chore: update Kubernetes output tests to include secrets handling and adjust expected counts

Author: roderik

charts/network-bootstrapper/templates/role.yaml

@@ -10,6 +10,7 @@ rules:
       - ""
     resources:
       - configmaps
+      - secrets
     verbs:
       - get
       - list

src/cli/output.test.ts

@@ -77,7 +77,9 @@ const HEX_RADIX = 16;
 const SAMPLE_VALIDATOR_INDEX = 1;
 const SAMPLE_RPC_INDEX = 2;
 const SAMPLE_FAUCET_INDEX = 99;
-const EXPECTED_CONFIGMAP_COUNT = 8;
+const EXPECTED_CONFIGMAP_COUNT = 9;
+const EXPECTED_SECRET_COUNT = 3;
+const HEX_PREFIX_PATTERN = /^0x/;
 const TEST_CHAIN_ID = 1;
 const HTTP_CONFLICT_STATUS = 409;
 const HTTP_INTERNAL_ERROR_STATUS = 500;
@@ -153,17 +155,23 @@ describe("outputResult", () => {
     await rm("out", { recursive: true, force: true });
   });
 
-  test("kubernetes output creates configmaps", async () => {
+  test("kubernetes output creates configmaps and secrets", async () => {
     const originalLoad = (KubeConfig.prototype as any).loadFromCluster;
     const originalMake = (KubeConfig.prototype as any).makeApiClient;
     const originalFile = Bun.file;
 
-    const created: Array<{
+    const createdConfigMaps: Array<{
       namespace: string;
       name: string;
       data: Record<string, string>;
     }> = [];
-    const listedNamespaces: string[] = [];
+    const createdSecrets: Array<{
+      namespace: string;
+      name: string;
+      data: Record<string, string>;
+    }> = [];
+    const listedConfigNamespaces: string[] = [];
+    const listedSecretNamespaces: string[] = [];
 
     try {
       (KubeConfig.prototype as any).loadFromCluster =
@@ -174,7 +182,11 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: ({ namespace }: { namespace: string }) => {
-            listedNamespaces.push(namespace);
+            listedConfigNamespaces.push(namespace);
+            return Promise.resolve();
+          },
+          listNamespacedSecret: ({ namespace }: { namespace: string }) => {
+            listedSecretNamespaces.push(namespace);
             return Promise.resolve();
           },
           createNamespacedConfigMap: ({
@@ -184,13 +196,27 @@ describe("outputResult", () => {
             namespace: string;
             body: any;
           }) => {
-            created.push({
+            createdConfigMaps.push({
               namespace,
               name: body?.metadata?.name ?? "",
               data: body?.data ?? {},
             });
             return Promise.resolve();
           },
+          createNamespacedSecret: ({
+            namespace,
+            body,
+          }: {
+            namespace: string;
+            body: any;
+          }) => {
+            createdSecrets.push({
+              namespace,
+              name: body?.metadata?.name ?? "",
+              data: body?.stringData ?? {},
+            });
+            return Promise.resolve();
+          },
         };
         return client as unknown as CoreV1Api;
       };
@@ -202,11 +228,26 @@ describe("outputResult", () => {
 
       await outputResult("kubernetes", samplePayload);
 
-      expect(listedNamespaces).toEqual(["test-namespace"]);
-      expect(created).toHaveLength(EXPECTED_CONFIGMAP_COUNT);
-      const names = created.map((entry) => entry.name).sort();
-      expect(names).toContain("besu-node-validator-1-address");
-      expect(names).toContain("besu-node-rpc-node-2-private-key");
+      expect(listedConfigNamespaces).toEqual(["test-namespace"]);
+      expect(listedSecretNamespaces).toEqual(["test-namespace"]);
+      expect(createdConfigMaps).toHaveLength(EXPECTED_CONFIGMAP_COUNT);
+      expect(createdSecrets).toHaveLength(EXPECTED_SECRET_COUNT);
+      const mapNames = createdConfigMaps.map((entry) => entry.name).sort();
+      expect(mapNames).toContain("besu-node-validator-1-address");
+      expect(mapNames).toContain("besu-genesis");
+      expect(mapNames).toContain("besu-faucet-address");
+      expect(mapNames).toContain("besu-faucet-pubkey");
+      expect(mapNames).not.toContain("besu-faucet-enode");
+      const secretNames = createdSecrets.map((entry) => entry.name).sort();
+      expect(secretNames).toEqual([
+        "besu-faucet-private-key",
+        "besu-node-rpc-node-2-private-key",
+        "besu-node-validator-1-private-key",
+      ]);
+      const privateKeySecret = createdSecrets.find((entry) =>
+        entry.name.endsWith("validator-1-private-key")
+      );
+      expect(privateKeySecret?.data?.privateKey).toMatch(HEX_PREFIX_PATTERN);
     } finally {
       (KubeConfig.prototype as any).loadFromCluster = originalLoad;
       (KubeConfig.prototype as any).makeApiClient = originalMake;
@@ -227,6 +268,7 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: () => Promise.resolve(),
+          listNamespacedSecret: () => Promise.resolve(),
           createNamespacedConfigMap: () => {
             const error = new Error("already exists");
             (
@@ -239,6 +281,7 @@ describe("outputResult", () => {
             };
             throw error;
           },
+          createNamespacedSecret: () => Promise.resolve(),
         };
         return client as unknown as CoreV1Api;
       };
@@ -258,6 +301,52 @@ describe("outputResult", () => {
     }
   });
 
