ROX-27209: Create external secrets for quay image pull secrets

stackrox · Nov 29, 2024 · 23bace9 · 23bace9
1 parent 6a0cf5e
commit 23bace9
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 1 deletion.
diff --git a/...raform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-secrets.yaml b/...raform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-secrets.yaml
@@ -88,7 +88,7 @@ spec:
       remoteRef:
         key: "secured-cluster"
         property: "sensor_key"
-{{- if and (ne .Values.pullSecret "") .Values.createPullSecret  }}
+{{- if and .Values.pullSecret .Values.createPullSecret }}
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret

diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync-secret.yaml
@@ -44,3 +44,25 @@ spec:
       remoteRef:
         key: "/fleetshard-sync/aws_role_arn"
 {{- end }}
+{{- with .Values.fleetshardSync.tenantImagePullSecret }}
+{{- if and .create .name }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+  secretStoreRef:
+    name: {{ $.Values.global.secretStore.aws.secretsManagerSecretStoreName }}
+    kind: ClusterSecretStore
+    target:
+      name: {{ .name }}
+      creationPolicy: Owner
+    data:
+      - secretKey: {{ .key }} # pragma: allowlist secret
+        remoteRef:
+          key: "quay/rhacs-eng"
+          property: ".dockerconfigjson"
+{{- end }}
+{{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -64,6 +64,7 @@ fleetshardSync:
   tenantImagePullSecret:
     name: ""
     key: .dockerconfigjson
+    create: false
   printCentralUpdateDiff: false
   argoCdNamespace: openshift-gitops
 

diff --git a/dp-terraform/test/helm_template_test.go b/dp-terraform/test/helm_template_test.go
@@ -198,6 +198,67 @@ func TestHelmTemplate_FleetshardSyncDeployment_Image(t *testing.T) {
 	}
 }
 
+func TestHelmTemplate_FleetshardSync_ImagePullSecret(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name             string
+		pullSecret       string
+		createPullSecret string
+		wantPullSecret   bool
+	}{
+		{
+			name:             "should not create secret when pull secret is not set and createPullSecret is false",
+			pullSecret:       "",
+			createPullSecret: "false",
+			wantPullSecret:   false,
+		},
+		{
+			name:             "should not create secret when pull secret is set and createPullSecret is false",
+			pullSecret:       "quay-image-pull-secret",
+			createPullSecret: "false",
+			wantPullSecret:   false,
+		},
+		{
+			name:             "should not create secret when pull secret is not set and createPullSecret is true",
+			pullSecret:       "",
+			createPullSecret: "true",
+			wantPullSecret:   false,
+		},
+		{
+			name:             "should create secret when pull secret is set and createPullSecret is true",
+			pullSecret:       "quay-image-pull-secret",
+			createPullSecret: "true",
+			wantPullSecret:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			values := map[string]string{
+				"secured-cluster.enabled":                     "false",
+				"fleetshardSync.managedDB.enabled":            "false",
+				"fleetshardSync.tenantImagePullSecret.create": tt.createPullSecret,
+			}
+			if tt.pullSecret != "" {
+				values["fleetshardSync.tenantImagePullSecret.name"] = tt.pullSecret // pragma: allowlist secret
+			}
+
+			output := renderTemplate(t, values, "templates/fleetshard-sync-secret.yaml")
+			allRange := strings.Split(output, "---")
+			for _, rawOutput := range allRange[1:] {
+				var secret corev1.Secret
+				helm.UnmarshalK8SYaml(t, rawOutput, &secret)
+				if secret.Name == tt.pullSecret {
+					require.True(t, tt.wantPullSecret)
+					return
+				}
+			}
+			require.False(t, tt.wantPullSecret)
+		})
+	}
+}
+
 func TestHelmTemplate_SecuredCluster_ImagePullSecret(t *testing.T) {
 	t.Parallel()