diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1ee0f4fbb..bd611a6a5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,7 +15,7 @@ jobs: timeout-minutes: 20 steps: - name: Check out code into the Go module directory - uses: actions/checkout@v3 + uses: actions/checkout@v5 with: fetch-depth: 2 @@ -29,3 +29,46 @@ jobs: - name: Upload coverage to Codecov uses: codecov/codecov-action@v3 + + helm-tests: + name: Helm Chart Tests + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Check out code + uses: actions/checkout@v5 + + - name: Set up Helm + uses: azure/setup-helm@v4 + + - name: Helm lint (default values) + run: helm lint ./helm-chart + + - name: Helm lint (S3 values) + run: helm lint ./helm-chart -f ./helm-chart/tests/fixtures/values-s3.yaml + + - name: Helm lint (Azure Blob values) + run: helm lint ./helm-chart -f ./helm-chart/tests/fixtures/values-azblob.yaml + + - name: Helm lint (cloud refs values) + run: helm lint ./helm-chart -f ./helm-chart/tests/fixtures/values-cloud-refs.yaml + + - name: Install helm-unittest plugin + run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false + + - name: Run helm unit tests + run: helm unittest ./helm-chart + + - name: Install kubeconform + run: | + curl -sL https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar xz + sudo mv kubeconform /usr/local/bin/ + + - name: Validate default template + run: helm template kubeshark ./helm-chart | kubeconform -strict -kubernetes-version 1.35.0 -summary + + - name: Validate S3 template + run: helm template kubeshark ./helm-chart -f ./helm-chart/tests/fixtures/values-s3.yaml | kubeconform -strict -kubernetes-version 1.35.0 -summary + + - name: Validate Azure Blob template + run: helm template kubeshark ./helm-chart -f ./helm-chart/tests/fixtures/values-azblob.yaml | kubeconform -strict -kubernetes-version 1.35.0 -summary 
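Review bot: The two install steps in the new `helm-tests` job fetch unpinned, unverified tooling: `helm plugin install … --verify=false` installs an unpinned revision of the plugin with verification switched off, and the kubeconform step pipes `releases/latest` straight into `tar` before `sudo mv` puts the binary on PATH. Pin both to a reviewed release and check the kubeconform archive against a recorded SHA-256 before extracting; `curl -sL` without `-f` also lets an HTTP error body reach `tar`. The `Validate …` steps pipe `helm template` into `kubeconform`, and unless the workflow sets `defaults.run.shell` outside this hunk the default `run:` shell has no `pipefail`, so a failed render can be masked; `shell: bash` on those steps closes that. Pinning `actions/checkout@v5` and `azure/setup-helm@v4` to commit SHAs would follow the same principle.

```yaml
      - name: Install helm-unittest plugin
        # HELM_UNITTEST_VERSION_PLACEHOLDER: replace with the reviewed release tag
        run: helm plugin install https://github.com/helm-unittest/helm-unittest --version HELM_UNITTEST_VERSION_PLACEHOLDER --verify=false

      - name: Install kubeconform
        shell: bash
        env:
          # placeholders: record the reviewed release tag and its published archive digest
          KUBECONFORM_VERSION: 'KUBECONFORM_VERSION_PLACEHOLDER'
          KUBECONFORM_SHA256: 'KUBECONFORM_SHA256_PLACEHOLDER'
        run: |
          set -euo pipefail
          curl -fsSLo kubeconform.tar.gz "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
          echo "${KUBECONFORM_SHA256}  kubeconform.tar.gz" | sha256sum --check --strict
          tar xzf kubeconform.tar.gz kubeconform
          sudo mv kubeconform /usr/local/bin/
      # … unchanged: helm lint, helm unittest and Validate steps …
```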
diff --git a/Makefile b/Makefile index aea7707ac..2629ce20b 100644 --- a/Makefile +++ b/Makefile @@ -137,6 +137,15 @@ test-integration-short: ## Run quick integration tests (skips long-running tests rm -f $$LOG_FILE; \ exit $$status +helm-test: ## Run Helm lint and unit tests. + helm lint ./helm-chart + helm unittest ./helm-chart + +helm-test-full: helm-test ## Run Helm tests with kubeconform schema validation. + helm template kubeshark ./helm-chart | kubeconform -strict -kubernetes-version 1.35.0 -summary + helm template kubeshark ./helm-chart -f ./helm-chart/tests/fixtures/values-s3.yaml | kubeconform -strict -kubernetes-version 1.35.0 -summary + helm template kubeshark ./helm-chart -f ./helm-chart/tests/fixtures/values-azblob.yaml | kubeconform -strict -kubernetes-version 1.35.0 -summary + lint: ## Lint the source code. golangci-lint run diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index c1a85af99..3dbb30b1a 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go 
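Review bot: Each `helm-test-full` recipe line pipes `helm template` into `kubeconform`, and make runs recipes with `/bin/sh` and no `pipefail` by default, so the line's exit status is kubeconform's alone and a failed render can pass unnoticed. Unless `SHELL`/`.SHELLFLAGS` are set elsewhere in the Makefile (not visible in this hunk), render to a file first, e.g. `helm template kubeshark ./helm-chart > rendered.yaml && kubeconform -strict -kubernetes-version 1.35.0 -summary rendered.yaml`. `helm-test` also lints only the default values, while the workflow lints the three fixture files as well, so the local target covers less than CI. It is worth confirming both new targets are listed under `.PHONY`, which this hunk does not show.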
@@ -315,10 +315,28 @@ type SnapshotsLocalConfig struct { StorageSize string `yaml:"storageSize" json:"storageSize" default:"20Gi"` } +type SnapshotsCloudS3Config struct { + Bucket string `yaml:"bucket" json:"bucket" default:""` + Region string `yaml:"region" json:"region" default:""` + AccessKey string `yaml:"accessKey" json:"accessKey" default:""` + SecretKey string `yaml:"secretKey" json:"secretKey" default:""` + RoleArn string `yaml:"roleArn" json:"roleArn" default:""` + ExternalId string `yaml:"externalId" json:"externalId" default:""` +} + +type SnapshotsCloudAzblobConfig struct { + StorageAccount string `yaml:"storageAccount" json:"storageAccount" default:""` + Container string `yaml:"container" json:"container" default:""` + StorageKey string `yaml:"storageKey" json:"storageKey" default:""` +} + type SnapshotsCloudConfig struct { - Provider string `yaml:"provider" json:"provider" default:""` - ConfigMaps []string `yaml:"configMaps" json:"configMaps" default:"[]"` - Secrets []string `yaml:"secrets" json:"secrets" default:"[]"` + Provider string `yaml:"provider" json:"provider" default:""` + Prefix string `yaml:"prefix" json:"prefix" default:""` + ConfigMaps []string `yaml:"configMaps" json:"configMaps" default:"[]"` + Secrets []string `yaml:"secrets" json:"secrets" default:"[]"` + S3 SnapshotsCloudS3Config `yaml:"s3" json:"s3"` + Azblob SnapshotsCloudAzblobConfig `yaml:"azblob" json:"azblob"` } type SnapshotsConfig struct { diff --git a/helm-chart/README.md b/helm-chart/README.md index 272e47dd7..78e289a97 100644 --- a/helm-chart/README.md +++ b/helm-chart/README.md 
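Review bot: `AccessKey`, `SecretKey` and `StorageKey` are added as plain strings with `yaml`/`json` tags, so any code path that marshals or prints the tap config will emit cloud credentials in clear text; whether the CLI does that is not visible in this hunk and should be checked. At minimum document the sensitivity on the fields, e.g. `// SecretKey is a long-lived AWS credential; prefer Secrets or RoleArn, and redact it when the config is dumped or logged.` The new exported types carry no doc comments at all, so a short comment on each stating which provider it configures and which fields are credentials would help. The hunk ends at the opening line of `SnapshotsConfig`, whose body lies outside it.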
@@ -146,8 +146,18 @@ Example for overriding image names: | `tap.snapshots.local.storageClass` | Storage class for local snapshots volume. When empty, uses `emptyDir`. When set, creates a PVC with this storage class | `""` | | `tap.snapshots.local.storageSize` | Storage size for local snapshots volume (supports K8s quantity format: `1Gi`, `500Mi`, etc.) | `20Gi` | | `tap.snapshots.cloud.provider` | Cloud storage provider for snapshots: `s3` or `azblob`. Empty string disables cloud storage. See [Cloud Storage docs](docs/snapshots_cloud_storage.md). | `""` | -| `tap.snapshots.cloud.configMaps` | Names of ConfigMaps containing cloud storage environment variables. See [Cloud Storage docs](docs/snapshots_cloud_storage.md). | `[]` | -| `tap.snapshots.cloud.secrets` | Names of Secrets containing cloud storage credentials. See [Cloud Storage docs](docs/snapshots_cloud_storage.md). | `[]` | +| `tap.snapshots.cloud.prefix` | Key prefix in the bucket/container (e.g. `snapshots/`). See [Cloud Storage docs](docs/snapshots_cloud_storage.md). | `""` | +| `tap.snapshots.cloud.configMaps` | Names of pre-existing ConfigMaps with cloud storage env vars. Alternative to inline `s3`/`azblob` values below. See [Cloud Storage docs](docs/snapshots_cloud_storage.md). | `[]` | +| `tap.snapshots.cloud.secrets` | Names of pre-existing Secrets with cloud storage credentials. Alternative to inline `s3`/`azblob` values below. See [Cloud Storage docs](docs/snapshots_cloud_storage.md). | `[]` | +| `tap.snapshots.cloud.s3.bucket` | S3 bucket name. When set, the chart auto-creates a ConfigMap with `SNAPSHOT_AWS_BUCKET`. | `""` | +| `tap.snapshots.cloud.s3.region` | AWS region for the S3 bucket. | `""` | +| `tap.snapshots.cloud.s3.accessKey` | AWS access key ID. When set, the chart auto-creates a Secret with `SNAPSHOT_AWS_ACCESS_KEY`. | `""` | +| `tap.snapshots.cloud.s3.secretKey` | AWS secret access key. When set, the chart auto-creates a Secret with `SNAPSHOT_AWS_SECRET_KEY`. 
| `""` | +| `tap.snapshots.cloud.s3.roleArn` | IAM role ARN to assume via STS for cross-account S3 access. | `""` | +| `tap.snapshots.cloud.s3.externalId` | External ID for the STS AssumeRole call. | `""` | +| `tap.snapshots.cloud.azblob.storageAccount` | Azure storage account name. When set, the chart auto-creates a ConfigMap with `SNAPSHOT_AZBLOB_STORAGE_ACCOUNT`. | `""` | +| `tap.snapshots.cloud.azblob.container` | Azure blob container name. | `""` | +| `tap.snapshots.cloud.azblob.storageKey` | Azure storage account access key. When set, the chart auto-creates a Secret with `SNAPSHOT_AZBLOB_STORAGE_KEY`. | `""` | | `tap.release.repo` | URL of the Helm chart repository | `https://helm.kubeshark.com` | | `tap.release.name` | Helm release name | `kubeshark` | | `tap.release.namespace` | Helm release namespace | `default` | diff --git a/helm-chart/docs/snapshots_cloud_storage.md b/helm-chart/docs/snapshots_cloud_storage.md index 11ccb2775..50997a68e 100644 --- a/helm-chart/docs/snapshots_cloud_storage.md +++ b/helm-chart/docs/snapshots_cloud_storage.md 
@@ -11,13 +11,31 @@ tap: snapshots: cloud: provider: "" # "s3" or "azblob" (empty = disabled) + prefix: "" # key prefix in the bucket/container (e.g. "snapshots/") configMaps: [] # names of pre-existing ConfigMaps with cloud config env vars secrets: [] # names of pre-existing Secrets with cloud credentials + s3: + bucket: "" + region: "" + accessKey: "" + secretKey: "" + roleArn: "" + externalId: "" + azblob: + storageAccount: "" + container: "" + storageKey: "" ``` - `provider` selects which cloud backend to use. Leave empty to disable cloud storage. - `configMaps` and `secrets` are lists of names of existing ConfigMap/Secret resources. They are mounted as `envFrom` on the hub pod, injecting all their keys as environment variables. +### Inline Values (Alternative to External ConfigMaps/Secrets) + +Instead of creating ConfigMap and Secret resources manually, you can set cloud storage configuration directly in `values.yaml` or via `--set` flags. The Helm chart will automatically create the necessary ConfigMap and Secret resources. + +Both approaches can be used together — inline values are additive to external `configMaps`/`secrets` references. + --- ## Amazon S3 @@ -48,6 +66,29 @@ Credentials are resolved in this order: The provider validates bucket access on startup via `HeadBucket`. If the bucket is inaccessible, the hub will fail to start. +### Example: Inline Values (simplest approach) + +```yaml +tap: + snapshots: + cloud: + provider: "s3" + s3: + bucket: my-kubeshark-snapshots + region: us-east-1 +``` + +Or with static credentials via `--set`: + +```bash +helm install kubeshark kubeshark/kubeshark \ + --set tap.snapshots.cloud.provider=s3 \ + --set tap.snapshots.cloud.s3.bucket=my-kubeshark-snapshots \ + --set tap.snapshots.cloud.s3.region=us-east-1 \ + --set tap.snapshots.cloud.s3.accessKey=AKIA... \ + --set tap.snapshots.cloud.s3.secretKey=wJal... +``` + ### Example: IRSA (recommended for EKS) Create a ConfigMap with bucket configuration: 
@@ -159,6 +200,19 @@ Credentials are resolved in this order: The provider validates container access on startup via `GetProperties`. If the container is inaccessible, the hub will fail to start. +### Example: Inline Values + +```yaml +tap: + snapshots: + cloud: + provider: "azblob" + azblob: + storageAccount: mykubesharksa + container: snapshots + storageKey: "base64-encoded-storage-key..." # optional, omit for DefaultAzureCredential +``` + ### Example: Workload Identity (recommended for AKS) Create a ConfigMap with storage configuration: diff --git a/helm-chart/templates/04-hub-deployment.yaml b/helm-chart/templates/04-hub-deployment.yaml index 6f897b2f9..394137d19 100644 --- a/helm-chart/templates/04-hub-deployment.yaml +++ b/helm-chart/templates/04-hub-deployment.yaml @@ -65,7 +65,9 @@ spec: - -cloud-storage-provider - '{{ .Values.tap.snapshots.cloud.provider }}' {{- end }} - {{- if or .Values.tap.secrets .Values.tap.snapshots.cloud.configMaps .Values.tap.snapshots.cloud.secrets }} + {{- $hasInlineConfig := or .Values.tap.snapshots.cloud.prefix .Values.tap.snapshots.cloud.s3.bucket .Values.tap.snapshots.cloud.s3.region .Values.tap.snapshots.cloud.s3.roleArn .Values.tap.snapshots.cloud.s3.externalId .Values.tap.snapshots.cloud.azblob.storageAccount .Values.tap.snapshots.cloud.azblob.container }} + {{- $hasInlineSecrets := or .Values.tap.snapshots.cloud.s3.accessKey .Values.tap.snapshots.cloud.s3.secretKey .Values.tap.snapshots.cloud.azblob.storageKey }} + {{- if or .Values.tap.secrets .Values.tap.snapshots.cloud.configMaps .Values.tap.snapshots.cloud.secrets $hasInlineConfig $hasInlineSecrets }} envFrom: {{- range .Values.tap.secrets }} - secretRef: 
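Review bot: `$hasInlineConfig` and `$hasInlineSecrets` restate, under different names, the field lists that `templates/21-cloud-storage.yaml` computes as `$hasConfigValues` and `$hasSecretValues`; if a field is later added to one list only, the Deployment either references a ConfigMap/Secret that was never rendered (a missing non-optional `envFrom` source keeps the container from starting) or silently skips one that was. Move each list into a named template in the chart's helpers and call it from both files, e.g. `{{- $hasInlineSecrets := include "kubeshark.cloud.hasInlineSecrets" . }}`, where the helper name is only a suggestion and the helper emits a non-empty string when any of the values is set. The container spec this hunk edits begins and ends outside the hunk.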
@@ -79,6 +81,14 @@ spec: - secretRef: name: {{ . }} {{- end }} + {{- if $hasInlineConfig }} + - configMapRef: + name: {{ include "kubeshark.name" . }}-cloud-config + {{- end }} + {{- if $hasInlineSecrets }} + - secretRef: + name: {{ include "kubeshark.name" . }}-cloud-secret + {{- end }} {{- end }} env: - name: POD_NAME diff --git a/helm-chart/templates/21-cloud-storage.yaml b/helm-chart/templates/21-cloud-storage.yaml new file mode 100644 index 000000000..0d93113e4 --- /dev/null +++ b/helm-chart/templates/21-cloud-storage.yaml 
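Review bot: The two references added after the `range` blocks make the hub depend on chart-managed objects whose contents can change without the pod template changing, and `envFrom` is only read when the container starts, so a rotated `secretKey` or `storageKey` would not reach the running hub until something else restarts it. If the pod template does not already carry one (its annotations are outside this hunk), add a checksum annotation such as `checksum/cloud-storage: {{ include (print $.Template.BasePath "/21-cloud-storage.yaml") . | sha256sum }}`. Because the inline entries come last in the list, their keys take precedence over same-named keys from `tap.snapshots.cloud.configMaps`/`secrets`, which the docs describe only as "additive"; a template comment stating that precedence would help.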
@@ -0,0 +1,55 @@
+{{- $hasConfigValues := or .Values.tap.snapshots.cloud.prefix .Values.tap.snapshots.cloud.s3.bucket .Values.tap.snapshots.cloud.s3.region .Values.tap.snapshots.cloud.s3.roleArn .Values.tap.snapshots.cloud.s3.externalId .Values.tap.snapshots.cloud.azblob.storageAccount .Values.tap.snapshots.cloud.azblob.container -}}
+{{- $hasSecretValues := or .Values.tap.snapshots.cloud.s3.accessKey .Values.tap.snapshots.cloud.s3.secretKey .Values.tap.snapshots.cloud.azblob.storageKey -}}
+{{- if $hasConfigValues }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ {{- include "kubeshark.labels" . | nindent 4 }}
+ name: {{ include "kubeshark.name" . }}-cloud-config
+ namespace: {{ .Release.Namespace }}
+data:
+ {{- if .Values.tap.snapshots.cloud.prefix }}
+ SNAPSHOT_CLOUD_PREFIX: {{ .Values.tap.snapshots.cloud.prefix | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.s3.bucket }}
+ SNAPSHOT_AWS_BUCKET: {{ .Values.tap.snapshots.cloud.s3.bucket | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.s3.region }}
+ SNAPSHOT_AWS_REGION: {{ .Values.tap.snapshots.cloud.s3.region | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.s3.roleArn }}
+ SNAPSHOT_AWS_ROLE_ARN: {{ .Values.tap.snapshots.cloud.s3.roleArn | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.s3.externalId }}
+ SNAPSHOT_AWS_EXTERNAL_ID: {{ .Values.tap.snapshots.cloud.s3.externalId | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.azblob.storageAccount }}
+ SNAPSHOT_AZBLOB_STORAGE_ACCOUNT: {{ .Values.tap.snapshots.cloud.azblob.storageAccount | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.azblob.container }}
+ SNAPSHOT_AZBLOB_CONTAINER: {{ .Values.tap.snapshots.cloud.azblob.container | quote }}
+ {{- end }}
+{{- end }}
+{{- if $hasSecretValues }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ {{- include "kubeshark.labels" . | nindent 4 }}
+ name: {{ include "kubeshark.name" . }}-cloud-secret
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ {{- if .Values.tap.snapshots.cloud.s3.accessKey }}
+ SNAPSHOT_AWS_ACCESS_KEY: {{ .Values.tap.snapshots.cloud.s3.accessKey | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.s3.secretKey }}
+ SNAPSHOT_AWS_SECRET_KEY: {{ .Values.tap.snapshots.cloud.s3.secretKey | quote }}
+ {{- end }}
+ {{- if .Values.tap.snapshots.cloud.azblob.storageKey }}
+ SNAPSHOT_AZBLOB_STORAGE_KEY: {{ .Values.tap.snapshots.cloud.azblob.storageKey | quote }}
+ {{- end }}
+{{- end }}
diff --git a/helm-chart/tests/cloud_storage_test.yaml b/helm-chart/tests/cloud_storage_test.yaml
new file mode 100644
index 000000000..79074913e
--- /dev/null
+++ b/helm-chart/tests/cloud_storage_test.yaml
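Review bot: The Secret in `templates/21-cloud-storage.yaml` is built from `accessKey`, `secretKey` and `storageKey` taken straight from values, which means those credentials also live wherever the values do: in values files, in shell history when passed with `--set` as the updated docs show, and in the Helm release record, where `helm get values` returns them. The file should open with a comment saying so and pointing to `tap.snapshots.cloud.secrets` or the IRSA / Workload Identity setups the docs already recommend, for example `{{- /* Inline credentials are stored in Helm release data; prefer tap.snapshots.cloud.secrets or workload identity outside test clusters. */ -}}`, and the same caveat belongs beside the new keys in `values.yaml`. Neither document is conditioned on `tap.snapshots.cloud.provider`, and nothing rejects a lone `accessKey` without `secretKey`, so half-configured input renders without error; a `fail` guard for that pair would catch it at install time.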
@@ -0,0 +1,175 @@ +suite: cloud storage template +templates: + - templates/21-cloud-storage.yaml +tests: + - it: should render nothing with default values + asserts: + - hasDocuments: + count: 0 + + - it: should render ConfigMap with S3 config only + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.region: us-east-1 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + documentIndex: 0 + - equal: + path: metadata.name + value: RELEASE-NAME-cloud-config + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AWS_BUCKET + value: "my-bucket" + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AWS_REGION + value: "us-east-1" + documentIndex: 0 + - notExists: + path: data.SNAPSHOT_AWS_ACCESS_KEY + documentIndex: 0 + + - it: should render ConfigMap and Secret with S3 config and credentials + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.region: us-east-1 + tap.snapshots.cloud.s3.accessKey: AKIAIOSFODNN7EXAMPLE + tap.snapshots.cloud.s3.secretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY + asserts: + - hasDocuments: + count: 2 + - isKind: + of: ConfigMap + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AWS_BUCKET + value: "my-bucket" + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AWS_REGION + value: "us-east-1" + documentIndex: 0 + - isKind: + of: Secret + documentIndex: 1 + - equal: + path: metadata.name + value: RELEASE-NAME-cloud-secret + documentIndex: 1 + - equal: + path: stringData.SNAPSHOT_AWS_ACCESS_KEY + value: "AKIAIOSFODNN7EXAMPLE" + documentIndex: 1 + - equal: + path: stringData.SNAPSHOT_AWS_SECRET_KEY + value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + documentIndex: 1 + + - it: should render ConfigMap with Azure Blob config only + set: + tap.snapshots.cloud.azblob.storageAccount: myaccount + tap.snapshots.cloud.azblob.container: mycontainer + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AZBLOB_STORAGE_ACCOUNT + 
value: "myaccount" + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AZBLOB_CONTAINER + value: "mycontainer" + documentIndex: 0 + + - it: should render ConfigMap and Secret with Azure Blob config and storage key + set: + tap.snapshots.cloud.azblob.storageAccount: myaccount + tap.snapshots.cloud.azblob.container: mycontainer + tap.snapshots.cloud.azblob.storageKey: c29tZWtleQ== + asserts: + - hasDocuments: + count: 2 + - isKind: + of: ConfigMap + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AZBLOB_STORAGE_ACCOUNT + value: "myaccount" + documentIndex: 0 + - isKind: + of: Secret + documentIndex: 1 + - equal: + path: stringData.SNAPSHOT_AZBLOB_STORAGE_KEY + value: "c29tZWtleQ==" + documentIndex: 1 + + - it: should render ConfigMap with only prefix + set: + tap.snapshots.cloud.prefix: snapshots/prod + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + documentIndex: 0 + - equal: + path: data.SNAPSHOT_CLOUD_PREFIX + value: "snapshots/prod" + documentIndex: 0 + - notExists: + path: data.SNAPSHOT_AWS_BUCKET + documentIndex: 0 + - notExists: + path: data.SNAPSHOT_AZBLOB_STORAGE_ACCOUNT + documentIndex: 0 + + - it: should render ConfigMap with role ARN without credentials (IAM auth) + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.region: us-east-1 + tap.snapshots.cloud.s3.roleArn: arn:aws:iam::123456789012:role/my-role + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AWS_ROLE_ARN + value: "arn:aws:iam::123456789012:role/my-role" + documentIndex: 0 + - equal: + path: data.SNAPSHOT_AWS_BUCKET + value: "my-bucket" + documentIndex: 0 + + - it: should render ConfigMap with externalId + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.externalId: ext-12345 + asserts: + - hasDocuments: + count: 1 + - equal: + path: data.SNAPSHOT_AWS_EXTERNAL_ID + value: "ext-12345" + documentIndex: 0 + + - it: should set correct namespace + release: + 
namespace: kubeshark-ns + set: + tap.snapshots.cloud.s3.bucket: my-bucket + asserts: + - equal: + path: metadata.namespace + value: kubeshark-ns + documentIndex: 0 diff --git a/helm-chart/tests/fixtures/values-azblob.yaml b/helm-chart/tests/fixtures/values-azblob.yaml new file mode 100644 index 000000000..390e076f3 --- /dev/null +++ b/helm-chart/tests/fixtures/values-azblob.yaml @@ -0,0 +1,9 @@ +tap: + snapshots: + cloud: + provider: azblob + prefix: snapshots/ + azblob: + storageAccount: kubesharkstore + container: snapshots + storageKey: c29tZWtleWhlcmU= diff --git a/helm-chart/tests/fixtures/values-cloud-refs.yaml b/helm-chart/tests/fixtures/values-cloud-refs.yaml new file mode 100644 index 000000000..901bdbeb3 --- /dev/null +++ b/helm-chart/tests/fixtures/values-cloud-refs.yaml @@ -0,0 +1,8 @@ +tap: + snapshots: + cloud: + provider: s3 + configMaps: + - my-cloud-config + secrets: + - my-cloud-secret diff --git a/helm-chart/tests/fixtures/values-s3.yaml b/helm-chart/tests/fixtures/values-s3.yaml new file mode 100644 index 000000000..e8e7fcd50 --- /dev/null +++ b/helm-chart/tests/fixtures/values-s3.yaml @@ -0,0 +1,10 @@ +tap: + snapshots: + cloud: + provider: s3 + prefix: snapshots/ + s3: + bucket: kubeshark-snapshots + region: us-east-1 + accessKey: AKIAIOSFODNN7EXAMPLE + secretKey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY diff --git a/helm-chart/tests/hub_deployment_test.yaml b/helm-chart/tests/hub_deployment_test.yaml new file mode 100644 index 000000000..1915e9e8c --- /dev/null +++ b/helm-chart/tests/hub_deployment_test.yaml 
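Review bot: The suite in `cloud_storage_test.yaml` never asserts that credentials stay out of the ConfigMap once they are set: the only `notExists` on `data.SNAPSHOT_AWS_ACCESS_KEY` sits in the case that sets no credentials at all. In the two "ConfigMap and Secret" cases add `notExists` checks at `documentIndex: 0` for `data.SNAPSHOT_AWS_SECRET_KEY` and `data.SNAPSHOT_AZBLOB_STORAGE_KEY`, since a key leaking into the ConfigMap is the regression that matters most here. There is also no case for credentials without any config value, where the Secret would be rendered alone at index 0.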
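Review bot: `accessKey` and `secretKey` in `values-s3.yaml` hold the AWS documentation example key pair, which secret scanners commonly flag and which a reader cannot tell from a real leak at a glance. Add a leading comment such as `# Test fixture: AWS documentation example credentials, not a real key pair.`, and a matching comment above `storageKey` in `values-azblob.yaml`.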
@@ -0,0 +1,129 @@ +suite: hub deployment cloud integration +templates: + - templates/04-hub-deployment.yaml +tests: + - it: should not render envFrom with default values + asserts: + - isKind: + of: Deployment + - notContains: + path: spec.template.spec.containers[0].envFrom + any: true + content: + configMapRef: + name: RELEASE-NAME-cloud-config + + - it: should render envFrom with inline S3 config + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.region: us-east-1 + asserts: + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: RELEASE-NAME-cloud-config + + - it: should render envFrom secret ref with inline credentials + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.accessKey: AKIAIOSFODNN7EXAMPLE + tap.snapshots.cloud.s3.secretKey: secret + asserts: + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: RELEASE-NAME-cloud-config + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: RELEASE-NAME-cloud-secret + + - it: should render envFrom with external configMaps + set: + tap.snapshots.cloud.configMaps: + - my-cloud-config + - my-other-config + asserts: + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: my-cloud-config + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: my-other-config + + - it: should render envFrom with external secrets + set: + tap.snapshots.cloud.secrets: + - my-cloud-secret + asserts: + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: my-cloud-secret + + - it: should render cloud-storage-provider arg when provider is set + set: + tap.snapshots.cloud.provider: s3 + asserts: + - contains: + path: spec.template.spec.containers[0].command + content: -cloud-storage-provider + - contains: + path: 
spec.template.spec.containers[0].command + content: s3 + + - it: should not render cloud-storage-provider arg with default values + asserts: + - notContains: + path: spec.template.spec.containers[0].command + content: -cloud-storage-provider + + - it: should render envFrom with tap.secrets + set: + tap.secrets: + - my-existing-secret + asserts: + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: my-existing-secret + + - it: should render both inline and external refs together + set: + tap.snapshots.cloud.s3.bucket: my-bucket + tap.snapshots.cloud.s3.accessKey: key + tap.snapshots.cloud.s3.secretKey: secret + tap.snapshots.cloud.configMaps: + - ext-config + tap.snapshots.cloud.secrets: + - ext-secret + asserts: + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: ext-config + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: ext-secret + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: RELEASE-NAME-cloud-config + - contains: + path: spec.template.spec.containers[0].envFrom + content: + secretRef: + name: RELEASE-NAME-cloud-secret diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 7df549461..a62ee6c33 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -43,8 +43,20 @@ tap: storageSize: 20Gi cloud: provider: "" + prefix: "" configMaps: [] secrets: [] + s3: + bucket: "" + region: "" + accessKey: "" + secretKey: "" + roleArn: "" + externalId: "" + azblob: + storageAccount: "" + container: "" + storageKey: "" release: repo: https://helm.kubeshark.com name: kubeshark
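Review bot: The first case in `hub_deployment_test.yaml` is named "should not render envFrom with default values" but only asserts that one `configMapRef` is absent from `envFrom`, so it would still pass if the block were rendered with other entries, and how `notContains` behaves when the path is missing is worth confirming. If the chart defaults leave `tap.secrets` empty (not visible here), assert what the name says with `- notExists:` and `path: spec.template.spec.containers[0].envFrom`. A case that sets only `accessKey`/`secretKey` and expects the `secretRef` without the `configMapRef` would cover the branch where `$hasInlineSecrets` is true and `$hasInlineConfig` is false.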