1Password/onepassword-operator
1
0
Fork 0
mirror of https://github.com/1Password/onepassword-operator.git synced 2025-10-22 15:38:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial 1Password Operator commit

Browse Source
This commit is contained in:
jillianwilson
2020-12-10 18:07:27 -04:00
commit 824f54b4fa
2651 changed files with 890643 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
pkg/onepassword/annotations.go Normal file
View File

@@ -0,0 +1,50 @@
package onepassword
import (
"regexp"
appsv1 "k8s.io/api/apps/v1"
)
const (
OnepasswordPrefix = "onepasswordoperator"
ItemPathAnnotation = OnepasswordPrefix + "/item-path"
NameAnnotation = OnepasswordPrefix + "/item-name"
VersionAnnotation = OnepasswordPrefix + "/item-version"
RestartAnnotation = OnepasswordPrefix + "/lastRestarted"
)
func GetAnnotationsForDeployment(deployment *appsv1.Deployment, regex *regexp.Regexp) (map[string]string, bool) {
annotationsFound := false
annotations := FilterAnnotations(deployment.Annotations, regex)
if len(annotations) > 0 {
annotationsFound = true
} else {
annotations = FilterAnnotations(deployment.Spec.Template.Annotations, regex)
if len(annotations) > 0 {
annotationsFound = true
} else {
annotationsFound = false
}
}
return annotations, annotationsFound
}
func FilterAnnotations(annotations map[string]string, regex *regexp.Regexp) map[string]string {
filteredAnnotations := make(map[string]string)
for key, value := range annotations {
if regex.MatchString(key) {
filteredAnnotations[key] = value
}
}
return filteredAnnotations
}
func AreAnnotationsUsingSecrets(annotations map[string]string, secrets map[string]bool) bool {
_, ok := secrets[annotations[NameAnnotation]]
if ok {
return true
}
return false
}

93
pkg/onepassword/annotations_test.go Normal file
View File

@@ -0,0 +1,93 @@
package onepassword
import (
"regexp"
"testing"
appsv1 "k8s.io/api/apps/v1"
)
const AnnotationRegExpString = "^onepasswordoperator\\/[a-zA-Z\\.]+"
func TestFilterAnnotations(t *testing.T) {
invalidAnnotation1 := "onepasswordconnect/vaultId"
invalidAnnotation2 := "onepasswordconnectkubernetesSecrets"
annotations := getValidAnnotations()
annotations[invalidAnnotation1] = "This should be filtered"
annotations[invalidAnnotation2] = "This should be filtered too"
r, _ := regexp.Compile(AnnotationRegExpString)
filteredAnnotations := FilterAnnotations(annotations, r)
if len(filteredAnnotations) != 2 {
t.Errorf("Unexpected number of filtered annotations returned. Expected 2, got %v", len(filteredAnnotations))
}
_, found := filteredAnnotations[ItemPathAnnotation]
if !found {
t.Errorf("One Password Annotation was filtered when it should not have been")
}
_, found = filteredAnnotations[NameAnnotation]
if !found {
t.Errorf("One Password Annotation was filtered when it should not have been")
}
}
func TestGetTopLevelAnnotationsForDeployment(t *testing.T) {
annotations := getValidAnnotations()
expectedNumAnnotations := len(annotations)
r, _ := regexp.Compile(AnnotationRegExpString)
deployment := &appsv1.Deployment{}
deployment.Annotations = annotations
filteredAnnotations, annotationsFound := GetAnnotationsForDeployment(deployment, r)
if !annotationsFound {
t.Errorf("No annotations marked as found")
}
numAnnotations := len(filteredAnnotations)
if expectedNumAnnotations != numAnnotations {
t.Errorf("Expected %v annotations got %v", expectedNumAnnotations, numAnnotations)
}
}
func TestGetTemplateAnnotationsForDeployment(t *testing.T) {
annotations := getValidAnnotations()
expectedNumAnnotations := len(annotations)
r, _ := regexp.Compile(AnnotationRegExpString)
deployment := &appsv1.Deployment{}
deployment.Spec.Template.Annotations = annotations
filteredAnnotations, annotationsFound := GetAnnotationsForDeployment(deployment, r)
if !annotationsFound {
t.Errorf("No annotations marked as found")
}
numAnnotations := len(filteredAnnotations)
if expectedNumAnnotations != numAnnotations {
t.Errorf("Expected %v annotations got %v", expectedNumAnnotations, numAnnotations)
}
}
func TestGetNoAnnotationsForDeployment(t *testing.T) {
deployment := &appsv1.Deployment{}
r, _ := regexp.Compile(AnnotationRegExpString)
filteredAnnotations, annotationsFound := GetAnnotationsForDeployment(deployment, r)
if annotationsFound {
t.Errorf("No annotations should be found")
}
numAnnotations := len(filteredAnnotations)
if 0 != numAnnotations {
t.Errorf("Expected %v annotations got %v", 0, numAnnotations)
}
}
func getValidAnnotations() map[string]string {
return map[string]string{
ItemPathAnnotation: "vaults/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f/items/b3e4c7fc-8bf7-4c22-b8bb-147539f10e4f",
NameAnnotation: "secretName",
}
}

