2016-11-10 22:33:06 +00:00
/ *
Copyright 2014 The Kubernetes Authors .
Licensed under the Apache License , Version 2.0 ( the "License" ) ;
you may not use this file except in compliance with the License .
You may obtain a copy of the License at
http : //www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing , software
distributed under the License is distributed on an "AS IS" BASIS ,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
See the License for the specific language governing permissions and
limitations under the License .
* /
package common
import (
"fmt"
"path"
2017-06-22 18:24:23 +00:00
"k8s.io/api/core/v1"
2016-11-10 22:33:06 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/kubernetes/test/e2e/framework"
2018-08-14 13:37:40 +00:00
imageutils "k8s.io/kubernetes/test/utils/image"
2016-11-10 22:33:06 +00:00
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
2018-09-25 00:44:00 +00:00
var _ = Describe ( "[sig-storage] Projected secret" , func ( ) {
2016-11-10 22:33:06 +00:00
f := framework . NewDefaultFramework ( "projected" )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Projected Volume , Secrets , volume mode default
Description : A Pod is created with a projected volume source ‘ secret ’ to store a secret with a specified key with default permission mode . Pod MUST be able to read the content of the key successfully and the mode MUST be - rw - r -- r -- by default .
2017-10-25 06:34:42 +00:00
* /
2018-05-22 01:09:33 +00:00
framework . ConformanceIt ( "should be consumable from pods in volume [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
doProjectedSecretE2EWithoutMapping ( f , nil /* default mode */ , "projected-secret-test-" + string ( uuid . NewUUID ( ) ) , nil , nil )
} )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Projected Volume , Secrets , volume mode 0400
Description : A Pod is created with a projected volume source ‘ secret ’ to store a secret with a specified key with permission mode set to 0x400 on the Pod . Pod MUST be able to read the content of the key successfully and the mode MUST be - r — - — — — — — .
2019-01-23 03:05:50 +00:00
This test is marked LinuxOnly since Windows does not support setting specific file permissions .
2017-10-25 06:34:42 +00:00
* /
2019-01-23 03:05:50 +00:00
framework . ConformanceIt ( "should be consumable from pods in volume with defaultMode set [LinuxOnly] [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
defaultMode := int32 ( 0400 )
doProjectedSecretE2EWithoutMapping ( f , & defaultMode , "projected-secret-test-" + string ( uuid . NewUUID ( ) ) , nil , nil )
} )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Project Volume , Secrets , non - root , custom fsGroup
Description : A Pod is created with a projected volume source ‘ secret ’ to store a secret with a specified key . The volume has permission mode set to 0440 , fsgroup set to 1001 and user set to non - root uid of 1000. Pod MUST be able to read the content of the key successfully and the mode MUST be - r — - r — — — — - .
2019-01-23 03:05:50 +00:00
This test is marked LinuxOnly since Windows does not support setting specific file permissions , or running as UID / GID .
2017-10-25 06:34:42 +00:00
* /
2019-01-23 03:05:50 +00:00
framework . ConformanceIt ( "should be consumable from pods in volume as non-root with defaultMode and fsGroup set [LinuxOnly] [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
defaultMode := int32 ( 0440 ) /* setting fsGroup sets mode to at least 440 */
2017-06-21 07:13:36 +00:00
fsGroup := int64 ( 1001 )
uid := int64 ( 1000 )
2016-11-10 22:33:06 +00:00
doProjectedSecretE2EWithoutMapping ( f , & defaultMode , "projected-secret-test-" + string ( uuid . NewUUID ( ) ) , & fsGroup , & uid )
} )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Projected Volume , Secrets , mapped
Description : A Pod is created with a projected volume source ‘ secret ’ to store a secret with a specified key with default permission mode . The secret is also mapped to a custom path . Pod MUST be able to read the content of the key successfully and the mode MUST be - r — - — — — — — — on the mapped volume .
2017-10-25 06:34:42 +00:00
* /
2018-05-22 01:09:33 +00:00
framework . ConformanceIt ( "should be consumable from pods in volume with mappings [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
doProjectedSecretE2EWithMapping ( f , nil )
} )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Projected Volume , Secrets , mapped , volume mode 0400
Description : A Pod is created with a projected volume source ‘ secret ’ to store a secret with a specified key with permission mode set to 0400. The secret is also mapped to a specific name . Pod MUST be able to read the content of the key successfully and the mode MUST be - r — - — — — — — — on the mapped volume .
