pushsecret_controller_test.go 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package pushsecret
  13. import (
  14. "bytes"
  15. "context"
  16. "fmt"
  17. "os"
  18. "strconv"
  19. "time"
  20. . "github.com/onsi/ginkgo/v2"
  21. . "github.com/onsi/gomega"
  22. v1 "k8s.io/api/core/v1"
  23. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  24. "k8s.io/apimachinery/pkg/types"
  25. "sigs.k8s.io/controller-runtime/pkg/client"
  26. v1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
  27. v1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  28. ctest "github.com/external-secrets/external-secrets/pkg/controllers/commontest"
  29. "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
  30. )
  31. var (
  32. fakeProvider *fake.Client
  33. timeout = time.Second * 10
  34. interval = time.Millisecond * 250
  35. )
  36. type testCase struct {
  37. store v1beta1.GenericStore
  38. pushsecret *v1alpha1.PushSecret
  39. secret *v1.Secret
  40. assert func(pushsecret *v1alpha1.PushSecret, secret *v1.Secret) bool
  41. }
  42. func init() {
  43. fakeProvider = fake.New()
  44. v1beta1.ForceRegister(fakeProvider, &v1beta1.SecretStoreProvider{
  45. Fake: &v1beta1.FakeProvider{},
  46. })
  47. }
  48. func checkCondition(status v1alpha1.PushSecretStatus, cond v1alpha1.PushSecretStatusCondition) bool {
  49. for _, condition := range status.Conditions {
  50. if condition.Message == cond.Message &&
  51. condition.Reason == cond.Reason &&
  52. condition.Status == cond.Status &&
  53. condition.Type == cond.Type {
  54. return true
  55. }
  56. }
  57. return false
  58. }
  59. type testTweaks func(*testCase)
  60. var _ = Describe("ExternalSecret controller", func() {
  61. const (
  62. PushSecretName = "test-es"
  63. PushSecretFQDN = "externalsecrets.external-secrets.io/test-es"
  64. PushSecretStore = "test-store"
  65. SecretName = "test-secret"
  66. PushSecretTargetSecretName = "test-secret"
  67. FakeManager = "fake.manager"
  68. expectedSecretVal = "SOMEVALUE was templated"
  69. targetPropObj = "{{ .targetProperty | toString | upper }} was templated"
  70. FooValue = "map-foo-value"
  71. BarValue = "map-bar-value"
  72. )
  73. var PushSecretNamespace string
  74. // if we are in debug and need to increase the timeout for testing, we can do so by using an env var
  75. if customTimeout := os.Getenv("TEST_CUSTOM_TIMEOUT_SEC"); customTimeout != "" {
  76. if t, err := strconv.Atoi(customTimeout); err == nil {
  77. timeout = time.Second * time.Duration(t)
  78. }
  79. }
  80. BeforeEach(func() {
  81. var err error
  82. PushSecretNamespace, err = ctest.CreateNamespace("test-ns", k8sClient)
  83. Expect(err).ToNot(HaveOccurred())
  84. fakeProvider.Reset()
  85. })
  86. AfterEach(func() {
  87. Expect(k8sClient.Delete(context.Background(), &v1.Namespace{
  88. ObjectMeta: metav1.ObjectMeta{
  89. Name: PushSecretNamespace,
  90. },
  91. })).To(Succeed())
  92. k8sClient.Delete(context.Background(), &v1beta1.SecretStore{
  93. ObjectMeta: metav1.ObjectMeta{
  94. Name: PushSecretStore,
  95. Namespace: PushSecretNamespace,
  96. },
  97. })
  98. k8sClient.Delete(context.Background(), &v1beta1.ClusterSecretStore{
  99. ObjectMeta: metav1.ObjectMeta{
  100. Name: PushSecretStore,
  101. },
  102. })
  103. k8sClient.Delete(context.Background(), &v1.Secret{
  104. ObjectMeta: metav1.ObjectMeta{
  105. Name: SecretName,
  106. Namespace: PushSecretNamespace,
  107. },
  108. })
  109. })
  110. makeDefaultTestcase := func() *testCase {
  111. return &testCase{
  112. pushsecret: &v1alpha1.PushSecret{
  113. ObjectMeta: metav1.ObjectMeta{
  114. Name: PushSecretName,
  115. Namespace: PushSecretNamespace,
  116. },
  117. Spec: v1alpha1.PushSecretSpec{
  118. SecretStoreRefs: []v1alpha1.PushSecretStoreRef{
  119. {
