From 9aac824066cea65a41631857917afbe4a099603b Mon Sep 17 00:00:00 2001
From: Volodymyr Zotov
Date: Fri, 22 Aug 2025 11:22:39 -0500
Subject: [PATCH] Add test case for `ignore-secret` tag
---
 pkg/testhelper/kube/kube.go | 33 ++++++++++++++++++++++++++
 pkg/testhelper/op/op.go | 11 +++++++++
 test/e2e/e2e_test.go | 25 +++++++++++++++++++
 test/e2e/manifests/secret-ignored.yaml | 6 +++++
 4 files changed, 75 insertions(+)
 create mode 100644 test/e2e/manifests/secret-ignored.yaml
diff --git a/pkg/testhelper/kube/kube.go b/pkg/testhelper/kube/kube.go
index 7a3c5ad..0321acf 100644
--- a/pkg/testhelper/kube/kube.go
+++ b/pkg/testhelper/kube/kube.go
@@ -4,6 +4,7 @@ import (
 "encoding/base64"
 "os"
 "path/filepath"
+ "strconv"
 "time"

 //nolint:staticcheck // ST1001
@@ -83,6 +84,26 @@ func CheckSecretPasswordWasUpdated(name, oldPassword string) {
 }, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed())
 }

+func CheckSecretPasswordNotUpdated(name, newPassword, oldPassword string) {
+ By("Ensuring '" + name + "' secret password has NOT been updated")
+
+ intervalStr := readPullingInterval()
+ Expect(intervalStr).NotTo(BeEmpty())
+
+ i, err := strconv.Atoi(intervalStr)
+ Expect(err).NotTo(HaveOccurred())
+
+ interval := time.Duration(i) * time.Second // convert to duration in seconds
+ time.Sleep(interval + 2*time.Second) // wait for one polling interval + 2 seconds to make sure updated secret is pulled
+
+ // read password again
+ currentPassword, err := ReadingSecretData(name, "password")
+ Expect(err).NotTo(HaveOccurred())
+
+ Expect(currentPassword).To(Equal(oldPassword))
+ Expect(currentPassword).NotTo(Equal(newPassword))
+}
+
 // Apply applies a kubernetes manifest file
 func Apply(yamlPath string) {
 _, err := system.Run("kubectl", "apply", "-f", yamlPath)
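Review bot: The negative check in CheckSecretPasswordNotUpdated rests on one `time.Sleep(interval + 2*time.Second)` followed by a single read, so a poll that lands later than the 2-second margin lets a broken `ignore-secret` path pass unnoticed. Gomega's `Consistently` over a window of more than one interval would make the check less timing-sensitive, and `Expect(i).To(BeNumerically(">", 0))` before the conversion would reject a zero or negative interval. When either `Equal` assertion fails, the matcher prints both password values into the test output; asserting on `currentPassword == oldPassword` with a fixed message keeps them out of retained CI logs. The exported helper also has no doc comment, unlike `Apply` directly below it.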
@@ -142,3 +163,15 @@ func withOperatorRestart(operation func()) func() {
 }, 120*time.Second, 1*time.Second).Should(Succeed())
 }
 }
+
+// readPullingInterval reads the POLLING_INTERVAL env variable from the operator deployment
+// returns pulling interval in seconds as string
+func readPullingInterval() string {
+ output, err := system.Run(
+ "kubectl", "get", "deployment", "onepassword-connect-operator",
+ "-o", "jsonpath={.spec.template.spec.containers[0].env[?(@.name==\"POLLING_INTERVAL\")].value}",
+ )
+ Expect(err).NotTo(HaveOccurred())
+
+ return output
+}
diff --git a/pkg/testhelper/op/op.go b/pkg/testhelper/op/op.go
index 94a8b8f..658cf21 100644
--- a/pkg/testhelper/op/op.go
+++ b/pkg/testhelper/op/op.go
@@ -1,6 +1,8 @@
 package op

 import (
+ "fmt"
+
 "github.com/1Password/onepassword-operator/pkg/testhelper/system"
 )

@@ -12,3 +14,12 @@ func UpdateItemPassword(item string) error {
 }
 return nil
 }
+
+// ReadItemPassword reads the password of an item in 1Password
+func ReadItemPassword(item, vault string) (string, error) {
+ output, err := system.Run("op", "read", fmt.Sprintf("op://%s/%s/password", vault, item))
+ if err != nil {
+ return "", err
+ }
+ return output, nil
+}
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index fc4685a..5436bb3 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -15,6 +15,7 @@ import (

 const (
 operatorImageName = "1password/onepassword-operator:latest"
+ vaultName = "operator-acceptance-tests"
 )

 var _ = Describe("Onepassword Operator e2e", Ordered, func() {
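Review bot: readPullingInterval returns the command output untrimmed, and the caller passes it straight to `strconv.Atoi`, which rejects surrounding whitespace; `return strings.TrimSpace(output)` would remove the doubt (system.Run is not visible in this patch and may already trim). ReadItemPassword in op.go returns raw output the same way, and there a stray newline would make the `NotTo(Equal(newPassword))` assertion in kube.go pass regardless of the secret's value. The lookup also assumes the operator is `containers[0]` of a hard-coded deployment in the current namespace, so a sidecar listed first or an env entry set through `valueFrom` yields an empty string. The name says "Pulling" while the variable is POLLING_INTERVAL; `readPollingInterval` would match.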
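Review bot: ReadItemPassword takes `(item, vault)` but builds the reference vault-first as `op://%s/%s/password`, so two adjacent string parameters in the opposite order of the URI are easy to swap at a call site without any compile error. Either reorder them to `(vault, item)` or state the order in the doc comment, e.g. `// ReadItemPassword returns the password field of item in vault (op://vault/item/password).` Returning the error wrapped, `fmt.Errorf("reading password of item %q: %w", item, err)`, would tell a failing e2e run which item could not be read.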
@@ -88,4 +89,28 @@ func runCommonTestCases() {

 kube.CheckSecretPasswordWasUpdated(secretName, oldPassword)
 })
+
+ It("1Password item with `ignore-secret` doesn't pull updates to kubernetes secret", func() {
+ itemName := "secret-ignored"
+ secretName := itemName
+
+ By("Creating secret `" + secretName + "` from 1Password item")
+ root, err := system.GetProjectRoot()
+ Expect(err).NotTo(HaveOccurred())
+
+ yamlPath := filepath.Join(root, "test", "e2e", "manifests", secretName+".yaml")
+ kube.Apply(yamlPath)
+ kube.CheckSecretExists(secretName)
+
+ By("Reading old password")
+ oldPassword, err := kube.ReadingSecretData(secretName, "password")
+ Expect(err).NotTo(HaveOccurred())
+
+ By("Updating `" + secretName + "` 1Password item")
+ err = op.UpdateItemPassword(itemName)
+ Expect(err).NotTo(HaveOccurred())
+
+ newPassword, err := op.ReadItemPassword(itemName, vaultName)
+ kube.CheckSecretPasswordNotUpdated(secretName, newPassword, oldPassword)
+ })
 }
diff --git a/test/e2e/manifests/secret-ignored.yaml b/test/e2e/manifests/secret-ignored.yaml
new file mode 100644
index 0000000..847d18f
--- /dev/null
+++ b/test/e2e/manifests/secret-ignored.yaml
@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: secret-ignored
+spec:
+ itemPath: "vaults/operator-acceptance-tests/items/secret-ignored"
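Review bot: The error from `op.ReadItemPassword(itemName, vaultName)` is assigned and never checked, so a failed read leaves `newPassword` empty and the helper's `NotTo(Equal(newPassword))` assertion is satisfied trivially. Add `Expect(err).NotTo(HaveOccurred())` on the following line. It is also worth proving the item really changed before waiting, with `Expect(newPassword != oldPassword).To(BeTrue(), "item password did not change")`, which avoids printing either value on failure. The case leaves the `secret-ignored` resource applied; whether cleanup happens elsewhere in the Ordered suite is not visible in this hunk.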