From f59f3d4b1336b86724d7dd4d4b6bca57ee8ad36a Mon Sep 17 00:00:00 2001
From: Christian <thechristschn@users.noreply.github.com>
Date: Wed, 16 Mar 2022 23:31:59 +0100
Subject: [PATCH] Add namespace to injector-leader-elector role, rolebinding
 and secret (#683)

---
 CHANGELOG.md                           |  1 +
 templates/injector-certs-secret.yaml   |  1 +
 templates/injector-role.yaml           |  1 +
 templates/injector-rolebinding.yaml    |  1 +
 test/unit/injector-leader-elector.bats | 33 ++++++++++++++++++++++++++
 5 files changed, 37 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index db815eb60..7b90f48aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ CHANGES:
 
 Improvements:
 * CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690)
+* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683)
 
 ## 0.19.0 (January 20th, 2022)
 
diff --git a/templates/injector-certs-secret.yaml b/templates/injector-certs-secret.yaml
index 78363be55..e0d96b2fd 100644
--- a/templates/injector-certs-secret.yaml
+++ b/templates/injector-certs-secret.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: vault-injector-certs
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/injector-role.yaml b/templates/injector-role.yaml
index e7e383d16..c8ecfddd0 100644
--- a/templates/injector-role.yaml
+++ b/templates/injector-role.yaml
@@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/templates/injector-rolebinding.yaml b/templates/injector-rolebinding.yaml
index aa8179420..401873fb8 100644
--- a/templates/injector-rolebinding.yaml
+++ b/templates/injector-rolebinding.yaml
@@ -3,6 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
     app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/test/unit/injector-leader-elector.bats b/test/unit/injector-leader-elector.bats
index b6fa4ae62..bbd482985 100644
--- a/test/unit/injector-leader-elector.bats
+++ b/test/unit/injector-leader-elector.bats
@@ -87,6 +87,17 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+@test "injector/certs-secret: namespace is set" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-certs-secret.yaml \
+      --set "injector.replicas=2" \
+      --namespace foo \
+      . || echo "---") | tee /dev/stderr |
+      yq '.metadata.namespace' | tee /dev/stderr)
+  [ "${actual}" = "\"foo\"" ]
+}
+
 @test "injector/role: created/skipped as appropriate" {
   cd `chart_dir`
   local actual=$( (helm template \
@@ -127,6 +138,17 @@ load _helpers
   [ "${actual}" = "true" ]
 }
 
+@test "injector/role: namespace is set" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-role.yaml \
+      --set "injector.replicas=2" \
+      --namespace foo \
+      . || echo "---") | tee /dev/stderr |
+      yq '.metadata.namespace' | tee /dev/stderr)
+  [ "${actual}" = "\"foo\"" ]
+}
+
 @test "injector/rolebinding: created/skipped as appropriate" {
   cd `chart_dir`
   local actual=$( (helm template \
@@ -166,3 +188,14 @@ load _helpers
       yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "injector/rolebinding: namespace is set" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/injector-rolebinding.yaml \
+      --set "injector.replicas=2" \
+      --namespace foo \
+      . || echo "---") | tee /dev/stderr |
+      yq '.metadata.namespace' | tee /dev/stderr)
+  [ "${actual}" = "\"foo\"" ]
+}