logic855
/
helm-external-secrets
espejo de https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package framework

import (
	"context"
	"strings"
	"time"

	v1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/util/wait"
	"sigs.k8s.io/controller-runtime/pkg/client"

	//nolint
	"github.com/external-secrets/external-secrets-e2e/framework/log"
	"github.com/external-secrets/external-secrets-e2e/framework/util"
	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
)

var TargetSecretName = "target-secret"

const (
	createObjectRetryPollInterval = 250 * time.Millisecond
	createObjectRetryTimeout      = 30 * time.Second
)

// TestCase contains the test infra to run a table driven test.
type TestCase struct {
	Framework               *Framework
	ExternalSecret          *esv1.ExternalSecret
	PushSecret              *esv1alpha1.PushSecret
	PushSecretSource        *v1.Secret
	AdditionalObjects       []client.Object
	Secrets                 map[string]SecretEntry
	ExpectedSecret          *v1.Secret
	Prepare                 func(*TestCase, SecretStoreProvider)
	Cleanup                 func()
	ProviderOverride        SecretStoreProvider
	AfterSync               func(SecretStoreProvider, *v1.Secret)
	VerifyPushSecretOutcome func(ps *esv1alpha1.PushSecret, pushClient esv1.SecretsClient)
}

type SecretEntry struct {
	Value string
	Tags  map[string]string
}

// SecretStoreProvider is a interface that must be implemented
// by a provider that runs the e2e test.
type SecretStoreProvider interface {
	CreateSecret(key string, val SecretEntry)
	DeleteSecret(key string)
}

// TableFuncWithExternalSecret returns the main func that runs a TestCase in a table driven test.
func TableFuncWithExternalSecret(f *Framework, prov SecretStoreProvider) func(...func(*TestCase)) {
	return func(tweaks ...func(*TestCase)) {
		// make default test case
		// and apply customization to it
		tc := makeDefaultExternalSecretTestCase(f)
		for _, tweak := range tweaks {
			tweak(tc)
		}

		defer func() {
			if tc.Cleanup != nil {
				tc.Cleanup()
			}
		}()

		prov = prepareTestCase(tc, prov)

		// create secrets & defer delete
		var deferRemoveKeys []string
		for k, v := range tc.Secrets {
			key := k
			prov.CreateSecret(key, v)
			deferRemoveKeys = append(deferRemoveKeys, key)
		}

		defer func() {
			for _, k := range deferRemoveKeys {
				prov.DeleteSecret(k)
			}
		}()

		// create additional objects
		generateAdditionalObjects(tc)

		// create v1alpha1 external secret, if provided
		createProvidedExternalSecret(tc)

		// wait for Kind=Secret to have the expected data
		executeAfterSync(tc, f, prov)
	}
}

func executeAfterSync(tc *TestCase, f *Framework, prov SecretStoreProvider) {
	if tc.ExpectedSecret != nil {
		secret, err := tc.Framework.WaitForSecretValue(tc.Framework.Namespace.Name, externalSecretTargetName(tc), tc.ExpectedSecret)
		if err != nil {
			f.printESDebugLogs(tc.ExternalSecret.Name, tc.ExternalSecret.Namespace)
			log.Logf("Did not match. Expected: %+v, Got: %+v", tc.ExpectedSecret, secret)
		}

		Expect(err).ToNot(HaveOccurred())
		tc.AfterSync(prov, secret)
	} else {
		tc.AfterSync(prov, nil)
	}
}

func externalSecretTargetName(tc *TestCase) string {
	if tc == nil || tc.ExternalSecret == nil {
		return TargetSecretName
	}
	if tc.ExternalSecret.Spec.Target.Name != "" {
		return tc.ExternalSecret.Spec.Target.Name
	}
	if tc.ExternalSecret.Name != "" {
		return tc.ExternalSecret.Name
	}
	return TargetSecretName
}

func generateAdditionalObjects(tc *TestCase) {
	if tc.AdditionalObjects != nil {
		for _, obj := range tc.AdditionalObjects {
			err := tc.Framework.CreateObjectWithRetry(obj)
			Expect(err).ToNot(HaveOccurred())
		}
	}
}

func createProvidedExternalSecret(tc *TestCase) {
	if tc.ExternalSecret == nil {
		return
	}
	err := tc.Framework.CreateObjectWithRetry(tc.ExternalSecret)
	Expect(err).ToNot(HaveOccurred())
}

// TableFuncWithPushSecret returns the main func that runs a TestCase in a table driven test for push secrets.
func TableFuncWithPushSecret(f *Framework, prov SecretStoreProvider, pushClient esv1.SecretsClient) func(...func(*TestCase)) {
	return func(tweaks ...func(*TestCase)) {
		var err error

