Add test case for ignore-secret tag

2025-10-21 23:18:06 +00:00 · 2025-08-22 11:22:39 -05:00
parent 05ad484bd6
commit 9aac824066
4 changed files with 75 additions and 0 deletions
--- a/pkg/testhelper/kube/kube.go
+++ b/pkg/testhelper/kube/kube.go
@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"os"
 	"path/filepath"
+	"strconv"
 	"time"

 	//nolint:staticcheck // ST1001
@@ -83,6 +84,26 @@ func CheckSecretPasswordWasUpdated(name, oldPassword string) {
 	}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed())
 }

+func CheckSecretPasswordNotUpdated(name, newPassword, oldPassword string) {
+	By("Ensuring '" + name + "' secret password has NOT been updated")
+
+	intervalStr := readPullingInterval()
+	Expect(intervalStr).NotTo(BeEmpty())
+
+	i, err := strconv.Atoi(intervalStr)
+	Expect(err).NotTo(HaveOccurred())
+
+	interval := time.Duration(i) * time.Second // convert to duration in seconds
+	time.Sleep(interval + 2*time.Second)       // wait for one polling interval + 2 seconds to make sure updated secret is pulled
+
+	// read password again
+	currentPassword, err := ReadingSecretData(name, "password")
+	Expect(err).NotTo(HaveOccurred())
+
+	Expect(currentPassword).To(Equal(oldPassword))
+	Expect(currentPassword).NotTo(Equal(newPassword))
+}
+
 // Apply applies a kubernetes manifest file
 func Apply(yamlPath string) {
 	_, err := system.Run("kubectl", "apply", "-f", yamlPath)
@@ -142,3 +163,15 @@ func withOperatorRestart(operation func()) func() {
 		}, 120*time.Second, 1*time.Second).Should(Succeed())
 	}
 }
+
+// readPullingInterval reads the POLLING_INTERVAL env variable from the operator deployment
+// returns pulling interval in seconds as string
+func readPullingInterval() string {
+	output, err := system.Run(
+		"kubectl", "get", "deployment", "onepassword-connect-operator",
+		"-o", "jsonpath={.spec.template.spec.containers[0].env[?(@.name==\"POLLING_INTERVAL\")].value}",
+	)
+	Expect(err).NotTo(HaveOccurred())
+
+	return output
+}
--- a/pkg/testhelper/op/op.go
+++ b/pkg/testhelper/op/op.go
@@ -1,6 +1,8 @@
 package op

 import (
+	"fmt"
+
 	"github.com/1Password/onepassword-operator/pkg/testhelper/system"
 )

@@ -12,3 +14,12 @@ func UpdateItemPassword(item string) error {
 	}
 	return nil
 }
+
+// ReadItemPassword reads the password of an item in 1Password
+func ReadItemPassword(item, vault string) (string, error) {
+	output, err := system.Run("op", "read", fmt.Sprintf("op://%s/%s/password", vault, item))
+	if err != nil {
+		return "", err
+	}
+	return output, nil
+}
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -15,6 +15,7 @@ import (

 const (
 	operatorImageName = "1password/onepassword-operator:latest"
+	vaultName         = "operator-acceptance-tests"
 )

 var _ = Describe("Onepassword Operator e2e", Ordered, func() {
@@ -88,4 +89,28 @@ func runCommonTestCases() {

 		kube.CheckSecretPasswordWasUpdated(secretName, oldPassword)
 	})
+
+	It("1Password item with `ignore-secret` doesn't pull updates to kubernetes secret", func() {
+		itemName := "secret-ignored"
+		secretName := itemName
+
+		By("Creating secret `" + secretName + "` from 1Password item")
+		root, err := system.GetProjectRoot()
+		Expect(err).NotTo(HaveOccurred())
+
+		yamlPath := filepath.Join(root, "test", "e2e", "manifests", secretName+".yaml")
+		kube.Apply(yamlPath)
+		kube.CheckSecretExists(secretName)
+
+		By("Reading old password")
+		oldPassword, err := kube.ReadingSecretData(secretName, "password")
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Updating `" + secretName + "` 1Password item")
+		err = op.UpdateItemPassword(itemName)
+		Expect(err).NotTo(HaveOccurred())
+
+		newPassword, err := op.ReadItemPassword(itemName, vaultName)
+		kube.CheckSecretPasswordNotUpdated(secretName, newPassword, oldPassword)
+	})
 }
--- a/test/e2e/manifests/secret-ignored.yaml
+++ b/test/e2e/manifests/secret-ignored.yaml
@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: secret-ignored
+spec:
+  itemPath: "vaults/operator-acceptance-tests/items/secret-ignored"