feat(chart): add additionalEnvironmentVariables to controller deployment

jvanz · jvanz · commit 4c1795ae89ef · 2026-03-25T23:45:22.000-03:00
Add additionalEnvironmentVariables to the Helm chart values so users can
inject arbitrary environment variables into the controller container without
modifying the chart. Each entry is a standard Kubernetes EnvVar object.

Use this in e2e tests to pass KUBEWARDEN_DISABLE_CLIENT_CACHE=true via
--set at install time, replacing the fragile post-install Deployment patch
that also had a bug (searched for container name 'manager' instead of
'controller', so the env var was never actually injected).

Signed-off-by: José Guilherme Vanz &lt;jguilhermevanz@suse.com&gt;
Assisted-by: Github Copilot
diff --git a/charts/kubewarden-controller/templates/deployment.yaml b/charts/kubewarden-controller/templates/deployment.yaml
@@ -108,6 +108,9 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
+        {{- with .Values.additionalEnvironmentVariables }}
+        {{- toYaml . | nindent 10 }}
+        {{- end }}
 
         image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
         imagePullPolicy: {{ .Values.image.pullPolicy }}
diff --git a/charts/kubewarden-controller/tests/additional_environment_variables_test.yaml b/charts/kubewarden-controller/tests/additional_environment_variables_test.yaml
@@ -0,0 +1,42 @@
+suite: additionalEnvironmentVariables configuration
+templates:
+  - deployment.yaml
+tests:
+  - it: "should not add extra env vars when additionalEnvironmentVariables is empty (default)"
+    asserts:
+      - isNullOrEmpty:
+          path: spec.template.spec.containers[0].env
+
+  - it: "should inject a single env var with a plain value"
+    set:
+      additionalEnvironmentVariables:
+        - name: MY_VAR
+          value: "my-value"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: MY_VAR
+            value: "my-value"
+
+  - it: "should inject multiple env vars"
+    set:
+      additionalEnvironmentVariables:
+        - name: FIRST_VAR
+          value: "first"
+        - name: SECOND_VAR
+          value: "second"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: FIRST_VAR
+            value: "first"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          any: true
+          content:
+            name: SECOND_VAR
+            value: "second"
diff --git a/charts/kubewarden-controller/values.schema.json b/charts/kubewarden-controller/values.schema.json
@@ -5,6 +5,9 @@
         "additionalAnnotations": {
             "type": "object"
         },
+        "additionalEnvironmentVariables": {
+            "type": "array"
+        },
         "additionalLabels": {
             "type": "object"
         },
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
@@ -230,6 +230,14 @@ preDeleteJob:
 # kubewarden-controller deployment settings:
 podAnnotations: {}
 nodeSelector: {}
+# additionalEnvironmentVariables is a list of additional environment variables
+# to inject into the controller container.
+# Each entry is a standard Kubernetes EnvVar object (name, value, valueFrom, …).
+# Example:
+#   additionalEnvironmentVariables:
+#     - name: MY_VAR
+#       value: "my-value"
+additionalEnvironmentVariables: []
 # Resource limits & requests
 # Ref: https://kubernetes.io/docs/user-guide/compute-resources/
 resources:
diff --git a/e2e/main_test.go b/e2e/main_test.go
@@ -6,13 +6,7 @@ import (
 	"fmt"
 	"os"
 	"testing"
-	"time"
 
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/e2e-framework/klient/wait"
-	"sigs.k8s.io/e2e-framework/klient/wait/conditions"
 	"sigs.k8s.io/e2e-framework/pkg/env"
 	"sigs.k8s.io/e2e-framework/pkg/envconf"
 	"sigs.k8s.io/e2e-framework/pkg/envfuncs"
@@ -77,21 +71,6 @@ func TestMain(m *testing.M) {
 				return ctx, fmt.Errorf("failed to install kubewarden-controller helm chart: %w", err)
 			}
 
-			// Inject KUBEWARDEN_DISABLE_CLIENT_CACHE into the controller
-			// container so that all client reads bypass the informer cache and
-			// hit the API server directly. This ensures RBAC permissions (including
-			// the "get" verb) are fully evaluated during e2e tests without
-			// exposing this testing knob in the Helm chart.
-			if err = injectDisableClientCacheEnvVar(ctx, cfg); err != nil {
-				return ctx, fmt.Errorf("failed to inject disable client cache env var: %w", err)
-			}
-
-			// Wait explicitly for kubewarden-controller deployment to be ready
-			err = waitForKubewardenControllerDeployment(ctx, cfg)
-			if err != nil {
-				return ctx, fmt.Errorf("failed to wait for kubewarden-controller deployment: %w", err)
-			}
-
 			return ctx, nil
 		},
 	)
@@ -103,40 +82,3 @@ func TestMain(m *testing.M) {
 
 	os.Exit(testenv.Run(m))
 }
-
-// waitForKubewardenControllerDeployment waits for the kubewarden-controller deployment to be ready.
-func waitForKubewardenControllerDeployment(_ context.Context, cfg *envconf.Config) error {
-	// Wait for the kubewarden-controller deployment to be available
-	return wait.For(conditions.New(cfg.Client().Resources()).DeploymentConditionMatch(
-		&appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "kubewarden-controller", Namespace: namespace}},
-		appsv1.DeploymentAvailable,
-		corev1.ConditionTrue,
-	), wait.WithTimeout(5*time.Minute), wait.WithInterval(1*time.Second))
-}
-
-// injectDisableClientCacheEnvVar patches the kubewarden-controller Deployment
-// to set KUBEWARDEN_DISABLE_CLIENT_CACHE=true on the controller container.
-// This causes the controller to bypass the informer cache for all client reads,
-// ensuring RBAC permissions are fully evaluated by the API server during e2e
-// tests. The env var is not exposed in the Helm chart values intentionally.
-func injectDisableClientCacheEnvVar(ctx context.Context, cfg *envconf.Config) error {
-	deployment := &appsv1.Deployment{}
-	if err := cfg.Client().Resources().Get(ctx, "kubewarden-controller", namespace, deployment); err != nil {
-		return fmt.Errorf("failed to get kubewarden-controller deployment: %w", err)
-	}
-
-	for i, container := range deployment.Spec.Template.Spec.Containers {
-		if container.Name != "manager" {
-			continue
-		}
-		deployment.Spec.Template.Spec.Containers[i].Env = append(
-			deployment.Spec.Template.Spec.Containers[i].Env,
-			corev1.EnvVar{Name: "KUBEWARDEN_DISABLE_CLIENT_CACHE", Value: "true"},
-		)
-	}
-
-	if err := cfg.Client().Resources().Update(ctx, deployment); err != nil {
-		return fmt.Errorf("failed to update kubewarden-controller deployment: %w", err)
-	}
-	return nil
-}
