forked from volck/raven
-
Notifications
You must be signed in to change notification settings - Fork 0
/
k8s_test.go
executable file
·382 lines (333 loc) · 11.5 KB
/
k8s_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
package main
import (
"context"
"fmt"
log "github.com/sirupsen/logrus"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
testclient "k8s.io/client-go/kubernetes/fake"
"strings"
"testing"
)
func TestCreatek8sSecretWithMissingDataField(t *testing.T) {
t.Parallel()
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "kv",
}
// make testable secrets for cluster
secrets := map[string]interface{}{
"data": nil,
"metadata": nil,
}
_, err := client.Logical().Write("kv/data/secret", secrets)
if err != nil {
log.WithFields(log.Fields{"error": err}).Error("Could not get list of secrets for kubernetes namespace")
}
singleSecret := getSingleKV(client, "kv", "secret")
k8sSecret := createK8sSecret("secret", config, singleSecret)
fmt.Println("k8sSecret created successfully without any fields", k8sSecret)
}
func TestCreatek8sSecret(t *testing.T) {
t.Parallel()
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "kv",
}
// make testable secrets for cluster
secrets := map[string]interface{}{
"data": map[string]interface{}{"secretKey": "secretValue"},
"metadata": map[string]interface{}{"version": 2},
}
_, err := client.Logical().Write("kv/data/secret", secrets)
if err != nil {
log.WithFields(log.Fields{"error": err}).Error("Could not get list of secrets for kubernetes namespace")
}
singleSecret := getSingleKV(client, "kv", "secret")
k8sSecret := createK8sSecret("secret", config, singleSecret)
if k8sSecret.Data == nil && k8sSecret.StringData == nil {
t.Fatal("k8sSecret nil, data not loaded")
}
fmt.Println("k8sSecret", k8sSecret)
}
func TestInitKubernetesConfig(t *testing.T) {
Clientset := testclient.NewSimpleClientset()
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "default",
pemFile: "cert.pem",
Clientset: Clientset,
}
metaforone := metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
}
objectmetaforone := metav1.ObjectMeta{
Name: "secret",
Labels: applyRavenLabels(),
}
metafortwo := metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
}
objectmetafortwo := metav1.ObjectMeta{
Name: "secrettwo",
Labels: applyRavenLabels(),
}
var secretOne = v1.Secret{
TypeMeta: metaforone,
ObjectMeta: objectmetaforone,
}
var secretTwo = v1.Secret{
TypeMeta: metafortwo,
ObjectMeta: objectmetafortwo,
Immutable: nil,
Data: nil,
StringData: nil,
Type: "",
}
_, err := Clientset.CoreV1().Secrets("default").Create(context.TODO(), &secretOne, metav1.CreateOptions{})
if err != nil {
fmt.Println("testing failed, err", err)
}
_, err = Clientset.CoreV1().Secrets("default").Create(context.TODO(), &secretTwo, metav1.CreateOptions{})
if err != nil {
fmt.Println("testing failed, err", err)
}
fmt.Println(kubernetesSecretList(Clientset, config.destEnv))
}
func TestCreatek8sSecretwWithBase64Data(t *testing.T) {
// init client
t.Parallel()
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "kv",
}
//create base64Datasecret
b64DataSecret := map[string]interface{}{
"data": map[string]interface{}{"b64secretData": `base64:LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZWekNDQXorZ0F3SUJBZ0lKQU9MTEw2V2Va
b0VrTUEwR0NTcUdTSWIzRFFFQkN3VUFNRUl4Q3pBSkJnTlYKQkFZVEFsaFlNUlV3RXdZRFZRUUhE
QXhFWldaaGRXeDBJRU5wZEhreEhEQWFCZ05WQkFvTUUwUmxabUYxYkhRZwpRMjl0Y0dGdWVTQk1k
R1F3SGhjTk1qRXdOekF4TURVek16UXpXaGNOTWpJd056QXhNRFV6TXpReldqQkNNUXN3CkNRWURW
