vault.go 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. limitations under the License.
  10. */
  11. package vault
  12. import (
  13. "fmt"
  14. // nolint
  15. . "github.com/onsi/ginkgo/v2"
  16. v1 "k8s.io/api/core/v1"
  17. "github.com/external-secrets/external-secrets-e2e/framework"
  18. "github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
  19. esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  20. )
  21. const (
  22. withTokenAuth = "with token auth"
  23. withCertAuth = "with cert auth"
  24. withApprole = "with approle auth"
  25. withV1 = "with v1 provider"
  26. withJWT = "with jwt provider"
  27. withJWTK8s = "with jwt k8s provider"
  28. withK8s = "with kubernetes provider"
  29. withReferentAuth = "with referent provider"
  30. )
  31. var _ = Describe("[vault]", Label("vault"), func() {
  32. f := framework.New("eso-vault")
  33. prov := newVaultProvider(f)
  34. DescribeTable("sync secrets",
  35. framework.TableFunc(f, prov),
  36. // uses token auth
  37. framework.Compose(withTokenAuth, f, common.FindByName, useTokenAuth),
  38. framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useTokenAuth),
  39. framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useTokenAuth),
  40. framework.Compose(withTokenAuth, f, common.JSONDataFromRewrite, useTokenAuth),
  41. framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useTokenAuth),
  42. framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useTokenAuth),
  43. framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useTokenAuth),
  44. framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useTokenAuth),
  45. framework.Compose(withTokenAuth, f, common.SyncV1Alpha1, useTokenAuth),
  46. framework.Compose(withTokenAuth, f, common.DecodingPolicySync, useTokenAuth),
  47. // use cert auth
  48. framework.Compose(withCertAuth, f, common.FindByName, useCertAuth),
  49. framework.Compose(withCertAuth, f, common.FindByNameAndRewrite, useCertAuth),
  50. framework.Compose(withCertAuth, f, common.JSONDataFromSync, useCertAuth),
  51. framework.Compose(withCertAuth, f, common.JSONDataFromRewrite, useCertAuth),
  52. framework.Compose(withCertAuth, f, common.JSONDataWithProperty, useCertAuth),
  53. framework.Compose(withCertAuth, f, common.JSONDataWithTemplate, useCertAuth),
  54. framework.Compose(withCertAuth, f, common.DataPropertyDockerconfigJSON, useCertAuth),
  55. framework.Compose(withCertAuth, f, common.JSONDataWithoutTargetName, useCertAuth),
  56. // use approle auth
  57. framework.Compose(withApprole, f, common.FindByName, useApproleAuth),
  58. framework.Compose(withApprole, f, common.FindByNameAndRewrite, useApproleAuth),
  59. framework.Compose(withApprole, f, common.JSONDataFromSync, useApproleAuth),
  60. framework.Compose(withApprole, f, common.JSONDataFromRewrite, useApproleAuth),
  61. framework.Compose(withApprole, f, common.JSONDataWithProperty, useApproleAuth),
  62. framework.Compose(withApprole, f, common.JSONDataWithTemplate, useApproleAuth),
  63. framework.Compose(withApprole, f, common.DataPropertyDockerconfigJSON, useApproleAuth),
  64. framework.Compose(withApprole, f, common.JSONDataWithoutTargetName, useApproleAuth),
  65. // use v1 provider
  66. framework.Compose(withV1, f, common.JSONDataFromSync, useV1Provider),
  67. framework.Compose(withV1, f, common.JSONDataFromRewrite, useV1Provider),
  68. framework.Compose(withV1, f, common.JSONDataWithProperty, useV1Provider),
  69. framework.Compose(withV1, f, common.JSONDataWithTemplate, useV1Provider),
  70. framework.Compose(withV1, f, common.DataPropertyDockerconfigJSON, useV1Provider),
  71. framework.Compose(withV1, f, common.JSONDataWithoutTargetName, useV1Provider),
  72. // use jwt provider
  73. framework.Compose(withJWT, f, common.FindByName, useJWTProvider),
  74. framework.Compose(withJWT, f, common.FindByNameAndRewrite, useJWTProvider),
  75. framework.Compose(withJWT, f, common.JSONDataFromSync, useJWTProvider),
  76. framework.Compose(withJWT, f, common.JSONDataFromRewrite, useJWTProvider),
  77. framework.Compose(withJWT, f, common.JSONDataWithProperty, useJWTProvider),
  78. framework.Compose(withJWT, f, common.JSONDataWithTemplate, useJWTProvider),
  79. framework.Compose(withJWT, f, common.DataPropertyDockerconfigJSON, useJWTProvider),
  80. framework.Compose(withJWT, f, common.JSONDataWithoutTargetName, useJWTProvider),
  81. // use jwt k8s provider
  82. framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider),
  83. framework.Compose(withJWTK8s, f, common.JSONDataFromRewrite, useJWTK8sProvider),
  84. framework.Compose(withJWTK8s, f, common.JSONDataWithProperty, useJWTK8sProvider),
  85. framework.Compose(withJWTK8s, f, common.JSONDataWithTemplate, useJWTK8sProvider),
  86. framework.Compose(withJWTK8s, f, common.DataPropertyDockerconfigJSON, useJWTK8sProvider),
  87. framework.Compose(withJWTK8s, f, common.JSONDataWithoutTargetName, useJWTK8sProvider),
  88. // use kubernetes provider
  89. framework.Compose(withK8s, f, common.FindByName, useKubernetesProvider),
  90. framework.Compose(withK8s, f, common.FindByNameAndRewrite, useKubernetesProvider),
  91. framework.Compose(withK8s, f, common.JSONDataFromSync, useKubernetesProvider),
