@@ -29,6 +29,9 @@ const (
2929 case9EncryptionSecretName = "policy-encryption-key"
3030 case9SecretName = "case9-secret"
3131 IVAnnotation = "policy.open-cluster-management.io/encryption-iv"
32+ case9PolicyNameCopy = "case9-test-policy-copy"
33+ case9PolicyYamlCopy = "../resources/case9_templates/case9-test-policy_copy.yaml"
34+ case9PolicyYamlCopiedRepl = "../resources/case9_templates/case9-test-replpolicy_copied-"
3235)
3336
3437var _ = Describe ("Test policy templates" , func () {
@@ -282,3 +285,150 @@ var _ = Describe("Test encrypted policy templates", func() {
282285 }
283286 })
284287})
288+
289+ var _ = Describe ("Test encrypted policy templates with secret copy" , func () {
290+ Describe ("Create policy, placement and referenced resource in ns: " + testNamespace , Ordered , func () {
291+ for i := 1 ; i <= 2 ; i ++ {
292+ managedCluster := "managed" + fmt .Sprint (i )
293+
294+ It ("should be created in user ns" , func () {
295+ By ("Creating " + case9PolicyYamlCopy )
296+ utils .Kubectl ("apply" ,
297+ "-f" , case9PolicyYamlCopy ,
298+ "-n" , testNamespace )
299+ plc := utils .GetWithTimeout (
300+ clientHubDynamic , gvrPolicy , case9PolicyNameCopy , testNamespace ,
301+ true , defaultTimeoutSeconds ,
302+ )
303+ Expect (plc ).NotTo (BeNil ())
304+ })
305+
306+ It ("should resolve templates and propagate to cluster ns " + managedCluster , func () {
307+ By ("Initializing AES Encryption Secret" )
308+ _ , err := utils .KubectlWithOutput ("apply" ,
309+ "-f" , case9EncryptionSecret ,
310+ "-n" , managedCluster )
311+ Expect (err ).To (BeNil ())
312+
313+ By ("Patching test-policy-plr with decision of cluster " + managedCluster )
314+ plr := utils .GetWithTimeout (
315+ clientHubDynamic , gvrPlacementRule , case9PolicyNameCopy + "-plr" , testNamespace ,
316+ true , defaultTimeoutSeconds ,
317+ )
318+ plr .Object ["status" ] = utils .GeneratePlrStatus (managedCluster )
319+ _ , err = clientHubDynamic .Resource (gvrPlacementRule ).Namespace (testNamespace ).UpdateStatus (
320+ context .TODO (), plr , metav1.UpdateOptions {},
321+ )
322+ Expect (err ).To (BeNil ())
323+
324+ var replicatedPlc * unstructured.Unstructured
325+ By ("Waiting for encrypted values" )
326+ Eventually (func () interface {} {
327+ replicatedPlc = utils .GetWithTimeout (
328+ clientHubDynamic ,
329+ gvrPolicy ,
330+ testNamespace + "." + case9PolicyNameCopy ,
331+ managedCluster ,
332+ true ,
333+ defaultTimeoutSeconds ,
334+ )
335+
336+ return fmt .Sprint (replicatedPlc .Object ["spec" ])
337+ }, defaultTimeoutSeconds , 1 ).Should (ContainSubstring ("$ocm_encrypted:" ))
338+
339+ By ("Patching the initialization vector with a static value" )
340+ // Setting Initialization Vector so that the test results will be deterministic
341+ initializationVector := "7cznVUq5SXEE4RMZNkGOrQ=="
342+ annotations := replicatedPlc .GetAnnotations ()
343+ annotations [IVAnnotation ] = initializationVector
344+ replicatedPlc .SetAnnotations (annotations )
345+ _ , err = clientHubDynamic .Resource (gvrPolicy ).Namespace (managedCluster ).Update (
