k8s.io/kubernetes@v1.29.3/pkg/credentialprovider/secrets/secrets_test.go (about) 1 /* 2 Copyright 2020 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package secrets 18 19 import ( 20 "reflect" 21 "testing" 22 23 "k8s.io/api/core/v1" 24 "k8s.io/kubernetes/pkg/credentialprovider" 25 ) 26 27 // fakeKeyring is a fake docker auth config keyring 28 type fakeKeyring struct { 29 auth []credentialprovider.AuthConfig 30 ok bool 31 } 32 33 // Lookup implements the DockerKeyring method for fetching credentials based on image name. 34 // Returns fake results based on the auth and ok fields in fakeKeyring 35 func (f *fakeKeyring) Lookup(image string) ([]credentialprovider.AuthConfig, bool) { 36 return f.auth, f.ok 37 } 38 39 func Test_MakeDockerKeyring(t *testing.T) { 40 testcases := []struct { 41 name string 42 image string 43 defaultKeyring credentialprovider.DockerKeyring 44 pullSecrets []v1.Secret 45 authConfigs []credentialprovider.AuthConfig 46 found bool 47 }{ 48 { 49 name: "with .dockerconfigjson and auth field", 50 image: "test.registry.io", 51 defaultKeyring: &fakeKeyring{}, 52 pullSecrets: []v1.Secret{ 53 { 54 Type: v1.SecretTypeDockerConfigJson, 55 Data: map[string][]byte{ 56 v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`), 57 }, 58 }, 59 }, 60 authConfigs: []credentialprovider.AuthConfig{ 61 { 62 Username: "user", 63 Password: "password", 64 }, 65 }, 66 found: true, 67 }, 68 { 69 name: "with .dockerconfig and auth field", 70 image: "test.registry.io", 71 defaultKeyring: &fakeKeyring{}, 72 pullSecrets: []v1.Secret{ 73 { 74 Type: v1.SecretTypeDockercfg, 75 Data: map[string][]byte{ 76 v1.DockerConfigKey: []byte(`{"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}`), 77 }, 78 }, 79 }, 80 authConfigs: []credentialprovider.AuthConfig{ 81 { 82 Username: "user", 83 Password: "password", 84 }, 85 }, 86 found: true, 87 }, 88 { 89 name: "with .dockerconfigjson and username/password fields", 90 image: "test.registry.io", 91 defaultKeyring: &fakeKeyring{}, 92 pullSecrets: []v1.Secret{ 93 { 94 Type: v1.SecretTypeDockerConfigJson, 95 Data: map[string][]byte{ 96 v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"username": "user", "password": "password"}}}`), 97 }, 98 }, 99 }, 100 authConfigs: []credentialprovider.AuthConfig{ 101 { 102 Username: "user", 103 Password: "password", 104 }, 105 }, 106 found: true, 107 }, 108 { 109 name: "with .dockerconfig and username/password fields", 110 image: "test.registry.io", 111 defaultKeyring: &fakeKeyring{}, 112 pullSecrets: []v1.Secret{ 113 { 114 Type: v1.SecretTypeDockercfg, 115 Data: map[string][]byte{ 116 v1.DockerConfigKey: []byte(`{"test.registry.io": {"username": "user", "password": "password"}}`), 117 }, 118 }, 119 }, 120 authConfigs: []credentialprovider.AuthConfig{ 121 { 122 Username: "user", 123 Password: "password", 124 }, 125 }, 126 found: true, 127 }, 128 { 129 name: "with .dockerconfigjson but with wrong Secret Type", 130 image: "test.registry.io", 131 defaultKeyring: &fakeKeyring{}, 132 pullSecrets: []v1.Secret{ 133 { 134 Type: v1.SecretTypeDockercfg, 135 Data: map[string][]byte{ 136 v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`), 137 }, 138 }, 139 }, 140 authConfigs: nil, 141 found: false, 142 }, 143 { 144 name: "with .dockerconfig but with wrong Secret Type", 145 image: "test.registry.io", 146 defaultKeyring: &fakeKeyring{}, 147 pullSecrets: []v1.Secret{ 148 { 149 Type: v1.SecretTypeDockerConfigJson, 