feat(helm-chart/servicePrincipal): allow an existingSecret for holding armAuth.json (#1551)

* feat(helm-chart/servicePrincipal): allow an existingSecret for holding armAuth.json

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

* feat(existingSecret): add tests

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

---------

Signed-off-by: Toni Tauro <toni.tauro@adfinis.com>

Author: eyenx

helm/ingress-azure/templates/deployment.yaml

@@ -110,11 +110,16 @@ spec:
           path: /etc/kubernetes/
           type: Directory
       {{- if .Values.armAuth }}
-      {{- if eq .Values.armAuth.type "servicePrincipal"}}
+      {{- if and (eq .Values.armAuth.type "servicePrincipal") (not .Values.armAuth.existingSecret) }}
       - name: networking-appgw-k8s-azure-service-principal-mount
         secret:
           secretName: networking-appgw-k8s-azure-service-principal
       {{- end}}
+      {{- if and (eq .Values.armAuth.type "servicePrincipal") (.Values.armAuth.existingSecret) }}
+      - name: networking-appgw-k8s-azure-service-principal-mount
+        secret:
+          secretName: {{ .Values.armAuth.existingSecret }}
+      {{- end}}
       {{- end}}
       {{- if .Values.kubernetes.volumes }}
       {{- if .Values.kubernetes.volumes.extraVolumes }}
@@ -144,4 +149,4 @@ spec:
       {{- if .Values.image.pullSecrets }}
       imagePullSecrets:
         - name: {{ .Values.image.pullSecrets }}
-      {{- end }}
+      {{- end }}

helm/ingress-azure/templates/secrets.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.armAuth -}}
-{{- if eq .Values.armAuth.type "servicePrincipal" -}}
+{{- if and (eq .Values.armAuth.type "servicePrincipal") (not .Values.armAuth.existingSecret) -}}
 apiVersion: v1
 kind: Secret
 metadata:

helm/ingress-azure/tests/fixtures/sample-config-existing-secret.json

@@ -0,0 +1,20 @@
+{
+    "verbosityLevel": 3,
+    "appgw": {
+        "subscriptionId": "0000-0000-0000-0000-00000000",
+        "resourceGroup": "resgp",
+        "name": "gateway",
+        "usePrivateIP": false,
+        "shared": false
+    },
+    "armAuth": {
+        "type": "servicePrincipal",
+        "existingSecret": "my-existing-secret"
+    },
+    "rbac": {
+        "enabled": false
+    },
+    "kubernetes": {
+        "resources": {}
+    }
+}

helm/ingress-azure/tests/snapshots/sample-config-existing-secret/ingress-azure/templates/configmap.yaml

@@ -0,0 +1,22 @@
+---
+# Source: ingress-azure/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: release-name-cm-ingress-azure
+  labels:
+    app: ingress-azure
+    chart: ingress-azure-1.6.0
+    heritage: Helm
+    release: release-name
+data:
+  APPGW_VERBOSITY_LEVEL: "3"
+  MULTI_CLUSTER_MODE: "false"
+  HTTP_SERVICE_PORT: "8123"
+  APPGW_SUBSCRIPTION_ID: "0000-0000-0000-0000-00000000"
+  APPGW_RESOURCE_GROUP: "resgp"
+  APPGW_NAME: "gateway"
+  APPGW_SUBNET_NAME: "gateway-subnet"
+  INGRESS_CLASS_RESOURCE_ENABLED: "true"
+  INGRESS_CLASS_RESOURCE_NAME: "azure-application-gateway"
+  INGRESS_CLASS_RESOURCE_CONTROLLER: "azure/application-gateway"

helm/ingress-azure/tests/snapshots/sample-config-existing-secret/ingress-azure/templates/deployment.yaml

@@ -0,0 +1,76 @@
+---
+# Source: ingress-azure/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: release-name-ingress-azure
+  labels:
+    app: ingress-azure
+    chart: ingress-azure-1.6.0
+    heritage: Helm
+    release: release-name
+spec:
+  replicas: 1 # TODO: Make configurable when leader election is supported.
+  selector:
+    matchLabels:
+      app: ingress-azure
+      release: release-name
+  template:
+    metadata:
+      labels:
+        app: ingress-azure
+        release: release-name
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "8123"
+    spec:
+      serviceAccountName: release-name-sa-ingress-azure
+      securityContext:
+        runAsUser: 0
+      containers:
+        - name: ingress-azure
+          image: mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.6.0
+          imagePullPolicy: Always
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8123
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health/alive
+              port: 8123
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          env:
+            - name: AZURE_CLOUD_PROVIDER_LOCATION
+              value: /etc/appgw/azure.json
+            - name: AGIC_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: AGIC_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: AZURE_AUTH_LOCATION
+              value: /etc/Azure/Networking-AppGW/auth/armAuth.json
+          envFrom:
+            - configMapRef:
+                name: release-name-cm-ingress-azure
+          volumeMounts:
+            - name: azure
+              mountPath: /etc/appgw/
+              readOnly: true
+            - name: networking-appgw-k8s-azure-service-principal-mount
+              mountPath: /etc/Azure/Networking-AppGW/auth
+              readOnly: true
+      volumes:
+        - name: azure
+          hostPath:
+            path: /etc/kubernetes/
+            type: Directory
+        - name: networking-appgw-k8s-azure-service-principal-mount
+          secret:
+            secretName: my-existing-secret

helm/ingress-azure/tests/snapshots/sample-config-existing-secret/ingress-azure/templates/ingressclass.yaml

@@ -0,0 +1,10 @@
+---
+# Source: ingress-azure/templates/ingressclass.yaml
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+  name: azure-application-gateway
+spec:
+  controller: azure/application-gateway

helm/ingress-azure/tests/snapshots/sample-config-existing-secret/ingress-azure/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+---
+# Source: ingress-azure/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: ingress-azure
+    chart: ingress-azure-1.6.0
+    heritage: Helm
+    release: release-name
+  name: release-name-sa-ingress-azure

helm/ingress-azure/values-template.yaml

@@ -99,6 +99,9 @@ appgw: {}
 #   # Generate this value with:
 #   #   az ad sp create-for-rbac --subscription <subscription-uuid> --sdk-auth | base64 -w0
 #   secretJSON: <base64-encoded-JSON-blob>
+#   # name of existing Secret containing armAuth.json
+#   # if set, no secret is being created by the chart
+#   existingSecret: mysecret
 #
 # - Option 3: Workload Identity (https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview)
 # armAuth:
@@ -112,4 +115,4 @@ nodeSelector: {}
 ################################################################################
 # Specify if the cluster is RBAC enabled or not
 rbac:
-  enabled: false # true/false
+  enabled: false # true/false

helm/ingress-azure/values.yaml

@@ -103,6 +103,9 @@ appgw: {}
 #   # Generate this value with:
 #   #   az ad sp create-for-rbac --subscription <subscription-uuid> --sdk-auth | base64 -w0
 #   secretJSON: <base64-encoded-JSON-blob>
+#   # name of existing Secret containing armAuth.json
+#   # if set, no secret is being created by the chart
+#   existingSecret: mysecret
 #
 # - Option 3: Workload Identity (https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview)
 # armAuth:
@@ -116,4 +119,4 @@ nodeSelector: {}
 ################################################################################
 # Specify if the cluster is RBAC enabled or not
 rbac:
-  enabled: false # true/false
+  enabled: false # true/false