
make sure we check if it is referent during NewClient

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
This commit is contained in:
Gustavo Carvalho 2022-06-01 10:35:59 -03:00
parent e9c6e6d1a6
commit e6f050e873


@ -279,7 +279,7 @@ func (c *connector) newClient(ctx context.Context, store esv1beta1.GenericStore,
// allow SecretStore controller validation to pass
// when using referent namespace.
if vStore.storeKind == esv1beta1.ClusterSecretStoreKind && vStore.namespace == "" {
if vStore.storeKind == esv1beta1.ClusterSecretStoreKind && vStore.namespace == "" && isReferentSpec(vaultSpec) {
return vStore, nil
}
if err := vStore.setAuth(ctx, cfg); err != nil {
@ -585,35 +585,40 @@ func (v *client) Close(ctx context.Context) error {
return nil
}
func isReferentSpec(prov *esv1beta1.VaultProvider) bool {
if prov.Auth.TokenSecretRef != nil && prov.Auth.TokenSecretRef.Namespace == nil {
return true
}
if prov.Auth.AppRole != nil && prov.Auth.AppRole.SecretRef.Namespace == nil {
return true
}
if prov.Auth.Kubernetes != nil && prov.Auth.Kubernetes.SecretRef != nil && prov.Auth.Kubernetes.SecretRef.Namespace == nil {
return true
}
if prov.Auth.Kubernetes != nil && prov.Auth.Kubernetes.ServiceAccountRef != nil && prov.Auth.Kubernetes.ServiceAccountRef.Namespace == nil {
return true
}
if prov.Auth.Ldap != nil && prov.Auth.Ldap.SecretRef.Namespace == nil {
return true
}
if prov.Auth.Jwt != nil && prov.Auth.Jwt.SecretRef != nil && prov.Auth.Jwt.SecretRef.Namespace == nil {
return true
}
if prov.Auth.Jwt != nil && prov.Auth.Jwt.KubernetesServiceAccountToken != nil && prov.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef.Namespace == nil {
return true
}
if prov.Auth.Cert != nil && prov.Auth.Cert.SecretRef.Namespace == nil {
return true
}
return false
}
func (v *client) Validate() (esv1beta1.ValidationResult, error) {
// when using referent namespace we can not validate the token
// because the namespace is not known yet when Validate() is called
// from the SecretStore controller.
if v.storeKind == esv1beta1.ClusterSecretStoreKind {
if v.store.Auth.TokenSecretRef != nil && v.store.Auth.TokenSecretRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.AppRole != nil && v.store.Auth.AppRole.SecretRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.Kubernetes != nil && v.store.Auth.Kubernetes.SecretRef != nil && v.store.Auth.Kubernetes.SecretRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.Kubernetes != nil && v.store.Auth.Kubernetes.ServiceAccountRef != nil && v.store.Auth.Kubernetes.ServiceAccountRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.Ldap != nil && v.store.Auth.Ldap.SecretRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.Jwt != nil && v.store.Auth.Jwt.SecretRef != nil && v.store.Auth.Jwt.SecretRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.Jwt != nil && v.store.Auth.Jwt.KubernetesServiceAccountToken != nil && v.store.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.store.Auth.Cert != nil && v.store.Auth.Cert.SecretRef.Namespace == nil {
return esv1beta1.ValidationResultUnknown, nil
}
if v.storeKind == esv1beta1.ClusterSecretStoreKind && isReferentSpec(v.store) {
return esv1beta1.ValidationResultUnknown, nil
}
_, err := checkToken(context.Background(), v)
if err != nil {