mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2025-11-23 21:44:44 +02:00

Prevent secrets from leaking to Kubernetes API Server logs (#5305)

Harri Avellan
2025-07-14 17:45:13 +03:00
committed by GitHub
parent b382287170
commit 5c00b9d74b
9 changed files with 369 additions and 15 deletions


@@ -177,6 +177,7 @@ func TestTinyPod(t *testing.T) {
pod, err := mkPod(&types.Step{
Name: "build-via-gradle",
Image: "gradle:8.4.0-jdk21",
UUID: "01he8bebctabr3kgk0qj36d2me-0",
WorkingDir: "/woodpecker/src",
Pull: false,
Privileged: false,
@@ -415,6 +416,7 @@ func TestPodPrivilege(t *testing.T) {
return mkPod(&types.Step{
Name: "go-test",
Image: "golang:1.16",
UUID: "01he8bebctabr3kgk0qj36d2me-0",
Privileged: stepPrivileged,
}, &config{
Namespace: "woodpecker",
@@ -525,6 +527,7 @@ func TestScratchPod(t *testing.T) {
pod, err := mkPod(&types.Step{
Name: "curl-google",
Image: "quay.io/curl/curl",
UUID: "01he8bebctabr3kgk0qj36d2me-0",
Entrypoint: []string{"/usr/bin/curl", "-v", "google.com"},
}, &config{
Namespace: "woodpecker",
@@ -623,6 +626,7 @@ func TestSecrets(t *testing.T) {
pod, err := mkPod(&types.Step{
Name: "test-secrets",
Image: "alpine",
UUID: "01he8bebctabr3kgk0qj36d2me-0",
Environment: map[string]string{"CGO": "0"},
Volumes: []string{"workspace:/woodpecker/src"},
}, &config{
@@ -657,3 +661,35 @@ func TestSecrets(t *testing.T) {
ja := jsonassert.New(t)
ja.Assertf(string(podJSON), expected)
}
func TestStepSecret(t *testing.T) {
const expected = `{
"metadata": {
"name": "wp-01he8bebctabr3kgk0qj36d2me-0-step-secret",
"namespace": "woodpecker",
"creationTimestamp": null
},
"type": "Opaque",
"stringData": {
"VERY_SECRET": "secret_value"
}
}`
secret, err := mkStepSecret(&types.Step{
UUID: "01he8bebctabr3kgk0qj36d2me-0",
Name: "go-test",
Image: "meltwater/drone-cache",
SecretMapping: map[string]string{
"VERY_SECRET": "secret_value",
},
}, &config{
Namespace: "woodpecker",
})
assert.NoError(t, err)
secretJSON, err := json.Marshal(secret)
assert.NoError(t, err)
ja := jsonassert.New(t)
ja.Assertf(string(secretJSON), expected)
}
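Review bot: TestStepSecret only checks the Secret object that mkStepSecret builds, so nothing visible in this file asserts the property the commit is named for: that a mapped secret value no longer appears inline in the pod spec. TestSecrets (the hunk at -623) builds its step with `Environment` but no `SecretMapping`, and its expected JSON lies outside the hunk, so the pod-side path may already be covered there; from these lines it looks untested. I would add a pod test whose step carries `SecretMapping: map[string]string{"VERY_SECRET": "secret_value"}` and end it with `assert.NotContains(t, string(podJSON), "secret_value")`, plus an assertion that the container env refers to `wp-01he8bebctabr3kgk0qj36d2me-0-step-secret` by name. The new test would also read better with a doc comment such as `// TestStepSecret verifies that SecretMapping values are emitted as a per-step Opaque Secret named after the step UUID.`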