1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-15 17:51:01 +00:00

leverage IBM provider's latest API to get the secret by name (#2750)

This commit is contained in:
Shanti G 2023-10-11 10:05:53 +05:30 committed by GitHub
parent 6aa1318cc5
commit 583b919cb7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 229 additions and 86 deletions

View file

@ -197,12 +197,18 @@ Below example creates a kubernetes secret based on ID of the secret in Secrets M
{% include 'ibm-external-secret.yaml' %}
```
Alternatively, secret name can be specified instead of secret ID. However, note that ESO makes an additional call to fetch the relevant secret ID for the specified secret name.
Alternatively, the secret name along with its secret group name can be specified instead of secret ID to fetch the secret.
```yaml
{% include 'ibm-external-secret-by-name.yaml' %}
```
Please note that the below mechanism to get the secret by name is deprecated and not supported.
```yaml
{% include 'ibm-external-secret-by-name-deprecated.yaml' %}
```
### Getting the Kubernetes secret
The operator will fetch the IBM Secret Manager secret and inject it as a `Kind=Secret`
```

View file

@ -0,0 +1,22 @@
# NOTE: Below way of fetching the secret by name is deprecated and not supported.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
spec:
refreshInterval: 60m
secretStoreRef:
name: ibm-store
kind: SecretStore
target:
name: database-credentials
creationPolicy: Owner
data:
- secretKey: username
remoteRef:
key: username_password/<SECRET_NAME>
property: username
- secretKey: password
remoteRef:
key: username_password/<SECRET_NAME>
property: password

View file

@ -13,9 +13,9 @@ spec:
data:
- secretKey: username
remoteRef:
key: username_password/<SECRET_NAME>
key: <SECRET_GROUP_NAME>/username_password/<SECRET_NAME>
property: username
- secretKey: password
remoteRef:
key: username_password/<SECRET_NAME>
key: <SECRET_GROUP_NAME>/username_password/<SECRET_NAME>
property: password

View file

@ -69,9 +69,10 @@ const (
CallKubernetesUpdateSecret = "UpdateSecret"
CallKubernetesCreateSelfSubjectRulesReview = "CreateSelfSubjectRulesReview"
ProviderIBMSM = "IBM/SecretsManager"
CallIBMSMGetSecret = "GetSecret"
CallIBMSMListSecrets = "ListSecrets"
ProviderIBMSM = "IBM/SecretsManager"
CallIBMSMGetSecret = "GetSecret"
CallIBMSMListSecrets = "ListSecrets"
CallIBMSMGetSecretByNameType = "GetSecretByNameType"
ProviderWebhook = "Webhook"
CallWebhookHTTPReq = "HTTPRequest"

View file

@ -24,17 +24,21 @@ import (
)
type IBMMockClient struct {
getSecretWithContext func(ctx context.Context, getSecretOptions *sm.GetSecretOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)
listSecretsWithContext func(ctx context.Context, listSecretsOptions *sm.ListSecretsOptions) (result *sm.SecretMetadataPaginatedCollection, response *core.DetailedResponse, err error)
getSecretWithContext func(ctx context.Context, getSecretOptions *sm.GetSecretOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)
listSecretsWithContext func(ctx context.Context, listSecretsOptions *sm.ListSecretsOptions) (result *sm.SecretMetadataPaginatedCollection, response *core.DetailedResponse, err error)
getSecretByNameTypeWithContext func(ctx context.Context, getSecretByNameTypeOptions *sm.GetSecretByNameTypeOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)
}
type IBMMockClientParams struct {
GetSecretOptions *sm.GetSecretOptions
GetSecretOutput sm.SecretIntf
GetSecretErr error
ListSecretsOptions *sm.ListSecretsOptions
ListSecretsOutput *sm.SecretMetadataPaginatedCollection
ListSecretsErr error
GetSecretOptions *sm.GetSecretOptions
GetSecretOutput sm.SecretIntf
GetSecretErr error
ListSecretsOptions *sm.ListSecretsOptions
ListSecretsOutput *sm.SecretMetadataPaginatedCollection
ListSecretsErr error
GetSecretByNameOptions *sm.GetSecretByNameTypeOptions
GetSecretByNameOutput sm.SecretIntf
GetSecretByNameErr error
}
func (mc *IBMMockClient) GetSecretWithContext(ctx context.Context, getSecretOptions *sm.GetSecretOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error) {
@ -45,6 +49,10 @@ func (mc *IBMMockClient) ListSecretsWithContext(ctx context.Context, listSecrets
return mc.listSecretsWithContext(ctx, listSecretsOptions)
}
func (mc *IBMMockClient) GetSecretByNameTypeWithContext(ctx context.Context, getSecretByNameTypeOptions *sm.GetSecretByNameTypeOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error) {
return mc.getSecretByNameTypeWithContext(ctx, getSecretByNameTypeOptions)
}
func (mc *IBMMockClient) WithValue(params IBMMockClientParams) {
if mc != nil {
mc.getSecretWithContext = func(ctx context.Context, paramReq *sm.GetSecretOptions) (sm.SecretIntf, *core.DetailedResponse, error) {
@ -63,5 +71,13 @@ func (mc *IBMMockClient) WithValue(params IBMMockClientParams) {
}
return params.ListSecretsOutput, nil, params.ListSecretsErr
}
mc.getSecretByNameTypeWithContext = func(ctx context.Context, paramReq *sm.GetSecretByNameTypeOptions) (sm.SecretIntf, *core.DetailedResponse, error) {
// type secretmanagerpb.AccessSecretVersionRequest contains unexported fields
// use cmpopts.IgnoreUnexported to ignore all the unexported fields in the cmp.
if !cmp.Equal(paramReq, params.GetSecretByNameOptions, cmpopts.IgnoreUnexported(sm.Secret{})) {
return nil, nil, fmt.Errorf("unexpected test argument for GetSecretByNameType: %s, %s", *paramReq.Name, *params.GetSecretByNameOptions.Name)
}
return params.GetSecretByNameOutput, nil, params.GetSecretByNameErr
}
}
}

