
Commit bfb5ed2

feat: add e2e test for naming conventions enforcement (#412)
Co-authored-by: Nabil BENDAFI <[email protected]>
1 parent bc59f08 commit bfb5ed2


1 file changed

+110
-43
lines changed


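--- a/e2e/tests/secrets-manager.test.js
+++ b/e2e/tests/secrets-manager.test.js
@@ -142,65 +142,132 @@ describe('secretsmanager', async () => {
 body: {
 metadata: {
 annotations: {
-'iam.amazonaws.com/permitted': '.*'
+'iam.amazonaws.com/permitted': '.*',
+'externalsecrets.kubernetes-client.io/permitted-key-name': '.*'
 }
 }
 }
 })
 })
 
-it('should not pull from secretsmanager', async () => {
-let result = await createSecret({
-Name: `e2e/${uuid}/tls/permitted`,
-SecretString: '{"crt":"foo","key":"bar"}'
-}).catch(err => {
-expect(err).to.equal(null)
+describe('assuming role', async () => {
+it('should not pull from secretsmanager', async () => {
+let result = await createSecret({
+Name: `e2e/${uuid}/tls/permitted`,
+SecretString: '{"crt":"foo","key":"bar"}'
+}).catch(err => {
+expect(err).to.equal(null)
+})
+
+result = await kubeClient
+.apis[customResourceManifest.spec.group]
+.v1.namespaces('default')[customResourceManifest.spec.names.plural]
+.post({
+body: {
+apiVersion: 'kubernetes-client.io/v1',
+kind: 'ExternalSecret',
+metadata: {
+name: `e2e-secretmanager-permitted-tls-${uuid}`
+},
+spec: {
+backendType: 'secretsManager',
+type: 'kubernetes.io/tls',
+// this should not be allowed
+roleArn: 'let-me-be-root',
+data: [
+{
+key: `e2e/${uuid}/tls/permitted`,
+property: 'crt',
+name: 'tls.crt'
+},
+{
+key: `e2e/${uuid}/tls/permitted`,
+property: 'key',
+name: 'tls.key'
+}
+]
+}
+}
+})
+
+expect(result).to.not.equal(undefined)
+expect(result.statusCode).to.equal(201)
+
+const secret = await waitForSecret('default', `e2e-secretmanager-permitted-tls-${uuid}`)
+expect(secret).to.equal(undefined)
+
+result = await kubeClient
+.apis[customResourceManifest.spec.group]
+.v1.namespaces('default')
+.externalsecrets(`e2e-secretmanager-permitted-tls-${uuid}`)
+.get()
+expect(result).to.not.equal(undefined)
+expect(result.body.status.status).to.contain('namespace does not allow to assume role let-me-be-root')
 })
+})
 
-result = await kubeClient
-.apis[customResourceManifest.spec.group]
-.v1.namespaces('default')[customResourceManifest.spec.names.plural]
-.post({
+describe('enforcing naming convention', async () => {
+it('should not pull from secretsmanager', async () => {
+await kubeClient.api.v1.namespaces('default').patch({
 body: {
-apiVersion: 'kubernetes-client.io/v1',
-kind: 'ExternalSecret',
 metadata: {
-name: `e2e-secretmanager-permitted-tls-${uuid}`
-},
-spec: {
-backendType: 'secretsManager',
-type: 'kubernetes.io/tls',
-// this should not be allowed
-roleArn: 'let-me-be-root',
-data: [
-{
-key: `e2e/${uuid}/tls/permitted`,
-property: 'crt',
-name: 'tls.crt'
-},
-{
-key: `e2e/${uuid}/tls/permitted`,
-property: 'key',
-name: 'tls.key'
-}
-]
+annotations: {
+'iam.amazonaws.com/permitted': '.*',
+'externalsecrets.kubernetes-client.io/permitted-key-name': '/permitted/path/.*'
+}
 }
 }
 })
 
-expect(result).to.not.equal(undefined)
-expect(result.statusCode).to.equal(201)
+let result = await createSecret({
+Name: `e2e/${uuid}/another_credentials`,
+SecretString: '{"username":"foo","password":"bar"}'
+}).catch(err => {
+expect(err).to.equal(null)
+})
+
+result = await kubeClient
+.apis[customResourceManifest.spec.group]
+.v1.namespaces('default')[customResourceManifest.spec.names.plural]
+.post({
+body: {
+apiVersion: 'kubernetes-client.io/v1',
+kind: 'ExternalSecret',
+metadata: {
+name: `e2e-secretmanager-permitted-key-${uuid}`
+},
+spec: {
+backendType: 'secretsManager',
+data: [
+{
+key: `e2e/${uuid}/another_credentials`,
+property: 'password',
+name: 'password'
+},
+{
+key: `e2e/${uuid}/another_credentials`,
+property: 'username',
+name: 'username'
+}
+]
+}
+}
+})
+
+expect(result).to.not.equal(undefined)
+expect(result.statusCode).to.equal(201)
 
-const secret = await waitForSecret('default', `e2e-secretmanager-permitted-tls-${uuid}`)
-expect(secret).to.equal(undefined)
+const secret = await waitForSecret('default', `e2e-secretmanager-permitted-key-${uuid}`)
+expect(secret).to.equal(undefined)
 
-result = await kubeClient
-.apis[customResourceManifest.spec.group]
-.v1.namespaces('default')
-.externalsecrets(`e2e-secretmanager-permitted-tls-${uuid}`)
-.get()
-expect(result).to.not.equal(undefined)
-expect(result.body.status.status).to.contain('namespace does not allow to assume role let-me-be-root')
+result = await kubeClient
+.apis[customResourceManifest.spec.group]
+.v1.namespaces('default')
+.externalsecrets(`e2e-secretmanager-permitted-key-${uuid}`)
+.get()
+expect(result).to.not.equal(undefined)
+expect(result.body.status.status).to.contain(`key name e2e/${uuid}/another_credentials does not match naming convention /permitted/path/.*`)
+})
 })
 })
 })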
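Review bot: The 'enforcing naming convention' block only proves the deny path (new lines 222-269); nothing checks that a key matching `/permitted/path/.*` is still synced, so a regression that rejects every key would pass this suite unnoticed. Add a companion `it` that creates a secret whose name matches the annotation, posts an ExternalSecret for it, and asserts that `waitForSecret` resolves to the synced Secret rather than `undefined`. The namespace patch at new line 211 narrows `permitted-key-name` to `/permitted/path/.*` and never restores it; unless the hook at the top of the hunk that sets it back to `'.*'` is a `beforeEach` (its declaration is outside the hunk), later tests in the same namespace inherit the narrower pattern, so an `afterEach` restoring the annotation would make the test self-contained. Both `it` titles are 'should not pull from secretsmanager'; renaming the second to `it('should reject a key that violates the namespace naming convention', async () => {` makes a failure report identify which guard broke.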