18
pkg/onepassword/containers.go Normal file
View File

@@ -0,0 +1,18 @@
package onepassword
import corev1 "k8s.io/api/core/v1"
func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]bool) bool {
for i := 0; i < len(containers); i++ {
envVariables := containers[i].Env
for j := 0; j < len(envVariables); j++ {
if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil {
_, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name]
if ok {
return true
}
}
}
}
return false
}

41
pkg/onepassword/containers_test.go Normal file
View File

@@ -0,0 +1,41 @@
package onepassword
import (
"testing"
)
func TestAreContainersUsingSecrets(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
containerSecretNames := []string{
"onepassword-database-secret",
"onepassword-api-key",
"some_other_key",
}
containers := generateContainers(containerSecretNames)
if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
t.Errorf("Expected that containers were using secrets but they were not detected.")
}
}
func TestAreContainersNotUsingSecrets(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
containerSecretNames := []string{
"some_other_key",
}
containers := generateContainers(containerSecretNames)
if AreContainersUsingSecrets(containers, secretNamesToSearch) {
t.Errorf("Expected that containers were not using secrets but they were detected.")
}
}

10
pkg/onepassword/deployments.go Normal file
View File

@@ -0,0 +1,10 @@
package onepassword
import appsv1 "k8s.io/api/apps/v1"
func IsDeploymentUsingSecrets(deployment *appsv1.Deployment, secrets map[string]bool) bool {
volumes := deployment.Spec.Template.Spec.Volumes
containers := deployment.Spec.Template.Spec.Containers
containers = append(containers, deployment.Spec.Template.Spec.InitContainers...)
return AreAnnotationsUsingSecrets(deployment.Annotations, secrets) || AreContainersUsingSecrets(containers, secrets) || AreVolumesUsingSecrets(volumes, secrets)
}

57
pkg/onepassword/deployments_test.go Normal file
View File

@@ -0,0 +1,57 @@
package onepassword
import (
"testing"
appsv1 "k8s.io/api/apps/v1"
)
func TestIsDeploymentUsingSecretsUsingVolumes(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
volumeSecretNames := []string{
"onepassword-database-secret",
"onepassword-api-key",
"some_other_key",
}
deployment := &appsv1.Deployment{}
deployment.Spec.Template.Spec.Volumes = generateVolumes(volumeSecretNames)
if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
t.Errorf("Expected that deployment was using secrets but they were not detected.")
}
}
func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
containerSecretNames := []string{
"onepassword-database-secret",
"onepassword-api-key",
"some_other_key",
}
deployment := &appsv1.Deployment{}
deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames)
if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
t.Errorf("Expected that deployment was using secrets but they were not detected.")
}
}
func TestIsDeploymentNotUSingSecrets(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
deployment := &appsv1.Deployment{}
if IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
t.Errorf("Expected that deployment was using not secrets but they were detected.")
}
}

29
pkg/onepassword/items.go Normal file
View File

@@ -0,0 +1,29 @@
package onepassword
import (
"fmt"
"strings"
"github.com/1Password/connect-sdk-go/connect"
"github.com/1Password/connect-sdk-go/onepassword"
)
func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
vaultId, itemId, err := ParseVaultIdAndItemIdFromPath(path)
if err != nil {
return nil, err
}
item, err := opConnectClient.GetItem(itemId, vaultId)
if err != nil {
return nil, err
}
return item, nil
}
func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
splitPath := strings.Split(path, "/")
if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {
return splitPath[1], splitPath[3], nil
}
return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path)
}