View file

@ -77,6 +77,7 @@ var (
type SecretManagerClient interface {
GetSecretWithContext(ctx context.Context, getSecretOptions *sm.GetSecretOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)
ListSecretsWithContext(ctx context.Context, listSecretsOptions *sm.ListSecretsOptions) (result *sm.SecretMetadataPaginatedCollection, response *core.DetailedResponse, err error)
GetSecretByNameTypeWithContext(ctx context.Context, getSecretByNameTypeOptions *sm.GetSecretByNameTypeOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)
}
type providerIBM struct {
@ -143,29 +144,35 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
return nil, fmt.Errorf(errUninitalizedIBMProvider)
}
var secretGroupName string
secretType := sm.Secret_SecretType_Arbitrary
secretName := ref.Key
nameSplitted := strings.Split(secretName, "/")
if len(nameSplitted) > 1 {
switch len(nameSplitted) {
case 2:
secretType = nameSplitted[0]
secretName = nameSplitted[1]
case 3:
secretGroupName = nameSplitted[0]
secretType = nameSplitted[1]
secretName = nameSplitted[2]
}
switch secretType {
case sm.Secret_SecretType_Arbitrary:
return getArbitrarySecret(ibm, &secretName)
return getArbitrarySecret(ibm, &secretName, secretGroupName)
case sm.Secret_SecretType_UsernamePassword:
if ref.Property == "" {
return nil, fmt.Errorf("remoteRef.property required for secret type username_password")
}
return getUsernamePasswordSecret(ibm, &secretName, ref)
return getUsernamePasswordSecret(ibm, &secretName, ref, secretGroupName)
case sm.Secret_SecretType_IamCredentials:
return getIamCredentialsSecret(ibm, &secretName)
return getIamCredentialsSecret(ibm, &secretName, secretGroupName)
case sm.Secret_SecretType_ImportedCert:
@ -173,7 +180,7 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
return nil, fmt.Errorf("remoteRef.property required for secret type imported_cert")
}
return getImportCertSecret(ibm, &secretName, ref)
return getImportCertSecret(ibm, &secretName, ref, secretGroupName)
case sm.Secret_SecretType_PublicCert:
@ -181,7 +188,7 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
return nil, fmt.Errorf("remoteRef.property required for secret type public_cert")
}
return getPublicCertSecret(ibm, &secretName, ref)
return getPublicCertSecret(ibm, &secretName, ref, secretGroupName)
case sm.Secret_SecretType_PrivateCert:
@ -189,11 +196,11 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
return nil, fmt.Errorf("remoteRef.property required for secret type private_cert")
}
return getPrivateCertSecret(ibm, &secretName, ref)
return getPrivateCertSecret(ibm, &secretName, ref, secretGroupName)
case sm.Secret_SecretType_Kv:
response, err := getSecretData(ibm, &secretName, sm.Secret_SecretType_Kv)
response, err := getSecretData(ibm, &secretName, sm.Secret_SecretType_Kv, secretGroupName)
if err != nil {
return nil, err
}
@ -208,8 +215,8 @@ func (ibm *providerIBM) GetSecret(_ context.Context, ref esv1beta1.ExternalSecre
}
}
func getArbitrarySecret(ibm *providerIBM, secretName *string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_Arbitrary)
func getArbitrarySecret(ibm *providerIBM, secretName *string, secretGroupName string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_Arbitrary, secretGroupName)
if err != nil {
return nil, err
}
@ -223,8 +230,8 @@ func getArbitrarySecret(ibm *providerIBM, secretName *string) ([]byte, error) {
return nil, fmt.Errorf("key %s does not exist in secret %s", payloadConst, *secretName)
}
func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_ImportedCert)
func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef, secretGroupName string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_ImportedCert, secretGroupName)
if err != nil {
return nil, err
}
@ -244,8 +251,8 @@ func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.Ext
return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
}
func getPublicCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_PublicCert)
func getPublicCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef, secretGroupName string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_PublicCert, secretGroupName)
if err != nil {
return nil, err
}
@ -259,8 +266,8 @@ func getPublicCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.Ext
