ContainerImage.Pinniped/test/integration/supervisor_secrets_test.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"context"
	"encoding/json"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"gopkg.in/square/go-jose.v2"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
	"go.pinniped.dev/test/library"
)

func TestSupervisorSecrets(t *testing.T) {
	env := library.IntegrationEnv(t)
	kubeClient := library.NewKubernetesClientset(t)
	supervisorClient := library.NewSupervisorClientset(t)

	library.AssertNoRestartsDuringTest(t, env.SupervisorNamespace, "")

	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()

	// Create our FederationDomain under test.
	federationDomain := library.CreateTestFederationDomain(ctx, t, "", "", "")

	tests := []struct {
		name        string
		secretName  func(federationDomain *configv1alpha1.FederationDomain) string
		ensureValid func(t *testing.T, secret *corev1.Secret)
	}{
		{
			name: "csrf cookie signing key",
			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
				return env.SupervisorAppName + "-key"
			},
			ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/supervisor-csrf-signing-key"),
		},
		{
			name: "jwks",
			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
				return federationDomain.Status.Secrets.JWKS.Name
			},
			ensureValid: ensureValidJWKS,
		},
		{
			name: "hmac signing secret",
			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
				return federationDomain.Status.Secrets.TokenSigningKey.Name
			},
			ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/federation-domain-token-signing-key"),
		},
		{
			name: "state signature secret",
			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
				return federationDomain.Status.Secrets.StateSigningKey.Name
			},
			ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/federation-domain-state-signing-key"),
		},
		{
			name: "state encryption secret",
			secretName: func(federationDomain *configv1alpha1.FederationDomain) string {
				return federationDomain.Status.Secrets.StateEncryptionKey.Name
			},
			ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/federation-domain-state-encryption-key"),
		},
	}
	for _, test := range tests {
		test := test
		t.Run(test.name, func(t *testing.T) {
			// Ensure a secret is created with the FederationDomain's JWKS.
			var updatedFederationDomain *configv1alpha1.FederationDomain
			var err error
			assert.Eventually(t, func() bool {
				updatedFederationDomain, err = supervisorClient.
					ConfigV1alpha1().
					FederationDomains(env.SupervisorNamespace).
					Get(ctx, federationDomain.Name, metav1.GetOptions{})
				return err == nil && test.secretName(updatedFederationDomain) != ""
			}, time.Second*10, time.Millisecond*500)
			require.NoError(t, err)
			require.NotEmpty(t, test.secretName(updatedFederationDomain))

			// Ensure the secret actually exists.
			secret, err := kubeClient.
				CoreV1().
				Secrets(env.SupervisorNamespace).
				Get(ctx, test.secretName(updatedFederationDomain), metav1.GetOptions{})
			require.NoError(t, err)

			// Ensure that the secret was labelled.
			for k, v := range env.SupervisorCustomLabels {
				require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
			}
			require.Equal(t, env.SupervisorAppName, secret.Labels["app"])

			// Ensure that the secret is valid.
			test.ensureValid(t, secret)

			// Ensure upon deleting the secret, it is eventually brought back.
			err = kubeClient.
				CoreV1().
				Secrets(env.SupervisorNamespace).
				Delete(ctx, test.secretName(updatedFederationDomain), metav1.DeleteOptions{})
			require.NoError(t, err)
			assert.Eventually(t, func() bool {
				secret, err = kubeClient.
					CoreV1().
					Secrets(env.SupervisorNamespace).
					Get(ctx, test.secretName(updatedFederationDomain), metav1.GetOptions{})
				return err == nil
			}, time.Second*10, time.Millisecond*500)
			require.NoError(t, err)

			// Ensure that the new secret is valid.
			test.ensureValid(t, secret)
		})
	}

	// Upon deleting the FederationDomain, the secret is deleted (we test this behavior in our uninstall tests).
}

func ensureValidJWKS(t *testing.T, secret *corev1.Secret) {
	t.Helper()

	// Ensure the secret has the right type.
	require.Equal(t, corev1.SecretType("secrets.pinniped.dev/federation-domain-jwks"), secret.Type)

	// Ensure the secret has an active key.
	jwkData, ok := secret.Data["activeJWK"]
	require.True(t, ok, "secret is missing active jwk")

	// Ensure the secret's active key is valid.
	var activeJWK jose.JSONWebKey
	require.NoError(t, json.Unmarshal(jwkData, &activeJWK))
	require.True(t, activeJWK.Valid(), "active jwk is invalid")
	require.False(t, activeJWK.IsPublic(), "active jwk is public")

	// Ensure the secret has a JWKS.
	jwksData, ok := secret.Data["jwks"]
	require.True(t, ok, "secret is missing jwks")

