Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

fix(provider/kubernetes): make auth field optional (#5064)

Signed-off-by: Martin Hrabovcin <martin.hrabovcin@nutanix.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Martin Hrabovcin 8 months ago
parent
2cd7ed4d35
commit
8e953c750f
9 changed files with 36 additions and 24 deletions
Unified View Show Diff Stats
  1. 1 1
      apis/externalsecrets/v1/secretstore_kubernetes_types.go
  2. 5 1
      apis/externalsecrets/v1/zz_generated.deepcopy.go
  3. 1 1
      e2e/suites/provider/cases/kubernetes/provider.go
  4. 4 0
      pkg/provider/kubernetes/auth.go
  5. 6 6
      pkg/provider/kubernetes/auth_test.go
  6. 4 0
      pkg/provider/kubernetes/provider.go
  7. 3 3
      pkg/provider/kubernetes/provider_test.go
  8. 3 3
      pkg/provider/kubernetes/validate.go
  9. 9 9
      pkg/provider/kubernetes/validate_test.go

+ 1 - 1
apis/externalsecrets/v1/secretstore_kubernetes_types.go
View File 

@@ -42,7 +42,7 @@ type KubernetesProvider struct {
 
 
 
 	// Auth configures how secret-manager authenticates with a Kubernetes instance.
 
 	// Auth configures how secret-manager authenticates with a Kubernetes instance.
 
 	// +optional
 
 	// +optional
 
-	Auth KubernetesAuth `json:"auth"`
 
+	Auth *KubernetesAuth `json:"auth,omitempty"`
 
 
 
 	// A reference to a secret that contains the auth information.
 
 	// A reference to a secret that contains the auth information.
 
 	// +optional
 
 	// +optional

+ 5 - 1
apis/externalsecrets/v1/zz_generated.deepcopy.go
View File 

@@ -2247,7 +2247,11 @@ func (in *KubernetesAuthCredentials) DeepCopy() *KubernetesAuthCredentials {
 
 func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
 
 func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
 
 	*out = *in
 
 	*out = *in
 
 	in.Server.DeepCopyInto(&out.Server)
 
 	in.Server.DeepCopyInto(&out.Server)
 
-	in.Auth.DeepCopyInto(&out.Auth)
 
+	if in.Auth != nil {
 
+		in, out := &in.Auth, &out.Auth
 
+		*out = new(KubernetesAuth)
 
+		(*in).DeepCopyInto(*out)
 
+	}
 
 	if in.AuthRef != nil {
 
 	if in.AuthRef != nil {
 
 		in, out := &in.AuthRef, &out.AuthRef
 
 		in, out := &in.AuthRef, &out.AuthRef
 
 		*out = new(apismetav1.SecretKeySelector)
 
 		*out = new(apismetav1.SecretKeySelector)

+ 1 - 1
e2e/suites/provider/cases/kubernetes/provider.go
View File 

@@ -137,7 +137,7 @@ func makeDefaultStore(suffix, namespace string) (*rbac.Role, *rbac.RoleBinding,
 
 							Key:  "ca.crt",
 
 							Key:  "ca.crt",
 
 						},
 
 						},
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						ServiceAccount: &esmeta.ServiceAccountSelector{
 
 						ServiceAccount: &esmeta.ServiceAccountSelector{
 
 							Name: "default",
 
 							Name: "default",
 
 						},
 
 						},

+ 4 - 0
pkg/provider/kubernetes/auth.go
View File 

@@ -44,6 +44,10 @@ func (c *Client) getAuth(ctx context.Context) (*rest.Config, error) {
 
 		return clientcmd.RESTConfigFromKubeConfig(cfg)
 
 		return clientcmd.RESTConfigFromKubeConfig(cfg)
 
 	}
 
 	}
 
 
 
+	if c.store.Auth == nil {
 
+		return nil, errors.New("no auth provider given")
 
+	}
 
+
 
 	if c.store.Server.URL == "" {
 
 	if c.store.Server.URL == "" {
 
 		return nil, errors.New("no server URL provided")
 
 		return nil, errors.New("no server URL provided")
 
