Add test case for ignore-secret tag

Volodymyr Zotov
2025-08-22 11:22:39 -05:00
parent 05ad484bd6
commit 9aac824066
4 changed files with 75 additions and 0 deletions


@@ -4,6 +4,7 @@ import (
"encoding/base64" "encoding/base64"
"os" "os"
"path/filepath" "path/filepath"
"strconv"
"time" "time"
//nolint:staticcheck // ST1001 //nolint:staticcheck // ST1001
@@ -83,6 +84,26 @@ func CheckSecretPasswordWasUpdated(name, oldPassword string) {
}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) }, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed())
} }
func CheckSecretPasswordNotUpdated(name, newPassword, oldPassword string) {
By("Ensuring '" + name + "' secret password has NOT been updated")
intervalStr := readPullingInterval()
Expect(intervalStr).NotTo(BeEmpty())
i, err := strconv.Atoi(intervalStr)
Expect(err).NotTo(HaveOccurred())
interval := time.Duration(i) * time.Second // convert to duration in seconds
time.Sleep(interval + 2*time.Second) // wait for one polling interval + 2 seconds to make sure updated secret is pulled
// read password again
currentPassword, err := ReadingSecretData(name, "password")
Expect(err).NotTo(HaveOccurred())
Expect(currentPassword).To(Equal(oldPassword))
Expect(currentPassword).NotTo(Equal(newPassword))
}
// Apply applies a kubernetes manifest file // Apply applies a kubernetes manifest file
func Apply(yamlPath string) { func Apply(yamlPath string) {
_, err := system.Run("kubectl", "apply", "-f", yamlPath) _, err := system.Run("kubectl", "apply", "-f", yamlPath)
@@ -142,3 +163,15 @@ func withOperatorRestart(operation func()) func() {
}, 120*time.Second, 1*time.Second).Should(Succeed()) }, 120*time.Second, 1*time.Second).Should(Succeed())
} }
} }
// readPullingInterval reads the POLLING_INTERVAL env variable from the operator deployment
// returns pulling interval in seconds as string
func readPullingInterval() string {
output, err := system.Run(
"kubectl", "get", "deployment", "onepassword-connect-operator",
"-o", "jsonpath={.spec.template.spec.containers[0].env[?(@.name==\"POLLING_INTERVAL\")].value}",
)
Expect(err).NotTo(HaveOccurred())
return output
}
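Review bot: The two `Equal` assertions at the end of `CheckSecretPasswordNotUpdated` put the real password values into Gomega's failure message, so a failing run writes both the old and the new item password to the CI log. Compare outside the matcher and assert on the boolean instead, e.g. `Expect(currentPassword == oldPassword).To(BeTrue(), "secret password changed for an item tagged ignore-secret")`, and do the same for the `newPassword` check. The comment on the `time.Sleep` line says the wait makes sure the updated secret is pulled, which is the opposite of what this helper verifies; something like `// wait one polling interval + 2s so an update would have been pulled if the tag were not honoured` describes it correctly. `readPullingInterval` is also spelled "pulling" although it reads `POLLING_INTERVAL`.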


@@ -1,6 +1,8 @@
package op package op
import ( import (
"fmt"
"github.com/1Password/onepassword-operator/pkg/testhelper/system" "github.com/1Password/onepassword-operator/pkg/testhelper/system"
) )
@@ -12,3 +14,12 @@ func UpdateItemPassword(item string) error {
} }
return nil return nil
} }
// ReadItemPassword reads the password of an item in 1Password
func ReadItemPassword(item, vault string) (string, error) {
output, err := system.Run("op", "read", fmt.Sprintf("op://%s/%s/password", vault, item))
if err != nil {
return "", err
}
return output, nil
}
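Review bot: `ReadItemPassword` returns the output of `op read` unmodified, and `op read` ends its output with a newline by default. Unless `system.Run` trims its output (not visible on this page), the returned value can never equal the password stored in the Kubernetes secret, so the caller's `NotTo(Equal(newPassword))` check would hold even if the secret had been updated. Passing the flag explicitly avoids depending on that: `system.Run("op", "read", "--no-newline", fmt.Sprintf("op://%s/%s/password", vault, item))`. The doc comment could also state that the function returns the secret value itself, so callers should keep it out of log and assertion output.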


@@ -15,6 +15,7 @@ import (
const ( const (
operatorImageName = "1password/onepassword-operator:latest" operatorImageName = "1password/onepassword-operator:latest"
vaultName = "operator-acceptance-tests"
) )
var _ = Describe("Onepassword Operator e2e", Ordered, func() { var _ = Describe("Onepassword Operator e2e", Ordered, func() {
@@ -88,4 +89,28 @@ func runCommonTestCases() {
kube.CheckSecretPasswordWasUpdated(secretName, oldPassword) kube.CheckSecretPasswordWasUpdated(secretName, oldPassword)
}) })
It("1Password item with `ignore-secret` doesn't pull updates to kubernetes secret", func() {
itemName := "secret-ignored"
secretName := itemName
By("Creating secret `" + secretName + "` from 1Password item")
root, err := system.GetProjectRoot()
Expect(err).NotTo(HaveOccurred())
yamlPath := filepath.Join(root, "test", "e2e", "manifests", secretName+".yaml")
kube.Apply(yamlPath)
kube.CheckSecretExists(secretName)
By("Reading old password")
oldPassword, err := kube.ReadingSecretData(secretName, "password")
Expect(err).NotTo(HaveOccurred())
By("Updating `" + secretName + "` 1Password item")
err = op.UpdateItemPassword(itemName)
Expect(err).NotTo(HaveOccurred())
newPassword, err := op.ReadItemPassword(itemName, vaultName)
kube.CheckSecretPasswordNotUpdated(secretName, newPassword, oldPassword)
})
} }
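Review bot: The `err` returned by `op.ReadItemPassword(itemName, vaultName)` in the new `It` block is never checked, so a failed read leaves `newPassword` empty and the `NotTo(Equal(newPassword))` assertion in `CheckSecretPasswordNotUpdated` passes without proving anything. Add `Expect(err).NotTo(HaveOccurred())` directly after the call. It would also help to confirm the item really changed before waiting, e.g. `Expect(newPassword == oldPassword).To(BeFalse(), "1Password item password was not changed")`, which keeps the values out of the failure output. As a negative test, the case also passes if the operator is not reconciling at all; it appears to rely on the preceding update test in the same `Ordered` container, and a short comment saying so would make that dependency explicit. `runCommonTestCases` starts outside this hunk.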


@@ -0,0 +1,6 @@
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: secret-ignored
spec:
itemPath: "vaults/operator-acceptance-tests/items/secret-ignored"
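Review bot: Nothing in this manifest shows that the test depends on the 1Password item carrying the `ignore-secret` tag; that tag presumably lives on the item in the `operator-acceptance-tests` vault, outside the repository. A leading comment such as `# Fixture for the ignore-secret e2e case: the referenced item must be tagged ignore-secret in the vault` would document the external precondition. Without it, a re-created item without the tag produces a test failure that is hard to trace back to the fixture.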