From 82385a5aacd9f6839fddf703bfc8ed71f4c6c078 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 24 May 2022 15:41:57 -0700 Subject: [PATCH] refactor: add functions to get parameters and add constants (#896) * refactor: add functions to get parameters and add constants Signed-off-by: Anish Ramasekar * review feedback Signed-off-by: Anish Ramasekar --- pkg/provider/provider.go | 163 ++----- pkg/provider/provider_test.go | 13 +- pkg/provider/types/parameters.go | 83 ++++ pkg/provider/types/parameters_test.go | 583 ++++++++++++++++++++++++ pkg/provider/types/types.go | 84 ++++ test/e2e/auto_rotation_test.go | 52 +-- test/e2e/certificates_test.go | 34 +- test/e2e/custom_cloudenv_test.go | 20 +- test/e2e/key_test.go | 38 +- test/e2e/pod_identity_test.go | 20 +- test/e2e/secret_file_permission_test.go | 14 +- test/e2e/secret_test.go | 18 +- test/e2e/user_assigned_identity_test.go | 20 +- test/e2e/workload_identity_test.go | 22 +- 14 files changed, 923 insertions(+), 241 deletions(-) create mode 100644 pkg/provider/types/parameters.go create mode 100644 pkg/provider/types/parameters_test.go create mode 100644 pkg/provider/types/types.go diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index d8f9f5c39..0439cb0cf 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -21,6 +21,7 @@ import ( "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/auth" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/metrics" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/version" kv "github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault" @@ -37,33 +38,6 @@ var ( ConstructPEMChain = flag.Bool("construct-pem-chain", true, "explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT") ) -// Type of Azure Key Vault objects -const ( - // VaultObjectTypeSecret secret vault object type - VaultObjectTypeSecret string = "secret" - // VaultObjectTypeKey key vault object type - VaultObjectTypeKey string = "key" - // VaultObjectTypeCertificate certificate vault object type - VaultObjectTypeCertificate string = "cert" - - certTypePem = "application/x-pem-file" - certTypePfx = "application/x-pkcs12" - certificateType = "CERTIFICATE" - objectFormatPEM = "pem" - objectFormatPFX = "pfx" - objectEncodingHex = "hex" - objectEncodingBase64 = "base64" - objectEncodingUtf8 = "utf-8" - - // pod identity NMI port - // TODO (aramase) make this configurable during the provider deployment - podIdentityNMIPort = "2579" - - attributePodName = "csi.storage.k8s.io/pod.name" - attributePodNamespace = "csi.storage.k8s.io/pod.namespace" - attributeServiceAccountTokens = "csi.storage.k8s.io/serviceAccount.tokens" // nolint -) - // Provider implements the secrets-store-csi-driver provider interface type Provider struct { reporter metrics.StatsReporter @@ -85,40 +59,6 @@ type mountConfig struct { podNamespace string } -// KeyVaultObject holds keyvault object related config -type KeyVaultObject struct { - // the name of the Azure Key Vault objects - ObjectName string `json:"objectName" yaml:"objectName"` - // the filename the object will be written to - ObjectAlias string `json:"objectAlias" yaml:"objectAlias"` - // the version of the Azure Key Vault objects - ObjectVersion string `json:"objectVersion" yaml:"objectVersion"` - // the type of the Azure Key Vault objects - ObjectType string `json:"objectType" yaml:"objectType"` - // the format of the Azure Key Vault objects - // supported formats are PEM, PFX - ObjectFormat string `json:"objectFormat" yaml:"objectFormat"` - // The encoding of the object in KeyVault - // Supported encodings are Base64, Hex, Utf-8 - ObjectEncoding string `json:"objectEncoding" yaml:"objectEncoding"` - // FilePermission is the file permissions - FilePermission string `json:"filePermission" yaml:"filePermission"` -} - -// SecretFile holds content and metadata of a secret file -type SecretFile struct { - Content []byte - Path string - FileMode int32 - UID string - Version string -} - -// StringArray ... -type StringArray struct { - Array []string `json:"array" yaml:"array"` -} - // NewProvider creates a new provider func NewProvider() *Provider { return &Provider{ @@ -172,25 +112,32 @@ func (mc *mountConfig) getVaultURL() (vaultURL *string, err error) { // GetAuthorizer returns an Azure authorizer based on the provided azure identity func (mc *mountConfig) GetAuthorizer(ctx context.Context, resource string) (autorest.Authorizer, error) { - return mc.authConfig.GetAuthorizer(ctx, mc.podName, mc.podNamespace, resource, mc.azureCloudEnvironment.ActiveDirectoryEndpoint, mc.tenantID, podIdentityNMIPort) + return mc.authConfig.GetAuthorizer(ctx, mc.podName, mc.podNamespace, resource, mc.azureCloudEnvironment.ActiveDirectoryEndpoint, mc.tenantID, types.PodIdentityNMIPort) } // GetSecretsStoreObjectContent gets the objects (secret, key, certificate) from keyvault and returns the content // to the CSI driver. The driver will write the content to the file system. -func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, secrets map[string]string, targetPath string, defaultFilePermission os.FileMode) ([]SecretFile, error) { - keyvaultName := strings.TrimSpace(attrib["keyvaultName"]) - cloudName := strings.TrimSpace(attrib["cloudName"]) - usePodIdentityStr := strings.TrimSpace(attrib["usePodIdentity"]) - useVMManagedIdentityStr := strings.TrimSpace(attrib["useVMManagedIdentity"]) - userAssignedIdentityID := strings.TrimSpace(attrib["userAssignedIdentityID"]) - tenantID := strings.TrimSpace(attrib["tenantId"]) - cloudEnvFileName := strings.TrimSpace(attrib["cloudEnvFileName"]) - podName := strings.TrimSpace(attrib[attributePodName]) - podNamespace := strings.TrimSpace(attrib[attributePodNamespace]) +func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, secrets map[string]string, targetPath