Merge pull request #173 from 1Password/release/v1.8.0

Preparing release v1.8.0

.VERSION

@@ -1 +1 @@
-1.7.1
+1.8.0

CHANGELOG.md

@@ -12,6 +12,14 @@
 
 ---
 
+[//]: # (START/v1.8.0)
+# v1.8.0
+
+## Features
+  * Added volume projected detection. Credit to @mmorejon. {#168}
+
+---
+
 [//]: # (START/v1.7.1)
 # v1.7.1
 

pkg/onepassword/deployments_test.go

@@ -9,18 +9,30 @@ import (
 
 func TestIsDeploymentUsingSecretsUsingVolumes(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
+		"onepassword-database-secret":  {},
-		"onepassword-api-key":         {},
+		"onepassword-api-key":          {},
+		"onepassword-app-token":        {},
+		"onepassword-user-credentials": {},
 	}
 
 	volumeSecretNames := []string{
 		"onepassword-database-secret",
 		"onepassword-api-key",
-		"some_other_key",
 	}
 
+	volumes := generateVolumes(volumeSecretNames)
+
+	volumeProjectedSecretNames := []string{
+		"onepassword-app-token",
+		"onepassword-user-credentials",
+	}
+
+	volumeProjected := generateVolumesProjected(volumeProjectedSecretNames)
+
+	volumes = append(volumes, volumeProjected)
+
 	deployment := &appsv1.Deployment{}
-	deployment.Spec.Template.Spec.Volumes = generateVolumes(volumeSecretNames)
+	deployment.Spec.Template.Spec.Volumes = volumes
 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
 		t.Errorf("Expected that deployment was using secrets but they were not detected.")
 	}

pkg/onepassword/object_generators_for_test.go

@@ -17,6 +17,29 @@ func generateVolumes(names []string) []corev1.Volume {
 	}
 	return volumes
 }
+func generateVolumesProjected(names []string) corev1.Volume {
+	volumesProjection := []corev1.VolumeProjection{}
+	for i := 0; i < len(names); i++ {
+		volumeProjection := corev1.VolumeProjection{
+			Secret: &corev1.SecretProjection{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: names[i],
+				},
+			},
+		}
+		volumesProjection = append(volumesProjection, volumeProjection)
+	}
+	volume := corev1.Volume{
+		Name: "someName",
+		VolumeSource: corev1.VolumeSource{
+			Projected: &corev1.ProjectedVolumeSource{
+				Sources: volumesProjection,
+			},
+		},
+	}
+
+	return volume
+}
 func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
 	containers := []corev1.Container{}
 	for i := 0; i < len(names); i++ {

pkg/onepassword/volumes.go

@@ -4,26 +4,55 @@ import corev1 "k8s.io/api/core/v1"
 
 func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret) bool {
 	for i := 0; i < len(volumes); i++ {
-		if secret := volumes[i].Secret; secret != nil {
+		secret := IsVolumeUsingSecret(volumes[i], secrets)
-			secretName := secret.SecretName
+		secretProjection := IsVolumeUsingSecretProjection(volumes[i], secrets)
-			_, ok := secrets[secretName]
+		if secret == nil && secretProjection == nil {
-			if ok {
+			return false
-				return true
-			}
 		}
 	}
-	return false
+	if len(volumes) == 0 {
+		return false
+	}
+	return true
 }
 
 func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
 	for i := 0; i < len(volumes); i++ {
-		if secret := volumes[i].Secret; secret != nil {
+		secret := IsVolumeUsingSecret(volumes[i], secrets)
-			secretName := secret.SecretName
+		if secret != nil {
-			secret, ok := secrets[secretName]
+			updatedDeploymentSecrets[secret.Name] = secret
-			if ok {
+		} else {
-				updatedDeploymentSecrets[secret.Name] = secret
+			secretProjection := IsVolumeUsingSecretProjection(volumes[i], secrets)
+			if secretProjection != nil {
+				updatedDeploymentSecrets[secretProjection.Name] = secretProjection
 			}
 		}
 	}
 	return updatedDeploymentSecrets
 }
+
+func IsVolumeUsingSecret(volume corev1.Volume, secrets map[string]*corev1.Secret) *corev1.Secret {
+	if secret := volume.Secret; secret != nil {
+		secretName := secret.SecretName
+		secretFound, ok := secrets[secretName]
+		if ok {
+			return secretFound
+		}
+	}
+	return nil
+}
+
+func IsVolumeUsingSecretProjection(volume corev1.Volume, secrets map[string]*corev1.Secret) *corev1.Secret {
+	if volume.Projected != nil {
+		for i := 0; i < len(volume.Projected.Sources); i++ {
+			if secret := volume.Projected.Sources[i].Secret; secret != nil {
+				secretName := secret.Name
+				secretFound, ok := secrets[secretName]
+				if ok {
+					return secretFound
+				}
+			}
+		}
+	}
+	return nil
+}

pkg/onepassword/volumes_test.go

@@ -8,18 +8,28 @@ import (
 
 func TestAreVolmesUsingSecrets(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
+		"onepassword-database-secret":  {},
-		"onepassword-api-key":         {},
+		"onepassword-api-key":          {},
+		"onepassword-app-token":        {},
+		"onepassword-user-credentials": {},
 	}
 
 	volumeSecretNames := []string{
 		"onepassword-database-secret",
 		"onepassword-api-key",
-		"some_other_key",
 	}
 
 	volumes := generateVolumes(volumeSecretNames)
 
+	volumeProjectedSecretNames := []string{
+		"onepassword-app-token",
+		"onepassword-user-credentials",
+	}
+
+	volumeProjected := generateVolumesProjected(volumeProjectedSecretNames)
+
+	volumes = append(volumes, volumeProjected)
+
 	if !AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
 		t.Errorf("Expected that volumes were using secrets but they were not detected.")
 	}

version/version.go

@@ -1,6 +1,6 @@
 package version
 
 var (
-	OperatorVersion    = "1.6.0"
+	OperatorVersion    = "1.8.0"
 	OperatorSDKVersion = "1.29.0"
 )