  120. Name: PushSecretStore,
  121. Kind: "SecretStore",
  122. },
  123. },
  124. Selector: v1alpha1.PushSecretSelector{
  125. Secret: v1alpha1.PushSecretSecret{
  126. Name: SecretName,
  127. },
  128. },
  129. Data: []v1alpha1.PushSecretData{
  130. {
  131. Match: v1alpha1.PushSecretMatch{
  132. SecretKey: "key",
  133. RemoteRef: v1alpha1.PushSecretRemoteRef{
  134. RemoteKey: "path/to/key",
  135. },
  136. },
  137. },
  138. },
  139. },
  140. },
  141. secret: &v1.Secret{
  142. ObjectMeta: metav1.ObjectMeta{
  143. Name: SecretName,
  144. Namespace: PushSecretNamespace,
  145. },
  146. Data: map[string][]byte{
  147. "key": []byte("value"),
  148. },
  149. },
  150. store: &v1beta1.SecretStore{
  151. ObjectMeta: metav1.ObjectMeta{
  152. Name: PushSecretStore,
  153. Namespace: PushSecretNamespace,
  154. },
  155. TypeMeta: metav1.TypeMeta{
  156. Kind: "SecretStore",
  157. },
  158. Spec: v1beta1.SecretStoreSpec{
  159. Provider: &v1beta1.SecretStoreProvider{
  160. Fake: &v1beta1.FakeProvider{
  161. Data: []v1beta1.FakeProviderData{},
  162. },
  163. },
  164. },
  165. },
  166. }
  167. }
  168. // if target Secret name is not specified it should use the ExternalSecret name.
  169. syncSuccessfully := func(tc *testCase) {
  170. fakeProvider.SetSecretFn = func() error {
  171. return nil
  172. }
  173. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  174. Eventually(func() bool {
  175. By("checking if Provider value got updated")
  176. secretValue := secret.Data["key"]
  177. providerValue, ok := fakeProvider.SetSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey]
  178. if !ok {
  179. return false
  180. }
  181. got := providerValue.Value
  182. return bytes.Equal(got, secretValue)
  183. }, time.Second*10, time.Second).Should(BeTrue())
  184. return true
  185. }
  186. }
  187. // if target Secret name is not specified it should use the ExternalSecret name.
  188. syncAndDeleteSuccessfully := func(tc *testCase) {
  189. fakeProvider.SetSecretFn = func() error {
  190. return nil
  191. }
  192. tc.pushsecret = &v1alpha1.PushSecret{
  193. ObjectMeta: metav1.ObjectMeta{
  194. Name: PushSecretName,
  195. Namespace: PushSecretNamespace,
  196. },
  197. Spec: v1alpha1.PushSecretSpec{
  198. DeletionPolicy: v1alpha1.PushSecretDeletionPolicyDelete,
  199. SecretStoreRefs: []v1alpha1.PushSecretStoreRef{
  200. {
  201. Name: PushSecretStore,
  202. Kind: "SecretStore",
  203. },
  204. },
  205. Selector: v1alpha1.PushSecretSelector{
  206. Secret: v1alpha1.PushSecretSecret{
  207. Name: SecretName,
  208. },
  209. },
  210. Data: []v1alpha1.PushSecretData{
  211. {
  212. Match: v1alpha1.PushSecretMatch{
  213. SecretKey: "key",
  214. RemoteRef: v1alpha1.PushSecretRemoteRef{
  215. RemoteKey: "path/to/key",
  216. },
  217. },
  218. },
  219. },
  220. },
  221. }
  222. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  223. ps.Spec.Data[0].Match.RemoteRef.RemoteKey = "different-key"
  224. updatedPS := &v1alpha1.PushSecret{}
  225. Expect(k8sClient.Update(context.Background(), ps, &client.UpdateOptions{})).Should(Succeed())
  226. Eventually(func() bool {
  227. psKey := types.NamespacedName{Name: PushSecretName, Namespace: PushSecretNamespace}
  228. By("checking if Provider value got updated")
  229. err := k8sClient.Get(context.Background(), psKey, updatedPS)
  230. if err != nil {
  231. return false
  232. }
  233. key, ok := updatedPS.Status.SyncedPushSecrets[fmt.Sprintf("SecretStore/%v", PushSecretStore)]["different-key"]
  234. if !ok {
  235. return false
  236. }
  237. return key.Match.SecretKey == "key"
  238. }, time.Second*10, time.Second).Should(BeTrue())
  239. return true
  240. }
  241. }
  242. // if target Secret name is not specified it should use the ExternalSecret name.