string, defaultFilePermission os.FileMode) ([]types.SecretFile, error) { + keyvaultName := types.GetKeyVaultName(attrib) + cloudName := types.GetCloudName(attrib) + userAssignedIdentityID := types.GetUserAssignedIdentityID(attrib) + tenantID := types.GetTenantID(attrib) + cloudEnvFileName := types.GetCloudEnvFileName(attrib) + podName := types.GetPodName(attrib) + podNamespace := types.GetPodNamespace(attrib) + + usePodIdentity, err := types.GetUsePodIdentity(attrib) + if err != nil { + return nil, fmt.Errorf("failed to parse usePodIdentity flag, error: %w", err) + } + useVMManagedIdentity, err := types.GetUseVMManagedIdentity(attrib) + if err != nil { + return nil, fmt.Errorf("failed to parse useVMManagedIdentity flag, error: %w", err) + } // attributes for workload identity - workloadIdentityClientID := strings.TrimSpace(attrib["clientID"]) - saTokens := strings.TrimSpace(attrib[attributeServiceAccountTokens]) + workloadIdentityClientID := types.GetClientID(attrib) + saTokens := types.GetServiceAccountTokens(attrib) if keyvaultName == "" { return nil, fmt.Errorf("keyvaultName is not set") @@ -198,20 +145,6 @@ func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, sec if tenantID == "" { return nil, fmt.Errorf("tenantId is not set") } - if len(usePodIdentityStr) == 0 { - usePodIdentityStr = "false" - } - usePodIdentity, err := strconv.ParseBool(usePodIdentityStr) - if err != nil { - return nil, fmt.Errorf("failed to parse usePodIdentity flag, error: %w", err) - } - if len(useVMManagedIdentityStr) == 0 { - useVMManagedIdentityStr = "false" - } - useVMManagedIdentity, err := strconv.ParseBool(useVMManagedIdentityStr) - if err != nil { - return nil, fmt.Errorf("failed to parse useVMManagedIdentity flag, error: %w", err) - } err = setAzureEnvironmentFilePath(cloudEnvFileName) if err != nil { @@ -244,21 +177,21 @@ func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, sec podNamespace: podNamespace, } - objectsStrings := attrib["objects"] + objectsStrings := types.GetObjects(attrib) if objectsStrings == "" { return nil, fmt.Errorf("objects is not set") } klog.V(2).InfoS("objects string defined in secret provider class", "objects", objectsStrings, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName}) - var objects StringArray - err = yaml.Unmarshal([]byte(objectsStrings), &objects) + objects, err := types.GetObjectsArray(objectsStrings) if err != nil { return nil, fmt.Errorf("failed to yaml unmarshal objects, error: %w", err) } klog.V(2).InfoS("unmarshaled objects yaml array", "objectsArray", objects.Array, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName}) - keyVaultObjects := []KeyVaultObject{} + + keyVaultObjects := []types.KeyVaultObject{} for i, object := range objects.Array { - var keyVaultObject KeyVaultObject + var keyVaultObject types.KeyVaultObject err = yaml.Unmarshal([]byte(object), &keyVaultObject) if err != nil { return nil, fmt.Errorf("unmarshal failed for keyVaultObjects at index %d, error: %w", i, err) @@ -286,7 +219,7 @@ func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, sec return nil, errors.Wrap(err, "failed to get keyvault client") } - files := []SecretFile{} + files := []types.SecretFile{} for _, keyVaultObject := range keyVaultObjects { klog.V(5).InfoS("fetching object from key vault", "objectName", keyVaultObject.ObjectName, "objectType", keyVaultObject.ObjectType, "keyvault", mc.keyvaultName, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName}) if err := validateObjectFormat(keyVaultObject.ObjectFormat, keyVaultObject.ObjectType); err != nil { @@ -324,7 +257,7 @@ func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, sec objectUID := getObjectUID(keyVaultObject.ObjectName, keyVaultObject.ObjectType) // these files will be returned to the CSI driver as part of gRPC response - files = append(files, SecretFile{ + files = append(files, types.SecretFile{ Path: fileName, Content: objectContent, FileMode: filePermission, @@ -338,7 +271,7 @@ func (p *Provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, sec } // GetKeyVaultObjectContent get content of the keyvault object -func (p *Provider) getKeyVaultObjectContent(ctx context.Context, kvClient *kv.BaseClient, kvObject KeyVaultObject, vaultURL string) (content, version string, err error) { +func (p *Provider) getKeyVaultObjectContent(ctx context.Context, kvClient *kv.BaseClient, kvObject types.KeyVaultObject, vaultURL string) (content, version string, err error) { start := time.Now() defer func() { var errMsg string @@ -349,11 +282,11 @@ func (p *Provider) getKeyVaultObjectContent(ctx context.Context, kvClient *kv.Ba }() switch kvObject.ObjectType { - case VaultObjectTypeSecret: + case types.VaultObjectTypeSecret: return getSecret(ctx, kvClient, vaultURL, kvObject) - case VaultObjectTypeKey: + case types.VaultObjectTypeKey: return getKey(ctx, kvClient, vaultURL, kvObject) - case VaultObjectTypeCertificate: + case types.VaultObjectTypeCertificate: return getCertificate(ctx, kvClient, vaultURL, kvObject) default: err := errors.Errorf("Invalid vaultObjectTypes. Should be secret, key, or cert") @@ -362,7 +295,7 @@ func (p *Provider) getKeyVaultObjectContent(ctx context.Context, kvClient *kv.Ba } // getSecret retrieves the secret from the vault -func getSecret(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject KeyVaultObject) (string, string, error) { +func getSecret(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject types.KeyVaultObject) (string, string, error) { secret, err := kvClient.GetSecret(ctx, vaultURL, kvObject.ObjectName, kvObject.ObjectVersion) if err != nil { return "", "", wrapObjectTypeError(err, kvObject.ObjectType, kvObject.ObjectName, kvObject.ObjectVersion) @@ -378,11 +311,11 @@ func getSecret(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kv // if the secret is part of a certificate, then we need to convert the certificate and key to PEM format if secret.Kid != nil && len(*secret.Kid) > 0 { switch *secret.ContentType { - case certTypePem: + case types.CertTypePem: return content, version, nil - case certTypePfx: + case types.CertTypePfx: // object format requested is pfx, then return the content as is - if strings.EqualFold(kvObject.ObjectFormat, objectFormatPFX) { + if strings.EqualFold(kvObject.ObjectFormat, types.ObjectFormatPFX) { return content, version, err } // convert to pem as that's the default object format for this provider @@ -400,7 +333,7 @@ func getSecret(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kv } // getKey retrieves the key from the vault -func getKey(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject KeyVaultObject) (string, string, error) { +func getKey(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject types.KeyVaultObject) (string, string, error) { keybundle, err := kvClient.GetKey(ctx, vaultURL, kvObject.ObjectName, kvObject.ObjectVersion) if err != nil { return "", "", wrapObjectTypeError(err, kvObject.ObjectType, kvObject.ObjectName, kvObject.ObjectVersion) @@ -479,7 +412,7 @@ func getKey(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObj } // getCertificate retrieves the certificate from the vault -func getCertificate(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject KeyVaultObject) (string, string, error) { +func getCertificate(ctx context.Context, kvClient *kv.BaseClient, vaultURL string, kvObject types.KeyVaultObject) (string, string, error) { // for object type "cert" the certificate is written to the file in PEM format certbundle, err := kvClient.GetCertificate(ctx, vaultURL, kvObject.ObjectName, kvObject.ObjectVersion) if err != nil { @@ -528,7 +461,7 @@ func decodePKCS12(value string) (content string, err error) { // -----END Type----- // Setting headers to nil to ensure no headers included in the encoded block block.Headers = make(map[string]string) - if block.Type == certificateType { + if block.Type == types.CertificateType { pemCertData = append(pemCertData, pem.EncodeToMemory(block)...) } else { key, err := parsePrivateKey(block.Bytes) @@ -604,12 +537,12 @@ func validateObjectFormat(objectFormat, objectType string) error { if len(objectFormat) == 0 { return nil } - if !strings.EqualFold(objectFormat, objectFormatPEM) && !strings.EqualFold(objectFormat, objectFormatPFX) { + if !strings.EqualFold(objectFormat, types.ObjectFormatPEM) && !strings.EqualFold(objectFormat, types.ObjectFormatPFX) { return fmt.Errorf("invalid objectFormat: %v, should be PEM or PFX", objectFormat) } // Azure Key Vault returns the base64 encoded binary content only for type secret // for types cert/key, the content is always in pem format - if objectFormat == objectFormatPFX && objectType != VaultObjectTypeSecret { + if objectFormat == types.ObjectFormatPFX && objectType != types.VaultObjectTypeSecret { return fmt.Errorf("PFX format only supported for objectType: secret") } return nil @@ -639,11 +572,11 @@ func validateObjectEncoding(objectEncoding, objectType string) error { } // ObjectEncoding is supported only for secret types - if objectType != VaultObjectTypeSecret { + if objectType != types.VaultObjectTypeSecret { return fmt.Errorf("objectEncoding only supported for objectType: secret") } - if !strings.EqualFold(objectEncoding, objectEncodingHex) && !strings.EqualFold(objectEncoding, objectEncodingBase64) && !strings.EqualFold(objectEncoding, objectEncodingUtf8) { + if !strings.EqualFold(objectEncoding, types.ObjectEncodingHex) && !strings.EqualFold(objectEncoding, types.ObjectEncodingBase64) && !strings.EqualFold(objectEncoding, types.ObjectEncodingUtf8) { return fmt.Errorf("invalid objectEncoding: %v, should be hex, base64 or utf-8", objectEncoding) } @@ -653,15 +586,15 @@ func validateObjectEncoding(objectEncoding, objectType string) error { // getContentBytes takes the given content string and returns the bytes to write to disk // If an encoding is specified it will decode the string first func getContentBytes(content, objectType, objectEncoding string) ([]byte, error) { - if !strings.EqualFold(objectType, VaultObjectTypeSecret) || len(objectEncoding) == 0 || strings.EqualFold(objectEncoding, objectEncodingUtf8) { + if !strings.EqualFold(objectType, types.VaultObjectTypeSecret) || len(objectEncoding) == 0 || strings.EqualFold(objectEncoding, types.ObjectEncodingUtf8) { return []byte(content), nil } - if strings.EqualFold(objectEncoding, objectEncodingBase64) { + if strings.EqualFold(objectEncoding, types.ObjectEncodingBase64) { return base64.StdEncoding.DecodeString(content) } - if strings.EqualFold(objectEncoding, objectEncodingHex) { + if strings.EqualFold(objectEncoding, types.ObjectEncodingHex) { return hex.DecodeString(content) } @@ -669,7 +602,7 @@ func getContentBytes(content, objectType, objectEncoding string) ([]byte, error) } // formatKeyVaultObject formats the fields in KeyVaultObject -func formatKeyVaultObject(object *KeyVaultObject) { +func formatKeyVaultObject(object *types.KeyVaultObject) { if object == nil { return } @@ -799,7 +732,7 @@ func fetchCertChains(data []byte) ([]byte, error) { for _, cert := range newCertChain { b := &pem.Block{ - Type: certificateType, + Type: types.CertificateType, Bytes: cert.Raw, } pemData = append(pemData, pem.EncodeToMemory(b)...) diff --git a/pkg/provider/provider_test.go b/pkg/provider/provider_test.go index fb62d59b8..b077bac13 100644 --- a/pkg/provider/provider_test.go +++ b/pkg/provider/provider_test.go @@ -20,6 +20,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/auth" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/version" ) @@ -429,19 +430,19 @@ func TestGetContentBytes(t *testing.T) { func TestFormatKeyVaultObject(t *testing.T) { cases := []struct { desc string - keyVaultObject KeyVaultObject - expectedKeyVaultObject KeyVaultObject + keyVaultObject types.KeyVaultObject + expectedKeyVaultObject types.KeyVaultObject }{ { desc: "leading and trailing whitespace trimmed from all fields", - keyVaultObject: KeyVaultObject{ + keyVaultObject: types.KeyVaultObject{ ObjectName: "secret1 ", ObjectVersion: "", ObjectEncoding: "base64 ", ObjectType: " secret", ObjectAlias: "", }, - expectedKeyVaultObject: KeyVaultObject{ + expectedKeyVaultObject: types.KeyVaultObject{ ObjectName: "secret1", ObjectVersion: "", ObjectEncoding: "base64", @@ -451,14 +452,14 @@ func TestFormatKeyVaultObject(t *testing.T) { }, { desc: "no data loss for already sanitized object", - keyVaultObject: KeyVaultObject{ + keyVaultObject: types.KeyVaultObject{ ObjectName: "secret1", ObjectVersion: "version1", ObjectEncoding: "base64", ObjectType: "secret", ObjectAlias: "alias", }, - expectedKeyVaultObject: KeyVaultObject{ + expectedKeyVaultObject: types.KeyVaultObject{ ObjectName: "secret1", ObjectVersion: "version1", ObjectEncoding: "base64", diff --git a/pkg/provider/types/parameters.go b/pkg/provider/types/parameters.go new file mode 100644 index 000000000..6ece41f9c --- /dev/null +++ b/pkg/provider/types/parameters.go @@ -0,0 +1,83 @@ +package types + +import ( + "strconv" + "strings" + + "gopkg.in/yaml.v2" +) + +// GetKeyVaultName returns the key vault name +func GetKeyVaultName(parameters map[string]string) string { + return strings.TrimSpace(parameters[KeyVaultNameParameter]) +} + +// GetCloudName returns the cloud name +func GetCloudName(parameters map[string]string) string { + return strings.TrimSpace(parameters[CloudNameParameter]) +} + +// GetUsePodIdentity returns if pod identity is enabled +func GetUsePodIdentity(parameters map[string]string) (bool, error) { + str := strings.TrimSpace(parameters[UsePodIdentityParameter]) + if str == "" { + return false, nil + } + return strconv.ParseBool(str) +} + +// GetUseVMManagedIdentity returns if VM managed identity is enabled +func GetUseVMManagedIdentity(parameters map[string]string) (bool, error) { + str := strings.TrimSpace(parameters[UseVMManagedIdentityParameter]) + if str == "" { + return false, nil + } + return strconv.ParseBool(str) +} + +// GetUserAssignedIdentityID returns the user assigned identity ID +func GetUserAssignedIdentityID(parameters map[string]string) string { + return strings.TrimSpace(parameters[UserAssignedIdentityIDParameter]) +} + +// GetTenantID returns the tenant ID +func GetTenantID(parameters map[string]string) string { + return strings.TrimSpace(parameters[TenantIDParameter]) +} + +// GetCloudEnvFileName returns the cloud env file name +func GetCloudEnvFileName(parameters map[string]string) string { + return strings.TrimSpace(parameters[CloudEnvFileNameParameter]) +} + +// GetPodName returns the pod name +func GetPodName(parameters map[string]string) string { + return strings.TrimSpace(parameters[CSIAttributePodName]) +} + +// GetPodNamespace returns the pod namespace +func GetPodNamespace(parameters map[string]string) string { + return strings.TrimSpace(parameters[CSIAttributePodNamespace]) +} + +// GetClientID returns the client ID +func GetClientID(parameters map[string]string) string { + return strings.TrimSpace(parameters[ClientIDParameter]) +} + +// GetServiceAccountTokens returns the service account tokens +func GetServiceAccountTokens(parameters map[string]string) string { + return strings.TrimSpace(parameters[CSIAttributeServiceAccountTokens]) +} + +// GetObjects returns the key vault objects +func GetObjects(parameters map[string]string) string { + return strings.TrimSpace(parameters[ObjectsParameter]) +} + +// GetObjectsArray returns the key vault objects array +func GetObjectsArray(objects string) (StringArray, error) { + var a StringArray + err := yaml.Unmarshal([]byte(objects), &a) + return a, err +} diff --git a/pkg/provider/types/parameters_test.go b/pkg/provider/types/parameters_test.go new file mode 100644 index 000000000..6e46eac16 --- /dev/null +++ b/pkg/provider/types/parameters_test.go @@ -0,0 +1,583 @@ +package types + +import ( + "reflect" + "testing" +) + +func TestGetKeyVaultName(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + KeyVaultNameParameter: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + KeyVaultNameParameter: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + KeyVaultNameParameter: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetKeyVaultName(test.parameters) + if actual != test.expected { + t.Errorf("GetKeyVaultName() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetCloudName(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + CloudNameParameter: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + CloudNameParameter: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + CloudNameParameter: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetCloudName(test.parameters) + if actual != test.expected { + t.Errorf("GetCloudName() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetUsePodIdentity(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected bool + }{ + { + name: "empty", + parameters: map[string]string{ + UsePodIdentityParameter: "", + }, + expected: false, + }, + { + name: "set to true", + parameters: map[string]string{ + UsePodIdentityParameter: "true", + }, + expected: true, + }, + { + name: "set to false", + parameters: map[string]string{ + UsePodIdentityParameter: "false", + }, + expected: false, + }, + { + name: "set to True", + parameters: map[string]string{ + UsePodIdentityParameter: "True", + }, + expected: true, + }, + { + name: "set to False", + parameters: map[string]string{ + UsePodIdentityParameter: "False", + }, + expected: false, + }, + { + name: "trim spaces", + parameters: map[string]string{ + UsePodIdentityParameter: " true ", + }, + expected: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual, err := GetUsePodIdentity(test.parameters) + if err != nil { + t.Errorf("GetUsePodIdentity() error = %v, expected nil", err) + } + if actual != test.expected { + t.Errorf("GetUsePodIdentity() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetUsePodIdentityError(t *testing.T) { + parameters := map[string]string{ + UsePodIdentityParameter: "test", + } + if _, err := GetUsePodIdentity(parameters); err == nil { + t.Errorf("GetUsePodIdentity() error = nil, expected error") + } +} + +func TestGetUseVMManagedIdentity(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected bool + }{ + { + name: "empty", + parameters: map[string]string{ + UseVMManagedIdentityParameter: "", + }, + expected: false, + }, + { + name: "set to true", + parameters: map[string]string{ + UseVMManagedIdentityParameter: "true", + }, + expected: true, + }, + { + name: "set to false", + parameters: map[string]string{ + UseVMManagedIdentityParameter: "false", + }, + expected: false, + }, + { + name: "set to True", + parameters: map[string]string{ + UseVMManagedIdentityParameter: "True", + }, + expected: true, + }, + { + name: "set to False", + parameters: map[string]string{ + UseVMManagedIdentityParameter: "False", + }, + expected: false, + }, + { + name: "trim spaces", + parameters: map[string]string{ + UseVMManagedIdentityParameter: " true ", + }, + expected: true, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual, err := GetUseVMManagedIdentity(test.parameters) + if err != nil { + t.Errorf("GetUseVMManagedIdentity() error = %v, expected nil", err) + } + if actual != test.expected { + t.Errorf("GetUseVMManagedIdentity() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetUseVMManagedIdentityError(t *testing.T) { + parameters := map[string]string{ + UseVMManagedIdentityParameter: "test", + } + if _, err := GetUseVMManagedIdentity(parameters); err == nil { + t.Errorf("GetUseVMManagedIdentity() error = nil, expected error") + } +} + +func TestGetUserAssignedIdentityID(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + UserAssignedIdentityIDParameter: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + UserAssignedIdentityIDParameter: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + UserAssignedIdentityIDParameter: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetUserAssignedIdentityID(test.parameters) + if actual != test.expected { + t.Errorf("GetUserAssignedIdentityID() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetTenantID(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + TenantIDParameter: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + TenantIDParameter: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + TenantIDParameter: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetTenantID(test.parameters) + if actual != test.expected { + t.Errorf("GetTenantID() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetCloudEnvFileName(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + CloudEnvFileNameParameter: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + CloudEnvFileNameParameter: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + CloudEnvFileNameParameter: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetCloudEnvFileName(test.parameters) + if actual != test.expected { + t.Errorf("GetCloudEnvFileName() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetPodName(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + CSIAttributePodName: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + CSIAttributePodName: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + CSIAttributePodName: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetPodName(test.parameters) + if actual != test.expected { + t.Errorf("GetPodName() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetPodNamespace(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + CSIAttributePodNamespace: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + CSIAttributePodNamespace: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + CSIAttributePodNamespace: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetPodNamespace(test.parameters) + if actual != test.expected { + t.Errorf("GetPodNamespace() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetClientID(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + "clientID": "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + "clientID": "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + "clientID": " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetClientID(test.parameters) + if actual != test.expected { + t.Errorf("GetClientID() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetServiceAccountTokens(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + CSIAttributeServiceAccountTokens: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + CSIAttributeServiceAccountTokens: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + CSIAttributeServiceAccountTokens: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetServiceAccountTokens(test.parameters) + if actual != test.expected { + t.Errorf("GetServiceAccountTokens() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetObjects(t *testing.T) { + tests := []struct { + name string + parameters map[string]string + expected string + }{ + { + name: "empty", + parameters: map[string]string{ + ObjectsParameter: "", + }, + expected: "", + }, + { + name: "not empty", + parameters: map[string]string{ + ObjectsParameter: "test", + }, + expected: "test", + }, + { + name: "trim spaces", + parameters: map[string]string{ + ObjectsParameter: " test ", + }, + expected: "test", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual := GetObjects(test.parameters) + if actual != test.expected { + t.Errorf("GetObjects() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetObjectsArray(t *testing.T) { + tests := []struct { + name string + objects string + expected StringArray + }{ + { + name: "empty", + objects: "", + expected: StringArray{}, + }, + { + name: "valid yaml", + objects: "array:\n- |\n filePermission: \"\"\n objectAlias: \"\"\n objectEncoding: \"\"\n objectFormat: \"\"\n objectName: secret1\n objectType: cert\n objectVersion: \"\"\n- |\n filePermission: \"\"\n objectAlias: \"\"\n objectEncoding: \"\"\n objectFormat: \"\"\n objectName: secret2\n objectType: cert\n objectVersion: \"\"\n", + expected: StringArray{ + Array: []string{ + "filePermission: \"\"\nobjectAlias: \"\"\nobjectEncoding: \"\"\nobjectFormat: \"\"\nobjectName: secret1\nobjectType: cert\nobjectVersion: \"\"\n", + "filePermission: \"\"\nobjectAlias: \"\"\nobjectEncoding: \"\"\nobjectFormat: \"\"\nobjectName: secret2\nobjectType: cert\nobjectVersion: \"\"\n", + }, + }, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + actual, err := GetObjectsArray(test.objects) + if err != nil { + t.Errorf("GetObjectsArray() error = %v", err) + } + if !reflect.DeepEqual(actual, test.expected) { + t.Errorf("GetObjectsArray() = %v, expected %v", actual, test.expected) + } + }) + } +} + +func TestGetObjectsArrayError(t *testing.T) { + objects := "invalid" + if _, err := GetObjectsArray(objects); err == nil { + t.Errorf("GetObjectsArray() error is nil, expected error") + } +} diff --git a/pkg/provider/types/types.go b/pkg/provider/types/types.go new file mode 100644 index 000000000..f37bb5e47 --- /dev/null +++ b/pkg/provider/types/types.go @@ -0,0 +1,84 @@ +package types + +const ( + // VaultObjectTypeSecret secret vault object type + VaultObjectTypeSecret = "secret" + // VaultObjectTypeKey key vault object type + VaultObjectTypeKey = "key" + // VaultObjectTypeCertificate certificate vault object type + VaultObjectTypeCertificate = "cert" + + CertTypePem = "application/x-pem-file" + CertTypePfx = "application/x-pkcs12" + + CertificateType = "CERTIFICATE" + + ObjectFormatPEM = "pem" + ObjectFormatPFX = "pfx" + + ObjectEncodingHex = "hex" + ObjectEncodingBase64 = "base64" + ObjectEncodingUtf8 = "utf-8" + + // pod identity NMI port + PodIdentityNMIPort = "2579" + + CSIAttributePodName = "csi.storage.k8s.io/pod.name" + CSIAttributePodNamespace = "csi.storage.k8s.io/pod.namespace" + CSIAttributeServiceAccountTokens = "csi.storage.k8s.io/serviceAccount.tokens" // nolint + + // KeyVaultNameParameter is the name of the key vault name parameter + KeyVaultNameParameter = "keyvaultName" + // CloudNameParameter is the name of the cloud name parameter + CloudNameParameter = "cloudName" + // UsePodIdentityParameter is the name of the use pod identity parameter + UsePodIdentityParameter = "usePodIdentity" + // UseVMManagedIdentityParameter is the name of the use VM managed identity parameter + UseVMManagedIdentityParameter = "useVMManagedIdentity" + // UserAssignedIdentityIDParameter is the name of the user assigned identity ID parameter + UserAssignedIdentityIDParameter = "userAssignedIdentityID" + // TenantIDParameter is the name of the tenant ID parameter + TenantIDParameter = "tenantId" + // CloudEnvFileNameParameter is the name of the cloud env file name parameter + CloudEnvFileNameParameter = "cloudEnvFileName" + // ClientIDParameter is the name of the client ID parameter + // This clientID is used for workload identity + ClientIDParameter = "clientID" + // ObjectsParameter is the name of the objects parameter + ObjectsParameter = "objects" +) + +// KeyVaultObject holds keyvault object related config +type KeyVaultObject struct { + // the name of the Azure Key Vault objects + ObjectName string `json:"objectName" yaml:"objectName"` + // the filename the object will be written to + ObjectAlias string `json:"objectAlias" yaml:"objectAlias"` + // the version of the Azure Key Vault objects + ObjectVersion string `json:"objectVersion" yaml:"objectVersion"` + // the type of the Azure Key Vault objects + ObjectType string `json:"objectType" yaml:"objectType"` + // the format of the Azure Key Vault objects + // supported formats are PEM, PFX + ObjectFormat string `json:"objectFormat" yaml:"objectFormat"` + // The encoding of the object in KeyVault + // Supported encodings are Base64, Hex, Utf-8 + ObjectEncoding string `json:"objectEncoding" yaml:"objectEncoding"` + // FilePermission is the file permissions + FilePermission string `json:"filePermission" yaml:"filePermission"` +} + +// SecretFile holds content and metadata of a secret file that is sent +// back to the driver +type SecretFile struct { + Content []byte + Path string + FileMode int32 + UID string + Version string +} + +// StringArray holds a list of strings +type StringArray struct { + Array []string `json:"array" yaml:"array"` +} diff --git a/test/e2e/auto_rotation_test.go b/test/e2e/auto_rotation_test.go index f18e2413e..8401920d7 100644 --- a/test/e2e/auto_rotation_test.go +++ b/test/e2e/auto_rotation_test.go @@ -10,7 +10,7 @@ import ( "strings" "time" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/helm" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" @@ -76,14 +76,14 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() Expect(err).To(BeNil()) }() - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: secretName, - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -114,11 +114,11 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() }, }, Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), - "usePodIdentity": "false", - "useVMManagedIdentity": "false", + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), + types.UsePodIdentityParameter: "false", + types.UseVMManagedIdentityParameter: "false", }, }, }) @@ -195,14 +195,14 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() Expect(err).To(BeNil()) }() - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: secretName, - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -233,12 +233,12 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() }, }, Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), - "usePodIdentity": "false", - "useVMManagedIdentity": "true", - "userAssignedIdentityID": config.UserAssignedIdentityID, + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), + types.UsePodIdentityParameter: "false", + types.UseVMManagedIdentityParameter: "true", + types.UserAssignedIdentityIDParameter: config.UserAssignedIdentityID, }, }, }) @@ -317,14 +317,14 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() Expect(err).To(BeNil()) }() - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: secretName, - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -355,11 +355,11 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() }, }, Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), - "usePodIdentity": "true", - "useVMManagedIdentity": "false", + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), + types.UsePodIdentityParameter: "true", + types.UseVMManagedIdentityParameter: "false", }, }, }) diff --git a/test/e2e/certificates_test.go b/test/e2e/certificates_test.go index fecf7e8d5..6c88fd91c 100644 --- a/test/e2e/certificates_test.go +++ b/test/e2e/certificates_test.go @@ -7,7 +7,7 @@ import ( "encoding/base64" "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/certificates" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" @@ -46,64 +46,64 @@ var _ = Describe("When fetching certificates and private key from Key Vault", fu Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "pemcert1", - ObjectType: provider.VaultObjectTypeCertificate, + ObjectType: types.VaultObjectTypeCertificate, }, { ObjectName: "pkcs12cert1", - ObjectType: provider.VaultObjectTypeCertificate, + ObjectType: types.VaultObjectTypeCertificate, }, { ObjectName: "ecccert1", - ObjectType: provider.VaultObjectTypeCertificate, + ObjectType: types.VaultObjectTypeCertificate, }, { ObjectName: "pemcert1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, ObjectAlias: "pemcert1-pub-key", }, { ObjectName: "pkcs12cert1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, ObjectAlias: "pkcs12cert1-pub-key", }, { ObjectName: "ecccert1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, ObjectAlias: "ecccert1-pub-key", }, { ObjectName: "pemcert1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "pemcert1-secret", }, { ObjectName: "pkcs12cert1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "pkcs12cert1-secret", }, { ObjectName: "ecccert1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "ecccert1-secret", }, { ObjectName: "pkcs12cert1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "pkcs12cert1-secret-pfx", ObjectFormat: "pfx", }, { ObjectName: "ecccert1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "ecccert1-secret-pfx", ObjectFormat: "pfx", }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -121,9 +121,9 @@ var _ = Describe("When fetching certificates and private key from Key Vault", fu Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), }, }, }) diff --git a/test/e2e/custom_cloudenv_test.go b/test/e2e/custom_cloudenv_test.go index 633476090..f537aa52c 100644 --- a/test/e2e/custom_cloudenv_test.go +++ b/test/e2e/custom_cloudenv_test.go @@ -6,7 +6,7 @@ package e2e import ( "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" @@ -43,19 +43,19 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets for custom Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "SECRET_1", }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -73,11 +73,11 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets for custom Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "cloudName": "AzureStackCloud", - "cloudEnvFileName": config.AzureEnvironmentFilePath, - "objects": string(objects), + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.CloudNameParameter: "AzureStackCloud", + types.CloudEnvFileNameParameter: config.AzureEnvironmentFilePath, + types.ObjectsParameter: string(objects), }, }, }) diff --git a/test/e2e/key_test.go b/test/e2e/key_test.go index 69041b1e6..509868af9 100644 --- a/test/e2e/key_test.go +++ b/test/e2e/key_test.go @@ -6,20 +6,18 @@ package e2e import ( "strings" - "github.com/ghodss/yaml" - - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secret" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secretproviderclass" + "github.com/ghodss/yaml" . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" corev1 "k8s.io/api/core/v1" "sigs.k8s.io/secrets-store-csi-driver/apis/v1alpha1" - - . "github.com/onsi/gomega" ) var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { @@ -45,19 +43,19 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "key1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, }, { ObjectName: "key1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, ObjectAlias: "KEY_1", }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -75,9 +73,9 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), }, }, }) @@ -146,14 +144,14 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { } // update the secretproviderclass to reference rsa-hsm keys - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "rsahsmkey1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -163,7 +161,7 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { objects, err := yaml.Marshal(yamlArray) Expect(err).To(BeNil()) - spc.Spec.Parameters["objects"] = string(objects) + spc.Spec.Parameters[types.ObjectsParameter] = string(objects) spc = secretproviderclass.Update(secretproviderclass.UpdateInput{ Updater: kubeClient, SecretProviderClass: spc, @@ -200,14 +198,14 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { } // update the secretproviderclass to reference rsa-hsm keys - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "echsmkey1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -217,7 +215,7 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { objects, err := yaml.Marshal(yamlArray) Expect(err).To(BeNil()) - spc.Spec.Parameters["objects"] = string(objects) + spc.Spec.Parameters[types.ObjectsParameter] = string(objects) spc = secretproviderclass.Update(secretproviderclass.UpdateInput{ Updater: kubeClient, SecretProviderClass: spc, diff --git a/test/e2e/pod_identity_test.go b/test/e2e/pod_identity_test.go index f7ddc1fc0..ca05e1897 100644 --- a/test/e2e/pod_identity_test.go +++ b/test/e2e/pod_identity_test.go @@ -8,7 +8,7 @@ import ( "os" "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/helm" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" @@ -59,18 +59,18 @@ var _ = Describe("CSI inline volume test with aad-pod-identity", func() { Name: specName, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, { ObjectName: "key1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -88,11 +88,11 @@ var _ = Describe("CSI inline volume test with aad-pod-identity", func() { Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), - "usePodIdentity": "true", - "useVMManagedIdentity": "false", + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), + types.UsePodIdentityParameter: "true", + types.UseVMManagedIdentityParameter: "false", }, }, }) diff --git a/test/e2e/secret_file_permission_test.go b/test/e2e/secret_file_permission_test.go index b1f582943..3360eabf0 100644 --- a/test/e2e/secret_file_permission_test.go +++ b/test/e2e/secret_file_permission_test.go @@ -7,7 +7,7 @@ import ( "fmt" "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" @@ -45,15 +45,15 @@ var _ = Describe("When user provides file permission for secrets", func() { Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, FilePermission: fmt.Sprintf("0%s", expectedFilePermission), }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -71,9 +71,9 @@ var _ = Describe("When user provides file permission for secrets", func() { Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), }, }, }) diff --git a/test/e2e/secret_test.go b/test/e2e/secret_test.go index fa30f554f..586aa4ed7 100644 --- a/test/e2e/secret_test.go +++ b/test/e2e/secret_test.go @@ -6,7 +6,7 @@ package e2e import ( "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" @@ -45,23 +45,23 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets", func() { Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, ObjectAlias: "SECRET_1", }, { ObjectName: "pemcert1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -79,9 +79,9 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets", func() { Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), }, SecretObjects: []*v1alpha1.SecretObject{ { diff --git a/test/e2e/user_assigned_identity_test.go b/test/e2e/user_assigned_identity_test.go index 57a8d78fb..faf5cb07d 100644 --- a/test/e2e/user_assigned_identity_test.go +++ b/test/e2e/user_assigned_identity_test.go @@ -6,7 +6,7 @@ package e2e import ( "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" @@ -33,18 +33,18 @@ var _ = Describe("CSI inline volume test with user assigned identity", func() { Name: specName, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, { ObjectName: "key1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -62,11 +62,11 @@ var _ = Describe("CSI inline volume test with user assigned identity", func() { Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), - "useVMManagedIdentity": "true", - "userAssignedIdentityID": config.UserAssignedIdentityID, + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), + types.UseVMManagedIdentityParameter: "true", + types.UserAssignedIdentityIDParameter: config.UserAssignedIdentityID, }, }, }) diff --git a/test/e2e/workload_identity_test.go b/test/e2e/workload_identity_test.go index 7c046336b..96b986588 100644 --- a/test/e2e/workload_identity_test.go +++ b/test/e2e/workload_identity_test.go @@ -6,7 +6,7 @@ package e2e import ( "strings" - "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider/types" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" @@ -38,18 +38,18 @@ var _ = Describe("CSI inline volume test with workload identity", func() { Name: specName, }) - keyVaultObjects := []provider.KeyVaultObject{ + keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", - ObjectType: provider.VaultObjectTypeSecret, + ObjectType: types.VaultObjectTypeSecret, }, { ObjectName: "key1", - ObjectType: provider.VaultObjectTypeKey, + ObjectType: types.VaultObjectTypeKey, }, } - yamlArray := provider.StringArray{Array: []string{}} + yamlArray := types.StringArray{Array: []string{}} for _, object := range keyVaultObjects { obj, err := yaml.Marshal(object) Expect(err).To(BeNil()) @@ -67,12 +67,12 @@ var _ = Describe("CSI inline volume test with workload identity", func() { Spec: v1alpha1.SecretProviderClassSpec{ Provider: "azure", Parameters: map[string]string{ - "keyvaultName": config.KeyvaultName, - "tenantId": config.TenantID, - "objects": string(objects), - "usePodIdentity": "false", - "useVMManagedIdentity": "false", - "clientID": config.AzureClientID, + types.KeyVaultNameParameter: config.KeyvaultName, + types.TenantIDParameter: config.TenantID, + types.ObjectsParameter: string(objects), + types.UsePodIdentityParameter: "false", + types.UseVMManagedIdentityParameter: "false", + types.ClientIDParameter: config.AzureClientID, }, }, })