Add unit tests for validating repository server secrets [PR#2] (#2124)

* add skeleton for validation repoitory server secrets * fix bugs * add licence headers * address review comments * change the secret type to v1.secrettype * initialize k8s client instead of all the clients since they are not required * move the consts to a secrets package so that they can be reused * move the consts to a secrets package so that they can be reused * refactor to use common constants * move the consts to a secrets package so that they can be reused * refactor to use the constants from secrets folder * address review comments * add headers * address review comments * move location key constants to secrets package * move location key constants to repositoryserver package * refactor use the constants from repositoryserver package * resolve merge conflicts * address review comments * add support for filestore secret * make lint happy * address comments * make lint happy * add licence headers * add comments on the constants * consistent error messages * Change name of constants for better readability * fix typo * simplify validation logic * change error message * remove unwanted comments * add comment in the validate repository password function * change function name for getLocationType to getLocationSecret * add nil checks for secrets * fix build issues * add empty secret checks * rename interface name to secret for readability * address review comments * address review comments * use cmd.Context * Add Cache Size Support in Templating Params in RepositoryServer (#2111) * Update param.go Signed-off-by: Rajat Gupta <rajat.gupta@veeam.com> * Address Comments Signed-off-by: Rajat Gupta <rajat.gupta@veeam.com> * Error Handling Signed-off-by: Rajat Gupta <rajat.gupta@veeam.com> --------- Signed-off-by: Rajat Gupta <rajat.gupta@veeam.com> * Make RepositoryServer struct consistent with RepositoryServer CRD (#2122) * Remove optional Markers, Add omitempty to fields in RepositoryServer struct as specified in repositoryserver.yaml Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Fix the indentation of repositoryserver CRD(repositoryserver.yaml) Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> --------- Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * add unit tests for repository server location credentials * make lint happy * add validation for kopia repository server controller secrets (#1940) * add skeleton for validation repoitory server secrets * fix bugs * add licence headers * address review comments * change the secret type to v1.secrettype * initialize k8s client instead of all the clients since they are not required * move the consts to a secrets package so that they can be reused * move the consts to a secrets package so that they can be reused * refactor to use common constants * move the consts to a secrets package so that they can be reused * refactor to use the constants from secrets folder * address review comments * add headers * address review comments * move location key constants to secrets package * move location key constants to repositoryserver package * refactor use the constants from repositoryserver package * resolve merge conflicts * address review comments * add support for filestore secret * make lint happy * address comments * make lint happy * add licence headers * add comments on the constants * consistent error messages * Change name of constants for better readability * fix typo * simplify validation logic * change error message * remove unwanted comments * add comment in the validate repository password function * change function name for getLocationType to getLocationSecret * add nil checks for secrets * fix build issues * add empty secret checks * rename interface name to secret for readability * address review comments * address review comments * use cmd.Context * Update MAINTAINERS.md (#2127) * support projectid in gcp provider (#2129) Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * fix delete action (#2131) * Import the general client/auth package (#2134) Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * Fix pkg/config to use standard kubeconfig machinery (#2133) Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * Fix pkg/kube to use standard kubeconfig machinery (#2132) Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * Update ubi-minimal base image to ubi-minimal:9.2-691 (#2130) Co-authored-by: Kasten Production <infra@kasten.io> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * add tests for validating repository password and repository server admin credentials * fix tests * fix lint * fix e2e volume snapshot test (#2141) * Remove unused dirs to increase free space in GH runner (#2138) * Refactoring push_images.sh to consume a single source of truth containing valid images (#2147) * Refactoring push_images.sh to take in the single source of truth Made change * Added single source of truth file * Fixing issue with image list * Update RepositoryServer CR Status field to add `metav1.Condition` (#2135) * Update RepositoryServer CR Status fields, add