use secure value in ACI for secrets (#276)
* use secure value in ACI for secrets * add tests for env variable conversion
committed by
Robbie Zhang
parent
ef6ae9ecf4
commit
13fbd5c38e
@@ -676,10 +676,8 @@ func (p *ACIProvider) getContainers(pod *v1.Pod) ([]aci.Container, error) {
|
||||
|
||||
c.EnvironmentVariables = make([]aci.EnvironmentVariable, 0, len(container.Env))
|
||||
for _, e := range container.Env {
|
||||
c.EnvironmentVariables = append(c.EnvironmentVariables, aci.EnvironmentVariable{
|
||||
Name: e.Name,
|
||||
Value: e.Value,
|
||||
})
|
||||
envVar := getACIEnvVar(e)
|
||||
c.EnvironmentVariables = append(c.EnvironmentVariables, envVar)
|
||||
}
|
||||
|
||||
// NOTE(robbiezhang): ACI CPU request must be times of 10m
|
||||
@@ -1058,3 +1056,20 @@ func filterServiceAccountSecretVolume(osType string, containerGroup *aci.Contain
|
||||
containerGroup.ContainerGroupProperties.Volumes = volumes
|
||||
}
|
||||
}
|
||||
|
||||
func getACIEnvVar(e v1.EnvVar) aci.EnvironmentVariable {
|
||||
var envVar aci.EnvironmentVariable
|
||||
// If the variable is a secret, use SecureValue
|
||||
if e.ValueFrom.SecretKeyRef != nil {
|
||||
envVar = aci.EnvironmentVariable{
|
||||
Name: e.Name,
|
||||
SecureValue: e.Value,
|
||||
}
|
||||
} else {
|
||||
envVar = aci.EnvironmentVariable{
|
||||
Name: e.Name,
|
||||
Value: e.Value,
|
||||
}
|
||||
}
|
||||
return envVar
|
||||
}
|
||||
|
||||
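Review bot: In getACIEnvVar the condition `e.ValueFrom.SecretKeyRef != nil` dereferences `e.ValueFrom` without checking it for nil. `ValueFrom` is a pointer (`*v1.EnvVarSource`) and stays nil for any variable declared with a literal `value`, so the new call in getContainers would panic on the most common kind of environment variable. Guard it with `if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {`. Separately, the secret branch copies `e.Value` into `SecureValue`. This hunk does not show whether a secret-backed variable already carries its resolved value in `e.Value` when it reaches this function, so that is worth confirming; if it does not, the container would receive an empty secret.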
@@ -363,6 +363,58 @@ func TestGetPodWithoutResourceRequestsLimits(t *testing.T) {
|
||||
"Containers[0].Resources.Requests.Memory doesn't match")
|
||||
}
|
||||
|
||||
func TestPodToACISecretEnvVar(t *testing.T) {
|
||||
|
||||
testKey := "testVar"
|
||||
testVal := "testVal"
|
||||
|
||||
e := v1.EnvVar{
|
||||
Name: testKey,
|
||||
Value: testVal,
|
||||
ValueFrom: &v1.EnvVarSource{
|
||||
SecretKeyRef: &v1.SecretKeySelector{},
|
||||
},
|
||||
}
|
||||
aciEnvVar := getACIEnvVar(e)
|
||||
|
||||
if aciEnvVar.Value != "" {
|
||||
t.Fatalf("ACI Env Variable Value should be empty for a secret")
|
||||
}
|
||||
|
||||
if aciEnvVar.Name != testKey {
|
||||
t.Fatalf("ACI Env Variable Name does not match expected Name")
|
||||
}
|
||||
|
||||
if aciEnvVar.SecureValue != testVal {
|
||||
t.Fatalf("ACI Env Variable Secure Value does not match expected value")
|
||||
}
|
||||
}
|
||||
|
||||
func TestPodToACIEnvVar(t *testing.T) {
|
||||
|
||||
testKey := "testVar"
|
||||
testVal := "testVal"
|
||||
|
||||
e := v1.EnvVar{
|
||||
Name: testKey,
|
||||
Value: testVal,
|
||||
ValueFrom: &v1.EnvVarSource{},
|
||||
}
|
||||
aciEnvVar := getACIEnvVar(e)
|
||||
|
||||
if aciEnvVar.SecureValue != "" {
|
||||
t.Fatalf("ACI Env Variable Secure Value should be empty for non-secret variables")
|
||||
}
|
||||
|
||||
if aciEnvVar.Name != testKey {
|
||||
t.Fatalf("ACI Env Variable Name does not match expected Name")
|
||||
}
|
||||
|
||||
if aciEnvVar.Value != testVal {
|
||||
t.Fatalf("ACI Env Variable Value does not match expected value")
|
||||
}
|
||||
}
|
||||
|
||||
func prepareMocks() (*AADMock, *ACIMock, *ACIProvider, error) {
|
||||
aadServerMocker := NewAADMock()
|
||||
aciServerMocker := NewACIMock()
|
||||
|
||||
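Review bot: Both new tests construct the `v1.EnvVar` with a non-nil `ValueFrom`, so the ordinary literal form, `v1.EnvVar{Name: testKey, Value: testVal}` with `ValueFrom` left nil, is never passed to getACIEnvVar. That is the input most pod specs produce, and it is the one where the helper's `e.ValueFrom.SecretKeyRef` access is unsafe. Add a third case for it that expects `Value == testVal` and an empty `SecureValue`. The `t.Fatalf` calls take no format arguments and can be `t.Fatal`. prepareMocks at the end of this hunk continues outside it.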