mirror of
				https://github.com/1Password/onepassword-operator.git
				synced 2025-10-22 23:48:05 +00:00 
			
		
		
		
	Make secret names DNS1123 Subdomain compiant
This is done while ensuring that secret keys are compliant (contain alphanumeric characters, `-`, `_` and `.`)
This commit is contained in:
		| @@ -232,7 +232,7 @@ var tests = []testReconcileItem{ | |||||||
| 		expectedError:  nil, | 		expectedError:  nil, | ||||||
| 		expectedResultSecret: &corev1.Secret{ | 		expectedResultSecret: &corev1.Secret{ | ||||||
| 			ObjectMeta: metav1.ObjectMeta{ | 			ObjectMeta: metav1.ObjectMeta{ | ||||||
| 				Name:      "my-sECReT-it3m", | 				Name:      "my-secret-it3m", | ||||||
| 				Namespace: namespace, | 				Namespace: namespace, | ||||||
| 				Annotations: map[string]string{ | 				Annotations: map[string]string{ | ||||||
| 					op.VersionAnnotation: fmt.Sprint(version), | 					op.VersionAnnotation: fmt.Sprint(version), | ||||||
| @@ -264,7 +264,7 @@ var tests = []testReconcileItem{ | |||||||
| 		expectedError:  nil, | 		expectedError:  nil, | ||||||
| 		expectedResultSecret: &corev1.Secret{ | 		expectedResultSecret: &corev1.Secret{ | ||||||
| 			ObjectMeta: metav1.ObjectMeta{ | 			ObjectMeta: metav1.ObjectMeta{ | ||||||
| 				Name:      "my-sECReT-it3m", | 				Name:      "my-secret-it3m", | ||||||
| 				Namespace: namespace, | 				Namespace: namespace, | ||||||
| 				Annotations: map[string]string{ | 				Annotations: map[string]string{ | ||||||
| 					op.VersionAnnotation: fmt.Sprint(version), | 					op.VersionAnnotation: fmt.Sprint(version), | ||||||
| @@ -287,7 +287,7 @@ var tests = []testReconcileItem{ | |||||||
| 		}, | 		}, | ||||||
| 	}, | 	}, | ||||||
| 	{ | 	{ | ||||||
| 		testName: "Secret from 1Password item with `_` and `.`", | 		testName: "Secret from 1Password item with `-`, `_` and `.`", | ||||||
| 		customResource: &onepasswordv1.OnePasswordItem{ | 		customResource: &onepasswordv1.OnePasswordItem{ | ||||||
| 			TypeMeta: metav1.TypeMeta{ | 			TypeMeta: metav1.TypeMeta{ | ||||||
| 				Kind:       onePasswordItemKind, | 				Kind:       onePasswordItemKind, | ||||||
| @@ -305,18 +305,18 @@ var tests = []testReconcileItem{ | |||||||
| 		expectedError:  nil, | 		expectedError:  nil, | ||||||
| 		expectedResultSecret: &corev1.Secret{ | 		expectedResultSecret: &corev1.Secret{ | ||||||
| 			ObjectMeta: metav1.ObjectMeta{ | 			ObjectMeta: metav1.ObjectMeta{ | ||||||
| 				Name:      "my_sECReT.it3m", | 				Name:      "my-secret.it3m", | ||||||
| 				Namespace: namespace, | 				Namespace: namespace, | ||||||
| 				Annotations: map[string]string{ | 				Annotations: map[string]string{ | ||||||
| 					op.VersionAnnotation: fmt.Sprint(version), | 					op.VersionAnnotation: fmt.Sprint(version), | ||||||
| 				}, | 				}, | ||||||
| 			}, | 			}, | ||||||
| 			Data: map[string][]byte{ | 			Data: map[string][]byte{ | ||||||
| 				"password":       []byte(password), | 				"password":          []byte(password), | ||||||
| 				"username":       []byte(username), | 				"username":          []byte(username), | ||||||
| 				"first-host":     []byte(firstHost), | 				"first-host":        []byte(firstHost), | ||||||
| 				"AWS-Access-Key": []byte(awsKey), | 				"AWS-Access-Key":    []byte(awsKey), | ||||||
| 				"ice_cream.type": []byte(iceCream), | 				"-_ice_cream.type.": []byte(iceCream), | ||||||
| 			}, | 			}, | ||||||
| 		}, | 		}, | ||||||
| 		opItem: map[string]string{ | 		opItem: map[string]string{ | ||||||
|   | |||||||
| @@ -80,16 +80,17 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt | |||||||
| 	secretData := map[string][]byte{} | 	secretData := map[string][]byte{} | ||||||
| 	for i := 0; i < len(fields); i++ { | 	for i := 0; i < len(fields); i++ { | ||||||
| 		if fields[i].Value != "" { | 		if fields[i].Value != "" { | ||||||
| 			key := formatSecretName(fields[i].Label) | 			key := formatSecretDataName(fields[i].Label) | ||||||
| 			secretData[key] = []byte(fields[i].Value) | 			secretData[key] = []byte(fields[i].Value) | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 	return secretData | 	return secretData | ||||||
| } | } | ||||||
|  |  | ||||||
| // formatSecretName rewrites a value to be a valid Secret name or Secret data key. | // formatSecretName rewrites a value to be a valid Secret name. | ||||||
| // | // | ||||||
| // The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets) | // The Secret meta.name and data keys must be valid DNS subdomain names | ||||||
|  | // (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets) | ||||||
| func formatSecretName(value string) string { | func formatSecretName(value string) string { | ||||||
| 	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 { | 	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 { | ||||||
| 		return value | 		return value | ||||||
| @@ -97,15 +98,36 @@ func formatSecretName(value string) string { | |||||||
