feat: add volumes projected detection

Signed-off-by: Manuel Morejon <manuel@mmorejon.io>
This commit is contained in:
Manuel Morejon
2023-08-11 02:29:32 +02:00
parent 91c3422597
commit 9b4d8eb292
4 changed files with 80 additions and 10 deletions


@@ -9,18 +9,30 @@ import (
func TestIsDeploymentUsingSecretsUsingVolumes(t *testing.T) { func TestIsDeploymentUsingSecretsUsingVolumes(t *testing.T) {
secretNamesToSearch := map[string]*corev1.Secret{ secretNamesToSearch := map[string]*corev1.Secret{
"onepassword-database-secret": {}, "onepassword-database-secret": {},
"onepassword-api-key": {}, "onepassword-api-key": {},
"onepassword-app-token": {},
"onepassword-user-credentials": {},
} }
volumeSecretNames := []string{ volumeSecretNames := []string{
"onepassword-database-secret", "onepassword-database-secret",
"onepassword-api-key", "onepassword-api-key",
"some_other_key",
} }
volumes := generateVolumes(volumeSecretNames)
volumeProjectedSecretNames := []string{
"onepassword-app-token",
"onepassword-user-credentials",
}
volumeProjected := generateVolumesProjected(volumeProjectedSecretNames)
volumes = append(volumes, volumeProjected)
deployment := &appsv1.Deployment{} deployment := &appsv1.Deployment{}
deployment.Spec.Template.Spec.Volumes = generateVolumes(volumeSecretNames) deployment.Spec.Template.Spec.Volumes = volumes
if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) { if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
t.Errorf("Expected that deployment was using secrets but they were not detected.") t.Errorf("Expected that deployment was using secrets but they were not detected.")
} }
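Review bot: The rewritten test still asserts only the positive case; nothing in this section (nor in the TestAreVolmesUsingSecrets section, the last file in this commit) checks that a volume or projected source naming a secret absent from `secretNamesToSearch` now makes the function return false, which is the new rule this commit introduces in AreVolumesUsingSecrets. A second assertion such as `deployment.Spec.Template.Spec.Volumes = append(volumes, generateVolumes([]string{"not-a-managed-secret"})...)` followed by `if IsDeploymentUsingSecrets(deployment, secretNamesToSearch) { t.Errorf("Expected an unknown secret name to prevent detection.") }` would pin that contract. The single-printed `"some_other_key"` entry appears to be the removed line that would otherwise trip the new check; a short comment in the test saying why the fixture must contain only known names would keep the next edit from reintroducing it. The test function's closing brace is outside this section.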


@@ -17,6 +17,29 @@ func generateVolumes(names []string) []corev1.Volume {
} }
return volumes return volumes
} }
func generateVolumesProjected(names []string) corev1.Volume {
volumesProjection := []corev1.VolumeProjection{}
for i := 0; i < len(names); i++ {
volumeProjection := corev1.VolumeProjection{
Secret: &corev1.SecretProjection{
LocalObjectReference: corev1.LocalObjectReference{
Name: names[i],
},
},
}
volumesProjection = append(volumesProjection, volumeProjection)
}
volume := corev1.Volume{
Name: "someName",
VolumeSource: corev1.VolumeSource{
Projected: &corev1.ProjectedVolumeSource{
Sources: volumesProjection,
},
},
}
return volume
}
func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container { func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
containers := []corev1.Container{} containers := []corev1.Container{}
for i := 0; i < len(names); i++ { for i := 0; i < len(names); i++ {
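Review bot: generateVolumesProjected has no doc comment and builds its source list with an index loop over an empty slice literal; `sources := make([]corev1.VolumeProjection, 0, len(names))` with `for _, name := range names` reads more idiomatically and also avoids the near-identical locals volumesProjection and volumeProjection. A header such as `// generateVolumesProjected returns a single projected volume whose sources are secret projections, one per entry in names.` would document the fixture for the two tests that call it. generateContainersWithSecretRefsFromEnv, which starts at the end of this section, continues outside it.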


@@ -7,12 +7,26 @@ func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]*corev1.
if secret := volumes[i].Secret; secret != nil { if secret := volumes[i].Secret; secret != nil {
secretName := secret.SecretName secretName := secret.SecretName
_, ok := secrets[secretName] _, ok := secrets[secretName]
if ok { if !ok {
return true return false
}
}
if volumes[i].Projected != nil {
for j := 0; j < len(volumes[i].Projected.Sources); j++ {
if secret := volumes[i].Projected.Sources[j].Secret; secret != nil {
secretName := secret.Name
_, ok := secrets[secretName]
if !ok {
return false
}
}
} }
} }
} }
return false if len(volumes) == 0 {
return false
}
return true
} }
func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
@@ -24,6 +38,17 @@ func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*cor
updatedDeploymentSecrets[secret.Name] = secret updatedDeploymentSecrets[secret.Name] = secret
} }
} }
if volumes[i].Projected != nil {
for j := 0; j < len(volumes[i].Projected.Sources); j++ {
if secret := volumes[i].Projected.Sources[j].Secret; secret != nil {
secretName := secret.Name
secret, ok := secrets[secretName]
if ok {
updatedDeploymentSecrets[secret.Name] = secret
}
}
}
}
} }
return updatedDeploymentSecrets return updatedDeploymentSecrets
} }
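Review bot: After the loop in AreVolumesUsingSecrets (first hunk of this section) the function now returns true for any non-empty volume list, including one that references no secret at all — an emptyDir or configMap volume, or a projected volume whose sources are all configMap or serviceAccountToken — because no branch records whether anything actually matched, whereas the old code returned true only on a hit. A `found` flag set on each successful lookup and returned at the end fixes that and makes the `len(volumes) == 0` special case unnecessary. Separately, moving from "any referenced secret is in the map" to "every referenced secret must be in the map" means one unmanaged secret volume next to managed ones now hides the whole deployment from detection; presumably intentional, but a doc comment on the function stating that rule would help. The function signature and the `for i` loop header are outside the hunk, so `found := false` has to go just before that loop. In the second hunk (AppendUpdatedVolumeSecrets) the line `secret, ok := secrets[secretName]` shadows the `secret` from the enclosing `if` initializer, which is legal but easy to misread; `managed, ok := secrets[secretName]` would be clearer.

```go
	found := false // declared just before the existing loop over volumes (loop header is outside this hunk)
	// … unchanged: loop over volumes by index i …
		if secret := volumes[i].Secret; secret != nil {
			if _, ok := secrets[secret.SecretName]; !ok {
				return false
			}
			found = true
		}
		if volumes[i].Projected != nil {
			for j := 0; j < len(volumes[i].Projected.Sources); j++ {
				if secret := volumes[i].Projected.Sources[j].Secret; secret != nil {
					if _, ok := secrets[secret.Name]; !ok {
						return false
					}
					found = true
				}
			}
		}
	}
	return found
```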


@@ -8,18 +8,28 @@ import (
func TestAreVolmesUsingSecrets(t *testing.T) { func TestAreVolmesUsingSecrets(t *testing.T) {
secretNamesToSearch := map[string]*corev1.Secret{ secretNamesToSearch := map[string]*corev1.Secret{
"onepassword-database-secret": {}, "onepassword-database-secret": {},
"onepassword-api-key": {}, "onepassword-api-key": {},
"onepassword-app-token": {},
"onepassword-user-credentials": {},
} }
volumeSecretNames := []string{ volumeSecretNames := []string{
"onepassword-database-secret", "onepassword-database-secret",
"onepassword-api-key", "onepassword-api-key",
"some_other_key",
} }
volumes := generateVolumes(volumeSecretNames) volumes := generateVolumes(volumeSecretNames)
volumeProjectedSecretNames := []string{
"onepassword-app-token",
"onepassword-user-credentials",
}
volumeProjected := generateVolumesProjected(volumeProjectedSecretNames)
volumes = append(volumes, volumeProjected)
if !AreVolumesUsingSecrets(volumes, secretNamesToSearch) { if !AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
t.Errorf("Expected that volumes were using secrets but they were not detected.") t.Errorf("Expected that volumes were using secrets but they were not detected.")
} }