Browse Source

test: add kubernetes v2 push recovery coverage

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner 2 months ago
parent
commit
4b74ce8537
1 changed files with 124 additions and 2 deletions
  1. 124 2
      e2e/suites/provider/cases/kubernetes/push_v2.go

+ 124 - 2
e2e/suites/provider/cases/kubernetes/push_v2.go

@@ -173,6 +173,58 @@ var _ = Describe("[kubernetes] v2 push secret", Label("kubernetes", "v2", "push-
 		}, defaultV2WaitTimeout, defaultV2PollInterval).Should(BeTrue())
 	})
 
+	It("rejects remote namespace overrides when pushing through a namespaced Provider", func() {
+		overrideNamespace := createE2ENamespace(f, "push-provider-override")
+		sourceSecret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "source-secret-provider-override",
+				Namespace: f.Namespace.Name,
+			},
+			Data: map[string][]byte{
+				"value": []byte("should-not-push"),
+			},
+		}
+		Expect(f.CRClient.Create(context.Background(), sourceSecret)).To(Succeed())
+
+		pushSecret := &esv1alpha1.PushSecret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "test-pushsecret-provider-override",
+				Namespace: f.Namespace.Name,
+			},
+			Spec: esv1alpha1.PushSecretSpec{
+				RefreshInterval: &metav1.Duration{Duration: defaultV2RefreshInterval},
+				SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{
+					{
+						Name:       f.Namespace.Name,
+						Kind:       f.DefaultPushSecretStoreRefKind,
+						APIVersion: f.DefaultPushSecretStoreRefAPIVersion,
+					},
+				},
+				Selector: esv1alpha1.PushSecretSelector{
+					Secret: &esv1alpha1.PushSecretSecret{
+						Name: sourceSecret.Name,
+					},
+				},
+				Data: []esv1alpha1.PushSecretData{{
+					Match: esv1alpha1.PushSecretMatch{
+						SecretKey: "value",
+						RemoteRef: esv1alpha1.PushSecretRemoteRef{
+							RemoteKey: "pushed-secret-provider-override",
+							Property:  "value",
+						},
+					},
+					Metadata: &apiextensionsv1.JSON{Raw: []byte(fmt.Sprintf(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1","kind":"PushSecretMetadata","spec":{"remoteNamespace":"%s"}}`, overrideNamespace))},
+				}},
+			},
+		}
+		Expect(f.CRClient.Create(context.Background(), pushSecret)).To(Succeed())
+
+		waitForPushSecretErrored(f, pushSecret.Name)
+		expectNoSecretInNamespace(f, f.Namespace.Name, "pushed-secret-provider-override")
+		expectNoSecretInNamespace(f, overrideNamespace, "pushed-secret-provider-override")
+		expectPushSecretEvent(f, f.Namespace.Name, pushSecret.Name, "remoteNamespace override is only supported with ClusterSecretStore")
+	})
+
 	It("pushes through a ClusterProvider when authenticationScope=ManifestNamespace", func() {
 		s := newClusterProviderV2Scenario(f, "push-manifest")
 		s.allowRemoteAccessFrom(s.workloadNamespace, "push-manifest")
@@ -221,6 +273,68 @@ var _ = Describe("[kubernetes] v2 push secret", Label("kubernetes", "v2", "push-
 		waitForSecretValueInNamespace(f, s.remoteNamespace, remoteSecretName, "value", "provider-push-value")
 	})
 
