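---
# helm-unittest suite: checks how secretResolution values are rendered into
# spec.vaultConfig of the AutoscalingRunnerSet.
# Block structure was restored from a collapsed listing. The nesting of proxy
# and azureKeyVault under secretResolution follows the asserted
# spec.vaultConfig.* paths -- confirm against the chart's values.yaml.
# auth.githubToken is a dummy fixture value; never put a real token here.
suite: "Test AutoscalingRunnerSet Vault Config"
templates:
  - autoscalingrunnserset.yaml
tests:
  # Default path: with Kubernetes-based secret resolution, no vault settings
  # may be rendered into the spec.
  - it: should not render vaultConfig when secretResolution.type is kubernetes
    set:
      scaleset.name: "test"
      auth.url: "https://github.com/org"
      auth.githubToken: "gh_token12345"
      controllerServiceAccount.name: "arc"
      controllerServiceAccount.namespace: "arc-system"
      secretResolution:
        type: kubernetes
    release:
      name: "test-name"
      namespace: "test-namespace"
    asserts:
      - notExists:
          path: spec.vaultConfig

  # Every Azure Key Vault field must be passed through unchanged. Only
  # references (vault URL, IDs, certificate path, key name) appear in these
  # values; no secret material is set inline.
  - it: should render azureKeyVault vaultConfig when configured
    set:
      scaleset.name: "test"
      auth.url: "https://github.com/org"
      auth.githubToken: "gh_token12345"
      controllerServiceAccount.name: "arc"
      controllerServiceAccount.namespace: "arc-system"
      secretResolution:
        type: azureKeyVault
        azureKeyVault:
          url: "https://myvault.vault.azure.net"
          tenantId: "tenant-123"
          clientId: "client-456"
          certificatePath: "/etc/certs/akv.pem"
          secretKey: "secret-key-name"
    release:
      name: "test-name"
      namespace: "test-namespace"
    asserts:
      - equal:
          path: spec.vaultConfig.type
          value: azureKeyVault
      - equal:
          path: spec.vaultConfig.azureKeyVault.url
          value: "https://myvault.vault.azure.net"
      - equal:
          path: spec.vaultConfig.azureKeyVault.tenantId
          value: "tenant-123"
      - equal:
          path: spec.vaultConfig.azureKeyVault.clientId
          value: "client-456"
      - equal:
          path: spec.vaultConfig.azureKeyVault.certificatePath
          value: "/etc/certs/akv.pem"
      - equal:
          path: spec.vaultConfig.azureKeyVault.secretKey
          value: "secret-key-name"

  # The vault proxy must land under spec.vaultConfig.proxy only. Proxy
  # credentials are passed as a reference (credentialSecretRef), not inline.
  - it: should render vaultConfig proxy when configured
    set:
      scaleset.name: "test"
      auth.url: "https://github.com/org"
      auth.githubToken: "gh_token12345"
      controllerServiceAccount.name: "arc"
      controllerServiceAccount.namespace: "arc-system"
      secretResolution:
        type: azureKeyVault
        proxy:
          http:
            url: "http://proxy.example.com:3128"
            credentialSecretRef: "proxy-credentials"
          noProxy:
            - "localhost"
        azureKeyVault:
          url: "https://myvault.vault.azure.net"
          tenantId: "tenant-123"
          clientId: "client-456"
          certificatePath: "/etc/certs/akv.pem"
          secretKey: "secret-key-name"
    release:
      name: "test-name"
      namespace: "test-namespace"
    asserts:
      - equal:
          path: spec.vaultConfig.proxy.http.url
          value: "http://proxy.example.com:3128"
      - equal:
          path: spec.vaultConfig.proxy.http.credentialSecretRef
          value: "proxy-credentials"
      - contains:
          path: spec.vaultConfig.proxy.noProxy
          content: "localhost"
      # Guards against the vault proxy also being rendered as a top-level
      # spec.proxy.
      - notExists:
          path: spec.proxy

  # Fail closed: an unknown backend must abort rendering rather than fall
  # back silently to another resolution type.
  # NOTE(review): no case in this file covers azureKeyVault with required
  # fields missing -- confirm that is tested elsewhere.
  - it: should fail for unsupported secretResolution.type
    set:
      scaleset.name: "test"
      auth.url: "https://github.com/org"
      auth.githubToken: "gh_token12345"
      controllerServiceAccount.name: "arc"
      controllerServiceAccount.namespace: "arc-system"
      secretResolution:
        type: "hashicorpVault"
    release:
      name: "test-name"
      namespace: "test-namespace"
    asserts:
      - failedTemplate:
          errorMessage: "Unsupported keyVault type: hashicorpVault"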