From 964b011a20d5bc0827f92e12b65b09ada94d1bf2 Mon Sep 17 00:00:00 2001
From: Stephen Paulger
Date: Mon, 21 Dec 2020 21:17:01 +0000
Subject: [PATCH] Add tests for env var secrets in init containers
---
 checks/basic/unused_secrets.go | 2 +-
 checks/basic/unused_secrets_test.go | 52 +++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/checks/basic/unused_secrets.go b/checks/basic/unused_secrets.go
index 18315f5..63c5efd 100644
--- a/checks/basic/unused_secrets.go
+++ b/checks/basic/unused_secrets.go
@@ -112,7 +112,7 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
 mu.Unlock()
 }
 identifiers := envVarsSecretRefs(pod.Spec.Containers, namespace)
- identifiers = append(identifiers, checkEnvVars(pod.Spec.InitContainers, namespace)...)
+ identifiers = append(identifiers, envVarsSecretRefs(pod.Spec.InitContainers, namespace)...)
 mu.Lock()
 for _, i := range identifiers {
 used[i] = empty
diff --git a/checks/basic/unused_secrets_test.go b/checks/basic/unused_secrets_test.go
index 737e33a..335ed57 100644
--- a/checks/basic/unused_secrets_test.go
+++ b/checks/basic/unused_secrets_test.go
@@ -68,6 +68,16 @@ func TestUnusedSecretWarning(t *testing.T) {
 objs: secretEnvVarValueFromSource(),
 expected: nil,
 },
+ {
+ name: "init container environment variable references secret",
+ objs: initContainerSecretEnvSource(),
+ expected: nil,
+ },
+ {
+ name: "init container environment variable value from references secret",
+ objs: initContainerSecretEnvVarValueFromSource(),
+ expected: nil,
+ },
 {
 name: "pod with image pull secrets",
 objs: imagePullSecrets(),
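Review bot: The corrected `+` line deserves a why-comment, because nothing around it says why init containers are scanned: a Secret referenced only from an init container is still in use, and reporting it as unused invites an operator to delete it and break pod startup. Suggest `// Init containers can consume secrets via env/envFrom too; a secret used only there is still in use.` directly above the append. The replaced call to checkEnvVars suggests the init-container path previously produced something other than secret references, so the test cases this commit adds (a secret referenced only from an init container, expecting no diagnostic) are the right regression guard. If the Kubernetes API version this project builds against exposes pod.Spec.EphemeralContainers, their Env/EnvFrom are not scanned here either, which is worth a follow-up or at least a comment noting the gap. checkReferences starts and ends outside the hunk.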
@@ -183,6 +193,25 @@ func secretEnvSource() *kube.Objects {
 return objs
 }
 
+func initContainerSecretEnvSource() *kube.Objects {
+ objs := initSecret()
+ objs.Pods.Items[0].Spec = corev1.PodSpec{
+ InitContainers: []corev1.Container{
+ {
+ Name: "test-container",
+ Image: "docker.io/nginx",
+ EnvFrom: []corev1.EnvFromSource{
+ {
+ SecretRef: &corev1.SecretEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+ },
+ },
+ },
+ }},
+ }
+ return objs
+}
+
 func secretEnvVarValueFromSource() *kube.Objects {
 objs := initSecret()
 objs.Pods.Items[0].Spec = corev1.PodSpec{
@@ -206,6 +235,29 @@ func secretEnvVarValueFromSource() *kube.Objects {
 return objs
 }
 
+func initContainerSecretEnvVarValueFromSource() *kube.Objects {
+ objs := initSecret()
+ objs.Pods.Items[0].Spec = corev1.PodSpec{
+ InitContainers: []corev1.Container{
+ {
+ Name: "test-container",
+ Image: "docker.io/nginx",
+ Env: []corev1.EnvVar{
+ {
+ Name: "special_env_var",
+ ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+ return objs
+}
+
 func imagePullSecrets() *kube.Objects {
 objs := initSecret()
 objs.Pods.Items[0].Spec = corev1.PodSpec{
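Review bot: The two new fixtures close their composite literals in different styles — initContainerSecretEnvSource here ends the container slice with `}},` on one line, while initContainerSecretEnvVarValueFromSource in the @@ -206 hunk uses a separate `},` per level — and both appear to mirror the existing secretEnvSource/secretEnvVarValueFromSource bodies with only Containers swapped for InitContainers. Both forms are gofmt-clean, but picking one makes the fixtures readable side by side; the multi-line form in the second hunk is the easier one to diff later. If the existing helpers really differ only in that field, a small builder that takes the PodSpec field to populate would remove the duplication, though explicit fixtures are also a defensible choice in test code. The context lines belong to secretEnvSource and secretEnvVarValueFromSource, whose bodies are only partly visible in this hunk.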