2019-01-23 03:05:50 +00:00
This test is marked LinuxOnly since Windows does not support setting specific file permissions .
2017-10-25 06:34:42 +00:00
* /
2019-01-23 03:05:50 +00:00
framework . ConformanceIt ( "should be consumable from pods in volume with mappings and Item Mode set [LinuxOnly] [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
mode := int32 ( 0400 )
doProjectedSecretE2EWithMapping ( f , & mode )
} )
2018-05-22 04:28:42 +00:00
It ( "should be able to mount in a volume regardless of a different secret existing with same name in different namespace [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
var (
namespace2 * v1 . Namespace
err error
secret2Name = "projected-secret-test-" + string ( uuid . NewUUID ( ) )
)
if namespace2 , err = f . CreateNamespace ( "secret-namespace" , nil ) ; err != nil {
framework . Failf ( "unable to create new namespace %s: %v" , namespace2 . Name , err )
}
secret2 := secretForTest ( namespace2 . Name , secret2Name )
secret2 . Data = map [ string ] [ ] byte {
"this_should_not_match_content_of_other_secret" : [ ] byte ( "similarly_this_should_not_match_content_of_other_secret\n" ) ,
}
2017-10-25 15:54:32 +00:00
if secret2 , err = f . ClientSet . CoreV1 ( ) . Secrets ( namespace2 . Name ) . Create ( secret2 ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , secret2 . Name , err )
}
doProjectedSecretE2EWithoutMapping ( f , nil /* default mode */ , secret2 . Name , nil , nil )
} )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Projected Volume , Secrets , mapped , multiple paths
Description : A Pod is created with a projected volume source ‘ secret ’ to store a secret with a specified key . The secret is mapped to two different volume mounts . Pod MUST be able to read the content of the key successfully from the two volume mounts and the mode MUST be - r — - — — — — — — on the mapped volumes .
2017-10-25 06:34:42 +00:00
* /
2018-05-22 01:09:33 +00:00
framework . ConformanceIt ( "should be consumable in multiple volumes in a pod [NodeConformance]" , func ( ) {
2016-11-10 22:33:06 +00:00
// This test ensures that the same secret can be mounted in multiple
// volumes in the same pod. This test case exists to prevent
// regressions that break this use-case.
var (
name = "projected-secret-test-" + string ( uuid . NewUUID ( ) )
volumeName = "projected-secret-volume"
volumeMountPath = "/etc/projected-secret-volume"
volumeName2 = "projected-secret-volume-2"
volumeMountPath2 = "/etc/projected-secret-volume-2"
secret = secretForTest ( f . Namespace . Name , name )
)
By ( fmt . Sprintf ( "Creating secret with name %s" , secret . Name ) )
var err error
2017-10-25 15:54:32 +00:00
if secret , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Create ( secret ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , secret . Name , err )
}
pod := & v1 . Pod {
ObjectMeta : metav1 . ObjectMeta {
Name : "pod-projected-secrets-" + string ( uuid . NewUUID ( ) ) ,
} ,
Spec : v1 . PodSpec {
Volumes : [ ] v1 . Volume {
{
Name : volumeName ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : name ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
{
Name : volumeName2 ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : name ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
Containers : [ ] v1 . Container {
{
Name : "secret-volume-test" ,
2018-08-14 13:37:40 +00:00
Image : imageutils . GetE2EImage ( imageutils . Mounttest ) ,
2016-11-10 22:33:06 +00:00
Args : [ ] string {
"--file_content=/etc/projected-secret-volume/data-1" ,
"--file_mode=/etc/projected-secret-volume/data-1" } ,
VolumeMounts : [ ] v1 . VolumeMount {
{
Name : volumeName ,
MountPath : volumeMountPath ,
ReadOnly : true ,
} ,
{
Name : volumeName2 ,
MountPath : volumeMountPath2 ,
ReadOnly : true ,
} ,
} ,
} ,
} ,
RestartPolicy : v1 . RestartPolicyNever ,
} ,
}
2018-04-04 12:20:05 +00:00
fileModeRegexp := framework . GetFileModeRegex ( "/etc/projected-secret-volume/data-1" , nil )
f . TestContainerOutputRegexp ( "consume secrets" , pod , 0 , [ ] string {
2016-11-10 22:33:06 +00:00
"content of file \"/etc/projected-secret-volume/data-1\": value-1" ,
2018-04-04 12:20:05 +00:00
fileModeRegexp ,
2016-11-10 22:33:06 +00:00
} )
} )
2017-10-25 06:34:42 +00:00
/ *
2018-02-27 22:57:56 +00:00
Release : v1 .9
Testname : Projected Volume , Secrets , create , update delete
Description : Create a Pod with three containers with secrets namely a create , update and delete container . Create Container when started MUST no have a secret , update and delete containers MUST be created with a secret value . Create a secret in the create container , the Pod MUST be able to read the secret from the create container . Update the secret in the update container , Pod MUST be able to read the updated secret value . Delete the secret in the delete container . Pod MUST fail to read the secret from the delete container .
