gitpod-io
GitHub Repository: gitpod-io/gitpod
Path: blob/main/test/tests/components/ws-manager/protected_secrets_test.go
// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package wsmanager
import (
"context"
"fmt"
"strings"
"testing"
"time"
"sigs.k8s.io/e2e-framework/pkg/envconf"
"sigs.k8s.io/e2e-framework/pkg/features"
csapi "github.com/gitpod-io/gitpod/content-service/api"
agent "github.com/gitpod-io/gitpod/test/pkg/agent/workspace/api"
"github.com/gitpod-io/gitpod/test/pkg/integration"
wsmanapi "github.com/gitpod-io/gitpod/ws-manager/api"
corev1 "k8s.io/api/core/v1"
)
// SECRET_NAME is the name of the environment variable the test adds to the
// workspace start request and later looks for in the pod spec and in the
// running workspace.
const SECRET_NAME = "USER_SECRET"

// SECRET_VALUE is the fixed fixture value assigned to SECRET_NAME. The test
// only needs it to be recognisable when it is read back from the workspace.
const SECRET_VALUE = "a9upr238"
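// TestProtectedSecrets starts a workspace with a user-supplied environment
// variable and checks two things: the workspace pod spec carries the variable
// as a Secret reference rather than as a literal value, and the variable is
// still visible with the expected value inside the running workspace.
func TestProtectedSecrets(t *testing.T) {
	f := features.New("protected_secrets").
		WithLabel("component", "ws-manager").
		Assess("can use protected secrets", func(testCtx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
			t.Parallel()

			ctx, cancel := context.WithTimeout(testCtx, 5*time.Minute)
			defer cancel()

			api := integration.NewComponentAPI(ctx, cfg.Namespace(), kubeconfig, cfg.Client())
			t.Cleanup(func() {
				api.Done(t)
			})

			// Request modifier: add the env var under test and point the
			// workspace at a Git initializer for the "empty" repository.
			swr := func(req *wsmanapi.StartWorkspaceRequest) error {
				req.Spec.Envvars = append(req.Spec.Envvars, &wsmanapi.EnvironmentVariable{
					Name:  SECRET_NAME,
					Value: SECRET_VALUE,
				})

				req.Spec.Initializer = &csapi.WorkspaceInitializer{
					Spec: &csapi.WorkspaceInitializer_Git{
						Git: &csapi.GitInitializer{
							RemoteUri:        "https://github.com/gitpod-io/empty",
							CheckoutLocation: "empty",
							Config:           &csapi.GitConfig{},
						},
					},
				}

				req.Spec.WorkspaceLocation = "empty"
				return nil
			}

			ws, stopWs, err := integration.LaunchWorkspaceDirectly(t, ctx, api, integration.WithRequestModifier(swr))
			if err != nil {
				t.Fatalf("cannot launch a workspace: %q", err)
			}

			t.Cleanup(func() {
				// ctx is cancelled by the deferred cancel() when this Assess
				// function returns, so the cleanup needs its own context.
				sctx, scancel := context.WithTimeout(context.Background(), 5*time.Minute)
				defer scancel()

				sapi := integration.NewComponentAPI(sctx, cfg.Namespace(), kubeconfig, cfg.Client())
				defer sapi.Done(t)

				// Keep the error local instead of writing to the enclosing
				// function's err from inside the cleanup closure.
				if _, err := stopWs(true, sapi); err != nil {
					t.Errorf("cannot stop workspace: %q", err)
				}
			})

			// Bound the pod lookup by the test's timeout context rather than
			// an unbounded background context.
			k8sClient := cfg.Client()
			var wsPod corev1.Pod
			if err := k8sClient.Resources().Get(ctx, "ws-"+ws.Req.Id, cfg.Namespace(), &wsPod); err != nil {
				t.Fatal(err)
			}

			// The pod spec must reference a Secret for the variable instead of
			// embedding its value.
			assertEnvSuppliedBySecret(t, &wsPod, SECRET_NAME)

			rsa, closer, err := integration.Instrument(integration.ComponentWorkspace, "workspace", cfg.Namespace(), kubeconfig, cfg.Client(),
				integration.WithInstanceID(ws.Req.Id),
				integration.WithContainer("workspace"),
				integration.WithWorkspacekitLift(true),
			)
			if err != nil {
				t.Fatal(err)
			}

			// Register the teardown before the assertion below: a t.Fatal in
			// the assertion exits this goroutine, and a defer that has not been
			// reached yet would never run, leaving the agent connection open.
			integration.DeferCloser(t, closer)
			defer rsa.Close()

			// The variable must still resolve to its value inside the workspace.
			assertEnvAvailableInWs(t, rsa)

			return testCtx
		}).
		Feature()

	testEnv.Test(t, f)
}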
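// assertEnvSuppliedBySecret fails the test unless the "workspace" container of
// wsPod declares secretEnv with an empty literal Value and a SecretKeyRef that
// names the Secret "<pod name without the ws- prefix>-env".
//
// A literal Value would be stored in the Pod object itself and so be readable
// by anything allowed to read pods; a SecretKeyRef keeps the value in a Secret
// object instead.
//
// The helper also fails when the variable is not declared on the workspace
// container at all, so that a missing container or missing entry cannot make
// the check pass without any assertion having run.
func assertEnvSuppliedBySecret(t *testing.T, wsPod *corev1.Pod, secretEnv string) {
	t.Helper()

	expectedName := fmt.Sprintf("%s-env", strings.TrimPrefix(wsPod.Name, "ws-"))
	found := false

	for _, c := range wsPod.Spec.Containers {
		if c.Name != "workspace" {
			continue
		}

		for _, env := range c.Env {
			if env.Name != secretEnv {
				continue
			}
			found = true

			if env.Value != "" {
				t.Fatalf("environment variable has plain text value")
			}

			if env.ValueFrom == nil || env.ValueFrom.SecretKeyRef == nil {
				t.Fatalf("environment variable value is not supplied by secret")
			}

			if env.ValueFrom.SecretKeyRef.Name != expectedName {
				t.Fatalf("expected environment variable values are not supplied by secret %s", expectedName)
			}
		}
	}

	if !found {
		t.Fatalf("environment variable %s is not declared on the workspace container of pod %s", secretEnv, wsPod.Name)
	}
}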
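// assertEnvAvailableInWs runs a shell command in the workspace through the
// workspace agent and fails the test unless the environment there contains
// exactly SECRET_NAME=SECRET_VALUE.
//
// NOTE(review): the failure message prints the value that was read back. That
// is harmless for the constant fixture used here, but it would put the value
// into test logs if this helper were ever pointed at a real secret.
func assertEnvAvailableInWs(t *testing.T, rsa *integration.RpcClient) {
	t.Helper()

	var grepResp agent.ExecResponse
	err := rsa.Call("WorkspaceAgent.Exec", &agent.ExecRequest{
		Dir:     prebuildLogPath,
		Command: "bash",
		Args: []string{
			"-c",
			// Anchor the pattern to "NAME=" at the start of a line. An
			// unanchored grep also matches any other variable whose name or
			// value merely contains SECRET_NAME, which would add lines to the
			// output and break the exact comparison below.
			fmt.Sprintf("env | grep '^%s='", SECRET_NAME),
		},
	}, &grepResp)
	if err != nil {
		t.Fatal(err)
	}

	expected := fmt.Sprintf("%s=%s", SECRET_NAME, SECRET_VALUE)
	if strings.TrimSpace(grepResp.Stdout) != expected {
		t.Fatalf("expected environment variable to be %s, but was %s", expected, grepResp.Stdout)
	}
}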