vault.go 8.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. limitations under the License.
  10. */
  11. package vault
  12. import (
  13. "fmt"
  14. // nolint
  15. . "github.com/onsi/ginkgo/v2"
  16. v1 "k8s.io/api/core/v1"
  17. esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  18. "github.com/external-secrets/external-secrets/e2e/framework"
  19. "github.com/external-secrets/external-secrets/e2e/suites/provider/cases/common"
  20. )
  21. const (
  22. withTokenAuth = "with token auth"
  23. withCertAuth = "with cert auth"
  24. withApprole = "with approle auth"
  25. withV1 = "with v1 provider"
  26. withJWT = "with jwt provider"
  27. withJWTK8s = "with jwt k8s provider"
  28. withK8s = "with kubernetes provider"
  29. withReferentAuth = "with referent provider"
  30. )
  31. var _ = Describe("[vault]", Label("vault"), func() {
  32. f := framework.New("eso-vault")
  33. prov := newVaultProvider(f)
  34. DescribeTable("sync secrets",
  35. framework.TableFunc(f, prov),
  36. // uses token auth
  37. framework.Compose(withTokenAuth, f, common.FindByName, useTokenAuth),
  38. framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useTokenAuth),
  39. framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useTokenAuth),
  40. framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useTokenAuth),
  41. framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useTokenAuth),
  42. framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useTokenAuth),
  43. framework.Compose(withTokenAuth, f, common.SyncV1Alpha1, useTokenAuth),
  44. // use cert auth
  45. framework.Compose(withCertAuth, f, common.FindByName, useCertAuth),
  46. framework.Compose(withCertAuth, f, common.JSONDataFromSync, useCertAuth),
  47. framework.Compose(withCertAuth, f, common.JSONDataWithProperty, useCertAuth),
  48. framework.Compose(withCertAuth, f, common.JSONDataWithTemplate, useCertAuth),
  49. framework.Compose(withCertAuth, f, common.DataPropertyDockerconfigJSON, useCertAuth),
  50. framework.Compose(withCertAuth, f, common.JSONDataWithoutTargetName, useCertAuth),
  51. // use approle auth
  52. framework.Compose(withApprole, f, common.FindByName, useApproleAuth),
  53. framework.Compose(withApprole, f, common.JSONDataFromSync, useApproleAuth),
  54. framework.Compose(withApprole, f, common.JSONDataWithProperty, useApproleAuth),
  55. framework.Compose(withApprole, f, common.JSONDataWithTemplate, useApproleAuth),
  56. framework.Compose(withApprole, f, common.DataPropertyDockerconfigJSON, useApproleAuth),
  57. framework.Compose(withApprole, f, common.JSONDataWithoutTargetName, useApproleAuth),
  58. // use v1 provider
  59. framework.Compose(withV1, f, common.JSONDataFromSync, useV1Provider),
  60. framework.Compose(withV1, f, common.JSONDataWithProperty, useV1Provider),
  61. framework.Compose(withV1, f, common.JSONDataWithTemplate, useV1Provider),
  62. framework.Compose(withV1, f, common.DataPropertyDockerconfigJSON, useV1Provider),
  63. framework.Compose(withV1, f, common.JSONDataWithoutTargetName, useV1Provider),
  64. // use jwt provider
  65. framework.Compose(withJWT, f, common.FindByName, useJWTProvider),
  66. framework.Compose(withJWT, f, common.JSONDataFromSync, useJWTProvider),
  67. framework.Compose(withJWT, f, common.JSONDataWithProperty, useJWTProvider),
  68. framework.Compose(withJWT, f, common.JSONDataWithTemplate, useJWTProvider),
  69. framework.Compose(withJWT, f, common.DataPropertyDockerconfigJSON, useJWTProvider),
  70. framework.Compose(withJWT, f, common.JSONDataWithoutTargetName, useJWTProvider),
  71. // use jwt k8s provider
  72. framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider),
  73. framework.Compose(withJWTK8s, f, common.JSONDataWithProperty, useJWTK8sProvider),
  74. framework.Compose(withJWTK8s, f, common.JSONDataWithTemplate, useJWTK8sProvider),
  75. framework.Compose(withJWTK8s, f, common.DataPropertyDockerconfigJSON, useJWTK8sProvider),
  76. framework.Compose(withJWTK8s, f, common.JSONDataWithoutTargetName, useJWTK8sProvider),
  77. // use kubernetes provider
  78. framework.Compose(withK8s, f, common.FindByName, useKubernetesProvider),
  79. framework.Compose(withK8s, f, common.JSONDataFromSync, useKubernetesProvider),
  80. framework.Compose(withK8s, f, common.JSONDataWithProperty, useKubernetesProvider),
  81. framework.Compose(withK8s, f, common.JSONDataWithTemplate, useKubernetesProvider),
  82. framework.Compose(withK8s, f, common.DataPropertyDockerconfigJSON, useKubernetesProvider),
  83. framework.Compose(withK8s, f, common.JSONDataWithoutTargetName, useKubernetesProvider),
  84. // use referent auth
