Chart: Make admission webhook patch job RBAC configurable. (#11376)

* Add an option to skip rbac resources creation in helm chart for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Add an option to skip rbac resources creation in helm chart update README (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Add an option to skip serviceAccount resources creation in helm chart for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Add helm chart tests for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Chart make admission webhook patch job RBAC configurable (#11375) Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> --------- Signed-off-by: Reddysekhar Gaduputi <gsekhar73@gmail.com> Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-06-03 14:47:23 +05:30 · 2024-06-03 14:47:23 +05:30 · 0c17748c44
commit 0c17748c44
parent 82c4d78a2f
15 changed files with 131 additions and 10 deletions
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRole
+templates:
+  - admission-webhooks/job-patch/clusterrole.yaml
+
+tests:
+  - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRoleBinding
+templates:
+  - admission-webhooks/job-patch/clusterrolebinding.yaml
+
+tests:
+  - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > Role
+templates:
+  - admission-webhooks/job-patch/role.yaml
+
+tests:
+  - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > RoleBinding
+templates:
+  - admission-webhooks/job-patch/rolebinding.yaml
+
+tests:
+  - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
+++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
@ -0,0 +1,47 @@
+suite: Admission Webhooks > Patch Job > ServiceAccount
+templates:
+  - admission-webhooks/job-patch/serviceaccount.yaml
+
+tests:
+  - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.create: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: metadata.name
+          value: ingress-nginx-admission
+
+  - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: metadata.name
+          value: ingress-nginx-admission-test-sa
+
+  - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: automountServiceAccountToken
+          value: false