return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
}
func getPrivateCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_PrivateCert)
func getPrivateCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef, secretGroupName string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_PrivateCert, secretGroupName)
if err != nil {
return nil, err
}
@ -274,8 +281,8 @@ func getPrivateCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.Ex
return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
}
func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_IamCredentials)
func getIamCredentialsSecret(ibm *providerIBM, secretName *string, secretGroupName string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_IamCredentials, secretGroupName)
if err != nil {
return nil, err
}
@ -289,8 +296,8 @@ func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, erro
return nil, fmt.Errorf("key %s does not exist in secret %s", smAPIKeyConst, *secretName)
}
func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_UsernamePassword)
func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef, secretGroupName string) ([]byte, error) {
response, err := getSecretData(ibm, secretName, sm.Secret_SecretType_UsernamePassword, secretGroupName)
if err != nil {
return nil, err
}
@ -348,26 +355,46 @@ func getKVSecret(ref esv1beta1.ExternalSecretDataRemoteRef, secret *sm.KVSecret)
return nil, fmt.Errorf("no property provided for secret %s", ref.Key)
}
func getSecretData(ibm *providerIBM, secretName *string, secretType string) (sm.SecretIntf, error) {
func getSecretData(ibm *providerIBM, secretName *string, secretType, secretGroupName string) (sm.SecretIntf, error) {
var givenName *string
var cachedKey string
// parse given secretName for a uuid or a secret name
_, err := uuid.Parse(*secretName)
if err != nil {
givenName = secretName
cachedKey = fmt.Sprintf("%s/%s", secretType, *givenName)
isCached, cacheData := ibm.cache.GetData(cachedKey)
tmp := string(cacheData)
cachedName := &tmp
if isCached && *cachedName != "" {
secretName = cachedName
// secret name has been provided instead of id
if secretGroupName == "" {
// secret group name is not provided, follow the existing mechanism
// once this mechanism is deprecated, this flow will not be supported, and error will be thrown instead
givenName = secretName
cachedKey = fmt.Sprintf("%s/%s", secretType, *givenName)
isCached, cacheData := ibm.cache.GetData(cachedKey)
tmp := string(cacheData)
cachedName := &tmp
if isCached && *cachedName != "" {
secretName = cachedName
} else {
secretName, err = findSecretByName(ibm, givenName, secretType)
if err != nil {
return nil, err
}
ibm.cache.PutData(cachedKey, []byte(*secretName))
}
} else {
secretName, err = findSecretByName(ibm, givenName, secretType)
// secret group name is provided along with secret name, follow the new mechanism by calling GetSecretByNameTypeWithContext
ctx, cancel := context.WithTimeout(context.Background(), contextTimeout)
defer cancel()
response, _, err := ibm.IBMClient.GetSecretByNameTypeWithContext(
ctx,
&sm.GetSecretByNameTypeOptions{
Name: secretName,
SecretGroupName: &secretGroupName,
SecretType: &secretType,
})
metrics.ObserveAPICall(constants.ProviderIBMSM, constants.CallIBMSMGetSecretByNameType, err)
if err != nil {
return nil, err
}
ibm.cache.PutData(cachedKey, []byte(*secretName))
return response, nil
}
}
@ -421,19 +448,23 @@ func (ibm *providerIBM) GetSecretMap(_ context.Context, ref esv1beta1.ExternalSe
if utils.IsNil(ibm.IBMClient) {
return nil, fmt.Errorf(errUninitalizedIBMProvider)
}
var secretGroupName string
secretType := sm.Secret_SecretType_Arbitrary
secretName := ref.Key
nameSplitted := strings.Split(secretName, "/")
if len(nameSplitted) > 1 {
switch len(nameSplitted) {
case 2:
secretType = nameSplitted[0]
secretName = nameSplitted[1]
case 3:
secretGroupName = nameSplitted[0]
secretType = nameSplitted[1]
secretName = nameSplitted[2]
}
secretMap := make(map[string][]byte)
secMapBytes := make(map[string][]byte)
response, err := getSecretData(ibm, &secretName, secretType)
response, err := getSecretData(ibm, &secretName, secretType, secretGroupName)
if err != nil {
return nil, err
}

