def test_secrets_in_environments(self, deployment, app_spec):
        """Check that secrets_in_environment adds a secretRef envFrom source.

        After KubernetesSecrets.apply() runs with secrets_in_environment
        enabled, the last envFrom entry of the first container must reference
        the Secret whose name equals the application name.
        """
        spec_with_env_secrets = app_spec._replace(secrets_in_environment=True)
        KubernetesSecrets().apply(deployment, spec_with_env_secrets)

        # Only the last envFrom source of the first container is inspected;
        # earlier sources are not checked by this test.
        first_container = deployment.spec.template.spec.containers[0]
        last_env_source = first_container.envFrom[-1]
        assert last_env_source.secretRef.name == spec_with_env_secrets.name
    def test_volumes(self, deployment, app_spec):
        """Check that KubernetesSecrets.apply() mounts the app Secret read-only.

        The last volume of the pod spec must be backed by the Secret named
        after the application, and the last volumeMount of the first container
        must mount that volume at /var/run/secrets/fiaas/ with readOnly set.
        """
        KubernetesSecrets().apply(deployment, app_spec)

        pod_spec = deployment.spec.template.spec
        volume = pod_spec.volumes[-1]
        assert volume.secret.secretName == app_spec.name

        mount = pod_spec.containers[0].volumeMounts[-1]
        assert mount.name == volume.name
        assert mount.mountPath == "/var/run/secrets/fiaas/"
        # Identity check on purpose: a merely truthy value is not accepted, the
        # mount has to be explicitly read-only.
        assert mount.readOnly is True
    def test_legacy_strongbox_secrets(self, deployment, app_spec):
        """Check that a legacy strongbox config becomes a "strongbox" SecretsSpec.

        An enabled StrongboxSpec on the app spec must reach
        GenericInitSecrets.apply() exactly once, as a SecretsSpec carrying the
        AWS region, the comma-joined secret groups and the IAM role annotation.
        """
        config = mock.create_autospec(Configuration([]), spec_set=True)
        config.strongbox_init_container_image = STRONGBOX_IMAGE

        strongbox = StrongboxSpec(
            enabled=True,
            iam_role="iam_role",
            aws_region="eu-west-1",
            groups=["group1", "group2"],
        )
        app_spec = app_spec._replace(strongbox=strongbox)

        def only_strongbox(_type):
            # The init-secrets double claims support for the strongbox type only.
            return _type == 'strongbox'

        init_secrets_double = mock.create_autospec(
            GenericInitSecrets(config), spec_set=True, instance=True)
        init_secrets_double.supports.side_effect = only_strongbox

        kubernetes_secrets_double = mock.create_autospec(
            KubernetesSecrets(), spec_set=True, instance=True)
        secrets = Secrets(config, kubernetes_secrets_double, init_secrets_double)

        # The IAM role is expected as an annotation, not as a parameter.
        wanted_parameters = {
            "AWS_REGION": "eu-west-1",
            "SECRET_GROUPS": "group1,group2",
        }
        wanted_annotations = {"iam.amazonaws.com/role": "iam_role"}
        expected_spec = SecretsSpec(type="strongbox",
                                    parameters=wanted_parameters,
                                    annotations=wanted_annotations)

        secrets.apply(deployment, app_spec)

        init_secrets_double.apply.assert_called_once_with(
            deployment, app_spec, expected_spec)
    def test_app_spec_secrets(self, deployment, app_spec):
        """Check that secrets declared on the app spec are passed through as-is.

        With app_spec.secrets set to APP_SPEC_SECRETS, Secrets.apply() must
        call GenericInitSecrets.apply() exactly once with the first entry of
        that list.
        """
        config = mock.create_autospec(Configuration([]), spec_set=True)
        app_spec = app_spec._replace(secrets=APP_SPEC_SECRETS)

        # supports() is left unconfigured on this double.
        init_secrets_double = mock.create_autospec(
            GenericInitSecrets(config), spec_set=True, instance=True)
        kubernetes_secrets_double = mock.create_autospec(
            KubernetesSecrets(), spec_set=True, instance=True)
        secrets = Secrets(config, kubernetes_secrets_double, init_secrets_double)

        expected_spec = APP_SPEC_SECRETS[0]

        secrets.apply(deployment, app_spec)

        init_secrets_double.apply.assert_called_once_with(
            deployment, app_spec, expected_spec)
    def test_default_secrets(self, deployment, app_spec):
        """Check the fallback to a "default" SecretsSpec.

        With a "default" entry in config.secret_init_containers and the
        app_spec fixture used unchanged, Secrets.apply() must call
        GenericInitSecrets.apply() exactly once with a SecretsSpec of type
        "default" that has empty parameters and annotations.
        """
        config = mock.create_autospec(Configuration([]), spec_set=True)
        config.secret_init_containers = {"default": DEFAULT_IMAGE}

        def only_default(_type):
            # The init-secrets double claims support for the default type only.
            return _type == 'default'

        init_secrets_double = mock.create_autospec(
            GenericInitSecrets(config), spec_set=True, instance=True)
        init_secrets_double.supports.side_effect = only_default

        kubernetes_secrets_double = mock.create_autospec(
            KubernetesSecrets(), spec_set=True, instance=True)
        secrets = Secrets(config, kubernetes_secrets_double, init_secrets_double)

        expected_spec = SecretsSpec(type="default", parameters={}, annotations={})

        secrets.apply(deployment, app_spec)

        init_secrets_double.apply.assert_called_once_with(
            deployment, app_spec, expected_spec)
 def kubernetes_secrets(self):
     """Return an autospecced double of a KubernetesSecrets instance.

     spec_set=True makes the double reject attributes that the real object
     does not have. Presumably used as a pytest fixture; the decorator is
     not visible here.
     """
     secrets_double = mock.create_autospec(KubernetesSecrets(),
                                           spec_set=True,
                                           instance=True)
     return secrets_double