diff --git a/library/common-test/tests/rbac/validation_test.yaml b/library/common-test/tests/rbac/validation_test.yaml index 04e8d141..a95d7b17 100644 --- a/library/common-test/tests/rbac/validation_test.yaml +++ b/library/common-test/tests/rbac/validation_test.yaml @@ -341,3 +341,20 @@ tests: asserts: - failedTemplate: errorMessage: RBAC - Namespace [my-extra-super-duper-long-name-that-is-longer-than-63-characters] is not valid. Must start and end with an alphanumeric lowercase character. It can contain '-'. And must be at most 63 characters. + + - it: should fail without serviceAccount + set: + rbac: + my-rbac: + enabled: true + primary: true + rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + asserts: + - failedTemplate: + errorMessage: RBAC - Expected at least one serviceAccount to exist, but got [0] diff --git a/library/common-test/tests/volsync/replication_dest_spec_test.yaml b/library/common-test/tests/volsync/replication_dest_spec_test.yaml index 06c3ecd4..17f73f6d 100644 --- a/library/common-test/tests/volsync/replication_dest_spec_test.yaml +++ b/library/common-test/tests/volsync/replication_dest_spec_test.yaml @@ -129,7 +129,7 @@ tests: enabled: false credentials: *credentials asserts: - - documentIndex: *replicationDestDoc + - documentIndex: &replicationDestDoc 4 isKind: of: ReplicationDestination - documentIndex: *replicationDestDoc diff --git a/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl b/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl index c78b80e4..fcee7b34 100644 --- a/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl +++ b/library/common/templates/lib/dependencies/_volsyncDirectWait.tpl 
@@ -71,12 +71,6 @@ rules: - watch {{- end -}} -{{/* TODO: adapt this to only assign to pods that need one */}} -{{- define "tc.v1.common.dependencies.volsync.extrawaitsa" -}} -enabled: true -primary: false -{{- end -}} - {{- define "tc.v1.common.dependencies.volsync.waitsa.inject" -}} {{- $result := include "tc.v1.common.lib.rbac.hasPrimaryOnEnabled" (dict "rootCtx" $) | fromJson -}} {{- $hasPrimary := $result.hasPrimary -}} @@ -98,7 +92,7 @@ primary: false {{- end -}} {{- $_ := set .Values.serviceAccount $saName (dict - "enabled" true "primary" not $hasPrimary "targetSelectAll" true + "enabled" true "primary" (not $hasPrimary) "targetSelectAll" true ) -}} {{- end -}} @@ -139,6 +133,10 @@ primary: false {{- end -}} {{- if $volSyncDetect -}} + {{/* Inject the wait service account */}} + {{- include "tc.v1.common.dependencies.volsync.waitsa.inject" $ -}} + + {{- /* Create the wait container */}} {{- $container := include "tc.v1.common.dependencies.volsync.directwait" $ | fromYaml -}} {{- if $container -}} {{- range $workload := .Values.workload -}} diff --git a/library/common/templates/lib/rbac/_getServiceAccounts.tpl b/library/common/templates/lib/rbac/_getServiceAccounts.tpl index 61a23056..789f814f 100644 --- a/library/common/templates/lib/rbac/_getServiceAccounts.tpl +++ b/library/common/templates/lib/rbac/_getServiceAccounts.tpl @@ -10,6 +10,9 @@ objectData: The object data to be used to render the RBAC. {{- $objectData := .objectData -}} {{- $serviceAccounts := list -}} + {{- if not $rootCtx.Values.serviceAccount -}} + {{- fail "RBAC - Expected at least one serviceAccount to exist, but got [0]" -}} + {{- end -}} {{- range $name, $serviceAccount := $rootCtx.Values.serviceAccount -}} {{- $saName := include "tc.v1.common.lib.chart.names.fullname" $rootCtx -}}
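Review bot: The injected wait service account is created with `"targetSelectAll" true` (hunk at -98), and the hunk at -139 now runs that injection whenever `$volSyncDetect` is set, so every workload in the chart is given this account rather than only the ones that receive the wait container. The account also becomes the primary one when no other primary exists (`"primary" (not $hasPrimary)`), which presumably affects which RBAC rules end up bound to it; the rbac templates that decide this are not visible here, so that should be confirmed. The first hunk deletes the TODO that tracked this scoping problem, so I would keep a reminder next to the `set` call, for example `{{- /* TODO: limit this service account to the workloads that get the wait container */ -}}`, or narrow the selection to the workloads the `range` below actually modifies. Both enclosing `define` blocks start and end outside the hunks.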
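Review bot: The new guard in `_getServiceAccounts.tpl` tests only whether `.Values.serviceAccount` is empty, so values in which every service account is defined but disabled still pass it. Whether that then yields an RBAC binding with no subjects depends on how the `range` below filters entries, and its body is outside the hunk. Checking the collected list after the loop would cover both cases, e.g. `{{- if not $serviceAccounts -}}` followed by the same `fail` call, with the count taken from `len $serviceAccounts` instead of the hard-coded `[0]`. The test added in `validation_test.yaml` exercises only the case with no `serviceAccount` key; a second case with a disabled account would pin the intended behaviour.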