View file

@ -44,44 +44,53 @@ const (
)
type secretManagerTestCase struct {
name string
mockClient *fakesm.IBMMockClient
apiInput *sm.GetSecretOptions
apiOutput sm.SecretIntf
listInput *sm.ListSecretsOptions
listOutput *sm.SecretMetadataPaginatedCollection
listError error
ref *esv1beta1.ExternalSecretDataRemoteRef
serviceURL *string
apiErr error
expectError string
expectedSecret string
name string
mockClient *fakesm.IBMMockClient
apiInput *sm.GetSecretOptions
apiOutput sm.SecretIntf
listInput *sm.ListSecretsOptions
listOutput *sm.SecretMetadataPaginatedCollection
listError error
getByNameInput *sm.GetSecretByNameTypeOptions
getByNameOutput sm.SecretIntf
getByNameError error
ref *esv1beta1.ExternalSecretDataRemoteRef
serviceURL *string
apiErr error
expectError string
expectedSecret string
// for testing secretmap
expectedData map[string][]byte
}
func makeValidSecretManagerTestCase() *secretManagerTestCase {
smtc := secretManagerTestCase{
mockClient: &fakesm.IBMMockClient{},
apiInput: makeValidAPIInput(),
ref: makeValidRef(),
apiOutput: makeValidAPIOutput(),
listInput: makeValidListInput(),
listOutput: makeValidListSecretsOutput(),
listError: nil,
serviceURL: nil,
apiErr: nil,
expectError: "",
expectedSecret: "",
expectedData: map[string][]byte{},
mockClient: &fakesm.IBMMockClient{},
apiInput: makeValidAPIInput(),
ref: makeValidRef(),
apiOutput: makeValidAPIOutput(),
listInput: makeValidListInput(),
listOutput: makeValidListSecretsOutput(),
listError: nil,
getByNameInput: makeValidGetByNameInput(),
getByNameOutput: makeValidGetByNameOutput(),
getByNameError: nil,
serviceURL: nil,
apiErr: nil,
expectError: "",
expectedSecret: "",
expectedData: map[string][]byte{},
}
mcParams := fakesm.IBMMockClientParams{
GetSecretOptions: smtc.apiInput,
GetSecretOutput: smtc.apiOutput,
GetSecretErr: smtc.apiErr,
ListSecretsOptions: smtc.listInput,
ListSecretsOutput: smtc.listOutput,
ListSecretsErr: smtc.listError,
GetSecretOptions: smtc.apiInput,
GetSecretOutput: smtc.apiOutput,
GetSecretErr: smtc.apiErr,
ListSecretsOptions: smtc.listInput,
ListSecretsOutput: smtc.listOutput,
ListSecretsErr: smtc.listError,
GetSecretByNameOptions: smtc.getByNameInput,
GetSecretByNameOutput: smtc.getByNameOutput,
GetSecretByNameErr: smtc.getByNameError,
}
smtc.mockClient.WithValue(mcParams)
return &smtc
@ -110,6 +119,20 @@ func makeValidAPIOutput() sm.SecretIntf {
return i
}
func makeValidGetByNameInput() *sm.GetSecretByNameTypeOptions {
return &sm.GetSecretByNameTypeOptions{}
}
func makeValidGetByNameOutput() sm.SecretIntf {
secret := &sm.Secret{
SecretType: utilpointer.To(sm.Secret_SecretType_Arbitrary),
Name: utilpointer.To("testyname"),
ID: utilpointer.To(secretUUID),
}
var i sm.SecretIntf = secret
return i
}
func makeValidListSecretsOutput() *sm.SecretMetadataPaginatedCollection {
list := sm.SecretMetadataPaginatedCollection{}
return &list
@ -126,12 +149,15 @@ func makeValidSecretManagerTestCaseCustom(tweaks ...func(smtc *secretManagerTest
fn(smtc)
}
mcParams := fakesm.IBMMockClientParams{
GetSecretOptions: smtc.apiInput,
GetSecretOutput: smtc.apiOutput,
GetSecretErr: smtc.apiErr,
ListSecretsOptions: smtc.listInput,
ListSecretsOutput: smtc.listOutput,
ListSecretsErr: smtc.listError,
GetSecretOptions: smtc.apiInput,
GetSecretOutput: smtc.apiOutput,
GetSecretErr: smtc.apiErr,
ListSecretsOptions: smtc.listInput,
ListSecretsOutput: smtc.listOutput,
ListSecretsErr: smtc.listError,
GetSecretByNameOptions: smtc.getByNameInput,
