Adds secrets for pushsecret

Author: siddhibhor-56

test/e2e/e2e_suite_test.go

@@ -18,20 +18,17 @@ package e2e
 
 import (
 	"fmt"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"testing"
 
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
 var (
-	cfg           *rest.Config
-	k8sClientSet  *kubernetes.Clientset
-	dynamicClient dynamic.Interface
+	cfg *rest.Config
 )
 
 var _ = BeforeSuite(func() {
@@ -41,12 +38,6 @@ var _ = BeforeSuite(func() {
 
 	cfg, err = config.GetConfig() // This works both in-cluster and out-of-cluster
 	Expect(err).NotTo(HaveOccurred(), "failed to get kubeconfig")
-
-	k8sClientSet, err = kubernetes.NewForConfig(cfg)
-	Expect(err).NotTo(HaveOccurred(), "failed to create kube client")
-
-	dynamicClient, err = dynamic.NewForConfig(cfg)
-	Expect(err).NotTo(HaveOccurred(), "failed to create dynamic client")
 })
 
 // Run e2e tests using the Ginkgo runner.

test/e2e/e2e_test.go

@@ -1,37 +1,60 @@
+/*
+Copyright 2025.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package e2e
 
 import (
 	"context"
 	"embed"
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-	utils "github.com/openshift/external-secrets-operator/test/utils"
+	"encoding/base64"
+	"fmt"
+	"testing"
+	"time"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
-	"testing"
-	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/openshift/external-secrets-operator/test/utils"
 )
 
 //go:embed testdata/*
 var testassets embed.FS
 
 const (
-	operatorNamespace  = "external-secrets-operator"
-	operandNamespace   = "external-secrets"
-	secretStoreFile    = "testdata/aws_secret_store.yaml"
-	externalSecretFile = "testdata/aws_external_secret.yaml"
-	pushSecretFile     = "testdata/push_secret.yaml"
-	externalSecrets    = "testdata/external_secret.yaml"
+	operatorNamespace       = "external-secrets-operator"
+	operandNamespace        = "external-secrets"
+	secretStoreFile         = "testdata/aws_secret_store.yaml"
+	externalSecretFile      = "testdata/aws_external_secret.yaml"
+	pushSecretFile          = "testdata/push_secret.yaml"
+	externalSecrets         = "testdata/external_secret.yaml"
+	expectedSecretValueFile = "testdata/expected_value.yaml"
+	awsSecretToPushFile     = "testdata/aws_k8s_push_secret.yaml"
 )
 
-var _ = Describe("External Secrets Operator End-to-End", Ordered, func() {
+var _ = Describe("External Secrets Operator End-to-End test scenarios", Ordered, func() {
 	ctx := context.TODO()
 	var (
 		clientset     *kubernetes.Clientset
 		dynamicClient *dynamic.DynamicClient
 		loader        utils.DynamicResourceLoader
+		awsSecretName string
 	)
 
 	BeforeAll(func() {
@@ -44,20 +67,22 @@ var _ = Describe("External Secrets Operator End-to-End", Ordered, func() {
 		dynamicClient, err = dynamic.NewForConfig(cfg)
 		Expect(err).Should(BeNil())
 
+		awsSecretName = fmt.Sprintf("eso-e2e-secret-%s", utils.GetRandomString(5))
+
 		By("Waiting for external-secrets-operator controller-manager pod to be ready")
 		Expect(utils.VerifyPodsReadyByPrefix(ctx, clientset, operatorNamespace, []string{
 			"external-secrets-operator-controller-manager-",
 		})).To(Succeed())
 
-		By("Creating the ExternalSecrets Operator CR")
+		By("Creating the externalsecrets.openshift.operator.io/cluster CR")
 		loader.CreateFromFile(testassets.ReadFile, externalSecrets, operatorNamespace)
 	})
 
 	AfterAll(func() {
-		By("Deleting the ExternalSecrets Operator CR")
+		By("Deleting the externalsecrets.openshift.operator.io/cluster CR")
 		loader.DeleteFromFile(testassets.ReadFile, externalSecrets, operatorNamespace)
 