+	It("recovers after repairing cluster provider auth for pushes when authenticationScope=ManifestNamespace", func() {
+		s := newClusterProviderV2Scenario(f, "push-manifest-recovery")
+		s.allowRemoteAccessFrom(s.workloadNamespace, "push-manifest-recovery")
+
+		sourceSecretName := fmt.Sprintf("%s-source", s.namePrefix)
+		remoteSecretName := fmt.Sprintf("%s-remote", s.namePrefix)
+		Expect(f.CRClient.Create(context.Background(), &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      sourceSecretName,
+				Namespace: s.workloadNamespace,
+			},
+			Data: map[string][]byte{
+				"value": []byte("manifest-push-recovered"),
+			},
+		})).To(Succeed())
+
+		clusterProviderName := s.createClusterProvider("push-manifest-recovery", esv1.AuthenticationScopeManifestNamespace, nil)
+		frameworkv2.WaitForClusterProviderReady(f, clusterProviderName, defaultV2WaitTimeout)
+
+		updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-manifest-recovery"), "missing-service-account")
+
+		pushSecretName := createClusterProviderPushSecretWithRefresh(f, s.workloadNamespace, clusterProviderName, sourceSecretName, remoteSecretName, time.Hour)
+		waitForPushSecretErrored(f, pushSecretName)
+		expectNoSecretInNamespace(f, s.remoteNamespace, remoteSecretName)
+
+		updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-manifest-recovery"), s.serviceAccount)
+
+		waitForPushSecretReady(f, pushSecretName)
+		waitForSecretValueInNamespace(f, s.remoteNamespace, remoteSecretName, "value", "manifest-push-recovered")
+	})
+
+	It("recovers after repairing cluster provider auth for pushes when authenticationScope=ProviderNamespace", func() {
+		s := newClusterProviderV2Scenario(f, "push-provider-recovery")
+		s.allowRemoteAccessFrom(s.providerNamespace, "push-provider-recovery")
+
+		sourceSecretName := fmt.Sprintf("%s-source", s.namePrefix)
+		remoteSecretName := fmt.Sprintf("%s-remote", s.namePrefix)
+		Expect(f.CRClient.Create(context.Background(), &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      sourceSecretName,
+				Namespace: s.workloadNamespace,
+			},
+			Data: map[string][]byte{
+				"value": []byte("provider-push-recovered"),
+			},
+		})).To(Succeed())
+
+		clusterProviderName := s.createClusterProvider("push-provider-recovery", esv1.AuthenticationScopeProviderNamespace, nil)
+		frameworkv2.WaitForClusterProviderReady(f, clusterProviderName, defaultV2WaitTimeout)
+
+		updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-provider-recovery"), "missing-service-account")
+
+		pushSecretName := createClusterProviderPushSecretWithRefresh(f, s.workloadNamespace, clusterProviderName, sourceSecretName, remoteSecretName, time.Hour)
+		waitForPushSecretErrored(f, pushSecretName)
+		expectNoSecretInNamespace(f, s.remoteNamespace, remoteSecretName)
+
+		updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-provider-recovery"), s.serviceAccount)
+
+		waitForPushSecretReady(f, pushSecretName)
+		waitForSecretValueInNamespace(f, s.remoteNamespace, remoteSecretName, "value", "provider-push-recovered")
+	})
+
 	It("allows ClusterProvider pushes to override the target remote namespace via metadata", func() {
 		s := newClusterProviderV2Scenario(f, "push-remote-override")
 		s.allowRemoteAccessFrom(s.workloadNamespace, "push-remote-override-default")
@@ -291,10 +405,18 @@ var _ = Describe("[kubernetes] v2 push secret", Label("kubernetes", "v2", "push-
 })
 
 func createClusterProviderPushSecret(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string) string {
-	return createClusterProviderPushSecretWithMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, nil)
+	return createClusterProviderPushSecretWithRefreshAndMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, defaultV2RefreshInterval, nil)
+}
+
+func createClusterProviderPushSecretWithRefresh(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string, refreshInterval time.Duration) string {
+	return createClusterProviderPushSecretWithRefreshAndMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, refreshInterval, nil)
 }
 
 func createClusterProviderPushSecretWithMetadata(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string, metadata *apiextensionsv1.JSON) string {
+	return createClusterProviderPushSecretWithRefreshAndMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, defaultV2RefreshInterval, metadata)
+}
+
+func createClusterProviderPushSecretWithRefreshAndMetadata(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string, refreshInterval time.Duration, metadata *apiextensionsv1.JSON) string {
 	pushSecretName := fmt.Sprintf("%s-push-secret", remoteSecretName)
 	Expect(f.CRClient.Create(context.Background(), &esv1alpha1.PushSecret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -302,7 +424,7 @@ func createClusterProviderPushSecretWithMetadata(f *framework.Framework, namespa
 			Namespace: namespace,
 		},
 		Spec: esv1alpha1.PushSecretSpec{
-			RefreshInterval: &metav1.Duration{Duration: defaultV2RefreshInterval},
+			RefreshInterval: &metav1.Duration{Duration: refreshInterval},
 			SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{{
 				Name:       clusterProviderName,
 				Kind:       esv1.ClusterProviderKindStr,