fix(deployment): mount secret with environment variables

templates/_deployment.tpl

@@ -34,6 +34,18 @@
 {{/* envFrom */}}
 
 {{- define "athens-proxy.deployment.envFrom" -}}
+{{- $envFrom := .Values.deployment.athensProxy.envFrom | default (list) }}
+
+{{- if .Values.config.env.enabled }}
+{{- $secretName := include "athens-proxy.secrets.env.name" $ }}
+{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0)}}
+{{- $secretName = .Values.config.env.existingSecret.secretName }}
+{{- end }}
+{{- $envFrom = concat $envFrom (list (dict "secretRef" (dict "name" $secretName))) }}
+{{- end }}
+
+{{ toYaml (dict "envFrom" $envFrom) }}
+
 {{- end -}}
 
 {{/* image */}}

templates/_pod.tpl

@@ -4,6 +4,9 @@
 
 {{- define "athens-proxy.pod.annotations" -}}
 {{ include "athens-proxy.annotations" . }}
+{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) -}}
+{{- printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }}
+{{- end -}}
 {{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) -}}
 {{- printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }}
 {{- end -}}
@@ -18,6 +21,8 @@
 {{- end -}}
 {{- end }}
 
+
+
 {{/* labels */}}
 
 {{- define "athens-proxy.pod.labels" -}}

templates/secretEnv.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.config.env.existingSecret.enabled }}
+{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }}
 ---
 apiVersion: v1
 kind: Secret

unittests/deployment/env.yaml

@@ -0,0 +1,51 @@
+chart:
+  appVersion: 0.1.0
+  version: 0.1.0
+suite: Deployment template
+release:
+  name: athens-proxy-unittest
+  namespace: testing
+templates:
+- templates/deployment.yaml
+- templates/secretEnv.yaml
+tests:
+- it: Rendering default without mounted env secret
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
+      template: templates/deployment.yaml
+    - notContains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: athens-proxy-unittest-env
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted env secret
+  set:
+    config.env.enabled: true
+  asserts:
+    - exists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: athens-proxy-unittest-env
+      template: templates/deployment.yaml
+
+- it: Rendering default with mounted env secret
+  set:
+    config.env.enabled: true
+    config.env.existingSecret.enabled: true
+  asserts:
+    - notExists:
+        path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env
+      template: templates/deployment.yaml
+    - contains:
+        path: spec.template.spec.containers[0].envFrom
+        content:
+          secretRef:
+            name: athens-proxy-unittest-env
+      template: templates/deployment.yaml

unittests/secrets/env.yaml

@@ -8,14 +8,22 @@ release:
 templates:
 - templates/secretEnv.yaml
 tests:
+- it: Skip rendering by default
+  asserts:
+  - hasDocuments:
+      count: 0
+
 - it: Skip rendering by using existing secret.
   set:
+    config.env.enabled: true
     config.env.existingSecret.enabled: true
   asserts:
   - hasDocuments:
       count: 0
 
 - it: Rendering env secret with default values.
+  set:
+    config.env.enabled: true
   asserts:
   - hasDocuments:
       count: 1
@@ -39,6 +47,7 @@ tests:
 
 - it: Rendering env secret with custom values.
   set:
+    config.env.enabled: true
     config.env.secret.envs.ATHENS_GITHUB_TOKEN: my-secret-token
   asserts:
   - isSubset:
@@ -48,6 +57,7 @@ tests:
 
 - it: Rendering custom annotations and labels.
   set:
+    config.env.enabled: true
     config.env.secret.annotations:
       foo: bar
       bar: foo

values.yaml

@@ -8,6 +8,9 @@ fullnameOverride: ""
 ## @section Configuration
 config:
   env:
+    ## @param config.env.enabled Enable mounting of the secret as environment variables.
+    enabled: false
+
     ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables.
     ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables.
     existingSecret: