Merge pull request #279 from zeonin/main

Fix Openshift 4.7 issues
2024-12-14 11:57:59 +00:00 · 2021-07-25 13:01:17 +00:00 · 2021-07-25 13:01:17 +00:00 · bd6e868474
commit bd6e868474
parent 25f04b506e 3a4dfadb68
2 changed files with 15 additions and 6 deletions
--- a/deploy/charts/external-secrets/templates/rbac.yaml
+++ b/deploy/charts/external-secrets/templates/rbac.yaml
@ -21,6 +21,7 @@ rules:
    resources:
    - "externalsecrets"
    - "externalsecrets/status"
+    - "externalsecrets/finalizers"
    verbs:
    - "update"
    - "patch"
--- a/pkg/provider/vault/vault.go
+++ b/pkg/provider/vault/vault.go
@ -59,6 +59,7 @@ const (

 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
+	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"

 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
 	errSecretKeyFmt  = "cannot find secret data for key: %q"
@ -301,13 +302,20 @@ func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccou
 	if len(serviceAccount.Secrets) == 0 {
 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
 	}
-	tokenRef := serviceAccount.Secrets[0]
+	for _, tokenRef := range serviceAccount.Secrets {
+		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
+			Name:      tokenRef.Name,
+			Namespace: &ref.Namespace,
+			Key:       "token",
+		})

-	return v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
-		Name:      tokenRef.Name,
-		Namespace: &ref.Namespace,
-		Key:       "token",
-	})
+		if err != nil {
+			continue
+		}
+
+		return retval, nil
+	}
+	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
 }

 func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {