diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 5dd3553e9..4756a253d 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -131,6 +131,12 @@ spec:
 periodSeconds: 2
 successThreshold: 1
 timeoutSeconds: 5
+{{- if .Values.injector.certs.secretName }}
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+{{- end }}
 {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }}
 - name: leader-elector
 image: {{ .Values.injector.leaderElector.image.repository }}:{{ .Values.injector.leaderElector.image.tag }}
@@ -161,10 +167,6 @@ spec:
 timeoutSeconds: 5
 {{- end }}
 {{- if .Values.injector.certs.secretName }}
- volumeMounts:
- - name: webhook-certs
- mountPath: /etc/webhook/certs
- readOnly: true
 volumes:
 - name: webhook-certs
 secret:
diff --git a/test/unit/injector-deployment.bats b/test/unit/injector-deployment.bats
index 3b6efbc38..cd6f1ddd3 100755
--- a/test/unit/injector-deployment.bats
+++ b/test/unit/injector-deployment.bats
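Review bot: Nothing in the first hunk records that the added `volumeMounts` block has to stay inside the first container's item, above the `leader-elector` conditional, even though that position is the whole fix. The lines removed in the second hunk sat after the leader-elector block's `{{- end }}`, so the `webhook-certs` mount appears to have attached to whichever container was rendered last. A template comment directly above the added `{{- if .Values.injector.certs.secretName }}` would guard against a later reorder, for example `{{- /* webhook-certs belongs to the first (injector) container; keep this block above leader-elector */}}`. The container definition starts outside the hunk and indentation is not recoverable from this page, so the nesting should be confirmed against rendered output.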
@@ -168,6 +168,24 @@ load _helpers
 [ "${value}" = "RELEASE-NAME-vault-agent-injector-svc,RELEASE-NAME-vault-agent-injector-svc.${namespace:-default},RELEASE-NAME-vault-agent-injector-svc.${namespace:-default}.svc" ]
 }
 
+@test "injector/deployment: manual TLS adds volume mount" {
+ cd `chart_dir`
+ local object=$(helm template \
+ --show-only templates/injector-deployment.yaml \
+ --set 'injector.enabled=true' \
+ --set 'injector.certs.secretName=vault-tls' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "webhook-certs")' | tee /dev/stderr)
+
+ local actual=$(echo $object |
+ yq -r '.mountPath' | tee /dev/stderr)
+ [ "${actual}" = "/etc/webhook/certs" ]
+
+ local actual=$(echo $object |
+ yq -r '.readOnly' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
 @test "injector/deployment: with externalVaultAddr" {
 cd `chart_dir`
 local object=$(helm template \
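Review bot: The added test never forces the `leader-elector` container to render, so unless the chart defaults already enable it, the test probably passes against the old template too and does not pin the regression. The template emits that container only when `injector.leaderElector.enabled` is "true" and `injector.replicas` is greater than 1, and the test sets neither. Adding `--set 'injector.leaderElector.enabled=true' \` and `--set 'injector.replicas=2' \` to the `helm template` call would exercise the case where the certificate mount previously landed on the wrong container. A second assertion that `.spec.template.spec.containers[1].volumeMounts` has no `webhook-certs` entry would make the intent explicit.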