From 8ac8c927ddcdb9bc9596cfc5d4a2484b8a824381 Mon Sep 17 00:00:00 2001
From: Devin Christensen
Date: Mon, 5 Aug 2024 13:14:31 -0600
Subject: [PATCH] chore: respond to PR feedback
- added correct annotations to the secret
- pulled duplicated types out to shared context
---
 e2e/test/secret-docker-json-key-vault.yaml | 21 +++++++++
 e2e/test/secret-docker-json-key.yaml | 20 --------
 e2e/webhook_test.go | 53 ++++++++-------------
 3 files changed, 41 insertions(+), 53 deletions(-)
 create mode 100644 e2e/test/secret-docker-json-key-vault.yaml
 delete mode 100644 e2e/test/secret-docker-json-key.yaml
diff --git a/e2e/test/secret-docker-json-key-vault.yaml b/e2e/test/secret-docker-json-key-vault.yaml
new file mode 100644
index 0000000..22234c3
--- /dev/null
+++ b/e2e/test/secret-docker-json-key-vault.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-secret-docker-json-key-vault
+ annotations:
+ secrets-webhook.security.bank-vaults.io/provider: "vault"
+ secrets-webhook.security.bank-vaults.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
+ secrets-webhook.security.bank-vaults.io/vault-role: "default"
+ secrets-webhook.security.bank-vaults.io/vault-tls-secret: vault-tls
+ # secrets-webhook.security.bank-vaults.io/vault-skip-verify: "true"
+ secrets-webhook.security.bank-vaults.io/vault-path: "kubernetes"
+type: kubernetes.io/dockerconfigjson
+stringData:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ "https://index.docker.io/v1/": {
+ "auth": "dmF1bHQ6c2VjcmV0L2RhdGEvZG9ja2VycmVwbyNET0NLRVJfUkVQT19KU09OX0tFWQ=="
+ }
+ }
+ }
diff --git a/e2e/test/secret-docker-json-key.yaml b/e2e/test/secret-docker-json-key.yaml
deleted file mode 100644
index 48169da..0000000
--- a/e2e/test/secret-docker-json-key.yaml
+++ /dev/null
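Review bot: The `auth` value under `.dockerconfigjson` in the new fixture is an opaque base64 string, and nothing in the file says it is a Vault reference that the webhook resolves rather than a registry credential; a comment on the line above it would spare the next reader a decode, e.g. `# base64 of "vault:secret/data/dockerrepo#DOCKER_REPO_JSON_KEY" - a reference the webhook replaces, not a credential`. The commented-out `vault-skip-verify: "true"` annotation sits right next to the `vault-tls-secret: vault-tls` line that it would override; a one-line comment saying why it is kept at all (presumably for running the suite against a Vault without that TLS secret) would keep it from being un-commented by accident in a fixture that is copied around. Both are documentation-only changes.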
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: test-secret-docker-json-key
- annotations:
- vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
- vault.security.banzaicloud.io/vault-role: "default"
- vault.security.banzaicloud.io/vault-tls-secret: vault-tls
- # vault.security.banzaicloud.io/vault-skip-verify: "true"
- vault.security.banzaicloud.io/vault-path: "kubernetes"
-type: kubernetes.io/dockerconfigjson
-stringData:
- .dockerconfigjson: |
- {
- "auths": {
- "https://index.docker.io/v1/": {
- "auth": "dmF1bHQ6c2VjcmV0L2RhdGEvZG9ja2VycmVwbyNET0NLRVJfUkVQT19KU09OX0tFWQ=="
- }
- }
- }
diff --git a/e2e/webhook_test.go b/e2e/webhook_test.go
index c53c6a5..28f101f 100644
--- a/e2e/webhook_test.go
+++ b/e2e/webhook_test.go
@@ -39,6 +39,19 @@ import (
 )
 func TestSecretValueInjection(t *testing.T) {
+ type dockerAuth struct {
+ Username string `json:"username"`
+ Password string `json:"password"`
+ Auth string `json:"auth"`
+ }
+
+ type auths struct {
+ DockerAuth dockerAuth `json:"https://index.docker.io/v1/"`
+ }
+
+ type dockerconfig struct {
+ Auths auths `json:"auths"`
+ }
 secretVault := applyResource(features.New("secret-vault"), "secret-vault.yaml").
 Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 secrets := &v1.SecretList{
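Review bot: The three hoisted types at the top of TestSecretValueInjection carry no comment, and a reader has to scroll to the two Assess closures further down (outside this hunk) to learn that they exist only to pick one registry entry out of a `kubernetes.io/dockerconfigjson` payload and that `Auth` is compared against `base64(user:password)`. A short comment above `type dockerAuth struct` would pin that down, e.g. `// dockerconfig mirrors the parts of a .dockerconfigjson payload the assertions below read; only the index.docker.io entry is decoded, and Auth holds base64(user:password) as produced by the webhook.` Since the `DockerAuth` field's JSON tag hard-codes the registry key that both fixtures also spell out, it is worth stating in that comment that the tag and the fixtures must agree, because a struct tag cannot reference a constant. The rest of the function is outside the hunk.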
@@ -61,41 +74,27 @@ func TestSecretValueInjection(t *testing.T) {
 err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-vault", cfg.Namespace(), &secret)
 require.NoError(t, err)
- type v1 struct {
- Username string `json:"username"`
- Password string `json:"password"`
- Auth string `json:"auth"`
- }
-
- type auths struct {
- V1 v1 `json:"https://index.docker.io/v1/"`
- }
-
- type dockerconfig struct {
- Auths auths `json:"auths"`
- }
-
 var dockerconfigjson dockerconfig
 err = json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerconfigjson)
 require.NoError(t, err)
 dockerrepoauth := base64.StdEncoding.EncodeToString([]byte("dockerrepouser:dockerrepopassword"))
- assert.Equal(t, "dockerrepouser", dockerconfigjson.Auths.V1.Username)
- assert.Equal(t, "dockerrepopassword", dockerconfigjson.Auths.V1.Password)
- assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.V1.Auth)
+ assert.Equal(t, "dockerrepouser", dockerconfigjson.Auths.DockerAuth.Username)
+ assert.Equal(t, "dockerrepopassword", dockerconfigjson.Auths.DockerAuth.Password)
+ assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.DockerAuth.Auth)
 assert.Equal(t, "Inline: secretId AWS_ACCESS_KEY_ID", string(secret.Data["inline"]))
 return ctx
 }).
 Feature()
- secretDockerJsonKey := applyResource(features.New("secret-docker-json-key"), "secret-docker-json-key.yaml").
+ secretDockerJsonKey := applyResource(features.New("secret-docker-json-key-vault"), "secret-docker-json-key-vault.yaml").
 Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 secrets := &v1.SecretList{
 Items: []v1.Secret{
 {
- ObjectMeta: metav1.ObjectMeta{Name: "test-secret-docker-json-key", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-secret-docker-json-key-vault", Namespace: cfg.Namespace()},
 },
 },
 }
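Review bot: The feature, fixture file and secret name were all renamed to `secret-docker-json-key-vault` in this hunk, but the variable holding the feature is still `secretDockerJsonKey`, so the name no longer matches the resources it refers to and also keeps the non-idiomatic `Json` casing; `secretDockerJSONKeyVault := applyResource(features.New("secret-docker-json-key-vault"), "secret-docker-json-key-vault.yaml").` would line it up with the fixture and with Go's initialism convention. Its later uses, like the enclosing function's start and end, are outside the hunk and would need the same rename. Unrelated to the rename, the `"object created"` Assess still spells the secret name out a second time in `metav1.ObjectMeta{Name: ...}`; a local `const secretName = "test-secret-docker-json-key-vault"` shared with the `Get` call in the following hunk would keep the two from drifting apart again.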
@@ -109,28 +108,16 @@ func TestSecretValueInjection(t *testing.T) {
 Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 var secret v1.Secret
- err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-docker-json-key", cfg.Namespace(), &secret)
+ err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-docker-json-key-vault", cfg.Namespace(), &secret)
 require.NoError(t, err)
- type v1 struct {
- Auth string `json:"auth"`
- }
-
- type auths struct {
- V1 v1 `json:"https://index.docker.io/v1/"`
- }
-
- type dockerconfig struct {
- Auths auths `json:"auths"`
- }
-
 var dockerconfigjson dockerconfig
 err = json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerconfigjson)
 require.NoError(t, err)
 dockerrepoauth := base64.StdEncoding.EncodeToString([]byte("_json_key: {\n \"type\": \"service_account\",\n \"project_id\": \"test\"\n}\n"))
- assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.V1.Auth)
+ assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.DockerAuth.Auth)
 return ctx
 }).