From 13fbd5c38e699df085029a3da76d3c5468f80839 Mon Sep 17 00:00:00 2001
From: Rohan Chakravarthy
Date: Mon, 30 Jul 2018 11:44:41 -0700
Subject: [PATCH] use secure value in ACI for secrets (#276)
* use secure value in ACI for secrets
* add tests for env variable conversion
---
providers/azure/aci.go | 23 +++++++++++++---
providers/azure/aci_test.go | 52 +++++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/providers/azure/aci.go b/providers/azure/aci.go
index 58b533979..fc13c318e 100644
--- a/providers/azure/aci.go
+++ b/providers/azure/aci.go
@@ -676,10 +676,8 @@ func (p *ACIProvider) getContainers(pod *v1.Pod) ([]aci.Container, error) {
 c.EnvironmentVariables = make([]aci.EnvironmentVariable, 0, len(container.Env))
 for _, e := range container.Env {
- c.EnvironmentVariables = append(c.EnvironmentVariables, aci.EnvironmentVariable{
- Name: e.Name,
- Value: e.Value,
- })
+ envVar := getACIEnvVar(e)
+ c.EnvironmentVariables = append(c.EnvironmentVariables, envVar)
 }
 // NOTE(robbiezhang): ACI CPU request must be times of 10m
@@ -1058,3 +1056,20 @@ func filterServiceAccountSecretVolume(osType string, containerGroup *aci.Contain
 containerGroup.ContainerGroupProperties.Volumes = volumes
 }
 }
+
+func getACIEnvVar(e v1.EnvVar) aci.EnvironmentVariable {
+ var envVar aci.EnvironmentVariable
+ // If the variable is a secret, use SecureValue
+ if e.ValueFrom.SecretKeyRef != nil {
+ envVar = aci.EnvironmentVariable{
+ Name: e.Name,
+ SecureValue: e.Value,
+ }
+ } else {
+ envVar = aci.EnvironmentVariable{
+ Name: e.Name,
+ Value: e.Value,
+ }
+ }
+ return envVar
+}
diff --git a/providers/azure/aci_test.go b/providers/azure/aci_test.go
index 81d7e3722..a71e5101e 100644
--- a/providers/azure/aci_test.go
+++ b/providers/azure/aci_test.go
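Review bot: In the new getACIEnvVar, `if e.ValueFrom.SecretKeyRef != nil` dereferences `e.ValueFrom` unconditionally, but `ValueFrom` on a Kubernetes `v1.EnvVar` is a pointer that is nil for every plain `Value` entry, so the first literal-valued env var reaching the call site in getContainers will panic the provider; guard both, `if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {`. The function also copies `e.Value` into `SecureValue`, which only works if the secret's content has already been resolved into `e.Value` before this conversion runs; that resolution is not visible in this patch, so either it happens upstream and deserves a comment such as `// assumes secret-backed env vars already carry the resolved value in e.Value`, or SecureValue is being sent empty to ACI. Other `ValueFrom` sources (ConfigMapKeyRef, FieldRef, ResourceFieldRef) fall into the else branch and are passed as a plain `Value`, which is presumably intended but worth stating in the same comment. The enclosing loop in getContainers starts and ends outside the first hunk.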
@@ -363,6 +363,58 @@ func TestGetPodWithoutResourceRequestsLimits(t *testing.T) {
 "Containers[0].Resources.Requests.Memory doesn't match")
 }
+func TestPodToACISecretEnvVar(t *testing.T) {
+
+ testKey := "testVar"
+ testVal := "testVal"
+
+ e := v1.EnvVar{
+ Name: testKey,
+ Value: testVal,
+ ValueFrom: &v1.EnvVarSource{
+ SecretKeyRef: &v1.SecretKeySelector{},
+ },
+ }
+ aciEnvVar := getACIEnvVar(e)
+
+ if aciEnvVar.Value != "" {
+ t.Fatalf("ACI Env Variable Value should be empty for a secret")
+ }
+
+ if aciEnvVar.Name != testKey {
+ t.Fatalf("ACI Env Variable Name does not match expected Name")
+ }
+
+ if aciEnvVar.SecureValue != testVal {
+ t.Fatalf("ACI Env Variable Secure Value does not match expected value")
+ }
+}
+
+func TestPodToACIEnvVar(t *testing.T) {
+
+ testKey := "testVar"
+ testVal := "testVal"
+
+ e := v1.EnvVar{
+ Name: testKey,
+ Value: testVal,
+ ValueFrom: &v1.EnvVarSource{},
+ }
+ aciEnvVar := getACIEnvVar(e)
+
+ if aciEnvVar.SecureValue != "" {
+ t.Fatalf("ACI Env Variable Secure Value should be empty for non-secret variables")
+ }
+
+ if aciEnvVar.Name != testKey {
+ t.Fatalf("ACI Env Variable Name does not match expected Name")
+ }
+
+ if aciEnvVar.Value != testVal {
+ t.Fatalf("ACI Env Variable Value does not match expected value")
+ }
+}
+
 func prepareMocks() (*AADMock, *ACIMock, *ACIProvider, error) {
 aadServerMocker := NewAADMock()
 aciServerMocker := NewACIMock()
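Review bot: TestPodToACIEnvVar builds its non-secret input with `ValueFrom: &v1.EnvVarSource{}`, which is not how a literal-valued env var normally arrives from a pod spec — there `ValueFrom` is simply nil — so the new tests never cover the nil-ValueFrom case, which is exactly the one that would dereference a nil pointer in getACIEnvVar as written. A third test that leaves `ValueFrom` unset and asserts the plain-value mapping would pin that path and fail loudly if the guard is missing. As a point of style, the `t.Fatalf` calls take no format arguments and can be `t.Fatal`, and the two existing tests could share a table since they differ only in the input and which field is expected to be populated.
```go
func TestPodToACIEnvVarNilValueFrom(t *testing.T) {
	e := v1.EnvVar{
		Name:  "testVar",
		Value: "testVal",
		// ValueFrom intentionally nil: the common literal-value case
	}
	aciEnvVar := getACIEnvVar(e)

	if aciEnvVar.Name != "testVar" || aciEnvVar.Value != "testVal" {
		t.Fatalf("plain env var not mapped to Name/Value: %+v", aciEnvVar)
	}
	if aciEnvVar.SecureValue != "" {
		t.Fatal("SecureValue should be empty for a plain env var")
	}
}
```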