 	}
 
 	}

+ 6 - 6
pkg/provider/kubernetes/auth_test.go
View File 

@@ -130,7 +130,7 @@ func TestSetAuth(t *testing.T) {
 
 							Key:  "cert",
 
 							Key:  "cert",
 
 						},
 
 						},
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						Token: &esv1.TokenAuth{
 
 						Token: &esv1.TokenAuth{
 
 							BearerToken: v1.SecretKeySelector{
 
 							BearerToken: v1.SecretKeySelector{
 
 								Name:      "foobar",
 
 								Name:      "foobar",
 
@@ -180,7 +180,7 @@ func TestSetAuth(t *testing.T) {
 
 							Key:  "cert",
 
 							Key:  "cert",
 
 						},
 
 						},
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						Token: &esv1.TokenAuth{
 
 						Token: &esv1.TokenAuth{
 
 							BearerToken: v1.SecretKeySelector{
 
 							BearerToken: v1.SecretKeySelector{
 
 								Name:      "foobar",
 
 								Name:      "foobar",
 
@@ -218,7 +218,7 @@ func TestSetAuth(t *testing.T) {
 
 						URL:      serverURL,
 
 						URL:      serverURL,
 
 						CABundle: []byte(caCert),
 
 						CABundle: []byte(caCert),
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						Token: &esv1.TokenAuth{
 
 						Token: &esv1.TokenAuth{
 
 							BearerToken: v1.SecretKeySelector{
 
 							BearerToken: v1.SecretKeySelector{
 
 								Name:      "foobar",
 
 								Name:      "foobar",
 
@@ -257,7 +257,7 @@ func TestSetAuth(t *testing.T) {
 
 						URL:      serverURL,
 
 						URL:      serverURL,
 
 						CABundle: []byte(caCert),
 
 						CABundle: []byte(caCert),
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						Cert: &esv1.CertAuth{
 
 						Cert: &esv1.CertAuth{
 
 							ClientCert: v1.SecretKeySelector{
 
 							ClientCert: v1.SecretKeySelector{
 
 								Name: "mycert",
 
 								Name: "mycert",
 
@@ -297,7 +297,7 @@ func TestSetAuth(t *testing.T) {
 
 						URL:      serverURL,
 
 						URL:      serverURL,
 
 						CABundle: []byte(caCert),
 
 						CABundle: []byte(caCert),
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						ServiceAccount: &v1.ServiceAccountSelector{
 
 						ServiceAccount: &v1.ServiceAccountSelector{
 
 							Name:      "my-sa",
 
 							Name:      "my-sa",
 
 							Namespace: pointer.To("shouldnotberelevant"),
 
 							Namespace: pointer.To("shouldnotberelevant"),
 
@@ -329,7 +329,7 @@ func TestSetAuth(t *testing.T) {
 
 					Server: esv1.KubernetesServer{
 
 					Server: esv1.KubernetesServer{
 
 						CABundle: []byte(caCert),
 
 						CABundle: []byte(caCert),
 
 					},
 
 					},
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						ServiceAccount: &v1.ServiceAccountSelector{
 
 						ServiceAccount: &v1.ServiceAccountSelector{
 
 							Name:      "my-sa",
 
 							Name:      "my-sa",
 
 							Namespace: pointer.To("shouldnotberelevant"),
 
 							Namespace: pointer.To("shouldnotberelevant"),

+ 4 - 0
pkg/provider/kubernetes/provider.go
View File 

@@ -142,6 +142,10 @@ func (p *Provider) newClient(ctx context.Context, store esv1.GenericStore, ctrlC
 