metav1.conditions Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Update RepositoryServer CRD Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Run 'make codegen' Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Fix Lint Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Refactor name, set ClientInitialized to ClientUserInitialized Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> --------- Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * Add: ROADMAP.md (#2126) * Add: ROADMAP.md Signed-off-by: Mark <mlavi@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Update ROADMAP.md Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> --------- Signed-off-by: Mark <mlavi@users.noreply.github.com> Co-authored-by: Mark <mlavi@users.noreply.github.com> Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * Kanister docs update to version 0.93.0 (#2149) Co-authored-by: Kasten Production <infra@kasten.io> * Refactor RepositoryServer controller (#2136) * Update RepositoryServer CR Status fields, add metav1.conditions Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Update RepositoryServer CRD Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Run 'make codegen' Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Fix Lint Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Refactor name, set ClientInitialized to ClientUserInitialized Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Refactor RepositoryServer Controller Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Run gofmt Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * add error handling in refreshServer function Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> * Add function to update Progress in RepositoryServerStatus Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> --------- Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> Co-authored-by: kale-amruta <41624751+kale-amruta@users.noreply.github.com> * Revert "Refactor RepositoryServer controller (#2136)" (#2150) This reverts commit fb4bd07. * Add base unit test suite for repository server controller(#PR1) (#2100) * add base suite for repository server controller * use constants for location secret keys * make the constants local to the package * add licence headers * fix licence headers * fix lint issues * remove unused functions and move to next PR * fix build issues * move secret creation utils under test suite * add base suite for repository server controller * use constants for location secret keys * make the constants local to the package * add licence headers * fix licence headers * fix lint issues * remove unused functions and move to next PR * fix build issues * move secret creation utils under test suite * address review comments * move test utilities to pkg/testutil/testutil.go * rename kopia repository path constant name * move constants to const.go * move constants to const.go * initialize reconciler in a better way * Run PostgreSQL integration tests on 12.6.0 chart (#2156) Signed-off-by: Prasad Ghangal <prasad.ghangal@gmail.com> * Adjust ref apps for OCP 4.13 (#2152) Kanister test automation config for OCP 4.13 version Co-authored-by: Vladislav Naumov <vladislav.naumov@PRG10457-MacBook-Pro.local> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> * deps(go): bump google.golang.org/api from 0.120.0 to 0.130.0 (#2157) Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.120.0 to 0.130.0. - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.120.0...v0.130.0) --- updated-dependencies: - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * deps(go): bump golang.org/x/oauth2 from 0.7.0 to 0.10.0 (#2158) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.10.0. - [Commits](golang/oauth2@v0.7.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * remove unwanted declaration of context variable --------- Signed-off-by: Rajat Gupta <rajat.gupta@veeam.com> Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> Signed-off-by: Mark <mlavi@users.noreply.github.com> Signed-off-by: Prasad Ghangal <prasad.ghangal@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Rajat Gupta <37516416+r4rajat@users.noreply.github.com> Co-authored-by: Akanksha kumari <akankshakumari393@gmail.com> Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> Co-authored-by: alexy.bee <alexey.blokhin@kasten.io> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Co-authored-by: Mark Severson <mark@kasten.io> Co-authored-by: Infra Bot <63741182+infraq@users.noreply.github.com> Co-authored-by: Kasten Production <infra@kasten.io> Co-authored-by: Nishant Ravi Shankar <23146332+mellon-collie@users.noreply.github.com> Co-authored-by: Mark Lavi <5642075+mlavi@users.noreply.github.com> Co-authored-by: Mark <mlavi@users.noreply.github.com> Co-authored-by: Prasad Ghangal <prasad.ghangal@gmail.com> Co-authored-by: Vladislav Naumov <vladislav.naumov@kasten.io> Co-authored-by: Vladislav Naumov <vladislav.naumov@PRG10457-MacBook-Pro.local> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
kanisterio · Jul 7, 2023 · 9d38168 · 9d38168
1 parent 48eee5d
commit 9d38168
Show file tree

Hide file tree

Showing 6 changed files with 518 additions and 0 deletions.