	// Ensure the secret's JWKS is valid, public, and contains the singing key.
	var jwks jose.JSONWebKeySet
	require.NoError(t, json.Unmarshal(jwksData, &jwks))
	foundActiveJWK := false
	for _, jwk := range jwks.Keys {
		require.Truef(t, jwk.Valid(), "jwk %s is invalid", jwk.KeyID)
		require.Truef(t, jwk.IsPublic(), "jwk %s is not public", jwk.KeyID)
		if jwk.KeyID == activeJWK.KeyID {
			foundActiveJWK = true
		}
	}
	require.True(t, foundActiveJWK, "could not find active JWK in JWKS: %s", jwks)
}

func ensureValidSymmetricSecretOfTypeFunc(secretTypeValue string) func(*testing.T, *corev1.Secret) {
	return func(t *testing.T, secret *corev1.Secret) {
		t.Helper()
		require.Equal(t, corev1.SecretType(secretTypeValue), secret.Type)
		key, ok := secret.Data["key"]
		require.Truef(t, ok, "secret data does not contain 'key': %s", secret.Data)
		require.Equal(t, 32, len(key))
	}
}
Changing references from 1.19 to 1.20 2021-01-07 22:58:09 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package integration`

			`import (`
			`"context"`
			`"encoding/json"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`"gopkg.in/square/go-jose.v2"`
			`corev1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-16 19:00:08 +00:00			`configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`"go.pinniped.dev/test/library"`
			`)`

			`func TestSupervisorSecrets(t *testing.T) {`
			`env := library.IntegrationEnv(t)`
Allow multiple Pinnipeds to work on same cluster Yes, this is a huge commit. The middleware allows you to customize the API groups of all of the *.pinniped.dev API groups. Some notes about other small things in this commit: - We removed the internal/client package in favor of pkg/conciergeclient. The two packages do basically the same thing. I don't think we use the former anymore. - We re-enabled cluster-scoped owner assertions in the integration tests. This code was added in internal/ownerref. See a0546942 for when this assertion was removed. - Note: the middlware code is in charge of restoring the GV of a request object, so we should never need to write mutations that do that. - We updated the supervisor secret generation to no longer manually set an owner reference to the deployment since the middleware code now does this. I think we still need some way to make an initial event for the secret generator controller, which involves knowing the namespace and the name of the generated secret, so I still wired the deployment through. We could use a namespace/name tuple here, but I was lazy. Signed-off-by: Andrew Keesler <akeesler@vmware.com> Co-authored-by: Ryan Richard <richardry@vmware.com> 2021-01-13 01:27:41 +00:00			`kubeClient := library.NewKubernetesClientset(t)`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`supervisorClient := library.NewSupervisorClientset(t)`

test/integration: ensure no pods restart during integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-01-12 20:55:31 +00:00			`library.AssertNoRestartsDuringTest(t, env.SupervisorNamespace, "")`

Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)`
			`defer cancel()`

More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`// Create our FederationDomain under test.`
			`federationDomain := library.CreateTestFederationDomain(ctx, t, "", "", "")`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00
			`tests := []struct {`
			`name string`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`secretName func(federationDomain *configv1alpha1.FederationDomain) string`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`ensureValid func(t testing.T, secret corev1.Secret)`
			`}{`
			`{`
			`name: "csrf cookie signing key",`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`secretName: func(federationDomain *configv1alpha1.FederationDomain) string {`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`return env.SupervisorAppName + "-key"`
			`},`
Supervisor CSRF Secret has unique Type Signed-off-by: aram price <pricear@vmware.com> 2020-12-17 23:30:26 +00:00			`ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/supervisor-csrf-signing-key"),`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
			`{`
			`name: "jwks",`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`secretName: func(federationDomain *configv1alpha1.FederationDomain) string {`
			`return federationDomain.Status.Secrets.JWKS.Name`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
			`ensureValid: ensureValidJWKS,`
			`},`
			`{`
			`name: "hmac signing secret",`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`secretName: func(federationDomain *configv1alpha1.FederationDomain) string {`
			`return federationDomain.Status.Secrets.TokenSigningKey.Name`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
All FederationDomain Secrets have distinct Types Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-18 01:07:38 +00:00			`ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/federation-domain-token-signing-key"),`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
			`{`
			`name: "state signature secret",`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`secretName: func(federationDomain *configv1alpha1.FederationDomain) string {`
			`return federationDomain.Status.Secrets.StateSigningKey.Name`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
All FederationDomain Secrets have distinct Types Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-18 01:07:38 +00:00			`ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/federation-domain-state-signing-key"),`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
			`{`
			`name: "state encryption secret",`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`secretName: func(federationDomain *configv1alpha1.FederationDomain) string {`
			`return federationDomain.Status.Secrets.StateEncryptionKey.Name`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
All FederationDomain Secrets have distinct Types Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-18 01:07:38 +00:00			`ensureValid: ensureValidSymmetricSecretOfTypeFunc("secrets.pinniped.dev/federation-domain-state-encryption-key"),`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`},`
			`}`
			`for _, test := range tests {`
			`test := test`
			`t.Run(test.name, func(t *testing.T) {`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`// Ensure a secret is created with the FederationDomain's JWKS.`
			`var updatedFederationDomain *configv1alpha1.FederationDomain`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`var err error`
			`assert.Eventually(t, func() bool {`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`updatedFederationDomain, err = supervisorClient.`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`ConfigV1alpha1().`
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-16 22:27:09 +00:00			`FederationDomains(env.SupervisorNamespace).`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`Get(ctx, federationDomain.Name, metav1.GetOptions{})`
			`return err == nil && test.secretName(updatedFederationDomain) != ""`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`}, time.Second10, time.Millisecond500)`
			`require.NoError(t, err)`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`require.NotEmpty(t, test.secretName(updatedFederationDomain))`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00
			`// Ensure the secret actually exists.`
			`secret, err := kubeClient.`
			`CoreV1().`
			`Secrets(env.SupervisorNamespace).`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`Get(ctx, test.secretName(updatedFederationDomain), metav1.GetOptions{})`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`require.NoError(t, err)`

