Inicio Explorar Axuda
Iniciar sesión
logic855
/
helm-external-secrets
réplica de https://github.com/external-secrets/external-secrets
1
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

changing review strategy

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Gustavo Carvalho %!s(int64=4) %!d(string=hai) anos
pai
83b6bdf18d
achega
5bddd78265
Modificáronse 2 ficheiros con 31 adicións e 24 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 20 14
      pkg/provider/kubernetes/kubernetes.go
  2. 11 10
      pkg/provider/kubernetes/kubernetes_test.go

+ 20 - 14
pkg/provider/kubernetes/kubernetes.go
Ver ficheiro 

@@ -50,7 +50,7 @@ type KClient interface {
 
 }
 
 
 type RClient interface {
 
-	Create(ctx context.Context, SelfSubjectAccessReview *authv1.SelfSubjectAccessReview, opts metav1.CreateOptions) (*authv1.SelfSubjectAccessReview, error)
 
+	Create(ctx context.Context, selfSubjectRulesReview *authv1.SelfSubjectRulesReview, opts metav1.CreateOptions) (*authv1.SelfSubjectRulesReview, error)
 
 }
 
 
 // ProviderKubernetes is a provider for Kubernetes.
 
@@ -116,7 +116,7 @@ func (k *ProviderKubernetes) NewClient(ctx context.Context, store esv1beta1.Gene
 
 
 	k.Client = kubeClientSet.CoreV1().Secrets(bStore.store.RemoteNamespace)
 
 	k.Namespace = bStore.store.RemoteNamespace
 
-	k.ReviewClient = kubeClientSet.AuthorizationV1().SelfSubjectAccessReviews()
 
+	k.ReviewClient = kubeClientSet.AuthorizationV1().SelfSubjectRulesReviews()
 
 
 	return k, nil
 
 }
 
@@ -241,28 +241,34 @@ func (k *BaseClient) fetchSecretKey(ctx context.Context, key esmeta.SecretKeySel
 
 	return val, nil
 
 }
 
 
+func contains(sub string, args []string) bool {
 
+	for _, k := range args {
 
+		if k == sub {
 
+			return true
 
+		}
 
+	}
 
+	return false
 
+}
 
 func (k *ProviderKubernetes) Validate() (esv1beta1.ValidationResult, error) {
 
 	ctx := context.Background()
 
-
 
-	authReview, err := k.ReviewClient.Create(ctx, &authv1.SelfSubjectAccessReview{
 
-		Spec: authv1.SelfSubjectAccessReviewSpec{
 
-			ResourceAttributes: &authv1.ResourceAttributes{
 
-				Resource:  "secrets",
 
-				Namespace: k.Namespace,
 
-				Verb:      "get",
 
-			},
 
+	t := authv1.SelfSubjectRulesReview{
 
+		Spec: authv1.SelfSubjectRulesReviewSpec{
 
+			Namespace: k.Namespace,
 
 		},
 
-	}, metav1.CreateOptions{})
 
+	}
 
+	authReview, err := k.ReviewClient.Create(ctx, &t, metav1.CreateOptions{})
 
 
 	if err != nil {
 
 		return esv1beta1.ValidationResultUnknown, fmt.Errorf("could not verify if client is valid: %w", err)
 
 	}
 
 
-	if !authReview.Status.Allowed {
 
-		return esv1beta1.ValidationResultError, fmt.Errorf("client is not allowed to get secrets")
 
+	for _, rev := range authReview.Status.ResourceRules {
 
+		if contains("secrets", rev.Resources) && contains("get", rev.Verbs) {
 
+			return esv1beta1.ValidationResultReady, nil
 
+		}
 
 	}
 
 
-	return esv1beta1.ValidationResultReady, nil
 
+	return esv1beta1.ValidationResultError, fmt.Errorf("client is not allowed to get secrets")
 
 }
 
 
 func (k *ProviderKubernetes) ValidateStore(store esv1beta1.GenericStore) error {

+ 11 - 10
pkg/provider/kubernetes/kubernetes_test.go
Ver ficheiro 

@@ -51,10 +51,10 @@ func (fk fakeClient) Get(ctx context.Context, name string, opts metav1.GetOption
 
 }
 
 
 type fakeReviewClient struct {
 
-	authReview *authv1.SelfSubjectAccessReview
 
+	authReview *authv1.SelfSubjectRulesReview
 
 }
 
 
-func (fk fakeReviewClient) Create(ctx context.Context, selfSubjectAccessReview *authv1.SelfSubjectAccessReview, opts metav1.CreateOptions) (*authv1.SelfSubjectAccessReview, error) {
 
+func (fk fakeReviewClient) Create(ctx context.Context, selfSubjectAccessReview *authv1.SelfSubjectRulesReview, opts metav1.CreateOptions) (*authv1.SelfSubjectRulesReview, error) {
 
 	if fk.authReview == nil {
 
 		return nil, errors.New(errSomethingWentWrong)
 
 	}
 
@@ -366,9 +366,14 @@ func ErrorContains(out error, want string) bool {
 
 }
 
 
 func TestValidate(t *testing.T) {
 
-	authReview := authv1.SelfSubjectAccessReview{
 
-		Status: authv1.SubjectAccessReviewStatus{
 
-			Allowed: true,
 
+	authReview := authv1.SelfSubjectRulesReview{
 
+		Status: authv1.SubjectRulesReviewStatus{
 
+			ResourceRules: []authv1.ResourceRule{
 
+				{
 
+					Verbs:     []string{"get"},
 
+					Resources: []string{"secrets"},
 
+				},
 
+			},
 
 		},
 
 	}
 
 	fakeClient := fakeReviewClient{authReview: &authReview}
 
@@ -381,11 +386,7 @@ func TestValidate(t *testing.T) {
 
 		t.Errorf("Test Failed! Wanted could not indicate validationResult is %s, got: %s", esv1beta1.ValidationResultReady, validationResult)
 
 	}
 
 
-	authReview = authv1.SelfSubjectAccessReview{
 
-		Status: authv1.SubjectAccessReviewStatus{
 
-			Allowed: false,
 
-		},
 
-	}
 
+	authReview = authv1.SelfSubjectRulesReview{}
 
 	fakeClient = fakeReviewClient{authReview: &authReview}
 
 	k = ProviderKubernetes{ReviewClient: fakeClient}
 
 	validationResult, err = k.Validate()