create-federation-secret job runs only when server.updatePartition is…

… 0 (#1512) * create-federation-secret job runs only when server.updatePartition is 0 * I added a test to check createFederationSecret/Job doesn't run when updatepartition != 0 Co-authored-by: David Yu <dyu@hashicorp.com>
hashicorp · Sep 26, 2022 · 25b3b99 · 25b3b99
1 parent b89e654
commit 25b3b99
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,8 @@ BUG FIXES:
 * Control plane
   * Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter [[GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481)]
 * Helm:
-  * Fixes a typo in the templating of `global.connectInject.disruptionBudget.maxUnavailable`. [[GH-1530](https://github.com/hashicorp/consul-k8s/pull/1530)].
+  * Only create Federation Secret Job when server.updatePartition is 0 [[GH-1512](https://github.com/hashicorp/consul-k8s/pull/1512)]
+  * Fixes a typo in the templating of `global.connectInject.disruptionBudget.maxUnavailable`. [[GH-1530](https://github.com/hashicorp/consul-k8s/pull/1530)]
 
 IMPROVEMENTS:
 * Helm:

diff --git a/charts/consul/templates/create-federation-secret-job.yaml b/charts/consul/templates/create-federation-secret-job.yaml
@@ -1,6 +1,7 @@
 {{- if .Values.global.federation.createFederationSecret }}
 {{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }}
 {{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }}
+{{- if eq (int .Values.server.updatePartition) 0 }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -157,3 +158,4 @@ spec:
               memory: "50Mi"
               cpu: "50m"
 {{- end }}
+{{- end }}
diff --git a/charts/consul/test/unit/create-federation-secret-job.bats b/charts/consul/test/unit/create-federation-secret-job.bats
@@ -61,6 +61,21 @@ load _helpers
   [[ "$output" =~ "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" ]]
 }
 
+@test "createFederationSecret/Job: disabled by updatepartition != 0" {
+  cd `chart_dir`
+  assert_empty helm template \
+      -s templates/create-federation-secret-job.yaml  \
+      --set 'global.federation.enabled=true' \
+      --set 'global.federation.createFederationSecret=true' \
+      --set 'global.acls.createReplicationToken=true' \
+      --set 'global.acls.manageSystemACLs=true' \
+      --set 'global.tls.enabled=true' \
+      --set 'meshGateway.enabled=true' \
+      --set 'connectInject.enabled=true' \
+      --set 'server.updatePartition=1' \
+      .
+}
+
 @test "createFederationSecret/Job: mounts auto-created ca secrets by default" {
   cd `chart_dir`
   local volumes=$(helm template \