mirror of
https://github.com/1Password/onepassword-operator.git
synced 2025-10-22 07:28:06 +00:00
Merge pull request #74 from Nuglif/main
Verify secrets and FromEnv in addition to Env
This commit is contained in:
Marton Soos
@@ -1,6 +1,8 @@
|
|||||||
package onepassword
|
package onepassword
|
||||||
|
|
||||||
import corev1 "k8s.io/api/core/v1"
|
import (
|
||||||
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
)
|
||||||
|
|
||||||
func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
|
func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
|
||||||
for i := 0; i < len(containers); i++ {
|
for i := 0; i < len(containers); i++ {
|
||||||
@@ -13,6 +15,15 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
envFromVariables := containers[i].EnvFrom
|
||||||
|
for j := 0; j < len(envFromVariables); j++ {
|
||||||
|
if envFromVariables[j].SecretRef != nil {
|
||||||
|
_, ok := secrets[envFromVariables[j].SecretRef.Name]
|
||||||
|
if ok {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
@@ -28,6 +39,15 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
envFromVariables := containers[i].EnvFrom
|
||||||
|
for j := 0; j < len(envFromVariables); j++ {
|
||||||
|
if envFromVariables[j].SecretRef != nil {
|
||||||
|
secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name]
|
||||||
|
if ok {
|
||||||
|
updatedDeploymentSecrets[secret.Name] = secret
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return updatedDeploymentSecrets
|
return updatedDeploymentSecrets
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,9 +4,10 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestAreContainersUsingSecrets(t *testing.T) {
|
func TestAreContainersUsingSecretsFromEnv(t *testing.T) {
|
||||||
secretNamesToSearch := map[string]*corev1.Secret{
|
secretNamesToSearch := map[string]*corev1.Secret{
|
||||||
"onepassword-database-secret": &corev1.Secret{},
|
"onepassword-database-secret": &corev1.Secret{},
|
||||||
"onepassword-api-key": &corev1.Secret{},
|
"onepassword-api-key": &corev1.Secret{},
|
||||||
@@ -18,7 +19,26 @@ func TestAreContainersUsingSecrets(t *testing.T) {
|
|||||||
"some_other_key",
|
"some_other_key",
|
||||||
}
|
}
|
||||||
|
|
||||||
containers := generateContainers(containerSecretNames)
|
containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
|
||||||
|
|
||||||
|
if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
|
||||||
|
t.Errorf("Expected that containers were using secrets but they were not detected.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAreContainersUsingSecretsFromEnvFrom(t *testing.T) {
|
||||||
|
secretNamesToSearch := map[string]*corev1.Secret{
|
||||||
|
"onepassword-database-secret": {},
|
||||||
|
"onepassword-api-key": {},
|
||||||
|
}
|
||||||
|
|
||||||
|
containerSecretNames := []string{
|
||||||
|
"onepassword-database-secret",
|
||||||
|
"onepassword-api-key",
|
||||||
|
"some_other_key",
|
||||||
|
}
|
||||||
|
|
||||||
|
containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
|
||||||
|
|
||||||
if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
|
if !AreContainersUsingSecrets(containers, secretNamesToSearch) {
|
||||||
t.Errorf("Expected that containers were using secrets but they were not detected.")
|
t.Errorf("Expected that containers were using secrets but they were not detected.")
|
||||||
@@ -27,17 +47,39 @@ func TestAreContainersUsingSecrets(t *testing.T) {
|
|||||||
|
|
||||||
func TestAreContainersNotUsingSecrets(t *testing.T) {
|
func TestAreContainersNotUsingSecrets(t *testing.T) {
|
||||||
secretNamesToSearch := map[string]*corev1.Secret{
|
secretNamesToSearch := map[string]*corev1.Secret{
|
||||||
"onepassword-database-secret": &corev1.Secret{},
|
"onepassword-database-secret": {},
|
||||||
"onepassword-api-key": &corev1.Secret{},
|
"onepassword-api-key": {},
|
||||||
}
|
}
|
||||||
|
|
||||||
containerSecretNames := []string{
|
containerSecretNames := []string{
|
||||||
"some_other_key",
|
"some_other_key",
|
||||||
}
|
}
|
||||||
|
|
||||||
containers := generateContainers(containerSecretNames)
|
containers := generateContainersWithSecretRefsFromEnv(containerSecretNames)
|
||||||
|
|
||||||
if AreContainersUsingSecrets(containers, secretNamesToSearch) {
|
if AreContainersUsingSecrets(containers, secretNamesToSearch) {
|
||||||
t.Errorf("Expected that containers were not using secrets but they were detected.")
|
t.Errorf("Expected that containers were not using secrets but they were detected.")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAppendUpdatedContainerSecretsParsesEnvFromEnv(t *testing.T) {
|
||||||
|
secretNamesToSearch := map[string]*corev1.Secret{
|
||||||
|
"onepassword-database-secret": {},
|
||||||
|
"onepassword-api-key": {ObjectMeta: metav1.ObjectMeta{Name: "onepassword-api-key"}},
|
||||||
|
}
|
||||||
|
|
||||||
|
containerSecretNames := []string{
|
||||||
|
"onepassword-api-key",
|
||||||
|
}
|
||||||
|
|
||||||
|
containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames)
|
||||||
|
|
||||||
|
updatedDeploymentSecrets := map[string]*corev1.Secret{}
|
||||||
|
updatedDeploymentSecrets = AppendUpdatedContainerSecrets(containers, secretNamesToSearch, updatedDeploymentSecrets)
|
||||||
|
|
||||||
|
secretKeyName := "onepassword-api-key"
|
||||||
|
|
||||||
|
if updatedDeploymentSecrets[secretKeyName] != secretNamesToSearch[secretKeyName] {
|
||||||
|
t.Errorf("Expected that updated Secret from envfrom is found.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -39,7 +39,7 @@ func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
deployment := &appsv1.Deployment{}
|
deployment := &appsv1.Deployment{}
|
||||||
deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames)
|
deployment.Spec.Template.Spec.Containers = generateContainersWithSecretRefsFromEnv(containerSecretNames)
|
||||||
if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
|
if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
|
||||||
t.Errorf("Expected that deployment was using secrets but they were not detected.")
|
t.Errorf("Expected that deployment was using secrets but they were not detected.")
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -17,8 +17,7 @@ func generateVolumes(names []string) []corev1.Volume {
|
|||||||
}
|
}
|
||||||
return volumes
|
return volumes
|
||||||
}
|
}
|
||||||
|
func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
|
||||||
func generateContainers(names []string) []corev1.Container {
|
|
||||||
containers := []corev1.Container{}
|
containers := []corev1.Container{}
|
||||||
for i := 0; i < len(names); i++ {
|
for i := 0; i < len(names); i++ {
|
||||||
container := corev1.Container{
|
container := corev1.Container{
|
||||||
@@ -40,3 +39,16 @@ func generateContainers(names []string) []corev1.Container {
|
|||||||
}
|
}
|
||||||
return containers
|
return containers
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func generateContainersWithSecretRefsFromEnvFrom(names []string) []corev1.Container {
|
||||||
|
containers := []corev1.Container{}
|
||||||
|
for i := 0; i < len(names); i++ {
|
||||||
|
container := corev1.Container{
|
||||||
|
EnvFrom: []corev1.EnvFromSource{
|
||||||
|
{SecretRef: &corev1.SecretEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: names[i]}}},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
containers = append(containers, container)
|
||||||
|
}
|
||||||
|
return containers
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user