Prevent secrets from leaking to Kubernetes API Server logs (#5305)

2025-11-23 21:44:44 +02:00 · 2025-07-14 17:45:13 +03:00
parent b382287170
commit 5c00b9d74b
9 changed files with 369 additions and 15 deletions
--- a/pipeline/backend/kubernetes/pod_test.go
+++ b/pipeline/backend/kubernetes/pod_test.go
@@ -177,6 +177,7 @@ func TestTinyPod(t *testing.T) {
 	pod, err := mkPod(&types.Step{
 		Name:        "build-via-gradle",
 		Image:       "gradle:8.4.0-jdk21",
+		UUID:        "01he8bebctabr3kgk0qj36d2me-0",
 		WorkingDir:  "/woodpecker/src",
 		Pull:        false,
 		Privileged:  false,
@@ -415,6 +416,7 @@ func TestPodPrivilege(t *testing.T) {
 		return mkPod(&types.Step{
 			Name:       "go-test",
 			Image:      "golang:1.16",
+			UUID:       "01he8bebctabr3kgk0qj36d2me-0",
 			Privileged: stepPrivileged,
 		}, &config{
 			Namespace:       "woodpecker",
@@ -525,6 +527,7 @@ func TestScratchPod(t *testing.T) {
 	pod, err := mkPod(&types.Step{
 		Name:       "curl-google",
 		Image:      "quay.io/curl/curl",
+		UUID:       "01he8bebctabr3kgk0qj36d2me-0",
 		Entrypoint: []string{"/usr/bin/curl", "-v", "google.com"},
 	}, &config{
 		Namespace: "woodpecker",
@@ -623,6 +626,7 @@ func TestSecrets(t *testing.T) {
 	pod, err := mkPod(&types.Step{
 		Name:        "test-secrets",
 		Image:       "alpine",
+		UUID:        "01he8bebctabr3kgk0qj36d2me-0",
 		Environment: map[string]string{"CGO": "0"},
 		Volumes:     []string{"workspace:/woodpecker/src"},
 	}, &config{
@@ -657,3 +661,35 @@ func TestSecrets(t *testing.T) {
 	ja := jsonassert.New(t)
 	ja.Assertf(string(podJSON), expected)
 }
+
+func TestStepSecret(t *testing.T) {
+	const expected = `{
+		"metadata": {
+			"name": "wp-01he8bebctabr3kgk0qj36d2me-0-step-secret",
+			"namespace": "woodpecker",
+			"creationTimestamp": null
+		},
+		"type": "Opaque",
+		"stringData": {
+			"VERY_SECRET": "secret_value"
+		}
+	}`
+
+	secret, err := mkStepSecret(&types.Step{
+		UUID:  "01he8bebctabr3kgk0qj36d2me-0",
+		Name:  "go-test",
+		Image: "meltwater/drone-cache",
+		SecretMapping: map[string]string{
+			"VERY_SECRET": "secret_value",
+		},
+	}, &config{
+		Namespace: "woodpecker",
+	})
+	assert.NoError(t, err)
+
+	secretJSON, err := json.Marshal(secret)
+	assert.NoError(t, err)
+
+	ja := jsonassert.New(t)
+	ja.Assertf(string(secretJSON), expected)
+}