198 lines
6.6 KiB
Go
198 lines
6.6 KiB
Go
/*
|
|
Copyright 2021 The Flux authors
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package controller
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/fluxcd/pkg/apis/meta"
|
|
sourcev1 "github.com/fluxcd/source-controller/api/v1"
|
|
"github.com/hashicorp/vault/api"
|
|
. "github.com/onsi/gomega"
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
|
|
kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1"
|
|
)
|
|
|
|
func TestKustomizationReconciler_Decryptor(t *testing.T) {
|
|
g := NewWithT(t)
|
|
|
|
cli, err := api.NewClient(api.DefaultConfig())
|
|
g.Expect(err).NotTo(HaveOccurred(), "failed to create vault client")
|
|
|
|
// create a master key on the vault transit engine
|
|
path, data := "sops/keys/vault", map[string]interface{}{"type": "rsa-4096"}
|
|
_, err = cli.Logical().Write(path, data)
|
|
g.Expect(err).NotTo(HaveOccurred(), "failed to write key")
|
|
|
|
// encrypt the testdata vault secret
|
|
cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/vault", "--encrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
|
|
err = cmd.Run()
|
|
g.Expect(err).NotTo(HaveOccurred(), "failed to encrypt file")
|
|
|
|
// defer the testdata vault secret decryption, to leave a clean testdata vault secret
|
|
defer func() {
|
|
cmd := exec.Command("sops", "--hc-vault-transit", cli.Address()+"/v1/sops/keys/firstkey", "--decrypt", "--encrypted-regex", "^(data|stringData)$", "--in-place", "./testdata/sops/algorithms/vault.yaml")
|
|
err = cmd.Run()
|
|
}()
|
|
|
|
id := "sops-" + randStringRunes(5)
|
|
|
|
err = createNamespace(id)
|
|
g.Expect(err).NotTo(HaveOccurred(), "failed to create test namespace")
|
|
|
|
err = createKubeConfigSecret(id)
|
|
g.Expect(err).NotTo(HaveOccurred(), "failed to create kubeconfig secret")
|
|
|
|
artifactName := "sops-" + randStringRunes(5)
|
|
artifactChecksum, err := testServer.ArtifactFromDir("testdata/sops", artifactName)
|
|
g.Expect(err).ToNot(HaveOccurred())
|
|
|
|
repositoryName := types.NamespacedName{
|
|
Name: fmt.Sprintf("sops-%s", randStringRunes(5)),
|
|
Namespace: id,
|
|
}
|
|
|
|
err = applyGitRepository(repositoryName, artifactName, "main/"+artifactChecksum)
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
|
|
pgpKey, err := os.ReadFile("testdata/sops/keys/pgp.asc")
|
|
g.Expect(err).ToNot(HaveOccurred())
|
|
ageKey, err := os.ReadFile("testdata/sops/keys/age.txt")
|
|
g.Expect(err).ToNot(HaveOccurred())
|
|
|
|
sopsSecretKey := types.NamespacedName{
|
|
Name: "sops-" + randStringRunes(5),
|
|
Namespace: id,
|
|
}
|
|
sopsSecret := &corev1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: sopsSecretKey.Name,
|
|
Namespace: sopsSecretKey.Namespace,
|
|
},
|
|
StringData: map[string]string{
|
|
"pgp.asc": string(pgpKey),
|
|
"age.agekey": string(ageKey),
|
|
"sops.vault-token": "secret",
|
|
},
|
|
}
|
|
|
|
g.Expect(k8sClient.Create(context.Background(), sopsSecret)).To(Succeed())
|
|
|
|
kustomizationKey := types.NamespacedName{
|
|
Name: fmt.Sprintf("sops-%s", randStringRunes(5)),
|
|
Namespace: id,
|
|
}
|
|
kustomization := &kustomizev1.Kustomization{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: kustomizationKey.Name,
