Merge pull request #170 from mmorejon/add-volumes-projected-detection

Add volumes projected detection

Author: jillianwilson

pkg/onepassword/deployments_test.go

@@ -9,18 +9,30 @@ import (
 
 func TestIsDeploymentUsingSecretsUsingVolumes(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
-		"onepassword-api-key":         {},
+		"onepassword-database-secret":  {},
+		"onepassword-api-key":          {},
+		"onepassword-app-token":        {},
+		"onepassword-user-credentials": {},
 	}
 
 	volumeSecretNames := []string{
 		"onepassword-database-secret",
 		"onepassword-api-key",
-		"some_other_key",
 	}
 
+	volumes := generateVolumes(volumeSecretNames)
+
+	volumeProjectedSecretNames := []string{
+		"onepassword-app-token",
+		"onepassword-user-credentials",
+	}
+
+	volumeProjected := generateVolumesProjected(volumeProjectedSecretNames)
+
+	volumes = append(volumes, volumeProjected)
+
 	deployment := &appsv1.Deployment{}
-	deployment.Spec.Template.Spec.Volumes = generateVolumes(volumeSecretNames)
+	deployment.Spec.Template.Spec.Volumes = volumes
 	if !IsDeploymentUsingSecrets(deployment, secretNamesToSearch) {
 		t.Errorf("Expected that deployment was using secrets but they were not detected.")
 	}

pkg/onepassword/object_generators_for_test.go

@@ -17,6 +17,29 @@ func generateVolumes(names []string) []corev1.Volume {
 	}
 	return volumes
 }
+func generateVolumesProjected(names []string) corev1.Volume {
+	volumesProjection := []corev1.VolumeProjection{}
+	for i := 0; i < len(names); i++ {
+		volumeProjection := corev1.VolumeProjection{
+			Secret: &corev1.SecretProjection{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: names[i],
+				},
+			},
+		}
+		volumesProjection = append(volumesProjection, volumeProjection)
+	}
+	volume := corev1.Volume{
+		Name: "someName",
+		VolumeSource: corev1.VolumeSource{
+			Projected: &corev1.ProjectedVolumeSource{
+				Sources: volumesProjection,
+			},
+		},
+	}
+
+	return volume
+}
 func generateContainersWithSecretRefsFromEnv(names []string) []corev1.Container {
 	containers := []corev1.Container{}
 	for i := 0; i < len(names); i++ {

pkg/onepassword/volumes.go

@@ -4,26 +4,55 @@ import corev1 "k8s.io/api/core/v1"
 
 func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret) bool {
 	for i := 0; i < len(volumes); i++ {
-		if secret := volumes[i].Secret; secret != nil {
-			secretName := secret.SecretName
-			_, ok := secrets[secretName]
-			if ok {
-				return true
-			}
+		secret := IsVolumeUsingSecret(volumes[i], secrets)
+		secretProjection := IsVolumeUsingSecretProjection(volumes[i], secrets)
+		if secret == nil && secretProjection == nil {
+			return false
 		}
 	}
-	return false
+	if len(volumes) == 0 {
+		return false
+	}
+	return true
 }
 
 func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret {
 	for i := 0; i < len(volumes); i++ {
-		if secret := volumes[i].Secret; secret != nil {
-			secretName := secret.SecretName
-			secret, ok := secrets[secretName]
-			if ok {
-				updatedDeploymentSecrets[secret.Name] = secret
+		secret := IsVolumeUsingSecret(volumes[i], secrets)
+		if secret != nil {
+			updatedDeploymentSecrets[secret.Name] = secret
+		} else {
+			secretProjection := IsVolumeUsingSecretProjection(volumes[i], secrets)
+			if secretProjection != nil {
+				updatedDeploymentSecrets[secretProjection.Name] = secretProjection
 			}
 		}
 	}
 	return updatedDeploymentSecrets
 }
+
+func IsVolumeUsingSecret(volume corev1.Volume, secrets map[string]*corev1.Secret) *corev1.Secret {
+	if secret := volume.Secret; secret != nil {
+		secretName := secret.SecretName
+		secretFound, ok := secrets[secretName]
+		if ok {
+			return secretFound
+		}
+	}
+	return nil
+}
+
+func IsVolumeUsingSecretProjection(volume corev1.Volume, secrets map[string]*corev1.Secret) *corev1.Secret {
+	if volume.Projected != nil {
+		for i := 0; i < len(volume.Projected.Sources); i++ {
+			if secret := volume.Projected.Sources[i].Secret; secret != nil {
+				secretName := secret.Name
+				secretFound, ok := secrets[secretName]
+				if ok {
+					return secretFound
+				}
+			}
+		}
+	}
+	return nil
+}

pkg/onepassword/volumes_test.go

@@ -8,18 +8,28 @@ import (
 
 func TestAreVolmesUsingSecrets(t *testing.T) {
 	secretNamesToSearch := map[string]*corev1.Secret{
-		"onepassword-database-secret": {},
-		"onepassword-api-key":         {},
+		"onepassword-database-secret":  {},
+		"onepassword-api-key":          {},
+		"onepassword-app-token":        {},
+		"onepassword-user-credentials": {},
 	}
 
 	volumeSecretNames := []string{
 		"onepassword-database-secret",
 		"onepassword-api-key",
-		"some_other_key",
 	}
 
 	volumes := generateVolumes(volumeSecretNames)
 
+	volumeProjectedSecretNames := []string{
+		"onepassword-app-token",
+		"onepassword-user-credentials",
+	}
+
+	volumeProjected := generateVolumesProjected(volumeProjectedSecretNames)
+
+	volumes = append(volumes, volumeProjected)
+
 	if !AreVolumesUsingSecrets(volumes, secretNamesToSearch) {
 		t.Errorf("Expected that volumes were using secrets but they were not detected.")
 	}