Adds Helm option to use independently installed Conjur connect ConfigMap

.github/workflows/helm-unit-test.yaml

@@ -0,0 +1,33 @@
+name: Helm Unit Test
+
+on:
+  # Run this on pushes to main
+  push:
+    branches:
+    - main
+
+  # Or when PR operations are done
+  pull_request:
+    types:
+    - opened
+    - reopened
+    - synchronize
+
+jobs:
+  unit_test:
+    name: Run Helm unittest and Schema Validation Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.5.3
+
+      - name: Run Helm unittest
+        run: cd ./helm/secrets-provider/tests && ./test-unit
+
+      - name: Run Helm schema validation tests
+        run: cd ./helm/secrets-provider/tests && ./test-schema

helm/secrets-provider/Chart.yaml

@@ -3,3 +3,4 @@ description: A Helm chart for deploying CyberArk Secrets Provider for Kubernetes
 name: secrets-provider
 version: 1.1.4
 home: https://github.com/cyberark/secrets-provider-for-k8s
+icon: https://www.cyberark.com/wp-content/uploads/2015/12/cybr-aim.jpg

helm/secrets-provider/templates/cert-config-map.yaml

@@ -1,7 +1,9 @@
+{{- if not .Values.environment.conjur.conjurConnConfigMap }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Values.environment.conjur.sslCertificate.name }}
   namespace: {{ .Release.Namespace }}
 data:
   ssl-certificate: {{ .Values.environment.conjur.sslCertificate.value | quote }}
+{{- end }}

helm/secrets-provider/templates/secrets-provider.yaml

@@ -41,6 +41,7 @@ spec:
               apiVersion: v1
               fieldPath: metadata.namespace
 
+        {{- if not .Values.environment.conjur.conjurConnConfigMap }}
         - name: CONJUR_APPLIANCE_URL
           value:  {{ .Values.environment.conjur.applianceUrl | quote }}
 
@@ -55,6 +56,7 @@ spec:
             configMapKeyRef:
               name: {{ .Values.environment.conjur.sslCertificate.name | quote }}
               key: ssl-certificate
+        {{- end }}
 
         - name: CONJUR_AUTHN_LOGIN
           value: {{ .Values.environment.conjur.authnLogin | quote }}
@@ -83,5 +85,11 @@ spec:
         - name: DEBUG
           value: "true"
         {{- end }}
+
+        {{- if .Values.environment.conjur.conjurConnConfigMap }}
+        envFrom:
+        - configMapRef:
+            name: {{ .Values.environment.conjur.conjurConnConfigMap }}
+        {{- end }}
       restartPolicy: Never
   backoffLimit: 0

helm/secrets-provider/tests/secrets_provider_test.yaml

@@ -0,0 +1,136 @@
+# Helm unit test to be used with the 'helm-unittest' Helm plugin.
+# Reference: https://github.com/quintush/helm-unittest/blob/master/DOCUMENT.md
+
+suite: test secrets-provider
+
+templates:
+  - secrets-provider.yaml
+
+# Default testing values for required chart values
+defaults: &defaultRequired
+  environment.conjur.account: myConjurAccount
+  environment.conjur.applianceUrl: https://conjur.example.com
+  environment.conjur.authnLogin: host/conjur/authn-k8s/my-authn-id/my-conjur-policy/my-host-id
+  environment.conjur.authnUrl: https://conjur.example.com/authn-k8s/my-authn-id
+  environment.conjur.sslCertificate.value: "-----BEGIN CERTIFICATE-----\n
+  MIIC/ThisIsAFakeThisIsOnlyAFake==\n
+  -----END CERTIFICATE-----\n"
+  environment.k8sSecrets: [k8s-secret1,k8s-secret2]
+
+tests:
+  #=======================================================================
+  - it: succeeds if all required values are provided including Conjur
+        connect params
+  #=======================================================================
+    set:
+      # Set required values
+      <<: *defaultRequired
+
+    asserts:
+      # Confirm that a Secrets Provider Job manifest has been created
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Job
+
+      # Confirm that required values that were explicitly set have been used
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_ACCOUNT
+              value: myConjurAccount
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_APPLIANCE_URL
+              value: https://conjur.example.com
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_AUTHN_LOGIN
+              value: host/conjur/authn-k8s/my-authn-id/my-conjur-policy/my-host-id
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_AUTHN_URL
+              value: https://conjur.example.com/authn-k8s/my-authn-id
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: CONJUR_SSL_CERTIFICATE
+              valueFrom:
+                  configMapKeyRef:
+                      key: ssl-certificate
+                      name: cert-config-map
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: K8S_SECRETS
+              value: k8s-secret1,k8s-secret2
+
+      # Confirm that default chart values have been used
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: cyberark/secrets-provider-for-k8s:1.1.4
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: IfNotPresent
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: cyberark-secrets-provider-for-k8s
+
+  #=======================================================================
+  - it: succeeds if Conjur connect ConfigMap provided instead of Conjur
+        connect params
+  #=======================================================================
+    set:
+      # Set required values including Conjur connect ConfigMap
+      environment.conjur.authnLogin: host/conjur/authn-k8s/my-authn-id/my-conjur-policy/my-host-id
+      environment.conjur.conjurConnConfigMap: conjur-connect
+      environment.k8sSecrets: [k8s-secret1,k8s-secret2]
+
+    asserts:
+      # Confirm that a Secrets Provider Job manifest has been created
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Job
+
+      # Confirm that required values that were explicitly set have been used
+      - contains:
+          path: spec.template.spec.containers[0].envFrom
+          content:
+              configMapRef:
+                  name: conjur-connect
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+              name: K8S_SECRETS
+              value: k8s-secret1,k8s-secret2
+
+  #=======================================================================
+  - it: allows Secrets Provider image spec to be set explicitly
+  #=======================================================================
+    set:
+      # Set required values
+      <<: *defaultRequired
+
+      # Explicitly set Secrets Provider image specifications and container name
+      secretsProvider.image: my-docker-org/my-docker-image
+      secretsProvider.tag: latest
+      secretsProvider.imagePullPolicy: Always
+      secretsProvider.name: my-container-name
+
+    asserts:
+      # Confirm that explicit image settings have been used
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: my-docker-org/my-docker-image:latest
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: my-container-name