+  test("kubernetes output surfaces secret conflict errors", async () => {
+    const originalLoad = (KubeConfig.prototype as any).loadFromCluster;
+    const originalMake = (KubeConfig.prototype as any).makeApiClient;
+    const originalFile = Bun.file;
+
+    try {
+      (KubeConfig.prototype as any).loadFromCluster =
+        function loadFromCluster(): void {
+          /* no-op for tests */
+        };
+      (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
+        const client = {
+          listNamespacedConfigMap: () => Promise.resolve(),
+          listNamespacedSecret: () => Promise.resolve(),
+          createNamespacedConfigMap: () => Promise.resolve(),
+          createNamespacedSecret: () => {
+            const error = new Error("already exists");
+            (
+              error as {
+                response?: { statusCode: number; body: { message: string } };
+              }
+            ).response = {
+              statusCode: HTTP_CONFLICT_STATUS,
+              body: { message: "already exists" },
+            };
+            throw error;
+          },
+        };
+        return client as unknown as CoreV1Api;
+      };
+
+      (Bun as any).file = () =>
+        ({
+          text: () => Promise.resolve("secret-conflict-namespace"),
+        }) as unknown as ReturnType<typeof Bun.file>;
+
+      await expect(outputResult("kubernetes", samplePayload)).rejects.toThrow(
+        "Secret besu-node-validator-1-private-key already exists. Delete it or choose a different output target."
+      );
+    } finally {
+      (KubeConfig.prototype as any).loadFromCluster = originalLoad;
+      (KubeConfig.prototype as any).makeApiClient = originalMake;
+      (Bun as any).file = originalFile;
+    }
+  });
+
   test("kubernetes output fails without cluster credentials", async () => {
     const originalLoad = (KubeConfig.prototype as any).loadFromCluster;
     const originalFile = Bun.file;
@@ -346,6 +435,7 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: () => Promise.reject(new Error("forbidden")),
+          listNamespacedSecret: () => Promise.resolve(),
         };
         return client as unknown as CoreV1Api;
       };
@@ -377,9 +467,11 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: () => Promise.resolve(),
+          listNamespacedSecret: () => Promise.resolve(),
           createNamespacedConfigMap: () => {
             throw new Error("boom");
           },
+          createNamespacedSecret: () => Promise.resolve(),
         };
         return client as unknown as CoreV1Api;
       };
@@ -411,12 +503,14 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: () => Promise.resolve(),
+          listNamespacedSecret: () => Promise.resolve(),
           createNamespacedConfigMap: () => {
             const error = new Error("failed");
             (error as { statusCode?: number }).statusCode =
               HTTP_INTERNAL_ERROR_STATUS;
             throw error;
           },
+          createNamespacedSecret: () => Promise.resolve(),
         };
         return client as unknown as CoreV1Api;
       };
@@ -448,6 +542,7 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: () => Promise.resolve(),
+          listNamespacedSecret: () => Promise.resolve(),
           createNamespacedConfigMap: () => {
             const error = new Error("response error");
             Object.defineProperty(error, "message", { value: undefined });
@@ -456,6 +551,7 @@ describe("outputResult", () => {
             };
             throw error;
           },
+          createNamespacedSecret: () => Promise.resolve(),
         };
         return client as unknown as CoreV1Api;
       };
@@ -487,6 +583,7 @@ describe("outputResult", () => {
       (KubeConfig.prototype as any).makeApiClient = function makeApiClient() {
         const client = {
           listNamespacedConfigMap: () => Promise.resolve(),
+          listNamespacedSecret: () => Promise.resolve(),
           createNamespacedConfigMap: () => {
             const error = new Error("body error");
             Object.defineProperty(error, "message", { value: undefined });
@@ -495,6 +592,7 @@ describe("outputResult", () => {
             };
             throw error;
           },
+          createNamespacedSecret: () => Promise.resolve(),
         };
         return client as unknown as CoreV1Api;
       };

src/cli/output.ts

@@ -1,6 +1,6 @@
 import { mkdir } from "node:fs/promises";
 import { join } from "node:path";
-import type { V1ConfigMap } from "@kubernetes/client-node";
+import type { V1ConfigMap, V1Secret } from "@kubernetes/client-node";
 import { CoreV1Api, KubeConfig } from "@kubernetes/client-node";
 
 import type { GeneratedNodeKey } from "../keys/node-key-factory.ts";
@@ -23,6 +23,8 @@ type ConfigMapSpec = {
   value: string;
 };
 
