Merge pull request #512 from cyberark/base64_e2e_tests

Base64 decoding e2e tests

CHANGELOG.md

@@ -11,7 +11,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Adds support for binary secret values and values with special characters.
   [cyberark/secrets-provider-for-k8s#500](https://github.com/cyberark/secrets-provider-for-k8s/pull/500)
-- Adds support for content-type annotation.
+- Adds support for content-type annotation (K8s secrets) and base64 secrets decoding.
+  [cyberark/secrets-provider-for-k8s#508](https://github.com/cyberark/secrets-provider-for-k8s/pull/508)
+- Adds support for content-type annotation (P2F) and base64 secrets decoding.
   [cyberark/secrets-provider-for-k8s#511](https://github.com/cyberark/secrets-provider-for-k8s/pull/511)
 - Updating documentation for base64 decoding.
   [cyberark/secrets-provider-for-k8s#513](https://github.com/cyberark/secrets-provider-for-k8s/pull/513)

deploy/config/k8s/k8s-secret.yml

@@ -9,7 +9,7 @@ stringData:
     var_with_spaces: secrets/var with spaces
     var_with_pluses: secrets/var+with+pluses
     var_with_umlaut: secrets/umlaut
-    var_with_encoded:
+    var_with_base64:
       id: secrets/encoded
       content-type: base64
   non-conjur-key: some-value

deploy/config/k8s/test-env-k8s-rotation.sh.yml

@@ -69,6 +69,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

deploy/config/k8s/test-env-p2f-rotation.sh.yml

@@ -34,12 +34,16 @@ spec:
           - username: secrets/username
           - password: secrets/password
           - test: secrets/test_secret
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
           - test: test_secret
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env

deploy/config/k8s/test-env-push-to-file.sh.yml

@@ -31,11 +31,15 @@ spec:
           - url: secrets/url
           - username: secrets/username
           - password: secrets/password
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env

deploy/config/k8s/test-env.sh.yml

@@ -56,6 +56,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

deploy/config/openshift/k8s-secret.yml

@@ -9,7 +9,7 @@ stringData:
     var_with_spaces: secrets/var with spaces
     var_with_pluses: secrets/var+with+pluses
     var_with_umlaut: secrets/umlaut
-    var_with_encoded:
+    var_with_base64:
       id: secrets/encoded
       content-type: base64
   non-conjur-key: some-value

deploy/config/openshift/test-env-k8s-rotation.sh.yml

@@ -63,6 +63,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_pluses
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

deploy/config/openshift/test-env-p2f-rotation.sh.yml

@@ -33,12 +33,16 @@ spec:
           - username: secrets/username
           - password: secrets/password
           - test: secrets/test_secret
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
           - test: test_secret
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env

deploy/config/openshift/test-env-push-to-file.sh.yml

@@ -30,11 +30,15 @@ spec:
           - url: secrets/url
           - username: secrets/username
           - password: secrets/password
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env

deploy/config/openshift/test-env.sh.yml

@@ -55,6 +55,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
+          - name: VARIABLE_WITH_BASE64_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: test-k8s-secret
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

deploy/dev/config/k8s/secrets-provider-init-container.sh.yml

@@ -46,11 +46,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
-          - name: VARIABLE_WITH_ENCODED_SECRET
+          - name: VARIABLE_WITH_BASE64_SECRET
             valueFrom:
               secretKeyRef:
                 name: test-k8s-secret
-                key: var_with_encoded
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

deploy/dev/config/k8s/secrets-provider-init-push-to-file.sh.yml

@@ -31,11 +31,15 @@ spec:
           - url: secrets/url
           - username: secrets/username
           - password: secrets/password
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env

deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml

@@ -69,11 +69,11 @@ spec:
               secretKeyRef:
                 name: test-k8s-secret
                 key: var_with_umlaut
-          - name: VARIABLE_WITH_ENCODED_SECRET
+          - name: VARIABLE_WITH_BASE64_SECRET
             valueFrom:
               secretKeyRef:
                 name: test-k8s-secret
-                key: var_with_encoded
+                key: var_with_base64
           - name: NON_CONJUR_SECRET
             valueFrom:
               secretKeyRef:

deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml

@@ -34,12 +34,16 @@ spec:
           - username: secrets/username
           - password: secrets/password
           - test: secrets/test_secret
+          - encoded: secrets/encoded
+            content-type: base64
         conjur.org/conjur-secrets-policy-path.group2: secrets
         conjur.org/conjur-secrets.group2: |
           - url: url
           - username: username
           - password: password
           - test: test_secret
+          - still_encoded: encoded
+            content-type: text
         conjur.org/secret-file-format.group2: json
         conjur.org/conjur-secrets-policy-path.group3: secrets
         conjur.org/secret-file-path.group3: some-dotenv.env

deploy/policy/load_policies.sh

@@ -34,7 +34,7 @@ conjur variable set -i secrets/test_secret -v "some-secret"
 conjur variable set -i "secrets/var with spaces" -v "some-secret"
 conjur variable set -i "secrets/var+with+pluses" -v "some-secret"
 conjur variable set -i "secrets/umlaut" -v "some-secret"
-conjur variable set -i "secrets/encoded" -v "c2VjcmV0LXZhbHVl" # == secret-value
+conjur variable set -i "secrets/encoded" -v "$(echo "secret-value" | tr -d '\n' | base64)" # == "c2VjcmV0LXZhbHVl"
 conjur variable set -i secrets/url -v "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 conjur variable set -i secrets/username -v "some-user"
 conjur variable set -i secrets/password -v "7H1SiSmYp@5Sw0rd"

deploy/test/test_cases/TEST_ID_1.6_providing_variables_with_base64_decoding_successfully.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+secret_value="secret-value"
+environment_variable_name="VARIABLE_WITH_BASE64_SECRET"
+
+set_namespace "$APP_NAMESPACE_NAME"
+deploy_env
+
+echo "Verifying pod test_env has environment variable '$environment_variable_name' with value '$secret_value'"
+pod_name="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
+verify_secret_value_in_pod "$pod_name" "$environment_variable_name" "$secret_value"

deploy/test/test_cases/TEST_ID_1.7_providing_large_decoded_variable_successfully.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+# Generate a large base64 encoded string (> 65k characters)
+secret_value=$(openssl rand -base64 $((66 * 2**10)) | tr -d '\n')
+encoded_secret_value=$(echo "$secret_value" | base64)
+environment_variable_name="VARIABLE_WITH_BASE64_SECRET"
+
+# Set the encoded secret value in Conjur
+set_conjur_secret "secrets/encoded" "$encoded_secret_value"
+
+set_namespace "$APP_NAMESPACE_NAME"
+deploy_env
+
+echo "Verifying pod test_env has environment variable '$environment_variable_name' with expected value"
+test_pod="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
+actual_value=$($cli_with_timeout "exec $test_pod -- printenv | grep VARIABLE_WITH_BASE64_SECRET | cut -d= -f2")
+
+if [[ "$actual_value" == "$secret_value" ]]; then
+    echo "$environment_variable_name is set correctly"
+    # Reset the secret value to the original value for subsequent tests
+    set_conjur_secret secrets/encoded "$(echo "secret-value" | tr -d '\n' | base64)" # == "c2VjcmV0LXZhbHVl"
+else
+    echo "$environment_variable_name is not set correctly"
+    exit 1
+fi

deploy/test/test_cases/TEST_ID_27_push_to_file.sh

@@ -21,8 +21,9 @@ FILES="group1.yaml group2.json some-dotenv.env group4.bash group5.template"
 declare -A expected_content
 expected_content[group1.yaml]='"url": "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 "username": "some-user"
-"password": "7H1SiSmYp@5Sw0rd"'
-expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd"}'
+"password": "7H1SiSmYp@5Sw0rd"
+"encoded": "secret-value"'
+expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd","still_encoded":"c2VjcmV0LXZhbHVl"}'
 expected_content[some-dotenv.env]='url="postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 username="some-user"
 password="7H1SiSmYp@5Sw0rd"'

deploy/test/test_cases/TEST_ID_28_push_to_file_secrets_rotation.sh

@@ -20,6 +20,7 @@ $cli_with_timeout "get pod $pod_name --namespace=$APP_NAMESPACE_NAME | grep -c 2
 