2017-10-25 06:34:42 +00:00
* /
2018-05-22 01:09:33 +00:00
framework . ConformanceIt ( "optional updates should be reflected in volume [NodeConformance]" , func ( ) {
2017-07-03 19:08:05 +00:00
podLogTimeout := framework . GetPodSecretUpdateTimeout ( f . ClientSet )
containerTimeoutArg := fmt . Sprintf ( "--retry_time=%v" , int ( podLogTimeout . Seconds ( ) ) )
2017-02-28 17:51:39 +00:00
trueVal := true
2016-11-10 22:33:06 +00:00
volumeMountPath := "/etc/projected-secret-volumes"
deleteName := "s-test-opt-del-" + string ( uuid . NewUUID ( ) )
deleteContainerName := "dels-volume-test"
deleteVolumeName := "deletes-volume"
deleteSecret := & v1 . Secret {
ObjectMeta : metav1 . ObjectMeta {
Namespace : f . Namespace . Name ,
Name : deleteName ,
} ,
Data : map [ string ] [ ] byte {
"data-1" : [ ] byte ( "value-1" ) ,
} ,
}
updateName := "s-test-opt-upd-" + string ( uuid . NewUUID ( ) )
updateContainerName := "upds-volume-test"
updateVolumeName := "updates-volume"
updateSecret := & v1 . Secret {
ObjectMeta : metav1 . ObjectMeta {
Namespace : f . Namespace . Name ,
Name : updateName ,
} ,
Data : map [ string ] [ ] byte {
"data-1" : [ ] byte ( "value-1" ) ,
} ,
}
createName := "s-test-opt-create-" + string ( uuid . NewUUID ( ) )
createContainerName := "creates-volume-test"
createVolumeName := "creates-volume"
createSecret := & v1 . Secret {
ObjectMeta : metav1 . ObjectMeta {
Namespace : f . Namespace . Name ,
Name : createName ,
} ,
Data : map [ string ] [ ] byte {
"data-1" : [ ] byte ( "value-1" ) ,
} ,
}
By ( fmt . Sprintf ( "Creating secret with name %s" , deleteSecret . Name ) )
2017-07-03 19:08:05 +00:00
var err error
2017-10-25 15:54:32 +00:00
if deleteSecret , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Create ( deleteSecret ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , deleteSecret . Name , err )
}
By ( fmt . Sprintf ( "Creating secret with name %s" , updateSecret . Name ) )
2017-10-25 15:54:32 +00:00
if updateSecret , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Create ( updateSecret ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , updateSecret . Name , err )
}
pod := & v1 . Pod {
ObjectMeta : metav1 . ObjectMeta {
Name : "pod-projected-secrets-" + string ( uuid . NewUUID ( ) ) ,
} ,
Spec : v1 . PodSpec {
Volumes : [ ] v1 . Volume {
{
Name : deleteVolumeName ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : deleteName ,
} ,
Optional : & trueVal ,
} ,
} ,
} ,
} ,
} ,
} ,
{
Name : updateVolumeName ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : updateName ,
} ,
Optional : & trueVal ,
} ,
} ,
} ,
} ,
} ,
} ,
{
Name : createVolumeName ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : createName ,
} ,
Optional : & trueVal ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
Containers : [ ] v1 . Container {
{
Name : deleteContainerName ,
2018-08-14 13:37:40 +00:00
Image : imageutils . GetE2EImage ( imageutils . Mounttest ) ,
2017-08-29 08:32:08 +00:00
Command : [ ] string { "/mounttest" , "--break_on_expected_content=false" , containerTimeoutArg , "--file_content_in_loop=/etc/projected-secret-volumes/delete/data-1" } ,
2016-11-10 22:33:06 +00:00
VolumeMounts : [ ] v1 . VolumeMount {
{
Name : deleteVolumeName ,
