keptn · RealAnna · Oct 13, 2021 · Oct 12, 2021 · Oct 12, 2021 · Oct 12, 2021
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-
 	"github.com/keptn/keptn/secret-service/pkg/common"
 	"github.com/keptn/keptn/secret-service/pkg/model"
 	"github.com/keptn/keptn/secret-service/pkg/repository"
@@ -15,13 +14,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	"strings"
 )
 
 const SecretBackendTypeK8s = "kubernetes"
 const SecretServiceName = "keptn-secret-service"
 
 var ErrSecretAlreadyExists = errors.New("secret already exists")
 var ErrSecretNotFound = errors.New("secret not found")
+var ErrTooBigKeySize = errors.New("name and key values must be no more than 253 characters")
 
 type K8sSecretBackend struct {
 	KubeAPI                kubernetes.Interface
@@ -59,6 +60,9 @@ func (k K8sSecretBackend) CreateSecret(secret model.Secret) error {
 	_, err = k.KubeAPI.CoreV1().Secrets(namespace).Create(context.TODO(), k.createK8sSecretObj(secret, namespace), metav1.CreateOptions{})
 	if err != nil {
 		log.Errorf("Unable to create secret %s with scope %s: %s", secret.Name, secret.Scope, err)
+		if statusError, isStatus := err.(*k8serr.StatusError); isStatus && statusError.Status().Reason == metav1.StatusReasonInvalid && strings.Contains(statusError.Status().Message, "must be no more than 253 characters") {
+			return ErrTooBigKeySize
+		}
 		if statusError, isStatus := err.(*k8serr.StatusError); isStatus && statusError.Status().Reason == metav1.StatusReasonAlreadyExists {
 			return ErrSecretAlreadyExists
 		}

@@ -11,8 +11,11 @@ import (
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	k8serr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
 	k8stesting "k8s.io/client-go/testing"
 	"testing"
@@ -84,6 +87,30 @@ func TestCreateSecrets(t *testing.T) {
 	assert.Equal(t, []string{"my-secret", "my-secret-2"}, k8sRole2.Rules[0].ResourceNames)
 }
 
+func TestCreateSecrets_TooLongName(t *testing.T) {
+	kubernetes := k8sfake.NewSimpleClientset()
+	scopesRepository := &fake.ScopesRepositoryMock{}
+	scopesRepository.ReadFunc = func() (model.Scopes, error) { return createTestScopes(), nil }
+
+	backend := K8sSecretBackend{
+		KubeAPI:                kubernetes,
+		KeptnNamespaceProvider: FakeNamespaceProvider(),
+		ScopesRepository:       scopesRepository,
+	}
+
+	secret := createTestSecret("my-verylongname", "my-scope")
+	kubernetes.Fake.PrependReactor("create", "secrets", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+
+		var errs = field.ErrorList{field.Invalid(nil, nil, " must be no more than 253 characters")}
+		return true, nil, k8serr.NewInvalid(schema.GroupKind{}, "secret", errs)
+	})
+
+	err := backend.CreateSecret(secret)
+
+	assert.NotNil(t, err)
+	assert.Equal(t, ErrTooBigKeySize, err)
+}
+
 func TestCreateSecret_FetchingScopesFails(t *testing.T) {
 	kubernetes := k8sfake.NewSimpleClientset()
 	scopesRepository := &fake.ScopesRepositoryMock{}

@@ -7,6 +7,8 @@ import (
 	"net/http"
 )
 
+var ErrCreation = "Unable to create secret"
+
 type ISecretHandler interface {
 	CreateSecret(c *gin.Context)
 	UpdateSecret(c *gin.Context)
@@ -37,7 +39,6 @@ type SecretHandler struct {
 // @Failure 500 {object} model.Error
 // @Router /secret [post]
 func (s SecretHandler) CreateSecret(c *gin.Context) {
-
 	secret := model.Secret{}
 	if err := c.ShouldBindJSON(&secret); err != nil {
 		SetBadRequestErrorResponse(err, c, "Invalid request format")
@@ -51,10 +52,14 @@ func (s SecretHandler) CreateSecret(c *gin.Context) {
 	err := s.SecretBackend.CreateSecret(secret)
 	if err != nil {
 		if err == backend.ErrSecretAlreadyExists {
-			SetConflictErrorResponse(err, c, "Unable to create secret")
+			SetConflictErrorResponse(err, c, ErrCreation)
+			return
+		}
+		if err == backend.ErrTooBigKeySize {
+			SetBadRequestErrorResponse(err, c, ErrCreation)
 			return
 		}
-		SetInternalServerErrorResponse(err, c, "Unable to create secret")
+		SetInternalServerErrorResponse(err, c, ErrCreation)
 		return
 	}
 

@@ -73,6 +73,16 @@ func TestHandler_CreateSecret(t *testing.T) {
 			request:            httptest.NewRequest("POST", "/secret", bytes.NewBuffer([]byte(`{"name":"my-secret","scope":"my-scope","data":{"username":"keptn"}}`))),
 			expectedHTTPStatus: http.StatusInternalServerError,
 		},
+		{
+			name: "POST Create Secret - too long name",
+			fields: fields{
+				Backend: &fake.SecretBackendMock{
+					CreateSecretFunc: func(secret model.Secret) error { return backend.ErrTooBigKeySize },
+				},
+			},
+			request:            httptest.NewRequest("POST", "/secret", bytes.NewBuffer([]byte(`{"verylongname":"my-secret","scope":"my-scope","data":{"username":"keptn"}}`))),
+			expectedHTTPStatus: http.StatusBadRequest,
+		},
 		{
 			name: "POST Create Secret - Input INVALID",
 			fields: fields{