 }
 
 }
 
 
 
 func isReferentSpec(prov *esv1.KubernetesProvider) bool {
 
 func isReferentSpec(prov *esv1.KubernetesProvider) bool {
 
+	if prov.Auth == nil {
 
+		return false
 
+	}
 
+
 
 	if prov.Auth.Cert != nil {
 
 	if prov.Auth.Cert != nil {
 
 		if prov.Auth.Cert.ClientCert.Namespace == nil {
 
 		if prov.Auth.Cert.ClientCert.Namespace == nil {
 
 			return true
 
 			return true

+ 3 - 3
pkg/provider/kubernetes/provider_test.go
View File 

@@ -155,7 +155,7 @@ func TestNewClient(t *testing.T) {
 
 									URL:      "https://my.test.tld",
 
 									URL:      "https://my.test.tld",
 
 									CABundle: []byte(testCertificate),
 
 									CABundle: []byte(testCertificate),
 
 								},
 
 								},
 
-								Auth: esv1.KubernetesAuth{
 
+								Auth: &esv1.KubernetesAuth{
 
 									Token: &esv1.TokenAuth{
 
 									Token: &esv1.TokenAuth{
 
 										BearerToken: v1.SecretKeySelector{
 
 										BearerToken: v1.SecretKeySelector{
 
 											Name: "foo",
 
 											Name: "foo",
 
@@ -189,7 +189,7 @@ func TestNewClient(t *testing.T) {
 
 									CABundle: []byte(testCertificate),
 
 									CABundle: []byte(testCertificate),
 
 								},
 
 								},
 
 								RemoteNamespace: "remote",
 
 								RemoteNamespace: "remote",
 
-								Auth: esv1.KubernetesAuth{
 
+								Auth: &esv1.KubernetesAuth{
 
 									Token: &esv1.TokenAuth{
 
 									Token: &esv1.TokenAuth{
 
 										BearerToken: v1.SecretKeySelector{
 
 										BearerToken: v1.SecretKeySelector{
 
 											Name:      "foo",
 
 											Name:      "foo",
 
@@ -224,7 +224,7 @@ func TestNewClient(t *testing.T) {
 
 									CABundle: []byte(testCertificate),
 
 									CABundle: []byte(testCertificate),
 
 								},
 
 								},
 
 								RemoteNamespace: "remote",
 
 								RemoteNamespace: "remote",
 
-								Auth: esv1.KubernetesAuth{
 
+								Auth: &esv1.KubernetesAuth{
 
 									Token: &esv1.TokenAuth{
 
 									Token: &esv1.TokenAuth{
 
 										BearerToken: v1.SecretKeySelector{
 
 										BearerToken: v1.SecretKeySelector{
 
 											Name:      "foo",
 
 											Name:      "foo",

+ 3 - 3
pkg/provider/kubernetes/validate.go
View File 

@@ -46,7 +46,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 		k8sSpec.Server.CAProvider.Namespace != nil {
 
 		k8sSpec.Server.CAProvider.Namespace != nil {
 
 		return nil, errors.New("CAProvider.namespace must be empty with SecretStore")
 
 		return nil, errors.New("CAProvider.namespace must be empty with SecretStore")
 
 	}
 
 	}
 
-	if k8sSpec.Auth.Cert != nil {
 
+	if k8sSpec.Auth != nil && k8sSpec.Auth.Cert != nil {
 
 		if k8sSpec.Auth.Cert.ClientCert.Name == "" {
 
 		if k8sSpec.Auth.Cert.ClientCert.Name == "" {
 
 			return nil, errors.New("ClientCert.Name cannot be empty")
 
 			return nil, errors.New("ClientCert.Name cannot be empty")
 
 		}
 
 		}
 
@@ -57,7 +57,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 			return nil, err
 
 			return nil, err
 
 		}
 
 		}
 
 	}
 
 	}
 
-	if k8sSpec.Auth.Token != nil {
 
+	if k8sSpec.Auth != nil && k8sSpec.Auth.Token != nil {
 
 		if k8sSpec.Auth.Token.BearerToken.Name == "" {
 
 		if k8sSpec.Auth.Token.BearerToken.Name == "" {
 
 			return nil, errors.New("BearerToken.Name cannot be empty")
 
 			return nil, errors.New("BearerToken.Name cannot be empty")
 
