refactor: Final

Signed-off-by: Bence Csati <[email protected]>

docker-compose.yaml

@@ -3,7 +3,7 @@ version: "3.9"
 services:
   vault:
     container_name: secrets-webhook-vault
-    image: hashicorp/vault:1.14.1
+    image: hashicorp/vault:1.14.8
     ports:
       - 127.0.0.1:8200:8200
     environment:

e2e/main_test.go

@@ -210,6 +210,28 @@ func useNamespace(ns string) env.Func {
 	}
 }
 
+type reverseFinishEnvironment struct {
+	env.Environment
+
+	finishFuncs []env.Func
+}
+
+// Finish registers funcs that are executed at the end of the test suite in a reverse order.
+func (e *reverseFinishEnvironment) Finish(f ...env.Func) env.Environment {
+	e.finishFuncs = append(f[:], e.finishFuncs...)
+
+	return e
+}
+
+// Run launches the test suite from within a TestMain.
+func (e *reverseFinishEnvironment) Run(m *testing.M) int {
+	e.Environment.Finish(e.finishFuncs...)
+
+	return e.Environment.Run(m)
+}
+
+// ======== VAULT ========
+
 func installVault(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
 	r, err := resources.New(cfg.Client().RESTConfig())
 	if err != nil {
@@ -290,23 +312,3 @@ func uninstallVault(ctx context.Context, cfg *envconf.Config) (context.Context,
 
 	return ctx, nil
 }
-
-type reverseFinishEnvironment struct {
-	env.Environment
-
-	finishFuncs []env.Func
-}
-
-// Finish registers funcs that are executed at the end of the test suite in a reverse order.
-func (e *reverseFinishEnvironment) Finish(f ...env.Func) env.Environment {
-	e.finishFuncs = append(f[:], e.finishFuncs...)
-
-	return e
-}
-
-// Run launches the test suite from within a TestMain.
-func (e *reverseFinishEnvironment) Run(m *testing.M) int {
-	e.Environment.Finish(e.finishFuncs...)
-
-	return e.Environment.Run(m)
-}

e2e/test/configmap.yaml → e2e/test/configmap-vault.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: test-configmap
+  name: test-configmap-vault
   annotations:
     secrets-webhook.security.banzaicloud.io/provider: "vault"
     vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"

e2e/test/deployment-init-seccontext.yaml → e2e/test/deployment-init-seccontext-vault.yaml

@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-deployment-init-seccontext
+  name: test-deployment-init-seccontext-vault
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: test-deployment-init-seccontext
+      app.kubernetes.io/name: test-deployment-init-seccontext-vault
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: test-deployment-init-seccontext
+        app.kubernetes.io/name: test-deployment-init-seccontext-vault
       annotations:
         secrets-webhook.security.banzaicloud.io/provider: "vault"
         secrets-webhook.security.banzaicloud.io/run-as-non-root: "true"

e2e/test/deployment-seccontext.yaml → e2e/test/deployment-seccontext-vault.yaml

@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-deployment-seccontext
+  name: test-deployment-seccontext-vault
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: test-deployment-seccontext
+      app.kubernetes.io/name: test-deployment-seccontext-vault
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: test-deployment-seccontext
+        app.kubernetes.io/name: test-deployment-seccontext-vault
       annotations:
         secrets-webhook.security.banzaicloud.io/provider: "vault"
         vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"

