1 change: 1 addition & 0 deletions base/ci/advanced-result.yaml
Expand Up @@ -40,6 +40,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: main
1 change: 1 addition & 0 deletions base/ci/basic-result.yaml
Expand Up @@ -44,6 +44,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: main
1 change: 1 addition & 0 deletions base/ci/inferenceService-result.yaml
Expand Up @@ -44,6 +44,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: main
2 changes: 2 additions & 0 deletions base/ci/multiple-workloads-main-result.yaml
Expand Up @@ -75,6 +75,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: main
Expand All @@ -91,6 +92,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-titi-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: titi
2 changes: 2 additions & 0 deletions base/ci/multiple-workloads-result.yaml
Expand Up @@ -75,6 +75,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-titi-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: titi
Expand All @@ -91,6 +92,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-toto-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: toto
1 change: 1 addition & 0 deletions base/ci/test-result.yaml
Expand Up @@ -40,6 +40,7 @@ kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: release-name-sa-token
namespace: default
labels:
app: release-name
app.kubernetes.io/component: main
12 changes: 12 additions & 0 deletions base/schema/resources.json
Expand Up @@ -315,6 +315,18 @@
"$ref": "resources/persistentVolumes.json#/instance"
}
}
},
"secrets": {
"title": "Render some secrets, indexed by an identifier",
"type": "object",
"minProperties": 1,
"additionalProperties": false,
"patternProperties": {
"^[0-9a-z-]*$": {
"title": "Identifier of the secret",
"$ref": "resources/secrets.json#/instance"
}
}
}
}
}
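Review bot: The key pattern `^[0-9a-z-]*$` on the new `secrets` block admits an empty identifier as well as leading or trailing hyphens, yet the identifier becomes the name suffix (`RELEASE-NAME-secret` in names_test.yaml), so such a key produces a Secret name that is not a valid DNS-1123 label and only fails at apply time. Tightening it to `"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"` would catch that during values-schema validation. If the sibling classes (for example `persistentVolumes`, whose pattern is outside this hunk) use the same loose pattern, this is a pre-existing convention and can be aligned across classes in a follow-up.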
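--- /dev/null
+++ b/base/schema/resources/secrets.json
@@ -0,0 +1,40 @@
+{
+  "instance": {
+    "type": "object",
+    "additionalProperties": false,
+    "properties": {
+      "enabled": {
+        "$ref": "../lib/utils.json#/enabled"
+      },
+      "annotations": {
+        "$ref": "../lib/k8s.json#/Annotations"
+      },
+      "labels": {
+        "$ref": "../lib/k8s.json#/Labels"
+      },
+      "namespace": {
+        "type": "string"
+      },
+      "nameOverride": {
+        "$ref": "../lib/utils.json#/nameOverride"
+      },
+      "type": {
+        "type": "string"
+      },
+      "stringData": {
+        "title": "Secret data as string",
+        "type": "object",
+        "additionalProperties": {
+          "type": "string"
+        }
+      },
+      "data": {
+        "title": "Secret data as base64 encoded",
+        "type": "object",
+        "additionalProperties": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}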
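Review bot: The `data` and `stringData` properties carry only a short title, so a chart user has to know the Kubernetes Secret contract to choose between them, and nothing tells them that the values they put here end up in a values file and a rendered manifest in the clear, unlike the `sealedSecrets` class this chart already offers. A `description` on each would close that gap, e.g. on `stringData`: `"description": "Plaintext values, stored as-is in the values file and rendered manifest; use the sealedSecrets class for content that must not live unencrypted in version control."`, and on `data`: `"description": "Values are expected to be base64 encoded already; the template does not encode them."` — the second statement should be confirmed against the data rendering in _class.tpl, which is outside this diff.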
1 change: 1 addition & 0 deletions base/templates/loader/_generate.tpl
Expand Up @@ -36,6 +36,7 @@ Secondary entrypoint and primary loader for the common chart
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "routes") | nindent 0 -}}
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "configMaps") | nindent 0 -}}
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "sealedSecrets") | nindent 0 -}}
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "secrets") | nindent 0 -}}
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "networkPolicies") | nindent 0 -}}
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "podDisruptionBudgets") | nindent 0 -}}
{{- include "base.lib.resource.renderResources" (dict "rootContext" $ "class" "horizontalPodAutoscalers") | nindent 0 -}}
18 changes: 16 additions & 2 deletions base/templates/resources/pods/metadata/_annotations.tpl
Expand Up @@ -30,9 +30,23 @@ Returns the value for annotations
-}}
{{- end -}}

{{- /* Add Secrets checksum */ -}}
{{- $secretsFound := dict -}}
{{- /* Add SealedSecrets checksum */ -}}
{{- $sealedSecretsFound := dict -}}
{{- range $name, $secret := $rootContext.Values.resources.sealedSecrets -}}
{{- if include "base.lib.utils.isEnabled" $secret -}}
{{- $_ := set $sealedSecretsFound $name (toYaml $secret.encryptedData | sha256sum) -}}
{{- end -}}
{{- end -}}
{{- if $sealedSecretsFound -}}
{{- $annotations = merge
(dict "checksum/sealedSecrets" (toYaml $sealedSecretsFound | sha256sum))
$annotations
-}}
{{- end -}}

{{- /* Add secrets checksum */ -}}
{{- $secretsFound := dict -}}
{{- range $name, $secret := $rootContext.Values.resources.secrets -}}
{{- if include "base.lib.utils.isEnabled" $secret -}}
{{- $_ := set $secretsFound $name (toYaml $secret.encryptedData | sha256sum) -}}
{{- end -}}
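Review bot: The new secrets loop hashes `$secret.encryptedData`, a field that exists on sealedSecrets (see the line above setting `$sealedSecretsFound`) but is not part of the secrets schema added in this PR, which only defines `data` and `stringData`; so every plain Secret contributes the hash of a nil value, the `checksum/secrets` annotation never changes when secret contents change, and pods keep running with stale credentials after a secret update — the very rollout the annotation exists to trigger. The line should hash the fields the schema actually renders, e.g. `{{- $_ := set $secretsFound $name (pick $secret "data" "stringData" | toYaml | sha256sum) -}}`. The unit test for this template (the `checksum/` assertion further down the page) only covers `checksum/sealedSecrets`; a matching `checksum/secrets` assertion with a `data` value that changes between two renders would have caught this. The `if $secretsFound` merge that closes this block lies past the end of the hunk.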
Expand Up @@ -17,6 +17,6 @@ tests:
value: Deployment
asserts:
- equal:
path: spec.template.metadata.annotations.checksum/secrets
path: spec.template.metadata.annotations.checksum/sealedSecrets
value:
afdf20f511621d5cb358c5e8b0da2d14cdbe2549fb12fa123f6a6e9baabef26e
1 change: 1 addition & 0 deletions base/templates/resources/secrets/_class.tpl
Expand Up @@ -27,6 +27,7 @@ type: {{ . }}
{{- end }}
metadata:
name: {{ $object.name }}
namespace: {{ default $rootContext.Release.Namespace $object.namespace }}
{{- with $labels }}
labels: {{- toYaml . | nindent 4 -}}
{{- end }}
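Review bot: The added `namespace:` value is rendered as a plain scalar, matching the `name:` line above it; a namespace such as `on`, `no`, `true` or an all-digit value (all valid DNS-1123 labels) would be typed by YAML as a boolean or integer and rejected by the API server. `namespace: {{ default $rootContext.Release.Namespace $object.namespace | quote }}` avoids that; the same applies to `name:` but that line predates this change.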
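--- /dev/null
+++ b/base/templates/resources/secrets/metadata_test.yaml
@@ -0,0 +1,136 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: secrets metadata
+templates:
+  - base.yaml
+values:
+  - ../../../tests/overallValues.yaml
+tests:
+  - it: default metadata should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - notExists:
+          path: metadata.annotations
+      - equal:
+          path: metadata.labels
+          value:
+            app: RELEASE-NAME
+            app.kubernetes.io/component: secret
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: RELEASE-NAME
+            helm.sh/chart: base-template-0.0.0
+      - equal:
+          path: metadata.namespace
+          value: NAMESPACE
+
+  - it: Setting secret namepace should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            namespace: &namespace myFancyNamespace
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - equal:
+          path: metadata.namespace
+          value: *namespace
+
+  - it: custom metadata should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            annotations:
+              test_annotation: test
+            labels:
+              test_label: test
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - equal:
+          path: metadata.annotations
+          value:
+            test_annotation: test
+      - equal:
+          path: metadata.labels
+          value:
+            app: RELEASE-NAME
+            app.kubernetes.io/component: secret
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: RELEASE-NAME
+            helm.sh/chart: base-template-0.0.0
+            test_label: test
+
+  - it: custom metadata with global metadata should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      global:
+        labels:
+          global_label: test
+        annotations:
+          global_annotation: test
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            annotations:
+              test_annotation: test
+            labels:
+              test_label: test
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - equal:
+          path: metadata.annotations
+          value:
+            global_annotation: test
+            test_annotation: test
+      - equal:
+          path: metadata.labels
+          value:
+            app: RELEASE-NAME
+            app.kubernetes.io/component: secret
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: RELEASE-NAME
+            global_label: test
+            helm.sh/chart: base-template-0.0.0
+            test_label: test
+
+  - it: custom secret type should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            type: &type kubernetes.io/service-account-token
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - equal:
+          path: type
+          value: *type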
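Review bot: The second test's description, `Setting secret namepace should pass`, misspells `namespace`, and its fixture value `myFancyNamespace` contains uppercase letters, which Kubernetes rejects in a namespace name (DNS-1123 label). helm-unittest renders without API validation so the test passes, but a lower-case fixture such as `namespace: &namespace my-fancy-namespace` keeps the example realistic and would survive a future schema-validating step. Otherwise the anchor/alias pairing of the expected value with the input is a nice way to keep the two in sync.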
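--- /dev/null
+++ b/base/templates/resources/secrets/names_test.yaml
@@ -0,0 +1,88 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: secret names
+templates:
+  - base.yaml
+values:
+  - ../../../tests/overallValues.yaml
+tests:
+  - it: default should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+    asserts:
+      - containsDocument:
+          kind: Secret
+        not: true
+
+  - it: with disabled secret should pass
+    set:
+      resources.secrets.secret.enabled: false
+    asserts:
+      - containsDocument:
+          kind: Secret
+        not: true
+
+  - it: with multiple secrets should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            data: {}
+          secondary:
+            enabled: true
+            data: {}
+    asserts:
+      - documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-secret
+        isKind:
+          of: Secret
+      - documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-secret
+        exists:
+          path: metadata.name
+      - documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-secondary
+        isKind:
+          of: Secret
+      - documentSelector:
+          path: metadata.name
+          value: RELEASE-NAME-secondary
+        exists:
+          path: metadata.name
+
+  - it: default name should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-secret
+
+  - it: with nameOverride should pass
+    set:
+      mainWorkload.serviceAccount.enabled: false
+      resources:
+        secrets:
+          secret:
+            enabled: true
+            nameOverride: http
+            data: {}
+    documentSelector:
+      path: kind
+      value: Secret
+    asserts:
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-http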
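Review bot: The `with disabled secret should pass` test is the only one in the suite that does not set `mainWorkload.serviceAccount.enabled: false`, yet it asserts that no `kind: Secret` document is rendered; the CI result files in this same PR show the service-account token is itself emitted as a Secret (`type: kubernetes.io/service-account-token`), so the outcome of this test depends on the serviceAccount default in overallValues.yaml rather than on the secrets class. Adding `mainWorkload.serviceAccount.enabled: false` to its `set:` block, as the neighbouring tests do, makes the assertion test only what the description says. In the multiple-secrets test the two `exists: path: metadata.name` assertions are redundant with the `documentSelector` that already matched on `metadata.name` and could be dropped.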