 		}
 
 		}
 
@@ -68,7 +68,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 
 			return nil, err
 
 			return nil, err
 
 		}
 
 		}
 
 	}
 
 	}
 
-	if k8sSpec.Auth.ServiceAccount != nil {
 
+	if k8sSpec.Auth != nil && k8sSpec.Auth.ServiceAccount != nil {
 
 		if err := utils.ValidateReferentServiceAccountSelector(store, *k8sSpec.Auth.ServiceAccount); err != nil {
 
 		if err := utils.ValidateReferentServiceAccountSelector(store, *k8sSpec.Auth.ServiceAccount); err != nil {
 
 			return nil, err
 
 			return nil, err
 
 		}
 
 		}

+ 9 - 9
pkg/provider/kubernetes/validate_test.go
View File 

@@ -83,7 +83,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								Cert: &esv1.CertAuth{
 
 								Cert: &esv1.CertAuth{
 
 									ClientCert: v1.SecretKeySelector{
 
 									ClientCert: v1.SecretKeySelector{
 
 										Name: "",
 
 										Name: "",
 
@@ -146,7 +146,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								Cert: &esv1.CertAuth{
 
 								Cert: &esv1.CertAuth{
 
 									ClientCert: v1.SecretKeySelector{
 
 									ClientCert: v1.SecretKeySelector{
 
 										Name: "foobar",
 
 										Name: "foobar",
 
@@ -169,7 +169,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								Cert: &esv1.CertAuth{
 
 								Cert: &esv1.CertAuth{
 
 									ClientCert: v1.SecretKeySelector{
 
 									ClientCert: v1.SecretKeySelector{
 
 										Name:      "foobar",
 
 										Name:      "foobar",
 
@@ -193,7 +193,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								Token: &esv1.TokenAuth{
 
 								Token: &esv1.TokenAuth{
 
 									BearerToken: v1.SecretKeySelector{
 
 									BearerToken: v1.SecretKeySelector{
 
 										Name: "",
 
 										Name: "",
 
@@ -215,7 +215,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								Token: &esv1.TokenAuth{
 
 								Token: &esv1.TokenAuth{
 
 									BearerToken: v1.SecretKeySelector{
 
 									BearerToken: v1.SecretKeySelector{
 
 										Name: "foobar",
 
 										Name: "foobar",
 
@@ -238,7 +238,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								Token: &esv1.TokenAuth{
 
 								Token: &esv1.TokenAuth{
 
 									BearerToken: v1.SecretKeySelector{
 
 									BearerToken: v1.SecretKeySelector{
 
 										Name:      "foobar",
 
 										Name:      "foobar",
 
@@ -262,7 +262,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								ServiceAccount: &v1.ServiceAccountSelector{
 
 								ServiceAccount: &v1.ServiceAccountSelector{
 
 									Name:      "foobar",
 
 									Name:      "foobar",
 
 									Namespace: pointer.To("foobar"),
 
 									Namespace: pointer.To("foobar"),
 
@@ -283,7 +283,7 @@ func TestValidateStore(t *testing.T) {
 
 							Server: esv1.KubernetesServer{
 
 							Server: esv1.KubernetesServer{
 
 								CABundle: []byte("1234"),
 
 								CABundle: []byte("1234"),
 
 							},
 
 							},
 
-							Auth: esv1.KubernetesAuth{
 
+							Auth: &esv1.KubernetesAuth{
 
 								ServiceAccount: &v1.ServiceAccountSelector{
 
 								ServiceAccount: &v1.ServiceAccountSelector{
 
 									Name: "foobar",
 
 									Name: "foobar",
 
 								},
 
 								},
 
@@ -367,7 +367,7 @@ func TestValidate(t *testing.T) {
 
 			fields: fields{
 
 			fields: fields{
 
 				storeKind: esv1.ClusterSecretStoreKind,
 
 				storeKind: esv1.ClusterSecretStoreKind,
 
 				store: &esv1.KubernetesProvider{
 
 				store: &esv1.KubernetesProvider{
 
-					Auth: esv1.KubernetesAuth{
 
+					Auth: &esv1.KubernetesAuth{
 
 						ServiceAccount: &v1.ServiceAccountSelector{
 
 						ServiceAccount: &v1.ServiceAccountSelector{
 
 							Name: "foobar",
 
 							Name: "foobar",
 
 						},
 
 						},