fix(core): names generated using non-FIPS compliant algorithm
The CDK8s name generators (`Names.toLabelValue()` and `Names.toDnsLabel()`) used sha256, which cannot be used in FIPS-compliant environments.

To fix this, we are now using the [recently introduced](aws/constructs#314) `Node.of(construct).addr` as the hash postfix of generated names.

Fixes #334

BREAKING CHANGE: CAUTION! Auto-generated resource names will change with this release. Resource names in manifests synthesized by a previous version of the CDK8s will be invalidated. Deploying new manifests will cause **resources to be replaced**. Temporarily, you can opt to use the legacy hashing mechanism by setting the environment variable `CDK8S_LEGACY_HASH=1`.
* **core:** `Names.toDnsLabel()` now accepts a construct scope instead of a string path, and a set of options instead of `maxLen`.
* **core:** `Names.toLabelValue()` now accepts a construct scope instead of a string path, and a set of options instead of `maxLen`.
Elad Ben-Israel committed Nov 18, 2020
1 parent a8337e8 commit 7775244
Showing 28 changed files with 489 additions and 249 deletions.
2 changes: 1 addition & 1 deletion packages/cdk8s-cli/package.json
@@ -53,7 +53,7 @@
"@types/node": "^10.17.0",
"cdk8s": "0.0.0",
"codemaker": "^1.14.1",
"constructs": "3.0.4",
"constructs": "3.2.34",
"fs-extra": "^8.1.0",
"jsii-pacmak": "^1.14.1",
"jsii-srcmak": "^0.1.36",
2 changes: 1 addition & 1 deletion packages/cdk8s-plus-17/API.md
@@ -627,7 +627,7 @@ addRules(...rules: IngressV1Beta1Rule[]): void

#### protected onValidate()🔹 <a id="cdk8s-plus-17-ingressv1beta1-onvalidate"></a>

Validate the current construct.
(deprecated) Validate the current construct.

This method can be implemented by derived constructs in order to perform
validation logic. It is called on all constructs before synthesis.
10 changes: 5 additions & 5 deletions packages/cdk8s-plus-17/package.json
@@ -38,16 +38,16 @@
"@typescript-eslint/eslint-plugin": "^4.3.0",
"@typescript-eslint/parser": "^4.3.0",
"cdk8s": "^0.0.0",
"constructs": "3.0.4",
"constructs": "3.2.34",
"eslint": "^6.8.0",
"eslint-import-resolver-node": "^0.3.3",
"eslint-import-resolver-typescript": "^2.0.0",
"eslint-plugin-import": "^2.20.2",
"jest": "^26.4.2",
"jsii": "^1.9.0",
"jsii-diff": "^1.9.0",
"jsii": "^1.14.1",
"jsii-diff": "^1.14.1",
"jsii-docgen": "^1.3.2",
"jsii-pacmak": "^1.9.0",
"jsii-pacmak": "^1.14.1",
"json-schema": "^0.2.5",
"projen": "^0.3.168",
"standard-version": "^9.0.0",
@@ -56,7 +56,7 @@
},
"peerDependencies": {
"cdk8s": "^0.0.0",
"constructs": "^3.0.4"
"constructs": "^3.2.34"
},
"dependencies": {
"minimatch": "^3.0.4"
4 changes: 2 additions & 2 deletions packages/cdk8s-plus-17/src/deployment.ts
@@ -1,5 +1,5 @@
import { ApiObject, ApiObjectMetadataDefinition, Lazy, Names } from 'cdk8s';
import { Construct, Node } from 'constructs';
import { Construct } from 'constructs';
import { Resource, ResourceProps } from './base';
import { Container, ContainerProps } from './container';
import * as k8s from './imports/k8s';
@@ -124,7 +124,7 @@ export class Deployment extends Resource implements IPodTemplate {

if (props.defaultSelector ?? true) {
const selector = 'cdk8s.deployment';
const matcher = Names.toLabelValue(Node.of(this).path);
const matcher = Names.toLabelValue(this);
this.podMetadata.addLabel(selector, matcher);
this.selectByLabel(selector, matcher);
}
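Review bot: The value assigned at `const matcher = Names.toLabelValue(this);` is used as both the pod label and the Deployment's selector, so this release changes the selector of every Deployment that relies on `defaultSelector`, including ones whose `metadata.name` the user pinned. If the synthesized object is an `apps/v1` Deployment, `spec.selector` is immutable and an in-place apply of the new manifest would be rejected rather than rolled out; the breaking-change text speaks only of resource names. I would add a comment above the line, `// matcher is derived from the construct address; changing how it is computed changes spec.selector, which cannot be updated in place`, and call out the selector next to `CDK8S_LEGACY_HASH=1` in the upgrade notes. The enclosing block starts and ends outside the hunk.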
@@ -9,7 +9,7 @@ Array [
},
"kind": "ConfigMap",
"metadata": Object {
"name": "test-my-config-map-91419662",
"name": "test-my-config-map-c8eaefa4",
},
},
]
@@ -25,7 +25,7 @@ Array [
},
"kind": "ConfigMap",
"metadata": Object {
"name": "test-my-config-map-91419662",
"name": "test-my-config-map-c8eaefa4",
},
},
]
@@ -41,7 +41,7 @@ Array [
},
"kind": "ConfigMap",
"metadata": Object {
"name": "test-my-config-map-91419662",
"name": "test-my-config-map-c8eaefa4",
},
},
]
@@ -56,7 +56,7 @@ Array [
},
"kind": "ConfigMap",
"metadata": Object {
"name": "test-my-config-map-91419662",
"name": "test-my-config-map-c8eaefa4",
},
},
]
@@ -72,7 +72,7 @@ Array [
},
"kind": "ConfigMap",
"metadata": Object {
"name": "test-my-config-map-91419662",
"name": "test-my-config-map-c8eaefa4",
},
},
]
10 changes: 5 additions & 5 deletions packages/cdk8s-plus-17/test/config-map.test.ts
@@ -25,7 +25,7 @@ test('minimal', () => {
apiVersion: 'v1',
kind: 'ConfigMap',
metadata: {
name: 'test-my-config-map-91419662',
name: 'test-my-config-map-c8eaefa4',
},
},
]);
@@ -53,7 +53,7 @@ test('with data', () => {
key2: 'bar',
},
metadata: {
name: 'test-my-config-map-91419662',
name: 'test-my-config-map-c8eaefa4',
},
},
]);
@@ -81,7 +81,7 @@ test('with binaryData', () => {
key2: 'bar',
},
metadata: {
name: 'test-my-config-map-91419662',
name: 'test-my-config-map-c8eaefa4',
},
},
]);
@@ -115,7 +115,7 @@ test('with binaryData and data', () => {
key2: 'bar',
},
metadata: {
name: 'test-my-config-map-91419662',
name: 'test-my-config-map-c8eaefa4',
},
},
]);
@@ -174,7 +174,7 @@ test('addData()/addBinaryDataq() can be used to add data', () => {
},
kind: 'ConfigMap',
metadata: {
name: 'test-my-config-map-91419662',
name: 'test-my-config-map-c8eaefa4',
},
},
]);
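Review bot: The new name `test-my-config-map-c8eaefa4` is repeated as a literal in five expectations here, and the same pattern recurs in deployment.test.ts and ingress-v1beta1.test.ts, so every change to the naming scheme becomes a mass edit like this one. Hoisting it once, `const CONFIG_MAP_NAME = 'test-my-config-map-c8eaefa4';`, keeps the value pinned and makes the next rename a one-line diff. None of the sections shown exercise the `CDK8S_LEGACY_HASH=1` opt-out; if the core tests outside this view do not either, one test that sets the variable and expects the previous suffix would protect the migration path. The test bodies extend outside the hunks shown.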
6 changes: 3 additions & 3 deletions packages/cdk8s-plus-17/test/deployment.test.ts
@@ -19,7 +19,7 @@ test('A label selector is automatically allocated', () => {
const deployment = new kplus.Deployment(chart, 'Deployment');
deployment.addContainer({ image: 'foobar' });

const expectedValue = 'test-Deployment-9e0110cd';
const expectedValue = 'test-Deployment-c83f5e59';
const expectedSelector = { 'cdk8s.deployment': expectedValue };

// assert the k8s spec has it.
@@ -94,7 +94,7 @@ test('Can be exposed as via service', () => {

const spec = Testing.synth(chart)[1].spec;
expect(spec.type).toEqual('LoadBalancer');
expect(spec.selector).toEqual({ 'cdk8s.deployment': 'test-Deployment-9e0110cd' });
expect(spec.selector).toEqual({ 'cdk8s.deployment': 'test-Deployment-c83f5e59' });
expect(spec.ports![0].port).toEqual(9200);
expect(spec.ports![0].targetPort).toEqual(9300);

@@ -149,7 +149,7 @@ test('Expose can set service and port details', () => {
expect(srv.metadata.name).toEqual('test-srv');
expect(spec.type).toEqual('ClusterIP');
expect(spec.selector).toEqual({
'cdk8s.deployment': 'test-Deployment-9e0110cd',
'cdk8s.deployment': 'test-Deployment-c83f5e59',
});
expect(spec.ports![0].port).toEqual(9200);
expect(spec.ports![0].targetPort).toEqual(9500);
38 changes: 19 additions & 19 deletions packages/cdk8s-plus-17/test/ingress-v1beta1.test.ts
@@ -24,7 +24,7 @@ describe('IngressBackend', () => {

// THEN
expect(IngressV1Beta1Backend.fromService(service)._toKube()).toEqual({
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 8899,
});
});
@@ -61,7 +61,7 @@ describe('IngressBackend', () => {

// THEN
expect(IngressV1Beta1Backend.fromService(service, { port: 6011 })._toKube()).toEqual({
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 6011,
});
});
@@ -78,7 +78,7 @@ describe('IngressBackend', () => {

// THEN
expect(IngressV1Beta1Backend.fromService(service, { port: 8899 })._toKube()).toEqual({
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 8899,
});
});
@@ -130,10 +130,10 @@ describe('Ingress', () => {
{
apiVersion: 'networking.k8s.io/v1beta1',
kind: 'Ingress',
metadata: { name: 'test-my-ingress-e859c4c6' },
metadata: { name: 'test-my-ingress-c8135042' },
spec: {
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
@@ -155,10 +155,10 @@ describe('Ingress', () => {
{
apiVersion: 'networking.k8s.io/v1beta1',
kind: 'Ingress',
metadata: { name: 'test-my-ingress-e859c4c6' },
metadata: { name: 'test-my-ingress-c8135042' },
spec: {
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
@@ -182,15 +182,15 @@ describe('Ingress', () => {
{
apiVersion: 'networking.k8s.io/v1beta1',
kind: 'Ingress',
metadata: { name: 'test-my-ingress-e859c4c6' },
metadata: { name: 'test-my-ingress-c8135042' },
spec: {
rules: [{
host: 'my.host',
http: {
paths: [
{
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
@@ -219,7 +219,7 @@ describe('Ingress', () => {
{
apiVersion: 'networking.k8s.io/v1beta1',
kind: 'Ingress',
metadata: { name: 'test-my-ingress-e859c4c6' },
metadata: { name: 'test-my-ingress-c8135042' },
spec: {
rules: [
{
@@ -229,14 +229,14 @@ describe('Ingress', () => {
{
path: '/bar',
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
{
path: '/foo',
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
@@ -249,14 +249,14 @@ describe('Ingress', () => {
paths: [
{
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
{
path: '/',
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
@@ -284,7 +284,7 @@ describe('Ingress', () => {
{
apiVersion: 'networking.k8s.io/v1beta1',
kind: 'Ingress',
metadata: { name: 'test-my-ingress-e859c4c6' },
metadata: { name: 'test-my-ingress-c8135042' },
spec: {
rules: [
{
@@ -293,14 +293,14 @@ describe('Ingress', () => {
{
path: '/foo',
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
{
path: '/foo/bar',
backend: {
serviceName: 'test-my-service-72ba846b',
serviceName: 'test-my-service-c8493104',
servicePort: 80,
},
},
@@ -331,13 +331,13 @@ describe('Ingress', () => {
});

// THEN
const expectedBackend = { serviceName: 'test-my-service-72ba846b', servicePort: 4000 };
const expectedBackend = { serviceName: 'test-my-service-c8493104', servicePort: 4000 };
expect(Testing.synth(chart).filter(x => x.kind === 'Ingress')).toEqual([
{
apiVersion: 'networking.k8s.io/v1beta1',
kind: 'Ingress',
metadata: {
name: 'test-my-ingress-e859c4c6',
name: 'test-my-ingress-c8135042',
},
spec: {
backend: expectedBackend,
28 changes: 14 additions & 14 deletions packages/cdk8s-plus-17/test/secret.test.ts
@@ -1,35 +1,35 @@
import { Testing, ApiObject } from 'cdk8s';
import { Node } from 'constructs';
import * as kplus from '../src';
import { Testing, ApiObject } from "cdk8s";
import { Node } from "constructs";
import * as kplus from "../src";

test('defaultChild', () => {
test("defaultChild", () => {
const chart = Testing.chart();

const defaultChild = Node.of(new kplus.Secret(chart, 'Secret')).defaultChild as ApiObject;

expect(defaultChild.kind).toEqual('Secret');
const defaultChild = Node.of(new kplus.Secret(chart, "Secret"))
.defaultChild as ApiObject;

expect(defaultChild.kind).toEqual("Secret");
});

test('Can be imported from secret name', () => {
const secret = kplus.Secret.fromSecretName('secret');
test("Can be imported from secret name", () => {
const secret = kplus.Secret.fromSecretName("secret");

expect(secret.name).toEqual('secret');
expect(secret.name).toEqual("secret");
});

test('Can add data to new secrets', () => {
test("Can add data to new secrets", () => {
const chart = Testing.chart();

const secret = new kplus.Secret(chart, 'Secret');
secret.addStringData('key', 'value');
const secret = new kplus.Secret(chart, "Secret");
secret.addStringData("key", "value");

expect(Testing.synth(chart)).toMatchInlineSnapshot(`
Array [
Object {
"apiVersion": "v1",
"kind": "Secret",
"metadata": Object {
"name": "test-secret-17f996fa",
"name": "test-secret-c837fa76",
},
"stringData": Object {
"key": "value",
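Review bot: Almost all of this section is a quote-style rewrite (`'cdk8s'` to `"cdk8s"`, plus the `defaultChild` assignment wrapped onto two lines), while the other test files touched by this commit keep single quotes; the only change the fix itself needs is the snapshot name `test-secret-c837fa76`. I would revert the formatting, e.g. keep `import { Testing, ApiObject } from 'cdk8s';`, so the file stays consistent with its siblings and the diff shows just the renamed resource. Formatting churn mixed into a breaking change also makes it harder to confirm that no expectation other than the name moved. The last test's inline snapshot continues outside the hunk.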