Skip to content

Commit

Permalink
remove enterprise license cluster roles (hashicorp#511)
Browse files Browse the repository at this point in the history 
* remove unnecessary cluster role usage for enterprise license templates
  • Loading branch information
@kschoche
kschoche authored Jun 24, 2020
1 parent 327ce4f commit 078bed6
Show file tree
Hide file tree
Showing 4 changed files with 31 additions and 30 deletions.
3 changes: 2 additions & 1 deletion ...lates/enterprise-license-clusterrole.yaml → templates/enterprise-license-role.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: Role
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
Expand Down
6 changes: 3 additions & 3 deletions ...nterprise-license-clusterrolebinding.yaml → ...lates/enterprise-license-rolebinding.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,21 +1,21 @@
{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }}
{{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: RoleBinding
metadata:
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
kind: Role
name: {{ template "consul.fullname" . }}-enterprise-license
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-enterprise-license
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
32 changes: 16 additions & 16 deletions .../unit/enterprise-license-clusterrole.bats → test/unit/enterprise-license-role.bats
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@

load _helpers

@test "enterpriseLicense/ClusterRole: disabled by default" {
@test "enterpriseLicense/Role: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRole: disabled with server=false, ent secret defined" {
@test "enterpriseLicense/Role: disabled with server=false, ent secret defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
Expand All @@ -23,41 +23,41 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRole: disabled when ent secretName missing" {
@test "enterpriseLicense/Role: disabled when ent secretName missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRole: disabled when ent secretKey missing" {
@test "enterpriseLicense/Role: disabled when ent secretKey missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRole: enabled when ent license defined" {
@test "enterpriseLicense/Role: enabled when ent license defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "enterpriseLicense/ClusterRole: rules are empty if global.acls.manageSystemACLs and global.enablePodSecurityPolicies are false" {
@test "enterpriseLicense/Role: rules are empty if global.acls.manageSystemACLs and global.enablePodSecurityPolicies are false" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
Expand All @@ -68,10 +68,10 @@ load _helpers
#--------------------------------------------------------------------
# global.acls.manageSystemACLs

@test "enterpriseLicense/ClusterRole: allows acl token when global.acls.manageSystemACLs is true" {
@test "enterpriseLicense/Role: allows acl token when global.acls.manageSystemACLs is true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.acls.manageSystemACLs=true' \
Expand All @@ -84,10 +84,10 @@ load _helpers
#--------------------------------------------------------------------
# global.enablePodSecurityPolicies

@test "enterpriseLicense/ClusterRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
@test "enterpriseLicense/Role: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrole.yaml \
-x templates/enterprise-license-role.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
--set 'global.enablePodSecurityPolicies=true' \
Expand Down
20 changes: 10 additions & 10 deletions ...nterprise-license-clusterrolebinding.bats → .../unit/enterprise-license-rolebinding.bats
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@

load _helpers

@test "enterpriseLicense/ClusterRoleBinding: disabled by default" {
@test "enterpriseLicense/RoleBinding: disabled by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
-x templates/enterprise-license-rolebinding.yaml \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRoleBinding: disabled with server=false, ent secret defined" {
@test "enterpriseLicense/RoleBinding: disabled with server=false, ent secret defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
-x templates/enterprise-license-rolebinding.yaml \
--set 'server.enabled=false' \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
Expand All @@ -23,30 +23,30 @@ load _helpers
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretName missing" {
@test "enterpriseLicense/RoleBinding: disabled when ent secretName missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
-x templates/enterprise-license-rolebinding.yaml \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRoleBinding: disabled when ent secretKey missing" {
@test "enterpriseLicense/RoleBinding: disabled when ent secretKey missing" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
-x templates/enterprise-license-rolebinding.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
. | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "enterpriseLicense/ClusterRoleBinding: enabled when ent license defined" {
@test "enterpriseLicense/RoleBinding: enabled when ent license defined" {
cd `chart_dir`
local actual=$(helm template \
-x templates/enterprise-license-clusterrolebinding.yaml \
-x templates/enterprise-license-rolebinding.yaml \
--set 'server.enterpriseLicense.secretName=foo' \
--set 'server.enterpriseLicense.secretKey=bar' \
. | tee /dev/stderr |
Expand Down

0 comments on commit 078bed6

Please sign in to comment.