d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
119 lines
4.6 KiB
YAML
119 lines
4.6 KiB
YAML
suite: secret modes — inline / existingSecret / ESO routing
|
|
release:
|
|
name: t
|
|
namespace: sim
|
|
|
|
tests:
|
|
- it: inline mode renders the chart-managed Secret
|
|
template: secrets-app.yaml
|
|
set:
|
|
app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
app.env.INTERNAL_API_SECRET: x
|
|
app.env.CRON_SECRET: x
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- isKind: { of: Secret }
|
|
- equal: { path: metadata.name, value: t-sim-app-secrets }
|
|
|
|
- it: existingSecret mode skips the chart-managed Secret
|
|
templates:
|
|
- secrets-app.yaml
|
|
- external-secret-app.yaml
|
|
set:
|
|
app.secrets.existingSecret.enabled: true
|
|
app.secrets.existingSecret.name: my-existing-secret
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- hasDocuments: { count: 0 }
|
|
|
|
- it: ESO mode renders an ExternalSecret instead of the chart-managed Secret
|
|
template: external-secret-app.yaml
|
|
set:
|
|
externalSecrets.enabled: true
|
|
externalSecrets.secretStoreRef.name: sim-store
|
|
externalSecrets.secretStoreRef.kind: ClusterSecretStore
|
|
externalSecrets.remoteRefs.app.BETTER_AUTH_SECRET: path/to/auth
|
|
externalSecrets.remoteRefs.app.ENCRYPTION_KEY: path/to/enc
|
|
externalSecrets.remoteRefs.app.INTERNAL_API_SECRET: path/to/iapi
|
|
externalSecrets.remoteRefs.app.CRON_SECRET: path/to/cron
|
|
externalSecrets.remoteRefs.postgresql.password: path/to/pgpw
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- isKind: { of: ExternalSecret }
|
|
- equal: { path: metadata.name, value: t-sim-app-secrets }
|
|
- equal: { path: spec.secretStoreRef.name, value: sim-store }
|
|
- equal: { path: spec.secretStoreRef.kind, value: ClusterSecretStore }
|
|
|
|
- it: ESO mode skips the chart-managed Secret
|
|
template: secrets-app.yaml
|
|
set:
|
|
externalSecrets.enabled: true
|
|
externalSecrets.secretStoreRef.name: sim-store
|
|
externalSecrets.remoteRefs.app.BETTER_AUTH_SECRET: path/to/auth
|
|
externalSecrets.remoteRefs.app.ENCRYPTION_KEY: path/to/enc
|
|
externalSecrets.remoteRefs.app.INTERNAL_API_SECRET: path/to/iapi
|
|
externalSecrets.remoteRefs.app.CRON_SECRET: path/to/cron
|
|
externalSecrets.remoteRefs.postgresql.password: path/to/pgpw
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- hasDocuments: { count: 0 }
|
|
|
|
- it: ESO validator fails when app.env contains an unmapped key
|
|
set:
|
|
externalSecrets.enabled: true
|
|
externalSecrets.secretStoreRef.name: sim-store
|
|
externalSecrets.remoteRefs.app.BETTER_AUTH_SECRET: path/to/auth
|
|
externalSecrets.remoteRefs.app.ENCRYPTION_KEY: path/to/enc
|
|
externalSecrets.remoteRefs.app.INTERNAL_API_SECRET: path/to/iapi
|
|
externalSecrets.remoteRefs.app.CRON_SECRET: path/to/cron
|
|
externalSecrets.remoteRefs.postgresql.password: path/to/pgpw
|
|
app.env.UNMAPPED_KEY: "would-go-nowhere"
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- failedTemplate:
|
|
errorPattern: "Key 'UNMAPPED_KEY' is set in app.env but externalSecrets.enabled=true"
|
|
|
|
- it: app deployment envFrom references existingSecret name
|
|
template: deployment-app.yaml
|
|
set:
|
|
app.secrets.existingSecret.enabled: true
|
|
app.secrets.existingSecret.name: my-existing-secret
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- contains:
|
|
path: spec.template.spec.containers[0].envFrom
|
|
content:
|
|
secretRef:
|
|
name: my-existing-secret
|
|
|
|
- it: realtime.env-only value reaches the Secret when app.env entry is empty (cursor bugbot fix)
|
|
template: secrets-app.yaml
|
|
set:
|
|
app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
app.env.INTERNAL_API_SECRET: x
|
|
app.env.CRON_SECRET: x
|
|
app.env.BETTER_AUTH_URL: ""
|
|
realtime.env.BETTER_AUTH_URL: "https://realtime.example.com"
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- equal:
|
|
path: stringData.BETTER_AUTH_URL
|
|
value: "https://realtime.example.com"
|
|
|
|
- it: app.env wins over realtime.env on collision when both are non-empty
|
|
template: secrets-app.yaml
|
|
set:
|
|
app.env.BETTER_AUTH_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
app.env.ENCRYPTION_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|
app.env.INTERNAL_API_SECRET: x
|
|
app.env.CRON_SECRET: x
|
|
app.env.NEXT_PUBLIC_APP_URL: "https://app.example.com"
|
|
realtime.env.NEXT_PUBLIC_APP_URL: "https://realtime.example.com"
|
|
postgresql.auth.password: xxxxxxxx
|
|
asserts:
|
|
- equal:
|
|
path: stringData.NEXT_PUBLIC_APP_URL
|
|
value: "https://app.example.com"
|