e2e/test/deployment-template.yaml → e2e/test/deployment-template-vault.yaml

@@ -2,10 +2,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    app.kubernetes.io/name: my-app
-    my-app.kubernetes.io/name: my-app-vault-agent
+    app.kubernetes.io/name: my-app-vault
+    my-app.kubernetes.io/name: my-app-vault-agent-vault
     branches: "true"
-  name: my-app-vault-agent
+  name: my-app-vault-agent-vault
 data:
   config.hcl: |
     vault {
@@ -42,16 +42,16 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-deployment-template
+  name: test-deployment-template-vault
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: test-deployment-template
+      app.kubernetes.io/name: test-deployment-template-vault
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: test-deployment-template
+        app.kubernetes.io/name: test-deployment-template-vault
       annotations:
         secrets-webhook.security.banzaicloud.io/provider: "vault"
         vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # optional, the address of the Vault service, default values is https://vault:8200
@@ -60,7 +60,7 @@ spec:
         vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # optional, the name of the Secret where the Vault CA cert is, if not defined it is not mounted
         vault.security.banzaicloud.io/vault-agent: "false" # optional, if true, a Vault Agent will be started to do Vault authentication, by default not needed and secret-init will do Kubernetes Service Account based Vault authentication
         vault.security.banzaicloud.io/vault-path: "kubernetes" # optional, the Kubernetes Auth mount path in Vault the default value is "kubernetes"
-        vault.security.banzaicloud.io/vault-agent-configmap: "my-app-vault-agent"
+        vault.security.banzaicloud.io/vault-agent-configmap: "my-app-vault-agent-vault"
     spec:
       serviceAccountName: default
       containers:

e2e/test/deployment.yaml → e2e/test/deployment-vault.yaml

@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: test-deployment
+  name: test-deployment-vault
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/name: test-deployment
+      app.kubernetes.io/name: test-deployment-vault
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: test-deployment
+        app.kubernetes.io/name: test-deployment-vault
       annotations:
         secrets-webhook.security.banzaicloud.io/provider: "vault"
         vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"

e2e/test/secret.yaml → e2e/test/secret-vault.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: test-secret
+  name: test-secret-vault
   annotations:
     secrets-webhook.security.banzaicloud.io/provider: "vault"
     vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"

e2e/webhook_test.go

@@ -40,12 +40,12 @@ import (
 )
 
 func TestSecretValueInjection(t *testing.T) {
-	secret := applyResource(features.New("secret"), "secret.yaml").
+	secretVault := applyResource(features.New("secret-vault"), "secret-vault.yaml").
 		Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			secrets := &v1.SecretList{
 				Items: []v1.Secret{
 					{
-						ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: cfg.Namespace()},
+						ObjectMeta: metav1.ObjectMeta{Name: "test-secret-vault", Namespace: cfg.Namespace()},
 					},
 				},
 			}
@@ -59,7 +59,7 @@ func TestSecretValueInjection(t *testing.T) {
 		Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			var secret v1.Secret
 
-			err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret", cfg.Namespace(), &secret)
+			err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-vault", cfg.Namespace(), &secret)
 			require.NoError(t, err)
 
 			type v1 struct {
@@ -89,12 +89,12 @@ func TestSecretValueInjection(t *testing.T) {
 		}).
 		Feature()
 
-	configMap := applyResource(features.New("configmap"), "configmap.yaml").
+	configMapVault := applyResource(features.New("configmap-vault"), "configmap-vault.yaml").
 		Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			configMaps := &v1.ConfigMapList{
 				Items: []v1.ConfigMap{
 					{
-						ObjectMeta: metav1.ObjectMeta{Name: "test-configmap", Namespace: cfg.Namespace()},
+						ObjectMeta: metav1.ObjectMeta{Name: "test-configmap-vault", Namespace: cfg.Namespace()},
 					},
 				},
 			}
@@ -108,7 +108,7 @@ func TestSecretValueInjection(t *testing.T) {
 		Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			var configMap v1.ConfigMap
 
-			err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-configmap", cfg.Namespace(), &configMap)
+			err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-configmap-vault", cfg.Namespace(), &configMap)
 			require.NoError(t, err)
 
 			assert.Equal(t, "secretId", string(configMap.Data["aws-access-key-id"]))
@@ -120,14 +120,14 @@ func TestSecretValueInjection(t *testing.T) {
 		}).
 		Feature()
 
-	testenv.Test(t, secret, configMap)
+	testenv.Test(t, secretVault, configMapVault)
 }
 
 func TestPodMutation(t *testing.T) {
-	deployment := applyResource(features.New("deployment"), "deployment.yaml").
+	deploymentVault := applyResource(features.New("deployment-vault"), "deployment-vault.yaml").
 		Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			deployment := &appsv1.Deployment{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment", Namespace: cfg.Namespace()},
+				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-vault", Namespace: cfg.Namespace()},
 			}
 
