Lint and dependencies update (#21)

* Update dependencies * update go in CI to 1.20 * lint * increase lint timeout
Ouest-France · May 5, 2023 · 2e27262 · 2e27262
1 parent 60d501b
commit 2e27262
Show file tree

Hide file tree

Showing 9 changed files with 382 additions and 160 deletions.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -13,12 +13,13 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: 1.20
 
       - name: Run Golang CI Lint
         uses: golangci/golangci-lint-action@v2
         with:
           version: latest
+          args: --timeout=3m
 
       - name: Build
         run: CGO_ENABLED=0 go build -ldflags="-extldflags '-static' -w -s" -o k8s-vault-webhook

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -21,12 +21,13 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: 1.20
 
       - name: Run Golang CI Lint
         uses: golangci/golangci-lint-action@v2
         with:
           version: latest
+          args: --timeout=3m
 
       - name: Build
         run: CGO_ENABLED=0 go build -ldflags="-extldflags '-static' -w -s -X github.com/Ouest-France/k8s-vault-webhook/cmd.version=${{ steps.get_version.outputs.VERSION }}" -o k8s-vault-webhook

diff --git a/api/admission.go b/api/admission.go
@@ -26,7 +26,7 @@ func (s *Server) sendAdmissionReviewError(w http.ResponseWriter, err error) {
 	arResp, err := json.Marshal(ar)
 	if err != nil {
 		s.Logger.Errorf("failed to marshal response: %s", err)
-		http.Error(w, http.StatusText(500), 500)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
 
@@ -48,7 +48,7 @@ func (s *Server) sendAdmissionReview(w http.ResponseWriter, ar admission.Admissi
 	resp, err := json.Marshal(ar)
 	if err != nil {
 		s.Logger.Errorf("failed to marshal response: %s", err)
-		http.Error(w, http.StatusText(500), 500)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
 	}
 

diff --git a/api/mutate_test.go b/api/mutate_test.go
@@ -3,6 +3,8 @@ package api
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
+	"sort"
 	"testing"
 
 	"github.com/sirupsen/logrus"
@@ -12,7 +14,8 @@ import (
 
 // Fake Vault client for testing
 type fakeVaultClient struct {
-	Value string
+	Value  string
+	Absent bool
 }
 
 // Fake Vault read method for testing
@@ -21,6 +24,10 @@ func (f fakeVaultClient) Read(path, key string) (string, error) {
 		return "", errors.New("failed to read key in vault")
 	}
 
+	if f.Absent {
+		return fmt.Sprintf("Secret %q does not exist in Vault", f.Value), nil
+	}
+
 	return f.Value, nil
 }
 
@@ -76,31 +83,31 @@ func TestServer_mutateSecretData(t *testing.T) {
 		},
 		{
 			"Test secret that doesn't exists in vault",
-			fakeVaultClient{"error"},
+			fakeVaultClient{Absent: true, Value: "absentsecret"},
 			"secret/data/{{.Secret}}",
 			`{"metadata":{"name":"test-secret","namespace":"test-namespace","creationTimestamp":null,"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"foo\":\"dmF1bHQ6Zm9vI2Jhcg==\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"test-secret\",\"namespace\":\"test-namespace\"},\"type\":\"Opaque\"}\n"}},"data":{"foo":"dmF1bHQ6Zm9vI2Jhcg=="},"type":"Opaque"}`,
-			[]patchOperation{},
-			"failed to read secret 'secret/data/foo' in vault: failed to read key in vault",
+			[]patchOperation{{Op: "replace", Path: "/data/foo", Value: "U2VjcmV0ICJhYnNlbnRzZWNyZXQiIGRvZXMgbm90IGV4aXN0IGluIFZhdWx0"}},
+			"",
 		},
 		{
 			"Test valid secret defined in vault",
-			fakeVaultClient{"bar"},
+			fakeVaultClient{Value: "bar"},
 			"secret/data/{{.Secret}}",
 			`{"metadata":{"name":"test-secret","namespace":"test-namespace","creationTimestamp":null,"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"foo\":\"dmF1bHQ6Zm9vI2Jhcg==\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"test-secret\",\"namespace\":\"test-namespace\"},\"type\":\"Opaque\"}\n"}},"data":{"foo":"dmF1bHQ6Zm9vI2Jhcg=="},"type":"Opaque"}`,
 			[]patchOperation{{Op: "replace", Path: "/data/foo", Value: "YmFy"}},
 			"",
 		},
 		{
 			"Test valid secret defined in vault + one simple secret",
-			fakeVaultClient{"bar"},
+			fakeVaultClient{Value: "bar"},
 			"secret/data/{{.Secret}}",
 			`{"metadata":{"name":"test-secret","namespace":"test-namespace","creationTimestamp":null,"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"foo\":\"dmF1bHQ6Zm9vI2Jhcg==\",\"simple\":\"test\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"test-secret\",\"namespace\":\"test-namespace\"},\"type\":\"Opaque\"}\n"}},"data":{"foo":"dmF1bHQ6Zm9vI2Jhcg==","simple":"test"},"type":"Opaque"}`,
 			[]patchOperation{{Op: "replace", Path: "/data/foo", Value: "YmFy"}},
 			"",
 		},
 		{
 			"Test multi valid secrets defined in vault + one simple secret",
-			fakeVaultClient{"bar"},
+			fakeVaultClient{Value: "bar"},
 			"secret/data/{{.Secret}}",
 			`{"metadata":{"name":"test-secret","namespace":"test-namespace","creationTimestamp":null,"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"data\":{\"foo\":\"dmF1bHQ6Zm9vI2Jhcg==\",\"simple\":\"test\",\"foo2\":\"dmF1bHQ6Zm9vI2JhcjI=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"test-secret\",\"namespace\":\"test-namespace\"},\"type\":\"Opaque\"}\n"}},"data":{"foo":"dmF1bHQ6Zm9vI2Jhcg==","simple":"test","foo2":"dmF1bHQ6Zm9vI2JhcjI="},"type":"Opaque"}`,
 			[]patchOperation{{Op: "replace", Path: "/data/foo", Value: "YmFy"}, {Op: "replace", Path: "/data/foo2", Value: "YmFy"}},
@@ -133,6 +140,14 @@ func TestServer_mutateSecretData(t *testing.T) {
 			require.EqualError(t, err, test.errorString, test.description)
 		}
 
