

Merge pull request #506 from cyberark/base64-annotations-k8s-secrets
Support content-type annotation for K8s secrets
gl-johnson authored Mar 20, 2023
2 parents 88e9186 + 062433f commit b44c3c8
Showing 8 changed files with 199 additions and 25 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -11,3 +11,6 @@ junit.xml

# Temporary directory to store the CyberArk proxy CA certificate
build_ca_certificate/

# Ignore generated policy files
deploy/policy/generated/
4 changes: 4 additions & 0 deletions go.mod
Expand Up @@ -16,14 +16,18 @@ require (
require (
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/alessio/shellescape v1.4.1 // indirect
github.com/danieljoos/wincred v1.1.2 // indirect
github.com/emicklei/go-restful/v3 v3.8.0 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/godbus/dbus/v5 v5.1.0 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/zalando/go-keyring v0.2.2 // indirect
)

require (
22 changes: 16 additions & 6 deletions go.sum
Expand Up @@ -37,6 +37,8 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN
github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
Expand All @@ -48,12 +50,14 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/cyberark/conjur-api-go v0.10.2 h1:V2zip069ybE1ubAi2xsay4WGdXG4vIQZ1z7GXPRt7IY=
github.com/cyberark/conjur-api-go v0.10.2/go.mod h1:8+qYC7L6wPY1e56hoZmHSdGa2fHALck8PtS+cUky75Y=
github.com/cyberark/conjur-api-go v0.11.0 h1:LIkdS0zSi2o9AlOwqrIAowxg26kyPFG+XOZSK0dq9dc=
github.com/cyberark/conjur-api-go v0.11.0/go.mod h1:AbU7bDVW6ygUdgTDCKkh4wyfIVrOtdEeE/r01OE1EYo=
github.com/cyberark/conjur-authn-k8s-client v0.24.0 h1:M8Xd6+ztymxQiXUMfVdvpfsTQXJE059CfKVFMDyP1qo=
github.com/cyberark/conjur-authn-k8s-client v0.24.0/go.mod h1:+Yeek99Ijq2IB3WYHx+Wp9aUfyMm42WjZshVlbtIKcg=
github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-820 h1:NbEmFGPTY6vzeNSACrAJlbMe1YkwZoLroDaYTHGrJGc=
github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-820/go.mod h1:IU6D7QQezwoCi6GaKa+79ZrBNyJzFCbIAep0VrLHK6o=
github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-859 h1:Mm/kEw/EeJvGAxnWVmSfRHSWxCe7MAkOV0nUG//4NJo=
github.com/cyberark/conjur-opentelemetry-tracer v0.0.1-859/go.mod h1:knGjmz7WYYptFxOwbMTHD56oslEQrNTq2mDW9qix0fc=
github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
Expand Down Expand Up @@ -84,6 +88,8 @@ github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE
github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng=
github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
Expand Down Expand Up @@ -191,6 +197,7 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
Expand All @@ -200,6 +207,8 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5RI/4=
github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
Expand Down Expand Up @@ -296,8 +305,9 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220111092808-5a964db01320/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
Expand Down Expand Up @@ -442,8 +452,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
2 changes: 1 addition & 1 deletion pkg/log/messages/error_messages.go
Expand Up @@ -51,7 +51,7 @@ const CSPFK033E string = "CSPFK033E Failed to create DAP/Conjur client"
const CSPFK034E string = "CSPFK034E Failed to retrieve DAP/Conjur secrets. Reason: %s"
const CSPFK035E string = "CSPFK035E Failed to parse DAP/Conjur variable ID"
const CSPFK036E string = "CSPFK036E Variable ID '%s' is not in the format '<account>:variable:<variable_id>'"
const CSPFK037E string = "CSPFK037E Failed to parse DAP/Conjur variable IDs"
const CSPFK037E string = "CSPFK037E Failed to parse DAP/Conjur variable ID for secret '%s' in destination '%s'"

// General
const CSPFK038E string = "CSPFK038E Retransmission backoff exhausted"
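Review bot: CSPFK037E now carries two `%s` verbs, so any caller that still passes the constant without arguments will print `%!s(MISSING)` into the log instead of the secret and destination names. The only call site visible in this commit (refreshUpdateDestinations in provide_conjur_secrets.go) passes both values, but callers outside the diff cannot be checked from here, so a search for `CSPFK037E` across the repo is worth doing before merge.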
1 change: 1 addition & 0 deletions pkg/log/messages/info_messages.go
Expand Up @@ -33,3 +33,4 @@ const CSPFK018I string = "CSPFK018I No change in secret file, no secret files wr
const CSPFK019I string = "CSPFK019I Error fetching secrets, deleting secrets file"
const CSPFK020I string = "CSPFK020I No change in Kubernetes secret, no secrets updated"
const CSPFK021I string = "CSPFK021I Error fetching Conjur secrets, clearing Kubernetes secrets"
const CSPFK022I string = "CSPFK022I Storing secret with base64 content-type '%s' in destination '%s'"
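Review bot: The new CSPFK022I text places the quoted `'%s'` directly after "content-type", but the first argument supplied at the call site in provide_conjur_secrets.go is the application secret name, so a rendered line reads as if 'test-decoding' were the content type. Moving the placeholder makes the message self-explanatory without changing its arguments: `const CSPFK022I string = "CSPFK022I Storing secret '%s' with base64 content-type in destination '%s'"`. The test assertions pass the constant with the same two arguments, so they are unaffected.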
Expand Up @@ -19,7 +19,7 @@ import (
// that should be used to retrieve the secret value.
type K8sSecrets map[string]k8sSecretData
type k8sSecretData map[string]k8sSecretDataValues
type k8sSecretDataValues map[string]string
type k8sSecretDataValues map[string]interface{}

// KubeSecretsClient implements a mock Kubernetes client for testing
// Kubernetes Secrets access by the Secrets Provider. This client provides:
58 changes: 41 additions & 17 deletions pkg/secrets/k8s_secrets_storage/provide_conjur_secrets.go
Expand Up @@ -27,6 +27,7 @@ import (
type updateDestination struct {
k8sSecretName string
secretName string
contentType string
}

type k8sSecretsState struct {
Expand Down Expand Up @@ -67,11 +68,11 @@ type k8sProviderDeps struct {

// K8sProvider is the secret provider to be used for K8s Secrets mode. It
// makes secrets available to applications by:
// - Retrieving a list of required K8s Secrets
// - Retrieving all Conjur secrets that are referenced (via variable ID,
// a.k.a. policy path) by those K8s Secrets.
// - Updating the K8s Secrets by replacing each Conjur variable ID
// with the corresponding secret value that was retrieved from Conjur.
// - Retrieving a list of required K8s Secrets
// - Retrieving all Conjur secrets that are referenced (via variable ID,
// a.k.a. policy path) by those K8s Secrets.
// - Updating the K8s Secrets by replacing each Conjur variable ID
// with the corresponding secret value that was retrieved from Conjur.
type K8sProvider struct {
k8s k8sAccessDeps
conjur conjurAccessDeps
Expand Down Expand Up @@ -255,13 +256,10 @@ func (p K8sProvider) retrieveRequiredK8sSecret(k8sSecretName string) error {
return p.parseConjurSecretsYAML(conjurSecretsYAML, k8sSecretName)
}

// Parse the YAML-formatted Conjur secrets mapping that has been retrieved
// from a K8s Secret. This secrets mapping uses application secret names
// as keys and Conjur variable IDs (a.k.a. policy paths) as values.
func (p K8sProvider) parseConjurSecretsYAML(secretsYAML []byte,
k8sSecretName string) error {

conjurMap := map[string]string{}
// parseConjurSecretsYAML parses the YAML-formatted Conjur secrets mapping
// that has been retrieved from a K8s Secret.
func (p K8sProvider) parseConjurSecretsYAML(secretsYAML []byte, k8sSecretName string) error {
conjurMap := map[string]interface{}{}
if err := yaml.Unmarshal(secretsYAML, &conjurMap); err != nil {
p.log.debug(messages.CSPFK007D, k8sSecretName, config.ConjurMapKey, err.Error())
return p.log.recordedError(messages.CSPFK028E, k8sSecretName)
Expand All @@ -270,13 +268,39 @@ func (p K8sProvider) parseConjurSecretsYAML(secretsYAML []byte,
p.log.debug(messages.CSPFK007D, k8sSecretName, config.ConjurMapKey, "value is empty")
return p.log.recordedError(messages.CSPFK028E, k8sSecretName)
}
return p.refreshUpdateDestinations(conjurMap, k8sSecretName)
}

for secretName, varID := range conjurMap {
dest := updateDestination{k8sSecretName, secretName}
p.secretsState.updateDestinations[varID] =
append(p.secretsState.updateDestinations[varID], dest)
}
// refreshUpdateDestinations populates the Provider's updateDestinations
// with the Conjur secret variable ID, K8s secret, secret name, and
// content-type as specified in the Conjur secrets mapping.
// The key is an application secret name, the value can be either a
// string (varID) or a map {id: varID (required), content-type: base64 (optional)}.
func (p K8sProvider) refreshUpdateDestinations(conjurMap map[string]interface{}, k8sSecretName string) error {
for secretName, contents := range conjurMap {
switch value := contents.(type) {
case string:
dest := updateDestination{k8sSecretName, secretName, "text"}
p.secretsState.updateDestinations[value] = append(p.secretsState.updateDestinations[value], dest)
case map[interface{}]interface{}:
varId, ok := value["id"].(string)
if !ok || varId == "" {
return p.log.recordedError(messages.CSPFK037E, secretName, k8sSecretName)
}

contentType, ok := value["content-type"].(string)
if ok && contentType == "base64" {
dest := updateDestination{k8sSecretName, secretName, "base64"}
p.secretsState.updateDestinations[varId] = append(p.secretsState.updateDestinations[varId], dest)
p.log.info(messages.CSPFK022I, secretName, k8sSecretName)
} else {
dest := updateDestination{k8sSecretName, secretName, "text"}
p.secretsState.updateDestinations[varId] = append(p.secretsState.updateDestinations[varId], dest)
}
default:
return p.log.recordedError(messages.CSPFK028E, k8sSecretName)
}
}
return nil
}

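Review bot: The `case map[interface{}]interface{}` branch in refreshUpdateDestinations matches only the nested-map type that gopkg.in/yaml.v2 produces; the yaml import is outside this hunk, so I cannot confirm the version, but if it is or becomes yaml.v3, nested entries decode as `map[string]interface{}`, fall through to `default`, and every annotated secret fails with CSPFK028E, which points at the whole mapping rather than the offending entry. Accepting both map types and extracting `id`/`content-type` once also removes the three near-duplicate append branches, and `varId` should be `varID` per Go initialism style. Separately, an unrecognised content-type value (a misspelling such as "Base64") silently degrades to text with no log line at all, so the misconfiguration is invisible in the logs; a debug message at that point would help operators. The rewrite below also rejects an empty plain-string variable ID with CSPFK037E, which the current code instead appends under the empty key.
```go
func (p K8sProvider) refreshUpdateDestinations(conjurMap map[string]interface{}, k8sSecretName string) error {
	for secretName, contents := range conjurMap {
		var id, ct interface{}
		switch value := contents.(type) {
		case string:
			id = value
		case map[string]interface{}: // nested map as decoded by yaml.v3
			id, ct = value["id"], value["content-type"]
		case map[interface{}]interface{}: // nested map as decoded by yaml.v2
			id, ct = value["id"], value["content-type"]
		default:
			return p.log.recordedError(messages.CSPFK028E, k8sSecretName)
		}

		varID, ok := id.(string)
		if !ok || varID == "" {
			return p.log.recordedError(messages.CSPFK037E, secretName, k8sSecretName)
		}

		// Anything other than an explicit "base64" is stored verbatim as text.
		dest := updateDestination{k8sSecretName, secretName, "text"}
		if contentType, _ := ct.(string); contentType == "base64" {
			dest.contentType = "base64"
			p.log.info(messages.CSPFK022I, secretName, k8sSecretName)
		}
		p.secretsState.updateDestinations[varID] = append(p.secretsState.updateDestinations[varID], dest)
	}
	return nil
}
```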
132 changes: 132 additions & 0 deletions pkg/secrets/k8s_secrets_storage/provide_conjur_secrets_test.go
Expand Up @@ -21,6 +21,9 @@ var testConjurSecrets = map[string]string{
"conjur/var/umlaut": "ÄäÖöÜü",
"conjur/var/binary": "\xf0\xff\x4a\xc3",
"conjur/var/empty-secret": "",
"conjur/var/encoded1": "ZGVjb2RlZC12YWx1ZS0x", // == decoded-value-1
"conjur/var/encoded2": "ZGVjb2RlZC12YWx1ZS0y", // == decoded-value-2
"conjur/var/encoded3": "ZGVjb2RlZC12YWx1ZS0z", // == decoded-value-3
}

type testMocks struct {
Expand Down Expand Up @@ -136,6 +139,20 @@ func assertErrorLogged(msg string, args ...interface{}) assertFunc {
}
}

func assertInfoLogged(expected bool, msg string, args ...interface{}) assertFunc {
return func(t *testing.T, mocks testMocks, updated bool, err error, desc string) {
infoStr := fmt.Sprintf(msg, args...)
var logDesc string
if expected {
logDesc = ", expected info log to contain: "
} else {
logDesc = ", expected info log NOT to contain: "
}
newDesc := desc + logDesc + infoStr
assert.Equal(t, expected, mocks.logger.InfoWasLogged(infoStr), newDesc)
}
}

func TestProvide(t *testing.T) {
testCases := []struct {
desc string
Expand Down Expand Up @@ -325,6 +342,121 @@ func TestProvide(t *testing.T) {
),
},
},
{
desc: "Happy path, encoded secrets with valid content-type",
k8sSecrets: k8sStorageMocks.K8sSecrets{
"k8s-secret1": {
"conjur-map": {
"test-decoding": map[string]interface{}{
"id": "conjur/var/encoded1",
"content-type": "base64",
},
"test-decoding2": map[string]interface{}{
"id": "conjur/var/encoded2",
"content-type": "base64",
},
},
},
"k8s-secret2": {
"conjur-map": {
"test-still-encoded": "conjur/var/encoded1",
"test-still-encoded2": map[string]interface{}{
"id": "conjur/var/encoded2",
"content-type": "text",
},
},
},
},
requiredSecrets: []string{"k8s-secret1", "k8s-secret2"},
asserts: []assertFunc{
// TODO - uncomment when decoding is implemented
// assertSecretsUpdated(
// expectedK8sSecrets{
// "k8s-secret1": {
// "test-decoding": "decoded-value-1",
// "test-decoding2": "decoded-value-2",
// },
// "k8s-secret2": {
// "test-still-encoded": "ZGVjb2RlZC12YWx1ZS0x",
// "test-still-encoded2": "ZGVjb2RlZC12YWx1ZS0y",
// },
// },
// expectedMissingValues{},
// false,
// ),
assertInfoLogged(true, messages.CSPFK022I, "test-decoding", "k8s-secret1"),
assertInfoLogged(true, messages.CSPFK022I, "test-decoding2", "k8s-secret1"),
assertInfoLogged(false, messages.CSPFK022I, "test-still-encoded", "k8s-secret2"),
assertInfoLogged(false, messages.CSPFK022I, "test-still-encoded2", "k8s-secret2"),
},
},
{
desc: "Invalid or empty content-type is treated as text",
k8sSecrets: k8sStorageMocks.K8sSecrets{
"k8s-secret1": {
"conjur-map": {
"test-decoding": map[string]interface{}{
"id": "conjur/var/encoded1",
"content-type": "gibberish",
},
"test-decoding2": map[string]interface{}{
"id": "conjur/var/encoded2",
"content-type": "",
},
"test-decoding3": map[string]interface{}{
"id": "conjur/var/encoded3",
},
},
},
},
requiredSecrets: []string{"k8s-secret1"},
asserts: []assertFunc{
assertSecretsUpdated(
expectedK8sSecrets{
"k8s-secret1": {
"test-decoding": "ZGVjb2RlZC12YWx1ZS0x",
"test-decoding2": "ZGVjb2RlZC12YWx1ZS0y",
"test-decoding3": "ZGVjb2RlZC12YWx1ZS0z",
},
},
expectedMissingValues{},
false,
),
},
},
{
desc: "Empty var ID throws error",
k8sSecrets: k8sStorageMocks.K8sSecrets{
"k8s-secret1": {
"conjur-map": {
"test-decoding": map[string]interface{}{
"id": "",
"content-type": "text",
},
},
},
},
requiredSecrets: []string{"k8s-secret1"},
asserts: []assertFunc{
assertErrorLogged(messages.CSPFK037E, "test-decoding", "k8s-secret1"),
},
},
{
desc: "Missing var ID throws error",
k8sSecrets: k8sStorageMocks.K8sSecrets{
"k8s-secret1": {
"conjur-map": {
"test-decoding": map[string]interface{}{
"content-type": "text",
},
},
},
},
requiredSecrets: []string{"k8s-secret1"},
asserts: []assertFunc{
assertErrorLogged(messages.CSPFK037E, "test-decoding", "k8s-secret1"),
},
},
{
desc: "K8s Secrets maps to a non-existent Conjur secret",
k8sSecrets: k8sStorageMocks.K8sSecrets{
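Review bot: The "Happy path, encoded secrets with valid content-type" case asserts only that CSPFK022I was or was not logged; the stored-value check sits in a commented-out TODO, so nothing verifies that the base64-annotated entries are written to k8s-secret1 at all. Until decoding lands, an `assertSecretsUpdated` expecting the still-encoded values (the same ones the "Invalid or empty content-type is treated as text" case expects) would keep the storage path covered, and it can be swapped for the decoded expectation later. The TestProvide table continues past the end of this hunk.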