  243. syncMatchingLabels := func(tc *testCase) {
  244. fakeProvider.SetSecretFn = func() error {
  245. return nil
  246. }
  247. tc.pushsecret = &v1alpha1.PushSecret{
  248. ObjectMeta: metav1.ObjectMeta{
  249. Name: PushSecretName,
  250. Namespace: PushSecretNamespace,
  251. },
  252. Spec: v1alpha1.PushSecretSpec{
  253. SecretStoreRefs: []v1alpha1.PushSecretStoreRef{
  254. {
  255. LabelSelector: &metav1.LabelSelector{
  256. MatchLabels: map[string]string{
  257. "foo": "bar",
  258. },
  259. },
  260. Kind: "SecretStore",
  261. },
  262. },
  263. Selector: v1alpha1.PushSecretSelector{
  264. Secret: v1alpha1.PushSecretSecret{
  265. Name: SecretName,
  266. },
  267. },
  268. Data: []v1alpha1.PushSecretData{
  269. {
  270. Match: v1alpha1.PushSecretMatch{
  271. SecretKey: "key",
  272. RemoteRef: v1alpha1.PushSecretRemoteRef{
  273. RemoteKey: "path/to/key",
  274. },
  275. },
  276. },
  277. },
  278. },
  279. }
  280. tc.store = &v1beta1.SecretStore{
  281. TypeMeta: metav1.TypeMeta{
  282. Kind: "SecretStore",
  283. },
  284. ObjectMeta: metav1.ObjectMeta{
  285. Name: PushSecretStore,
  286. Namespace: PushSecretNamespace,
  287. Labels: map[string]string{
  288. "foo": "bar",
  289. },
  290. },
  291. Spec: v1beta1.SecretStoreSpec{
  292. Provider: &v1beta1.SecretStoreProvider{
  293. Fake: &v1beta1.FakeProvider{
  294. Data: []v1beta1.FakeProviderData{},
  295. },
  296. },
  297. },
  298. }
  299. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  300. secretValue := secret.Data["key"]
  301. providerValue := fakeProvider.SetSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey].Value
  302. expected := v1alpha1.PushSecretStatusCondition{
  303. Type: v1alpha1.PushSecretReady,
  304. Status: v1.ConditionTrue,
  305. Reason: v1alpha1.ReasonSynced,
  306. Message: "PushSecret synced successfully",
  307. }
  308. return bytes.Equal(secretValue, providerValue) && checkCondition(ps.Status, expected)
  309. }
  310. }
  311. syncWithClusterStore := func(tc *testCase) {
  312. fakeProvider.SetSecretFn = func() error {
  313. return nil
  314. }
  315. tc.store = &v1beta1.ClusterSecretStore{
  316. TypeMeta: metav1.TypeMeta{
  317. Kind: "ClusterSecretStore",
  318. },
  319. ObjectMeta: metav1.ObjectMeta{
  320. Name: PushSecretStore,
  321. },
  322. Spec: v1beta1.SecretStoreSpec{
  323. Provider: &v1beta1.SecretStoreProvider{
  324. Fake: &v1beta1.FakeProvider{
  325. Data: []v1beta1.FakeProviderData{},
  326. },
  327. },
  328. },
  329. }
  330. tc.pushsecret.Spec.SecretStoreRefs[0].Kind = "ClusterSecretStore"
  331. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  332. secretValue := secret.Data["key"]
  333. providerValue := fakeProvider.SetSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey].Value
  334. expected := v1alpha1.PushSecretStatusCondition{
  335. Type: v1alpha1.PushSecretReady,
  336. Status: v1.ConditionTrue,
  337. Reason: v1alpha1.ReasonSynced,
  338. Message: "PushSecret synced successfully",
  339. }
  340. return bytes.Equal(secretValue, providerValue) && checkCondition(ps.Status, expected)
  341. }
  342. }
  343. // if target Secret name is not specified it should use the ExternalSecret name.