diff --git a/pkg/secrets/repositoryserver/aws_secrets_test.go b/pkg/secrets/repositoryserver/aws_secrets_test.go
@@ -0,0 +1,101 @@
+// Copyright 2023 The Kanister Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package repositoryserver
+
+import (
+	"github.com/pkg/errors"
+	. "gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	secerrors "github.com/kanisterio/kanister/pkg/secrets/errors"
+)
+
+type AWSSecretCredsSuite struct{}
+
+var _ = Suite(&AWSSecretCredsSuite{})
+
+func (s *AWSSecretCredsSuite) TestValidateRepoServerAWSCredentials(c *C) {
+	for i, tc := range []struct {
+		secret        Secret
+		errChecker    Checker
+		expectedError error
+	}{
+		{ // Valid AWS Secret
+			secret: NewAWSLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeS3),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					BucketKey: []byte("bucket"),
+					RegionKey: []byte("region"),
+				},
+			}),
+			errChecker: IsNil,
+		},
+		{ // Missing required field - Region Key
+			secret: NewAWSLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeS3),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					BucketKey: []byte("bucket"),
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.MissingRequiredFieldErrorMsg, RegionKey, "ns", "sec"),
+		},
+		{ // Missing required field - Bucket Key
+			secret: NewAWSLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeS3),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					RegionKey: []byte("region"),
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.MissingRequiredFieldErrorMsg, BucketKey, "ns", "sec"),
+		},
+		{ // Empty Secret
+			secret: NewAWSLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeS3),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.EmptySecretErrorMessage, "ns", "sec"),
+		},
+		{ // Nil Secret
+			secret:        NewAWSLocation(nil),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.NilSecretErrorMessage),
+		},
+	} {
+		err := tc.secret.Validate()
+		c.Check(err, tc.errChecker)
+		if err != nil {
+			c.Check(err.Error(), Equals, tc.expectedError.Error(), Commentf("test number: %d", i))
+		}
+	}
+}
diff --git a/pkg/secrets/repositoryserver/azure_secrets_test.go b/pkg/secrets/repositoryserver/azure_secrets_test.go
@@ -0,0 +1,88 @@
+// Copyright 2023 The Kanister Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package repositoryserver
+
+import (
+	"github.com/pkg/errors"
+	. "gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	secerrors "github.com/kanisterio/kanister/pkg/secrets/errors"
+)
+
+type AzureSecretCredsSuite struct{}
+
+var _ = Suite(&AzureSecretCredsSuite{})
+
+func (s *AzureSecretCredsSuite) TestValidateRepoServerAzureCredentials(c *C) {
+	for i, tc := range []struct {
+		secret        Secret
+		errChecker    Checker
+		expectedError error
+	}{
+		{ // Valid Azure Secret
+			secret: NewAzureLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeAzure),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					BucketKey: []byte("bucket"),
+					RegionKey: []byte("region"),
+				},
+			}),
+			errChecker: IsNil,
+		},
+		{ // Missing required field - Bucket Key
+			secret: NewAzureLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeAzure),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					RegionKey: []byte("region"),
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.MissingRequiredFieldErrorMsg, BucketKey, "ns", "sec"),
+		},
+		{ // Empty Secret
+			secret: NewAzureLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeAzure),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.EmptySecretErrorMessage, "ns", "sec"),
+		},
+		{ // Nil Secret
+			secret:        NewAzureLocation(nil),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.NilSecretErrorMessage),
+		},
+	} {
+		err := tc.secret.Validate()
+		c.Check(err, tc.errChecker)
+
+		if err != nil {
+			c.Check(err.Error(), Equals, tc.expectedError.Error(), Commentf("test number: %d", i))
+		}
+	}
+}
diff --git a/pkg/secrets/repositoryserver/gcp_secrets_test.go b/pkg/secrets/repositoryserver/gcp_secrets_test.go
@@ -0,0 +1,87 @@
