suite: secret modes — inline / existingSecret / ESO routing release: name: t namespace: sim tests: - it: inline mode renders the chart-managed Secret template: secrets-app.yaml set: app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.INTERNAL_API_SECRET: x app.env.CRON_SECRET: x postgresql.auth.password: xxxxxxxx asserts: - isKind: { of: Secret } - equal: { path: metadata.name, value: t-sim-app-secrets } - it: existingSecret mode skips the chart-managed Secret templates: - secrets-app.yaml - external-secret-app.yaml set: app.secrets.existingSecret.enabled: true app.secrets.existingSecret.name: my-existing-secret postgresql.auth.password: xxxxxxxx asserts: - hasDocuments: { count: 0 } - it: ESO mode renders an ExternalSecret instead of the chart-managed Secret template: external-secret-app.yaml set: externalSecrets.enabled: true externalSecrets.secretStoreRef.name: sim-store externalSecrets.secretStoreRef.kind: ClusterSecretStore externalSecrets.remoteRefs.app.BETTER_AUTH_SECRET: path/to/auth externalSecrets.remoteRefs.app.ENCRYPTION_KEY: path/to/enc externalSecrets.remoteRefs.app.INTERNAL_API_SECRET: path/to/iapi externalSecrets.remoteRefs.app.CRON_SECRET: path/to/cron externalSecrets.remoteRefs.postgresql.password: path/to/pgpw postgresql.auth.password: xxxxxxxx asserts: - isKind: { of: ExternalSecret } - equal: { path: metadata.name, value: t-sim-app-secrets } - equal: { path: spec.secretStoreRef.name, value: sim-store } - equal: { path: spec.secretStoreRef.kind, value: ClusterSecretStore } - it: ESO mode skips the chart-managed Secret template: secrets-app.yaml set: externalSecrets.enabled: true externalSecrets.secretStoreRef.name: sim-store externalSecrets.remoteRefs.app.BETTER_AUTH_SECRET: path/to/auth externalSecrets.remoteRefs.app.ENCRYPTION_KEY: path/to/enc externalSecrets.remoteRefs.app.INTERNAL_API_SECRET: path/to/iapi externalSecrets.remoteRefs.app.CRON_SECRET: path/to/cron externalSecrets.remoteRefs.postgresql.password: path/to/pgpw postgresql.auth.password: xxxxxxxx asserts: - hasDocuments: { count: 0 } - it: ESO validator fails when app.env contains an unmapped key set: externalSecrets.enabled: true externalSecrets.secretStoreRef.name: sim-store externalSecrets.remoteRefs.app.BETTER_AUTH_SECRET: path/to/auth externalSecrets.remoteRefs.app.ENCRYPTION_KEY: path/to/enc externalSecrets.remoteRefs.app.INTERNAL_API_SECRET: path/to/iapi externalSecrets.remoteRefs.app.CRON_SECRET: path/to/cron externalSecrets.remoteRefs.postgresql.password: path/to/pgpw app.env.UNMAPPED_KEY: "would-go-nowhere" postgresql.auth.password: xxxxxxxx asserts: - failedTemplate: errorPattern: "Key 'UNMAPPED_KEY' is set in app.env but externalSecrets.enabled=true" - it: app deployment envFrom references existingSecret name template: deployment-app.yaml set: app.secrets.existingSecret.enabled: true app.secrets.existingSecret.name: my-existing-secret postgresql.auth.password: xxxxxxxx asserts: - contains: path: spec.template.spec.containers[0].envFrom content: secretRef: name: my-existing-secret - it: realtime.env-only value reaches the Secret when app.env entry is empty (cursor bugbot fix) template: secrets-app.yaml set: app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.INTERNAL_API_SECRET: x app.env.CRON_SECRET: x app.env.BETTER_AUTH_URL: "" realtime.env.BETTER_AUTH_URL: "https://realtime.example.com" postgresql.auth.password: xxxxxxxx asserts: - equal: path: stringData.BETTER_AUTH_URL value: "https://realtime.example.com" - it: app.env wins over realtime.env on collision when both are non-empty template: secrets-app.yaml set: app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx app.env.INTERNAL_API_SECRET: x app.env.CRON_SECRET: x app.env.NEXT_PUBLIC_APP_URL: "https://app.example.com" realtime.env.NEXT_PUBLIC_APP_URL: "https://realtime.example.com" postgresql.auth.password: xxxxxxxx asserts: - equal: path: stringData.NEXT_PUBLIC_APP_URL value: "https://app.example.com"