		// make default test case
		// and apply customization to it
		tc := makeDefaultPushSecretTestCase(f)
		for _, tweak := range tweaks {
			tweak(tc)
		}

		prov = prepareTestCase(tc, prov)

		// additional objects
		generateAdditionalObjects(tc)

		if tc.PushSecretSource != nil {
			err := tc.Framework.CreateObjectWithRetry(tc.PushSecretSource)
			Expect(err).ToNot(HaveOccurred())
		}

		// create v1alpha1 push secret, if provided
		if tc.PushSecret != nil {
			// create v1beta1 external secret otherwise
			err = tc.Framework.CreateObjectWithRetry(tc.PushSecret)
			Expect(err).ToNot(HaveOccurred())
		}

		// Run verification on the secret that push secret created or not.
		tc.VerifyPushSecretOutcome(tc.PushSecret, pushClient)
	}
}

func prepareTestCase(tc *TestCase, prov SecretStoreProvider) SecretStoreProvider {
	prov = effectiveTestCaseProvider(tc, prov)
	if tc.Prepare != nil {
		tc.Prepare(tc, prov)
	}
	return effectiveTestCaseProvider(tc, prov)
}

func effectiveTestCaseProvider(tc *TestCase, prov SecretStoreProvider) SecretStoreProvider {
	if tc.ProviderOverride != nil {
		return tc.ProviderOverride
	}
	return prov
}

func makeDefaultExternalSecretTestCase(f *Framework) *TestCase {
	return &TestCase{
		AfterSync: func(ssp SecretStoreProvider, s *v1.Secret) {},
		Framework: f,
		ExternalSecret: &esv1.ExternalSecret{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "e2e-es",
				Namespace: f.Namespace.Name,
			},
			Spec: esv1.ExternalSecretSpec{
				RefreshInterval: &metav1.Duration{Duration: time.Second * 5},
				SecretStoreRef: esv1.SecretStoreRef{
					Name: f.Namespace.Name,
					Kind: f.DefaultSecretStoreRefKind,
				},
				Target: esv1.ExternalSecretTarget{
					Name: TargetSecretName,
				},
			},
		},
	}
}

func makeDefaultPushSecretTestCase(f *Framework) *TestCase {
	return &TestCase{
		Framework: f,
		PushSecret: &esv1alpha1.PushSecret{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "e2e-ps",
				Namespace: f.Namespace.Name,
			},
			Spec: esv1alpha1.PushSecretSpec{
				RefreshInterval: &metav1.Duration{Duration: time.Second * 5},
				SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{
					{
						Name:       f.Namespace.Name,
						Kind:       f.DefaultPushSecretStoreRefKind,
						APIVersion: f.DefaultPushSecretStoreRefAPIVersion,
					},
				},
			},
		},
	}
}

func (f *Framework) CreateObjectWithRetry(obj client.Object) error {
	return f.CreateObjectWithRetryContext(GinkgoT().Context(), obj)
}

func (f *Framework) CreateObjectWithRetryContext(ctx context.Context, obj client.Object) error {
	return wait.PollUntilContextTimeout(ctx, createObjectRetryPollInterval, createObjectRetryTimeout, true, func(ctx context.Context) (bool, error) {
		err := f.CRClient.Create(ctx, obj)
		switch {
		case err == nil, apierrors.IsAlreadyExists(err):
			return true, nil
		case isRetryableCreateObjectError(err):
			if f.KubeConfig != nil {
				f.refreshClients()
			}
			return false, nil
		default:
			return false, err
		}
	})
}

func createObjectWithRetryPolling(ctx context.Context, c client.Client, obj client.Object, pollInterval, timeout time.Duration) error {
	return wait.PollUntilContextTimeout(ctx, pollInterval, timeout, true, func(ctx context.Context) (bool, error) {
		err := c.Create(ctx, obj)
		switch {
		case err == nil, apierrors.IsAlreadyExists(err):
			return true, nil
		case isRetryableCreateObjectError(err):
			return false, nil
		default:
			return false, err
		}
	})
}

func isRetryableCreateObjectError(err error) bool {
	if util.IsMissingAPIResourceError(err) {
		return true
	}
	if apierrors.IsNotFound(err) && strings.Contains(err.Error(), "could not find the requested resource") {
		return true
	}

	if !(apierrors.IsInternalError(err) || apierrors.IsServiceUnavailable(err)) {
		return false
	}

	msg := strings.ToLower(err.Error())
	return strings.Contains(msg, "failed calling webhook") &&
		(strings.Contains(msg, "connection refused") || strings.Contains(msg, "no endpoints available"))
}