feat: [MEC-1478] fix tests

Author: ContentfulCormac

controllers/syncedsecret_controller.go

@@ -101,42 +101,42 @@ func (r *SyncedSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	log = log.WithValues(LogFieldK8SSecret, K8SSecretName.String())
 
 	if cs.Spec.AWSAccountID != nil {
-		// IAMRole := fmt.Sprintf("arn:aws:iam::%s:role/secret-syncer", *cs.Spec.AWSAccountID)
-		// var secretRef *string // secretID of the secret in secret Manager
+		IAMRole := fmt.Sprintf("arn:aws:iam::%s:role/secret-syncer", *cs.Spec.AWSAccountID)
+		var secretRef *string // secretID of the secret in secret Manager
 
 		// We need to check each secret in Data and DataFrom to see if they are allowed in the namespace
-		// if cs.Spec.DataFrom != nil {
-		// 	if cs.Spec.DataFrom.SecretRef != nil {
-		// 		secretRef = cs.Spec.DataFrom.SecretRef.Name
-		// 		if secretRef == nil {
-		// 			return ctrl.Result{}, errors.WithMessagef(err, "secretRef name is invalid %s", *secretRef)
-		// 		}
-
-		// 		allowed, err := r.secretAllowedInNamespace(*secretRef, IAMRole, cs.Namespace, cs.Name)
-
-		// 		if !allowed || err != nil {
-		// 			return ctrl.Result{}, errors.WithMessagef(err, "failed to validate if secret %s with role %s is allowed in namespace %s", *secretRef, IAMRole, cs.Namespace)
-		// 		}
-		// 	}
-
-		// }
-
-		// if cs.Spec.Data != nil {
-		// 	for _, field := range cs.Spec.Data {
-		// 		if field.ValueFrom.SecretRef != nil {
-		// 			secretRef = field.ValueFrom.SecretKeyRef.Name
-		// 			if secretRef == nil {
-		// 				return ctrl.Result{}, errors.WithMessagef(err, "secretRef name is invalid %s", *secretRef)
-		// 			}
-
-		// 			allowed, err := r.secretAllowedInNamespace(*secretRef, IAMRole, cs.Namespace, cs.Name)
-
-		// 			if !allowed || err != nil {
-		// 				return ctrl.Result{}, errors.WithMessagef(err, "failed to validate if secret %s with role %s is allowed in namespace %s", *secretRef, IAMRole, cs.Namespace)
-		// 			}
-		// 		}
-		// 	}
-		// }
+		if cs.Spec.DataFrom != nil {
+			if cs.Spec.DataFrom.SecretRef != nil {
+				secretRef = cs.Spec.DataFrom.SecretRef.Name
+				if secretRef == nil {
+					return ctrl.Result{}, errors.WithMessagef(err, "secretRef name is invalid %s", *secretRef)
+				}
+
+				allowed, err := r.secretAllowedInNamespace(*secretRef, IAMRole, cs.Namespace, cs.Name)
+
+				if !allowed || err != nil {
+					return ctrl.Result{}, errors.WithMessagef(err, "failed to validate if secret %s with role %s is allowed in namespace %s", *secretRef, IAMRole, cs.Namespace)
+				}
+			}
+
+		}
+
+		if cs.Spec.Data != nil {
+			for _, field := range cs.Spec.Data {
+				if field.ValueFrom.SecretRef != nil {
+					secretRef = field.ValueFrom.SecretKeyRef.Name
+					if secretRef == nil {
+						return ctrl.Result{}, errors.WithMessagef(err, "secretRef name is invalid %s", *secretRef)
+					}
+
+					allowed, err := r.secretAllowedInNamespace(*secretRef, IAMRole, cs.Namespace, cs.Name)
+
+					if !allowed || err != nil {
+						return ctrl.Result{}, errors.WithMessagef(err, "failed to validate if secret %s with role %s is allowed in namespace %s", *secretRef, IAMRole, cs.Namespace)
+					}
+				}
+			}
+		}
 
 	} else {
 		allowed, err := r.RoleValidator.IsWhitelisted(*cs.Spec.IAMRole, cs.Namespace)

controllers/syncedsecret_controller_test.go

@@ -2,8 +2,6 @@ package controllers
 
 import (
 	"context"
-	"encoding/base64"
-	"fmt"
 	"reflect"
 	"time"
 
@@ -219,9 +217,8 @@ var _ = Describe("SyncedSecret Controller", func() {
 		})
 	})
 
-	Context("For a single SyncedSecret", func() {
+	Context("For a single SyncedSecret with AWSAccountID", func() {
 		// TODO do a test for DataFrom as well
-		// TODO do a test for update secret with new way
 		secretKey := types.NamespacedName{
 			Name:      "another-secret-name",
 			Namespace: TEST_NAMESPACE2,
@@ -281,33 +278,17 @@ var _ = Describe("SyncedSecret Controller", func() {
 					"DB_PASS": []byte("cupofcoffee"),
 				},
 			}
-			// Expect(k8sClient.Create(context.Background(), toCreate)).Should(Succeed())
 			err := k8sClient.Create(context.Background(), toCreate)
 			Expect(err).ToNot(HaveOccurred())
-			// Expect(func() bool {
-			// 	return true
-			// }).Should(Succeed())
 
 			fetchedSecret := &corev1.Secret{}
 			Eventually(func() bool {
 				err := k8sClient.Get(context.Background(), secretKey, fetchedSecret)
-				// Expect(err).ToNot(HaveOccurred())
 				return k8serrors.IsNotFound(err)
 			}, timeout, interval).Should(BeFalse())
 
