fix cert auth without token fixed #3926 (#3952)

* fix cert auth without token fixed #3926

Signed-off-by: kaedwen <kaedwen@heinrich.blue>

* refactor auth preapre, fail when nothing is given

Signed-off-by: kaedwen <kaedwen@heinrich.blue>

---------

Signed-off-by: kaedwen <kaedwen@heinrich.blue>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

pkg/provider/kubernetes/auth.go

@@ -44,6 +44,14 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
 		return clientcmd.RESTConfigFromKubeConfig(cfg)
 	}
 
+	if c.store.Server.URL == "" {
+		return nil, errors.New("no server URL provided")
+	}
+
+	cfg := &rest.Config{
+		Host: c.store.Server.URL,
+	}
+
 	ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
 		CABundle:   c.store.Server.CABundle,
 		CAProvider: c.store.Server.CAProvider,
@@ -55,43 +63,39 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
 		return nil, err
 	}
 
-	var token []byte
-	if c.store.Auth.Token != nil {
-		token, err = c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken)
+	cfg.TLSClientConfig = rest.TLSClientConfig{
+		Insecure: false,
+		CAData:   ca,
+	}
+
+	switch {
+	case c.store.Auth.Token != nil:
+		token, err := c.fetchSecretKey(ctx, c.store.Auth.Token.BearerToken)
 		if err != nil {
 			return nil, fmt.Errorf("could not fetch Auth.Token.BearerToken: %w", err)
 		}
-	} else if c.store.Auth.ServiceAccount != nil {
-		token, err = c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount)
+
+		cfg.BearerToken = string(token)
+	case c.store.Auth.ServiceAccount != nil:
+		token, err := c.serviceAccountToken(ctx, c.store.Auth.ServiceAccount)
 		if err != nil {
 			return nil, fmt.Errorf("could not fetch Auth.ServiceAccount: %w", err)
 		}
-	} else {
-		return nil, errors.New("no auth provider given")
-	}
 
-	var key, cert []byte
-	if c.store.Auth.Cert != nil {
-		key, cert, err = c.getClientKeyAndCert(ctx)
+		cfg.BearerToken = string(token)
+	case c.store.Auth.Cert != nil:
+		key, cert, err := c.getClientKeyAndCert(ctx)
 		if err != nil {
 			return nil, fmt.Errorf("could not fetch client key and cert: %w", err)
 		}
+
+		cfg.TLSClientConfig.KeyData = key
+		cfg.TLSClientConfig.CertData = cert
+	default:
+		return nil, errors.New("no auth provider given")
 	}
 
-	if c.store.Server.URL == "" {
-		return nil, errors.New("no server URL provided")
-	}
-
-	return &rest.Config{
-		Host:        c.store.Server.URL,
-		BearerToken: string(token),
-		TLSClientConfig: rest.TLSClientConfig{
-			Insecure: false,
-			CertData: cert,
-			KeyData:  key,
-			CAData:   ca,
-		},
-	}, nil
+	return cfg, nil
 }
 
 func (c *Client) getClientKeyAndCert(ctx context.Context) ([]byte, []byte, error) {

pkg/provider/kubernetes/auth_test.go

@@ -250,14 +250,6 @@ func TestSetAuth(t *testing.T) {
 						"cert": []byte("my-cert"),
 						"key":  []byte("my-key"),
 					},
-				}, &corev1.Secret{
-					ObjectMeta: metav1.ObjectMeta{
-						Name:      "foobar",
-						Namespace: "default",
-					},
-					Data: map[string][]byte{
-						"token": []byte("mytoken"),
-					},
 				}).Build(),
 				store: &esv1beta1.KubernetesProvider{
 					Server: esv1beta1.KubernetesServer{
@@ -265,13 +257,6 @@ func TestSetAuth(t *testing.T) {
 						CABundle: []byte(caCert),
 					},
 					Auth: esv1beta1.KubernetesAuth{
-						Token: &esv1beta1.TokenAuth{
-							BearerToken: v1.SecretKeySelector{
-								Name:      "foobar",
-								Namespace: pointer.To("shouldnotberelevant"),
-								Key:       "token",
-							},
-						},
 						Cert: &esv1beta1.CertAuth{
 							ClientCert: v1.SecretKeySelector{
 								Name: "mycert",
@@ -286,8 +271,7 @@ func TestSetAuth(t *testing.T) {
 				},
 			},
 			want: &want{
-				Host:        "https://my.test.tld",
-				BearerToken: "mytoken",
+				Host: "https://my.test.tld",
 				TLSClientConfig: rest.TLSClientConfig{
 					CAData:   []byte(caCert),
 					CertData: []byte("my-cert"),