346+ context .TODO (), replicatedPlc , metav1.UpdateOptions {},
347+ )
348+ Expect (err ).To (BeNil ())
349+
350+ By ("Verifying the replicated policy against a snapshot" )
351+ yamlPlc := utils .ParseYaml (case9PolicyYamlCopiedRepl + managedCluster + ".yaml" )
352+ Eventually (func () interface {} {
353+ replicatedPlc = utils .GetWithTimeout (
354+ clientHubDynamic ,
355+ gvrPolicy ,
356+ testNamespace + "." + case9PolicyNameCopy ,
357+ managedCluster ,
358+ true ,
359+ defaultTimeoutSeconds ,
360+ )
361+
362+ return replicatedPlc .Object ["spec" ]
363+ }, defaultTimeoutSeconds , 1 ).Should (utils .SemanticEqual (yamlPlc .Object ["spec" ]))
364+ })
365+
366+ It ("should reconcile when the secret referenced in the template is updated" , func () {
367+ By ("Updating the secret " + case9SecretName )
368+ newToken := "THVrZS4gSSBhbSB5b3VyIGZhdGhlci4="
369+ patch := []byte (`{"data": {"token": "` + newToken + `"}}` )
370+ _ , err := clientHub .CoreV1 ().Secrets (testNamespace ).Patch (
371+ context .TODO (), case9SecretName , types .StrategicMergePatchType , patch , metav1.PatchOptions {},
372+ )
373+ Expect (err ).To (BeNil ())
374+
375+ By ("Verifying the replicated policy was updated" )
376+ expected := "$ocm_encrypted:dbHPzG98PxV7RXcAx25mMGPBAUbfjJTEMyFc7kE2W7U3FW5+X31LkidHu/25ic4m"
377+ Eventually (func () string {
378+ replicatedPlc := utils .GetWithTimeout (
379+ clientHubDynamic ,
380+ gvrPolicy ,
381+ testNamespace + "." + case9PolicyNameCopy ,
382+ managedCluster ,
383+ true ,
384+ defaultTimeoutSeconds ,
385+ )
386+
387+ templates , _ , _ := unstructured .NestedSlice (replicatedPlc .Object , "spec" , "policy-templates" )
388+ if len (templates ) < 1 {
389+ return ""
390+ }
391+
392+ template , ok := templates [0 ].(map [string ]interface {})
393+ if ! ok {
394+ return ""
395+ }
396+
397+ objectTemplates , _ , _ := unstructured .NestedSlice (
398+ template , "objectDefinition" , "spec" , "object-templates" ,
399+ )
400+ if len (objectTemplates ) < 1 {
401+ return ""
402+ }
403+
404+ objectTemplate , ok := objectTemplates [0 ].(map [string ]interface {})
405+ if ! ok {
406+ return ""
407+ }
408+
409+ secretValue , _ , _ := unstructured .NestedString (
410+ objectTemplate , "objectDefinition" , "data" , "token" ,
411+ )
412+
413+ return secretValue
414+ }, defaultTimeoutSeconds , 1 ).Should (Equal (expected ))
415+ })
416+
417+ It ("should clean up the encryption key" , func () {
418+ utils .Kubectl ("delete" , "secret" ,
419+ case9EncryptionSecretName ,
420+ "-n" , managedCluster )
421+ utils .GetWithTimeout (
422+ clientHubDynamic , gvrSecret , case9EncryptionSecretName , managedCluster ,
423+ false , defaultTimeoutSeconds ,
424+ )
425+ })
426+
427+ It ("should clean up" , func () {
428+ utils .Kubectl ("delete" , "-f" , case9PolicyYamlCopy , "-n" , testNamespace )
429+ opt := metav1.ListOptions {}
430+ utils .ListWithTimeout (clientHubDynamic , gvrPolicy , opt , 0 , false , defaultTimeoutSeconds )
431+ })
432+ }
433+ })
434+ })
0 commit comments