42
pkg/onepassword/object_generators_for_test.go Normal file
View File

@@ -0,0 +1,42 @@
package onepassword
import corev1 "k8s.io/api/core/v1"
func generateVolumes(names []string) []corev1.Volume {
volumes := []corev1.Volume{}
for i := 0; i < len(names); i++ {
volume := corev1.Volume{
Name: names[i],
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: names[i],
},
},
}
volumes = append(volumes, volume)
}
return volumes
}
func generateContainers(names []string) []corev1.Container {
containers := []corev1.Container{}
for i := 0; i < len(names); i++ {
container := corev1.Container{
Env: []corev1.EnvVar{
{
Name: "someName",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: names[i],
},
Key: "password",
},
},
},
},
}
containers = append(containers, container)
}
return containers
}

124
pkg/onepassword/secret_update_handler.go Normal file
View File

@@ -0,0 +1,124 @@
package onepassword
import (
"context"
"fmt"
"time"
kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
"github.com/1Password/connect-sdk-go/connect"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
logf "sigs.k8s.io/controller-runtime/pkg/log"
)
const envHostVariable = "OP_HOST"
var log = logf.Log.WithName("update_op_kubernetes_secrets_task")
func NewManager(kubernetesClient client.Client, opConnectClient connect.Client) *SecretUpdateHandler {
return &SecretUpdateHandler{
client: kubernetesClient,
opConnectClient: opConnectClient,
}
}
type SecretUpdateHandler struct {
client client.Client
opConnectClient connect.Client
}
func (h *SecretUpdateHandler) UpdateKubernetesSecretsTask() error {
updatedKubernetesSecrets, err := h.updateKubernetesSecrets()
if err != nil {
return err
}
return h.restartDeploymentsWithUpdatedSecrets(updatedKubernetesSecrets)
}
func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecretsByNamespace map[string]map[string]bool) error {
// No secrets to update. Exit
if len(updatedSecretsByNamespace) == 0 || updatedSecretsByNamespace == nil {
return nil
}
deployments := &appsv1.DeploymentList{}
err := h.client.List(context.Background(), deployments)
if err != nil {
log.Error(err, "Failed to list kubernetes deployments")
return err
}
for i := 0; i < len(deployments.Items); i++ {
deployment := &deployments.Items[i]
updatedSecrets := updatedSecretsByNamespace[deployment.Namespace]
secretName := deployment.Annotations[NameAnnotation]
log.Info(fmt.Sprintf("Looking at secret %v for deployment %v", secretName, deployment.Name))
if isUpdatedSecret(secretName, updatedSecrets) || IsDeploymentUsingSecrets(deployment, updatedSecrets) {
h.restartDeployment(deployment)
} else {
log.Info(fmt.Sprintf("Deployment '%v' is up to date", deployment.GetName()))
}
}
return nil
}
func (h *SecretUpdateHandler) restartDeployment(deployment *appsv1.Deployment) {
log.Info(fmt.Sprintf("Deployment '%v' references an updated secret. Restarting", deployment.GetName()))
deployment.Spec.Template.Annotations = map[string]string{
RestartAnnotation: time.Now().String(),
}
err := h.client.Update(context.Background(), deployment)
if err != nil {
log.Error(err, "Problem restarting deployment")
}
}
func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]bool, error) {
secrets := &corev1.SecretList{}
err := h.client.List(context.Background(), secrets)
if err != nil {
log.Error(err, "Failed to list kubernetes secrets")
return nil, err
}
updatedSecrets := map[string]map[string]bool{}
for i := 0; i < len(secrets.Items); i++ {
secret := secrets.Items[i]
itemPath := secret.Annotations[ItemPathAnnotation]
currentVersion := secret.Annotations[VersionAnnotation]
if len(itemPath) == 0 || len(currentVersion) == 0 {
continue
}
item, err := GetOnePasswordItemByPath(h.opConnectClient, secret.Annotations[ItemPathAnnotation])
if err != nil {
return nil, fmt.Errorf("Failed to retrieve item: %v", err)
}
itemVersion := fmt.Sprint(item.Version)
if currentVersion != itemVersion {
log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
secret.Annotations[VersionAnnotation] = itemVersion
updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
h.client.Update(context.Background(), updatedSecret)
if updatedSecrets[secret.Namespace] == nil {
updatedSecrets[secret.Namespace] = make(map[string]bool)
}
updatedSecrets[secret.Namespace][secret.Name] = true
}
}
return updatedSecrets, nil
}
func isUpdatedSecret(secretName string, updatedSecrets map[string]bool) bool {
_, ok := updatedSecrets[secretName]
if ok {
return true
}
return false
}

