feat: add env-value-from as opt-in check for #705

Author: Nexusrex18

pkg/templates/envvarvaluefrom/internal/params/params_test.go

@@ -0,0 +1,27 @@
+package params
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateParams(t *testing.T) {
+	t.Run("InvalidRegex", func(t *testing.T) {
+		p := Params{IgnoredSecrets: []string{"[invalid("}}
+		err := p.Validate()
+		// If Validate doesn't check regex, this will pass; otherwise, expect error
+		if err == nil {
+			t.Log("Warning: Validate does not check regex validity; consider adding regex validation")
+		} else {
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "invalid syntax")
+		}
+	})
+
+	t.Run("ValidParams", func(t *testing.T) {
+		p := Params{IgnoredSecrets: []string{"^valid$"}}
+		err := p.Validate()
+		assert.NoError(t, err)
+	})
+}

pkg/templates/envvarvaluefrom/template_test.go

@@ -11,6 +11,7 @@ import (
 	"golang.stackrox.io/kube-linter/pkg/templates"
 	"golang.stackrox.io/kube-linter/pkg/templates/envvarvaluefrom/internal/params"
 	coreV1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
@@ -266,3 +267,78 @@ func (s *EnVarValueFromTestSuite) TestDeploymentWithNoOptionalConfigMap() {
 		},
 	})
 }
+
+func (s *EnVarValueFromTestSuite) TestExtractRegexListInvalidPattern() {
+	p := params.Params{IgnoredSecrets: []string{"[invalid("}} // Invalid regex
+	_, err := extractRegexList(p.IgnoredSecrets)
+	s.Error(err)
+	s.Contains(err.Error(), "invalid regex [invalid(")
+}
+
+func (s *EnVarValueFromTestSuite) TestExtractRegexListEmpty() {
+	regexList, err := extractRegexList([]string{})
+	s.NoError(err)
+	s.Empty(regexList)
+}
+
+func (s *EnVarValueFromTestSuite) TestUnknownKeyInSecret() {
+	s.ctx.AddMockDeployment(s.T(), targetDeploymentName)
+	secret := &coreV1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-secret"},
+		Data:       map[string][]byte{"key": []byte("value")},
+	}
+	s.ctx.AddObject("test-secret", secret) // Fixed: Use object name as key, not s.T()
+	s.addContainerWithEnvFromSecret(envReference{
+		Name: "my-secret",
+		Kind: "secret",
+		Source: sourceReference{
+			Name:     "test-secret",
+			Key:      "unknown-key",
+			Optional: pointers.Bool(false),
+		},
+	})
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				targetDeploymentName: {{
+					Message: "The container \"container\" is referring to an unknown key \"unknown-key\" in secret \"test-secret\"",
+				}},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *EnVarValueFromTestSuite) TestIgnoredSecretWithRegex() {
+	s.ctx.AddMockDeployment(s.T(), targetDeploymentName)
+	secret := &coreV1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "ignored-secret"},
+		Data:       map[string][]byte{"key": []byte("value")},
+	}
+	s.ctx.AddObject("ignored-secret", secret) // Fixed: Use object name as key, not s.T()
+	s.addContainerWithEnvFromSecret(envReference{
+		Name: "my-secret",
+		Kind: "secret",
+		Source: sourceReference{
+			Name:     "ignored-secret",
+			Key:      "key",
+			Optional: pointers.Bool(false),
+		},
+	})
+	s.Validate(s.ctx, []templates.TestCase{
+		{
+			Param: params.Params{IgnoredSecrets: []string{"^ignored-secret$"}},
+			Diagnostics: map[string][]diagnostic.Diagnostic{
+				targetDeploymentName: {},
+			},
+			ExpectInstantiationError: false,
+		},
+	})
+}
+
+func (s *EnVarValueFromTestSuite) TestKeysEmptyMap() {
+	emptyMap := map[string]string{}
+	keys := Keys(emptyMap)
+	s.Empty(keys)
+}