 			// wait for the deployment to become available
@@ -141,7 +141,7 @@ func TestPodMutation(t *testing.T) {
 
 			pods := &v1.PodList{}
 
-			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment"))
+			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-vault"))
 			require.NoError(t, err)
 
 			if len(pods.Items) == 0 {
@@ -158,10 +158,10 @@ func TestPodMutation(t *testing.T) {
 		}).
 		Feature()
 
-	deploymentSeccontext := applyResource(features.New("deployment-seccontext"), "deployment-seccontext.yaml").
+	deploymentSeccontextVault := applyResource(features.New("deployment-seccontext-vault"), "deployment-seccontext-vault.yaml").
 		Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			deployment := &appsv1.Deployment{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-seccontext", Namespace: cfg.Namespace()},
+				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-seccontext-vault", Namespace: cfg.Namespace()},
 			}
 
 			// wait for the deployment to become available
@@ -172,12 +172,12 @@ func TestPodMutation(t *testing.T) {
 		}).
 		Feature()
 
-	deploymentTemplating := applyResource(features.New("deployment-template"), "deployment-template.yaml").
+	deploymentTemplatingVault := applyResource(features.New("deployment-template-vault"), "deployment-template-vault.yaml").
 		Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			r := cfg.Client().Resources()
 
 			deployment := &appsv1.Deployment{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-template", Namespace: cfg.Namespace()},
+				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-template-vault", Namespace: cfg.Namespace()},
 			}
 
 			// wait for the deployment to become available
@@ -191,7 +191,7 @@ func TestPodMutation(t *testing.T) {
 
 			pods := &v1.PodList{}
 
-			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-template"))
+			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-template-vault"))
 			require.NoError(t, err)
 
 			if len(pods.Items) == 0 {
@@ -217,10 +217,10 @@ func TestPodMutation(t *testing.T) {
 		}).
 		Feature()
 
-	deploymentInitSeccontext := applyResource(features.New("deployment-init-seccontext"), "deployment-init-seccontext.yaml").
+	deploymentInitSeccontextVault := applyResource(features.New("deployment-init-seccontext-vault"), "deployment-init-seccontext-vault.yaml").
 		Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 			deployment := &appsv1.Deployment{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-init-seccontext", Namespace: cfg.Namespace()},
+				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-init-seccontext-vault", Namespace: cfg.Namespace()},
 			}
 
 			// wait for the deployment to become available
@@ -234,7 +234,7 @@ func TestPodMutation(t *testing.T) {
 
 			pods := &v1.PodList{}
 
-			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-init-seccontext"))
+			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-init-seccontext-vault"))
 			require.NoError(t, err)
 
 			if len(pods.Items) == 0 {
@@ -258,7 +258,7 @@ func TestPodMutation(t *testing.T) {
 		}).
 		Feature()
 
-	testenv.Test(t, deployment, deploymentSeccontext, deploymentTemplating, deploymentInitSeccontext)
+	testenv.Test(t, deploymentVault, deploymentSeccontextVault, deploymentTemplatingVault, deploymentInitSeccontextVault)
 }
 
 func applyResource(builder *features.FeatureBuilder, file string) *features.FeatureBuilder {

pkg/common/config.go

@@ -190,5 +190,6 @@ func SetWebhookAndSecretInitDefaults() {
 	viper.SetDefault("SECRET_INIT_MEMORY_LIMIT", "")
 	viper.SetDefault("SECRET_INIT_LOG_SERVER", "")
 	viper.SetDefault("SECRET_INIT_LOG_LEVEL", "info")
+
 	viper.AutomaticEnv()
 }

pkg/provider/bao/config.go

@@ -400,5 +400,6 @@ func SetDefaults() {
 	viper.SetDefault("bao_transit_key_id", "")
 	viper.SetDefault("bao_transit_path", "")
 	viper.SetDefault("bao_transit_batch_size", 25)
+
 	viper.AutomaticEnv()
 }

pkg/provider/vault/config.go

@@ -401,5 +401,6 @@ func SetDefaults() {
 	viper.SetDefault("transit_key_id", "")
 	viper.SetDefault("transit_path", "")
 	viper.SetDefault("transit_batch_size", 25)
+
 	viper.AutomaticEnv()
 }