Add tests for env var secrets in init containers

2020-12-21 21:17:01 +00:00 · 2020-12-21 21:17:01 +00:00 · 964b011a20
parent b97f94519a
commit 964b011a20
2 changed files with 53 additions and 1 deletions
--- a/checks/basic/unused_secrets.go
+++ b/checks/basic/unused_secrets.go
@ -112,7 +112,7 @@ func checkReferences(objects *kube.Objects) (map[kube.Identifier]struct{}, error
 				mu.Unlock()
 			}
 			identifiers := envVarsSecretRefs(pod.Spec.Containers, namespace)
-			identifiers = append(identifiers, checkEnvVars(pod.Spec.InitContainers, namespace)...)
+			identifiers = append(identifiers, envVarsSecretRefs(pod.Spec.InitContainers, namespace)...)
 			mu.Lock()
 			for _, i := range identifiers {
 				used[i] = empty
--- a/checks/basic/unused_secrets_test.go
+++ b/checks/basic/unused_secrets_test.go
@ -68,6 +68,16 @@ func TestUnusedSecretWarning(t *testing.T) {
 			objs:     secretEnvVarValueFromSource(),
 			expected: nil,
 		},
+		{
+			name:     "init container environment variable references secret",
+			objs:     initContainerSecretEnvSource(),
+			expected: nil,
+		},
+		{
+			name:     "init container environment variable value from references secret",
+			objs:     initContainerSecretEnvVarValueFromSource(),
+			expected: nil,
+		},
 		{
 			name:     "pod with image pull secrets",
 			objs:     imagePullSecrets(),
@ -183,6 +193,25 @@ func secretEnvSource() *kube.Objects {
 	return objs
 }

+func initContainerSecretEnvSource() *kube.Objects {
+	objs := initSecret()
+	objs.Pods.Items[0].Spec = corev1.PodSpec{
+		InitContainers: []corev1.Container{
+			{
+				Name:  "test-container",
+				Image: "docker.io/nginx",
+				EnvFrom: []corev1.EnvFromSource{
+					{
+						SecretRef: &corev1.SecretEnvSource{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+						},
+					},
+				},
+			}},
+	}
+	return objs
+}
+
 func secretEnvVarValueFromSource() *kube.Objects {
 	objs := initSecret()
 	objs.Pods.Items[0].Spec = corev1.PodSpec{
@ -206,6 +235,29 @@ func secretEnvVarValueFromSource() *kube.Objects {
 	return objs
 }

+func initContainerSecretEnvVarValueFromSource() *kube.Objects {
+	objs := initSecret()
+	objs.Pods.Items[0].Spec = corev1.PodSpec{
+		InitContainers: []corev1.Container{
+			{
+				Name:  "test-container",
+				Image: "docker.io/nginx",
+				Env: []corev1.EnvVar{
+					{
+						Name: "special_env_var",
+						ValueFrom: &corev1.EnvVarSource{
+							SecretKeyRef: &corev1.SecretKeySelector{
+								LocalObjectReference: corev1.LocalObjectReference{Name: "secret_foo"},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	return objs
+}
+
 func imagePullSecrets() *kube.Objects {
 	objs := initSecret()
 	objs.Pods.Items[0].Spec = corev1.PodSpec{