diff --git a/docker-compose.yaml b/docker-compose.yaml
index 04e954e..577ff33 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,7 +3,7 @@ version: "3.9"
 services:
 vault:
 container_name: secrets-webhook-vault
- image: hashicorp/vault:1.14.1
+ image: hashicorp/vault:1.14.8
 ports:
 - 127.0.0.1:8200:8200
 environment:
diff --git a/e2e/main_test.go b/e2e/main_test.go
index fbc9035..3f446df 100644
--- a/e2e/main_test.go
+++ b/e2e/main_test.go
@@ -210,6 +210,28 @@ func useNamespace(ns string) env.Func {
 }
 }
+type reverseFinishEnvironment struct {
+ env.Environment
+
+ finishFuncs []env.Func
+}
+
+// Finish registers funcs that are executed at the end of the test suite in a reverse order.
+func (e *reverseFinishEnvironment) Finish(f ...env.Func) env.Environment {
+ e.finishFuncs = append(f[:], e.finishFuncs...)
+
+ return e
+}
+
+// Run launches the test suite from within a TestMain.
+func (e *reverseFinishEnvironment) Run(m *testing.M) int {
+ e.Environment.Finish(e.finishFuncs...)
+
+ return e.Environment.Run(m)
+}
+
+// ======== VAULT ========
+
 func installVault(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
 r, err := resources.New(cfg.Client().RESTConfig())
 if err != nil {
@@ -290,23 +312,3 @@ func uninstallVault(ctx context.Context, cfg *envconf.Config) (context.Context,
 return ctx, nil
 }
-
-type reverseFinishEnvironment struct {
- env.Environment
-
- finishFuncs []env.Func
-}
-
-// Finish registers funcs that are executed at the end of the test suite in a reverse order.
-func (e *reverseFinishEnvironment) Finish(f ...env.Func) env.Environment {
- e.finishFuncs = append(f[:], e.finishFuncs...)
-
- return e
-}
-
-// Run launches the test suite from within a TestMain.
-func (e *reverseFinishEnvironment) Run(m *testing.M) int {
- e.Environment.Finish(e.finishFuncs...)
-
- return e.Environment.Run(m)
-}
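Review bot: `e.finishFuncs = append(f[:], e.finishFuncs...)` in the relocated Finish method does not give the type its own storage: `f[:]` is the same slice header as `f`, so when a caller expands an existing slice into `Finish(fs...)` and that slice has spare capacity, the append writes into the caller-owned backing array and `e.finishFuncs` aliases it. `e.finishFuncs = append(append([]env.Func(nil), f...), e.finishFuncs...)` (or `slices.Clone(f)` if that package is already imported) isolates it. The doc comment could also spell out the ordering the code actually produces — later Finish calls run before earlier ones, while the funcs within a single call keep their given order. The code is moved rather than new, but the move is the moment to fix it; installVault, whose first lines close the hunk, continues past it.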
diff --git a/e2e/test/configmap.yaml b/e2e/test/configmap-vault.yaml
similarity index 96%
rename from e2e/test/configmap.yaml
rename to e2e/test/configmap-vault.yaml
index d6d3382..1291912 100644
--- a/e2e/test/configmap.yaml
+++ b/e2e/test/configmap-vault.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: test-configmap
+ name: test-configmap-vault
 annotations:
 secrets-webhook.security.banzaicloud.io/provider: "vault"
 vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
diff --git a/e2e/test/deployment-init-seccontext.yaml b/e2e/test/deployment-init-seccontext-vault.yaml
similarity index 86%
rename from e2e/test/deployment-init-seccontext.yaml
rename to e2e/test/deployment-init-seccontext-vault.yaml
index 8246c0e..65c289a 100644
--- a/e2e/test/deployment-init-seccontext.yaml
+++ b/e2e/test/deployment-init-seccontext-vault.yaml
@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: test-deployment-init-seccontext
+ name: test-deployment-init-seccontext-vault
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: test-deployment-init-seccontext
+ app.kubernetes.io/name: test-deployment-init-seccontext-vault
 template:
 metadata:
 labels:
- app.kubernetes.io/name: test-deployment-init-seccontext
+ app.kubernetes.io/name: test-deployment-init-seccontext-vault
 annotations:
 secrets-webhook.security.banzaicloud.io/provider: "vault"
 secrets-webhook.security.banzaicloud.io/run-as-non-root: "true"
diff --git a/e2e/test/deployment-seccontext.yaml b/e2e/test/deployment-seccontext-vault.yaml
similarity index 89%
rename from e2e/test/deployment-seccontext.yaml
rename to e2e/test/deployment-seccontext-vault.yaml
index 8dad319..f34a9d9 100644
--- a/e2e/test/deployment-seccontext.yaml
+++ b/e2e/test/deployment-seccontext-vault.yaml
@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: test-deployment-seccontext
+ name: test-deployment-seccontext-vault
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: test-deployment-seccontext
+ app.kubernetes.io/name: test-deployment-seccontext-vault
 template:
 metadata:
 labels:
- app.kubernetes.io/name: test-deployment-seccontext
+ app.kubernetes.io/name: test-deployment-seccontext-vault
 annotations:
 secrets-webhook.security.banzaicloud.io/provider: "vault"
 vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
diff --git a/e2e/test/deployment-template.yaml b/e2e/test/deployment-template-vault.yaml
similarity index 89%
rename from e2e/test/deployment-template.yaml
rename to e2e/test/deployment-template-vault.yaml
index 0a5a22a..2707d73 100644
--- a/e2e/test/deployment-template.yaml
+++ b/e2e/test/deployment-template-vault.yaml
@@ -2,10 +2,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 labels:
- app.kubernetes.io/name: my-app
- my-app.kubernetes.io/name: my-app-vault-agent
+ app.kubernetes.io/name: my-app-vault
+ my-app.kubernetes.io/name: my-app-vault-agent-vault
 branches: "true"
- name: my-app-vault-agent
+ name: my-app-vault-agent-vault
 data:
 config.hcl: |
 vault {
@@ -42,16 +42,16 @@ data:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: test-deployment-template
+ name: test-deployment-template-vault
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: test-deployment-template
+ app.kubernetes.io/name: test-deployment-template-vault
 template:
 metadata:
 labels:
- app.kubernetes.io/name: test-deployment-template
+ app.kubernetes.io/name: test-deployment-template-vault
 annotations:
 secrets-webhook.security.banzaicloud.io/provider: "vault"
 vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # optional, the address of the Vault service, default values is https://vault:8200
@@ -60,7 +60,7 @@ spec:
 vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # optional, the name of the Secret where the Vault CA cert is, if not defined it is not mounted
 vault.security.banzaicloud.io/vault-agent: "false" # optional, if true, a Vault Agent will be started to do Vault authentication, by default not needed and secret-init will do Kubernetes Service Account based Vault authentication
 vault.security.banzaicloud.io/vault-path: "kubernetes" # optional, the Kubernetes Auth mount path in Vault the default value is "kubernetes"
- vault.security.banzaicloud.io/vault-agent-configmap: "my-app-vault-agent"
+ vault.security.banzaicloud.io/vault-agent-configmap: "my-app-vault-agent-vault"
 spec:
 serviceAccountName: default
 containers:
diff --git a/e2e/test/deployment.yaml b/e2e/test/deployment-vault.yaml
similarity index 92%
rename from e2e/test/deployment.yaml
rename to e2e/test/deployment-vault.yaml
index e8095c0..1b25d5d 100644
--- a/e2e/test/deployment.yaml
+++ b/e2e/test/deployment-vault.yaml
@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: test-deployment
+ name: test-deployment-vault
 spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: test-deployment
+ app.kubernetes.io/name: test-deployment-vault
 template:
 metadata:
 labels:
- app.kubernetes.io/name: test-deployment
+ app.kubernetes.io/name: test-deployment-vault
 annotations:
 secrets-webhook.security.banzaicloud.io/provider: "vault"
 vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
diff --git a/e2e/test/secret.yaml b/e2e/test/secret-vault.yaml
similarity index 97%
rename from e2e/test/secret.yaml
rename to e2e/test/secret-vault.yaml
index 7c879b9..a840861 100644
--- a/e2e/test/secret.yaml
+++ b/e2e/test/secret-vault.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: test-secret
+ name: test-secret-vault
 annotations:
 secrets-webhook.security.banzaicloud.io/provider: "vault"
 vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
diff --git a/e2e/webhook_test.go b/e2e/webhook_test.go
index 9adbf9b..32080ee 100644
--- a/e2e/webhook_test.go
+++ b/e2e/webhook_test.go
@@ -40,12 +40,12 @@ import (
 )
 func TestSecretValueInjection(t *testing.T) {
- secret := applyResource(features.New("secret"), "secret.yaml").
+ secretVault := applyResource(features.New("secret-vault"), "secret-vault.yaml").
 Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 secrets := &v1.SecretList{
 Items: []v1.Secret{
 {
- ObjectMeta: metav1.ObjectMeta{Name: "test-secret", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-secret-vault", Namespace: cfg.Namespace()},
 },
 },
 }
@@ -59,7 +59,7 @@ func TestSecretValueInjection(t *testing.T) {
 Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 var secret v1.Secret
- err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret", cfg.Namespace(), &secret)
+ err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-secret-vault", cfg.Namespace(), &secret)
 require.NoError(t, err)
 type v1 struct {
@@ -89,12 +89,12 @@ func TestSecretValueInjection(t *testing.T) {
 }).
 Feature()
- configMap := applyResource(features.New("configmap"), "configmap.yaml").
+ configMapVault := applyResource(features.New("configmap-vault"), "configmap-vault.yaml").
 Assess("object created", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 configMaps := &v1.ConfigMapList{
 Items: []v1.ConfigMap{
 {
- ObjectMeta: metav1.ObjectMeta{Name: "test-configmap", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-configmap-vault", Namespace: cfg.Namespace()},
 },
 },
 }
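Review bot: The object name `"test-secret-vault"` is a bare literal in the Assess on this hunk's new side and again in the Get call of the next hunk (`@@ -59`), and it also has to agree with `metadata.name` in secret-vault.yaml; the configmap and deployment hunks that follow repeat the pattern for their names and label selectors. A package-level constant per resource, e.g. `const secretVaultName = "test-secret-vault"`, used in both places would keep the three spellings from drifting the next time a provider suffix is added. TestSecretValueInjection begins in this hunk and continues past it.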
@@ -108,7 +108,7 @@ func TestSecretValueInjection(t *testing.T) {
 Assess("secret values are injected", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 var configMap v1.ConfigMap
- err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-configmap", cfg.Namespace(), &configMap)
+ err := cfg.Client().Resources(cfg.Namespace()).Get(ctx, "test-configmap-vault", cfg.Namespace(), &configMap)
 require.NoError(t, err)
 assert.Equal(t, "secretId", string(configMap.Data["aws-access-key-id"]))
@@ -120,14 +120,14 @@ func TestSecretValueInjection(t *testing.T) {
 }).
 Feature()
- testenv.Test(t, secret, configMap)
+ testenv.Test(t, secretVault, configMapVault)
 }
 func TestPodMutation(t *testing.T) {
- deployment := applyResource(features.New("deployment"), "deployment.yaml").
+ deploymentVault := applyResource(features.New("deployment-vault"), "deployment-vault.yaml").
 Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 deployment := &appsv1.Deployment{
- ObjectMeta: metav1.ObjectMeta{Name: "test-deployment", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-vault", Namespace: cfg.Namespace()},
 }
 // wait for the deployment to become available
@@ -141,7 +141,7 @@ func TestPodMutation(t *testing.T) {
 pods := &v1.PodList{}
- err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment"))
+ err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-vault"))
 require.NoError(t, err)
 if len(pods.Items) == 0 {
@@ -158,10 +158,10 @@ func TestPodMutation(t *testing.T) {
 }).
 Feature()
- deploymentSeccontext := applyResource(features.New("deployment-seccontext"), "deployment-seccontext.yaml").
+ deploymentSeccontextVault := applyResource(features.New("deployment-seccontext-vault"), "deployment-seccontext-vault.yaml").
 Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 deployment := &appsv1.Deployment{
- ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-seccontext", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-seccontext-vault", Namespace: cfg.Namespace()},
 }
 // wait for the deployment to become available
@@ -172,12 +172,12 @@ func TestPodMutation(t *testing.T) {
 }).
 Feature()
- deploymentTemplating := applyResource(features.New("deployment-template"), "deployment-template.yaml").
+ deploymentTemplatingVault := applyResource(features.New("deployment-template-vault"), "deployment-template-vault.yaml").
 Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 r := cfg.Client().Resources()
 deployment := &appsv1.Deployment{
- ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-template", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-template-vault", Namespace: cfg.Namespace()},
 }
 // wait for the deployment to become available
@@ -191,7 +191,7 @@ func TestPodMutation(t *testing.T) {
 pods := &v1.PodList{}
- err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-template"))
+ err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-template-vault"))
 require.NoError(t, err)
 if len(pods.Items) == 0 {
@@ -217,10 +217,10 @@ func TestPodMutation(t *testing.T) {
 }).
 Feature()
- deploymentInitSeccontext := applyResource(features.New("deployment-init-seccontext"), "deployment-init-seccontext.yaml").
+ deploymentInitSeccontextVault := applyResource(features.New("deployment-init-seccontext-vault"), "deployment-init-seccontext-vault.yaml").
 Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
 deployment := &appsv1.Deployment{
- ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-init-seccontext", Namespace: cfg.Namespace()},
+ ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-init-seccontext-vault", Namespace: cfg.Namespace()},
 }
 // wait for the deployment to become available
@@ -234,7 +234,7 @@ func TestPodMutation(t *testing.T) {
 pods := &v1.PodList{}
- err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-init-seccontext"))
+ err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-init-seccontext-vault"))
 require.NoError(t, err)
 if len(pods.Items) == 0 {
@@ -258,7 +258,7 @@ func TestPodMutation(t *testing.T) {
 }).
 Feature()
- testenv.Test(t, deployment, deploymentSeccontext, deploymentTemplating, deploymentInitSeccontext)
+ testenv.Test(t, deploymentVault, deploymentSeccontextVault, deploymentTemplatingVault, deploymentInitSeccontextVault)
 }
 func applyResource(builder *features.FeatureBuilder, file string) *features.FeatureBuilder {
diff --git a/pkg/common/config.go b/pkg/common/config.go
index 35c90d1..f68b194 100644
--- a/pkg/common/config.go
+++ b/pkg/common/config.go
@@ -190,5 +190,6 @@ func SetWebhookAndSecretInitDefaults() {
 viper.SetDefault("SECRET_INIT_MEMORY_LIMIT", "")
 viper.SetDefault("SECRET_INIT_LOG_SERVER", "")
 viper.SetDefault("SECRET_INIT_LOG_LEVEL", "info")
+ viper.AutomaticEnv()
 }
diff --git a/pkg/provider/bao/config.go b/pkg/provider/bao/config.go
index fd9fd4a..7d18fe6 100644
--- a/pkg/provider/bao/config.go
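Review bot: `viper.AutomaticEnv()` is added at the end of SetWebhookAndSecretInitDefaults with no `viper.SetEnvPrefix` or `viper.SetEnvKeyReplacer` visible in the hunk; unless a prefix is set elsewhere, every viper key becomes overridable by any same-named environment variable in the process (for the provider keys in the next two hunks, e.g. `transit_path` resolves from `TRANSIT_PATH`), which is a wider override surface than the explicit `SECRET_INIT_*` names suggest and is worth stating in a comment above the call. The same line is added to bao.SetDefaults and vault.SetDefaults in the hunks that follow; AutomaticEnv toggles global viper state, so calling it once at startup next to a prefix would do, e.g. `viper.SetEnvPrefix("SECRETS_WEBHOOK") // constructed example` followed by `viper.AutomaticEnv()`. SetWebhookAndSecretInitDefaults begins before this hunk, so whether a prefix is configured earlier in the function cannot be seen here.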
+++ b/pkg/provider/bao/config.go
@@ -400,5 +400,6 @@ func SetDefaults() {
 viper.SetDefault("bao_transit_key_id", "")
 viper.SetDefault("bao_transit_path", "")
 viper.SetDefault("bao_transit_batch_size", 25)
+ viper.AutomaticEnv()
 }
diff --git a/pkg/provider/vault/config.go b/pkg/provider/vault/config.go
index a59bd69..dfa7e74 100644
--- a/pkg/provider/vault/config.go
+++ b/pkg/provider/vault/config.go
@@ -401,5 +401,6 @@ func SetDefaults() {
 viper.SetDefault("transit_key_id", "")
 viper.SetDefault("transit_path", "")
 viper.SetDefault("transit_batch_size", 25)
+ viper.AutomaticEnv()
 }