suite: test rbac templates: - rbac.yaml tests: - it: should remove the labels aggregate-to-view to the view ClusterRole set: rbac: aggregateToView: false asserts: - isKind: of: ClusterRole documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view - notExists: path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-view"] documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view - it: should remove the labels aggregate-to-edit to the view and edit ClusterRoles set: rbac: aggregateToEdit: false asserts: - isKind: of: ClusterRole documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view - notExists: path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-edit"] documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view - isKind: of: ClusterRole documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-edit - notExists: path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-edit"] documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-edit - it: should remove the labels aggregate-to-admin to the view and edit ClusterRoles set: rbac: aggregateToAdmin: false asserts: - isKind: of: ClusterRole documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view - notExists: path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-admin"] documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view - isKind: of: ClusterRole documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-edit - notExists: path: metadata.labels["rbac.authorization.k8s.io/aggregate-to-admin"] documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-edit - it: should not create auth delegator ClusterRoleBinding by default documentSelector: path: kind value: ClusterRoleBinding asserts: - notEqual: path: metadata.name value: RELEASE-NAME-external-secrets-auth-delegator - it: should create auth delegator ClusterRoleBinding when systemAuthDelegator is true set: systemAuthDelegator: true documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-auth-delegator asserts: - isKind: of: ClusterRoleBinding - equal: path: roleRef.apiGroup value: rbac.authorization.k8s.io - equal: path: roleRef.kind value: ClusterRole - equal: path: roleRef.name value: system:auth-delegator - equal: path: subjects[0].kind value: ServiceAccount - equal: path: subjects[0].name value: RELEASE-NAME-external-secrets - equal: path: subjects[0].namespace value: NAMESPACE - it: should configure custom lease name when leaderElectionID is set set: leaderElectionID: "custom-eso-lease" asserts: - matchSnapshot: {} - it: should render resourceName as external-secrets-controller by default set: scopedRBAC: true documentSelector: path: rules[0].resourceNames[0] value: "external-secrets-controller" asserts: - isKind: of: Role - equal: path: metadata.name value: RELEASE-NAME-external-secrets-leaderelection - it: should include serviceaccounts/token create by default documentIndex: 0 asserts: - isKind: of: ClusterRole - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - contains: path: rules content: apiGroups: - "" resources: - "serviceaccounts/token" verbs: - "create" - it: should not include serviceaccounts/token create when serviceAccountTokenCreate is false set: rbac: serviceAccountTokenCreate: false documentIndex: 0 asserts: - isKind: of: ClusterRole - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - notContains: path: rules content: apiGroups: - "" resources: - "serviceaccounts/token" verbs: - "create" - it: should include externalsecrets create/update/delete when processClusterExternalSecret is true set: processClusterExternalSecret: true documentIndex: 0 asserts: - isKind: of: ClusterRole - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - contains: path: rules content: apiGroups: - "external-secrets.io" resources: - "externalsecrets" verbs: - "create" - "update" - "delete" - it: should not include externalsecrets create/update/delete when processClusterExternalSecret is false set: processClusterExternalSecret: false documentIndex: 0 asserts: - isKind: of: ClusterRole - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - notContains: path: rules content: apiGroups: - "external-secrets.io" resources: - "externalsecrets" verbs: - "create" - "update" - "delete" - it: should render controller Role with explicit scopedNamespace when scopedRBAC is true set: scopedRBAC: true scopedNamespace: "my-ns" documentIndex: 0 asserts: - isKind: of: Role - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - equal: path: metadata.namespace value: "my-ns" - it: should render controller Role with release namespace when scopedRBAC is true and scopedNamespace is empty set: scopedRBAC: true scopedNamespace: "" documentIndex: 0 asserts: - isKind: of: Role - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - equal: path: metadata.namespace value: NAMESPACE - it: should render controller ClusterRole when scopedRBAC is false set: scopedRBAC: false documentIndex: 0 asserts: - isKind: of: ClusterRole - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - notExists: path: metadata.namespace - it: should render view Role with release namespace when scopedRBAC is true set: scopedRBAC: true documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-view asserts: - isKind: of: Role - equal: path: metadata.namespace value: NAMESPACE - it: should render edit Role with release namespace when scopedRBAC is true set: scopedRBAC: true documentSelector: path: metadata.name value: RELEASE-NAME-external-secrets-edit asserts: - isKind: of: Role - equal: path: metadata.namespace value: NAMESPACE - it: should render ClusterRole when scopedNamespace is set without scopedRBAC set: scopedRBAC: false scopedNamespace: "my-ns" documentIndex: 0 asserts: - isKind: of: ClusterRole - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - notExists: path: metadata.namespace - it: should render controller RoleBinding when scopedRBAC is true and scopedNamespace is empty set: scopedRBAC: true scopedNamespace: "" documentIndex: 3 asserts: - isKind: of: RoleBinding - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - equal: path: metadata.namespace value: NAMESPACE - equal: path: roleRef.kind value: Role - equal: path: roleRef.name value: RELEASE-NAME-external-secrets-controller - it: should render controller RoleBinding with explicit scopedNamespace when scopedRBAC is true set: scopedRBAC: true scopedNamespace: "my-ns" documentIndex: 3 asserts: - isKind: of: RoleBinding - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - equal: path: metadata.namespace value: "my-ns" - equal: path: roleRef.kind value: Role - equal: path: roleRef.name value: RELEASE-NAME-external-secrets-controller - it: should render controller ClusterRoleBinding when scopedRBAC is false set: scopedRBAC: false documentIndex: 3 asserts: - isKind: of: ClusterRoleBinding - equal: path: metadata.name value: RELEASE-NAME-external-secrets-controller - notExists: path: metadata.namespace - equal: path: roleRef.kind value: ClusterRole - equal: path: roleRef.name value: RELEASE-NAME-external-secrets-controller