Skip to content

Commit

Permalink
Bugfix: Stop base64 decoding ConfigMap.BinaryData (#47)
Browse files Browse the repository at this point in the history
Ensure Kubernetes env provider does not decode binary data
as base64.
  • Loading branch information
thunderboltsid authored Nov 24, 2022
1 parent 634dac6 commit 4b6fb61
Show file tree
Hide file tree
Showing 3 changed files with 52 additions and 47 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
## [0.3.4] - 2022-11-24
### Changed
- Bugfix: Stop explicit base64 decoding of BinaryData from ConfigMap in Kubernetes env provider

## [0.3.3] - 2022-11-24
### Changed
- Kubernetes env provider can now read the trust bundle from both BinaryData and Data
Expand Down
7 changes: 1 addition & 6 deletions environment/providers/kubernetes/kubernetes.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
package kubernetes

import (
"encoding/base64"
"fmt"
"net/url"

Expand Down Expand Up @@ -40,11 +39,7 @@ func (prov *provider) getAdditionalTrustBundle() (string, error) {
return cert, nil
}
if b64Cert, ok := cm.BinaryData[certBundleKey]; ok {
cert, err := base64.StdEncoding.DecodeString(string(b64Cert))
if err != nil {
return "", err
}
return string(cert), nil
return string(b64Cert), nil
}
return "", nil
}
Expand Down
88 changes: 47 additions & 41 deletions environment/providers/kubernetes/kubernetes_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,14 @@ import (
. "github.com/onsi/gomega"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
krand "k8s.io/apimachinery/pkg/util/rand"
"k8s.io/client-go/informers"
coreinformers "k8s.io/client-go/informers/core/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/tools/cache"

"github.com/nutanix-cloud-native/prism-go-client/environment/credentials"
Expand Down Expand Up @@ -56,22 +59,21 @@ func runCMInformer(ctx context.Context, clientset kubernetes.Interface) coreinfo
var _ = Describe("Kubernetes Environment Provider", Ordered, func() {
expectedCACert, expectedB64CACert, err := certutils.GenerateCACertForTesting()
Expect(err).ToNot(HaveOccurred())

var (
secretName = "nutanix-credentials"
cmName = "user-ca-bundle"
secretNamespace = "kube-system"
secretInformer coreinformers.SecretInformer
cmInformer coreinformers.ConfigMapInformer
prov types.Provider
ip = krand.String(10)
username = krand.String(10)
password = krand.String(10)
cmName = "user-ca-bundle"
namespace = "kube-system"
secretName = "nutanix-credentials"
secretInformer coreinformers.SecretInformer
cmInformer coreinformers.ConfigMapInformer
prov types.Provider
ip = krand.String(10)
username = krand.String(10)
password = krand.String(10)

fakeSecret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Namespace: secretNamespace,
Namespace: namespace,
},
Data: map[string][]byte{
"credentials": []byte(fmt.Sprintf(`
Expand All @@ -90,49 +92,53 @@ var _ = Describe("Kubernetes Environment Provider", Ordered, func() {
`, username, password)),
},
}
fakeCM = &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: cmName,
Namespace: secretNamespace,
},
BinaryData: map[string][]byte{
certBundleKey: []byte(expectedB64CACert),
},
}

fakeClientset = fake.NewSimpleClientset(fakeSecret, fakeCM)
prismEndpoint = credentials.NutanixPrismEndpoint{
Address: ip,
Port: 9440,
Insecure: true,
CredentialRef: &credentials.NutanixCredentialReference{
Kind: credentials.SecretKind,
Name: secretName,
Namespace: secretNamespace,
},
AdditionalTrustBundle: &credentials.NutanixTrustBundleReference{
Kind: credentials.NutanixTrustBundleKindConfigMap,
Name: cmName,
Namespace: secretNamespace,
},
}
)

const fakeCMTemplate = `apiVersion: v1
kind: ConfigMap
metadata:
name: %s
namespace: %s
binaryData:
ca.crt: %s`
fakeCMStr := fmt.Sprintf(fakeCMTemplate, cmName, namespace, expectedB64CACert)
decoder := serializer.NewCodecFactory(scheme.Scheme).UniversalDecoder()
fakeCM := &corev1.ConfigMap{}
err = runtime.DecodeInto(decoder, []byte(fakeCMStr), fakeCM)
Expect(err).ToNot(HaveOccurred())

fakeClientset := fake.NewSimpleClientset(fakeSecret, fakeCM)
prismEndpoint := credentials.NutanixPrismEndpoint{
Address: ip,
Port: 9440,
Insecure: true,
CredentialRef: &credentials.NutanixCredentialReference{
Kind: credentials.SecretKind,
Name: secretName,
Namespace: namespace,
},
AdditionalTrustBundle: &credentials.NutanixTrustBundleReference{
Kind: credentials.NutanixTrustBundleKindConfigMap,
Name: cmName,
Namespace: namespace,
},
}
BeforeAll(func() {
secretInformer = runSecretInformer(context.TODO(), fakeClientset)
cmInformer = runCMInformer(context.TODO(), fakeClientset)
prov = NewProvider(prismEndpoint, secretInformer, cmInformer)
})
It("must be able to look up secret", func() {
_, err := fakeClientset.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
_, err := fakeClientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
Expect(err).To(Succeed())

_, err = secretInformer.Lister().Secrets(secretNamespace).Get(secretName)
_, err = secretInformer.Lister().Secrets(namespace).Get(secretName)
Expect(err).To(Succeed())

_, err = fakeClientset.CoreV1().ConfigMaps(secretNamespace).Get(context.TODO(), cmName, metav1.GetOptions{})
_, err = fakeClientset.CoreV1().ConfigMaps(namespace).Get(context.TODO(), cmName, metav1.GetOptions{})
Expect(err).To(Succeed())

_, err = cmInformer.Lister().ConfigMaps(secretNamespace).Get(cmName)
_, err = cmInformer.Lister().ConfigMaps(namespace).Get(cmName)
Expect(err).To(Succeed())
})
It("must get management endpoint", func() {
Expand Down

0 comments on commit 4b6fb61

Please sign in to comment.