From 182a1bff26eba74af7792803490b073ebf4eb1fe Mon Sep 17 00:00:00 2001
From: Devin Christensen
Date: Sat, 3 Aug 2024 09:55:14 -0600
Subject: [PATCH] add e2e test for docker auth with _json_key

Signed-off-by: Devin Christensen
---
 e2e/deploy/vault/vault.yaml | 5 +++
 e2e/test/secret-docker-json-key.yaml | 20 +++++++++++
 e2e/webhook_test.go | 50 +++++++++++++++++++++++++++-
 3 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 e2e/test/secret-docker-json-key.yaml

diff --git a/e2e/deploy/vault/vault.yaml b/e2e/deploy/vault/vault.yaml
index 972b028..ea1164f 100644
--- a/e2e/deploy/vault/vault.yaml
+++ b/e2e/deploy/vault/vault.yaml
@@ -146,6 +146,11 @@ spec:
 data:
 DOCKER_REPO_USER: dockerrepouser
 DOCKER_REPO_PASSWORD: dockerrepopassword
+ DOCKER_REPO_JSON_KEY: |
+ _json_key: {
+ "type": "service_account",
+ "project_id": "test"
+ }
 - type: kv
 path: secret/data/mysql
 data:
diff --git a/e2e/test/secret-docker-json-key.yaml b/e2e/test/secret-docker-json-key.yaml
new file mode 100644
index 0000000..48169da
--- /dev/null
+++ b/e2e/test/secret-docker-json-key.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: test-secret-docker-json-key
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
+ vault.security.banzaicloud.io/vault-role: "default"
+ vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+ # vault.security.banzaicloud.io/vault-skip-verify: "true"
+ vault.security.banzaicloud.io/vault-path: "kubernetes"
+type: kubernetes.io/dockerconfigjson
+stringData:
+ .dockerconfigjson: |
+ {
+ "auths": {
+ "https://index.docker.io/v1/": {
+ "auth": "dmF1bHQ6c2VjcmV0L2RhdGEvZG9ja2VycmVwbyNET0NLRVJfUkVQT19KU09OX0tFWQ=="
+ }
+ }
+ }
diff --git a/e2e/webhook_test.go b/e2e/webhook_test.go
index 4a0389f..c53c6a5 100644
--- a/e2e/webhook_test.go
+++ b/e2e/webhook_test.go
@@ -80,14 +80,62 @@ func TestSecretValueInjection(t *testing.T) {
 err = json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerconfigjson)
 require.NoError(t, err)
+ dockerrepoauth := base64.StdEncoding.EncodeToString([]byte("dockerrepouser:dockerrepopassword"))
 assert.Equal(t, "dockerrepouser", dockerconfigjson.Auths.V1.Username)
 assert.Equal(t, "dockerrepopassword", dockerconfigjson.Auths.V1.Password)
+ assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.V1.Auth)
 assert.Equal(t, "Inline: secretId AWS_ACCESS_KEY_ID", string(secret.Data["inline"]))
 return ctx
 }).
 Feature()
+ secretDockerJsonKey := applyResource(features.New("secret-docker-json-key"), "secret-docker-json-key.yaml").
+ Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+ secrets := &v1.SecretList{
+ Items: []v1.Secret{
+ {
+ ObjectMeta: metav1.ObjectMeta{Name: "test-secret-docker-json-key", Namespace: cfg.Namespace()},
+ },
+ },
+ }
+
+ // wait for the secret to become available
+ err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(secrets), wait.WithTimeout(defaultTimeout))
+ require.NoError(t, err)
+
+ return ctx
+ }).
+ Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+ var secret v1.Secret
+
+ err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-docker-json-key", cfg.Namespace(), &secret)
+ require.NoError(t, err)
+
+ type v1 struct {
+ Auth string `json:"auth"`
+ }
+
+ type auths struct {
+ V1 v1 `json:"https://index.docker.io/v1/"`
+ }
+
+ type dockerconfig struct {
+ Auths auths `json:"auths"`
+ }
+
+ var dockerconfigjson dockerconfig
+
+ err = json.Unmarshal(secret.Data[".dockerconfigjson"], &dockerconfigjson)
+ require.NoError(t, err)
+
+ dockerrepoauth := base64.StdEncoding.EncodeToString([]byte("_json_key: {\n \"type\": \"service_account\",\n \"project_id\": \"test\"\n}\n"))
+ assert.Equal(t, dockerrepoauth, dockerconfigjson.Auths.V1.Auth)
+
+ return ctx
+ }).
+ Feature()
+
+ configMapVault := applyResource(features.New("configmap-vault"), "configmap-vault.yaml").
 Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 configMaps := &v1.ConfigMapList{
@@ -119,7 +167,7 @@ func TestSecretValueInjection(t *testing.T) {
 }).
 Feature()
- testenv.Test(t, secretVault, configMapVault)
+ testenv.Test(t, secretVault, secretDockerJsonKey, configMapVault)
 }
 func TestPodMutation(t *testing.T) {
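Review bot: The local `type v1 struct { Auth string ... }` declared inside the "secret values are injected" closure shadows the imported Kubernetes `v1` package for the remainder of that function body; it compiles only because `var secret v1.Secret` comes before it, and any later `v1.Secret` reference added to the same closure would silently bind to the struct instead. The existing secretVault feature appears to use the same pattern (it reads `dockerconfigjson.Auths.V1.Username`), but for the new block a name such as `type dockerAuth struct` with `V1 dockerAuth` carrying the same json tag avoids the trap. Separately, the expected `dockerrepoauth` is an escaped literal that must match the `DOCKER_REPO_JSON_KEY` block scalar in vault.yaml byte-for-byte, including the nested indentation (which this page does not preserve, so it could not be verified here) and the trailing newline that `|` keeps; decoding `Auths.V1.Auth`, cutting on the first `:`, asserting `_json_key` and comparing the remainder with `assert.JSONEq` would make the test insensitive to fixture reformatting. The feature variable would read `secretDockerJSONKey` under Go initialism conventions. TestSecretValueInjection starts before this hunk and its body continues past it.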