412
pkg/onepassword/secret_update_handler_test.go Normal file
View File

@@ -0,0 +1,412 @@
package onepassword
import (
"context"
"fmt"
"testing"
"github.com/1Password/onepassword-operator/pkg/mocks"
"github.com/1Password/connect-sdk-go/onepassword"
"github.com/stretchr/testify/assert"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
errors2 "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubectl/pkg/scheme"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
)
const (
deploymentKind = "Deployment"
deploymentAPIVersion = "v1"
name = "test-deployment"
namespace = "default"
vaultId = "hfnjvi6aymbsnfc2xeeoheizda"
itemId = "nwrhuano7bcwddcviubpp4mhfq"
username = "test-user"
password = "QmHumKc$mUeEem7caHtbaBaJ"
userKey = "username"
passKey = "password"
itemVersion = 123
)
type testUpdateSecretTask struct {
testName string
existingDeployment *appsv1.Deployment
existingSecret *corev1.Secret
expectedError error
expectedResultSecret *corev1.Secret
expectedEvents []string
opItem map[string]string
expectedRestart bool
}
var (
expectedSecretData = map[string][]byte{
"password": []byte(password),
"username": []byte(username),
}
itemPath = fmt.Sprintf("vaults/%v/items/%v", vaultId, itemId)
)
var tests = []testUpdateSecretTask{
{
testName: "Test unrelated deployment is not restarted with an updated secret",
existingDeployment: &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: deploymentKind,
APIVersion: deploymentAPIVersion,
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
NameAnnotation: "unlrelated secret",
ItemPathAnnotation: itemPath,
},
},
},
existingSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: "old version",
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
expectedError: nil,
expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: fmt.Sprint(itemVersion),
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
opItem: map[string]string{
userKey: username,
passKey: password,
},
expectedRestart: false,
},
{
testName: "OP item has new version. Secret needs update. Deployment is restarted based on containers",
existingDeployment: &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: deploymentKind,
APIVersion: deploymentAPIVersion,
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Env: []corev1.EnvVar{
{
Name: name,
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: name,
},
Key: passKey,
},
},
},
},
},
},
},
},
},
},
existingSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: "old version",
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
expectedError: nil,
expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: fmt.Sprint(itemVersion),
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
opItem: map[string]string{
userKey: username,
passKey: password,
},
expectedRestart: true,
},
{
testName: "OP item has new version. Secret needs update. Deployment is restarted based on annotation",
existingDeployment: &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: deploymentKind,
APIVersion: deploymentAPIVersion,
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
ItemPathAnnotation: itemPath,
NameAnnotation: name,
},
},
},
existingSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: "old version",
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
expectedError: nil,
expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: fmt.Sprint(itemVersion),
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
opItem: map[string]string{
userKey: username,
passKey: password,
},
expectedRestart: true,
},
{
testName: "OP item has new version. Secret needs update. Deployment is restarted based on volume",
existingDeployment: &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: deploymentKind,
APIVersion: deploymentAPIVersion,
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
Spec: appsv1.DeploymentSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
Volumes: []corev1.Volume{
{
Name: name,
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: name,
},
},
},
},
},
},
},
},
existingSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: "old version",
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
expectedError: nil,
expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: fmt.Sprint(itemVersion),
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
opItem: map[string]string{
userKey: username,
passKey: password,
},
expectedRestart: true,
},
{
testName: "No secrets need update. No deployment is restarted",
existingDeployment: &appsv1.Deployment{
TypeMeta: metav1.TypeMeta{
Kind: deploymentKind,
