diff --git a/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl b/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
index f11550cb79149..3346cf663f6f6 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/templates/_init.tpl.htpl
@@ -347,12 +347,12 @@ The following block checks for the validity of the provided init bundle. (`helm
 {{ include "srox.fail" "A CA certificate must be specified (please make sure that either an init bundle or a cluster registration secret has been provided)" }}
 {{- end }}
+{{ $imagePullSecretNames := list "stackrox" }}
 [<- if not .KubectlOutput ->]
 {{/* Scanner setup. */}}
-{{ $imagePullSecretNames := list }}
 {{ $anyScannerEnabled := or (eq ._rox.scanner.disable false) (eq ._rox.scannerV4.disable false) }}
 {{ if $anyScannerEnabled }}
@@ -387,12 +387,6 @@ The following block checks for the validity of the provided init bundle. (`helm
 {{ $imagePullSecretNames = append $imagePullSecretNames "stackrox-scanner-v4" }}
 {{ end }}
- {{ if not (empty $imagePullSecretNames) }}
- {{ $imagePullSecretNames = append $imagePullSecretNames "stackrox" }}
- {{/* Note: This must happen late, as we rely on "srox.configureImage" to collect the
- set of all referenced images first. */}}
- {{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "secured-cluster-services-main" $imagePullSecretNames $.Release.Namespace) }}
- {{ end }}
 {{ end }}
 [<- end >]
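Review bot: The `imagePullSecrets` configuration that consumes this list now appears to run for the kubectl-output rendering as well, because the new `{{ $imagePullSecretNames := list "stackrox" }}` sits above the `[<- if not .KubectlOutput ->]` guard and its consumer (the added `srox.configureImagePullSecrets` call in the hunk at -403) is placed after the guard's `[<- end >]`, whereas the removed code only ever ran inside the guard. If the kubectl-output path is not meant to materialise a `secured-cluster-services-main` pull secret from `imagePullSecrets`, that is a behaviour change the commit does not mention and the test file does not cover. The bare declaration also gives no hint why it was pulled out of the guard; I would precede it with `{{/* Declared outside the KubectlOutput guard: the scanner blocks below only append to this list, and the "imagePullSecrets" configuration further down consumes it outside the guard. */}}`. The enclosing template section continues beyond both hunks.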
@@ -403,6 +397,7 @@ The following block checks for the validity of the provided init bundle. (`helm
 set of all referenced images first. */}}
 {{ include "srox.configureImagePullSecrets" (list $ "mainImagePullSecrets" $._rox.mainImagePullSecrets "secured-cluster-services-main" (list "stackrox") $._rox._namespace) }}
 {{ include "srox.configureImagePullSecrets" (list $ "collectorImagePullSecrets" $._rox.collectorImagePullSecrets "secured-cluster-services-collector" (list "stackrox" "collector-stackrox") $._rox._namespace) }}
+{{ include "srox.configureImagePullSecrets" (list $ "imagePullSecrets" $._rox.imagePullSecrets "secured-cluster-services-main" $imagePullSecretNames $._rox._namespace) }}
 {{/* Derive internal representation of specific chart configuration settings. */}}
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/image-pull-secrets.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/image-pull-secrets.test.yaml
index 8bf544cb9fb31..f7818b8765444 100644
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/image-pull-secrets.test.yaml
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/image-pull-secrets.test.yaml
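Review bot: The added line configures the same secret name, `secured-cluster-services-main`, that the `mainImagePullSecrets` call two lines above already configures, but from a different credential source (`$._rox.imagePullSecrets` instead of `$._rox.mainImagePullSecrets`), and with both scanners disabled `$imagePullSecretNames` is just `"stackrox"`, the same list the main call passes. Whether `srox.configureImagePullSecrets` merges, overrides or rejects a second configuration for an already-configured secret name is not visible here, and since it decides which registry credentials end up in the rendered pull secret, the precedence should be pinned by a test that sets `imagePullSecrets` and `mainImagePullSecrets` to different credentials and asserts which one the secret holds. The removed variant of this call also guarded on a non-empty list, which the new placement no longer does; a short comment above the new line stating that the call is intentionally unconditional would save the next reader from re-deriving that. The template block enclosing these lines starts and ends outside the hunk.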
@@ -19,13 +19,29 @@ expect: |
 assumeThat(.error == null) | .serviceaccounts["collector"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
 assumeThat(.error == null) | .serviceaccounts["sensor"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
 assumeThat(.error == null) | .serviceaccounts["admission-control"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
+ assumeThat(.error == null) | .serviceaccounts["scanner"] | saNotRefersTo(["stackrox", "stackrox-scanner", "collector-stackrox"])
 # Ensure that sensor and admission-control secrets do not reference the collector secrets in the non-error case.
 assumeThat(.error == null) | .serviceaccounts["sensor"] | saNotRefersTo(["secured-cluster-services-collector", "collector-stackrox"])
 assumeThat(.error == null) | .serviceaccounts["admission-control"] | saNotRefersTo(["secured-cluster-services-collector", "collector-stackrox"])
+ assumeThat(.error == null) | .serviceaccounts["scanner"] | saNotRefersTo(["secured-cluster-services-collector", "collector-stackrox"])
 tests:
+- name: "scanner service account references image pull secrets if scanner V4 is disabled"
+ values:
+ scanner:
+ disable: false
+ scannerV4:
+ disable: true
+ tests:
+ - name: "if image pull secrets are specified"
+ values:
+ imagePullSecrets:
+ username: euler
+ password: "0.57721"
+ expect: |
+ .serviceaccounts["scanner"] | saRefersTo(["secured-cluster-services-main"])
 - name: "with no image pull secret creation"
 expect: |
 .secrets?["secured-cluster-services-main"]? | assertThat(. == null)