|
|
Namespace: kustomizationKey.Namespace,
|
|
},
|
|
Spec: kustomizev1.KustomizationSpec{
|
|
Interval: metav1.Duration{Duration: 2 * time.Minute},
|
|
Path: "./",
|
|
KubeConfig: &meta.KubeConfigReference{
|
|
SecretRef: meta.SecretKeyReference{
|
|
Name: "kubeconfig",
|
|
},
|
|
},
|
|
SourceRef: kustomizev1.CrossNamespaceSourceReference{
|
|
Name: repositoryName.Name,
|
|
Namespace: repositoryName.Namespace,
|
|
Kind: sourcev1.GitRepositoryKind,
|
|
},
|
|
Decryption: &kustomizev1.Decryption{
|
|
Provider: "sops",
|
|
SecretRef: &meta.LocalObjectReference{
|
|
Name: sopsSecretKey.Name,
|
|
},
|
|
},
|
|
TargetNamespace: id,
|
|
},
|
|
}
|
|
g.Expect(k8sClient.Create(context.TODO(), kustomization)).To(Succeed())
|
|
|
|
g.Eventually(func() bool {
|
|
var obj kustomizev1.Kustomization
|
|
_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), &obj)
|
|
return obj.Status.LastAppliedRevision == "main/"+artifactChecksum
|
|
}, timeout, time.Second).Should(BeTrue())
|
|
|
|
t.Run("decrypts SOPS secrets", func(t *testing.T) {
|
|
g := NewWithT(t)
|
|
|
|
secretNames := []string{
|
|
"sops-algo-age",
|
|
"sops-algo-pgp",
|
|
"sops-algo-vault",
|
|
"sops-component",
|
|
"sops-envs-secret",
|
|
"sops-files-secret",
|
|
"sops-inside-secret",
|
|
"sops-remote-secret",
|
|
}
|
|
for _, name := range secretNames {
|
|
var secret corev1.Secret
|
|
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &secret)).To(Succeed())
|
|
g.Expect(string(secret.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on secret %s", name))
|
|
}
|
|
|
|
configMapNames := []string{
|
|
"sops-envs-configmap",
|
|
"sops-files-configmap",
|
|
"sops-remote-configmap",
|
|
}
|
|
for _, name := range configMapNames {
|
|
var configMap corev1.ConfigMap
|
|
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: id}, &configMap)).To(Succeed())
|
|
g.Expect(string(configMap.Data["key"])).To(Equal("value"), fmt.Sprintf("failed on configmap %s", name))
|
|
}
|
|
|
|
var patchedSecret corev1.Secret
|
|
g.Expect(k8sClient.Get(context.TODO(), types.NamespacedName{Name: "sops-patches-secret", Namespace: id}, &patchedSecret)).To(Succeed())
|
|
g.Expect(string(patchedSecret.Data["key"])).To(Equal("merge1"))
|
|
g.Expect(string(patchedSecret.Data["merge2"])).To(Equal("merge2"))
|
|
})
|
|
|
|
t.Run("does not emit change events for identical secrets", func(t *testing.T) {
|
|
g := NewWithT(t)
|
|
|
|
resultK := &kustomizev1.Kustomization{}
|
|
revision := "v2.0.0"
|
|
err = applyGitRepository(repositoryName, artifactName, revision)
|
|
g.Expect(err).NotTo(HaveOccurred())
|
|
|
|
g.Eventually(func() bool {
|
|
_ = k8sClient.Get(context.Background(), client.ObjectKeyFromObject(kustomization), resultK)
|
|
return resultK.Status.LastAppliedRevision == revision
|
|
}, timeout, time.Second).Should(BeTrue())
|
|
|
|
events := getEvents(resultK.GetName(), map[string]string{"kustomize.toolkit.fluxcd.io/revision": revision})
|
|
g.Expect(len(events)).To(BeIdenticalTo(1))
|
|
g.Expect(events[0].Message).Should(ContainSubstring("Reconciliation finished"))
|
|
g.Expect(events[0].Message).ShouldNot(ContainSubstring("configured"))
|
|
})
|
|
}
|