MountPath : path . Join ( volumeMountPath , "delete" ) ,
ReadOnly : true ,
} ,
} ,
} ,
{
Name : updateContainerName ,
2018-08-14 13:37:40 +00:00
Image : imageutils . GetE2EImage ( imageutils . Mounttest ) ,
2017-08-29 08:32:08 +00:00
Command : [ ] string { "/mounttest" , "--break_on_expected_content=false" , containerTimeoutArg , "--file_content_in_loop=/etc/projected-secret-volumes/update/data-3" } ,
2016-11-10 22:33:06 +00:00
VolumeMounts : [ ] v1 . VolumeMount {
{
Name : updateVolumeName ,
MountPath : path . Join ( volumeMountPath , "update" ) ,
ReadOnly : true ,
} ,
} ,
} ,
{
Name : createContainerName ,
2018-08-14 13:37:40 +00:00
Image : imageutils . GetE2EImage ( imageutils . Mounttest ) ,
2017-08-29 08:32:08 +00:00
Command : [ ] string { "/mounttest" , "--break_on_expected_content=false" , containerTimeoutArg , "--file_content_in_loop=/etc/projected-secret-volumes/create/data-1" } ,
2016-11-10 22:33:06 +00:00
VolumeMounts : [ ] v1 . VolumeMount {
{
Name : createVolumeName ,
MountPath : path . Join ( volumeMountPath , "create" ) ,
ReadOnly : true ,
} ,
} ,
} ,
} ,
RestartPolicy : v1 . RestartPolicyNever ,
} ,
}
By ( "Creating the pod" )
f . PodClient ( ) . CreateSync ( pod )
pollCreateLogs := func ( ) ( string , error ) {
return framework . GetPodLogs ( f . ClientSet , f . Namespace . Name , pod . Name , createContainerName )
}
Eventually ( pollCreateLogs , podLogTimeout , framework . Poll ) . Should ( ContainSubstring ( "Error reading file /etc/projected-secret-volumes/create/data-1" ) )
pollUpdateLogs := func ( ) ( string , error ) {
return framework . GetPodLogs ( f . ClientSet , f . Namespace . Name , pod . Name , updateContainerName )
}
Eventually ( pollUpdateLogs , podLogTimeout , framework . Poll ) . Should ( ContainSubstring ( "Error reading file /etc/projected-secret-volumes/update/data-3" ) )
pollDeleteLogs := func ( ) ( string , error ) {
return framework . GetPodLogs ( f . ClientSet , f . Namespace . Name , pod . Name , deleteContainerName )
}
Eventually ( pollDeleteLogs , podLogTimeout , framework . Poll ) . Should ( ContainSubstring ( "value-1" ) )
By ( fmt . Sprintf ( "Deleting secret %v" , deleteSecret . Name ) )
2017-10-25 15:54:32 +00:00
err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Delete ( deleteSecret . Name , & metav1 . DeleteOptions { } )
2016-11-10 22:33:06 +00:00
Expect ( err ) . NotTo ( HaveOccurred ( ) , "Failed to delete secret %q in namespace %q" , deleteSecret . Name , f . Namespace . Name )
By ( fmt . Sprintf ( "Updating secret %v" , updateSecret . Name ) )
updateSecret . ResourceVersion = "" // to force update
delete ( updateSecret . Data , "data-1" )
updateSecret . Data [ "data-3" ] = [ ] byte ( "value-3" )
2017-10-25 15:54:32 +00:00
_ , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Update ( updateSecret )
2016-11-10 22:33:06 +00:00
Expect ( err ) . NotTo ( HaveOccurred ( ) , "Failed to update secret %q in namespace %q" , updateSecret . Name , f . Namespace . Name )
By ( fmt . Sprintf ( "Creating secret with name %s" , createSecret . Name ) )
2017-10-25 15:54:32 +00:00
if createSecret , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Create ( createSecret ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , createSecret . Name , err )
