Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

fix(gcpsm): SecretExists should check for regional secrets when store location is specified (#5708)

Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Alvin Wong 4 months ago
parent
860e21dbf1
commit
35f235a392
2 changed files with 80 additions and 0 deletions
Split View Show Diff Stats
  1. 3 0
      providers/v1/gcp/secretmanager/client.go
  2. 77 0
      providers/v1/gcp/secretmanager/client_test.go

+ 3 - 0
providers/v1/gcp/secretmanager/client.go
View File 

@@ -150,6 +150,9 @@ func parseError(err error) error {
 
 // It verifies the existence of a secret in Google Cloud Secret Manager AND that it has at least one version.
 
 func (c *Client) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 
 	secretName := fmt.Sprintf(globalSecretPath, c.store.ProjectID, ref.GetRemoteKey())
 
+	if c.store.Location != "" {
 
+		secretName = fmt.Sprintf(regionalSecretPath, c.store.ProjectID, c.store.Location, ref.GetRemoteKey())
 
+	}
 
 	gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
 
 		Name: secretName,
 
 	})

+ 77 - 0
providers/v1/gcp/secretmanager/client_test.go
View File 

@@ -1137,6 +1137,83 @@ func TestSecretExists(t *testing.T) {
 
 	}
 
 }
 
 
+func TestSecretExistsWithRegionalEndpoint(t *testing.T) {
 
+	tests := []struct {
 
+		name                          string
 
+		location                      string
 
+		ref                           esv1.PushSecretRemoteRef
 
+		getSecretMockReturn           fakesm.SecretMockReturn
 
+		accessSecretVersionMockReturn fakesm.AccessSecretVersionMockReturn
 
+		expectedSecret                bool
 
+		expectedErr                   func(t *testing.T, err error)
 
+	}{
 
+		{
 
+			name:     "secret exists with regional endpoint",
 
+			location: usEast1,
 
+			ref: v1alpha1.PushSecretRemoteRef{
 
+				RemoteKey: "bar",
 
+			},
 
+			getSecretMockReturn: fakesm.SecretMockReturn{
 
+				Secret: &secretmanagerpb.Secret{
 
+					Name: testSecretName,
 
+				},
 
+				Err: nil,
 
+			},
 
+			accessSecretVersionMockReturn: fakesm.AccessSecretVersionMockReturn{
 
+				Res: &secretmanagerpb.AccessSecretVersionResponse{
 
+					Name: "projects/foo/locations/us-east1/secrets/bar/versions/latest",
 
+					Payload: &secretmanagerpb.SecretPayload{
 
+						Data: []byte("test-data"),
 
+					},
 
+				},
 
+				Err: nil,
 
+			},
 
+			expectedSecret: true,
 
+			expectedErr: func(t *testing.T, err error) {
 
+				require.NoError(t, err)
 
+			},
 
+		},
 
+		{
 
+			name:     "secret does not exist with regional endpoint",
 
+			location: usEast1,
 
+			ref: v1alpha1.PushSecretRemoteRef{
 
+				RemoteKey: "bar",
 
+			},
 
+			getSecretMockReturn: fakesm.SecretMockReturn{
 
+				Secret: nil,
 
+				Err:    status.Errorf(codes.NotFound, "secret not found"),
 
+			},
 
+			accessSecretVersionMockReturn: fakesm.AccessSecretVersionMockReturn{},
 
+			expectedSecret:                false,
 
+			expectedErr: func(t *testing.T, err error) {
 
+				require.NoError(t, err)
 
+			},
 
+		},
 
+	}
 
+
 
+	for _, tc := range tests {
 
+		t.Run(tc.name, func(t *testing.T) {
 
+			smClient := fakesm.MockSMClient{}
 
+			smClient.NewGetSecretFn(tc.getSecretMockReturn)
 
+			smClient.NewAccessSecretVersionFn(tc.accessSecretVersionMockReturn)
 
+
 
+			client := Client{
 
+				smClient: &smClient,
 
+				store: &esv1.GCPSMProvider{
 
+					ProjectID: "foo",
 
+					Location:  tc.location,
 
+				},
 
+			}
 
+			got, err := client.SecretExists(t.Context(), tc.ref)
 
+			tc.expectedErr(t, err)
 
+
 
+			if got != tc.expectedSecret {
 
+				t.Fatalf("unexpected secret: expected %t, got %t", tc.expectedSecret, got)
 
+			}
 
+		})
 
+	}
 
+}
 
+
 
 func TestPushSecretProperty(t *testing.T) {
 
 	secretKey := "secret-key"
 
 	defaultAddSecretVersionMockReturn := func(gotPayload, expectedPayload string) (*secretmanagerpb.SecretVersion, error) {