	Compare commits
	
		
			3 Commits
		
	
	
		
			v1.1.0
			...
			feature/se
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|   | 717f9bc33f | ||
|   | d9e003bdb7 | ||
|   | b25f943b3a | 
| @@ -1,11 +1,16 @@ | |||||||
| package onepassword | package onepassword | ||||||
|  |  | ||||||
| import corev1 "k8s.io/api/core/v1" | import ( | ||||||
|  | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | ) | ||||||
|  |  | ||||||
| func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool { | func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool { | ||||||
| 	for i := 0; i < len(containers); i++ { | 	for i := 0; i < len(containers); i++ { | ||||||
| 		envVariables := containers[i].Env | 		envVariables := containers[i].Env | ||||||
|  | 		envVariableNames := map[string]struct{}{} | ||||||
|  |  | ||||||
| 		for j := 0; j < len(envVariables); j++ { | 		for j := 0; j < len(envVariables); j++ { | ||||||
|  | 			envVariableNames[envVariables[j].Name] = struct{}{} | ||||||
| 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil { | 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil { | ||||||
| 				_, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name] | 				_, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name] | ||||||
| 				if ok { | 				if ok { | ||||||
| @@ -13,6 +18,19 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string | |||||||
| 				} | 				} | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
|  | 		envFromVariables := containers[i].EnvFrom | ||||||
|  | 		for j := 0; j < len(envFromVariables); j++ { | ||||||
|  | 			if envFromVariables[j].SecretRef != nil { | ||||||
|  | 				// Skip env variables that will be overwritten by Env | ||||||
|  | 				if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok { | ||||||
|  | 					continue; | ||||||
|  | 				} | ||||||
|  | 				_, ok := secrets[envFromVariables[j].SecretRef.Name] | ||||||
|  | 				if ok { | ||||||
|  | 					return true | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
| 	return false | 	return false | ||||||
| } | } | ||||||
| @@ -20,7 +38,10 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string | |||||||
| func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | ||||||
| 	for i := 0; i < len(containers); i++ { | 	for i := 0; i < len(containers); i++ { | ||||||
| 		envVariables := containers[i].Env | 		envVariables := containers[i].Env | ||||||
|  | 		envVariableNames := map[string]struct{}{} | ||||||
|  |  | ||||||
| 		for j := 0; j < len(envVariables); j++ { | 		for j := 0; j < len(envVariables); j++ { | ||||||
|  | 			envVariableNames[envVariables[j].Name] = struct{}{} | ||||||
| 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil { | 			if envVariables[j].ValueFrom != nil && envVariables[j].ValueFrom.SecretKeyRef != nil { | ||||||
| 				secret, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name] | 				secret, ok := secrets[envVariables[j].ValueFrom.SecretKeyRef.Name] | ||||||
| 				if ok { | 				if ok { | ||||||
| @@ -28,6 +49,19 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st | |||||||
| 				} | 				} | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
|  | 		envFromVariables := containers[i].EnvFrom | ||||||
|  | 		for j := 0; j < len(envFromVariables); j++ { | ||||||
|  | 			if envFromVariables[j].SecretRef != nil { | ||||||
|  | 				// Skip env variables that will be overwritten by Env | ||||||
|  | 				if _, ok := envVariableNames[envFromVariables[i].SecretRef.Name]; ok { | ||||||
|  | 					continue; | ||||||
|  | 				} | ||||||
|  | 				secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name] | ||||||
|  | 				if ok { | ||||||
|  | 					updatedDeploymentSecrets[secret.Name] = secret | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
| 	return updatedDeploymentSecrets | 	return updatedDeploymentSecrets | ||||||
| } | } | ||||||
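Review bot: The skip check `envVariableNames[envFromVariables[i].SecretRef.Name]` in the new EnvFrom loops of both AreContainersUsingSecrets and AppendUpdatedContainerSecrets indexes the EnvFrom slice with the container index `i` instead of the inner loop index `j`, so for any container after the first it reads the wrong entry or panics with an index out of range once `i >= len(envFromVariables)`; it should read `if _, ok := envVariableNames[envFromVariables[j].SecretRef.Name]; ok {` in both places (the trailing `;` after `continue` is also not gofmt output). The comparison itself also looks suspect: an envFrom secretRef injects variables named after the secret's keys, while `envVariableNames` holds Env variable names, so this only skips when a variable happens to share the secret's name — confirm that this is the intended override semantics, since a reference skipped by mistake means a rotated secret is not treated as in use and the workload keeps the stale value. The second lookup uses `SecretRef.LocalObjectReference.Name` where the first uses `SecretRef.Name`; both resolve the same embedded field, so one form should be used consistently. The hunks holding these loops begin mid-function; the signatures are in the preceding hunks of this file.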
|   | |||||||
| @@ -4,9 +4,10 @@ import ( | |||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	corev1 "k8s.io/api/core/v1" | 	corev1 "k8s.io/api/core/v1" | ||||||
|  | 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func TestAreContainersUsingSecrets(t *testing.T) { | func TestAreContainersUsingSecretsFromEnv(t *testing.T) { | ||||||
| 	secretNamesToSearch := map[string]*corev1.Secret{ | 	secretNamesToSearch := map[string]*corev1.Secret{ | ||||||
| 		"onepassword-database-secret": &corev1.Secret{}, | 		"onepassword-database-secret": &corev1.Secret{}, | ||||||
| 		"onepassword-api-key":         &corev1.Secret{}, | 		"onepassword-api-key":         &corev1.Secret{}, | ||||||
| @@ -18,7 +19,26 @@ func TestAreContainersUsingSecrets(t *testing.T) { | |||||||
| 		"some_other_key", | 		"some_other_key", | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	containers := generateContainers(containerSecretNames) | 	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames) | ||||||
|  |  | ||||||
|  | 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) { | ||||||
|  | 		t.Errorf("Expected that containers were using secrets but they were not detected.") | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func TestAreContainersUsingSecretsFromEnvFrom(t *testing.T) { | ||||||
|  | 	secretNamesToSearch := map[string]*corev1.Secret{ | ||||||
|  | 		"onepassword-database-secret": {}, | ||||||
|  | 		"onepassword-api-key":         {}, | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	containerSecretNames := []string{ | ||||||
|  | 		"onepassword-database-secret", | ||||||
|  | 		"onepassword-api-key", | ||||||
|  | 		"some_other_key", | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames) | ||||||
|  |  | ||||||
| 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) { | 	if !AreContainersUsingSecrets(containers, secretNamesToSearch) { | ||||||
| 		t.Errorf("Expected that containers were using secrets but they were not detected.") | 		t.Errorf("Expected that containers were using secrets but they were not detected.") | ||||||
| @@ -27,17 +47,39 @@ func TestAreContainersUsingSecrets(t *testing.T) { | |||||||
|  |  | ||||||
| func TestAreContainersNotUsingSecrets(t *testing.T) { | func TestAreContainersNotUsingSecrets(t *testing.T) { | ||||||
| 	secretNamesToSearch := map[string]*corev1.Secret{ | 	secretNamesToSearch := map[string]*corev1.Secret{ | ||||||
| 		"onepassword-database-secret": &corev1.Secret{}, | 		"onepassword-database-secret": {}, | ||||||
| 		"onepassword-api-key":         &corev1.Secret{}, | 		"onepassword-api-key":         {}, | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	containerSecretNames := []string{ | 	containerSecretNames := []string{ | ||||||
| 		"some_other_key", | 		"some_other_key", | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	containers := generateContainers(containerSecretNames) | 	containers := generateContainersWithSecretRefsFromEnv(containerSecretNames) | ||||||
|  |  | ||||||
| 	if AreContainersUsingSecrets(containers, secretNamesToSearch) { | 	if AreContainersUsingSecrets(containers, secretNamesToSearch) { | ||||||
| 		t.Errorf("Expected that containers were not using secrets but they were detected.") | 		t.Errorf("Expected that containers were not using secrets but they were detected.") | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func TestAppendUpdatedContainerSecretsParsesEnvFromEnv(t *testing.T) { | ||||||
|  | 	secretNamesToSearch := map[string]*corev1.Secret{ | ||||||
|  | 		"onepassword-database-secret": {}, | ||||||
|  | 		"onepassword-api-key":         {ObjectMeta: metav1.ObjectMeta{Name: "onepassword-api-key"}}, | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	containerSecretNames := []string{ | ||||||
|  | 		"onepassword-api-key", | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	containers := generateContainersWithSecretRefsFromEnvFrom(containerSecretNames) | ||||||
|  |  | ||||||
|  | 	updatedDeploymentSecrets := map[string]*corev1.Secret{} | ||||||
|  | 	updatedDeploymentSecrets = AppendUpdatedContainerSecrets(containers, secretNamesToSearch, updatedDeploymentSecrets) | ||||||
|  |  | ||||||
|  | 	secretKeyName := "onepassword-api-key" | ||||||
|  |  | ||||||
|  | 	if updatedDeploymentSecrets[secretKeyName] != secretNamesToSearch[secretKeyName] { | ||||||
|  | 		t.Errorf("Expected that updated Secret from envfrom is found.") | ||||||
|  | 	} | ||||||
|  | } | ||||||
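Review bot: None of the new tests exercises the `Env`-shadowing `continue` path or reaches an EnvFrom entry of a container at index `i > 0` before an early return, so the skip logic introduced in containers.go runs untested; a case with one container holding an EnvFrom `SecretRef` whose name is also present in `Env`, and a case whose first container references an unknown secret before a later container matches, would cover both. `TestAppendUpdatedContainerSecretsParsesEnvFromEnv` builds its containers with `generateContainersWithSecretRefsFromEnvFrom`, so `TestAppendUpdatedContainerSecretsParsesEnvFrom` would describe what it checks. The first hunk of this file begins inside the import block shown only partially here.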
|   | |||||||
| @@ -39,7 +39,7 @@ func TestIsDeploymentUsingSecretsUsingContainers(t *testing.T) { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	deployment := &appsv1.Deployment{} | 	deployment := &appsv1.Deployment{} | ||||||
| 	deployment.Spec.Template.Spec.Containers = generateContainers(containerSecretNames) | 	deployment.Spec.Template.Spec.Containers = generateContainersWithSecretRefsFromEnv(containerSecretNames) | ||||||
| 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) { | 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) { | ||||||
| 		t.Errorf("Expected that deployment was using secrets but they were not detected.") | 		t.Errorf("Expected that deployment was using secrets but they were not detected.") | ||||||
| 	} | 	} | ||||||
|   | |||||||
| @@ -17,8 +17,7 @@ func generateVolumes(names []string) []corev1.Volume { | |||||||
| 	} | 	} | ||||||
| 	return volumes | 	return volumes | ||||||
| } | } | ||||||
|  | func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container { | ||||||
| func generateContainers(names []string) []corev1.Container { |  | ||||||
| 	containers := []corev1.Container{} | 	containers := []corev1.Container{} | ||||||
| 	for i := 0; i < len(names); i++ { | 	for i := 0; i < len(names); i++ { | ||||||
| 		container := corev1.Container{ | 		container := corev1.Container{ | ||||||
| @@ -40,3 +39,16 @@ func generateContainers(names []string) []corev1.Container { | |||||||
| 	} | 	} | ||||||
| 	return containers | 	return containers | ||||||
| } | } | ||||||
|  |  | ||||||
|  | func generateContainersWithSecretRefsFromEnvFrom(names []string) []corev1.Container { | ||||||
|  | 	containers := []corev1.Container{} | ||||||
|  | 	for i := 0; i < len(names); i++ { | ||||||
|  | 		container := corev1.Container{ | ||||||
|  | 			EnvFrom: []corev1.EnvFromSource{ | ||||||
|  | 				{SecretRef: &corev1.SecretEnvSource{LocalObjectReference: corev1.LocalObjectReference{Name: names[i]}}}, | ||||||
|  | 			}, | ||||||
|  | 		} | ||||||
|  | 		containers = append(containers, container) | ||||||
|  | 	} | ||||||
|  | 	return containers | ||||||
|  | } | ||||||
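Review bot: The blank line that separated `generateVolumes` from the renamed `generateContainersWithSecretRefsFromEnv` is dropped at the new `func` line, so the two declarations now abut while the rest of the file keeps one blank line between top-level declarations; restore it. The new `generateContainersWithSecretRefsFromEnvFrom` gives every container exactly one `EnvFrom` entry and no `Env`, which means callers can never exercise more than the first entry of the EnvFrom loop or the Env/EnvFrom interaction; a variant taking several names per container, or adding an `Env` entry alongside the `EnvFrom`, would make the new code paths testable.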
|   | |||||||