Enable SP to retrieve and provide German umlaut chars

CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.5.0] - 2023-02-13
+
+### Added
+- Adds support for binary secret values and values with special characters.
+ [cyberark/secrets-provider-for-k8s#500](https://github.com/cyberark/secrets-provider-for-k8s/pull/500)
+
 ## [1.4.6] - 2023-01-26
 
 ### Security

deploy/config/k8s/k8s-secret.yml

@@ -8,4 +8,5 @@ stringData:
  secret: secrets/test_secret
  var_with_spaces: secrets/var with spaces
  var_with_pluses: secrets/var+with+pluses
+ var_with_umlaut: secrets/umlaut
  non-conjur-key: some-value

deploy/config/k8s/test-env-k8s-rotation.sh.yml

@@ -64,6 +64,11 @@ spec:
  secretKeyRef:
  name: test-k8s-secret
  key: var_with_pluses
+ - name: VARIABLE_WITH_UMLAUT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_umlaut
  - name: NON_CONJUR_SECRET
  valueFrom:
  secretKeyRef:

deploy/config/k8s/test-env.sh.yml

@@ -51,6 +51,11 @@ spec:
  secretKeyRef:
  name: test-k8s-secret
  key: var_with_pluses
+ - name: VARIABLE_WITH_UMLAUT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_umlaut
  - name: NON_CONJUR_SECRET
  valueFrom:
  secretKeyRef:

deploy/config/openshift/k8s-secret.yml

@@ -8,4 +8,5 @@ stringData:
  secret: secrets/test_secret
  var_with_spaces: secrets/var with spaces
  var_with_pluses: secrets/var+with+pluses
+ var_with_umlaut: secrets/umlaut
  non-conjur-key: some-value

deploy/config/openshift/test-env.sh.yml

@@ -50,6 +50,11 @@ spec:
  secretKeyRef:
  name: test-k8s-secret
  key: var_with_pluses
+ - name: VARIABLE_WITH_UMLAUT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_umlaut
  - name: NON_CONJUR_SECRET
  valueFrom:
  secretKeyRef:

deploy/dev/config/k8s/secrets-provider-init-container.sh.yml

@@ -41,6 +41,11 @@ spec:
  secretKeyRef:
  name: test-k8s-secret
  key: var_with_pluses
+ - name: VARIABLE_WITH_UMLAUT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_umlaut
  - name: NON_CONJUR_SECRET
  valueFrom:
  secretKeyRef:

deploy/dev/config/k8s/secrets-provider-k8s-rotation.sh.yml

@@ -64,6 +64,11 @@ spec:
  secretKeyRef:
  name: test-k8s-secret
  key: var_with_pluses
+ - name: VARIABLE_WITH_UMLAUT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: test-k8s-secret
+ key: var_with_umlaut
  - name: NON_CONJUR_SECRET
  valueFrom:
  secretKeyRef:

deploy/policy/load_policies.sh

@@ -35,6 +35,7 @@ done
 conjur variable values add secrets/test_secret "some-secret"
 conjur variable values add "secrets/var with spaces" "some-secret"
 conjur variable values add "secrets/var+with+pluses" "some-secret"
+conjur variable values add "secrets/umlaut" "some-secret"
 conjur variable values add secrets/url "postgresql://test-app-backend.app-test.svc.cluster.local:5432"
 conjur variable values add secrets/username "some-user"
 conjur variable values add secrets/password "7H1SiSmYp@5Sw0rd"

deploy/policy/templates/conjur-secrets.template.sh.yml

@@ -11,6 +11,7 @@ cat << EOL
  - !variable another_test_secret
  - !variable var with spaces
  - !variable var+with+pluses
+ - !variable umlaut
  - !variable url
  - !variable username
  - !variable password

deploy/test/test_cases/TEST_ID_1.5_providing_variables_with_german_umlaut_successfully.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+test_secret_is_provided "ÄäÖöÜü" "secrets/umlaut" "VARIABLE_WITH_UMLAUT_SECRET"

pkg/secrets/clients/conjur/conjur_client.go

@@ -8,13 +8,13 @@ import (
 )
 
 /*
- Client for communication with Conjur. In this project it is used only for
- batch secrets retrieval so we expose only this method of the client.
+Client for communication with Conjur. In this project it is used only for
+batch secrets retrieval so we expose only this method of the client.
 
- The name ConjurClient also improves readability as Client can be ambiguous.
+The name ConjurClient also improves readability as Client can be ambiguous.
 */
 type ConjurClient interface {
- RetrieveBatchSecrets([]string) (map[string][]byte, error)
+ RetrieveBatchSecretsSafe([]string) (map[string][]byte, error)
 }
 
 func NewConjurClient(tokenData []byte) (ConjurClient, error) {

pkg/secrets/clients/conjur/conjur_secrets_retriever.go

@@ -83,7 +83,7 @@ func retrieveConjurSecrets(accessToken []byte, variableIDs []string) (map[string
  return nil, log.RecordedError(messages.CSPFK033E)
  }
 
- retrievedSecretsByFullIDs, err := conjurClient.RetrieveBatchSecrets(variableIDs)
+ retrievedSecretsByFullIDs, err := conjurClient.RetrieveBatchSecretsSafe(variableIDs)
  if err != nil {
  return nil, err
  }

pkg/secrets/k8s_secrets_storage/provide_conjur_secrets_test.go

@@ -18,6 +18,8 @@ var testConjurSecrets = map[string]string{
  "conjur/var/path2": "secret-value2",
  "conjur/var/path3": "secret-value3",
  "conjur/var/path4": "secret-value4",
+ "conjur/var/umlaut": "ÄäÖöÜü",
+ "conjur/var/binary": "\xf0\xff\x4a\xc3",
  "conjur/var/empty-secret": "",
 }
 
@@ -287,6 +289,42 @@ func TestProvide(t *testing.T) {
  ),
  },
  },
+ {
+ desc: "Happy path, secret with umlaut characters",
+ k8sSecrets: k8sStorageMocks.K8sSecrets{
+ "k8s-secret1": {
+ "conjur-map": {"secret1": "conjur/var/umlaut"},
+ },
+ },
+ requiredSecrets: []string{"k8s-secret1"},
+ asserts: []assertFunc{
+ assertSecretsUpdated(
+ expectedK8sSecrets{
+ "k8s-secret1": {"secret1": "ÄäÖöÜü"},
+ },
+ expectedMissingValues{},
+ false,
+ ),
+ },
+ },
+ {
+ desc: "Happy path, binary secret",
+ k8sSecrets: k8sStorageMocks.K8sSecrets{
+ "k8s-secret1": {
+ "conjur-map": {"secret1": "conjur/var/binary"},
+ },
+ },
+ requiredSecrets: []string{"k8s-secret1"},
+ asserts: []assertFunc{
+ assertSecretsUpdated(
+ expectedK8sSecrets{
+ "k8s-secret1": {"secret1": "\xf0\xff\x4a\xc3"},
+ },
+ expectedMissingValues{},
+ false,
+ ),
+ },
+ },
  {
  desc: "K8s Secrets maps to a non-existent Conjur secret",
  k8sSecrets: k8sStorageMocks.K8sSecrets{