-		err := utils.DeleteAWSSecret("test/e2e", "eu-north-1")
+		err := utils.DeleteAWSSecret(awsSecretName, "ap-south-1")
 		Expect(err).NotTo(HaveOccurred(), "failed to delete AWS secret test/e2e")
 	})
 
@@ -70,7 +95,15 @@ var _ = Describe("External Secrets Operator End-to-End", Ordered, func() {
 		})).To(Succeed())
 	})
 
-	It("should create secrets from SecretStore and ExternalSecret", func() {
+	It("should create secrets mentioned in ExternalSecret using the referenced SecretStore", func() {
+		expectedSecretValue, err := utils.ReadExpectedSecretValue(expectedSecretValueFile)
+		Expect(err).To(Succeed())
+
+		By("Creating kubernetes secret to be used in PushSecret")
+		secretsAssetFunc := utils.ReplacePatternInAsset("${SECRET_VALUE}", base64.StdEncoding.EncodeToString(expectedSecretValue))
+		loader.CreateFromFile(secretsAssetFunc, awsSecretToPushFile, operandNamespace)
+		defer loader.DeleteFromFile(testassets.ReadFile, awsSecretToPushFile, operandNamespace)
+
 		By("Creating SecretStore")
 		loader.CreateFromFile(testassets.ReadFile, secretStoreFile, operandNamespace)
 		defer loader.DeleteFromFile(testassets.ReadFile, secretStoreFile, operandNamespace)
@@ -86,7 +119,8 @@ var _ = Describe("External Secrets Operator End-to-End", Ordered, func() {
 		)).To(Succeed())
 
 		By("Creating PushSecret")
-		loader.CreateFromFile(testassets.ReadFile, pushSecretFile, operandNamespace)
+		assetFunc := utils.ReplacePatternInAsset("${AWS_SECRET_KEY_NAME}", awsSecretName)
+		loader.CreateFromFile(assetFunc, pushSecretFile, operandNamespace)
 		defer loader.DeleteFromFile(testassets.ReadFile, pushSecretFile, operandNamespace)
 
 		By("Waiting for PushSecret to become Ready")
@@ -100,7 +134,7 @@ var _ = Describe("External Secrets Operator End-to-End", Ordered, func() {
 		)).To(Succeed())
 
 		By("Creating ExternalSecret")
-		loader.CreateFromFile(testassets.ReadFile, externalSecretFile, operandNamespace)
+		loader.CreateFromFile(assetFunc, externalSecretFile, operandNamespace)
 		defer loader.DeleteFromFile(testassets.ReadFile, externalSecretFile, operandNamespace)
 
 		By("Waiting for ExternalSecret to become Ready")
@@ -121,9 +155,7 @@ var _ = Describe("External Secrets Operator End-to-End", Ordered, func() {
 			val, ok := secret.Data["aws_secret_access_key"]
 			g.Expect(ok).To(BeTrue(), "aws_secret_access_key should be present in secret %s", secret.Name)
 
-			expectedValue := []byte("hqTTSYkFYgkw3OfQ9lFvQgtsReb1g1a+Po5Y/HNU")
-			g.Expect(val).To(Equal(expectedValue), "aws_secret_access_key does not match expected value")
-		}, time.Minute, 5*time.Second).Should(Succeed())
-
+			g.Expect(val).To(Equal(expectedSecretValue), "aws_secret_access_key does not match expected value")
+		}, time.Minute, 10*time.Second).Should(Succeed())
 	})
 })

test/e2e/testdata/aws_external_secret.yaml

@@ -1,6 +1,9 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
+  labels:
+    app.kubernetes.io/name: cluster
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
   name: aws-external-secret
   namespace: external-secrets
 spec:
@@ -14,5 +17,5 @@ spec:
   data:
     - secretKey: aws_secret_access_key  # This is the key in the Kubernetes Secret
       remoteRef:
-        key: test/e2e  # This is the name of the secret in AWS Secrets Manager
+        key: "${AWS_SECRET_KEY_NAME}"  # This is the name of the secret in AWS Secrets Manager
         property: aws_secret_access_key  # This is the key inside the AWS secret JSON