+// Copyright 2023 The Kanister Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package repositoryserver
+
+import (
+	"github.com/pkg/errors"
+	. "gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	secerrors "github.com/kanisterio/kanister/pkg/secrets/errors"
+)
+
+type GCPSecretCredsSuite struct{}
+
+var _ = Suite(&GCPSecretCredsSuite{})
+
+func (s *GCPSecretCredsSuite) TestValidateRepoServerGCPCredentials(c *C) {
+	for i, tc := range []struct {
+		secret        Secret
+		errChecker    Checker
+		expectedError error
+	}{
+		{ // Valid GCP Secret
+			secret: NewGCPLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeGCS),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					BucketKey: []byte("bucket"),
+					RegionKey: []byte("region"),
+				},
+			}),
+			errChecker: IsNil,
+		},
+		{ // Missing required field - Bucket Key
+			secret: NewGCPLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeGCS),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					RegionKey: []byte("region"),
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.MissingRequiredFieldErrorMsg, BucketKey, "ns", "sec"),
+		},
+		{ // Empty Secret
+			secret: NewGCPLocation(&v1.Secret{
+				Type: v1.SecretType(LocTypeGCS),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.EmptySecretErrorMessage, "ns", "sec"),
+		},
+		{ // Nil Secret
+			secret:        NewGCPLocation(nil),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.NilSecretErrorMessage),
+		},
+	} {
+		err := tc.secret.Validate()
+		c.Check(err, tc.errChecker)
+		if err != nil {
+			c.Check(err.Error(), Equals, tc.expectedError.Error(), Commentf("test number: %d", i))
+		}
+	}
+}
diff --git a/pkg/secrets/repositoryserver/repository_password_test.go b/pkg/secrets/repositoryserver/repository_password_test.go
@@ -0,0 +1,101 @@
+// Copyright 2023 The Kanister Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package repositoryserver
+
+import (
+	"github.com/pkg/errors"
+	. "gopkg.in/check.v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	secerrors "github.com/kanisterio/kanister/pkg/secrets/errors"
+)
+
+type RepositoryPasswordSecretSuite struct{}
+
+var _ = Suite(&RepositoryPasswordSecretSuite{})
+
+func (s *GCPSecretCredsSuite) TestValidateRepositoryPassword(c *C) {
+	for i, tc := range []struct {
+		secret        Secret
+		errChecker    Checker
+		expectedError error
+	}{
+		{ // Valid Repository Password Secret
+			secret: NewRepoPassword(&v1.Secret{
+				Type: v1.SecretType(RepositoryPasswordSecret),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					RepoPasswordKey: []byte("repopassword"),
+				},
+			}),
+			errChecker: IsNil,
+		},
+		{ // Missing required field - Repo Password Key
+			secret: NewRepoPassword(&v1.Secret{
+				Type: v1.SecretType(RepositoryPasswordSecret),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					BucketKey: []byte("bucketkey"),
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.MissingRequiredFieldErrorMsg, RepoPasswordKey, "ns", "sec"),
+		},
+		{ // Secret should contain only 1 key value pair
+			secret: NewRepoPassword(&v1.Secret{
+				Type: v1.SecretType(RepositoryPasswordSecret),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+				Data: map[string][]byte{
+					BucketKey:       []byte("bucketkey"),
+					RepoPasswordKey: []byte("repopassword"),
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.UnknownFieldErrorMsg, "ns", "sec"),
+		},
+		{ // Empty Secret
+			secret: NewRepoPassword(&v1.Secret{
+				Type: v1.SecretType(RepositoryPasswordSecret),
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "sec",
+					Namespace: "ns",
+				},
+			}),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.EmptySecretErrorMessage, "ns", "sec"),
+		},
+		{ // Nil Secret
+			secret:        NewRepoPassword(nil),
+			errChecker:    NotNil,
+			expectedError: errors.Wrapf(secerrors.ErrValidate, secerrors.NilSecretErrorMessage),
+		},
+	} {
+		err := tc.secret.Validate()
+		c.Check(err, tc.errChecker)
+		if err != nil {
+			c.Check(err.Error(), Equals, tc.expectedError.Error(), Commentf("test number: %d", i))
+		}
+	}
+}