| 	return createValidSecretName(value) | 	return createValidSecretName(value) | ||||||
| } | } | ||||||
|  |  | ||||||
| var invalidDNS1123Chars = regexp.MustCompile("[^a-zA-Z0-9-_.]+") | // formatSecretDataName rewrites a value to be a valid Secret data key. | ||||||
|  | // | ||||||
|  | // The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.` | ||||||
|  | // (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets) | ||||||
|  | func formatSecretDataName(value string) string { | ||||||
|  | 	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 { | ||||||
|  | 		return value | ||||||
|  | 	} | ||||||
|  | 	return createValidSecretDataName(value) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+") | ||||||
|  |  | ||||||
| func createValidSecretName(value string) string { | func createValidSecretName(value string) string { | ||||||
| 	result := invalidDNS1123Chars.ReplaceAllString(value, "-") | 	result := strings.ToLower(value) | ||||||
|  | 	result = invalidDNS1123Chars.ReplaceAllString(result, "-") | ||||||
|  |  | ||||||
| 	if len(result) > kubeValidate.DNS1123SubdomainMaxLength { | 	if len(result) > kubeValidate.DNS1123SubdomainMaxLength { | ||||||
| 		result = result[0:kubeValidate.DNS1123SubdomainMaxLength] | 		result = result[0:kubeValidate.DNS1123SubdomainMaxLength] | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	// first and last character MUST be alphanumeric | 	// first and last character MUST be alphanumeric | ||||||
| 	return strings.Trim(result, "-._") | 	return strings.Trim(result, "-.") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+") | ||||||
|  | var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)") | ||||||
|  |  | ||||||
|  | func createValidSecretDataName(value string) string { | ||||||
|  | 	result := invalidStartEndChars.ReplaceAllString(value, "") | ||||||
|  | 	result = invalidDataChars.ReplaceAllString(result, "-") | ||||||
|  | 	return result | ||||||
| } | } | ||||||
|   | |||||||
| @@ -3,13 +3,13 @@ package kubernetessecrets | |||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" |  | ||||||
| 	"strings" | 	"strings" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	"github.com/1Password/connect-sdk-go/onepassword" | 	"github.com/1Password/connect-sdk-go/onepassword" | ||||||
| 	corev1 "k8s.io/api/core/v1" | 	corev1 "k8s.io/api/core/v1" | ||||||
| 	"k8s.io/apimachinery/pkg/types" | 	"k8s.io/apimachinery/pkg/types" | ||||||
|  | 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | ||||||
| 	"k8s.io/client-go/kubernetes" | 	"k8s.io/client-go/kubernetes" | ||||||
| 	"sigs.k8s.io/controller-runtime/pkg/client/fake" | 	"sigs.k8s.io/controller-runtime/pkg/client/fake" | ||||||
| ) | ) | ||||||
| @@ -102,7 +102,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) { | |||||||
| 	item.Fields = generateFields(5) | 	item.Fields = generateFields(5) | ||||||
|  |  | ||||||
| 	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item) | 	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item) | ||||||
| 	if kubeSecret.Name != name { | 	if kubeSecret.Name != strings.ToLower(name) { | ||||||
| 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name) | 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name) | ||||||
| 	} | 	} | ||||||
| 	if kubeSecret.Namespace != namespace { | 	if kubeSecret.Namespace != namespace { | ||||||
| @@ -116,7 +116,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) { | |||||||
|  |  | ||||||
| func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) { | func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) { | ||||||
| 	name := "inV@l1d k8s secret%name" | 	name := "inV@l1d k8s secret%name" | ||||||
| 	expectedName := "inV-l1d-k8s-secret-name" | 	expectedName := "inv-l1d-k8s-secret-name" | ||||||
| 	namespace := "someNamespace" | 	namespace := "someNamespace" | ||||||
| 	annotations := map[string]string{ | 	annotations := map[string]string{ | ||||||
| 		"annotationKey": "annotationValue", | 		"annotationKey": "annotationValue", | ||||||
| @@ -129,7 +129,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) { | |||||||
| 			Value: "value1", | 			Value: "value1", | ||||||
| 		}, | 		}, | ||||||
| 		{ | 		{ | ||||||
| 			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1), | 			Label: strings.Repeat("x", kubeValidate.LabelValueMaxLength+1), | ||||||
| 			Value: "name exceeds max length", | 			Value: "name exceeds max length", | ||||||
| 		}, | 		}, | ||||||
| 	} | 	} | ||||||
| @@ -205,7 +205,7 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) { | |||||||
| } | } | ||||||
|  |  | ||||||
| func validLabel(v string) bool { | func validLabel(v string) bool { | ||||||
| 	if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 { | 	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 { | ||||||
| 		return false | 		return false | ||||||
| 	} | 	} | ||||||
| 	return true | 	return true | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Eddy Filip
					Eddy Filip