From 96b5b3cd7d3473b57a728fa222d8391ed0b538a0 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 6 Feb 2023 08:31:57 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=85=20Added=20tests=20for=20new=20feature?= =?UTF-8?q?s?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .sops.yaml | 3 +-
 tests/sops-generator/expected/secrets.yaml | 30 ++++++++++++
 tests/sops-generator/functions/secrets.yaml | 47 +++++++++++++++++++
 tests/sops-generator/original/.gitkeep | 0
 tests/sops-generator/source/secrets.dec.yaml | 35 ++++++++++++++
 .../expected/argocd-cm.yaml | 36 ++++++++++++++
 .../functions/argocd-values-replacements.yaml | 28 +++++++++++
 .../original/argocd-cm.yaml | 36 ++++++++++++++
 .../values/properties.yaml | 11 +++++
 tests/test_krmfnbuiltin.sh | 9 ++++
 tests/test_krmfnbuiltin_kpt.sh | 9 ++++
 11 files changed, 243 insertions(+), 1 deletion(-)
 create mode 100644 tests/sops-generator/expected/secrets.yaml
 create mode 100644 tests/sops-generator/functions/secrets.yaml
 create mode 100644 tests/sops-generator/original/.gitkeep
 create mode 100644 tests/sops-generator/source/secrets.dec.yaml
 create mode 100644 tests/sourced-replacement/expected/argocd-cm.yaml
 create mode 100644 tests/sourced-replacement/functions/argocd-values-replacements.yaml
 create mode 100644 tests/sourced-replacement/original/argocd-cm.yaml
 create mode 100644 tests/sourced-replacement/values/properties.yaml
diff --git a/.sops.yaml b/.sops.yaml
index f32d7dc..1c3fbf8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,2 +1,3 @@
 creation_rules:
- - encrypted_regex: '^(data|stringData)$'
+ - encrypted_regex: "^(data|stringData)$"
+ age: age166k86d56ejs2ydvaxv2x3vl3wajny6l52dlkncf2k58vztnlecjs0g5jqq
diff --git a/tests/sops-generator/expected/secrets.yaml b/tests/sops-generator/expected/secrets.yaml
new file mode 100644
index 0000000..b99dea3
--- /dev/null
+++ b/tests/sops-generator/expected/secrets.yaml
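Review bot: The `age:` recipient added to this repository-wide creation rule is the test key pair: the `sops.age_key.txt` value committed in cleartext in `tests/sops-generator/expected/secrets.yaml` and `tests/sops-generator/source/secrets.dec.yaml` base64-decodes to an age identity file whose public-key comment is this same recipient. Because the rule has no `path_regex`, any file encrypted with sops anywhere in the repository would default to a key whose private half is published. Restrict the rule to the fixtures, for example by adding `path_regex: ^tests/` to this entry, and put a comment above it such as `# Disposable test key: the private half is committed under tests/, never use it for real secrets`.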
@@ -0,0 +1,30 @@
+apiVersion: config.kaweezle.com/v1alpha1
+kind: PlatformSecrets
+metadata:
+ name: autocloud-secrets
+data:
+ cloudflare:
+ credentials.json: |
+ {"AccountTag":"6b713ba4794bb6898c335a6e5e964bc0","TunnelSecret":"0rGDN8oqEVFWYvtUxPCckKpEMiM9I4bOuUsDXNXJVinSTHWs","TunnelID":"ca955c21-2606-4a5d-b217-341a3d12755e"}
+ apiKey: 597aa3a9f23465a7a2f133fda2b7fd11e82211df
+ ovh:
+ application_secret: 29s5X1U9YjFeRhjwat0gLIunwcsHKPe4
+ consumer_key: pZzUg3Ux3mig3V50xOpUPK1BgCNK6Dal
+ github:
+ password: ghp_yHlZKZnbqd8uyTWL8LIuixxh8KOKViwTcXWJ
+ webhook_secret: 3AbUHdd35WE4HzYpk53jvzybY9QW4GDY
+ oidc_client_secret: 72d2976fcf260480dc3a2c392ef4a1cecba348a8
+ ssh_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACA4nXPm/isSCn3Jmsj2cqBIRhoZ6ZTegcxgFZhDKJXDTwAAAJgOYygIDmMo
+ CAAAAAtzc2gtZWQyNTUxOQAAACA4nXPm/isSCn3Jmsj2cqBIRhoZ6ZTegcxgFZhDKJXDTw
+ AAAECApDmEpcj6BVxPhdt2ZJB5llYEcGKmapyGXlg/y9Sjejidc+b+KxIKfcmayPZyoEhG
+ GhnplN6BzGAVmEMolcNPAAAAD2FudG9pbmVAbXJ0bi5mcgECAwQFBg==
+ -----END OPENSSH PRIVATE KEY-----
+ sops:
+ age_key.txt: IyBjcmVhdGVkOiAyMDIzLTAxLTE5VDE5OjQxOjQ1WgojIHB1YmxpYyBrZXk6IGFnZTE2Nms4NmQ1NmVqczJ5ZHZheHYyeDN2bDN3YWpueTZsNTJkbGtuY2YyazU4dnp0bmxlY2pzMGc1anFxCkFHRS1TRUNSRVQtS0VZLTE1UktUUFFDQ0xXTTdFSFE4SkVQMFRRTFVXSkFFQ1ZQNzMzMk0zWlAwUkw5UjdKVDdNWjZTWTc5VjhRCg==
+ argocd:
+ admin_password: $2a$10$xdlX460lf/WbJNZU5bBoROj6U7oKgPbEcBrnXaemA6gsCzrAJtQ3y
+ chisel:
+ AUTH: user:password
diff --git a/tests/sops-generator/functions/secrets.yaml b/tests/sops-generator/functions/secrets.yaml
new file mode 100644
index 0000000..dd40c7f
--- /dev/null
+++ b/tests/sops-generator/functions/secrets.yaml
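Review bot: Nothing in this fixture says that its credential-shaped values are throwaway: it holds a `ghp_`-prefixed token, a complete OpenSSH private key and provider API keys in cleartext, and `tests/sops-generator/source/secrets.dec.yaml` repeats them. Secret scanners will flag both files and a reader cannot tell dummy data from a leak; any value that was ever valid has to be revoked, since the commit keeps it in history. Record the status where it is visible, for instance a leading comment in the decrypted source fixture, `# Test fixture: every value below is a dummy and grants no access`; this expected file is presumably compared with generated output, so the comment may not fit here without regenerating it.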
@@ -0,0 +1,47 @@ +apiVersion: krmfnbuiltin.kaweezle.com/v1alpha1 +kind: SopsGenerator +metadata: + name: autocloud-secrets + annotations: + config.kaweezle.com/path: secrets.yaml + config.kubernetes.io/function: | + exec: + path: ../../krmfnbuiltin +data: + cloudflare: + credentials.json: ENC[AES256_GCM,data:BlMhafSS7U5ntdsXAOasRX3O2/f1J3bUfTn9NEjZomWLItDr0K+4/69UGMjSCfQgwx23YcHCD2ZWgOk6TnN0sqjXV9DuRpU9uCInk0gNgjUDGymnPjxK2mYxhybjhSuIh89ml1CZnjnDG5jRgcXLgJFzjR2esIqMufiQyJoj+cB3wY86o1srHZL47QD2XxMUeitI3QfWVEDTpQbdlNn6iVfVOUtWiA==,iv:5b+cilKQykqnO1yluXan2LVFX6a/kmccI+BQ3sZrq2Q=,tag:wLeubY5J0sqlJ9BMRRzHWg==,type:str] + apiKey: ENC[AES256_GCM,data:+luyBXKTRGs8k0EYjZzqoHFPP+PmnG4tND6SNCYTNQ5CaNUBOviOQA==,iv:j6niJC5BwYxhrw0wmQsD8fmkPo8cgacSbW8N1/Hi+hQ=,tag:uk75i1k+izzrK2CkjB8new==,type:str] + ovh: + application_secret: ENC[AES256_GCM,data:vXNXYymgcX6ZQPKN65aBHtWNxdqDJ7/kAvFc9W2qCrw=,iv:It3NPmTaZXwgRIPIolHo0h7w6vzAnvaLTcDQjBFFBZQ=,tag:f/3PD1ZVN7LzfDZ7GTav3A==,type:str] + consumer_key: ENC[AES256_GCM,data:q8iyMNPnKf/Or1gnnuHBPfX9X+5fsh5OxA0DxjnWric=,iv:dc5vRzH87jEYpQC6XZ89lPRgDFLig+rsBf3E6FBTHSk=,tag:ZIgPYc3Ro0gOMYxdBBwRsw==,type:str] + github: + password: ENC[AES256_GCM,data:InIPLpv58jMMpjp8sGVIfpxJ9HzAu3IIpSM6Jb8pUPzuJbWMxabQ6w==,iv:akbY8UCLloyAkkK0sLYk5KZ06+4EORv3rm7vZGwjWks=,tag:SXUtA28tHFKAFh4XL2w/XA==,type:str] + webhook_secret: ENC[AES256_GCM,data:ltrWxAW6hKTl7gZcDgMgu1IOwu6X07F+2TQFaMKrb1Q=,iv:lmX/M40uykMTwBY/kaoGXkeSCqAQ5Uq+bNK4slQOQyU=,tag:tyvEywVE1R1Eo8+w1lGlPA==,type:str] + oidc_client_secret: ENC[AES256_GCM,data:d/kIhME8Ubuo4buueV6KGvcQwU5ZMR7TRjcRmSog/yicUGsY9IAN7Q==,iv:/JZsC6tAwvj+TFHrGRjwD3an1iD52S6KVzkZBU4/JJk=,tag:4dJ+4bjI2yRcGzRuPKeQRw==,type:str] + ssh_key: ENC[AES256_GCM,data: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,iv:NMoplOfxWMZ4uKtOD4nAcgbUF9uL1lywILoSfBoY7qA=,tag:2dVYmbm5nYfjHuuOcJ8ncA==,type:str] + sops: + age_key.txt: 
ENC[AES256_GCM,data:/+aTppVhVAx2ZeKojI2A9LmMaV5GlFRAs2P6MBklaAF9E8gXb/UD4oBL7SZunw6osl0YQ3v5q8nGPrciRJ0pR6zjZ+BZqtEAAEpVlPv63PXB00KCOJhjlqKfxWiydacSI0GrgG+ua1k71rqTctiNy9CUoi3FNXvOJXVMsXzGl8YlkOX0qlbT1jOibLEmFWNUv10mRp4KidUfejGm5TGn1Q/M8KQi1BpK7EcdfBsAoFhriPBVDscqCLRWsnSPROEocnAJKFsfUs6a0A2Gwzxv/UcK0FHsn0BhnkL97Okxc71TXdatOuS4bdhi6F17zPaibsPy/ywv53c=,iv:MqyVHocL4zBG4dT2MtlSTEgW1r7TEMk6SA0ws2dtcmg=,tag:1sS0hG/PuZVMeTkfvNfjuA==,type:str] + argocd: + admin_password: ENC[AES256_GCM,data:xAYetqD6bK+a0RQ6HaY+re486hlMcWIuGbYsaj3+KtV+Zk/4Vc1GtjrXgaJLizj083B1Ku7bFvOrl6r/,iv:BxM/33tG2RxQk/IzJKk2XHNigax0wdWk/1UPgKGib8s=,tag:dTczApIQ+WbunrIH8Nje3A==,type:str] + chisel: + AUTH: ENC[AES256_GCM,data:Z4jqrFNLMu7s+n073g==,iv:2VrKCiJbFRvxgRzy+BFsfeon0kaAjZ88Vp4iaQRACvc=,tag:OE1KL24zg4U8znI22El+UA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age166k86d56ejs2ydvaxv2x3vl3wajny6l52dlkncf2k58vztnlecjs0g5jqq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbENqdGU4WTdqZkpoMWRp + QVpzcmJTSWxwRC8rK1dpMm41QkpVNVJ4RXpRCi9XYnRJcEhlWDhOalRMRVZFMzlY + TUNqbFkrUUxsVnU3NEh0QlpkczVwV0kKLS0tIGVZeTNVbzYzck1GRG9qVENxNmQ5 + bldBTnc3UXQvTWNHSnZDTzJpaG5LVW8KT6ISyKOyjkhaqaZcbb7F1BfAXXmmB1st + SsDJRd8GB6Me/JOeoXgRZJxYJNY0c/Gj/MZd5/YKjKaAmahfFd5wPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-02-05T21:26:29Z" + mac: ENC[AES256_GCM,data:nn+Zw4HbYbmqqTattvQCNv9wsg8pnA5WwINh/wujH3EpN/79G/A3lMhEiU/ItzEhr4Mr5C5zEnaPCBA7PBW+JPeMpNSYDQhnIvdm+Pyov22f6f5S7bhogeIdEi3Gk0ACIVxgW3k55Oby/fachbBKomc0tca1Wxz2/bQYIF+TVrI=,iv:FyOcWVXKS4XarZ8dJiTau3WcRwO/jsfiDosV9Yfwi4U=,tag:23HlsxeZ4XRm1CLn0eUy0A==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/tests/sops-generator/original/.gitkeep b/tests/sops-generator/original/.gitkeep new file mode 100644 index 0000000..e69de29 
diff --git a/tests/sops-generator/source/secrets.dec.yaml b/tests/sops-generator/source/secrets.dec.yaml
new file mode 100644
index 0000000..a32d7a3
--- /dev/null
+++ b/tests/sops-generator/source/secrets.dec.yaml
@@ -0,0 +1,35 @@
+apiVersion: krmfnbuiltin.kaweezle.com/v1alpha1
+kind: SopsGenerator
+metadata:
+ name: autocloud-secrets
+ annotations:
+ config.kaweezle.com/path: "secrets.yaml"
+ config.kubernetes.io/function: |
+ exec:
+ path: ../../krmfnbuiltin
+data:
+ cloudflare:
+ credentials.json: |
+ {"AccountTag":"6b713ba4794bb6898c335a6e5e964bc0","TunnelSecret":"0rGDN8oqEVFWYvtUxPCckKpEMiM9I4bOuUsDXNXJVinSTHWs","TunnelID":"ca955c21-2606-4a5d-b217-341a3d12755e"}
+ apiKey: 597aa3a9f23465a7a2f133fda2b7fd11e82211df
+ ovh:
+ application_secret: 29s5X1U9YjFeRhjwat0gLIunwcsHKPe4
+ consumer_key: pZzUg3Ux3mig3V50xOpUPK1BgCNK6Dal
+ github:
+ password: ghp_yHlZKZnbqd8uyTWL8LIuixxh8KOKViwTcXWJ
+ webhook_secret: 3AbUHdd35WE4HzYpk53jvzybY9QW4GDY
+ oidc_client_secret: 72d2976fcf260480dc3a2c392ef4a1cecba348a8
+ ssh_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACA4nXPm/isSCn3Jmsj2cqBIRhoZ6ZTegcxgFZhDKJXDTwAAAJgOYygIDmMo
+ CAAAAAtzc2gtZWQyNTUxOQAAACA4nXPm/isSCn3Jmsj2cqBIRhoZ6ZTegcxgFZhDKJXDTw
+ AAAECApDmEpcj6BVxPhdt2ZJB5llYEcGKmapyGXlg/y9Sjejidc+b+KxIKfcmayPZyoEhG
+ GhnplN6BzGAVmEMolcNPAAAAD2FudG9pbmVAbXJ0bi5mcgECAwQFBg==
+ -----END OPENSSH PRIVATE KEY-----
+ sops:
+ age_key.txt: IyBjcmVhdGVkOiAyMDIzLTAxLTE5VDE5OjQxOjQ1WgojIHB1YmxpYyBrZXk6IGFnZTE2Nms4NmQ1NmVqczJ5ZHZheHYyeDN2bDN3YWpueTZsNTJkbGtuY2YyazU4dnp0bmxlY2pzMGc1anFxCkFHRS1TRUNSRVQtS0VZLTE1UktUUFFDQ0xXTTdFSFE4SkVQMFRRTFVXSkFFQ1ZQNzMzMk0zWlAwUkw5UjdKVDdNWjZTWTc5VjhRCg==
+ argocd:
+ admin_password: $2a$10$xdlX460lf/WbJNZU5bBoROj6U7oKgPbEcBrnXaemA6gsCzrAJtQ3y
+ chisel:
+ AUTH: user:password
diff --git a/tests/sourced-replacement/expected/argocd-cm.yaml b/tests/sourced-replacement/expected/argocd-cm.yaml
new file mode 100644
index 0000000..019c5b3
--- /dev/null
+++ b/tests/sourced-replacement/expected/argocd-cm.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ configManagementPlugins: |
+ - name: helmfile
+ generate:
+ command: ["/bin/sh", "-c"]
+ args: ["helmfile --namespace $ARGOCD_APP_NAMESPACE template | sed -e '1,/---/d' | sed -e 's|apiregistration.k8s.io/v1beta1|apiregistration.k8s.io/v1|g'"]
+ timeout.reconciliation: "15s"
+ kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
+ helm.valuesFileSchemes: "secrets+gpg-import, secrets+gpg-import-kubernetes, secrets+age-import, secrets+age-import-kubernetes, secrets, https,http"
+ # resource.exclusions: |
+ # - apiGroups:
+ # - "cert-manager.io"
+ # - "acme.cert-manager.io"
+ # kinds:
+ # - "CertificateRequest"
+ # - "Order"
+ # clusters:
+ # - https://kubernetes.default.svc
+ url: https://citest.holepunch.in
+ dex.config: |
+ connectors:
+ # GitHub example
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: thisisfakeclientid
+ clientSecret: $dex.github.clientSecret
+ loadAllGroups: true
+ teamNameField: slug
+ orgs:
+ - name: thisisfakeorganization
diff --git a/tests/sourced-replacement/functions/argocd-values-replacements.yaml b/tests/sourced-replacement/functions/argocd-values-replacements.yaml
new file mode 100644
index 0000000..49d16d0
--- /dev/null
+++ b/tests/sourced-replacement/functions/argocd-values-replacements.yaml
@@ -0,0 +1,28 @@
+apiVersion: krmfnbuiltin.kaweezle.com/v1alpha1
+kind: ReplacementTransformer
+metadata:
+ name: argocd-values-replacements
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ../../krmfnbuiltin
+source: values/properties.yaml
+replacements:
+ - source:
+ name: autocloud-values
+ fieldPath: data.github.clientID
+ targets:
+ - select:
+ kind: ConfigMap
+ name: argocd-cm
+ fieldPaths:
+ - data.dex\.config.!!yaml.connectors.[id=github].config.clientID
+ - source:
+ name: autocloud-values
+ fieldPath: data.github.organization
+ targets:
+ - select:
+ kind: ConfigMap
+ name: argocd-cm
+ fieldPaths:
+ - data.dex\.config.!!yaml.connectors.[id=github].config.orgs.0.name
diff --git a/tests/sourced-replacement/original/argocd-cm.yaml b/tests/sourced-replacement/original/argocd-cm.yaml
new file mode 100644
index 0000000..5131578
--- /dev/null
+++ b/tests/sourced-replacement/original/argocd-cm.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ configManagementPlugins: |
+ - name: helmfile
+ generate:
+ command: ["/bin/sh", "-c"]
+ args: ["helmfile --namespace $ARGOCD_APP_NAMESPACE template | sed -e '1,/---/d' | sed -e 's|apiregistration.k8s.io/v1beta1|apiregistration.k8s.io/v1|g'"]
+ timeout.reconciliation: "15s"
+ kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
+ helm.valuesFileSchemes: "secrets+gpg-import, secrets+gpg-import-kubernetes, secrets+age-import, secrets+age-import-kubernetes, secrets, https,http"
+ # resource.exclusions: |
+ # - apiGroups:
+ # - "cert-manager.io"
+ # - "acme.cert-manager.io"
+ # kinds:
+ # - "CertificateRequest"
+ # - "Order"
+ # clusters:
+ # - https://kubernetes.default.svc
+ url: https://citest.holepunch.in
+ dex.config: |
+ connectors:
+ # GitHub example
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: a98a3e6e82b3732c1bf2
+ clientSecret: $dex.github.clientSecret
+ loadAllGroups: true
+ teamNameField: slug
+ orgs:
+ - name: johndoe
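Review bot: The `fieldPaths` entries in `argocd-values-replacements.yaml` rely on two path segments that the fixture never explains: the escaped dot in `dex\.config` and the `!!yaml` segment, which presumably tells the transformer to parse the string value as embedded YAML before descending. Add a comment above the first `fieldPaths`, e.g. `# dex\.config is a single key (escaped dot); !!yaml parses its string value as YAML so the remaining segments address fields inside it`. The top-level `source: values/properties.yaml` would benefit from a one-line comment saying what the path is resolved against, which the hunk does not show.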
diff --git a/tests/sourced-replacement/values/properties.yaml b/tests/sourced-replacement/values/properties.yaml new file mode 100644 index 0000000..82fe1a8 --- /dev/null +++ b/tests/sourced-replacement/values/properties.yaml @@ -0,0 +1,11 @@ +apiVersion: autocloud.config.kaweezle.com/v1alpha1 +kind: PlatformValues +metadata: + name: autocloud-values +data: + github: + organization: thisisfakeorganization + repository: autocloud + repo: antoinemartin/autocloud + email: john@doe.me + clientID: thisisfakeclientid diff --git a/tests/test_krmfnbuiltin.sh b/tests/test_krmfnbuiltin.sh index 3155d22..208fded 100755 --- a/tests/test_krmfnbuiltin.sh +++ b/tests/test_krmfnbuiltin.sh @@ -9,6 +9,15 @@ set -e pipefail trap "find . -type d -name 'applications' -exec rm -rf {} +" EXIT +export SOPS_AGE_KEY=$(cat - <