- Create and Update Secret resources using stringData

- Improved SecretDat composable - Added tests for credential store
gardener · Dec 10, 2024 · c792b6f · c792b6f
1 parent 24bdd56
commit c792b6f
Show file tree

Hide file tree

Showing 24 changed files with 720 additions and 335 deletions.
diff --git a/backend/lib/services/cloudProviderCredentials.js b/backend/lib/services/cloudProviderCredentials.js
@@ -28,13 +28,15 @@ exports.list = async function ({ user, params }) {
     'kind',
     'metadata.name',
     'metadata.namespace',
+    'metadata.uid',
     'spec.scope',
     'spec.clusterLifetimeDays',
   ])
 
   const quotas = _
     .chain(secretBindings)
     .flatMap(resolveQuotas)
+    .uniqBy('metadata.uid')
     .filter('spec.clusterLifetimeDays')
     .map(pickQuotaProperties)
     .value()
@@ -54,10 +56,10 @@ exports.create = async function ({ user, params }) {
     secretBindingNamespace: secretNamespace,
     secretBindingName: secretName,
     poviderType,
-    secretData,
+    secretStringData,
   } = params
 
-  const secretResource = toSecretResource({ namespace: secretNamespace, name: secretName, data: secretData })
+  const secretResource = toSecretResource({ namespace: secretNamespace, name: secretName, stringData: secretStringData })
   const secret = await client.core.secrets.create(secretNamespace, secretResource)
 
   let secretBinding
@@ -84,7 +86,7 @@ exports.patch = async function ({ user, params }) {
   const {
     secretBindingNamespace,
     secretBindingName,
-    secretData,
+    secretStringData,
   } = params
 
   const secretBinding = await client['core.gardener.cloud'].secretbindings.get(secretBindingNamespace, secretBindingName)
@@ -95,17 +97,10 @@ exports.patch = async function ({ user, params }) {
     throw createError(422, 'Patch allowed only for secrets in own namespace')
   }
 
-  let data
-  try {
-    data = _.mapValues(secretData, encodeBase64)
-  } catch (err) {
-    throw createError(422, 'Failed to encode "base64" secret data')
-  }
-
   const patchOperations = [{
     op: 'replace',
-    path: '/data',
-    value: data,
+    path: '/stringData',
+    value: secretStringData,
   }]
 
   const secretRef = secretBinding.secretRef
@@ -151,7 +146,7 @@ function resolveQuotas (secretBinding) {
   }
 }
 
-function toSecretResource ({ namespace, name, data }) {
+function toSecretResource ({ namespace, name, stringData }) {
   const resource = Resources.Secret
   const apiVersion = resource.apiVersion
   const kind = resource.kind
@@ -160,12 +155,8 @@ function toSecretResource ({ namespace, name, data }) {
     namespace,
     name,
   }
-  try {
-    data = _.mapValues(data, encodeBase64)
-  } catch (err) {
-    throw createError(422, 'Failed to encode "base64" secret data')
-  }
-  return { apiVersion, kind, metadata, type, data }
+
+  return { apiVersion, kind, metadata, type, stringData }
 }
 
 function toSecretBindingResource ({ namespace, name, poviderType, secretRef }) {

diff --git a/frontend/__fixtures__/credentials.js b/frontend/__fixtures__/credentials.js
@@ -6,38 +6,79 @@
 
 function createProviderCredentials (type, options = {}) {
   const {
+    name = type,
     projectName = 'test',
+    secretNamepace = `garden-${projectName}`,
+    quotas = [],
   } = options
-  const secretBindingName = `${type}-secretbinding`
-  const secretName = `${type}-secret`
-  const namespace = `garden-${projectName}`
-  return {
-    secretBinding: {
+  const secretBindingName = `${name}-secretbinding`
+  const secretBindingNamespace = `garden-${projectName}`
+  const secretName = `${name}-secret`
+  const quotaName = `${name}-quota`
+  const secretBinding = {
+    metadata: {
+      namespace: secretBindingNamespace,
+      name: secretBindingName,
+    },
+    provider: {
+      type,
+    },
+    secretRef: {
+      name: secretName,
+      namespace: secretNamepace,
+    },
+  }
+
+  let secret
+  if (secretNamepace === secretBindingNamespace) {
+    // no secret if referenced in other namespace
+    secret = {
       metadata: {
-        namespace,
-        name: secretBindingName,
-      },
-      provider: {
-        type,
-      },
-      secretRef: {
+        namespace: secretNamepace,
         name: secretName,
-        namespace,
       },
-    },
-    secret: {
+      data: {
+        secret: 'c3VwZXJzZWNyZXQ=',
+      },
+    }
+  }
+
+  if (secretNamepace !== secretBindingNamespace) {
+    // always add default quota if secret is in different namespace (trial quota)
+    quotas.push({
       metadata: {
-        namespace,
-        name: secretName,
+        name: quotaName,
+        namespace: secretNamepace,
       },
-    },
+      spec: {
+        scope: {
+          kind: 'Project',
+          apiVersion: 'core.gardener.cloud/v1beta1',
+        },
+        clusterLifetimeDays: 7,
+      },
+    })
+  }
+
+  if (quotas.length > 0) {
+    secretBinding.quotas = quotas.map(({ metadata }) => metadata)
+  }
+
+  return {
+    secretBinding,
+    secret,
+    quotas,
   }
 }
 
 const credentials = [
   createProviderCredentials('alicloud'),
   createProviderCredentials('aws'),
-  createProviderCredentials('azure'),
+  createProviderCredentials('aws', { name: 'aws-trial', secretNamepace: 'garden-trial' }),
+  createProviderCredentials('azure', { quotas: [
+    { metadata: { name: 'azure-foo-quota', namespace: 'garden-trial' } },
+    { metadata: { name: 'azure-bar-quota', namespace: 'garden-test' } },
+  ] }),
   createProviderCredentials('openstack'),
   createProviderCredentials('gcp'),
   createProviderCredentials('ironcore'),
@@ -46,9 +87,11 @@ const credentials = [
 ]
 
 const secretBindings = credentials.map(item => item.secretBinding)
-const secrets = credentials.map(item => item.secret)
+const secrets = credentials.map(item => item.secret).filter(Boolean)
+const quotas = credentials.flatMap(item => item.quotas).filter(Boolean)
 
 export default {
   secretBindings,
   secrets,
+  quotas,
 }
diff --git a/frontend/__tests__/composables/useShootContext.spec.js b/frontend/__tests__/composables/useShootContext.spec.js
@@ -45,7 +45,7 @@ describe('composables', () => {
     const configStore = useConfigStore()
     configStore.setConfiguration(global.fixtures.config)
     const credentialStore = useCredentialStore()
-    credentialStore.cloudProviderCredentials = global.fixtures.credentials
+    credentialStore.setCredentials(global.fixtures.credentials)
     const cloudProfileStore = useCloudProfileStore()
     cloudProfileStore.setCloudProfiles(cloneDeep(global.fixtures.cloudprofiles))
     const gardenerExtensionStore = useGardenerExtensionStore()

diff --git a/frontend/__tests__/composables/useShootDns.spec.js b/frontend/__tests__/composables/useShootDns.spec.js
@@ -26,7 +26,7 @@ describe('composables', () => {
       setActivePinia(createPinia())
       manifest.spec = {}
       const credentialStore = useCredentialStore()
-      credentialStore.cloudProviderCredentials = global.fixtures.credentials
+      credentialStore.setCredentials(global.fixtures.credentials)
       const gardenerExtensionStore = useGardenerExtensionStore()
       gardenerExtensionStore.list = global.fixtures.gardenerExtensions