diff --git a/pkg/sharing/secret_exports.go b/pkg/sharing/secret_exports.go
index b8d8058b8..32fe641ba 100644
--- a/pkg/sharing/secret_exports.go
+++ b/pkg/sharing/secret_exports.go
@@ -155,11 +155,11 @@ func (nm NamespacesMatcher) MatchNamespace(matcher SecretMatcher, log logr.Logge
 			}
 		}
 	case sg2v1alpha1.SelectorOperatorExists:
-		if value != "" {
+		if value == "" {
 			return false
 		}
 	case sg2v1alpha1.SelectorOperatorDoesNotExist:
-		if value == "" {
+		if value != "" {
 			return false
 		}
 	}
diff --git a/test/e2e/secret_exports_test.go b/test/e2e/secret_exports_test.go
index bc6d962f5..5eb46516f 100644
--- a/test/e2e/secret_exports_test.go
+++ b/test/e2e/secret_exports_test.go
@@ -44,6 +44,25 @@ metadata:
     field.cattle.io/projectId: "cluster1:project1"
 ---
 apiVersion: v1
+kind: Namespace
+metadata:
+  name: sg-test5
+  annotations:
+    field.cattle.io/projectId: "cluster2:project3"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sg-test6
+  annotations:
+    field.cattle.io/projectId: "whatever:whatever"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sg-test7
+---
+apiVersion: v1
 kind: Secret
 metadata:
   name: secret
@@ -54,6 +73,39 @@ stringData:
   key2: val2
   key3: val3
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-test5
+  namespace: sg-test1
+type: Opaque
+stringData:
+  key1: val1
+  key2: val2
+  key3: val3
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-test6
+  namespace: sg-test1
+type: Opaque
+stringData:
+  key1: val1
+  key2: val2
+  key3: val3
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-test7
+  namespace: sg-test1
+type: Opaque
+stringData:
+  key1: val1
+  key2: val2
+  key3: val3
+---
 apiVersion: secretgen.carvel.dev/v1alpha1
 kind: SecretExport
 metadata:
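Review bot: The corrected `SelectorOperatorExists` branch still decides on `value == ""`, so an annotation key that is present with an empty string value is treated as absent here and as absent by `SelectorOperatorDoesNotExist` too, whereas Kubernetes selector semantics for these two operators are about key presence rather than value content. How `value` is looked up is outside the hunk (MatchNamespace begins before it); if that lookup can report presence separately, driving both cases from a `found bool` would make them exact, and otherwise a comment such as `// Exists/DoesNotExist are judged by value emptiness, so an empty-valued key counts as absent` should record the limitation. Because this inverted condition governed `dangerousToNamespacesSelector`, a unit test in pkg/sharing exercising both operators with present, empty-valued and absent keys would catch a regression without the e2e round trip.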
@@ -70,6 +122,38 @@ spec: - "cluster1:project1" --- apiVersion: secretgen.carvel.dev/v1alpha1 +kind: SecretExport +metadata: + name: secret-test5 + namespace: sg-test1 +spec: + dangerousToNamespacesSelector: + - key: "metadata.annotations['field\\.cattle\\.io/projectId']" + operator: NotIn + values: + - "cluster1:project1" +--- +apiVersion: secretgen.carvel.dev/v1alpha1 +kind: SecretExport +metadata: + name: secret-test6 + namespace: sg-test1 +spec: + dangerousToNamespacesSelector: + - key: "metadata.annotations['field\\.cattle\\.io/projectId']" + operator: Exists +--- +apiVersion: secretgen.carvel.dev/v1alpha1 +kind: SecretExport +metadata: + name: secret-test7 + namespace: sg-test1 +spec: + dangerousToNamespacesSelector: + - key: "metadata.annotations['field\\.cattle\\.io/projectId']" + operator: DoesNotExist +--- +apiVersion: secretgen.carvel.dev/v1alpha1 kind: SecretImport metadata: name: secret @@ -92,6 +176,30 @@ metadata: namespace: sg-test4 spec: fromNamespace: sg-test1 +--- +apiVersion: secretgen.carvel.dev/v1alpha1 +kind: SecretImport +metadata: + name: secret-test5 + namespace: sg-test5 +spec: + fromNamespace: sg-test1 +--- +apiVersion: secretgen.carvel.dev/v1alpha1 +kind: SecretImport +metadata: + name: secret-test6 + namespace: sg-test6 +spec: + fromNamespace: sg-test1 +--- +apiVersion: secretgen.carvel.dev/v1alpha1 +kind: SecretImport +metadata: + name: secret-test7 + namespace: sg-test7 +spec: + fromNamespace: sg-test1 ` yaml2 := ` 
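Review bot: The `NotIn` export added as secret-test5 is only checked against sg-test5 later in this test, yet under standard selector semantics `NotIn` also matches namespaces where the key is absent, so sg-test7 (no annotation) and sg-test6 (`whatever:whatever`) would presumably receive secret-test5 as well; whether the matcher implements that rule is not visible in this commit. If that fan-out is intended, a short fixture comment such as `# NotIn also matches namespaces without the annotation` would make the expectation explicit; if it is not, the test should assert the secret is absent in those namespaces. The enclosing test function starts before this hunk and continues after it.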
@@ -107,6 +215,39 @@ stringData: # key2 deleted key3: val3 # keep key4: val4 # new +--- +apiVersion: v1 +kind: Secret +metadata: + name: secret-test5 + namespace: sg-test1 +type: Opaque +stringData: + key1: val1.1 + key3: val3 + key4: val4 +--- +apiVersion: v1 +kind: Secret +metadata: + name: secret-test6 + namespace: sg-test1 +type: Opaque +stringData: + key1: val1.1 + key3: val3 + key4: val4 +--- +apiVersion: v1 +kind: Secret +metadata: + name: secret-test7 + namespace: sg-test1 +type: Opaque +stringData: + key1: val1.1 + key3: val3 + key4: val4 ` name := "test-export-successful" @@ -117,14 +258,27 @@ stringData: cleanUp() defer cleanUp() + getSecretName := func(ns string) string { + switch ns { + case "sg-test5": + return "secret-test5" + case "sg-test6": + return "secret-test6" + case "sg-test7": + return "secret-test7" + default: + return "secret" + } + } + logger.Section("Deploy", func() { kapp.RunWithOpts([]string{"deploy", "-f", "-", "-a", name}, RunOpts{StdinReader: strings.NewReader(yaml1)}) }) logger.Section("Check imported secrets were created", func() { - for _, ns := range []string{"sg-test2", "sg-test3", "sg-test4"} { - out := waitForSecretInNs(t, kubectl, ns, "secret") + for _, ns := range []string{"sg-test2", "sg-test3", "sg-test4", "sg-test5", "sg-test6", "sg-test7"} { + out := waitForSecretInNs(t, kubectl, ns, getSecretName(ns)) var secret corev1.Secret @@ -156,8 +310,8 @@ stringData: // TODO proper waiting time.Sleep(5 * time.Second) - for _, ns := range []string{"sg-test2", "sg-test3", "sg-test4"} { - out := waitForSecretInNs(t, kubectl, ns, "secret") + for _, ns := range []string{"sg-test2", "sg-test3", "sg-test4", "sg-test5", "sg-test6", "sg-test7"} { + out := waitForSecretInNs(t, kubectl, ns, getSecretName(ns)) var secret corev1.Secret 
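Review bot: The `Check imported secrets were created` loop only verifies that each new namespace receives its own secret; nothing asserts that secret-test5, secret-test6 and secret-test7 stay out of the namespaces their selector should exclude (for example secret-test7 in sg-test5/sg-test6, or secret-test6 in sg-test7), so a matcher that over-exports would still pass. Since `dangerousToNamespacesSelector` is the guard against exporting into the wrong namespace, the negative direction is the one worth pinning; a `kubectl.RunWithOpts([]string{"get", "secret", <name>, "-n", <ns>}, RunOpts{AllowError: true, NoNamespace: true})` followed by `require.Error(t, err)`, as the delete section already does, would cover it. The `getSecretName` closure could also be a `map[string]string` literal with a fallback to `"secret"`, which reads more directly than the switch. The enclosing test function starts before this hunk and continues after it.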
@@ -181,14 +335,16 @@ stringData: }) logger.Section("Delete export to see exported secrets deleted", func() { - kubectl.RunWithOpts([]string{"delete", "secretexport.secretgen.carvel.dev", "secret", "-n", "sg-test1"}, - RunOpts{NoNamespace: true}) + for _, secretName := range []string{"secret", "secret-test5", "secret-test6", "secret-test7"} { + kubectl.RunWithOpts([]string{"delete", "secretexport.secretgen.carvel.dev", secretName, "-n", "sg-test1"}, + RunOpts{NoNamespace: true}) + } // TODO proper waiting time.Sleep(5 * time.Second) - for _, ns := range []string{"sg-test2", "sg-test3", "sg-test4"} { - _, err := kubectl.RunWithOpts([]string{"get", "secret", "secret", "-n", ns}, + for _, ns := range []string{"sg-test2", "sg-test3", "sg-test4", "sg-test5", "sg-test6", "sg-test7"} { + _, err := kubectl.RunWithOpts([]string{"get", "secret", getSecretName(ns), "-n", ns}, RunOpts{AllowError: true, NoNamespace: true}) require.Error(t, err)
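Review bot: The namespace list `[]string{"sg-test2", "sg-test3", "sg-test4", "sg-test5", "sg-test6", "sg-test7"}` is now written out verbatim in three loops (here and in the two earlier hunks of this file), and the export-name list in the delete loop is a fourth hand-maintained copy; the next test case has to be added in all four places or one of the sections silently skips it. Hoisting `importNamespaces := []string{...}` and `exportNames := []string{...}` next to `getSecretName` and ranging over those would keep the deploy, update and delete sections in step. The enclosing test function starts before this hunk and, from the trailing `require.Error`, appears to continue after it.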