  344. syncWithClusterStoreMatchingLabels := func(tc *testCase) {
  345. fakeProvider.SetSecretFn = func() error {
  346. return nil
  347. }
  348. tc.pushsecret = &v1alpha1.PushSecret{
  349. ObjectMeta: metav1.ObjectMeta{
  350. Name: PushSecretName,
  351. Namespace: PushSecretNamespace,
  352. },
  353. Spec: v1alpha1.PushSecretSpec{
  354. SecretStoreRefs: []v1alpha1.PushSecretStoreRef{
  355. {
  356. LabelSelector: &metav1.LabelSelector{
  357. MatchLabels: map[string]string{
  358. "foo": "bar",
  359. },
  360. },
  361. Kind: "ClusterSecretStore",
  362. },
  363. },
  364. Selector: v1alpha1.PushSecretSelector{
  365. Secret: v1alpha1.PushSecretSecret{
  366. Name: SecretName,
  367. },
  368. },
  369. Data: []v1alpha1.PushSecretData{
  370. {
  371. Match: v1alpha1.PushSecretMatch{
  372. SecretKey: "key",
  373. RemoteRef: v1alpha1.PushSecretRemoteRef{
  374. RemoteKey: "path/to/key",
  375. },
  376. },
  377. },
  378. },
  379. },
  380. }
  381. tc.store = &v1beta1.ClusterSecretStore{
  382. ObjectMeta: metav1.ObjectMeta{
  383. Name: PushSecretStore,
  384. Labels: map[string]string{
  385. "foo": "bar",
  386. },
  387. },
  388. Spec: v1beta1.SecretStoreSpec{
  389. Provider: &v1beta1.SecretStoreProvider{
  390. Fake: &v1beta1.FakeProvider{
  391. Data: []v1beta1.FakeProviderData{},
  392. },
  393. },
  394. },
  395. }
  396. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  397. secretValue := secret.Data["key"]
  398. providerValue := fakeProvider.SetSecretArgs[ps.Spec.Data[0].Match.RemoteRef.RemoteKey].Value
  399. expected := v1alpha1.PushSecretStatusCondition{
  400. Type: v1alpha1.PushSecretReady,
  401. Status: v1.ConditionTrue,
  402. Reason: v1alpha1.ReasonSynced,
  403. Message: "PushSecret synced successfully",
  404. }
  405. return bytes.Equal(secretValue, providerValue) && checkCondition(ps.Status, expected)
  406. }
  407. }
  408. // if target Secret name is not specified it should use the ExternalSecret name.
  409. failNoSecret := func(tc *testCase) {
  410. fakeProvider.SetSecretFn = func() error {
  411. return nil
  412. }
  413. tc.secret = nil
  414. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  415. expected := v1alpha1.PushSecretStatusCondition{
  416. Type: v1alpha1.PushSecretReady,
  417. Status: v1.ConditionFalse,
  418. Reason: v1alpha1.ReasonErrored,
  419. Message: "could not get source secret",
  420. }
  421. return checkCondition(ps.Status, expected)
  422. }
  423. }
  424. // if target Secret name is not specified it should use the ExternalSecret name.
  425. failNoSecretKey := func(tc *testCase) {
  426. fakeProvider.SetSecretFn = func() error {
  427. return nil
  428. }
  429. tc.pushsecret.Spec.Data[0].Match.SecretKey = "unexisting"
  430. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  431. expected := v1alpha1.PushSecretStatusCondition{
  432. Type: v1alpha1.PushSecretReady,
  433. Status: v1.ConditionFalse,
  434. Reason: v1alpha1.ReasonErrored,
  435. Message: "set secret failed: secret key unexisting does not exist",
  436. }
  437. return checkCondition(ps.Status, expected)
  438. }
  439. }
  440. // if target Secret name is not specified it should use the ExternalSecret name.
  441. failNoSecretStore := func(tc *testCase) {
  442. fakeProvider.SetSecretFn = func() error {
  443. return nil
  444. }
  445. tc.store = nil
  446. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  447. expected := v1alpha1.PushSecretStatusCondition{
  448. Type: v1alpha1.PushSecretReady,
  449. Status: v1.ConditionFalse,
  450. Reason: v1alpha1.ReasonErrored,
  451. Message: "could not get SecretStore \"test-store\", secretstores.external-secrets.io \"test-store\" not found",
  452. }
  453. return checkCondition(ps.Status, expected)
  454. }
  455. }
  456. // if target Secret name is not specified it should use the ExternalSecret name.
