Adds Helm option to use independently installed Conjur connect ConfigMap

This change adds the following for the Secrets Provider stand-alone mode
Helm chart:

- A Helm chart value for allowing the Secrets Provider to get its Conjur
  connection information via an independently (i.e. outside of this Helm
  chart), instead of using Pod environment variables. This will allow
  this Helm chart in conjunction with the Kubernetes cluster prep Helm chart
  and the application Namespace prep Helm chart as described here:
  - https://github.com/cyberark/conjur-authn-k8s-client/tree/master/helm/conjur-config-namespace-prep
  - https://github.com/cyberark/conjur-authn-k8s-client/tree/master/helm/conjur-config-cluster-prep
  If the Conjur connection ConfigMap is configured, the other Conjur connect
  Helm chart settings are ignored.

- Adds Helm unit tests that make use of the 'helm-unittest' plugin. See:
  https://github.com/quintush/helm-unittest/blob/master/DOCUMENT.md

- Adds Helm schema validation tests based upon `helm lint ...`.

- In `values.yaml`, the required settings are commented out. This is done
  in order for the `required` settings in `values.schema.json` to take
  effect. Without commenting out these settings in `values.yaml`, the
  Helm schema validation interprets these settings as being "set",
  even if they are left as is, without overriding with explicit values.

- In `values.schema.json`, for any settings that have default values
  defined in `values.yaml`, the `required` settings in
  `values.schema.json` are deleted, since these settings will never
  be unset due to their default settings.

- Added a GitHub action for running the Helm unittest and the Helm
  schema validation tests.

.github/workflows/helm-unit-test.yaml

@@ -0,0 +1,33 @@
+name: Helm Unit Test
+
+on:
+  # Run this on pushes to main
+  push:
+    branches:
+    - main
+
+  # Or when PR operations are done
+  pull_request:
+    types:
+    - opened
+    - reopened
+    - synchronize
+
+jobs:
+  unit_test:
+    name: Run Helm unittest and Schema Validation Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.5.3
+
+      - name: Run Helm unittest
+        run: cd ./helm/secrets-provider/tests && ./test-unit
+
+      - name: Run Helm schema validation tests
+        run: cd ./helm/secrets-provider/tests && ./test-schema

helm/secrets-provider/Chart.yaml

@@ -3,3 +3,4 @@ description: A Helm chart for deploying CyberArk Secrets Provider for Kubernetes
 name: secrets-provider
 version: 1.1.4
 home: https://github.com/cyberark/secrets-provider-for-k8s
+icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg

helm/secrets-provider/templates/cert-config-map.yaml

@@ -1,7 +1,9 @@
+{{- if not .Values.environment.conjur.conjurConnConfigMap }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Values.environment.conjur.sslCertificate.name }}
   namespace: {{ .Release.Namespace }}
 data:
   ssl-certificate: {{ .Values.environment.conjur.sslCertificate.value | quote }}
+{{- end }}

helm/secrets-provider/templates/secrets-provider.yaml

@@ -41,6 +41,7 @@ spec:
               apiVersion: v1
               fieldPath: metadata.namespace
 
+        {{- if not .Values.environment.conjur.conjurConnConfigMap }}
         - name: CONJUR_APPLIANCE_URL
           value:  {{ .Values.environment.conjur.applianceUrl | quote }}
 
@@ -55,6 +56,7 @@ spec:
             configMapKeyRef:
               name: {{ .Values.environment.conjur.sslCertificate.name | quote }}
               key: ssl-certificate
+        {{- end }}
 
         - name: CONJUR_AUTHN_LOGIN
           value: {{ .Values.environment.conjur.authnLogin | quote }}
@@ -83,5 +85,11 @@ spec:
         - name: DEBUG
           value: "true"
         {{- end }}
+
+        {{- if .Values.environment.conjur.conjurConnConfigMap }}
+        envFrom:
+        - configMapRef:
+            name: {{ .Values.environment.conjur.conjurConnConfigMap }}
+        {{- end }}
       restartPolicy: Never
   backoffLimit: 0

helm/secrets-provider/tests/secrets_provider_test.yaml

@@ -0,0 +1,136 @@
+# Helm unit test to be used with the 'helm-unittest' Helm plugin.
+# Reference: https://github.com/quintush/helm-unittest/blob/master/DOCUMENT.md
+
+suite: test secrets-provider
+
+templates:
+  - secrets-provider.yaml
+
+# Default testing values for required chart values
+defaults: &defaultRequired
+  environment.conjur.account: myConjurAccount
+  environment.conjur.applianceUrl: https://conjur.example.com
+  environment.conjur.authnLogin: host/conjur/authn-k8s/my-authn-id/my-conjur-policy/my-host-id
+  environment.conjur.authnUrl: https://conjur.example.com/authn-k8s/my-authn-id
+  environment.conjur.sslCertificate.value: "-----BEGIN CERTIFICATE-----\n
+  MIIC/ThisIsAFakeThisIsOnlyAFake==\n
+  -----END CERTIFICATE-----\n"
+  environment.k8sSecrets: [k8s-secret1,k8s-secret2]
+
+tests:
+  #=======================================================================
+  - it: succeeds if all required values are provided including Conjur
+        connect params
+  #=======================================================================
+    set:
+      # Set required values
+      <<: *defaultRequired
+
+    asserts:
+      # Confirm that a Secrets Provider Job manifest has been created
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Job
+
+      # Confirm that required values that were explicitly set have been used
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_ACCOUNT
+              value: myConjurAccount
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_APPLIANCE_URL
+              value: https://conjur.example.com
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_AUTHN_LOGIN
+              value: host/conjur/authn-k8s/my-authn-id/my-conjur-policy/my-host-id
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_AUTHN_URL
+              value: https://conjur.example.com/authn-k8s/my-authn-id
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_SSL_CERTIFICATE
+              valueFrom:
+                  configMapKeyRef:
+                      key: ssl-certificate
+                      name: cert-config-map
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: K8S_SECRETS
+              value: k8s-secret1,k8s-secret2
+
+      # Confirm that default chart values have been used
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: cyberark/secrets-provider-for-k8s:1.1.4
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: IfNotPresent
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: cyberark-secrets-provider-for-k8s
+
+  #=======================================================================
+  - it: succeeds if Conjur connect ConfigMap provided instead of Conjur
+        connect params
+  #=======================================================================
+    set:
+      # Set required values including Conjur connect ConfigMap
+      environment.conjur.authnLogin: host/conjur/authn-k8s/my-authn-id/my-conjur-policy/my-host-id
+      environment.conjur.conjurConnConfigMap: conjur-connect
+      environment.k8sSecrets: [k8s-secret1,k8s-secret2]
+
+    asserts:
+      # Confirm that a Secrets Provider Job manifest has been created
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Job
+
+      # Confirm that required values that were explicitly set have been used
+      - contains:
+          path: spec.template.spec.containers[0].envFrom
+          content:
+              configMapRef:
+                  name: conjur-connect
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: K8S_SECRETS
+              value: k8s-secret1,k8s-secret2
+
+  #=======================================================================
+  - it: allows Secrets Provider image spec to be set explicitly
+  #=======================================================================
+    set:
+      # Set required values
+      <<: *defaultRequired
+
+      # Explicitly set Secrets Provider image specifications and container name
+      secretsProvider.image: my-docker-org/my-docker-image
+      secretsProvider.tag: latest
+      secretsProvider.imagePullPolicy: Always
+      secretsProvider.name: my-container-name
+
+    asserts:
+      # Confirm that explicit image settings have been used
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: my-docker-org/my-docker-image:latest
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: my-container-name