Migrate controllers and helper code from pkg

2025-10-24 08:20:45 +00:00 · 2022-04-11 10:06:24 +02:00
parent 21111fec90
commit 1a085562e4
23 changed files with 2982 additions and 25 deletions
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -0,0 +1,313 @@
+package kubernetessecrets
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/client-go/kubernetes"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+const restartDeploymentAnnotation = "false"
+
+type k8s struct {
+	clientset kubernetes.Interface
+}
+
+func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
+	secretName := "test-secret-name"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	secretType := ""
+
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations, nil)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	createdSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret)
+
+	if err != nil {
+		t.Errorf("Secret was not created: %v", err)
+	}
+	compareFields(item.Fields, createdSecret.Data, t)
+	compareAnnotationsToItem(createdSecret.Annotations, item, t)
+
+	if createdSecret.Annotations["testAnnotation"] != "exists" {
+		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
+	}
+}
+
+func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) {
+	secretName := "test-secret-name"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	secretType := ""
+
+	ownerRef := &metav1.OwnerReference{
+		Kind:       "Deployment",
+		APIVersion: "apps/v1",
+		Name:       "test-deployment",
+		UID:        types.UID("test-uid"),
+	}
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations, ownerRef)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	createdSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret)
+
+	// Check owner references.
+	gotOwnerRefs := createdSecret.ObjectMeta.OwnerReferences
+	if len(gotOwnerRefs) != 1 {
+		t.Errorf("Expected owner references length: 1 but got: %d", len(gotOwnerRefs))
+	}
+
+	expOwnerRef := metav1.OwnerReference{
+		Kind:       "Deployment",
+		APIVersion: "apps/v1",
+		Name:       "test-deployment",
+		UID:        types.UID("test-uid"),
+	}
+	gotOwnerRef := gotOwnerRefs[0]
+	if gotOwnerRef != expOwnerRef {
+		t.Errorf("Expected owner reference value: %v but got: %v", expOwnerRef, gotOwnerRef)
+	}
+}
+
+func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
+	secretName := "test-secret-update"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{}
+	secretType := ""
+
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations, nil)
+
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	// Updating kubernetes secret with new item
+	newItem := onepassword.Item{}
+	newItem.Fields = generateFields(6)
+	newItem.Version = 456
+	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations, nil)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	updatedSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, updatedSecret)
+
+	if err != nil {
+		t.Errorf("Secret was not found: %v", err)
+	}
+	compareFields(newItem.Fields, updatedSecret.Data, t)
+	compareAnnotationsToItem(updatedSecret.Annotations, newItem, t)
+}
+func TestBuildKubernetesSecretData(t *testing.T) {
+	fields := generateFields(5)
+
+	secretData := BuildKubernetesSecretData(fields, nil)
+	if len(secretData) != len(fields) {
+		t.Errorf("Unexpected number of secret fields returned. Expected 3, got %v", len(secretData))
+	}
+	compareFields(fields, secretData, t)
+}
+
+func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
+	annotationKey := "annotationKey"
+	annotationValue := "annotationValue"
+	name := "someName"
+	namespace := "someNamespace"
+	annotations := map[string]string{
+		annotationKey: annotationValue,
+	}
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	labels := map[string]string{}
+	secretType := ""
+
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, secretType, item, nil)
+	if kubeSecret.Name != strings.ToLower(name) {
+		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
+	}
+	if kubeSecret.Namespace != namespace {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+	if kubeSecret.Annotations[annotationKey] != annotations[annotationKey] {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+	compareFields(item.Fields, kubeSecret.Data, t)
+}
+
+func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
+	name := "inV@l1d k8s secret%name"
+	expectedName := "inv-l1d-k8s-secret-name"
+	namespace := "someNamespace"
+	annotations := map[string]string{
+		"annotationKey": "annotationValue",
+	}
+	labels := map[string]string{}
+	item := onepassword.Item{}
+	secretType := ""
+
+	item.Fields = []*onepassword.ItemField{
+		{
+			Label: "label w%th invalid ch!rs-",
+			Value: "value1",
+		},
+		{
+			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
+			Value: "name exceeds max length",
+		},
+	}
+
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, secretType, item, nil)
+
+	// Assert Secret's meta.name was fixed
+	if kubeSecret.Name != expectedName {
+		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
+	}
+	if kubeSecret.Namespace != namespace {
+		t.Errorf("Expected namespace value: %v but got: %v", namespace, kubeSecret.Namespace)
+	}
+
+	// assert labels were fixed for each data key
+	for key := range kubeSecret.Data {
+		if !validLabel(key) {
+			t.Errorf("Expected valid kubernetes label, got %s", key)
+		}
+	}
+}
+
+func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) {
+	secretName := "tls-test-secret-name"
+	namespace := "test"
+
+	item := onepassword.Item{}
+	item.Fields = generateFields(5)
+	item.Version = 123
+	item.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
+	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
+
+	kubeClient := fake.NewFakeClient()
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	secretType := "kubernetes.io/tls"
+
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, secretAnnotations, nil)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	createdSecret := &corev1.Secret{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret)
+
+	if err != nil {
+		t.Errorf("Secret was not created: %v", err)
+	}
+
+	if createdSecret.Type != corev1.SecretTypeTLS {
+		t.Errorf("Expected secretType to be of tyype corev1.SecretTypeTLS, got %s", string(createdSecret.Type))
+	}
+}
+
+func compareAnnotationsToItem(annotations map[string]string, item onepassword.Item, t *testing.T) {
+	actualVaultId, actualItemId, err := ParseVaultIdAndItemIdFromPath(annotations[ItemPathAnnotation])
+	if err != nil {
+		t.Errorf("Was unable to parse Item Path")
+	}
+	if actualVaultId != item.Vault.ID {
+		t.Errorf("Expected annotation vault id to be %v but was %v", item.Vault.ID, actualVaultId)
+	}
+	if actualItemId != item.ID {
+		t.Errorf("Expected annotation item id to be %v but was %v", item.ID, actualItemId)
+	}
+	if annotations[VersionAnnotation] != fmt.Sprint(item.Version) {
+		t.Errorf("Expected annotation version to be %v but was %v", item.Version, annotations[VersionAnnotation])
+	}
+
+	if annotations[RestartDeploymentsAnnotation] != "false" {
+		t.Errorf("Expected restart deployments annotation to be %v but was %v", restartDeploymentAnnotation, RestartDeploymentsAnnotation)
+	}
+}
+
+func compareFields(actualFields []*onepassword.ItemField, secretData map[string][]byte, t *testing.T) {
+	for i := 0; i < len(actualFields); i++ {
+		value, found := secretData[actualFields[i].Label]
+		if !found {
+			t.Errorf("Expected key %v is missing from secret data", actualFields[i].Label)
+		}
+		if string(value) != actualFields[i].Value {
+			t.Errorf("Expected value %v but got %v", actualFields[i].Value, value)
+		}
+	}
+}
+
+func generateFields(numToGenerate int) []*onepassword.ItemField {
+	fields := []*onepassword.ItemField{}
+	for i := 0; i < numToGenerate; i++ {
+		field := onepassword.ItemField{
+			Label: "key" + fmt.Sprint(i),
+			Value: "value" + fmt.Sprint(i),
+		}
+		fields = append(fields, &field)
+	}
+	return fields
+}
+
+func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
+		return splitPath[1], splitPath[3], nil
+	}
+	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
+}
+
+func validLabel(v string) bool {
+	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
+		return false
+	}
+	return true
+}