UVFHRXdKWVdERVZNQk1HQTFVRUJ3d01SR1ZtWVhWc2RDQkRhWFI1TVJ3d0dnWURWUVFLREJORVpX
WmgKZFd4MElFTnZiWEJoYm5rZ1RIUmtNSUlDSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQWc4QU1J
SUNDZ0tDQWdFQQp0bGpEVEhibkJ0NlNJcDBRMW01RC9tbW9MdnJoeWJRRDFBa1VHTDVrSjhZcmdZ
OG5JSjM2bWRxemhma3dlcVViCkRPUzhOcEpzcHhjdlgyZWlRS1k5TWM1Vm9xa25FMC9lM1doRWdK
RndYYmRqREppdUlLNS8vcjFPM1NpKzArSWUKRUo1WWx3OWFYR0lJOWs0V1d0REFMMktlY1JrNWc5
VFlmTzdwRjd4TGRjUlhCcWNIbCszbUxDVnFQYXFpNEY3bgpnVDhwRjBtOG9HOHdCMXNvNzN1RFlt
NkRJd0VTVk55VytBL21oMGRZbk8rTHZaVURCb1pFaUcxMUdXTDY1bzBXClJwejZ1STYwRTR0NEVP
ZEt1UFBwM0FueHVHWnk5TzlZTWdJVHpUQjFSazJOOGxPT25jRzZtanRTN0cyZFRhOEMKVVJxc2pu
RldxZEpLRHNsTFhhWk05eEo3d3pVeStpaE5SKy91UEZKSXpEVXlFMVRNQjZGSDdLcysrQ0lzTm9N
VwpydFN4ckM4MlZ2UTdVSkViaGJ5azRqNXhWSzhWYk43M0dJOXNwN21mR0dBQnJKT2RkYTU5R0Yx
bUJHYllsMHdWCndvY2lIanozWjhMWXZKNXpCQjNSS1JGT1NGUXc3RTI3QzR0dXNXNTk3T2Z5MCta
R0VqQnR0QTZwV25BZjMzZ2sKTVVQMTYwczdTTGJ1dUNER2l2VmhDNlhkMDBJbTh0NGFmRUwxYmx6
M2tWd3pKR1ZMME94OFlSaUpROUY5czYycwpvRHdJNERPWHN5dTV2dUkxRmVXSVRRendxdnpXZjJR
VkM3NmVyR21xa00zcFdnUURtVHoyalNzbCt3ZS9BK1dCCmtUY0RiYXFuVWN6d0RUM2pMeXRleFVR
KzFpcUIxb3VjeXA0UUk5RnJ3ajhDQXdFQUFhTlFNRTR3SFFZRFZSME8KQkJZRUZPamk5SWJIVzFx
VFEwWHFyQlBHLzY2MlBJYkFNQjhHQTFVZEl3UVlNQmFBRk9qaTlJYkhXMXFUUTBYcQpyQlBHLzY2
MlBJYkFNQXdHQTFVZEV3UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFDdXQvVmMw
CktLK0tPQ0xNU0JxbnFzaUppZW1FdUpEYXlKMFp3akpQT3JjSXJtY1FvcTdJODJDZ1pEeEMvK3Uy
aXVLc0JzU2oKMHF1aWpLRVhvcDg2QjkwZWFBVjUwcXRtZHpiNW84YTdwTFF2MmxHUGhreHVVcTR6
Ylk4Rkx4ZmhmMnBhQk5YTgpHM0ZPZU9wMkgxSWJkSWZyOVptL0x1UjkwQmJ3Mmh3SkVKSFNiTjZl
STE3ZFJwaVBFdlVuY09kS0M5Z1dFdVd2CjVNMkU5c1creS9TOU1LSEdkSWJCNjBLMjA1WjZrS1hx
ckNnWlg5Q1NNc3YwUDNoaFVqQmFCQWtmV0hQUU9BdVUKSG5yb2J5UG9kMmltN1RwZXdMZ1VvM1V5
UlVXT2lxdjNaMjZpZnZLNS8xNzJKaHFBRVpTTFQ3N095YkZIdzdPMApLc1VCVlBlQ3huWlhQNGlx
eWhYNHRoMkpXUHljaXlqTXB4TzhSd3hYKzBhVnErZnJYZmNrM0laalRqOSt4blI2Cld5RnlGVVZP
Z2VhOElzRXZReVo5WllOUVJKYWxkYnhZb0N5eGs1NFYydTdIdDUyU2hJWEtaam5INms3YVBTa2MK
c1FuUEc0THJRell3K3d1REtPTDZNZXpSbURsYzhvaHo5MVZrem9JVytxcXY5VTBUS3hjWCtGN01X
YkJCNjBoQgpVcVJoejVzY2Zmem5pdUJqNHJzdkcvQlRlR2NFVnZzSVZwRE5oRmF2OFNUaWYzNVB0
L1drYUxSaTh4OWVObElXCmRQZTc2anNVVHFMeTBDeVVtSDZDWk5ObTVKUVlIRzlBd3hUUkJiMCtU
Ri9YQklaeCtFU1VOcUlDR0JrV0hvNDUKZEpGM0UvN09NellDT1hEQ3lNR1lQZzBMQlJGNEJBM2tW
emxMCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
`},
"metadata": map[string]interface{}{"version": 2},
}
// write testobject
_, err := client.Logical().Write("kv/data/b64data", b64DataSecret)
if err != nil {
log.WithFields(log.Fields{"error": err}).Error("client.Logical().Write(\"kv/data/b64data\", b64DataSecret)")
}
singleSecret := getSingleKV(client, "kv", "b64data")
k8sSecret := createK8sSecret("b64data", config, singleSecret)
for _, v := range k8sSecret.Data {
if strings.Contains(string(v), "base64") {
t.Fatal("base64 not trimmed")
}
}
}
func TestCleanKubernetes(t *testing.T) {
Clientset := testclient.NewSimpleClientset()
metaforone := metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
}
objectmetaforone := metav1.ObjectMeta{
Name: "secret",
Labels: applyRavenLabels(),
}
metafortwo := metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
}
objectmetafortwo := metav1.ObjectMeta{
Name: "secrettwo",
Labels: applyRavenLabels(),
}
var secretOne = v1.Secret{
TypeMeta: metaforone,
ObjectMeta: objectmetaforone,
}
var secretTwo = v1.Secret{
TypeMeta: metafortwo,
ObjectMeta: objectmetafortwo,
Immutable: nil,
Data: nil,
StringData: nil,
Type: "",
}
