forked from bitnami-labs/sealed-secrets
Commit
Showing
5 changed files
with
488 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
// +build integration | ||
|
||
package integration | ||
|
||
import ( | ||
"crypto/rsa" | ||
"crypto/x509" | ||
"fmt" | ||
|
||
"k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/client-go/kubernetes/scheme" | ||
corev1 "k8s.io/client-go/kubernetes/typed/core/v1" | ||
certUtil "k8s.io/client-go/util/cert" | ||
|
||
ssv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealed-secrets/v1alpha1" | ||
ssclient "github.com/bitnami-labs/sealed-secrets/pkg/client/clientset/versioned" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
func getData(s *v1.Secret) map[string][]byte { | ||
return s.Data | ||
} | ||
|
||
func fetchKeys(c corev1.SecretsGetter) (*rsa.PrivateKey, []*x509.Certificate, error) { | ||
s, err := c.Secrets("kube-system").Get("sealed-secrets-key", metav1.GetOptions{}) | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
|
||
privKey, err := certUtil.ParsePrivateKeyPEM(s.Data[v1.TLSPrivateKeyKey]) | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
|
||
certs, err := certUtil.ParseCertsPEM(s.Data[v1.TLSCertKey]) | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
|
||
if len(certs) == 0 { | ||
return nil, nil, fmt.Errorf("Failed to read any certificates") | ||
} | ||
|
||
return privKey.(*rsa.PrivateKey), certs, nil | ||
} | ||
|
||
var _ = Describe("create", func() { | ||
var c corev1.CoreV1Interface | ||
var ssc ssclient.Interface | ||
var ns string | ||
const secretName = "testsecret" | ||
var ss *ssv1alpha1.SealedSecret | ||
var s *v1.Secret | ||
|
||
BeforeEach(func() { | ||
conf := clusterConfigOrDie() | ||
c = corev1.NewForConfigOrDie(conf) | ||
ssc = ssclient.NewForConfigOrDie(conf) | ||
ns = createNsOrDie(c, "create") | ||
s = &v1.Secret{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Namespace: ns, | ||
Name: secretName, | ||
}, | ||
Data: map[string][]byte{ | ||
"foo": []byte("bar"), | ||
}, | ||
} | ||
}) | ||
AfterEach(func() { | ||
deleteNsOrDie(c, ns) | ||
}) | ||
|
||
Describe("Simple change", func() { | ||
BeforeEach(func() { | ||
_, certs, err := fetchKeys(c) | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
ss, err = ssv1alpha1.NewSealedSecret(scheme.Codecs, certs[0].PublicKey.(*rsa.PublicKey), s) | ||
Expect(err).NotTo(HaveOccurred()) | ||
}) | ||
JustBeforeEach(func() { | ||
var err error | ||
ss, err = ssc.BitnamiV1alpha1().SealedSecrets(ns).Create(ss) | ||
Expect(err).NotTo(HaveOccurred()) | ||
}) | ||
|
||
Context("With no existing object (create)", func() { | ||
It("should produce expected Secret", func() { | ||
Eventually(func() (*v1.Secret, error) { | ||
return c.Secrets(ns).Get(secretName, metav1.GetOptions{}) | ||
}).Should(WithTransform(getData, Equal(s.Data))) | ||
}) | ||
}) | ||
}) | ||
}) |
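Review bot: `fetchKeys` always reads and parses the controller's private sealing key from `kube-system`, but the only caller visible in this file discards it (`_, certs, err := fetchKeys(c)`) and needs just the certificate. That requires the identity running the tests to hold read access to the key Secret and brings the private key into the test process for no benefit visible here; if other files in the commit do need the key, consider a separate cert-only helper that parses just `s.Data[v1.TLSCertKey]`. The final `privKey.(*rsa.PrivateKey)` is also an unchecked assertion that panics on a non-RSA key; `rsaKey, ok := privKey.(*rsa.PrivateKey)` followed by a returned error would fit the function's error-returning signature, and the same applies to `certs[0].PublicKey.(*rsa.PublicKey)` in the inner `BeforeEach`.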
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
// +build integration | ||
|
||
package integration | ||
|
||
import ( | ||
"bytes" | ||
"flag" | ||
"fmt" | ||
"io" | ||
"os/exec" | ||
"testing" | ||
|
||
"k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/runtime" | ||
"k8s.io/client-go/kubernetes/scheme" | ||
corev1 "k8s.io/client-go/kubernetes/typed/core/v1" | ||
"k8s.io/client-go/rest" | ||
"k8s.io/client-go/tools/clientcmd" | ||
|
||
ssv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealed-secrets/v1alpha1" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
|
||
// For client auth plugins | ||
_ "k8s.io/client-go/plugin/pkg/client/auth" | ||
) | ||
|
||
var kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file") | ||
var kubesealBin = flag.String("kubeseal-bin", "kubeseal", "path to kubeseal executable under test") | ||
|
||
func clusterConfigOrDie() *rest.Config { | ||
var config *rest.Config | ||
var err error | ||
|
||
if *kubeconfig != "" { | ||
config, err = clientcmd.BuildConfigFromFlags("", *kubeconfig) | ||
} else { | ||
config, err = rest.InClusterConfig() | ||
} | ||
if err != nil { | ||
panic(err.Error()) | ||
} | ||
|
||
return config | ||
} | ||
|
||
func createNsOrDie(c corev1.NamespacesGetter, ns string) string { | ||
result, err := c.Namespaces().Create( | ||
&v1.Namespace{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
GenerateName: ns, | ||
}, | ||
}) | ||
if err != nil { | ||
panic(err.Error()) | ||
} | ||
name := result.GetName() | ||
fmt.Fprintf(GinkgoWriter, "Created namespace %s\n", name) | ||
return name | ||
} | ||
|
||
func deleteNsOrDie(c corev1.NamespacesGetter, ns string) { | ||
err := c.Namespaces().Delete(ns, &metav1.DeleteOptions{}) | ||
if err != nil { | ||
panic(err.Error()) | ||
} | ||
} | ||
|
||
func containsString(haystack []string, needle string) bool { | ||
for _, s := range haystack { | ||
if s == needle { | ||
return true | ||
} | ||
} | ||
return false | ||
} | ||
|
||
func runKubeseal(flags []string, input io.Reader, output io.Writer) error { | ||
args := []string{} | ||
if *kubeconfig != "" && !containsString(flags, "--kubeconfig") { | ||
args = append(args, "--kubeconfig", *kubeconfig) | ||
} | ||
args = append(args, flags...) | ||
|
||
fmt.Fprintf(GinkgoWriter, "Running %q %q\n", *kubesealBin, args) | ||
cmd := exec.Command(*kubesealBin, args...) | ||
cmd.Stdin = input | ||
cmd.Stdout = output | ||
cmd.Stderr = GinkgoWriter | ||
|
||
return cmd.Run() | ||
} | ||
|
||
func runKubesealWith(flags []string, input runtime.Object) (runtime.Object, error) { | ||
enc := scheme.Codecs.LegacyCodec(v1.SchemeGroupVersion) | ||
indata, err := runtime.Encode(enc, input) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
fmt.Fprintf(GinkgoWriter, "kubeseal input:\n%s", indata) | ||
|
||
outbuf := bytes.Buffer{} | ||
|
||
if err := runKubeseal(flags, bytes.NewReader(indata), &outbuf); err != nil { | ||
return nil, err | ||
} | ||
|
||
fmt.Fprintf(GinkgoWriter, "kubeseal output:\n%s", outbuf.Bytes()) | ||
|
||
outputObj, err := runtime.Decode(scheme.Codecs.UniversalDecoder(ssv1alpha1.SchemeGroupVersion), outbuf.Bytes()) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return outputObj, nil | ||
} | ||
|
||
func TestE2e(t *testing.T) { | ||
RegisterFailHandler(Fail) | ||
RunSpecs(t, "sealed-secrets integration tests") | ||
} |
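Review bot: `runKubesealWith` writes the full encoded input object to `GinkgoWriter` (`"kubeseal input:\n%s"`), and for this helper the input is presumably the unsealed Secret, so its data (base64-encoded, not encrypted) ends up in test output whenever Ginkgo prints the buffer. The fixture visible in this commit is a dummy value, but the helper accepts any `runtime.Object`; logging only the size, e.g. `fmt.Fprintf(GinkgoWriter, "kubeseal input: %d bytes\n", len(indata))`, keeps the trace without the payload. A short doc comment on `runKubeseal` stating that `--kubeconfig` is prepended only when the caller did not already pass it would also help the next reader.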