fix cert auth without token fixed #3926 (#3952)

* fix cert auth without token fixed #3926

Signed-off-by: kaedwen <kaedwen@heinrich.blue>

* refactor auth prepare, fail when nothing is given

Signed-off-by: kaedwen <kaedwen@heinrich.blue>

---------

Signed-off-by: kaedwen <kaedwen@heinrich.blue>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
kaedwen 2024-10-08 19:58:39 +02:00 committed by GitHub
parent 9ecb4e45e3
commit e9f291bd32
2 changed files with 30 additions and 42 deletions


@ -44,6 +44,14 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
return clientcmd.RESTConfigFromKubeConfig(cfg) return clientcmd.RESTConfigFromKubeConfig(cfg)
} }
if c.store.Server.URL == "" {
return nil, errors.New("no server URL provided")
}
cfg := &rest.Config{
Host: c.store.Server.URL,
}
ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{ ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
CABundle: c.store.Server.CABundle, CABundle: c.store.Server.CABundle,
CAProvider: c.store.Server.CAProvider, CAProvider: c.store.Server.CAProvider,
@ -55,43 +63,39 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
return nil, err return nil, err
} }
var token []byte cfg.TLSClientConfig = rest.TLSClientConfig{
if c.store.Auth.Token != nil { Insecure: false,
token, err = c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken) CAData: ca,
}
switch {
case c.store.Auth.Token != nil:
token, err := c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err) return nil, fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err)
} }
} else if c.store.Auth.ServiceAccount != nil {
token, err = c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount) cfg.BearerToken = string(token)
case c.store.Auth.ServiceAccount != nil:
token, err := c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err) return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err)
} }
} else {
return nil, errors.New("no auth provider given")
}
var key, cert []byte cfg.BearerToken = string(token)
if c.store.Auth.Cert != nil { case c.store.Auth.Cert != nil:
key, cert, err = c.getClientKeyAndCert(ctx) key, cert, err := c.getClientKeyAndCert(ctx)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not fetch client key and cert: %w", err) return nil, fmt.Errorf("could not fetch client key and cert: %w", err)
} }
cfg.TLSClientConfig.KeyData = key
cfg.TLSClientConfig.CertData = cert
default:
return nil, errors.New("no auth provider given")
} }
if c.store.Server.URL == "" { return cfg, nil
return nil, errors.New("no server URL provided")
}
return &rest.Config{
Host: c.store.Server.URL,
BearerToken: string(token),
TLSClientConfig: rest.TLSClientConfig{
Insecure: false,
CertData: cert,
KeyData: key,
CAData: ca,
},
}, nil
} }
func (c *Client) getClientKeyAndCert(ctx context.Context) ([]byte, []byte, error) { func (c *Client) getClientKeyAndCert(ctx context.Context) ([]byte, []byte, error) {
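Review bot: The switch in the second hunk makes the auth methods mutually exclusive, so a store that sets both Auth.Token and Auth.Cert now silently drops the client certificate (Token wins, then ServiceAccount, then Cert), whereas the replaced code put both the bearer token and the client key/cert into the rest.Config. An operator relying on mTLS in addition to a token gets no error for that, and the TestSetAuth hunks remove the only case that had both configured, so nothing pins the precedence. Either document it on getAuth, `// Exactly one auth method is applied, in the order Token, ServiceAccount, Cert; any other configured method is ignored.`, or, in line with the "fail when nothing is given" intent, return an error when more than one method is set so the configuration is rejected rather than partially honoured. getAuth begins before the first hunk, and the kubeconfig branch at the top of the function is outside this view.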


@ -250,14 +250,6 @@ func TestSetAuth(t *testing.T) {
"cert": []byte("my-cert"), "cert": []byte("my-cert"),
"key": []byte("my-key"), "key": []byte("my-key"),
}, },
}, &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "foobar",
Namespace: "default",
},
Data: map[string][]byte{
"token": []byte("mytoken"),
},
}).Build(), }).Build(),
store: &esv1beta1.KubernetesProvider{ store: &esv1beta1.KubernetesProvider{
Server: esv1beta1.KubernetesServer{ Server: esv1beta1.KubernetesServer{
@ -265,13 +257,6 @@ func TestSetAuth(t *testing.T) {
CABundle: []byte(caCert), CABundle: []byte(caCert),
}, },
Auth: esv1beta1.KubernetesAuth{ Auth: esv1beta1.KubernetesAuth{
Token: &esv1beta1.TokenAuth{
BearerToken: v1.SecretKeySelector{
Name: "foobar",
Namespace: pointer.To("shouldnotberelevant"),
Key: "token",
},
},
Cert: &esv1beta1.CertAuth{ Cert: &esv1beta1.CertAuth{
ClientCert: v1.SecretKeySelector{ ClientCert: v1.SecretKeySelector{
Name: "mycert", Name: "mycert",
@ -286,8 +271,7 @@ func TestSetAuth(t *testing.T) {
}, },
}, },
want: &want{ want: &want{
Host: "https://my.test.tld", Host: "https://my.test.tld",
BearerToken: "mytoken",
TLSClientConfig: rest.TLSClientConfig{ TLSClientConfig: rest.TLSClientConfig{
CAData: []byte(caCert), CAData: []byte(caCert),
CertData: []byte("my-cert"), CertData: []byte("my-cert"),