+		// Sort patch and test.patch to avoid random order
+		sort.Slice(patch, func(i, j int) bool {
+			return patch[i].Path < patch[j].Path
+		})
+		sort.Slice(test.patch, func(i, j int) bool {
+			return test.patch[i].Path < test.patch[j].Path
+		})
+
 		require.Equal(t, patch, test.patch, test.description)
 	}
 }
diff --git a/api/secretHandler.go b/api/secretHandler.go
@@ -25,7 +25,7 @@ func (s *Server) secretHandler(w http.ResponseWriter, r *http.Request) {
 	body, err := ioutil.ReadAll(r.Body)
 	if err != nil {
 		logger.WithError(err).Error("failed to read request body")
-		http.Error(w, http.StatusText(500), 500)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		secretFailed.Inc()
 		return
 	}
@@ -36,7 +36,7 @@ func (s *Server) secretHandler(w http.ResponseWriter, r *http.Request) {
 	err = json.Unmarshal(body, &admissionReview)
 	if err != nil {
 		logger.WithError(err).Error("failed to unmarshal request")
-		http.Error(w, http.StatusText(500), 500)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		secretFailed.Inc()
 		return
 	}
@@ -76,7 +76,7 @@ func (s *Server) secretHandler(w http.ResponseWriter, r *http.Request) {
 	err = json.Unmarshal(admissionReview.Request.Object.Raw, &secret)
 	if err != nil {
 		logger.WithError(err).Error("failed to unmarshal secret")
-		http.Error(w, http.StatusText(500), 500)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		secretFailed.Inc()
 		return
 	}
@@ -98,7 +98,7 @@ func (s *Server) secretHandler(w http.ResponseWriter, r *http.Request) {
 	patchBytes, err := json.Marshal(patch)
 	if err != nil {
 		logger.WithError(err).Error("failed to marshal patches")
-		http.Error(w, http.StatusText(500), 500)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		secretFailed.Inc()
 		return
 	}

diff --git a/api/server.go b/api/server.go
@@ -103,7 +103,7 @@ func (s *Server) RequestAuth(next http.Handler) http.Handler {
 			reqUser, reqPass, ok := r.BasicAuth()
 			if !ok {
 				s.Logger.Error("authentification failed, missing credentials")
-				http.Error(w, http.StatusText(403), 403)
+				http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 				return
 			}
 
@@ -126,7 +126,7 @@ func (s *Server) RequestAuth(next http.Handler) http.Handler {
 			}()
 			if !valid {
 				s.Logger.Error("authentication failed, invalid credentials")
-				http.Error(w, http.StatusText(403), 403)
+				http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 				return
 			}
 		}

diff --git a/go.mod b/go.mod
@@ -6,15 +6,14 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/go-chi/chi v1.5.4
 	github.com/go-chi/render v1.0.2
-	github.com/hashicorp/vault/api v1.8.2
-	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
-	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
-	github.com/prometheus/client_golang v1.14.0
+	github.com/hashicorp/vault/api v1.9.1
+	github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
+	github.com/prometheus/client_golang v1.15.1
 	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.14.0
+	github.com/spf13/cobra v1.7.0
+	github.com/spf13/viper v1.15.0
 	github.com/stretchr/testify v1.8.1
-	golang.org/x/crypto v0.5.0
-	k8s.io/api v0.26.0
-	k8s.io/apimachinery v0.26.0
+	golang.org/x/crypto v0.8.0
+	k8s.io/api v0.27.1
+	k8s.io/apimachinery v0.27.1
 )