* fix cert auth without token fixed #3926 Signed-off-by: kaedwen <kaedwen@heinrich.blue> * refactor auth prepare, fail when nothing is given Signed-off-by: kaedwen <kaedwen@heinrich.blue> --------- Signed-off-by: kaedwen <kaedwen@heinrich.blue> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
This commit is contained in:
parent
9ecb4e45e3
commit
e9f291bd32
2 changed files with 30 additions and 42 deletions
|
@ -44,6 +44,14 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
|
||||||
return clientcmd.RESTConfigFromKubeConfig(cfg)
|
return clientcmd.RESTConfigFromKubeConfig(cfg)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.store.Server.URL == "" {
|
||||||
|
return nil, errors.New("no server URL provided")
|
||||||
|
}
|
||||||
|
|
||||||
|
cfg := &rest.Config{
|
||||||
|
Host: c.store.Server.URL,
|
||||||
|
}
|
||||||
|
|
||||||
ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
|
ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
|
||||||
CABundle: c.store.Server.CABundle,
|
CABundle: c.store.Server.CABundle,
|
||||||
CAProvider: c.store.Server.CAProvider,
|
CAProvider: c.store.Server.CAProvider,
|
||||||
|
@ -55,43 +63,39 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
var token []byte
|
cfg.TLSClientConfig = rest.TLSClientConfig{
|
||||||
if c.store.Auth.Token != nil {
|
Insecure: false,
|
||||||
token, err = c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken)
|
CAData: ca,
|
||||||
|
}
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case c.store.Auth.Token != nil:
|
||||||
|
token, err := c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err)
|
return nil, fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err)
|
||||||
}
|
}
|
||||||
} else if c.store.Auth.ServiceAccount != nil {
|
|
||||||
token, err = c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount)
|
cfg.BearerToken = string(token)
|
||||||
|
case c.store.Auth.ServiceAccount != nil:
|
||||||
|
token, err := c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err)
|
return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err)
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
return nil, errors.New("no auth provider given")
|
|
||||||
}
|
|
||||||
|
|
||||||
var key, cert []byte
|
cfg.BearerToken = string(token)
|
||||||
if c.store.Auth.Cert != nil {
|
case c.store.Auth.Cert != nil:
|
||||||
key, cert, err = c.getClientKeyAndCert(ctx)
|
key, cert, err := c.getClientKeyAndCert(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not fetch client key and cert: %w", err)
|
return nil, fmt.Errorf("could not fetch client key and cert: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cfg.TLSClientConfig.KeyData = key
|
||||||
|
cfg.TLSClientConfig.CertData = cert
|
||||||
|
default:
|
||||||
|
return nil, errors.New("no auth provider given")
|
||||||
}
|
}
|
||||||
|
|
||||||
if c.store.Server.URL == "" {
|
return cfg, nil
|
||||||
return nil, errors.New("no server URL provided")
|
|
||||||
}
|
|
||||||
|
|
||||||
return &rest.Config{
|
|
||||||
Host: c.store.Server.URL,
|
|
||||||
BearerToken: string(token),
|
|
||||||
TLSClientConfig: rest.TLSClientConfig{
|
|
||||||
Insecure: false,
|
|
||||||
CertData: cert,
|
|
||||||
KeyData: key,
|
|
||||||
CAData: ca,
|
|
||||||
},
|
|
||||||
}, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) getClientKeyAndCert(ctx context.Context) ([]byte, []byte, error) {
|
func (c *Client) getClientKeyAndCert(ctx context.Context) ([]byte, []byte, error) {
|
||||||
|
|
|
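Review bot: A store that sets Auth.Token (or Auth.ServiceAccount) together with Auth.Cert now silently drops the client certificate, because the new `switch` in the second hunk stops at the first matching case: `cfg.BearerToken` is set and the `case c.store.Auth.Cert != nil` branch never runs, whereas the removed code applied the token and the key/cert pair together. The TestSetAuth case that combined a token with a cert is deleted in the same commit, so no test exercises that combination any more. If combining them is intentionally unsupported, reject the ambiguous spec with an explicit error before the switch rather than ignoring part of the configured credentials; if the precedence is intended, at least document it on the switch, e.g. `// Token takes precedence over ServiceAccount, which takes precedence over Cert; only one is applied.` getAuth's signature and its kubeconfig branch lie above the first hunk.
```go
	// … unchanged: server URL check, CA fetch and cfg.TLSClientConfig setup …

	// Exactly one auth provider must be configured; an ambiguous spec is an
	// error rather than a silent choice so a configured credential is never dropped.
	configured := 0
	for _, set := range []bool{
		c.store.Auth.Token != nil,
		c.store.Auth.ServiceAccount != nil,
		c.store.Auth.Cert != nil,
	} {
		if set {
			configured++
		}
	}
	if configured > 1 {
		return nil, errors.New("more than one auth provider given")
	}

	// … unchanged: switch over Auth.Token / Auth.ServiceAccount / Auth.Cert …
```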
@ -250,14 +250,6 @@ func TestSetAuth(t *testing.T) {
|
||||||
"cert": []byte("my-cert"),
|
"cert": []byte("my-cert"),
|
||||||
"key": []byte("my-key"),
|
"key": []byte("my-key"),
|
||||||
},
|
},
|
||||||
}, &corev1.Secret{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
|
||||||
Name: "foobar",
|
|
||||||
Namespace: "default",
|
|
||||||
},
|
|
||||||
Data: map[string][]byte{
|
|
||||||
"token": []byte("mytoken"),
|
|
||||||
},
|
|
||||||
}).Build(),
|
}).Build(),
|
||||||
store: &esv1beta1.KubernetesProvider{
|
store: &esv1beta1.KubernetesProvider{
|
||||||
Server: esv1beta1.KubernetesServer{
|
Server: esv1beta1.KubernetesServer{
|
||||||
|
@ -265,13 +257,6 @@ func TestSetAuth(t *testing.T) {
|
||||||
CABundle: []byte(caCert),
|
CABundle: []byte(caCert),
|
||||||
},
|
},
|
||||||
Auth: esv1beta1.KubernetesAuth{
|
Auth: esv1beta1.KubernetesAuth{
|
||||||
Token: &esv1beta1.TokenAuth{
|
|
||||||
BearerToken: v1.SecretKeySelector{
|
|
||||||
Name: "foobar",
|
|
||||||
Namespace: pointer.To("shouldnotberelevant"),
|
|
||||||
Key: "token",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
Cert: &esv1beta1.CertAuth{
|
Cert: &esv1beta1.CertAuth{
|
||||||
ClientCert: v1.SecretKeySelector{
|
ClientCert: v1.SecretKeySelector{
|
||||||
Name: "mycert",
|
Name: "mycert",
|
||||||
|
@ -286,8 +271,7 @@ func TestSetAuth(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
want: &want{
|
want: &want{
|
||||||
Host: "https://my.test.tld",
|
Host: "https://my.test.tld",
|
||||||
BearerToken: "mytoken",
|
|
||||||
TLSClientConfig: rest.TLSClientConfig{
|
TLSClientConfig: rest.TLSClientConfig{
|
||||||
CAData: []byte(caCert),
|
CAData: []byte(caCert),
|
||||||
CertData: []byte("my-cert"),
|
CertData: []byte("my-cert"),
|
||||||
|
|