GetSecretByNameOutput: smtc.getByNameOutput,
GetSecretByNameErr: smtc.apiErr,
}
smtc.mockClient.WithValue(mcParams)
return smtc
@ -341,6 +367,26 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
setSecretIamByID := funcSetSecretIam(secretUUID, "good case: iam_credenatials type - get API Key by ID")
setSecretIamByName := funcSetSecretIam("testyname", "good case: iam_credenatials type - get API Key by name")
funcSetSecretIamNew := func(secretName, groupName, name string) func(*secretManagerTestCase) {
return func(smtc *secretManagerTestCase) {
secret := &sm.IAMCredentialsSecret{
SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
Name: utilpointer.To("testyname"),
ID: utilpointer.To(secretUUID),
ApiKey: utilpointer.To(secretAPIKey),
}
smtc.getByNameInput.Name = &secretName
smtc.getByNameInput.SecretGroupName = &groupName
smtc.getByNameInput.SecretType = utilpointer.To(sm.Secret_SecretType_IamCredentials)
smtc.name = name
smtc.getByNameOutput = secret
smtc.ref.Key = groupName + "/" + iamCredentialsSecret + secretName
smtc.expectedSecret = secretAPIKey
}
}
setSecretIamByNameNew := funcSetSecretIamNew("testyname", "testGroup", "good case: iam_credenatials type - get API Key by name - new mechanism")
funcSetCertSecretTest := func(secret sm.SecretIntf, name, certType string, good bool) func(*secretManagerTestCase) {
return func(smtc *secretManagerTestCase) {
smtc.name = name
@ -542,6 +588,7 @@ func TestIBMSecretManagerGetSecret(t *testing.T) {
makeValidSecretManagerTestCaseCustom(badSecretPublicCert),
makeValidSecretManagerTestCaseCustom(setSecretPrivateCert),
makeValidSecretManagerTestCaseCustom(badSecretPrivateCert),
makeValidSecretManagerTestCaseCustom(setSecretIamByNameNew),
}
sm := providerIBM{}
@ -629,6 +676,25 @@ func TestGetSecretMap(t *testing.T) {
smtc.expectedData["apikey"] = []byte(secretAPIKey)
}
// good case: iam_credentials by name using new mechanism
setSecretIamByName := func(smtc *secretManagerTestCase) {
secret := &sm.IAMCredentialsSecret{
Name: utilpointer.To("testyname"),
ID: utilpointer.To(secretUUID),
SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
ApiKey: utilpointer.To(secretAPIKey),
}
smtc.name = "good case: iam_credentials by name using new mechanism"
smtc.getByNameInput.Name = utilpointer.To("testyname")
smtc.getByNameInput.SecretGroupName = utilpointer.To("groupName")
smtc.getByNameInput.SecretType = utilpointer.To(sm.Secret_SecretType_IamCredentials)
smtc.getByNameOutput = secret
smtc.apiOutput = secret
smtc.ref.Key = "groupName/" + iamCredentialsSecret + "testyname"
smtc.expectedData["apikey"] = []byte(secretAPIKey)
}
// bad case: iam_credentials of a destroyed secret
badSecretIam := func(smtc *secretManagerTestCase) {
secret := &sm.IAMCredentialsSecret{
@ -636,7 +702,7 @@ func TestGetSecretMap(t *testing.T) {
ID: utilpointer.To(secretUUID),
SecretType: utilpointer.To(sm.Secret_SecretType_IamCredentials),
}
smtc.name = "good case: iam_credentials"
smtc.name = "bad case: iam_credentials of a destroyed secret"
smtc.apiInput.ID = utilpointer.To(secretUUID)
smtc.apiOutput = secret
smtc.ref.Key = iamCredentialsSecret + secretUUID
@ -1086,6 +1152,7 @@ func TestGetSecretMap(t *testing.T) {
makeValidSecretManagerTestCaseCustom(setPrivateCertWithMetadata),
makeValidSecretManagerTestCaseCustom(setSecretKVWithMetadata),
makeValidSecretManagerTestCaseCustom(setSecretIamWithoutMetadata),
makeValidSecretManagerTestCaseCustom(setSecretIamByName),
}
sm := providerIBM{}