Posted to commits@camel.apache.org by lb...@apache.org on 2020/02/11 14:57:13 UTC
[camel-k] branch master updated: Allow to inject data from
externally crafted secrets #1261 (camel-k bits)
This is an automated email from the ASF dual-hosted git repository.
lburgazzoli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/master by this push:
new ddcc1b6 Allow to inject data from externally crafted secrets #1261 (camel-k bits)
ddcc1b6 is described below
commit ddcc1b66a5a8cfc51d099a7a5a7e65f70b10ec41
Author: lburgazzoli <lb...@gmail.com>
AuthorDate: Tue Feb 11 13:20:48 2020 +0100
Allow to inject data from externally crafted secrets #1261 (camel-k bits)
---
pkg/trait/environment.go | 11 +++++++++++
pkg/trait/environment_test.go | 10 ++++++++++
pkg/trait/trait_test.go | 5 +++--
pkg/trait/trait_types.go | 38 +++++++++++++++++++++++++++++---------
4 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/pkg/trait/environment.go b/pkg/trait/environment.go
index aca2bee..a0670ca 100644
--- a/pkg/trait/environment.go
+++ b/pkg/trait/environment.go
@@ -37,6 +37,15 @@ const (
envVarPodName = "POD_NAME"
envVarCamelKVersion = "CAMEL_K_VERSION"
envVarCamelKRuntimeVersion = "CAMEL_K_RUNTIME_VERSION"
+ envVarMountPathConfigMaps = "CAMEL_K_MOUNT_PATH_CONFIGMAPS"
+
+ // Disabling gosec linter as it may triggers:
+ //
+ // pkg/trait/environment.go:41: G101: Potential hardcoded credentials (gosec)
+ // envVarMountPathSecrets = "CAMEL_K_MOUNT_PATH_SECRETS"
+ //
+ // nolint: gosec
+ envVarMountPathSecrets = "CAMEL_K_MOUNT_PATH_SECRETS"
)
func newEnvironmentTrait() *environmentTrait {
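Review bot: The standalone `// nolint: gosec` above `envVarMountPathSecrets` switches off every gosec rule for that declaration, although only G101 is the false positive here (the string is an environment variable name, not a credential). A trailing directive that names the rule and the reason keeps the suppression narrow and replaces the five-line explanation: `envVarMountPathSecrets = "CAMEL_K_MOUNT_PATH_SECRETS" // #nosec G101 -- env var name, not a credential`. If the project prefers golangci-lint's own directive, the unspaced form `//nolint:gosec // G101: env var name, not a credential` is the one its nolintlint check expects. The comment text also reads "as it may triggers", where "as it may trigger" is meant.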
@@ -58,6 +67,8 @@ func (t *environmentTrait) Configure(e *Environment) (bool, error) {
func (t *environmentTrait) Apply(e *Environment) error {
envvar.SetVal(&e.EnvVars, envVarCamelKVersion, defaults.Version)
envvar.SetVal(&e.EnvVars, envVarCamelKRuntimeVersion, e.RuntimeVersion)
+ envvar.SetVal(&e.EnvVars, envVarMountPathConfigMaps, ConfigMapsMountPath)
+ envvar.SetVal(&e.EnvVars, envVarMountPathSecrets, SecretsMountPath)
if t.ContainerMeta {
envvar.SetValFrom(&e.EnvVars, envVarNamespace, "metadata.namespace")
diff --git a/pkg/trait/environment_test.go b/pkg/trait/environment_test.go
index fbcbfc9..016fb60 100644
--- a/pkg/trait/environment_test.go
+++ b/pkg/trait/environment_test.go
@@ -73,6 +73,8 @@ func TestDefaultEnvironment(t *testing.T) {
ns := false
name := false
ck := false
+ cms := false
+ secrets := false
env.Resources.VisitDeployment(func(deployment *appsv1.Deployment) {
for _, e := range deployment.Spec.Template.Spec.Containers[0].Env {
@@ -85,12 +87,20 @@ func TestDefaultEnvironment(t *testing.T) {
if e.Name == envVarCamelKVersion {
ck = true
}
+ if e.Name == envVarMountPathConfigMaps {
+ cms = true
+ }
+ if e.Name == envVarMountPathSecrets {
+ secrets = true
+ }
}
})
assert.True(t, ns)
assert.True(t, name)
assert.True(t, ck)
+ assert.True(t, cms)
+ assert.True(t, secrets)
}
func TestEnabledContainerMetaDataEnvVars(t *testing.T) {
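Review bot: The new `cms` and `secrets` flags in `TestDefaultEnvironment` only prove that a variable with the expected name exists, not that it carries the mount path. A regression that sets `CAMEL_K_MOUNT_PATH_SECRETS` to an empty or wrong directory would still pass. Comparing the value closes that gap with no extra lines: `cms = e.Value == ConfigMapsMountPath` and `secrets = e.Value == SecretsMountPath`.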
diff --git a/pkg/trait/trait_test.go b/pkg/trait/trait_test.go
index 72a8da0..d1ba501 100644
--- a/pkg/trait/trait_test.go
+++ b/pkg/trait/trait_test.go
@@ -19,6 +19,7 @@ package trait
import (
"context"
+ "path"
"testing"
"github.com/stretchr/testify/assert"
@@ -339,7 +340,7 @@ func TestConfigureVolumesAndMounts(t *testing.T) {
m = findVVolumeMount(mnts, func(m corev1.VolumeMount) bool { return m.Name == "test-configmap" })
assert.NotNil(t, m)
- assert.Equal(t, "/etc/camel/conf.d/integration-cm-test-configmap", m.MountPath)
+ assert.Equal(t, path.Join(ConfigMapsMountPath, "test-configmap"), m.MountPath)
v = findVolume(vols, func(v corev1.Volume) bool { return v.Name == "test-secret" })
assert.NotNil(t, v)
@@ -348,7 +349,7 @@ func TestConfigureVolumesAndMounts(t *testing.T) {
m = findVVolumeMount(mnts, func(m corev1.VolumeMount) bool { return m.Name == "test-secret" })
assert.NotNil(t, m)
- assert.Equal(t, "/etc/camel/conf.d/integration-secret-test-secret", m.MountPath)
+ assert.Equal(t, path.Join(SecretsMountPath, "test-secret"), m.MountPath)
v = findVolume(vols, func(v corev1.Volume) bool { return v.Name == "testvolume-data" })
assert.NotNil(t, v)
diff --git a/pkg/trait/trait_types.go b/pkg/trait/trait_types.go
index 1664214..f52e46e 100644
--- a/pkg/trait/trait_types.go
+++ b/pkg/trait/trait_types.go
@@ -42,6 +42,29 @@ import (
// True --
const True = "true"
+var (
+ // BasePath --
+ BasePath = "/etc/camel"
+
+ // ConfPath --
+ ConfPath = path.Join(BasePath, "conf")
+
+ // ConfdPath --
+ ConfdPath = path.Join(BasePath, "conf.d")
+
+ // SourcesMountPath --
+ SourcesMountPath = path.Join(BasePath, "sources")
+
+ // ResourcesMountPath --
+ ResourcesMountPath = path.Join(BasePath, "resources")
+
+ // ConfigMapsMountPath --
+ ConfigMapsMountPath = path.Join(ConfdPath, "_configmaps")
+
+ // SecretsMountPath --
+ SecretsMountPath = path.Join(ConfdPath, "_secrets")
+)
+
// Identifiable represent an identifiable type
type Identifiable interface {
ID() ID
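Review bot: The new mount paths are exported package-level `var`s, so any importing package can reassign `SecretsMountPath` or `BasePath` at runtime and silently change where secrets and configmaps are mounted; the derived values would also not follow a later change to `BasePath`. Unless something outside this diff needs to reassign them, declaring them as constants built by string concatenation makes them immutable. The placeholder comments (`// BasePath --`) would also be better replaced by one sentence each saying what is mounted there. The `Identifiable` interface that closes this hunk continues outside it.
```go
const (
	// BasePath is the root directory under which sources, resources and configuration are mounted.
	BasePath = "/etc/camel"

	// ConfPath is the mount path of the integration properties volume.
	ConfPath = BasePath + "/conf"

	// ConfdPath is the parent directory of the configmap and secret mounts.
	ConfdPath = BasePath + "/conf.d"

	// SourcesMountPath is the parent directory of the per-source mounts.
	SourcesMountPath = BasePath + "/sources"

	// ResourcesMountPath is the parent directory of the per-resource mounts.
	ResourcesMountPath = BasePath + "/resources"

	// ConfigMapsMountPath is the parent directory of user-referenced configmap mounts.
	ConfigMapsMountPath = ConfdPath + "/_configmaps"

	// SecretsMountPath is the parent directory of user-referenced secret mounts.
	SecretsMountPath = ConfdPath + "/_secrets"
)
```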
@@ -389,8 +412,7 @@ func (e *Environment) ComputeSourcesURI() []string {
paths := make([]string, 0, len(sources))
for i, s := range sources {
- root := "/etc/camel/sources"
- root = path.Join(root, fmt.Sprintf("i-source-%03d", i))
+ root := path.Join(SourcesMountPath, fmt.Sprintf("i-source-%03d", i))
srcName := strings.TrimPrefix(s.Name, "/")
src := path.Join(root, srcName)
@@ -427,7 +449,7 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
cmName := fmt.Sprintf("%s-source-%03d", e.Integration.Name, i)
refName := fmt.Sprintf("i-source-%03d", i)
resName := strings.TrimPrefix(s.Name, "/")
- resPath := path.Join("/etc/camel/sources", refName)
+ resPath := path.Join(SourcesMountPath, refName)
if s.ContentRef != "" {
cmName = s.ContentRef
@@ -465,7 +487,7 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
refName := fmt.Sprintf("i-resource-%03d", i)
resName := strings.TrimPrefix(r.Name, "/")
cmKey := "content"
- resPath := path.Join("/etc/camel/resources", refName)
+ resPath := path.Join(ResourcesMountPath, refName)
if r.ContentRef != "" {
cmName = r.ContentRef
@@ -523,7 +545,7 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
*mnts = append(*mnts, corev1.VolumeMount{
Name: "integration-properties",
- MountPath: "/etc/camel/conf",
+ MountPath: ConfPath,
})
//
@@ -532,7 +554,6 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
for _, cmName := range e.CollectConfigurationValues("configmap") {
refName := kubernetes.SanitizeLabel(cmName)
- fileName := "integration-cm-" + strings.ToLower(cmName)
*vols = append(*vols, corev1.Volume{
Name: refName,
@@ -547,7 +568,7 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
*mnts = append(*mnts, corev1.VolumeMount{
Name: refName,
- MountPath: path.Join("/etc/camel/conf.d", fileName),
+ MountPath: path.Join(ConfigMapsMountPath, strings.ToLower(cmName)),
})
}
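Review bot: The mount path is now built from `strings.ToLower(cmName)` alone, while the volume name beside it goes through `kubernetes.SanitizeLabel(cmName)`, so the path component is never sanitized. With the `integration-cm-` prefix removed, a leading `..` in the value is a real parent-directory element that `path.Join` will clean to a location outside `ConfigMapsMountPath`. `cmName` comes from `e.CollectConfigurationValues("configmap")`, and nothing visible in this diff checks that it is a single path element; Kubernetes object-name validation may not have run before this code. Consider rejecting values that contain `/` or equal `.` or `..` before joining, or, assuming `SanitizeLabel` strips path separators, building the path from the sanitized name: `MountPath: path.Join(ConfigMapsMountPath, refName),`. The same applies to `path.Join(SecretsMountPath, strings.ToLower(secretName))` in the secrets hunk that follows; `ConfigureVolumesAndMounts` starts and ends outside these hunks.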
@@ -557,7 +578,6 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
for _, secretName := range e.CollectConfigurationValues("secret") {
refName := kubernetes.SanitizeLabel(secretName)
- fileName := "integration-secret-" + strings.ToLower(secretName)
*vols = append(*vols, corev1.Volume{
Name: refName,
@@ -570,7 +590,7 @@ func (e *Environment) ConfigureVolumesAndMounts(vols *[]corev1.Volume, mnts *[]c
*mnts = append(*mnts, corev1.VolumeMount{
Name: refName,
- MountPath: path.Join("/etc/camel/conf.d", fileName),
+ MountPath: path.Join(SecretsMountPath, strings.ToLower(secretName)),
})
}