mirror of
https://github.com/1Password/onepassword-operator.git
synced 2025-10-21 23:18:06 +00:00
178 lines
6.1 KiB
Go
178 lines
6.1 KiB
Go
package kube
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"time"
|
|
|
|
//nolint:staticcheck // ST1001
|
|
. "github.com/onsi/ginkgo/v2"
|
|
//nolint:staticcheck // ST1001
|
|
. "github.com/onsi/gomega"
|
|
|
|
"github.com/1Password/onepassword-operator/pkg/testhelper/defaults"
|
|
"github.com/1Password/onepassword-operator/pkg/testhelper/system"
|
|
)
|
|
|
|
// CreateSecretFromEnvVar creates a kubernetes secret from an environment variable
|
|
func CreateSecretFromEnvVar(envVar, secretName string) {
|
|
By("Creating '" + secretName + "' secret")
|
|
|
|
value, _ := os.LookupEnv(envVar)
|
|
Expect(value).NotTo(BeEmpty())
|
|
|
|
_, err := system.Run("kubectl", "create", "secret", "generic", secretName, "--from-literal=token="+value)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
}
|
|
|
|
// CreateSecretFromFile creates a kubernetes secret from a file
|
|
func CreateSecretFromFile(fileName, secretName string) {
|
|
By("Creating '" + secretName + "' secret from file")
|
|
_, err := system.Run("kubectl", "create", "secret", "generic", secretName, "--from-file="+fileName)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
}
|
|
|
|
// CreateOpCredentialsSecret creates a kubernetes secret from 1password-credentials.json file
|
|
// encodes it in base64 and saves it to op-session file
|
|
func CreateOpCredentialsSecret() {
|
|
rootDir, err := system.GetProjectRoot()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
credentialsFilePath := filepath.Join(rootDir, "1password-credentials.json")
|
|
data, err := os.ReadFile(credentialsFilePath)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
encoded := base64.RawURLEncoding.EncodeToString(data)
|
|
|
|
// create op-session file in project root
|
|
sessionFilePath := filepath.Join(rootDir, "op-session")
|
|
err = os.WriteFile(sessionFilePath, []byte(encoded), 0o600)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
CreateSecretFromFile("op-session", "op-credentials")
|
|
}
|
|
|
|
// DeleteSecret deletes a kubernetes secret
|
|
func DeleteSecret(name string) {
|
|
By("Deleting '" + name + "' secret")
|
|
_, err := system.Run("kubectl", "delete", "secret", name, "--ignore-not-found=true")
|
|
Expect(err).NotTo(HaveOccurred())
|
|
}
|
|
|
|
// CheckSecretExists checks if a kubernetes secret exists
|
|
func CheckSecretExists(name string) {
|
|
By("Checking '" + name + "' secret exists")
|
|
Eventually(func(g Gomega) {
|
|
output, err := system.Run("kubectl", "get", "secret", name, "-o", "jsonpath={.metadata.name}")
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
g.Expect(output).To(Equal(name))
|
|
}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed())
|
|
}
|
|
|
|
func ReadingSecretData(name, key string) (string, error) {
|
|
return system.Run("kubectl", "get", "secret", name, "-o", "jsonpath={.data."+key+"}")
|
|
}
|
|
|
|
func CheckSecretPasswordWasUpdated(name, oldPassword string) {
|
|
By("Checking '" + name + "' secret password was updated")
|
|
Eventually(func(g Gomega) {
|
|
newPassword, err := ReadingSecretData(name, "password")
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
g.Expect(newPassword).NotTo(Equal(oldPassword))
|
|
}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed())
|
|
}
|
|
|
|
func CheckSecretPasswordNotUpdated(name, newPassword, oldPassword string) {
|
|
By("Ensuring '" + name + "' secret password has NOT been updated")
|
|
|
|
intervalStr := readPullingInterval()
|
|
Expect(intervalStr).NotTo(BeEmpty())
|
|
|
|
i, err := strconv.Atoi(intervalStr)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
interval := time.Duration(i) * time.Second // convert to duration in seconds
|
|
time.Sleep(interval + 2*time.Second) // wait for one polling interval + 2 seconds to make sure updated secret is pulled
|
|
|
|
// read password again
|
|
currentPassword, err := ReadingSecretData(name, "password")
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
Expect(currentPassword).To(Equal(oldPassword))
|
|
Expect(currentPassword).NotTo(Equal(newPassword))
|
|
}
|
|
|
|
// Apply applies a kubernetes manifest file
|
|
func Apply(yamlPath string) {
|
|
_, err := system.Run("kubectl", "apply", "-f", yamlPath)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
}
|
|
|
|
// SetContextNamespace sets the current kubernetes context namespace
|
|
func SetContextNamespace(namespace string) {
|
|
By("Set namespace to " + namespace)
|
|
_, err := system.Run("kubectl", "config", "set-context", "--current", "--namespace="+namespace)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
}
|
|
|
|
// PatchOperatorToUseServiceAccount sets `OP_SERVICE_ACCOUNT_TOKEN` env variable
|
|
var PatchOperatorToUseServiceAccount = withOperatorRestart(func() {
|
|
By("patching the operator deployment with service account token")
|
|
_, err := system.Run(
|
|
"kubectl", "patch", "deployment", "onepassword-connect-operator",
|
|
"--type=json",
|
|
`-p=[{"op":"replace","path":"/spec/template/spec/containers/0/env","value":[
|
|
{"name":"OPERATOR_NAME","value":"onepassword-connect-operator"},
|
|
{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},
|
|
{"name":"WATCH_NAMESPACE","value":"default"},
|
|
{"name":"POLLING_INTERVAL","value":"10"},
|
|
{"name":"AUTO_RESTART","value":"false"},
|
|
{
|
|
"name":"OP_SERVICE_ACCOUNT_TOKEN",
|
|
"valueFrom":{
|
|
"secretKeyRef":{
|
|
"name":"onepassword-service-account-token",
|
|
"key":"token",
|
|
},
|
|
},
|
|
},
|
|
{"name":"MANAGE_CONNECT","value":"false"}
|
|
]}]`,
|
|
)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
// withOperatorRestart is a helper function that restarts the operator deployment
|
|
func withOperatorRestart(operation func()) func() {
|
|
return func() {
|
|
operation()
|
|
|
|
_, err := system.Run("kubectl", "rollout", "status",
|
|
"deployment/onepassword-connect-operator", "-n", "default", "--timeout=120s")
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Waiting for the operator pod to be 'Running'")
|
|
Eventually(func(g Gomega) {
|
|
output, err := system.Run("kubectl", "get", "pods",
|
|
"-l", "name=onepassword-connect-operator",
|
|
"-o", "jsonpath={.items[0].status.phase}")
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
g.Expect(output).To(ContainSubstring("Running"))
|
|
}, 120*time.Second, 1*time.Second).Should(Succeed())
|
|
}
|
|
}
|
|
|
|
// readPullingInterval reads the POLLING_INTERVAL env variable from the operator deployment
|
|
// returns pulling interval in seconds as string
|
|
func readPullingInterval() string {
|
|
output, err := system.Run(
|
|
"kubectl", "get", "deployment", "onepassword-connect-operator",
|
|
"-o", "jsonpath={.spec.template.spec.containers[0].env[?(@.name==\"POLLING_INTERVAL\")].value}",
|
|
)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
return output
|
|
}
|