Implement detection of changes in K8s Secret content with UT

[rpothier]

Desired Outcome

The Kubernetes secrets should only be updated when there is new content.

Implemented Changes

Updated to detect changes the k8s secrets values and Conjur secrets.

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue link: ONYX-17475

Definition of Done

• [] K8s secrets are updated only when there are changes in the k8s secrets content or Conjur secrets.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[szh]

Doesn't look like this is used anywhere

[rpothier]

This is needed for TestProvide() to zero out prevSecretsChecksums so that it writes values in this test.

[diverdane]

Oooh.... I'm glad @szh asked this question!!! I don't think we should be using a global variable for prevSecretsChecksums here, or for the Push-to-File provider either. The issue that we might face with using global variables is that if our UT test cases are ever run in parallel, then one test case could potentially stomp on another test case's values in the global prevSecretsChecksums.

I believe the prevSecretsChecksums should be moved to the K8sProvider struct. Each UT test case should be creating its own K8sProvider to test with, so each one should be created with its own prevSecretsChecksums. Thinking about this a bit more, this would also help in the future if we should ever need to run multiple K8sProviders in parallel.

We need to fix this for the Push-to-File provider as well. I don't know if you want to tackle that here or separately.

[szh]

I noticed this PR decreases the code coverage a bit. Should we add tests for this file?

[diverdane]

The "atomic write of secret files" is implemented now as well, so we might as well delete that item from this list of future enhancements.

[diverdane]

Oooh.... I'm glad @szh asked this question!!! I don't think we should be using a global variable for prevSecretsChecksums here, or for the Push-to-File provider either. The issue that we might face with using global variables is that if our UT test cases are ever run in parallel, then one test case could potentially stomp on another test case's values in the global prevSecretsChecksums.

I believe the prevSecretsChecksums should be moved to the K8sProvider struct. Each UT test case should be creating its own K8sProvider to test with, so each one should be created with its own prevSecretsChecksums. Thinking about this a bit more, this would also help in the future if we should ever need to run multiple K8sProviders in parallel.

We need to fix this for the Push-to-File provider as well. I don't know if you want to tackle that here or separately.

[diverdane]

While we're changing these unit tests, would you mind modifying the way that we're invoking test cases so that each is called via t.Run(tc.desc ...). What the iterations would look like is:

	for _, tc := range testCases {
		t.Run(tc.desc, func(t *testing.T) {
			// Set up test case
			mocks := newTestMocks()
			. . .

The advantage to doing this is that if/when UT failures occur, the tc.desc is displayed prominently in the failure summary, and it makes it very obvious which test case(s) have failed.

Also, I believe that we would need to run the test cases via t.Run(...) if we should ever want to run the test cases in parallel (reference: https://eleni.blog/2019/05/11/parallel-test-execution-in-go/).

[diverdane]

Ruh-Roh, the name of this test function uses snake_case. (Function name should be TestSecretContentChanges).

I fear we've been doing too many context switches between Bash and Go.

[diverdane]

Typo, should be "verify it doesn't ...".

[diverdane]

That's a clever way to detect that it's not trying to update! :)

[diverdane]

Something that might be worth considering here... this test involves a whole bunch of operations, and if when there's a test failure, it won't be immediately obvious which assert in this test is failing (and where in the sequence of operations it's failing), without having to match up line numbers in the source code. What you could do is to modify the desc string as you work your way through the sequence. That way, the failure summary for the assert that fails will provide us with details on where exactly it's failing.

[szh]

Looks great. I left a couple docs comments.

[szh]

I think there needs to be an empty line after the <summary> block. I think this is causing the hyperlinks to not render as links.

See here for example.

[rpothier]

Good catch!

[szh]

Looking at the changelog entries for the previous release, notably for for #432, and given that K8s secrets wasn't previously supported, I wonder if we should replace this with "Secrets rotation is now supported for Kubernetes Secrets"

[rpothier]

How about "Adds support for secrets rotation with Kubernetes Secrets."

[szh]

LGTM!

[codeclimate]

Code Climate has analyzed commit e7bd95e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 94.8% (50% is the threshold).

This pull request will bring the total coverage in the repository to 89.6% (-0.2% change).

View more on Code Climate.