
Feat/add validations to external secret data from remote ref (#3390)

* Feat: adds validations to ExternalSecretDataFromRemoteRef

Signed-off-by: Lucas Pimentel <luk.2001@hotmail.com>

* Feat: adds test cases to new validations on externalSecretDataFromRemoteRef

Signed-off-by: Lucas Pimentel <luk.2001@hotmail.com>

* Fix dataFrom validations and error messages

Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>

---------

Signed-off-by: Lucas Pimentel <luk.2001@hotmail.com>
Signed-off-by: shuheiktgw <s-kitagawa@mercari.com>
Co-authored-by: Lucas Pimentel <luk.2001@hotmail.com>
Shuhei Kitagawa 2 years ago
parent
commit
4afec743d8

+ 11 - 3
apis/externalsecrets/v1beta1/externalsecret_validator.go

@@ -58,9 +58,17 @@ func validateExternalSecret(obj runtime.Object) (admission.Warnings, error) {
 	}
 
 	for _, ref := range es.Spec.DataFrom {
-		findOrExtract := ref.Find != nil || ref.Extract != nil
-		if findOrExtract && ref.SourceRef != nil && ref.SourceRef.GeneratorRef != nil {
-			errs = errors.Join(errs, fmt.Errorf("generator can not be used with find or extract"))
+		generatorRef := ref.SourceRef != nil && ref.SourceRef.GeneratorRef != nil
+		if (ref.Find != nil && (ref.Extract != nil || generatorRef)) || (ref.Extract != nil && (ref.Find != nil || generatorRef)) || (generatorRef && (ref.Find != nil || ref.Extract != nil)) {
+			errs = errors.Join(errs, fmt.Errorf("extract, find, or generatorRef cannot be set at the same time"))
+		}
+
+		if ref.Find == nil && ref.Extract == nil && ref.SourceRef == nil {
+			errs = errors.Join(errs, fmt.Errorf("either extract, find, or sourceRef must be set to dataFrom"))
+		}
+
+		if ref.SourceRef != nil && ref.SourceRef.GeneratorRef == nil && ref.SourceRef.SecretStoreRef == nil {
+			errs = errors.Join(errs, fmt.Errorf("generatorRef or storeRef must be set when using sourceRef in dataFrom"))
 		}
 	}
 
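Review bot: A `dataFrom` entry whose `sourceRef` sets only `SecretStoreRef`, with neither `find` nor `extract`, passes all three new checks: the second is skipped because `ref.SourceRef != nil`, and the third because `SecretStoreRef` is non-nil. If such an entry is meant to be invalid, as the new error messages suggest, the webhook admits an object with nothing to fetch; a fourth check such as `if ref.SourceRef != nil && ref.SourceRef.SecretStoreRef != nil && ref.Find == nil && ref.Extract == nil {` would close that gap. A `sourceRef` with both `GeneratorRef` and `SecretStoreRef` set is likewise not rejected here, unless the CRD schema already forbids it. As a style point, the first condition repeats each pair three times; `(ref.Find != nil && ref.Extract != nil) || (generatorRef && (ref.Find != nil || ref.Extract != nil))` is equivalent and easier to audit. `validateExternalSecret` begins and ends outside this hunk.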

+ 45 - 3
apis/externalsecrets/v1beta1/externalsecret_validator_test.go

@@ -69,6 +69,20 @@ func TestValidateExternalSecret(t *testing.T) {
 			expectedErr: "either data or dataFrom should be specified",
 		},
 		{
+			name: "find with extract",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							Find:    &ExternalSecretFind{},
+							Extract: &ExternalSecretDataRemoteRef{},
+						},
+					},
+				},
+			},
+			expectedErr: "extract, find, or generatorRef cannot be set at the same time",
+		},
+		{
 			name: "generator with find",
 			obj: &ExternalSecret{
 				Spec: ExternalSecretSpec{
@@ -82,7 +96,7 @@ func TestValidateExternalSecret(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: "generator can not be used with find or extract",
+			expectedErr: "extract, find, or generatorRef cannot be set at the same time",
 		},
 		{
 			name: "generator with extract",
@@ -98,7 +112,31 @@ func TestValidateExternalSecret(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: "generator can not be used with find or extract",
+			expectedErr: "extract, find, or generatorRef cannot be set at the same time",
+		},
+		{
+			name: "empty dataFrom",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{},
+					},
+				},
+			},
+			expectedErr: "either extract, find, or sourceRef must be set to dataFrom",
+		},
+		{
+			name: "empty sourceRef",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							SourceRef: &StoreGeneratorSourceRef{},
+						},
+					},
+				},
+			},
+			expectedErr: "generatorRef or storeRef must be set when using sourceRef in dataFrom",
 		},
 		{
 			name: "multiple errors",
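Review bot: Every table entry added in these test hunks is a rejection case, so nothing visible here pins the inputs that the tightened validator must still accept. An entry with `SourceRef: &StoreGeneratorSourceRef{SecretStoreRef: ...}` together with `Extract`, and one with only `GeneratorRef`, each with an empty `expectedErr`, would catch a later change that over-rejects valid `dataFrom` entries. A case with `Find`, `Extract` and `GeneratorRef` all set would also confirm that the combined condition reports the conflict only once. The rest of the test table is outside these hunks, so such cases may already exist there.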
@@ -118,7 +156,11 @@ either data or dataFrom should be specified`,
 			obj: &ExternalSecret{
 				Spec: ExternalSecretSpec{
 					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{},
+						{
+							SourceRef: &StoreGeneratorSourceRef{
+								GeneratorRef: &GeneratorRef{},
+							},
+						},
 					},
 				},
 			},