logic855
/
helm-external-secrets
zrcadlo https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164
							suite: test componentName DNS-label name truncation
templates:
  - webhook-service.yaml
  - cert-controller-service.yaml
  - cert-controller-deployment.yaml
  - service.yaml
  - validatingwebhook.yaml
  - webhook-certificate.yaml
tests:
  - it: should not alter names that are well under the 63-char DNS label limit
    set:
      fullnameOverride: my-release
      webhook.create: true
      webhook.service.enabled: true
    template: webhook-service.yaml
    asserts:
      - equal:
          path: metadata.name
          value: my-release-webhook
      - matchRegex:
          path: metadata.name
          pattern: ^.{1,63}$

  - it: should truncate from the right and preserve the name prefix for a short suffix (-webhook 8 chars)
    # fullnameOverride: 60 chars ("external-secrets-production-cluster-for-long-release-testing").
    # componentName maxLen = 63 - 8 = 55; trunc(55) keeps the first 55 chars of the
    # base name so appending the 8-char suffix produces exactly 63 chars total.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      webhook.create: true
      webhook.service.enabled: true
    template: webhook-service.yaml
    asserts:
      - equal:
          path: metadata.name
          value: "external-secrets-production-cluster-for-long-release-te-webhook"
      - matchRegex:
          path: metadata.name
          pattern: ^.{1,63}$

  - it: should truncate from the right for the longest suffix in the chart (-cert-controller-metrics 24 chars)
    # Same 60-char fullnameOverride.
    # componentName maxLen = 63 - 24 = 39; trunc(39) keeps the first 39 chars,
    # so the total is exactly 63.  This is the primary failure case from issue #1997.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      certController.create: true
      certController.metrics.service.enabled: true
    template: cert-controller-service.yaml
    asserts:
      - equal:
          path: metadata.name
          value: "external-secrets-production-cluster-for-cert-controller-metrics"
      - matchRegex:
          path: metadata.name
          pattern: ^.{1,63}$

  - it: should strip a trailing dash when the truncation point falls on a hyphen
    # fullnameOverride: 60 chars with a hyphen at position 55
    # ("external-secrets-for-production-release-cluster-naming-tests").
    # trunc(55) yields the first 54 chars plus a trailing "-"; trimSuffix "-"
    # removes it, leaving 54 chars, so the result is 54 + 8 = 62 chars with no
    # double-dash at the suffix boundary.
    set:
      fullnameOverride: "external-secrets-for-production-release-cluster-naming-tests"
      webhook.create: true
      webhook.service.enabled: true
    template: webhook-service.yaml
    asserts:
      - equal:
          path: metadata.name
          value: "external-secrets-for-production-release-cluster-naming-webhook"
      - matchRegex:
          path: metadata.name
          pattern: ^.{1,63}$

  - it: service.yaml - should truncate -metrics suffix (8 chars) when fullname is long
    # service.yaml uses componentName with suffix "-metrics" (8 chars), same
    # maxLen=55 as -webhook. Confirms the main controller metrics Service is
    # covered by the helper, not just webhook/cert-controller Services.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      metrics.service.enabled: true
    template: service.yaml
    asserts:
      - equal:
          path: metadata.name
          value: "external-secrets-production-cluster-for-long-release-te-metrics"
      - matchRegex:
          path: metadata.name
          pattern: ^.{1,63}$

  - it: validatingwebhook.yaml - clientConfig.service.name must match the truncated webhook Service name
    # The ValidatingWebhook routes admission requests to the webhook Service.
    # If service.name here diverges from the Service metadata.name, TLS
    # routing breaks. Both must use the same componentName helper output.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      webhook.create: true
    template: validatingwebhook.yaml
    documentIndex: 0
    asserts:
      - equal:
          path: webhooks[0].clientConfig.service.name
          value: "external-secrets-production-cluster-for-long-release-te-webhook"
      - matchRegex:
          path: webhooks[0].clientConfig.service.name
          pattern: ^.{1,63}$

  - it: webhook-certificate.yaml - dnsNames must match the truncated webhook Service hostname
    # cert-manager issues TLS certs for the webhook Service. The SAN must
    # match the Service name exactly or the TLS handshake fails. Both
    # commonName and the first dnsName entry use componentName so they stay
    # in sync with the Service even when the release name is long.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      webhook.create: true
      webhook.certManager.enabled: true
      webhook.certManager.cert.create: true
      webhook.certManager.cert.issuerRef:
        name: selfsigned
        kind: ClusterIssuer
    template: webhook-certificate.yaml
    asserts:
      - equal:
          path: spec.commonName
          value: "external-secrets-production-cluster-for-long-release-te-webhook"
      - equal:
          path: spec.dnsNames[0]
          value: "external-secrets-production-cluster-for-long-release-te-webhook"
      - matchRegex:
          path: spec.commonName
          pattern: ^.{1,63}$

  - it: "cert-controller --service-name must match webhook Service name when truncation fires"
    # cert-controller-deployment uses componentName with -webhook suffix for
    # --service-name. The value must equal the webhook Service metadata.name or
    # the cert-controller can't locate the Service and TLS breaks.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      certController.create: true
      webhook.create: true
    template: cert-controller-deployment.yaml
    asserts:
      - contains:
          path: spec.template.spec.containers[0].args
          content: "--service-name=external-secrets-production-cluster-for-long-release-te-webhook"

  - it: "webhook Service metadata.name must match cert-controller --service-name when truncation fires"
    # Mirror of the above: the webhook Service must be named identically to what
    # cert-controller passes as --service-name. Both use componentName(-webhook)
    # so they stay in sync; this test surfaces any future divergence.
    set:
      fullnameOverride: "external-secrets-production-cluster-for-long-release-testing"
      webhook.create: true
      webhook.service.enabled: true
    template: webhook-service.yaml
    asserts:
      - equal:
          path: metadata.name
          value: "external-secrets-production-cluster-for-long-release-te-webhook"
      - matchRegex:
          path: metadata.name
          pattern: ^.{1,63}$