}
By ( "waiting to observe update in volume" )
Eventually ( pollCreateLogs , podLogTimeout , framework . Poll ) . Should ( ContainSubstring ( "value-1" ) )
Eventually ( pollUpdateLogs , podLogTimeout , framework . Poll ) . Should ( ContainSubstring ( "value-3" ) )
Eventually ( pollDeleteLogs , podLogTimeout , framework . Poll ) . Should ( ContainSubstring ( "Error reading file /etc/projected-secret-volumes/delete/data-1" ) )
} )
2018-11-13 07:38:02 +00:00
//The secret is in pending during volume creation until the secret objects are available
//or until mount the secret volume times out. There is no secret object defined for the pod, so it should return timout exception unless it is marked optional.
//Slow (~5 mins)
It ( "Should fail non-optional pod creation due to secret object does not exist [Slow]" , func ( ) {
volumeMountPath := "/etc/projected-secret-volumes"
podName := "pod-secrets-" + string ( uuid . NewUUID ( ) )
err := createNonOptionalSecretPod ( f , volumeMountPath , podName )
Expect ( err ) . To ( HaveOccurred ( ) , "created pod %q with non-optional secret in namespace %q" , podName , f . Namespace . Name )
} )
//Secret object defined for the pod, If a key is specified which is not present in the secret,
// the volume setup will error unless it is marked optional, during the pod creation.
//Slow (~5 mins)
It ( "Should fail non-optional pod creation due to the key in the secret object does not exist [Slow]" , func ( ) {
volumeMountPath := "/etc/secret-volumes"
podName := "pod-secrets-" + string ( uuid . NewUUID ( ) )
err := createNonOptionalSecretPodWithSecret ( f , volumeMountPath , podName )
Expect ( err ) . To ( HaveOccurred ( ) , "created pod %q with non-optional secret in namespace %q" , podName , f . Namespace . Name )
} )
2016-11-10 22:33:06 +00:00
} )
2017-04-20 10:57:07 +00:00
func doProjectedSecretE2EWithoutMapping ( f * framework . Framework , defaultMode * int32 ,
2017-06-21 07:13:36 +00:00
secretName string , fsGroup * int64 , uid * int64 ) {
2016-11-10 22:33:06 +00:00
var (
volumeName = "projected-secret-volume"
volumeMountPath = "/etc/projected-secret-volume"
secret = secretForTest ( f . Namespace . Name , secretName )
)
By ( fmt . Sprintf ( "Creating projection with secret that has name %s" , secret . Name ) )
var err error
2017-10-25 15:54:32 +00:00
if secret , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Create ( secret ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , secret . Name , err )
}
pod := & v1 . Pod {
ObjectMeta : metav1 . ObjectMeta {
Name : "pod-projected-secrets-" + string ( uuid . NewUUID ( ) ) ,
Namespace : f . Namespace . Name ,
} ,
Spec : v1 . PodSpec {
Volumes : [ ] v1 . Volume {
{
Name : volumeName ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : secretName ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
Containers : [ ] v1 . Container {
{
Name : "projected-secret-volume-test" ,
2018-08-14 13:37:40 +00:00
Image : imageutils . GetE2EImage ( imageutils . Mounttest ) ,
2016-11-10 22:33:06 +00:00
Args : [ ] string {
"--file_content=/etc/projected-secret-volume/data-1" ,
"--file_mode=/etc/projected-secret-volume/data-1" } ,
VolumeMounts : [ ] v1 . VolumeMount {
{
Name : volumeName ,
MountPath : volumeMountPath ,
