|
|
@@ -173,6 +173,58 @@ var _ = Describe("[kubernetes] v2 push secret", Label("kubernetes", "v2", "push-
|
|
|
}, defaultV2WaitTimeout, defaultV2PollInterval).Should(BeTrue())
|
|
|
})
|
|
|
|
|
|
+ It("rejects remote namespace overrides when pushing through a namespaced Provider", func() {
|
|
|
+ overrideNamespace := createE2ENamespace(f, "push-provider-override")
|
|
|
+ sourceSecret := &corev1.Secret{
|
|
|
+ ObjectMeta: metav1.ObjectMeta{
|
|
|
+ Name: "source-secret-provider-override",
|
|
|
+ Namespace: f.Namespace.Name,
|
|
|
+ },
|
|
|
+ Data: map[string][]byte{
|
|
|
+ "value": []byte("should-not-push"),
|
|
|
+ },
|
|
|
+ }
|
|
|
+ Expect(f.CRClient.Create(context.Background(), sourceSecret)).To(Succeed())
|
|
|
+
|
|
|
+ pushSecret := &esv1alpha1.PushSecret{
|
|
|
+ ObjectMeta: metav1.ObjectMeta{
|
|
|
+ Name: "test-pushsecret-provider-override",
|
|
|
+ Namespace: f.Namespace.Name,
|
|
|
+ },
|
|
|
+ Spec: esv1alpha1.PushSecretSpec{
|
|
|
+ RefreshInterval: &metav1.Duration{Duration: defaultV2RefreshInterval},
|
|
|
+ SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{
|
|
|
+ {
|
|
|
+ Name: f.Namespace.Name,
|
|
|
+ Kind: f.DefaultPushSecretStoreRefKind,
|
|
|
+ APIVersion: f.DefaultPushSecretStoreRefAPIVersion,
|
|
|
+ },
|
|
|
+ },
|
|
|
+ Selector: esv1alpha1.PushSecretSelector{
|
|
|
+ Secret: &esv1alpha1.PushSecretSecret{
|
|
|
+ Name: sourceSecret.Name,
|
|
|
+ },
|
|
|
+ },
|
|
|
+ Data: []esv1alpha1.PushSecretData{{
|
|
|
+ Match: esv1alpha1.PushSecretMatch{
|
|
|
+ SecretKey: "value",
|
|
|
+ RemoteRef: esv1alpha1.PushSecretRemoteRef{
|
|
|
+ RemoteKey: "pushed-secret-provider-override",
|
|
|
+ Property: "value",
|
|
|
+ },
|
|
|
+ },
|
|
|
+ Metadata: &apiextensionsv1.JSON{Raw: []byte(fmt.Sprintf(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1","kind":"PushSecretMetadata","spec":{"remoteNamespace":"%s"}}`, overrideNamespace))},
|
|
|
+ }},
|
|
|
+ },
|
|
|
+ }
|
|
|
+ Expect(f.CRClient.Create(context.Background(), pushSecret)).To(Succeed())
|
|
|
+
|
|
|
+ waitForPushSecretErrored(f, pushSecret.Name)
|
|
|
+ expectNoSecretInNamespace(f, f.Namespace.Name, "pushed-secret-provider-override")
|
|
|
+ expectNoSecretInNamespace(f, overrideNamespace, "pushed-secret-provider-override")
|
|
|
+ expectPushSecretEvent(f, f.Namespace.Name, pushSecret.Name, "remoteNamespace override is only supported with ClusterSecretStore")
|
|
|
+ })
|
|
|
+
|
|
|
It("pushes through a ClusterProvider when authenticationScope=ManifestNamespace", func() {
|
|
|
s := newClusterProviderV2Scenario(f, "push-manifest")
|
|
|
s.allowRemoteAccessFrom(s.workloadNamespace, "push-manifest")
|
|
|
@@ -221,6 +273,68 @@ var _ = Describe("[kubernetes] v2 push secret", Label("kubernetes", "v2", "push-
|
|
|
waitForSecretValueInNamespace(f, s.remoteNamespace, remoteSecretName, "value", "provider-push-value")
|
|
|
})
|
|
|
|
|
|
+ It("recovers after repairing cluster provider auth for pushes when authenticationScope=ManifestNamespace", func() {
|
|
|
+ s := newClusterProviderV2Scenario(f, "push-manifest-recovery")
|
|
|
+ s.allowRemoteAccessFrom(s.workloadNamespace, "push-manifest-recovery")
|
|
|
+
|
|
|
+ sourceSecretName := fmt.Sprintf("%s-source", s.namePrefix)
|
|
|
+ remoteSecretName := fmt.Sprintf("%s-remote", s.namePrefix)
|
|
|
+ Expect(f.CRClient.Create(context.Background(), &corev1.Secret{
|
|
|
+ ObjectMeta: metav1.ObjectMeta{
|
|
|
+ Name: sourceSecretName,
|
|
|
+ Namespace: s.workloadNamespace,
|
|
|
+ },
|
|
|
+ Data: map[string][]byte{
|
|
|
+ "value": []byte("manifest-push-recovered"),
|
|
|
+ },
|
|
|
+ })).To(Succeed())
|
|
|
+
|
|
|
+ clusterProviderName := s.createClusterProvider("push-manifest-recovery", esv1.AuthenticationScopeManifestNamespace, nil)
|
|
|
+ frameworkv2.WaitForClusterProviderReady(f, clusterProviderName, defaultV2WaitTimeout)
|
|
|
+
|
|
|
+ updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-manifest-recovery"), "missing-service-account")
|
|
|
+
|
|
|
+ pushSecretName := createClusterProviderPushSecretWithRefresh(f, s.workloadNamespace, clusterProviderName, sourceSecretName, remoteSecretName, time.Hour)
|
|
|
+ waitForPushSecretErrored(f, pushSecretName)
|
|
|
+ expectNoSecretInNamespace(f, s.remoteNamespace, remoteSecretName)
|
|
|
+
|
|
|
+ updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-manifest-recovery"), s.serviceAccount)
|
|
|
+
|
|
|
+ waitForPushSecretReady(f, pushSecretName)
|
|
|
+ waitForSecretValueInNamespace(f, s.remoteNamespace, remoteSecretName, "value", "manifest-push-recovered")
|
|
|
+ })
|
|
|
+
|
|
|
+ It("recovers after repairing cluster provider auth for pushes when authenticationScope=ProviderNamespace", func() {
|
|
|
+ s := newClusterProviderV2Scenario(f, "push-provider-recovery")
|
|
|
+ s.allowRemoteAccessFrom(s.providerNamespace, "push-provider-recovery")
|
|
|
+
|
|
|
+ sourceSecretName := fmt.Sprintf("%s-source", s.namePrefix)
|
|
|
+ remoteSecretName := fmt.Sprintf("%s-remote", s.namePrefix)
|
|
|
+ Expect(f.CRClient.Create(context.Background(), &corev1.Secret{
|
|
|
+ ObjectMeta: metav1.ObjectMeta{
|
|
|
+ Name: sourceSecretName,
|
|
|
+ Namespace: s.workloadNamespace,
|
|
|
+ },
|
|
|
+ Data: map[string][]byte{
|
|
|
+ "value": []byte("provider-push-recovered"),
|
|
|
+ },
|
|
|
+ })).To(Succeed())
|
|
|
+
|
|
|
+ clusterProviderName := s.createClusterProvider("push-provider-recovery", esv1.AuthenticationScopeProviderNamespace, nil)
|
|
|
+ frameworkv2.WaitForClusterProviderReady(f, clusterProviderName, defaultV2WaitTimeout)
|
|
|
+
|
|
|
+ updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-provider-recovery"), "missing-service-account")
|
|
|
+
|
|
|
+ pushSecretName := createClusterProviderPushSecretWithRefresh(f, s.workloadNamespace, clusterProviderName, sourceSecretName, remoteSecretName, time.Hour)
|
|
|
+ waitForPushSecretErrored(f, pushSecretName)
|
|
|
+ expectNoSecretInNamespace(f, s.remoteNamespace, remoteSecretName)
|
|
|
+
|
|
|
+ updateKubernetesProviderServiceAccount(f, s.providerNamespace, s.providerConfigName("push-provider-recovery"), s.serviceAccount)
|
|
|
+
|
|
|
+ waitForPushSecretReady(f, pushSecretName)
|
|
|
+ waitForSecretValueInNamespace(f, s.remoteNamespace, remoteSecretName, "value", "provider-push-recovered")
|
|
|
+ })
|
|
|
+
|
|
|
It("allows ClusterProvider pushes to override the target remote namespace via metadata", func() {
|
|
|
s := newClusterProviderV2Scenario(f, "push-remote-override")
|
|
|
s.allowRemoteAccessFrom(s.workloadNamespace, "push-remote-override-default")
|
|
|
@@ -291,10 +405,18 @@ var _ = Describe("[kubernetes] v2 push secret", Label("kubernetes", "v2", "push-
|
|
|
})
|
|
|
|
|
|
func createClusterProviderPushSecret(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string) string {
|
|
|
- return createClusterProviderPushSecretWithMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, nil)
|
|
|
+ return createClusterProviderPushSecretWithRefreshAndMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, defaultV2RefreshInterval, nil)
|
|
|
+}
|
|
|
+
|
|
|
+func createClusterProviderPushSecretWithRefresh(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string, refreshInterval time.Duration) string {
|
|
|
+ return createClusterProviderPushSecretWithRefreshAndMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, refreshInterval, nil)
|
|
|
}
|
|
|
|
|
|
func createClusterProviderPushSecretWithMetadata(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string, metadata *apiextensionsv1.JSON) string {
|
|
|
+ return createClusterProviderPushSecretWithRefreshAndMetadata(f, namespace, clusterProviderName, sourceSecretName, remoteSecretName, defaultV2RefreshInterval, metadata)
|
|
|
+}
|
|
|
+
|
|
|
+func createClusterProviderPushSecretWithRefreshAndMetadata(f *framework.Framework, namespace, clusterProviderName, sourceSecretName, remoteSecretName string, refreshInterval time.Duration, metadata *apiextensionsv1.JSON) string {
|
|
|
pushSecretName := fmt.Sprintf("%s-push-secret", remoteSecretName)
|
|
|
Expect(f.CRClient.Create(context.Background(), &esv1alpha1.PushSecret{
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
@@ -302,7 +424,7 @@ func createClusterProviderPushSecretWithMetadata(f *framework.Framework, namespa
|
|
|
Namespace: namespace,
|
|
|
},
|
|
|
Spec: esv1alpha1.PushSecretSpec{
|
|
|
- RefreshInterval: &metav1.Duration{Duration: defaultV2RefreshInterval},
|
|
|
+ RefreshInterval: &metav1.Duration{Duration: refreshInterval},
|
|
|
SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{{
|
|
|
Name: clusterProviderName,
|
|
|
Kind: esv1.ClusterProviderKindStr,
|