fix: updates handling of github token to use a default string instead…

… of null (#339)

* fix: set the ANCHORE_GITHUB_TOKEN to "default-unset" instead of null, and add tests

Having a non-null string value ensures proper rendering of the value
into the secret and is a no-op when the
anchoreConfig.feeds.drivers.github.enabled property is false.

When a user enables that flag, it is expected that the token value is
set to a non-default value in order for the driver to work.

Signed-off-by: Zach Hill <zach@anchore.com>

* Update secret_test.yaml

---------

Signed-off-by: Zach Hill <zach@anchore.com>
Co-authored-by: Brady Todhunter <bradyt@anchore.com>

stable/feeds/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: feeds
 type: application
-version: "2.2.0"
+version: "2.2.1"
 appVersion: "5.2.0"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x
 description: Anchore feeds service

stable/feeds/templates/envvars_configmap.yaml

@@ -63,7 +63,7 @@ data:
   ANCHORE_FEEDS_PACKAGES_ENABLED: "false"
   ANCHORE_FEEDS_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}"
   ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true"
-  ANCHORE_GITHUB_TOKEN: "null"
+  ANCHORE_GITHUB_TOKEN: "default-unset"
   ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0"
   ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0"
   ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180"

stable/feeds/templates/secret.yaml

@@ -16,9 +16,11 @@ stringData:
 {{- with .Values.anchoreConfig.keys.secret }}
   ANCHORE_SAML_SECRET: {{ . | quote }}
 {{- end }}
+{{- if .Values.anchoreConfig.feeds.drivers.github.enabled }}
 {{- with .Values.anchoreConfig.feeds.drivers.github.token }}
   ANCHORE_GITHUB_TOKEN: {{ . | quote }}
 {{- end }}
+{{- end }}
 {{- with .Values.anchoreConfig.feeds.drivers.nvdv2.api_key }}
   ANCHORE_NVD_API_KEY: {{ . | quote }}
 {{- end }}

stable/feeds/tests/__snapshot__/configmap_test.yaml.snap

@@ -182,7 +182,7 @@ should render the configmaps:
       ANCHORE_FEEDS_PACKAGES_ENABLED: "false"
       ANCHORE_FEEDS_TMP_DIR: /anchore_scratch
       ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true"
-      ANCHORE_GITHUB_TOKEN: "null"
+      ANCHORE_GITHUB_TOKEN: default-unset
       ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0"
       ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0"
       ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180"

stable/feeds/tests/configmap_test.yaml

@@ -32,3 +32,20 @@ tests:
       - matchRegex:
           path: data["ANCHORE_FEEDS_EXTERNAL_URL"]
           pattern: https://something/v2/$
+
+  - it: should render the default-unset string for the ANCHORE_GITHUB_TOKEN rather than "null"
+    template: envvars_configmap.yaml
+    asserts:
+      - equal:
+          path: data.ANCHORE_GITHUB_TOKEN
+          value: "default-unset"
+
+  - it: should render the default-unset string in envvar even if GH token is set, since that is covered by the secrets
+    template: envvars_configmap.yaml
+    set:
+      feeds.drivers.github.enabled: true
+      feeds.drivers.github.token: foobar
+    asserts:
+      - equal:
+          path: data.ANCHORE_GITHUB_TOKEN
+          value: "default-unset"

stable/feeds/tests/secret_test.yaml

@@ -0,0 +1,26 @@
+suite: Secret Tests
+templates:
+  - secret.yaml
+release:
+  name: test-release
+  namespace: test-namespace
+chart:
+  version: 9.9.9
+  appVersion: 9.9.9
+tests:
+  - it: should not render github driver token in the secret when github driver is not enabled
+    template: secret.yaml
+    values:
+      - values.yaml
+    asserts:
+      - notExists:
+          path: stringData.ANCHORE_GITHUB_TOKEN
+  - it: should render github driver token in the secret correctly when driver is enabled & token is set
+    template: secret.yaml
+    set:
+      anchoreConfig.feeds.drivers.github.token: foobar
+      anchoreConfig.feeds.drivers.github.enabled: true
+    asserts:
+      - equal:
+          path: stringData.ANCHORE_GITHUB_TOKEN
+          value: "foobar"