mirror of
https://github.com/1Password/onepassword-operator.git
synced 2025-10-22 15:38:06 +00:00
Make secret names DNS1123 Subdomain compiant
This is done while ensuring that secret keys are compliant (contain alphanumeric characters, `-`, `_` and `.`)
This commit is contained in:
@@ -232,7 +232,7 @@ var tests = []testReconcileItem{
|
|||||||
expectedError: nil,
|
expectedError: nil,
|
||||||
expectedResultSecret: &corev1.Secret{
|
expectedResultSecret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "my-sECReT-it3m",
|
Name: "my-secret-it3m",
|
||||||
Namespace: namespace,
|
Namespace: namespace,
|
||||||
Annotations: map[string]string{
|
Annotations: map[string]string{
|
||||||
op.VersionAnnotation: fmt.Sprint(version),
|
op.VersionAnnotation: fmt.Sprint(version),
|
||||||
@@ -264,7 +264,7 @@ var tests = []testReconcileItem{
|
|||||||
expectedError: nil,
|
expectedError: nil,
|
||||||
expectedResultSecret: &corev1.Secret{
|
expectedResultSecret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "my-sECReT-it3m",
|
Name: "my-secret-it3m",
|
||||||
Namespace: namespace,
|
Namespace: namespace,
|
||||||
Annotations: map[string]string{
|
Annotations: map[string]string{
|
||||||
op.VersionAnnotation: fmt.Sprint(version),
|
op.VersionAnnotation: fmt.Sprint(version),
|
||||||
@@ -287,7 +287,7 @@ var tests = []testReconcileItem{
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
testName: "Secret from 1Password item with `_` and `.`",
|
testName: "Secret from 1Password item with `-`, `_` and `.`",
|
||||||
customResource: &onepasswordv1.OnePasswordItem{
|
customResource: &onepasswordv1.OnePasswordItem{
|
||||||
TypeMeta: metav1.TypeMeta{
|
TypeMeta: metav1.TypeMeta{
|
||||||
Kind: onePasswordItemKind,
|
Kind: onePasswordItemKind,
|
||||||
@@ -305,18 +305,18 @@ var tests = []testReconcileItem{
|
|||||||
expectedError: nil,
|
expectedError: nil,
|
||||||
expectedResultSecret: &corev1.Secret{
|
expectedResultSecret: &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "my_sECReT.it3m",
|
Name: "my-secret.it3m",
|
||||||
Namespace: namespace,
|
Namespace: namespace,
|
||||||
Annotations: map[string]string{
|
Annotations: map[string]string{
|
||||||
op.VersionAnnotation: fmt.Sprint(version),
|
op.VersionAnnotation: fmt.Sprint(version),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Data: map[string][]byte{
|
Data: map[string][]byte{
|
||||||
"password": []byte(password),
|
"password": []byte(password),
|
||||||
"username": []byte(username),
|
"username": []byte(username),
|
||||||
"first-host": []byte(firstHost),
|
"first-host": []byte(firstHost),
|
||||||
"AWS-Access-Key": []byte(awsKey),
|
"AWS-Access-Key": []byte(awsKey),
|
||||||
"ice_cream.type": []byte(iceCream),
|
"-_ice_cream.type.": []byte(iceCream),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
opItem: map[string]string{
|
opItem: map[string]string{
|
||||||
|
@@ -80,16 +80,17 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
|
|||||||
secretData := map[string][]byte{}
|
secretData := map[string][]byte{}
|
||||||
for i := 0; i < len(fields); i++ {
|
for i := 0; i < len(fields); i++ {
|
||||||
if fields[i].Value != "" {
|
if fields[i].Value != "" {
|
||||||
key := formatSecretName(fields[i].Label)
|
key := formatSecretDataName(fields[i].Label)
|
||||||
secretData[key] = []byte(fields[i].Value)
|
secretData[key] = []byte(fields[i].Value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return secretData
|
return secretData
|
||||||
}
|
}
|
||||||
|
|
||||||
// formatSecretName rewrites a value to be a valid Secret name or Secret data key.
|
// formatSecretName rewrites a value to be a valid Secret name.
