// Copyright 2019 The Kubernetes Authors.
// SPDX-License-Identifier: Apache-2.0
package main_test
import (
"testing"
"sigs.k8s.io/kustomize/v3/pkg/kusttest"
"sigs.k8s.io/kustomize/v3/pkg/plugins"
)
/*
# Writing a portable test for sops is problematic,
# because sops decryption needs access to a private
# key in some form (here a GCP KMS key reachable with
# local credentials), and these tests need to run
# anywhere and don't use a real file system. Need to
# revisit this; maybe we can stick the private key in
# an ENV var (still a secret -- scope it to CI) and
# use GPG instead of gcp_kms?
# To try this plugin by itself with real data
# in Google cloud kms, do the following:
gcloud kms keyrings create sops --location global
gcloud kms keys create sops-key --location global \
--keyring sops --purpose encryption
gcloud kms keys list --location global --keyring sops
project=$(\
gcloud kms keys list --location global --keyring sops |\
grep GOOGLE | cut -d" " -f1)
echo $project
# Consider pinning the sops release the fixture was made with
# (3.3.1, see the sops.version field below) rather than
# fetching whatever is latest with -u.
go get -u go.mozilla.org/sops/cmd/sops
cat <<'EOF' >/tmp/sec_clear.yaml
VEGETABLE: carrot
ROCKET: saturn-v
FRUIT: apple
CAR: dymaxion
EOF
# Put the output of the following command into
# the encodedFileContent constant below. The checked-in
# copy has the KMS-wrapped data key (enc) and the mac
# elided, so sops cannot decrypt it as-is:
sops --encrypt --gcp-kms $project /tmp/sec_clear.yaml
*/
// TestSopsEncodedSecretsPlugin builds the SopsEncodedSecrets generator
// plugin, hands it a sops-encrypted file plus a generator config that selects
// two of the four keys, and checks that the emitted Secret holds only those
// two keys. The Secret's data values are base64 of the plaintext (as the
// Secret format requires) -- base64 is encoding, not encryption.
//
// NOTE(review): the checked-in fixture has its KMS-wrapped data key (enc) and
// its mac elided, so it cannot be decrypted against a real GCP KMS key; see
// the file comment above for how it was produced.
func TestSopsEncodedSecretsPlugin(t *testing.T) {
	// Generator config: only ROCKET and CAR are requested, so VEGETABLE and
	// FRUIT must not leak into the generated Secret.
	const generatorConfig = `
apiVersion: someteam.example.com/v1
kind: SopsEncodedSecrets
metadata:
  name: mySecretGenerator
name: forbiddenValues
namespace: production
file: mySecrets.yaml
keys:
- ROCKET
- CAR
`
	// Expected Secret: base64("dymaxion") and base64("saturn-v").
	const expectedSecret = `
apiVersion: v1
data:
  CAR: ZHltYXhpb24=
  ROCKET: c2F0dXJuLXY=
kind: Secret
metadata:
  name: forbiddenValues
  namespace: production
type: Opaque
`
	// sops output for /tmp/sec_clear.yaml (see the file comment); the KMS
	// project, the wrapped data key and the mac are elided for the test.
	const encodedFileContent = `
VEGETABLE: ENC[AES256_GCM,data:9mKo4gCm,iv:nkhvWPDbMkDeLXAhTxQOsCaz3ACAx4VS9CLR3tGe5zI=,tag:KIY4z/eE3DFnKHbHHB0ytQ==,type:str]
ROCKET: ENC[AES256_GCM,data:6C7vnZYkh+Q=,iv:66/EAqulH7OtMMvSyMZSL5ZbktEm4Yj5S7g/Zb+XgUk=,tag:yEaxZs57fKn7Uebk+ouDDw==,type:str]
FRUIT: ENC[AES256_GCM,data:2a/KQxA=,iv:7GmWqc6uA6h539DQVpGq8m0WZLAUi9jzZ6iQAnDEY0s=,tag:ItvY4ziCEW3yNLo/YKMxnw==,type:str]
CAR: ENC[AES256_GCM,data:SZFq30w5NZE=,iv:paZ+ghcYoIVIvuGvKP6K6+K7hIgS/l3KgoBxjzjIBHs=,tag:iNL2kvYMppDRXuybmsUFRw==,type:str]
sops:
  kms: []
  gcp_kms:
  - resource_id: projects/__ELIDED_FOR_KUSTOMIZE_TEST__/locations/global/keyRings/sops/cryptoKeys/sops-key
    created_at: '2019-06-19T22:32:52Z'
    enc: __ELIDED_FOR_KUSTOMIZE_TEST__=
  azure_kv: []
  lastmodified: '2019-06-19T22:32:52Z'
  mac: ENC[AES256_GCM,data:__ELIDED_FOR_KUSTOMIZE_TEST__:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.3.1
`

	// Compile the Go plugin into the test plugin environment; Reset restores
	// whatever Set changed once the test is done.
	pluginEnv := plugins.NewEnvForTest(t).Set()
	defer pluginEnv.Reset()
	pluginEnv.BuildGoPlugin(
		"someteam.example.com", "v1", "SopsEncodedSecrets")

	// The harness uses an in-memory file system rooted at /app, so the
	// fixture is written there under the name the generator config refers to.
	harness := kusttest_test.NewKustTestPluginHarness(t, "/app")
	harness.WriteF("/app/mySecrets.yaml", encodedFileContent)

	generated := harness.LoadAndRunGenerator(generatorConfig)
	harness.AssertActualEqualsExpected(generated, expectedSecret)
}