 # Change a conjur variable
 set_conjur_secret secrets/test_secret secret2
+set_conjur_secret secrets/encoded "$(echo "secret-value2" | tr -d '\n' | base64)" # == c2VjcmV0LXZhbHVlMg==
 
 # Check if the new value is picked up by secrets provider
 sleep 10
@@ -30,8 +31,9 @@ declare -A expected_content
 expected_content[group1.yaml]='"url": "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 "username": "some-user"
 "password": "7H1SiSmYp@5Sw0rd"
-"test": "secret2"'
-expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd","test":"secret2"}'
+"test": "secret2"
+"encoded": "secret-value2"'
+expected_content[group2.json]='{"url":"postgresql://test-app-backend.app-test.svc.cluster.local:5432","username":"some-user","password":"7H1SiSmYp@5Sw0rd","test":"secret2","still_encoded":"c2VjcmV0LXZhbHVlMg=="}'
 expected_content[some-dotenv.env]='url="postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 username="some-user"
 password="7H1SiSmYp@5Sw0rd"

deploy/test/test_cases/TEST_ID_29_k8s_secrets_rotation.sh

@@ -5,6 +5,9 @@ create_secret_access_role
 
 create_secret_access_role_binding
 
+set_conjur_secret secrets/test_secret supersecret
+set_conjur_secret secrets/encoded "$(echo "secret-value" | base64)"
+
 export SECRETS_MODE="k8s-rotation"
 deploy_env
 
@@ -13,11 +16,17 @@ pod_name1="$(get_pod_name "$APP_NAMESPACE_NAME" 'app=test-env')"
 echo "Verify pod $pod_name1 has environment variable 'TEST_SECRET' with value 'supersecret'"
 verify_secret_value_in_pod $pod_name1 TEST_SECRET supersecret
 
+echo "Verify pod $pod_name1 has environment variable 'VARIABLE_WITH_BASE64_SECRET' with value 'secret-value'"
+verify_secret_value_in_pod $pod_name1 VARIABLE_WITH_BASE64_SECRET secret-value
+
 set_conjur_secret secrets/test_secret secret2
+set_conjur_secret secrets/encoded "$(echo "secret-value2" | base64)"
 sleep 10
 
 echo "Verify pod $pod_name1 has environment variable 'TEST_SECRET' with value 'secret2'"
 verify_secret_value_in_pod $pod_name1 TEST_SECRET secret2
+echo "Verify pod $pod_name1 has environment variable 'VARIABLE_WITH_BASE64_SECRET' with value 'secret-value2'"
+verify_secret_value_in_pod $pod_name1 VARIABLE_WITH_BASE64_SECRET secret-value2
 
 # Note: We're not testing secrets deletion here like we do in TEST_ID_28_push_to_file_secrets_rotation. This is because removing the
 # secret values from K8s will cause the pod to fail on startup due to the missing secretKeyRefs. We would need another way to test this

deploy/test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh

@@ -1,11 +1,9 @@
 #!/bin/bash
 set -euxo pipefail
 
-echo "Creating secrets access role"
-wait_for_it 600  "$CONFIG_DIR/secrets-access-role.sh.yml | $cli_without_timeout apply -f -"
+create_secret_access_role
 
-echo "Creating secrets access role binding"
-wait_for_it 600 "$CONFIG_DIR/secrets-access-role-binding.sh.yml | $cli_without_timeout apply -f -"
+create_secret_access_role_binding
 
 deploy_env
 

deploy/utils.sh

@@ -391,7 +391,7 @@ set_conjur_secret() {
   echo "Set secret '$SECRET_NAME' to '$SECRET_VALUE'"
   set_namespace "$CONJUR_NAMESPACE_NAME"
   configure_cli_pod
-  $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable set -i $SECRET_NAME -v $SECRET_VALUE"
+  $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable set -i $SECRET_NAME -v \"$SECRET_VALUE\""
   set_namespace $APP_NAMESPACE_NAME
 }