  92. framework.Compose(withK8s, f, common.JSONDataFromRewrite, useKubernetesProvider),
  93. framework.Compose(withK8s, f, common.JSONDataWithProperty, useKubernetesProvider),
  94. framework.Compose(withK8s, f, common.JSONDataWithTemplate, useKubernetesProvider),
  95. framework.Compose(withK8s, f, common.DataPropertyDockerconfigJSON, useKubernetesProvider),
  96. framework.Compose(withK8s, f, common.JSONDataWithoutTargetName, useKubernetesProvider),
  97. // use referent auth
  98. framework.Compose(withReferentAuth, f, common.JSONDataFromSync, useReferentAuth),
  99. // vault-specific test cases
  100. Entry("secret value via data without property should return json-encoded string", Label("json"), testJSONWithoutProperty),
  101. Entry("secret value via data with property should return json-encoded string", Label("json"), testJSONWithProperty),
  102. Entry("dataFrom without property should extract key/value pairs", Label("json"), testDataFromJSONWithoutProperty),
  103. Entry("dataFrom with property should extract key/value pairs", Label("json"), testDataFromJSONWithProperty),
  104. )
  105. })
  106. func useTokenAuth(tc *framework.TestCase) {
  107. tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name
  108. }
  109. func useCertAuth(tc *framework.TestCase) {
  110. tc.ExternalSecret.Spec.SecretStoreRef.Name = certAuthProviderName
  111. }
  112. func useApproleAuth(tc *framework.TestCase) {
  113. tc.ExternalSecret.Spec.SecretStoreRef.Name = appRoleAuthProviderName
  114. }
  115. func useV1Provider(tc *framework.TestCase) {
  116. tc.ExternalSecret.Spec.SecretStoreRef.Name = kvv1ProviderName
  117. }
  118. func useJWTProvider(tc *framework.TestCase) {
  119. tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtProviderName
  120. }
  121. func useJWTK8sProvider(tc *framework.TestCase) {
  122. tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
  123. }
  124. func useKubernetesProvider(tc *framework.TestCase) {
  125. tc.ExternalSecret.Spec.SecretStoreRef.Name = kubernetesProviderName
  126. }
  127. func useReferentAuth(tc *framework.TestCase) {
  128. tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework)
  129. tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
  130. }
  131. const jsonVal = `{"foo":{"nested":{"bar":"mysecret","baz":"bang"}}}`
  132. // when no property is set it should return the json-encoded at path.
  133. func testJSONWithoutProperty(tc *framework.TestCase) {
  134. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  135. tc.Secrets = map[string]framework.SecretEntry{
  136. secretKey: {Value: jsonVal},
  137. }
  138. tc.ExpectedSecret = &v1.Secret{
  139. Type: v1.SecretTypeOpaque,
  140. Data: map[string][]byte{
  141. secretKey: []byte(jsonVal),
  142. },
  143. }
  144. tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
  145. {
  146. SecretKey: secretKey,
  147. RemoteRef: esapi.ExternalSecretDataRemoteRef{
  148. Key: secretKey,
  149. },
  150. },
  151. }
  152. }
  153. // when property is set it should return the json-encoded at path.
  154. func testJSONWithProperty(tc *framework.TestCase) {
  155. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  156. expectedVal := `{"bar":"mysecret","baz":"bang"}`
  157. tc.Secrets = map[string]framework.SecretEntry{
  158. secretKey: {Value: jsonVal},
  159. }
  160. tc.ExpectedSecret = &v1.Secret{
  161. Type: v1.SecretTypeOpaque,
  162. Data: map[string][]byte{
  163. secretKey: []byte(expectedVal),
  164. },
  165. }
  166. tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
  167. {
  168. SecretKey: secretKey,
  169. RemoteRef: esapi.ExternalSecretDataRemoteRef{
  170. Key: secretKey,
  171. Property: "foo.nested",
  172. },
  173. },
  174. }
  175. }
  176. // when no property is set it should extract the key/value pairs at the given path
  177. // note: it should json-encode if a value contains nested data
  178. func testDataFromJSONWithoutProperty(tc *framework.TestCase) {
  179. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  180. tc.Secrets = map[string]framework.SecretEntry{
  181. secretKey: {Value: jsonVal},
  182. }
  183. tc.ExpectedSecret = &v1.Secret{
  184. Type: v1.SecretTypeOpaque,
  185. Data: map[string][]byte{
  186. "foo": []byte(`{"nested":{"bar":"mysecret","baz":"bang"}}`),
  187. },
  188. }
  189. tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
  190. {
  191. Extract: &esapi.ExternalSecretDataRemoteRef{
  192. Key: secretKey,
  193. },
  194. },
  195. }
  196. }
  197. // when property is set it should extract values with dataFrom at the given path.
  198. func testDataFromJSONWithProperty(tc *framework.TestCase) {
  199. secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
  200. tc.Secrets = map[string]framework.SecretEntry{
  201. secretKey: {Value: jsonVal},
  202. }
  203. tc.ExpectedSecret = &v1.Secret{
  204. Type: v1.SecretTypeOpaque,
  205. Data: map[string][]byte{
  206. "bar": []byte(`mysecret`),
  207. "baz": []byte(`bang`),
  208. },
  209. }
  210. tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
  211. {
  212. Extract: &esapi.ExternalSecretDataRemoteRef{
  213. Key: secretKey,
  214. Property: "foo.nested",
  215. },
  216. },
  217. }
  218. }