| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 |
- suite: test cert controller rbac
- templates:
- - cert-controller-rbac.yaml
- tests:
- - it: should keep get/list/watch on customresourcedefinitions cluster-wide
- documentIndex: 0
- asserts:
- - contains:
- path: rules
- content:
- apiGroups:
- - "apiextensions.k8s.io"
- resources:
- - "customresourcedefinitions"
- verbs:
- - "get"
- - "list"
- - "watch"
- - it: should scope customresourcedefinitions update/patch to the managed CRDs by resourceNames
- documentIndex: 0
- asserts:
- - contains:
- path: rules
- content:
- apiGroups:
- - "apiextensions.k8s.io"
- resources:
- - "customresourcedefinitions"
- resourceNames:
- - "externalsecrets.external-secrets.io"
- - "secretstores.external-secrets.io"
- - "clustersecretstores.external-secrets.io"
- verbs:
- - "update"
- - "patch"
- - notContains:
- path: rules
- content:
- apiGroups:
- - "apiextensions.k8s.io"
- resources:
- - "customresourcedefinitions"
- verbs:
- - "get"
- - "list"
- - "watch"
- - "update"
- - "patch"
- - it: should exclude clustersecretstores from the scoped CRD rule when createClusterSecretStore is false
- documentIndex: 0
- set:
- crds:
- createClusterSecretStore: false
- asserts:
- - contains:
- path: rules
- content:
- apiGroups:
- - "apiextensions.k8s.io"
- resources:
- - "customresourcedefinitions"
- resourceNames:
- - "externalsecrets.external-secrets.io"
- - "secretstores.external-secrets.io"
- verbs:
- - "update"
- - "patch"
- - it: should keep get/list/watch on secrets cluster-wide
- documentIndex: 0
- asserts:
- - contains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - "secrets"
- verbs:
- - "get"
- - "list"
- - "watch"
- - it: should scope secret update/patch to the webhook secret by resourceNames
- documentIndex: 0
- asserts:
- - contains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - "secrets"
- resourceNames:
- - "RELEASE-NAME-external-secrets-webhook"
- verbs:
- - "update"
- - "patch"
- - notContains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - "secrets"
- verbs:
- - "get"
- - "list"
- - "watch"
- - "update"
- - "patch"
- - it: should not grant access to the provider tls secret when providers are disabled
- documentIndex: 0
- asserts:
- - notContains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - "secrets"
- resourceNames:
- - "external-secrets-provider-tls"
- verbs:
- - "update"
- - "patch"
- - it: should scope provider tls secret update/patch by resourceNames when v2 providers are enabled
- documentIndex: 0
- set:
- v2:
- enabled: true
- providers:
- enabled: true
- asserts:
- - contains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - "secrets"
- resourceNames:
- - "external-secrets-provider-tls"
- verbs:
- - "update"
- - "patch"
|