
Merge pull request #445 from external-secrets/fix/aws-provider-panic

Fixing panic due to no Namespace on ServiceAccountRef
paul-the-alien[bot] 4 years ago
parent
commit
91140d0d83
2 changed files with 46 additions and 2 deletions
  1. 3 0
      pkg/provider/aws/auth/auth.go
  2. 43 2
      pkg/provider/aws/auth/auth_test.go

+ 3 - 0
pkg/provider/aws/auth/auth.go

@@ -160,6 +160,9 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
 
 func sessionFromServiceAccount(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
 	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+		if prov.Auth.JWTAuth.ServiceAccountRef.Namespace == nil {
+			return nil, fmt.Errorf("serviceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)")
+		}
 		namespace = *prov.Auth.JWTAuth.ServiceAccountRef.Namespace
 	}
 	name := prov.Auth.JWTAuth.ServiceAccountRef.Name
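Review bot: The new guard on the added lines rejects only a nil Namespace pointer; a pointer to an empty string (`namespace: ""` in the spec) passes it, so the assignment on the next line leaves `namespace` empty and the ServiceAccount lookup proceeds without a namespace instead of failing with this clear message. Widening the check to `if ns := prov.Auth.JWTAuth.ServiceAccountRef.Namespace; ns == nil || *ns == ""` closes that gap at no cost, since a cluster-scoped store has no namespace of its own to fall back on. The error string contains no format verbs, so `errors.New(...)` is the conventional call if the file already imports `errors`. sessionFromServiceAccount's body continues past the hunk, and whether `JWTAuth` and `ServiceAccountRef` are guaranteed non-nil before this point is not visible here.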

+ 43 - 2
pkg/provider/aws/auth/auth_test.go

@@ -39,6 +39,7 @@ import (
 
 const (
 	myServiceAcc = "my-service-account"
+	myRole       = "my-sa-role"
 	otherNs      = "other-ns"
 )
 
@@ -351,14 +352,14 @@ func TestNewSession(t *testing.T) {
 					Name:      myServiceAcc,
 					Namespace: otherNs,
 					Annotations: map[string]string{
-						roleARNAnnotation: "my-sa-role",
+						roleARNAnnotation: myRole,
 					},
 				},
 			},
 			jwtProvider: func(name, namespace, roleArn, region string) (credentials.Provider, error) {
 				assert.Equal(t, myServiceAcc, name)
 				assert.Equal(t, otherNs, namespace)
-				assert.Equal(t, "my-sa-role", roleArn)
+				assert.Equal(t, myRole, roleArn)
 				return fakesess.CredentialsProvider{
 					RetrieveFunc: func() (credentials.Value, error) {
 						return credentials.Value{
@@ -395,6 +396,46 @@ func TestNewSession(t *testing.T) {
 			expectedKeyID:     "3333",
 			expectedSecretKey: "4444",
 		},
+		{
+			name: "should not accept ServiceAccountRefs with nil Namespace",
+			sa: &v1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      myServiceAcc,
+					Namespace: otherNs,
+					Annotations: map[string]string{
+						roleARNAnnotation: myRole,
+					},
+				},
+			},
+			jwtProvider: func(name, namespace, roleArn, region string) (credentials.Provider, error) {
+				return fakesess.CredentialsProvider{
+					RetrieveFunc: func() (credentials.Value, error) {
+						return credentials.Value{}, nil
+					},
+					IsExpiredFunc: func() bool { return false },
+				}, nil
+			},
+			store: &esv1alpha1.ClusterSecretStore{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1alpha1.ClusterSecretStoreKind,
+				},
+				Spec: esv1alpha1.SecretStoreSpec{
+					Provider: &esv1alpha1.SecretStoreProvider{
+						AWS: &esv1alpha1.AWSProvider{
+							Auth: esv1alpha1.AWSAuth{
+								JWTAuth: &esv1alpha1.AWSJWTAuth{
+									ServiceAccountRef: &esmeta.ServiceAccountSelector{
+										Name: myServiceAcc,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectErr: "serviceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)",
+		},
 	}
 	for i := range rows {
 		row := rows[i]
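Review bot: The new "nil Namespace" case supplies a jwtProvider that returns a working fake credentials provider, so if the guard were ever removed the case would fail only indirectly through the missing expected error; making the callback itself fail, e.g. `t.Fatalf("jwtProvider must not be called when ServiceAccountRef.Namespace is nil")` before the return, states the invariant the test is protecting. The case also does not cover a non-nil but empty Namespace, which the guard under test treats as valid; a sibling row with `Namespace: &emptyNs` (or a pointer to `""`) would pin down whichever behavior is intended for that input. The table continues past this hunk into the range loop.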