test/e2e/testdata/aws_k8s_push_secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/name: aws-k8s-push-secret
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
+  name: aws-k8s-push-secret
+  namespace: external-secrets
+data:
+  aws_secret_access_key: ${SECRET_VALUE}
+type: Opaque

test/e2e/testdata/aws_secret_store.yaml

@@ -1,12 +1,15 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
+  labels:
+    app.kubernetes.io/name: cluster
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
   name: aws-secret-store
 spec:
   provider:
     aws:
       service: SecretsManager
-      region: eu-north-1
+      region: ap-south-1
       auth:
         secretRef:
           accessKeyIDSecretRef:
@@ -17,4 +20,3 @@ spec:
             name: aws-creds
             key: aws_secret_access_key
             namespace: kube-system
-

test/e2e/testdata/expected_value.yaml

@@ -1 +1 @@
-hqTTSYkFYgkw3OfQ9lFvQgtsReb1g1a+Po5Y/HNU
+eso-e2e-sample-value

test/e2e/testdata/external_secret.yaml

@@ -2,7 +2,7 @@ apiVersion: operator.openshift.io/v1alpha1
 kind: ExternalSecrets
 metadata:
   labels:
-    app.kubernetes.io/name: external-secrets-operator
-    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: cluster
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
   name: cluster
-spec: {}
+spec: {}

test/e2e/testdata/push_secret.yaml

@@ -1,6 +1,9 @@
 apiVersion: external-secrets.io/v1alpha1
 kind: PushSecret
 metadata:
+  labels:
+    app.kubernetes.io/name: cluster
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
   name: aws-push-secret
   namespace: external-secrets
 spec:
@@ -10,16 +13,14 @@ spec:
       kind: ClusterSecretStore
   selector:
     secret:
-      name: aws-creds  # The source Kubernetes secret
+      name: aws-k8s-push-secret  # The source Kubernetes secret
   data:
     - match:
         secretKey: aws_secret_access_key      # The key inside the Kubernetes secret
         remoteRef:
-          remoteKey: test/e2e            # AWS Secrets Manager secret name
+          remoteKey: "${AWS_SECRET_KEY_NAME}" # AWS Secrets Manager secret name
           property: aws_secret_access_key     # Key inside the AWS secret JSON
   template:
     metadata:
       labels:
         pushed-by: eso
-  target:
-    creationPolicy: Owner

test/utils/conditions.go

@@ -3,21 +3,26 @@ package utils
 import (
 	"context"
 	"fmt"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+	"math/rand"
+	"os"
 	"strings"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws"
-	"github.com/aws/aws-sdk-go/aws/session"
-	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/secretsmanager"
 )
 
+type AssetFunc func(string) ([]byte, error)
+
 // VerifyPodsReadyByPrefix checks if all pods matching the given prefixes are Ready and ContainersReady.
 func VerifyPodsReadyByPrefix(ctx context.Context, clientset kubernetes.Interface, namespace string, prefixes []string) error {
 	return wait.PollUntilContextTimeout(ctx, 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
@@ -123,3 +128,32 @@ func DeleteAWSSecret(secretName, region string) error {
 	}
 	return nil
 }
+
+func ReadExpectedSecretValue(assetName string) ([]byte, error) {
+	expectedSecretValue, err := os.ReadFile(assetName)
+	return expectedSecretValue, err
+}
+
+// GetRandomString to create random string
+func GetRandomString(strLen int) string {
+	chars := "abcdefghijklmnopqrstuvwxyz0123456789"
+	seed := rand.New(rand.NewSource(time.Now().UnixNano()))
+	buffer := make([]byte, strLen)
+	for index := range buffer {
+		buffer[index] = chars[seed.Intn(len(chars))]
+	}
+	return string(buffer)
+}
+
+func ReplacePatternInAsset(replacePatternString ...string) AssetFunc {
+	return func(assetName string) ([]byte, error) {
+		fileContent, err := os.ReadFile(assetName)
+		if err != nil {
+			return nil, err
+		}
+
+		replacer := strings.NewReplacer(replacePatternString...)
+		replacedFileContent := replacer.Replace(string(fileContent))
+		return []byte(replacedFileContent), nil
+	}
+}