|
||||||
//
|
//
|
||||||
// The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
|
// The Secret meta.name and data keys must be valid DNS subdomain names
|
||||||
|
// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
|
||||||
func formatSecretName(value string) string {
|
func formatSecretName(value string) string {
|
||||||
if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
|
if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
|
||||||
return value
|
return value
|
||||||
@@ -97,15 +98,36 @@ func formatSecretName(value string) string {
|
|||||||
return createValidSecretName(value)
|
return createValidSecretName(value)
|
||||||
}
|
}
|
||||||
|
|
||||||
var invalidDNS1123Chars = regexp.MustCompile("[^a-zA-Z0-9-_.]+")
|
// formatSecretDataName rewrites a value to be a valid Secret data key.
|
||||||
|
//
|
||||||
|
// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
|
||||||
|
// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
|
||||||
|
func formatSecretDataName(value string) string {
|
||||||
|
if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
|
||||||
|
return value
|
||||||
|
}
|
||||||
|
return createValidSecretDataName(value)
|
||||||
|
}
|
||||||
|
|
||||||
|
var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
|
||||||
|
|
||||||
func createValidSecretName(value string) string {
|
func createValidSecretName(value string) string {
|
||||||
result := invalidDNS1123Chars.ReplaceAllString(value, "-")
|
result := strings.ToLower(value)
|
||||||
|
result = invalidDNS1123Chars.ReplaceAllString(result, "-")
|
||||||
|
|
||||||
if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
|
if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
|
||||||
result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
|
result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
|
||||||
}
|
}
|
||||||
|
|
||||||
// first and last character MUST be alphanumeric
|
// first and last character MUST be alphanumeric
|
||||||
return strings.Trim(result, "-._")
|
return strings.Trim(result, "-.")
|
||||||
|
}
|
||||||
|
|
||||||
|
var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
|
||||||
|
var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
|
||||||
|
|
||||||
|
func createValidSecretDataName(value string) string {
|
||||||
|
result := invalidStartEndChars.ReplaceAllString(value, "")
|
||||||
|
result = invalidDataChars.ReplaceAllString(result, "-")
|
||||||
|
return result
|
||||||
}
|
}
|
||||||
|
@@ -3,13 +3,13 @@ package kubernetessecrets
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
kubeValidate "k8s.io/apimachinery/pkg/util/validation"
|
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/1Password/connect-sdk-go/onepassword"
|
"github.com/1Password/connect-sdk-go/onepassword"
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
|
kubeValidate "k8s.io/apimachinery/pkg/util/validation"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
||||||
)
|
)
|
||||||
@@ -102,7 +102,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
|
|||||||
item.Fields = generateFields(5)
|
item.Fields = generateFields(5)
|
||||||
|
|
||||||
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
|
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
|
||||||
if kubeSecret.Name != name {
|
if kubeSecret.Name != strings.ToLower(name) {
|
||||||
t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
|
t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
|
||||||
}
|
}
|
||||||
if kubeSecret.Namespace != namespace {
|
if kubeSecret.Namespace != namespace {
|
||||||
@@ -116,7 +116,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
|
|||||||
|
|
||||||
func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
|
func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
|
||||||
name := "inV@l1d k8s secret%name"
|
name := "inV@l1d k8s secret%name"
|
||||||
expectedName := "inV-l1d-k8s-secret-name"
|
expectedName := "inv-l1d-k8s-secret-name"
|
||||||
namespace := "someNamespace"
|
namespace := "someNamespace"
|
||||||
annotations := map[string]string{
|
annotations := map[string]string{
|
||||||
"annotationKey": "annotationValue",
|
"annotationKey": "annotationValue",
|
||||||
@@ -129,7 +129,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
|
|||||||
Value: "value1",
|
Value: "value1",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
|
Label: strings.Repeat("x", kubeValidate.LabelValueMaxLength+1),
|
||||||
Value: "name exceeds max length",
|
Value: "name exceeds max length",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@@ -205,7 +205,7 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func validLabel(v string) bool {
|
func validLabel(v string) bool {
|
||||||
if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 {
|
if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
return true
|
return true
|
||||||
|
Reference in New Issue
Block a user