			`// Ensure that the secret was labelled.`
			`for k, v := range env.SupervisorCustomLabels {`
			require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
			`}`
			`require.Equal(t, env.SupervisorAppName, secret.Labels["app"])`

			`// Ensure that the secret is valid.`
			`test.ensureValid(t, secret)`

			`// Ensure upon deleting the secret, it is eventually brought back.`
			`err = kubeClient.`
			`CoreV1().`
			`Secrets(env.SupervisorNamespace).`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`Delete(ctx, test.secretName(updatedFederationDomain), metav1.DeleteOptions{})`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`require.NoError(t, err)`
			`assert.Eventually(t, func() bool {`
			`secret, err = kubeClient.`
			`CoreV1().`
			`Secrets(env.SupervisorNamespace).`
More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`Get(ctx, test.secretName(updatedFederationDomain), metav1.GetOptions{})`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`return err == nil`
			`}, time.Second10, time.Millisecond500)`
			`require.NoError(t, err)`

			`// Ensure that the new secret is valid.`
			`test.ensureValid(t, secret)`
			`})`
			`}`

More "op" and "opc" local variable renames Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-17 21:49:53 +00:00			`// Upon deleting the FederationDomain, the secret is deleted (we test this behavior in our uninstall tests).`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`}`

			`func ensureValidJWKS(t testing.T, secret corev1.Secret) {`
			`t.Helper()`

Put a Type on the Secrets that we create for FederationDomain JWKS Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 22:48:49 +00:00			`// Ensure the secret has the right type.`
Add extra type info where SecretType is used 2020-12-17 23:43:20 +00:00			`require.Equal(t, corev1.SecretType("secrets.pinniped.dev/federation-domain-jwks"), secret.Type)`
Put a Type on the Secrets that we create for FederationDomain JWKS Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 22:48:49 +00:00
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`// Ensure the secret has an active key.`
			`jwkData, ok := secret.Data["activeJWK"]`
			`require.True(t, ok, "secret is missing active jwk")`

			`// Ensure the secret's active key is valid.`
			`var activeJWK jose.JSONWebKey`
			`require.NoError(t, json.Unmarshal(jwkData, &activeJWK))`
			`require.True(t, activeJWK.Valid(), "active jwk is invalid")`
			`require.False(t, activeJWK.IsPublic(), "active jwk is public")`

			`// Ensure the secret has a JWKS.`
			`jwksData, ok := secret.Data["jwks"]`
			`require.True(t, ok, "secret is missing jwks")`

			`// Ensure the secret's JWKS is valid, public, and contains the singing key.`
			`var jwks jose.JSONWebKeySet`
			`require.NoError(t, json.Unmarshal(jwksData, &jwks))`
			`foundActiveJWK := false`
			`for _, jwk := range jwks.Keys {`
			`require.Truef(t, jwk.Valid(), "jwk %s is invalid", jwk.KeyID)`
			`require.Truef(t, jwk.IsPublic(), "jwk %s is not public", jwk.KeyID)`
			`if jwk.KeyID == activeJWK.KeyID {`
			`foundActiveJWK = true`
			`}`
			`}`
			`require.True(t, foundActiveJWK, "could not find active JWK in JWKS: %s", jwks)`
			`}`

Supervisor CSRF Secret has unique Type Signed-off-by: aram price <pricear@vmware.com> 2020-12-17 23:30:26 +00:00			`func ensureValidSymmetricSecretOfTypeFunc(secretTypeValue string) func(testing.T, corev1.Secret) {`
			`return func(t testing.T, secret corev1.Secret) {`
			`t.Helper()`
			`require.Equal(t, corev1.SecretType(secretTypeValue), secret.Type)`
			`key, ok := secret.Data["key"]`
			`require.Truef(t, ok, "secret data does not contain 'key': %s", secret.Data)`
			`require.Equal(t, 32, len(key))`
			`}`
Integration test for Supervisor secret controllers This forced us to add labels to the CSRF cookie secret, just as we do for other Supervisor secrets. Yay tests. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-14 20:53:12 +00:00			`}`