  457. failNoClusterStore := func(tc *testCase) {
  458. fakeProvider.SetSecretFn = func() error {
  459. return nil
  460. }
  461. tc.store = nil
  462. tc.pushsecret.Spec.SecretStoreRefs[0].Kind = "ClusterSecretStore"
  463. tc.pushsecret.Spec.SecretStoreRefs[0].Name = "unexisting"
  464. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  465. expected := v1alpha1.PushSecretStatusCondition{
  466. Type: v1alpha1.PushSecretReady,
  467. Status: v1.ConditionFalse,
  468. Reason: v1alpha1.ReasonErrored,
  469. Message: "could not get ClusterSecretStore \"unexisting\", clustersecretstores.external-secrets.io \"unexisting\" not found",
  470. }
  471. return checkCondition(ps.Status, expected)
  472. }
  473. } // if target Secret name is not specified it should use the ExternalSecret name.
  474. setSecretFail := func(tc *testCase) {
  475. fakeProvider.SetSecretFn = func() error {
  476. return fmt.Errorf("boom")
  477. }
  478. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  479. expected := v1alpha1.PushSecretStatusCondition{
  480. Type: v1alpha1.PushSecretReady,
  481. Status: v1.ConditionFalse,
  482. Reason: v1alpha1.ReasonErrored,
  483. Message: "set secret failed: could not write remote ref key to target secretstore test-store: boom",
  484. }
  485. return checkCondition(ps.Status, expected)
  486. }
  487. }
  488. // if target Secret name is not specified it should use the ExternalSecret name.
  489. newClientFail := func(tc *testCase) {
  490. fakeProvider.NewFn = func(context.Context, v1beta1.GenericStore, client.Client, string) (v1beta1.SecretsClient, error) {
  491. return nil, fmt.Errorf("boom")
  492. }
  493. tc.assert = func(ps *v1alpha1.PushSecret, secret *v1.Secret) bool {
  494. expected := v1alpha1.PushSecretStatusCondition{
  495. Type: v1alpha1.PushSecretReady,
  496. Status: v1.ConditionFalse,
  497. Reason: v1alpha1.ReasonErrored,
  498. Message: "set secret failed: could not get secrets client for store test-store: could not start secrets client",
  499. }
  500. return checkCondition(ps.Status, expected)
  501. }
  502. }
  503. DescribeTable("When reconciling a PushSecret",
  504. func(tweaks ...testTweaks) {
  505. tc := makeDefaultTestcase()
  506. for _, tweak := range tweaks {
  507. tweak(tc)
  508. }
  509. ctx := context.Background()
  510. By("creating a secret store, secret and pushsecret")
  511. if tc.store != nil {
  512. Expect(k8sClient.Create(ctx, tc.store)).To(Succeed())
  513. }
  514. if tc.secret != nil {
  515. Expect(k8sClient.Create(ctx, tc.secret)).To(Succeed())
  516. }
  517. if tc.pushsecret != nil {
  518. Expect(k8sClient.Create(ctx, tc.pushsecret)).Should(Succeed())
  519. }
  520. time.Sleep(2 * time.Second)
  521. psKey := types.NamespacedName{Name: PushSecretName, Namespace: PushSecretNamespace}
  522. createdPS := &v1alpha1.PushSecret{}
  523. By("checking the pushSecret condition")
  524. Eventually(func() bool {
  525. err := k8sClient.Get(ctx, psKey, createdPS)
  526. if err != nil {
  527. return false
  528. }
  529. return tc.assert(createdPS, tc.secret)
  530. }, timeout, interval).Should(BeTrue())
  531. // this must be optional so we can test faulty es configuration
  532. },
  533. Entry("should sync", syncSuccessfully),
  534. Entry("should delete if DeletionPolicy=Delete", syncAndDeleteSuccessfully),
  535. Entry("should sync to stores matching labels", syncMatchingLabels),
  536. Entry("should sync with ClusterStore", syncWithClusterStore),
  537. Entry("should sync with ClusterStore matching labels", syncWithClusterStoreMatchingLabels),
  538. Entry("should fail if Secret is not created", failNoSecret),
  539. Entry("should fail if Secret Key does not exist", failNoSecretKey),
  540. Entry("should fail if SetSecret fails", setSecretFail),
  541. Entry("should fail if no valid SecretStore", failNoSecretStore),
  542. Entry("should fail if no valid ClusterSecretStore", failNoClusterStore),
  543. Entry("should fail if NewClient fails", newClientFail),
  544. )
  545. })