diff --git a/.github/workflows/common.release.yaml b/.github/workflows/common.release.yaml index 60796452..a8dc2d76 100644 --- a/.github/workflows/common.release.yaml +++ b/.github/workflows/common.release.yaml @@ -30,7 +30,7 @@ jobs: - name: Install Helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 with: - version: v3.14.1 + version: v3.14.4 # Optional step if GPG signing is used - name: Prepare GPG key diff --git a/.github/workflows/common_library_tests.yaml b/.github/workflows/common_library_tests.yaml index 766122af..bb495f68 100644 --- a/.github/workflows/common_library_tests.yaml +++ b/.github/workflows/common_library_tests.yaml @@ -24,7 +24,7 @@ jobs: helm-version: - v3.11.3 - v3.12.3 - - v3.14.1 + - v3.14.4 steps: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 @@ -62,7 +62,7 @@ jobs: fail-fast: false matrix: helm-version: - - v3.14.1 + - v3.14.4 steps: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 @@ -112,7 +112,7 @@ jobs: helm-version: - v3.11.3 - v3.12.3 - - v3.14.1 + - v3.14.4 values: - basic-values.yaml - configmap-values.yaml @@ -202,8 +202,6 @@ jobs: tar -xvzf kail_${KAIL_VERSION}_linux_amd64.tar.gz chmod +x kail - - - name: Add Dependencies run: | if [[ "${{ matrix.values }}" =~ (ingress|metrics|cnpg).*-values.yaml ]]; then @@ -257,7 +255,7 @@ jobs: # # We run tests on Helm version of latest SCALE release # helm-version: # - v3.12.3 -# - v3.14.0 +# - v3.14.4 # values: # - basic-values.yaml # - configmap-values.yaml @@ -321,7 +319,7 @@ jobs: # # We run tests on Helm version of latest SCALE release # helm-version: # - v3.12.3 -# - v3.14.0 +# - v3.14.4 # values: # - ingress-values.yaml # - metrics-values.yaml @@ -377,7 +375,7 @@ jobs: # # We run tests on Helm version of latest SCALE release # helm-version: # - v3.12.3 -# - v3.14.0 +# - v3.14.4 # values: # - vpn-gluetun-values.yaml # - vpn-tailscale-values.yaml 
diff --git a/library/common-test/tests/rbac/data_test.yaml b/library/common-test/tests/rbac/data_test.yaml index 289fb4f7..5484b3e6 100644 --- a/library/common-test/tests/rbac/data_test.yaml +++ b/library/common-test/tests/rbac/data_test.yaml @@ -13,6 +13,7 @@ tests: some_kind: some-kind some_name: some-name some_api_group: rbac.authorization.k8s.io + some_non_resource_url: /health serviceAccount: my-sa: enabled: true @@ -39,6 +40,8 @@ tests: - "{{ .Values.some_name }}" verbs: - "{{ .Values.some_verb }}" + nonResourceURLs: + - "{{ .Values.some_non_resource_url }}" subjects: - kind: a-kind name: a-name @@ -46,7 +49,6 @@ tests: - kind: "{{ .Values.some_kind }}" name: "{{ .Values.some_name }}" apiGroup: "{{ .Values.some_api_group }}" - asserts: - documentIndex: &roleDoc 2 isKind: @@ -73,6 +75,8 @@ tests: - some-name verbs: - list + nonResourceURLs: + - /health - documentIndex: &roleBinding 3 isKind: of: RoleBinding diff --git a/library/common-test/tests/rbac/validation_test.yaml b/library/common-test/tests/rbac/validation_test.yaml index f256e2e8..bf54997b 100644 --- a/library/common-test/tests/rbac/validation_test.yaml +++ b/library/common-test/tests/rbac/validation_test.yaml @@ -141,6 +141,36 @@ tests: - failedTemplate: errorMessage: RBAC - Expected non-empty [rbac.rules.verbs] + - it: should fail without apiGroups in rules in rbac + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - resources: + - pods + - verbs: + - get + asserts: + - failedTemplate: + errorMessage: RBAC - Expected non-empty [rbac.rules.apiGroups] + + - it: should fail without apiGroups in rules in rbac + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - resources: + - "pods" + - verbs: + - get + asserts: + - failedTemplate: + errorMessage: RBAC - Expected non-empty [rbac.rules.apiGroups] + - it: should fail with empty entry in resources in rules in rbac set: rbac: 
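Review bot: The two cases added in the `@@ -141,6 +141,36 @@` hunk of validation_test.yaml share the name `should fail without apiGroups in rules in rbac` and differ only in quoting `pods`, so the second adds no coverage. No failing case for the new `RBAC - Expected non-empty [rbac.rules.resources]` check is visible in this hunk; the duplicate looks like it was meant to be that test. Suggest renaming it to `- it: should fail without resources in rules in rbac`, giving the rule `apiGroups` and `verbs` but no `resources`, and asserting the resources message. As shown, each case also writes `- resources:` and `- verbs:` as two separate list items (indentation is lost on this page, so this is inferred from the dashes), which makes two rules and lets the assertion pass on the first one alone; if a single rule was intended, drop the dash before `verbs:`.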
@@ -159,6 +189,25 @@ tests: - failedTemplate: errorMessage: RBAC - Expected non-empty entry in [rbac.rules.resources] + - it: should fail with empty entry in nonResourceURLs in rules in rbac + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + nonResourceURLs: + - "" + asserts: + - failedTemplate: + errorMessage: RBAC - Expected non-empty entry in [rbac.rules.nonResourceURLs] + - it: should fail with empty entry in verbs in rules in rbac set: rbac: diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml index 14414720..6aca6562 100644 --- a/library/common/Chart.yaml +++ b/library/common/Chart.yaml @@ -15,7 +15,7 @@ maintainers: name: common sources: null type: library -version: 20.4.0 +version: 20.4.1 annotations: artifacthub.io/category: "integration-delivery" artifacthub.io/license: "BUSL-1.1" diff --git a/library/common/templates/lib/rbac/_rules.tpl b/library/common/templates/lib/rbac/_rules.tpl index 9b330388..54813d15 100644 --- a/library/common/templates/lib/rbac/_rules.tpl +++ b/library/common/templates/lib/rbac/_rules.tpl @@ -14,6 +14,12 @@ objectData: The object data to be used to render the RBAC. {{- end -}} {{- range $objectData.rules -}} + {{- if not .apiGroups -}} + {{- fail "RBAC - Expected non-empty [rbac.rules.apiGroups]" -}} + {{- end -}} + {{- if not .resources -}} + {{- fail "RBAC - Expected non-empty [rbac.rules.resources]" -}} + {{- end -}} {{- if not .verbs -}} {{- fail "RBAC - Expected non-empty [rbac.rules.verbs]" -}} {{- end -}} 
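Review bot: In the `_rules.tpl` `@@ -14,6 +14,12 @@` hunk, the new `apiGroups` and `resources` checks are unconditional, which conflicts with the `nonResourceURLs` support added in the `@@ -41,6 +47,16 @@` hunk of the same file. Kubernetes RBAC validation rejects a PolicyRule that sets `nonResourceURLs` together with `apiGroups` or `resources`, so every rule this template now accepts with `nonResourceURLs` would be refused by the API server, and a valid URL-only rule fails at render time. The fixtures in data_test.yaml and the `@@ -159,6 +189,25 @@` validation case combine the fields the same way, so the unit tests pass for manifests that would not apply. I would make the two checks depend on `nonResourceURLs` being absent and fail when both forms are mixed, as sketched below; the error text is a suggestion. The `range` body continues outside the hunk, so the `apiGroups` and `resources` rendering there would also need to tolerate their absence.

```gotemplate
  {{- range $objectData.rules -}}
    {{- if .nonResourceURLs -}}
      {{- /* URL-only rule: must not also name API resources */ -}}
      {{- if or .apiGroups .resources -}}
        {{- fail "RBAC - Expected [rbac.rules.nonResourceURLs] not to be combined with [rbac.rules.apiGroups] or [rbac.rules.resources]" -}}
      {{- end -}}
    {{- else -}}
      {{- if not .apiGroups -}}
        {{- fail "RBAC - Expected non-empty [rbac.rules.apiGroups]" -}}
      {{- end -}}
      {{- if not .resources -}}
        {{- fail "RBAC - Expected non-empty [rbac.rules.resources]" -}}
      {{- end -}}
    {{- end -}}
    {{- /* … unchanged: verbs check … */ -}}
```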
@@ -41,6 +47,16 @@ objectData: The object data to be used to render the RBAC. - {{ tpl . $rootCtx | quote }} {{- end -}} {{- end -}} + {{- /* nonResourceURLs */}} + {{- if .nonResourceURLs }} + nonResourceURLs: + {{- range .nonResourceURLs }} + {{- if not . -}} + {{- fail "RBAC - Expected non-empty entry in [rbac.rules.nonResourceURLs]" -}} + {{- end }} + - {{ tpl . $rootCtx | quote }} + {{- end -}} + {{- end -}} {{- /* verbs */}} verbs: {{- range .verbs -}}
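Review bot: The added `nonResourceURLs:` block is rendered for any RBAC object with no check of its scope, but the API server accepts non-resource URLs only on a cluster-scoped role and rejects them on a namespaced Role. The data_test.yaml fixture asserts `nonResourceURLs` on the document anchored as `&roleDoc`, which appears to be a Role, so that test encodes a manifest that would fail to install. If the object data exposes the cluster-wide distinction, I would fail at render time, for example `{{- if and .nonResourceURLs (not <CLUSTER_SCOPE_FLAG_PLACEHOLDER>) -}}{{- fail "RBAC - Expected [rbac.rules.nonResourceURLs] only on cluster-wide RBAC" -}}{{- end -}}`, and add a matching validation case. Separately, `if not .` tests the raw entry before `tpl`, so an entry that templates to an empty string is still emitted as `""`; checking the rendered value would close that gap. The enclosing `range` and `define` start and end outside this hunk.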