Make secret names DNS1123 Subdomain compiant

This is done while ensuring that secret keys are compliant (contain alphanumeric characters, `-`, `_` and `.`)
This commit is contained in:
Eddy Filip
2021-09-08 15:36:40 +03:00
parent d80e8dd799
commit a45a310611
3 changed files with 42 additions and 20 deletions

View File

@@ -232,7 +232,7 @@ var tests = []testReconcileItem{
expectedError: nil, expectedError: nil,
expectedResultSecret: &corev1.Secret{ expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "my-sECReT-it3m", Name: "my-secret-it3m",
Namespace: namespace, Namespace: namespace,
Annotations: map[string]string{ Annotations: map[string]string{
op.VersionAnnotation: fmt.Sprint(version), op.VersionAnnotation: fmt.Sprint(version),
@@ -264,7 +264,7 @@ var tests = []testReconcileItem{
expectedError: nil, expectedError: nil,
expectedResultSecret: &corev1.Secret{ expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "my-sECReT-it3m", Name: "my-secret-it3m",
Namespace: namespace, Namespace: namespace,
Annotations: map[string]string{ Annotations: map[string]string{
op.VersionAnnotation: fmt.Sprint(version), op.VersionAnnotation: fmt.Sprint(version),
@@ -287,7 +287,7 @@ var tests = []testReconcileItem{
}, },
}, },
{ {
testName: "Secret from 1Password item with `_` and `.`", testName: "Secret from 1Password item with `-`, `_` and `.`",
customResource: &onepasswordv1.OnePasswordItem{ customResource: &onepasswordv1.OnePasswordItem{
TypeMeta: metav1.TypeMeta{ TypeMeta: metav1.TypeMeta{
Kind: onePasswordItemKind, Kind: onePasswordItemKind,
@@ -305,18 +305,18 @@ var tests = []testReconcileItem{
expectedError: nil, expectedError: nil,
expectedResultSecret: &corev1.Secret{ expectedResultSecret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "my_sECReT.it3m", Name: "my-secret.it3m",
Namespace: namespace, Namespace: namespace,
Annotations: map[string]string{ Annotations: map[string]string{
op.VersionAnnotation: fmt.Sprint(version), op.VersionAnnotation: fmt.Sprint(version),
}, },
}, },
Data: map[string][]byte{ Data: map[string][]byte{
"password": []byte(password), "password": []byte(password),
"username": []byte(username), "username": []byte(username),
"first-host": []byte(firstHost), "first-host": []byte(firstHost),
"AWS-Access-Key": []byte(awsKey), "AWS-Access-Key": []byte(awsKey),
"ice_cream.type": []byte(iceCream), "-_ice_cream.type.": []byte(iceCream),
}, },
}, },
opItem: map[string]string{ opItem: map[string]string{

View File

@@ -80,16 +80,17 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
secretData := map[string][]byte{} secretData := map[string][]byte{}
for i := 0; i < len(fields); i++ { for i := 0; i < len(fields); i++ {
if fields[i].Value != "" { if fields[i].Value != "" {
key := formatSecretName(fields[i].Label) key := formatSecretDataName(fields[i].Label)
secretData[key] = []byte(fields[i].Value) secretData[key] = []byte(fields[i].Value)
} }
} }
return secretData return secretData
} }
// formatSecretName rewrites a value to be a valid Secret name or Secret data key. // formatSecretName rewrites a value to be a valid Secret name.
// //
// The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets) // The Secret meta.name and data keys must be valid DNS subdomain names
// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
func formatSecretName(value string) string { func formatSecretName(value string) string {
if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 { if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
return value return value
@@ -97,15 +98,36 @@ func formatSecretName(value string) string {
return createValidSecretName(value) return createValidSecretName(value)
} }
var invalidDNS1123Chars = regexp.MustCompile("[^a-zA-Z0-9-_.]+") // formatSecretDataName rewrites a value to be a valid Secret data key.
//
// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
func formatSecretDataName(value string) string {
if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
return value
}
return createValidSecretDataName(value)
}
var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
func createValidSecretName(value string) string { func createValidSecretName(value string) string {
result := invalidDNS1123Chars.ReplaceAllString(value, "-") result := strings.ToLower(value)
result = invalidDNS1123Chars.ReplaceAllString(result, "-")
if len(result) > kubeValidate.DNS1123SubdomainMaxLength { if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
result = result[0:kubeValidate.DNS1123SubdomainMaxLength] result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
} }
// first and last character MUST be alphanumeric // first and last character MUST be alphanumeric
return strings.Trim(result, "-._") return strings.Trim(result, "-.")
}
var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
func createValidSecretDataName(value string) string {
result := invalidStartEndChars.ReplaceAllString(value, "")
result = invalidDataChars.ReplaceAllString(result, "-")
return result
} }

View File

@@ -3,13 +3,13 @@ package kubernetessecrets
import ( import (
"context" "context"
"fmt" "fmt"
kubeValidate "k8s.io/apimachinery/pkg/util/validation"
"strings" "strings"
"testing" "testing"
"github.com/1Password/connect-sdk-go/onepassword" "github.com/1Password/connect-sdk-go/onepassword"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
kubeValidate "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
"sigs.k8s.io/controller-runtime/pkg/client/fake" "sigs.k8s.io/controller-runtime/pkg/client/fake"
) )
@@ -102,7 +102,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
item.Fields = generateFields(5) item.Fields = generateFields(5)
kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item) kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
if kubeSecret.Name != name { if kubeSecret.Name != strings.ToLower(name) {
t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name) t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
} }
if kubeSecret.Namespace != namespace { if kubeSecret.Namespace != namespace {
@@ -116,7 +116,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) { func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
name := "inV@l1d k8s secret%name" name := "inV@l1d k8s secret%name"
expectedName := "inV-l1d-k8s-secret-name" expectedName := "inv-l1d-k8s-secret-name"
namespace := "someNamespace" namespace := "someNamespace"
annotations := map[string]string{ annotations := map[string]string{
"annotationKey": "annotationValue", "annotationKey": "annotationValue",
@@ -129,7 +129,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
Value: "value1", Value: "value1",
}, },
{ {
Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1), Label: strings.Repeat("x", kubeValidate.LabelValueMaxLength+1),
Value: "name exceeds max length", Value: "name exceeds max length",
}, },
} }
@@ -205,7 +205,7 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
} }
func validLabel(v string) bool { func validLabel(v string) bool {
if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 { if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
return false return false
} }
return true return true