177 lines
5.6 KiB
Go
177 lines
5.6 KiB
Go
/*
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package secrets
|
|
|
|
// This file tests use of the secrets API resource.
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"encoding/json"
|
|
|
|
v1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
clientset "k8s.io/client-go/kubernetes"
|
|
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
|
"k8s.io/kubernetes/test/integration"
|
|
"k8s.io/kubernetes/test/integration/framework"
|
|
)
|
|
|
|
func deleteSecretOrErrorf(t *testing.T, c clientset.Interface, ns, name string) {
|
|
if err := c.CoreV1().Secrets(ns).Delete(context.TODO(), name, metav1.DeleteOptions{}); err != nil {
|
|
t.Errorf("unable to delete secret %v: %v", name, err)
|
|
}
|
|
}
|
|
|
|
// TestSecrets tests apiserver-side behavior of creation of secret objects and their use by pods.
|
|
func TestSecrets(t *testing.T) {
|
|
// Disable ServiceAccount admission plugin as we don't have serviceaccount controller running.
|
|
server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--disable-admission-plugins=ServiceAccount"}, framework.SharedEtcd())
|
|
defer server.TearDownFn()
|
|
|
|
client := clientset.NewForConfigOrDie(server.ClientConfig)
|
|
|
|
ns := framework.CreateNamespaceOrDie(client, "secret", t)
|
|
defer framework.DeleteNamespaceOrDie(client, ns, t)
|
|
|
|
DoTestSecrets(t, client, ns)
|
|
DoTestSecretsImmutableWithEmptyValue(t, client, ns)
|
|
}
|
|
|
|
// DoTestSecretsImmutableWithEmptyValue Test whether apiserver will judge the secret data inconsistency
|
|
// if the value of map in secret data is the empty string when patch secret,
|
|
// and if the Immutable value of secret is true, the patch request is rejected.
|
|
func DoTestSecretsImmutableWithEmptyValue(t *testing.T, client clientset.Interface, ns *v1.Namespace) {
|
|
// Make a secret object. Make a secret object. the map in the secret data contains the value of the empty string
|
|
// make Immutable true, so that if the apiserver judge that the patch secret is inconsistent, it will refuse the patch
|
|
trueVal := true
|
|
s := v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "secret",
|
|
Namespace: ns.Name,
|
|
},
|
|
Immutable: &trueVal,
|
|
Data: map[string][]byte{
|
|
"emptyData": {},
|
|
},
|
|
}
|
|
|
|
if _, err := client.CoreV1().Secrets(s.Namespace).Create(context.TODO(), &s, metav1.CreateOptions{}); err != nil {
|
|
t.Errorf("unable to create test secret: %v", err)
|
|
}
|
|
defer deleteSecretOrErrorf(t, client, s.Namespace, s.Name)
|
|
|
|
// Make a patch secret object
|
|
patchSecret := v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "secret",
|
|
Namespace: ns.Name,
|
|
Labels: map[string]string{
|
|
"foo": "bar",
|
|
},
|
|
},
|
|
Immutable: &trueVal,
|
|
Data: map[string][]byte{
|
|
"emptyData": {},
|
|
},
|
|
}
|
|
|
|
secretPatch, err := json.Marshal(patchSecret)
|
|
if err != nil {
|
|
t.Errorf("unable to marshal test secret: %v", err)
|
|
}
|
|
|
|
// Patch secret object, expect patch to succeed,
|
|
// more detailed discussion is at #119229
|
|
if _, err := client.CoreV1().Secrets(s.Namespace).Patch(context.TODO(), patchSecret.Name, types.StrategicMergePatchType, secretPatch, metav1.PatchOptions{}); err != nil {
|
|
t.Errorf("unable to patch test secret: %v", err)
|
|
}
|
|
}
|
|
|
|
// DoTestSecrets test secrets for one api version.
|
|
func DoTestSecrets(t *testing.T, client clientset.Interface, ns *v1.Namespace) {
|
|
// Make a secret object.
|
|
s := v1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "secret",
|
|
Namespace: ns.Name,
|
|
},
|
|
Data: map[string][]byte{
|
|
"data": []byte("value1\n"),
|
|
},
|
|
}
|
|
|
|
if _, err := client.CoreV1().Secrets(s.Namespace).Create(context.TODO(), &s, metav1.CreateOptions{}); err != nil {
|
|
t.Errorf("unable to create test secret: %v", err)
|
|
}
|
|
defer deleteSecretOrErrorf(t, client, s.Namespace, s.Name)
|
|
|
|
// Template for pods that use a secret.
|
|
pod := &v1.Pod{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "XXX",
|
|
Namespace: ns.Name,
|
|
},
|
|
Spec: v1.PodSpec{
|
|
Volumes: []v1.Volume{
|
|
{
|
|
Name: "secvol",
|
|
VolumeSource: v1.VolumeSource{
|
|
Secret: &v1.SecretVolumeSource{
|
|
SecretName: "secret",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Containers: []v1.Container{
|
|
{
|
|
Name: "fake-name",
|
|
Image: "fakeimage",
|
|
VolumeMounts: []v1.VolumeMount{
|
|
{
|
|
Name: "secvol",
|
|
MountPath: "/fake/path",
|
|
ReadOnly: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
// Create a pod to consume secret.
|
|
pod.ObjectMeta.Name = "uses-secret"
|
|
if _, err := client.CoreV1().Pods(ns.Name).Create(context.TODO(), pod, metav1.CreateOptions{}); err != nil {
|
|
t.Errorf("Failed to create pod: %v", err)
|
|
}
|
|
defer integration.DeletePodOrErrorf(t, client, ns.Name, pod.Name)
|
|
|
|
// Create a pod that consumes non-existent secret.
|
|
pod.ObjectMeta.Name = "uses-non-existent-secret"
|
|
if _, err := client.CoreV1().Pods(ns.Name).Create(context.TODO(), pod, metav1.CreateOptions{}); err != nil {
|
|
t.Errorf("Failed to create pod: %v", err)
|
|
}
|
|
defer integration.DeletePodOrErrorf(t, client, ns.Name, pod.Name)
|
|
// This pod may fail to run, but we don't currently prevent this, and this
|
|
// test can't check whether the kubelet actually pulls the secret.
|
|
|
|
// Verifying contents of the volumes is out of scope for a
|
|
// apiserver<->kubelet integration test. It is covered by an e2e test.
|
|
}
|