Merge pull request #530 from ADustyOldMuffin/add-docs-and-fix-ca-vault

Add documentation for CAProvider namespace and fix issue with SecretStore
2024-12-14 11:57:59 +00:00 · 2021-12-16 19:44:24 +00:00 · 2021-12-16 19:44:24 +00:00 · 78d046b712
commit 78d046b712
parent c351efcc15 f468868b5b
8 changed files with 82 additions and 14 deletions
--- a/apis/externalsecrets/v1alpha1/secretstore_vault_types.go
+++ b/apis/externalsecrets/v1alpha1/secretstore_vault_types.go
@ -46,8 +46,8 @@ type CAProvider struct {
 	Key string `json:"key,omitempty"`

 	// The namespace the Provider type is in.
-	// +kubebuilder:default:="Default"
-	Namespace string `json:"namespace"`
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
 }

 // Configures an store to sync secrets using a HashiCorp Vault
--- a/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
@ -282,6 +282,11 @@ func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CAProvider) DeepCopyInto(out *CAProvider) {
 	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
@ -1230,7 +1235,7 @@ func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
 	if in.CAProvider != nil {
 		in, out := &in.CAProvider, &out.CAProvider
 		*out = new(CAProvider)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 }

--- a/deploy/crds/external-secrets.io_clustersecretstores.yaml
+++ b/deploy/crds/external-secrets.io_clustersecretstores.yaml
@ -846,7 +846,6 @@ spec:
                              type.
                            type: string
                          namespace:
-                            default: Default
                            description: The namespace the Provider type is in.
                            type: string
                          type:
@ -858,7 +857,6 @@ spec:
                            type: string
                        required:
                        - name
-                        - namespace
                        - type
                        type: object
                      namespace:
--- a/deploy/crds/external-secrets.io_secretstores.yaml
+++ b/deploy/crds/external-secrets.io_secretstores.yaml
@ -846,7 +846,6 @@ spec:
                              type.
                            type: string
                          namespace:
-                            default: Default
                            description: The namespace the Provider type is in.
                            type: string
                          type:
@ -858,7 +857,6 @@ spec:
                            type: string
                        required:
                        - name
-                        - namespace
                        - type
                        type: object
                      namespace:
--- a/docs/snippets/full-cluster-secret-store.yaml
+++ b/docs/snippets/full-cluster-secret-store.yaml
@ -42,7 +42,17 @@ spec:
      version: "v2"
      # vault enterprise namespace: https://www.vaultproject.io/docs/enterprise/namespaces
      namespace: "a-team"
+      # base64 encoded string of certificate
      caBundle: "..."
+      # Instead of caBundle you can also specify a caProvider
+      # this will retrieve the cert from a Secret or ConfigMap
+      caProvider:
+        # Can be Secret or ConfigMap
+        type: "Secret"
+        # This is mandatory for ClusterSecretStore and not relevant for SecretStore
+        namespace: "my-cert-secret-namespace"
+        name: "my-cert-secret"
+        key: "cert-key"
      auth:
        # static token: https://www.vaultproject.io/docs/auth/token
        tokenSecretRef:
--- a/docs/snippets/full-secret-store.yaml
+++ b/docs/snippets/full-secret-store.yaml
@ -58,8 +58,6 @@ spec:
      caProvider:
        # Can be Secret or ConfigMap
        type: "Secret"
-        # This is optional, if not specified will be 'Default'
-        namespace: "my-cert-secret-namespace"
        name: "my-cert-secret"
        key: "cert-key"

--- a/pkg/provider/vault/vault.go
+++ b/pkg/provider/vault/vault.go
@ -73,6 +73,7 @@ const (
 	errVaultRevokeToken = "error while revoking token: %w"

 	errUnknownCAProvider = "unknown caProvider type given"
+	errCANamespace       = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
 )

 type Client interface {
@ -251,6 +252,10 @@ func (v *client) newConfig() (*vault.Config, error) {
 		}
 	}

+	if v.store.CAProvider != nil && v.storeKind == esv1alpha1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
+		return nil, errors.New(errCANamespace)
+	}
+
 	if v.store.CAProvider != nil {
 		var cert []byte
 		var err error
@ -283,10 +288,14 @@ func (v *client) newConfig() (*vault.Config, error) {

 func getCertFromSecret(v *client) ([]byte, error) {
 	secretRef := esmeta.SecretKeySelector{
-		Name:      v.store.CAProvider.Name,
-		Namespace: &v.store.CAProvider.Namespace,
-		Key:       v.store.CAProvider.Key,
+		Name: v.store.CAProvider.Name,
+		Key:  v.store.CAProvider.Key,
 	}
+
+	if v.store.CAProvider.Namespace != nil {
+		secretRef.Namespace = v.store.CAProvider.Namespace
+	}
+
 	ctx := context.Background()
 	res, err := v.secretKeyRef(ctx, &secretRef)
 	if err != nil {
@ -298,8 +307,11 @@ func getCertFromSecret(v *client) ([]byte, error) {

 func getCertFromConfigMap(v *client) ([]byte, error) {
 	objKey := types.NamespacedName{
-		Namespace: v.store.CAProvider.Namespace,
-		Name:      v.store.CAProvider.Name,
+		Name: v.store.CAProvider.Name,
+	}
+
+	if v.store.CAProvider.Namespace != nil {
+		objKey.Namespace = *v.store.CAProvider.Namespace
 	}

 	configMapRef := &corev1.ConfigMap{}
--- a/pkg/provider/vault/vault_test.go
+++ b/pkg/provider/vault/vault_test.go
@ -119,6 +119,41 @@ func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha1.SecretStore {
 	return store
 }

+func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore {
+	return &esv1alpha1.ClusterSecretStore{
+		TypeMeta: metav1.TypeMeta{
+			Kind: "ClusterSecretStore",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "vault-store",
+			Namespace: "default",
+		},
+		Spec: esv1alpha1.SecretStoreSpec{
+			Provider: &esv1alpha1.SecretStoreProvider{
+				Vault: &esv1alpha1.VaultProvider{
+					Server:  "vault.example.com",
+					Path:    "secret",
+					Version: "v2",
+					Auth: esv1alpha1.VaultAuth{
+						Kubernetes: &esv1alpha1.VaultKubernetesAuth{
+							Path: "kubernetes",
+							Role: "kubernetes-auth-role",
+							ServiceAccountRef: &esmeta.ServiceAccountSelector{
+								Name: "example-sa",
+							},
+						},
+					},
+					CAProvider: &esv1alpha1.CAProvider{
+						Name: "vault-cert",
+						Key:  "cert",
+						Type: "Secret",
+					},
+				},
+			},
+		},
+	}
+}
+
 type secretStoreTweakFn func(s *esv1alpha1.SecretStore)

 func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1alpha1.SecretStore {
@ -352,6 +387,18 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 				err: nil,
 			},
 		},
+		"GetCertNamespaceMissingError": {
+			reason: "Should return an error if namespace is missing and is a ClusterSecretStore",
+			args: args{
+				store: makeInvalidClusterSecretStoreWithK8sCerts(),
+				kube: &test.MockClient{
+					MockGet: test.NewMockGetFn(nil, kubeMockWithSecretTokenAndServiceAcc),
+				},
+			},
+			want: want{
+				err: errors.New(errCANamespace),
+			},
+		},
 		"GetCertSecretKeyMissingError": {
 			reason: "Should return an error if the secret key is missing",
 			args: args{