+type SecretSpec = ConfigMapSpec;
+
 const OUTPUT_DIR = "out";
 const NAMESPACE_PATH =
   "/var/run/secrets/kubernetes.io/serviceaccount/namespace";
@@ -133,13 +135,27 @@ const outputToKubernetes = async (payload: OutputPayload): Promise<void> => {
   const validatorSpecs = createSpecsForGroup("validator", payload.validators);
   const rpcSpecs = createSpecsForGroup("rpc-node", payload.rpcNodes);
   const allSpecs = [...validatorSpecs, ...rpcSpecs];
+  const configMapSpecs = [
+    ...allSpecs.filter((spec) => spec.key !== "privateKey"),
+    ...createFaucetConfigSpecs(payload.faucet),
+    {
+      name: "besu-genesis",
+      key: "genesis.json",
+      value: JSON.stringify(payload.genesis, null, 2),
+    },
+  ];
+  const secretSpecs = [
+    ...allSpecs.filter((spec) => spec.key === "privateKey"),
+    ...createFaucetSecretSpecs(payload.faucet),
+  ];
 
-  await Promise.all(
-    allSpecs.map((spec) => upsertConfigMap(client, namespace, spec))
-  );
+  await Promise.all([
+    ...configMapSpecs.map((spec) => upsertConfigMap(client, namespace, spec)),
+    ...secretSpecs.map((spec) => upsertSecret(client, namespace, spec)),
+  ]);
 
   process.stdout.write(
-    `Applied ${allSpecs.length} ConfigMaps in namespace ${namespace}.\n`
+    `Applied ${configMapSpecs.length} ConfigMaps and ${secretSpecs.length} Secrets in namespace ${namespace}.\n`
   );
 };
 
@@ -165,6 +181,19 @@ const createSpecsForGroup = (
   });
 };
 
+const createFaucetConfigSpecs = (faucet: GeneratedNodeKey): ConfigMapSpec[] => [
+  { name: "besu-faucet-address", key: "address", value: faucet.address },
+  { name: "besu-faucet-pubkey", key: "publicKey", value: faucet.publicKey },
+];
+
+const createFaucetSecretSpecs = (faucet: GeneratedNodeKey): SecretSpec[] => [
+  {
+    name: "besu-faucet-private-key",
+    key: "privateKey",
+    value: faucet.privateKey,
+  },
+];
+
 const createKubernetesClient = async (): Promise<{
   client: CoreV1Api;
   namespace: string;
@@ -195,7 +224,10 @@ const createKubernetesClient = async (): Promise<{
 
   const client = kubeConfig.makeApiClient(CoreV1Api);
   try {
-    await client.listNamespacedConfigMap({ namespace, limit: 1 });
+    await Promise.all([
+      client.listNamespacedConfigMap({ namespace, limit: 1 }),
+      client.listNamespacedSecret({ namespace, limit: 1 }),
+    ]);
   } catch (error) {
     throw new Error(
       `Kubernetes permissions check failed: ${extractKubernetesError(error)}`
@@ -230,6 +262,32 @@ const upsertConfigMap = async (
   }
 };
 
+const upsertSecret = async (
+  client: CoreV1Api,
+  namespace: string,
+  spec: SecretSpec
+): Promise<void> => {
+  const body: V1Secret = {
+    metadata: { name: spec.name },
+    stringData: { [spec.key]: spec.value },
+    type: "Opaque",
+  };
+
+  try {
+    await client.createNamespacedSecret({ namespace, body });
+  } catch (error) {
+    if (getStatusCode(error) === HTTP_CONFLICT_STATUS) {
+      throw new Error(
+        `Secret ${spec.name} already exists. Delete it or choose a different output target.`
+      );
+    }
+
+    throw new Error(
+      `Failed to create Secret ${spec.name}: ${extractKubernetesError(error)}`
+    );
+  }
+};
+
 const extractKubernetesError = (error: unknown): string => {
   if (typeof error === "string") {
     return error;