  85. framework.Compose(withReferentAuth, f, common.JSONDataFromSync, useReferentAuth),
  86. // vault-specific test cases
  87. Entry("secret value via data without property should return json-encoded string", Label("json"), testJSONWithoutProperty),
  88. Entry("secret value via data with property should return json-encoded string", Label("json"), testJSONWithProperty),
  89. Entry("dataFrom without property should extract key/value pairs", Label("json"), testDataFromJSONWithoutProperty),
  90. Entry("dataFrom with property should extract key/value pairs", Label("json"), testDataFromJSONWithProperty),
  91. )
  92. })
  93. func useTokenAuth(tc *framework.TestCase) {
  94. tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name
  95. }
  96. func useCertAuth(tc *framework.TestCase) {
  97. tc.ExternalSecret.Spec.SecretStoreRef.Name = certAuthProviderName
  98. }
  99. func useApproleAuth(tc *framework.TestCase) {
  100. tc.ExternalSecret.Spec.SecretStoreRef.Name = appRoleAuthProviderName
  101. }
  102. func useV1Provider(tc *framework.TestCase) {
  103. tc.ExternalSecret.Spec.SecretStoreRef.Name = kvv1ProviderName
  104. }
  105. func useJWTProvider(tc *framework.TestCase) {
  106. tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtProviderName
  107. }
  108. func useJWTK8sProvider(tc *framework.TestCase) {
  109. tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
  110. }
  111. func useKubernetesProvider(tc *framework.TestCase) {
  112. tc.ExternalSecret.Spec.SecretStoreRef.Name = kubernetesProviderName
  113. }
  114. func useReferentAuth(tc *framework.TestCase) {
  115. tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework)
  116. tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
  117. }
  118. const jsonVal = `{"foo":{"nested":{"bar":"mysecret","baz":"bang"}}}`
  119. // when no property is set it should return the json-encoded at path.
  120. func testJSONWithoutProperty(tc *framework.TestCase) {
  121. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  122. tc.Secrets = map[string]framework.SecretEntry{
  123. secretKey: {Value: jsonVal},
  124. }
  125. tc.ExpectedSecret = &v1.Secret{
  126. Type: v1.SecretTypeOpaque,
  127. Data: map[string][]byte{
  128. secretKey: []byte(jsonVal),
  129. },
  130. }
  131. tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
  132. {
  133. SecretKey: secretKey,
  134. RemoteRef: esapi.ExternalSecretDataRemoteRef{
  135. Key: secretKey,
  136. },
  137. },
  138. }
  139. }
  140. // when property is set it should return the json-encoded at path.
  141. func testJSONWithProperty(tc *framework.TestCase) {
  142. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  143. expectedVal := `{"bar":"mysecret","baz":"bang"}`
  144. tc.Secrets = map[string]framework.SecretEntry{
  145. secretKey: {Value: jsonVal},
  146. }
  147. tc.ExpectedSecret = &v1.Secret{
  148. Type: v1.SecretTypeOpaque,
  149. Data: map[string][]byte{
  150. secretKey: []byte(expectedVal),
  151. },
  152. }
  153. tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
  154. {
  155. SecretKey: secretKey,
  156. RemoteRef: esapi.ExternalSecretDataRemoteRef{
  157. Key: secretKey,
  158. Property: "foo.nested",
  159. },
  160. },
  161. }
  162. }
  163. // when no property is set it should extract the key/value pairs at the given path
  164. // note: it should json-encode if a value contains nested data
  165. func testDataFromJSONWithoutProperty(tc *framework.TestCase) {
  166. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  167. tc.Secrets = map[string]framework.SecretEntry{
  168. secretKey: {Value: jsonVal},
  169. }
  170. tc.ExpectedSecret = &v1.Secret{
  171. Type: v1.SecretTypeOpaque,
  172. Data: map[string][]byte{
  173. "foo": []byte(`{"nested":{"bar":"mysecret","baz":"bang"}}`),
  174. },
  175. }
  176. tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
  177. {
  178. Extract: &esapi.ExternalSecretDataRemoteRef{
  179. Key: secretKey,
  180. },
  181. },
  182. }
  183. }
  184. // when property is set it should extract values with dataFrom at the given path.
  185. func testDataFromJSONWithProperty(tc *framework.TestCase) {
  186. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  187. tc.Secrets = map[string]framework.SecretEntry{
  188. secretKey: {Value: jsonVal},
  189. }
  190. tc.ExpectedSecret = &v1.Secret{
  191. Type: v1.SecretTypeOpaque,
  192. Data: map[string][]byte{
  193. "bar": []byte(`mysecret`),
  194. "baz": []byte(`bang`),
  195. },
  196. }
  197. tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
  198. {
  199. Extract: &esapi.ExternalSecretDataRemoteRef{
  200. Key: secretKey,
  201. Property: "foo.nested",
  202. },
  203. },
  204. }
  205. }