feat: add e2e test for naming conventions enforcement (external-secre…

…ts#412) Co-authored-by: Nabil BENDAFI <[email protected]>
umlublin · Jun 22, 2020 · bfb5ed2 · bfb5ed2
1 parent bc59f08
commit bfb5ed2
Showing 1 changed file with 110 additions and 43 deletions.
diff --git a/e2e/tests/secrets-manager.test.js b/e2e/tests/secrets-manager.test.js
@@ -142,65 +142,132 @@ describe('secretsmanager', async () => {
  body: {
  metadata: {
  annotations: {
- 'iam.amazonaws.com/permitted': '.*'
+ 'iam.amazonaws.com/permitted': '.*',
+ 'externalsecrets.kubernetes-client.io/permitted-key-name': '.*'
  }
  }
  }
  })
  })
 
- it('should not pull from secretsmanager', async () => {
- let result = await createSecret({
- Name: `e2e/${uuid}/tls/permitted`,
- SecretString: '{"crt":"foo","key":"bar"}'
- }).catch(err => {
- expect(err).to.equal(null)
+ describe('assuming role', async () => {
+ it('should not pull from secretsmanager', async () => {
+ let result = await createSecret({
+ Name: `e2e/${uuid}/tls/permitted`,
+ SecretString: '{"crt":"foo","key":"bar"}'
+ }).catch(err => {
+ expect(err).to.equal(null)
+ })
+
+ result = await kubeClient
+ .apis[customResourceManifest.spec.group]
+ .v1.namespaces('default')[customResourceManifest.spec.names.plural]
+ .post({
+ body: {
+ apiVersion: 'kubernetes-client.io/v1',
+ kind: 'ExternalSecret',
+ metadata: {
+ name: `e2e-secretmanager-permitted-tls-${uuid}`
+ },
+ spec: {
+ backendType: 'secretsManager',
+ type: 'kubernetes.io/tls',
+ // this should not be allowed
+ roleArn: 'let-me-be-root',
+ data: [
+ {
+ key: `e2e/${uuid}/tls/permitted`,
+ property: 'crt',
+ name: 'tls.crt'
+ },
+ {
+ key: `e2e/${uuid}/tls/permitted`,
+ property: 'key',
+ name: 'tls.key'
+ }
+ ]
+ }
+ }
+ })
+
+ expect(result).to.not.equal(undefined)
+ expect(result.statusCode).to.equal(201)
+
+ const secret = await waitForSecret('default', `e2e-secretmanager-permitted-tls-${uuid}`)
+ expect(secret).to.equal(undefined)
+
+ result = await kubeClient
+ .apis[customResourceManifest.spec.group]
+ .v1.namespaces('default')
+ .externalsecrets(`e2e-secretmanager-permitted-tls-${uuid}`)
+ .get()
+ expect(result).to.not.equal(undefined)
+ expect(result.body.status.status).to.contain('namespace does not allow to assume role let-me-be-root')
  })
+ })
 
- result = await kubeClient
- .apis[customResourceManifest.spec.group]
- .v1.namespaces('default')[customResourceManifest.spec.names.plural]
- .post({
+ describe('enforcing naming convention', async () => {
+ it('should not pull from secretsmanager', async () => {
+ await kubeClient.api.v1.namespaces('default').patch({
  body: {
- apiVersion: 'kubernetes-client.io/v1',
- kind: 'ExternalSecret',
  metadata: {
- name: `e2e-secretmanager-permitted-tls-${uuid}`
- },
- spec: {
- backendType: 'secretsManager',
- type: 'kubernetes.io/tls',
- // this should not be allowed
- roleArn: 'let-me-be-root',
- data: [
- {
- key: `e2e/${uuid}/tls/permitted`,
- property: 'crt',
- name: 'tls.crt'
- },
- {
- key: `e2e/${uuid}/tls/permitted`,
- property: 'key',
- name: 'tls.key'
- }
- ]
+ annotations: {
+ 'iam.amazonaws.com/permitted': '.*',
+ 'externalsecrets.kubernetes-client.io/permitted-key-name': '/permitted/path/.*'
+ }
  }
  }
  })
 
- expect(result).to.not.equal(undefined)
- expect(result.statusCode).to.equal(201)
+ let result = await createSecret({
+ Name: `e2e/${uuid}/another_credentials`,
+ SecretString: '{"username":"foo","password":"bar"}'
+ }).catch(err => {
+ expect(err).to.equal(null)
+ })
+
+ result = await kubeClient
+ .apis[customResourceManifest.spec.group]
+ .v1.namespaces('default')[customResourceManifest.spec.names.plural]
+ .post({
+ body: {
+ apiVersion: 'kubernetes-client.io/v1',
+ kind: 'ExternalSecret',
+ metadata: {
+ name: `e2e-secretmanager-permitted-key-${uuid}`
+ },
+ spec: {
+ backendType: 'secretsManager',
+ data: [
+ {
+ key: `e2e/${uuid}/another_credentials`,
+ property: 'password',
+ name: 'password'
+ },
+ {
+ key: `e2e/${uuid}/another_credentials`,
+ property: 'username',
+ name: 'username'
+ }
+ ]
+ }
+ }
+ })
+
+ expect(result).to.not.equal(undefined)
+ expect(result.statusCode).to.equal(201)
 
- const secret = await waitForSecret('default', `e2e-secretmanager-permitted-tls-${uuid}`)
- expect(secret).to.equal(undefined)
+  const secret = await waitForSecret('default', `e2e-secretmanager-permitted-key-${uuid}`)
+  expect(secret).to.equal(undefined)
 
- result = await kubeClient
- .apis[customResourceManifest.spec.group]
- .v1.namespaces('default')
- .externalsecrets(`e2e-secretmanager-permitted-tls-${uuid}`)
- .get()
- expect(result).to.not.equal(undefined)
- expect(result.body.status.status).to.contain('namespace does not allow to assume role let-me-be-root')
+ result = await kubeClient
+ .apis[customResourceManifest.spec.group]
+ .v1.namespaces('default')
+ .externalsecrets(`e2e-secretmanager-permitted-key-${uuid}`)
+ .get()
+ expect(result).to.not.equal(undefined)
+ expect(result.body.status.status).to.contain(`key name e2e/${uuid}/another_credentials does not match naming convention /permitted/path/.*`)
+ })
  })
  })
 })