agent-deployment.bats 
@@ -1172,7 +1172,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1192,7 +1191,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1212,7 +1210,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1233,7 +1230,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } 
@@ -1257,7 +1253,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1281,7 +1276,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1305,7 +1299,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1329,7 +1322,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1353,7 +1345,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] 
@@ -1377,7 +1368,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/cni-daemonset.bats b/charts/consul/test/unit/cni-daemonset.bats index 0c423abfec..17c80d2da0 100644 --- a/charts/consul/test/unit/cni-daemonset.bats +++ b/charts/consul/test/unit/cni-daemonset.bats @@ -37,7 +37,6 @@ load _helpers --set 'connectInject.enabled=false' \ -s templates/cni-daemonset.yaml \ . - [ "$status" -eq 1 ] [[ "$output" =~ "connectInject.enabled must be true if connectInject.cni.enabled is true" ]] } diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index 8f0d3cd971..bc3156fca5 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -2344,7 +2344,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2364,7 +2363,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -2382,7 +2380,6 @@ reservedNameTest() { --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2401,7 +2398,6 @@ reservedNameTest() { --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -2422,7 +2418,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -2444,7 +2439,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -2466,7 +2460,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -2488,7 +2481,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -2510,7 +2502,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -2532,7 +2523,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats index fdb5e1a47a..7f32013cb0 100644 --- a/charts/consul/test/unit/controller-deployment.bats +++ b/charts/consul/test/unit/controller-deployment.bats @@ -859,7 +859,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -877,7 +876,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -895,7 +893,6 @@ load _helpers --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -914,7 +911,6 @@ load _helpers --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -935,7 +931,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -957,7 +952,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -978,7 +972,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -999,7 +992,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -1021,7 +1013,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -1043,7 +1034,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats index 5fdbeddccf..16327084bc 100644 --- a/charts/consul/test/unit/ingress-gateways-deployment.bats +++ b/charts/consul/test/unit/ingress-gateways-deployment.bats @@ -1162,7 +1162,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1183,7 +1182,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -1204,7 +1202,6 @@ key2: value2' \ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1226,7 +1223,6 @@ key2: value2' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -1250,7 +1246,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1275,7 +1270,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1300,7 +1294,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1325,7 +1318,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -1350,7 +1342,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -1375,7 +1366,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats index 7d1f4ba037..30b612ef35 100755 --- a/charts/consul/test/unit/mesh-gateway-deployment.bats +++ b/charts/consul/test/unit/mesh-gateway-deployment.bats @@ -955,7 +955,6 @@ key2: value2' \ --set 'meshGateway.wanAddress.source=Static' \ --set 'meshGateway.wanAddress.static=' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" ]] } @@ -1037,7 +1036,6 @@ key2: value2' \ --set 'meshGateway.wanAddress.source=Service' \ --set 'meshGateway.service.type=NodePort' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" ]] } @@ -1351,7 +1349,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -1370,7 +1367,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1389,7 +1385,6 @@ key2: value2' \ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1409,7 +1404,6 @@ key2: value2' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -1431,7 +1425,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1454,7 +1447,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] 
@@ -1477,7 +1469,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1500,7 +1491,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1523,7 +1513,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -1546,7 +1535,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/partition-init-job.bats b/charts/consul/test/unit/partition-init-job.bats index 5078fcf62c..82ffc959fa 100644 --- a/charts/consul/test/unit/partition-init-job.bats +++ b/charts/consul/test/unit/partition-init-job.bats @@ -606,7 +606,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -625,7 +624,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -651,7 +649,6 @@ reservedNameTest() { --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -678,7 +675,6 @@ reservedNameTest() { --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -707,7 +703,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -737,7 +732,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] 
@@ -767,7 +761,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -797,7 +790,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -827,7 +819,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -857,7 +848,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats index f9c2ceaf4c..973c06a429 100644 --- a/charts/consul/test/unit/server-acl-init-job.bats +++ b/charts/consul/test/unit/server-acl-init-job.bats @@ -1902,7 +1902,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -1919,7 +1918,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1936,7 +1934,6 @@ load _helpers --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1954,7 +1951,6 @@ load _helpers --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -1974,7 +1970,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1995,7 +1990,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -2016,7 +2010,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -2037,7 +2030,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -2058,7 +2050,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -2079,7 +2070,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats index 508c9cec93..d21bd3b1dd 100755 --- a/charts/consul/test/unit/server-statefulset.bats +++ b/charts/consul/test/unit/server-statefulset.bats @@ -62,7 +62,6 @@ load _helpers --set 'global.adminPartitions.enabled=true' \ --set 'global.federation.enabled=true' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" ]] } @@ -2125,7 +2124,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -2144,7 +2142,6 @@ load _helpers --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2163,7 +2160,6 @@ load _helpers --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -2183,7 +2179,6 @@ load _helpers --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -2205,7 +2200,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -2228,7 +2222,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -2251,7 +2244,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -2274,7 +2266,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -2297,7 +2288,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -2320,7 +2310,6 @@ load _helpers --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/sync-catalog-deployment.bats b/charts/consul/test/unit/sync-catalog-deployment.bats index ecc68537ef..2b02e95943 100755 --- a/charts/consul/test/unit/sync-catalog-deployment.bats +++ b/charts/consul/test/unit/sync-catalog-deployment.bats @@ -1514,7 +1514,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1530,7 +1529,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -1546,7 +1544,6 @@ reservedNameTest() { --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1563,7 +1560,6 @@ reservedNameTest() { --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -1582,7 +1578,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1602,7 +1597,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1622,7 +1616,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1642,7 +1635,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -1662,7 +1654,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -1682,7 +1673,6 @@ reservedNameTest() { --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats index 167b6e82fd..3f312cf760 100644 --- a/charts/consul/test/unit/terminating-gateways-deployment.bats +++ b/charts/consul/test/unit/terminating-gateways-deployment.bats @@ -1205,7 +1205,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1221,7 +1220,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } 
@@ -1237,7 +1235,6 @@ key2: value2' \ --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] } @@ -1254,7 +1251,6 @@ key2: value2' \ --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]] } @@ -1273,7 +1269,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1293,7 +1288,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] @@ -1313,7 +1307,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] @@ -1336,7 +1329,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] 
@@ -1356,7 +1348,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] @@ -1376,7 +1367,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . - [ "$status" -eq 1 ] [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] From 7ff500a01e813810db1a29e59f7a27ab0131d40f Mon Sep 17 00:00:00 2001 From: John Murret Date: Tue, 11 Oct 2022 13:05:24 -0600 Subject: [PATCH 11/11] noting required vs optional values in helm values file. --- charts/consul/values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index cef93abd43..cee86cf25e 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -655,6 +655,7 @@ global: enabled: false # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. resourceId: # The name of the Kubernetes secret that holds the resource id. # @type: string @@ -664,6 +665,7 @@ global: secretKey: null # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. clientId: # The name of the Kubernetes secret that holds the client id. # @type: string @@ -673,6 +675,7 @@ global: secretKey: null # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. clientSecret: # The name of the Kubernetes secret that holds the client secret. # @type: string 
@@ -682,6 +685,7 @@ global: secretKey: null # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. apiHost: # The name of the Kubernetes secret that holds the api hostname. # @type: string @@ -691,6 +695,7 @@ global: secretKey: null # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. authUrl: # The name of the Kubernetes secret that holds the authorization url. # @type: string @@ -700,6 +705,7 @@ global: secretKey: null # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. scadaAddress: # The name of the Kubernetes secret that holds the scada address. # @type: string
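Review bot: In the apiHost hunk, the comment directly above the added line still reads "holds the HCP cloud client id", which is the clientId description copied over. The nested comment under `apiHost:` says the secret holds the api hostname. Since this commit edits that comment block, correct the first line to `# The name of the Kubernetes secret that holds the HCP cloud api hostname.`, so that an operator does not point the HCP_API_HOST secret reference at the client id. The `apiHost` mapping continues past the end of the hunk.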
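Review bot: The "optional" comment added for authUrl, like the ones in the neighbouring apiHost and scadaAddress hunks, does not say what the agent uses when the secret is unset or what an override implies. These values feed HCP_AUTH_URL, HCP_API_HOST and HCP_SCADA_ADDRESS, so they presumably select the endpoints the agent contacts with the HCP client id and client secret. A second comment line such as `# When unset, the agent's default HCP endpoint is used; only override with an endpoint you trust.` would make that explicit. The default-endpoint behaviour is not visible in this patch and should be confirmed before adopting the wording.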