150 Data: map[string][]byte{ 151 v1.DockerConfigKey: []byte(`{"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}`), 152 }, 153 }, 154 }, 155 authConfigs: nil, 156 found: false, 157 }, 158 { 159 name: "with not matcing .dockerconfigjson and default keyring", 160 image: "test.registry.io", 161 defaultKeyring: &fakeKeyring{ 162 auth: []credentialprovider.AuthConfig{ 163 { 164 Username: "default-user", 165 Password: "default-password", 166 }, 167 }, 168 }, 169 pullSecrets: []v1.Secret{ 170 { 171 Type: v1.SecretTypeDockerConfigJson, 172 Data: map[string][]byte{ 173 v1.DockerConfigJsonKey: []byte(`{"auths": {"foobar.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`), 174 }, 175 }, 176 }, 177 authConfigs: []credentialprovider.AuthConfig{ 178 { 179 Username: "default-user", 180 Password: "default-password", 181 }, 182 }, 183 found: true, 184 }, 185 { 186 name: "with not matching .dockerconfig and default keyring", 187 image: "test.registry.io", 188 defaultKeyring: &fakeKeyring{ 189 auth: []credentialprovider.AuthConfig{ 190 { 191 Username: "default-user", 192 Password: "default-password", 193 }, 194 }, 195 }, 196 pullSecrets: []v1.Secret{ 197 { 198 Type: v1.SecretTypeDockercfg, 199 Data: map[string][]byte{ 200 v1.DockerConfigKey: []byte(`{"foobar.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}`), 201 }, 202 }, 203 }, 204 authConfigs: []credentialprovider.AuthConfig{ 205 { 206 Username: "default-user", 207 Password: "default-password", 208 }, 209 }, 210 found: true, 211 }, 212 { 213 name: "with no pull secrets but has default keyring", 214 image: "test.registry.io", 215 defaultKeyring: &fakeKeyring{ 216 auth: []credentialprovider.AuthConfig{ 217 { 218 Username: "default-user", 219 Password: "default-password", 220 }, 221 }, 222 }, 223 pullSecrets: []v1.Secret{}, 224 authConfigs: []credentialprovider.AuthConfig{ 225 { 226 Username: "default-user", 227 Password: "default-password", 228 }, 229 }, 230 found: false, 231 }, 232 { 233 name: "with pull secrets and has default keyring", 234 image: "test.registry.io", 235 defaultKeyring: &fakeKeyring{ 236 auth: []credentialprovider.AuthConfig{ 237 { 238 Username: "default-user", 239 Password: "default-password", 240 }, 241 }, 242 }, 243 pullSecrets: []v1.Secret{ 244 { 245 Type: v1.SecretTypeDockerConfigJson, 246 Data: map[string][]byte{ 247 v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`), 248 }, 249 }, 250 }, 251 authConfigs: []credentialprovider.AuthConfig{ 252 { 253 Username: "user", 254 Password: "password", 255 }, 256 { 257 Username: "default-user", 258 Password: "default-password", 259 }, 260 }, 261 found: true, 262 }, 263 } 264 265 for _, testcase := range testcases { 266 t.Run(testcase.name, func(t *testing.T) { 267 keyring, err := MakeDockerKeyring(testcase.pullSecrets, testcase.defaultKeyring) 268 if err != nil { 269 t.Fatalf("error creating secret-based docker keyring: %v", err) 270 } 271 272 authConfigs, found := keyring.Lookup(testcase.image) 273 if found != testcase.found { 274 t.Logf("actual lookup status: %v", found) 275 t.Logf("expected lookup status: %v", testcase.found) 276 t.Errorf("unexpected lookup for image: %s", testcase.image) 277 } 278 279 if !reflect.DeepEqual(authConfigs, testcase.authConfigs) { 280 t.Logf("actual auth configs: %#v", authConfigs) 281 t.Logf("expected auth configs: %#v", testcase.authConfigs) 282 t.Error("auth configs did not match") 283 } 284 }) 285 } 286 }