 			// we need to ensure that that secretExpect.Data is a subset of fetchedSecret.Data
 			// the kubernetes client.go doesn't base64 values this is something that kubectl maybe does
-			for k, v := range fetchedSecret.Data {
-				decoded, _ := base64.StdEncoding.DecodeString(string(v))
-				fmt.Printf("fetchedSecret.Data[%s]: %s\n", k, decoded)
-				fmt.Printf("fetchedSecret.Data1[%s]: %s\n", k, v)
-			}
-			for k, v := range secretExpect.Data {
-				decoded, _ := base64.StdEncoding.DecodeString(string(v))
-				fmt.Printf("secretExpect.Data[%s]: %s\n", k, decoded)
-				fmt.Printf("secretExpect.Data1[%s]: %s\n", k, v)
-			}
-			//fmt.Printf("secretExpect.Data: %v\n", secretExpect.Data)
 			Expect(reflect.DeepEqual(fetchedSecret.Data, secretExpect.Data)).To(BeTrue())
 
 			fetchedCfSecret := &secretsv1.SyncedSecret{}
@@ -316,5 +297,122 @@ var _ = Describe("SyncedSecret Controller", func() {
 			resourceVersion = fetchedCfSecret.ResourceVersion
 
 		})
+
+		It("Should update k8s secret object if there is change in AwsSecret CRD with AWSAccountID", func() {
+			MockSecretsOutput.SecretsValueOutput = &secretsmanager.GetSecretValueOutput{
+				SecretString: _s(`{"database_name":"secretDB","database_pass":"cupofcoffee", "database_name1":"secretDB02"}`),
+				VersionId:    _s(`005`),
+			}
+			toUpdate := &secretsv1.SyncedSecret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:            secretKey.Name,
+					Namespace:       secretKey.Namespace,
+					ResourceVersion: resourceVersion,
+				},
+				Spec: secretsv1.SyncedSecretSpec{
+					SecretMetadata: metav1.ObjectMeta{
+						Name:      secretKey.Name,
+						Namespace: secretKey.Namespace,
+					},
+					IAMRole:      _s("test"),
+					AWSAccountID: _s("12345678910"),
+					Data: []*secretsv1.SecretField{
+						{
+							Name: _s("DB_NAME"),
+							ValueFrom: &secretsv1.ValueFrom{
+								SecretKeyRef: &secretsv1.SecretKeyRef{
+									Name: _s("random/aws/secret003"),
+									Key:  _s("database_name1"),
+								},
+							},
+						},
+						{
+							Name: _s("DB_PASS"),
+							ValueFrom: &secretsv1.ValueFrom{
+								SecretKeyRef: &secretsv1.SecretKeyRef{
+									Name: _s("random/aws/secret003"),
+									Key:  _s("database_pass"),
+								},
+							},
+						},
+					},
+				},
+			}
+
+			secretExpect := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretKey.Name,
+					Namespace: secretKey.Namespace,
+				},
+				Type: "Opaque",
+				Data: map[string][]byte{
+					"DB_NAME": []byte("secretDB02"),
+					"DB_PASS": []byte("cupofcoffee"),
+				},
+			}
+
+			Expect(k8sClient.Update(context.Background(), toUpdate)).Should(Succeed())
+
+			fetchedSecret := &corev1.Secret{}
+			Eventually(func() bool {
+				k8sClient.Get(context.Background(), secretKey, fetchedSecret)
+				return reflect.DeepEqual(fetchedSecret.Data, secretExpect.Data)
+			}, timeout, interval).Should(BeTrue())
+
+			fetchedCfSecret := &secretsv1.SyncedSecret{}
+			err := k8sClient.Get(context.Background(), secretKey, fetchedCfSecret)
+			Expect(err).ToNot(HaveOccurred())
+			resourceVersion = fetchedCfSecret.ResourceVersion
+		})
+
+		It("Should update the k8s secret object if the mapped AWS Secret changes with AWSAccountID", func() {
+			MockSecretsOutput.SecretsValueOutput = &secretsmanager.GetSecretValueOutput{
+				SecretString: _s(`{"database_pass":"cupoftea", "database_name1":"secretDB02"}`),
+				VersionId:    _s(`006`),
+			}
+
+			MockSecretsOutput.SecretsPageOutput = &secretsmanager.ListSecretsOutput{
+				SecretList: []*secretsmanager.SecretListEntry{
+					{
+						Name:            _s("random/aws/secret003"),
+						LastChangedDate: _t(time_now.AddDate(0, 0, -2)),
+						SecretVersionsToStages: map[string][]*string{
+							"002": []*string{
+								_s("AWSCURRENT"),
+							},
+						},
+					}, {
+						Name:            _s("random/aws/secret003"),
+						LastChangedDate: _t(time_now.AddDate(0, 0, -1)),
+						SecretVersionsToStages: map[string][]*string{
+							"005": {
+								_s("AWSPREVIOUS"),
+							},
+							"006": {
+								_s("AWSCURRENT"),
+							},
+						},
+					},
+				},
+			}
+
+			secretExpect := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      secretKey.Name,
+					Namespace: secretKey.Namespace,
+				},
+				Type: "Opaque",
+				Data: map[string][]byte{
+					"DB_NAME": []byte("secretDB02"),
+					"DB_PASS": []byte("cupoftea"),
+				},
+			}
+
+			fetchedSecret := &corev1.Secret{}
+			Eventually(func() bool {
+				k8sClient.Get(context.Background(), secretKey, fetchedSecret)
+				return reflect.DeepEqual(fetchedSecret.Data, secretExpect.Data)
+			}, timeout, interval).Should(BeTrue())
+		})
 	})
 })