CLOUD-789 - adding password leak check in demand-backup, init-deploy, monitoring-2-0 (#1282)

ptankov · tplavcic · web-flow · commit 2494706fa68f · 2023-08-07T10:01:31.000+02:00
* adding password leak check in demand-backup, init-deploy, monitoring-2-0

* CLOUD-789 - Add password leak check into demand-backup-sharded test

* Remove bash to lowercase conversion so it works on older bash

---------

Co-authored-by: Tomislav Plavcic &lt;tomislav.plavcic@percona.com&gt;
diff --git a/e2e-tests/demand-backup-sharded/run b/e2e-tests/demand-backup-sharded/run
@@ -176,5 +176,8 @@ if [ -z "$SKIP_BACKUPS_TO_AWS_GCP_AZURE" ]; then
 	check_backup_deletion "https://engk8soperators.blob.core.windows.net/operator-testing/${backup_dest_azure}" "azure-blob"
 fi
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 kubectl_bin delete -f "$conf_dir/container-rc.yaml"
 destroy "$namespace"
diff --git a/e2e-tests/demand-backup/run b/e2e-tests/demand-backup/run
@@ -180,6 +180,9 @@ if [ -z "$SKIP_BACKUPS_TO_AWS_GCP_AZURE" ]; then
 	check_backup_deletion "https://engk8soperators.blob.core.windows.net/operator-testing/${backup_dest_azure}" "azure-blob"
 fi
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 destroy $namespace
 
 desc 'test passed'
diff --git a/e2e-tests/functions b/e2e-tests/functions
@@ -1217,3 +1217,45 @@ function get_mongod_ver_from_image() {
 	fi
 	echo ${version_info}
 }
+
+check_passwords_leak() {
+	secrets=$(kubectl_bin get secrets -o json | jq -r '.items[].data | to_entries | .[] | select(.key | (contains("_PASSWORD"))) | .value')
+	echo secrets=$secrets
+
+	passwords="$(for i in $secrets; do base64 -d <<< $i; echo; done) $secrets"
+	echo passwords=$passwords
+
+	pods=$(kubectl_bin get pods -o name | awk -F "/" '{print $2}')
+	echo pods=$pods
+
+	TEMP_DIR=$(mktemp -d)
+
+	collect_logs() {
+		NS=$1
+		for p in $pods; do
+			containers=$(kubectl_bin -n "$NS" get pod $p -o jsonpath='{.spec.containers[*].name}')
+			for c in $containers; do
+				# temporary, because of: https://jira.percona.com/browse/PMM-8357
+				if [[ ${c} =~ "pmm" ]]; then
+					continue
+				fi
+				kubectl_bin -n "$NS" logs $p -c $c > ${TEMP_DIR}/logs_output-$p-$c.txt
+				echo logs saved in: ${TEMP_DIR}/logs_output-$p-$c.txt
+				for pass in $passwords; do
+					count=$(grep -c --fixed-strings -- "$pass" ${TEMP_DIR}/logs_output-$p-$c.txt || :)
+					if [[ $count != 0 ]]; then
+						echo leaked passwords are found in log ${TEMP_DIR}/logs_output-$p-$c.txt
+						false
+					fi
+				done
+			done
+			echo
+		done
+	}
+
+	collect_logs $namespace
+	if [ -n "$OPERATOR_NS" ]; then
+		pods=$(kubectl_bin -n "${OPERATOR_NS}" get pods -o name | awk -F "/" '{print $2}')
+		collect_logs $OPERATOR_NS
+	fi
+}
diff --git a/e2e-tests/init-deploy/run b/e2e-tests/init-deploy/run
@@ -97,6 +97,9 @@ compare_mongo_cmd "find" "myApp:myPass@$cluster2-0.$cluster2.$namespace" "-3rd"
 compare_mongo_cmd "find" "myApp:myPass@$cluster2-1.$cluster2.$namespace" "-3rd"
 compare_mongo_cmd "find" "myApp:myPass@$cluster2-2.$cluster2.$namespace" "-3rd"
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 desc 'delete custom RuntimeClass'
 kubectl_bin delete -f "$conf_dir/container-rc.yaml"
 destroy $namespace
diff --git a/e2e-tests/monitoring-2-0/run b/e2e-tests/monitoring-2-0/run
@@ -91,6 +91,9 @@ if [[ -n ${OPENSHIFT} ]]; then
 	oc adm policy remove-scc-from-user privileged -z percona-server-mongodb-operator
 fi
 
+desc 'check for passwords leak'
+check_passwords_leak
+
 helm uninstall monitoring
 destroy $namespace
 
