Adds 'value-from : secret'

Alan Christie · Alan Christie · commit e8b7b080bf25 · 2022-01-26T16:54:55.000Z
diff --git a/decoder/schema.yaml b/decoder/schema.yaml
@@ -142,36 +142,74 @@ definitions:
     type: array
     items:
       anyOf:
-      - $ref: '#/definitions/environment-value-from-api-token'
+      - $ref: '#/definitions/environment-value-from'
 
-  # An Image environment from an 'api-token'.
-  # Roles is an optional list of API token realm roles where, for now,
-  # we limit the number in the list to a maximum 1.
-  environment-value-from-api-token:
+  # An Image environment from something else.
+  environment-value-from:
     type: object
     additionalProperties: false
     properties:
       name:
         $ref: '#/definitions/env-var-name'
       value-from:
+        oneOf:
+        - $ref: '#/definitions/environment-value-from-api-token'
+        - $ref: '#/definitions/environment-value-from-secret'
+    required:
+    - name
+    - value-from
+
+  # Declaration for value-from 'api-token'.
+  # User provides a list of roles (which can be empty).
+  # Here, we limit the number of roles to 1.
+  environment-value-from-api-token:
+    type: object
+    additionalProperties: false
+    properties:
+      api-token:
         type: object
         properties:
-          api-token:
-            type: object
-            properties:
-              roles:
-                type: array
-                items:
-                  type: string
-                  pattern: '^[a-z]{1,}[a-z-_]{0,}$'
-                minItems: 0
-                maxItems: 1
-                uniqueItems: true
+          roles:
+            type: array
+            items:
+              type: string
+              pattern: '^[a-z]{1,}[a-z-_]{0,}$'
+            minItems: 0
+            maxItems: 1
+            uniqueItems: true
         required:
-        - api-token
+        - roles
     required:
-    - name
-    - value-from
+    - api-token
+
+  # An Image environment from a Kubernetes 'secret'.
+  # At the moment we expect the secret to be unencrypted,
+  # just 'opaque', so it can be read by the DM without special actions.
+  environment-value-from-secret:
+    type: object
+    additionalProperties: false
+    properties:
+      secret:
+        type: object
+        properties:
+          # The name of the secret object,
+          # i.e. its metadata->name.
+          name:
+            $ref: '#/definitions/rfc-1035-name'
+          # The name of the key in the secret.
+          # - Begins with lowercase letter
+          # - Then lower-case alphanumeric including '-', '_' and '.'
+          # - Ends begins with lower-case alphanumeric
+          key:
+            type: string
+            minLength: 1
+            maxLength: 63
+            pattern: '^[a-z]([a-z0-9-_.]*[a-z0-9])?$'
+        required:
+        - name
+        - key
+    required:
+    - secret
 
   # The pattern for Image environment names.
   # Classic linux/shell,
diff --git a/tests/test_validate_job_schema.py b/tests/test_validate_job_schema.py
@@ -1,15 +1,15 @@
 # Tests for the schema validator.
 from typing import Any, Dict
+from copy import deepcopy
 
 import pytest
 pytestmark = pytest.mark.unit
 
 from decoder import decoder
 
-
-def test_validate_minimal():
-    # Arrange
-    text: Dict[str, Any] = {
+# A minimal Job Definition.
+# Tests can use this and adjust accordingly.
+_MINIMAL: Dict[str, Any] = {
         'kind': 'DataManagerJobDefinition',
         'kind-version': '2021.1',
         'collection': 'test',
@@ -22,6 +22,45 @@ def test_validate_minimal():
                                     'project-directory': '/data'},
                           'command': 'sys.exit(1)'}}}
 
+
+def test_validate_minimal():
+    # Arrange
+
+    # Act
+    error = decoder.validate_job_schema(_MINIMAL)
+
+    # Assert
+    assert error is None
+
+
+def test_validate_image_env_from_api_token():
+    # Arrange
+    text: Dict[str, Any] = deepcopy(_MINIMAL)
+    demo_job: Dict[str, Any] = text['jobs']['demo']
+    demo_job['image']['environment'] = \
+        [{'name': 'ENV_VAR',
+          'value-from': {
+              'api-token': {
+                  'roles': ['abc']}}}]
+
+    # Act
+    error = decoder.validate_job_schema(text)
+
+    # Assert
+    assert error is None
+
+
+def test_validate_image_env_from_secret():
+    # Arrange
+    text: Dict[str, Any] = deepcopy(_MINIMAL)
+    demo_job: Dict[str, Any] = text['jobs']['demo']
+    demo_job['image']['environment'] = \
+        [{'name': 'ENV_VAR',
+          'value-from': {
+              'secret': {
+                  'name': 'secret-a',
+                  'key': 'secret'}}}]
+
     # Act
     error = decoder.validate_job_schema(text)
 