APIVersion: deploymentAPIVersion,
},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
ItemPathAnnotation: itemPath,
NameAnnotation: name,
},
},
},
existingSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: fmt.Sprint(itemVersion),
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
expectedError: nil,
expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
Annotations: map[string]string{
VersionAnnotation: fmt.Sprint(itemVersion),
ItemPathAnnotation: itemPath,
},
},
Data: expectedSecretData,
},
opItem: map[string]string{
userKey: username,
passKey: password,
},
expectedRestart: false,
},
}
func TestReconcileDepoyment(t *testing.T) {
for _, testData := range tests {
t.Run(testData.testName, func(t *testing.T) {
// Register operator types with the runtime scheme.
s := scheme.Scheme
s.AddKnownTypes(appsv1.SchemeGroupVersion, testData.existingDeployment)
// Objects to track in the fake client.
objs := []runtime.Object{
testData.existingDeployment,
}
if testData.existingSecret != nil {
objs = append(objs, testData.existingSecret)
}
// Create a fake client to mock API calls.
cl := fake.NewFakeClientWithScheme(s, objs...)
opConnectClient := &mocks.TestClient{}
mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
item := onepassword.Item{}
item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
item.Version = itemVersion
item.Vault.ID = vaultUUID
item.ID = uuid
return &item, nil
}
h := &SecretUpdateHandler{
client: cl,
opConnectClient: opConnectClient,
}
err := h.UpdateKubernetesSecretsTask()
assert.Equal(t, testData.expectedError, err)
var expectedSecretName string
if testData.expectedResultSecret == nil {
expectedSecretName = testData.existingDeployment.Name
} else {
expectedSecretName = testData.expectedResultSecret.Name
}
// Check if Secret has been created and has the correct data
secret := &corev1.Secret{}
err = cl.Get(context.TODO(), types.NamespacedName{Name: expectedSecretName, Namespace: namespace}, secret)
if testData.expectedResultSecret == nil {
assert.Error(t, err)
assert.True(t, errors2.IsNotFound(err))
} else {
assert.Equal(t, testData.expectedResultSecret.Data, secret.Data)
assert.Equal(t, testData.expectedResultSecret.Name, secret.Name)
assert.Equal(t, testData.expectedResultSecret.Type, secret.Type)
assert.Equal(t, testData.expectedResultSecret.Annotations[VersionAnnotation], secret.Annotations[VersionAnnotation])
}
//check if deployment has been restarted
deployment := &appsv1.Deployment{}
err = cl.Get(context.TODO(), types.NamespacedName{Name: testData.existingDeployment.Name, Namespace: namespace}, deployment)
_, ok := deployment.Spec.Template.Annotations[RestartAnnotation]
if ok {
assert.True(t, testData.expectedRestart)
} else {
assert.False(t, testData.expectedRestart)
}
})
}
}
func TestIsUpdatedSecret(t *testing.T) {
secretName := "test-secret"
updatedSecrets := map[string]bool{
"some_secret": true,
}
assert.False(t, isUpdatedSecret(secretName, updatedSecrets))
updatedSecrets[secretName] = true
assert.True(t, isUpdatedSecret(secretName, updatedSecrets))
}
func generateFields(username, password string) []*onepassword.ItemField {
fields := []*onepassword.ItemField{
{
Label: "username",
Value: username,
},
{
Label: "password",
Value: password,
},
}
return fields
}

16
pkg/onepassword/volumes.go Normal file
View File

@@ -0,0 +1,16 @@
package onepassword
import corev1 "k8s.io/api/core/v1"
func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]bool) bool {
for i := 0; i < len(volumes); i++ {
if secret := volumes[i].Secret; secret != nil {
secretName := secret.SecretName
_, ok := secrets[secretName]
if ok {
return true
}
}
}
return false
}

41
pkg/onepassword/volumes_test.go Normal file
View File

@@ -0,0 +1,41 @@
package onepassword
import (
"testing"
)
func TestAreVolmesUsingSecrets(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
volumeSecretNames := []string{
"onepassword-database-secret",
"onepassword-api-key",
"some_other_key",
}
volumes := generateVolumes(volumeSecretNames)
if !AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
t.Errorf("Expected that volumes were using secrets but they were not detected.")
}
}
func TestAreVolumesNotUsingSecrets(t *testing.T) {
secretNamesToSearch := map[string]bool{
"onepassword-database-secret": true,
"onepassword-api-key": true,
}
volumeSecretNames := []string{
"some_other_key",
}
volumes := generateVolumes(volumeSecretNames)
if AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
t.Errorf("Expected that volumes were not using secrets but they were detected.")
}
}