} ,
} ,
} ,
} ,
RestartPolicy : v1 . RestartPolicyNever ,
} ,
}
if defaultMode != nil {
//pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].Secret.DefaultMode = defaultMode
pod . Spec . Volumes [ 0 ] . VolumeSource . Projected . DefaultMode = defaultMode
}
if fsGroup != nil || uid != nil {
pod . Spec . SecurityContext = & v1 . PodSecurityContext {
FSGroup : fsGroup ,
RunAsUser : uid ,
}
}
2018-04-04 12:20:05 +00:00
fileModeRegexp := framework . GetFileModeRegex ( "/etc/projected-secret-volume/data-1" , defaultMode )
2016-11-10 22:33:06 +00:00
expectedOutput := [ ] string {
"content of file \"/etc/projected-secret-volume/data-1\": value-1" ,
2018-04-04 12:20:05 +00:00
fileModeRegexp ,
2016-11-10 22:33:06 +00:00
}
2018-04-04 12:20:05 +00:00
f . TestContainerOutputRegexp ( "consume secrets" , pod , 0 , expectedOutput )
2016-11-10 22:33:06 +00:00
}
func doProjectedSecretE2EWithMapping ( f * framework . Framework , mode * int32 ) {
var (
name = "projected-secret-test-map-" + string ( uuid . NewUUID ( ) )
volumeName = "projected-secret-volume"
volumeMountPath = "/etc/projected-secret-volume"
secret = secretForTest ( f . Namespace . Name , name )
)
By ( fmt . Sprintf ( "Creating projection with secret that has name %s" , secret . Name ) )
var err error
2017-10-25 15:54:32 +00:00
if secret , err = f . ClientSet . CoreV1 ( ) . Secrets ( f . Namespace . Name ) . Create ( secret ) ; err != nil {
2016-11-10 22:33:06 +00:00
framework . Failf ( "unable to create test secret %s: %v" , secret . Name , err )
}
pod := & v1 . Pod {
ObjectMeta : metav1 . ObjectMeta {
Name : "pod-projected-secrets-" + string ( uuid . NewUUID ( ) ) ,
} ,
Spec : v1 . PodSpec {
Volumes : [ ] v1 . Volume {
{
Name : volumeName ,
VolumeSource : v1 . VolumeSource {
Projected : & v1 . ProjectedVolumeSource {
Sources : [ ] v1 . VolumeProjection {
{
Secret : & v1 . SecretProjection {
LocalObjectReference : v1 . LocalObjectReference {
Name : name ,
} ,
Items : [ ] v1 . KeyToPath {
{
Key : "data-1" ,
Path : "new-path-data-1" ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
Containers : [ ] v1 . Container {
{
Name : "projected-secret-volume-test" ,
2018-08-14 13:37:40 +00:00
Image : imageutils . GetE2EImage ( imageutils . Mounttest ) ,
2016-11-10 22:33:06 +00:00
Args : [ ] string {
"--file_content=/etc/projected-secret-volume/new-path-data-1" ,
"--file_mode=/etc/projected-secret-volume/new-path-data-1" } ,
VolumeMounts : [ ] v1 . VolumeMount {
{
Name : volumeName ,
MountPath : volumeMountPath ,
} ,
} ,
} ,
} ,
RestartPolicy : v1 . RestartPolicyNever ,
} ,
}
if mode != nil {
//pod.Spec.Volumes[0].VolumeSource.Projected.Sources[0].Secret.Items[0].Mode = mode
pod . Spec . Volumes [ 0 ] . VolumeSource . Projected . DefaultMode = mode
}
2018-04-04 12:20:05 +00:00
fileModeRegexp := framework . GetFileModeRegex ( "/etc/projected-secret-volume/new-path-data-1" , mode )
2016-11-10 22:33:06 +00:00
expectedOutput := [ ] string {
"content of file \"/etc/projected-secret-volume/new-path-data-1\": value-1" ,
2018-04-04 12:20:05 +00:00
fileModeRegexp ,
2016-11-10 22:33:06 +00:00
}
2018-04-04 12:20:05 +00:00
f . TestContainerOutputRegexp ( "consume secrets" , pod , 0 , expectedOutput )
2016-11-10 22:33:06 +00:00
}
