From f63450aec4b2ebaab3d0f30cb777f223da465ce0 Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Sun, 12 Oct 2025 18:48:18 +0200 Subject: [PATCH] fix(deployment): mount secret with environment variables --- templates/_deployment.tpl | 12 +++++++++ templates/_pod.tpl | 5 ++++ templates/secretEnv.yaml | 2 +- unittests/deployment/env.yaml | 51 +++++++++++++++++++++++++++++++++++ unittests/secrets/env.yaml | 10 +++++++ values.yaml | 3 +++ 6 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 unittests/deployment/env.yaml diff --git a/templates/_deployment.tpl b/templates/_deployment.tpl index a2f95af..9e12669 100644 --- a/templates/_deployment.tpl +++ b/templates/_deployment.tpl @@ -34,6 +34,18 @@ {{/* envFrom */}} {{- define "athens-proxy.deployment.envFrom" -}} +{{- $envFrom := .Values.deployment.athensProxy.envFrom | default (list) }} + +{{- if .Values.config.env.enabled }} +{{- $secretName := include "athens-proxy.secrets.env.name" $ }} +{{- if and .Values.config.env.existingSecret.enabled (gt (len .Values.config.env.existingSecret.secretName) 0)}} +{{- $secretName = .Values.config.env.existingSecret.secretName }} +{{- end }} +{{- $envFrom = concat $envFrom (list (dict "secretRef" (dict "name" $secretName))) }} +{{- end }} + +{{ toYaml (dict "envFrom" $envFrom) }} + {{- end -}} {{/* image */}} diff --git a/templates/_pod.tpl b/templates/_pod.tpl index c27df38..f7ffb5b 100644 --- a/templates/_pod.tpl +++ b/templates/_pod.tpl 
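Review bot: In the new `athens-proxy.deployment.envFrom` block, when `config.env.existingSecret.enabled` is true but `secretName` is empty, the inner `if` is skipped and `$secretName` keeps the chart-managed name from `athens-proxy.secrets.env.name`, yet `templates/secretEnv.yaml` is no longer rendered in that configuration, so the pod's `envFrom` points at a Secret that does not exist and the container fails at startup instead of `helm template` failing early. The third case in `unittests/deployment/env.yaml` actually pins this fallback. I would replace the silent fallback with an explicit failure before the inner `{{- end }}`: `{{- else if .Values.config.env.existingSecret.enabled }}` / `{{- fail "config.env.existingSecret.secretName is required when config.env.existingSecret.enabled is true" }}`. The `gt (len ...) 0` guard also assumes `secretName` is a string; a null value would likely make `len` error, so `(.Values.config.env.existingSecret.secretName | default "")` is safer.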
@@ -4,6 +4,9 @@ {{- define "athens-proxy.pod.annotations" -}} {{ include "athens-proxy.annotations" . }} +{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) -}} +{{- printf "checksum/secret-%s: %s" (include "athens-proxy.secrets.env.name" $) (include (print $.Template.BasePath "/secretEnv.yaml") . | sha256sum) }} +{{- end -}} {{- if and .Values.config.downloadMode.enabled (not .Values.config.downloadMode.existingConfigMap.enabled) -}} {{- printf "checksum/config-map-%s: %s" (include "athens-proxy.configMap.downloadMode.name" $) (include (print $.Template.BasePath "/configMapDownloadMode.yaml") . | sha256sum) }} {{- end -}} @@ -18,6 +21,8 @@ {{- end -}} {{- end }} + + {{/* labels */}} {{- define "athens-proxy.pod.labels" -}} diff --git a/templates/secretEnv.yaml b/templates/secretEnv.yaml index 8997bf5..a1946dd 100644 --- a/templates/secretEnv.yaml +++ b/templates/secretEnv.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.config.env.existingSecret.enabled }} +{{- if and .Values.config.env.enabled (not .Values.config.env.existingSecret.enabled) }} --- apiVersion: v1 kind: Secret diff --git a/unittests/deployment/env.yaml b/unittests/deployment/env.yaml new file mode 100644 index 0000000..8740d42 --- /dev/null +++ b/unittests/deployment/env.yaml 
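Review bot: The new guard in `templates/secretEnv.yaml` makes the env Secret opt-in, while before this change it was rendered whenever `existingSecret.enabled` was false; combined with the `enabled: false` default added in the values.yaml hunk, a release that upgrades without setting `config.env.enabled: true` silently loses its Secret and any `config.env.secret.envs` it relied on. The commit is labelled `fix(deployment)` and nothing in the hunks marks this as a behaviour change; the values.yaml `@param` line, the README and the changelog should state that `config.env.enabled` must now be set to keep the previous behaviour. The two blank lines added in the second `_pod.tpl` hunk look unintentional and could be dropped.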
@@ -0,0 +1,51 @@ +chart: + appVersion: 0.1.0 + version: 0.1.0 +suite: Deployment template +release: + name: athens-proxy-unittest + namespace: testing +templates: +- templates/deployment.yaml +- templates/secretEnv.yaml +tests: +- it: Rendering default without mounted env secret + asserts: + - notExists: + path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env + template: templates/deployment.yaml + - notContains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: athens-proxy-unittest-env + template: templates/deployment.yaml + +- it: Rendering default with mounted env secret + set: + config.env.enabled: true + asserts: + - exists: + path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: athens-proxy-unittest-env + template: templates/deployment.yaml + +- it: Rendering default with mounted env secret + set: + config.env.enabled: true + config.env.existingSecret.enabled: true + asserts: + - notExists: + path: spec.template.metadata.annotations.checksum/secret-athens-proxy-unittest-env + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: athens-proxy-unittest-env + template: templates/deployment.yaml \ No newline at end of file diff --git a/unittests/secrets/env.yaml b/unittests/secrets/env.yaml index aad2f9c..781e0cc 100644 --- a/unittests/secrets/env.yaml +++ b/unittests/secrets/env.yaml 
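Review bot: The third test reuses the title `Rendering default with mounted env secret` from the second test, so a failure is indistinguishable in the report; rename it, e.g. `- it: Rendering with existing env secret`. That test also sets `config.env.existingSecret.enabled: true` without a `secretName` and then asserts `envFrom` references `athens-proxy-unittest-env`, the chart-managed name that the secrets suite asserts is not rendered in this configuration, so it encodes a broken state rather than the existing-secret path; set `config.env.existingSecret.secretName: my-existing-secret` and assert that name in the `secretRef`, plus a `notContains` for the chart-managed name. The file also lacks a trailing newline.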
@@ -8,14 +8,22 @@ release: templates: - templates/secretEnv.yaml tests: +- it: Skip rendering by default + asserts: + - hasDocuments: + count: 0 + - it: Skip rendering by using existing secret. set: + config.env.enabled: true config.env.existingSecret.enabled: true asserts: - hasDocuments: count: 0 - it: Rendering env secret with default values. + set: + config.env.enabled: true asserts: - hasDocuments: count: 1 @@ -39,6 +47,7 @@ tests: - it: Rendering env secret with custom values. set: + config.env.enabled: true config.env.secret.envs.ATHENS_GITHUB_TOKEN: my-secret-token asserts: - isSubset: @@ -48,6 +57,7 @@ tests: - it: Rendering custom annotations and labels. set: + config.env.enabled: true config.env.secret.annotations: foo: bar bar: foo diff --git a/values.yaml b/values.yaml index fe9f4f1..3745d29 100644 --- a/values.yaml +++ b/values.yaml @@ -8,6 +8,9 @@ fullnameOverride: "" ## @section Configuration config: env: + ## @param config.env.enabled Enable mounting of the secret as environment variables. + enabled: false + ## @param config.env.existingSecret.enabled Mount an existing secret containing the application specific environment variables. ## @param config.env.existingSecret.secretName Name of the existing secret containing the application specific environment variables. existingSecret:
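Review bot: The new `@param config.env.enabled` comment in values.yaml documents the switch but not the contract of the existing-secret path that `_deployment.tpl` now relies on: `existingSecret.secretName` is only honoured when non-empty, and because the `checksum/secret-*` annotation in `_pod.tpl` is skipped for an existing secret, rotating that secret's content does not roll the Deployment. I would extend the `secretName` comment, e.g. `## @param config.env.existingSecret.secretName Name of the existing secret ... Required when existingSecret.enabled is true; changes to its content do not trigger a pod restart.` The `enabled` comment should also mention that it defaults to off and must be set to keep the Secret that earlier chart versions rendered by default.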