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "default",
pemFile: "cert.pem",
Clientset: Clientset,
}
_, err := config.Clientset.CoreV1().Secrets("default").Create(context.TODO(), &secretOne, metav1.CreateOptions{})
if err != nil {
fmt.Println("testing failed, err", err)
}
_, err = config.Clientset.CoreV1().Secrets("default").Create(context.TODO(), &secretTwo, metav1.CreateOptions{})
if err != nil {
fmt.Println("testing failed, err", err)
}
secretName := "secret"
secretNameTwo := "secrettwo"
generateTestSecrets(t, client, config, secretName)
generateTestSecrets(t, client, config, secretNameTwo)
PreviousKV, err := getAllKVs(client, config)
if err != nil {
fmt.Println(err)
}
previousKV := PreviousKV.Data["keys"].([]interface{})
persistVaultChanges(previousKV, client, config)
previouskvlst := mySecretList
deleteTestSecrets(t, client, config, secretName)
newKV, err := getAllKVs(client, config)
if err != nil {
fmt.Println(err)
}
newkvlst := newKV.Data["keys"].([]interface{})
persistVaultChanges(newkvlst,client, config )
picked := PickRipeSecrets(previouskvlst, mySecretList)
fmt.Println(picked, len(picked))
k8slistPre, err := kubernetesSecretList(Clientset, config.destEnv)
if err != nil {
fmt.Println("k8slist error", err)
}
kubernetesRemove(picked, k8slistPre, Clientset, config.destEnv)
k8slistAfter, err := kubernetesSecretList(Clientset, config.destEnv)
if k8slistPre == k8slistAfter {
fmt.Printf("pre: %v\n after: %v\n", k8slistPre, k8slistAfter)
t.Error("there is no difference between cluster snapshots. i.e. secrets were not deleted")
} else {
fmt.Printf("pre: %v\n after: %v\n. list should not match", k8slistPre.Items, k8slistAfter.Items)
}
}
func TestMonitorForSecret_find_secret(t *testing.T) {
Clientset := testclient.NewSimpleClientset()
metaforone := metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
}
objectmetaforone := metav1.ObjectMeta{
Name: "secret",
Labels: applyRavenLabels(),
}
metafortwo := metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
}
objectmetafortwo := metav1.ObjectMeta{
Name: "secrettwo",
Labels: applyRavenLabels(),
}
var secretOne = v1.Secret{
TypeMeta: metaforone,
ObjectMeta: objectmetaforone,
}
var secretTwo = v1.Secret{
TypeMeta: metafortwo,
ObjectMeta: objectmetafortwo,
Immutable: nil,
Data: nil,
StringData: nil,
Type: "",
}
_, err := Clientset.CoreV1().Secrets("default").Create(context.TODO(), &secretOne, metav1.CreateOptions{})
if err != nil {
fmt.Println("testing failed, err", err)
}
_, err = Clientset.CoreV1().Secrets("default").Create(context.TODO(), &secretTwo, metav1.CreateOptions{})
if err != nil {
fmt.Println("testing failed, err", err)
}
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "default",
pemFile: "cert.pem",
Clientset: Clientset,
}
secretName := "secret"
secretNameTwo := "secrettwo"
generateTestSecrets(t, client, config, secretName)
generateTestSecrets(t, client, config, secretNameTwo)
initKubernetesSearch(secretName, config)
}
func TestMonitorForSecret_ShouldExpire(t *testing.T) {
Clientset := testclient.NewSimpleClientset()
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
client := cluster.Cores[0].Client
config := config{
vaultEndpoint: cluster.Cores[0].Client.Address(),
secretEngine: "kv",
token: client.Token(),
destEnv: "default",
pemFile: "cert.pem",
Clientset: Clientset,
}
secretName := "secret"
secretNameTwo := "secrettwo"
generateTestSecrets(t, client, config, secretName)
generateTestSecrets(t, client, config, secretNameTwo)
initKubernetesSearch(secretName, config)
}