|
|
@@ -62,91 +62,93 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
|
|
|
if vaultProvider == nil {
|
|
|
return nil, errors.New(errInvalidVaultProv)
|
|
|
}
|
|
|
- if vaultProvider.Auth.AppRole != nil {
|
|
|
- // check SecretRef for valid configuration
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.AppRole.SecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidAppRoleSec, err)
|
|
|
- }
|
|
|
+ if vaultProvider.Auth != nil {
|
|
|
+ if vaultProvider.Auth.AppRole != nil {
|
|
|
+ // check SecretRef for valid configuration
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.AppRole.SecretRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidAppRoleSec, err)
|
|
|
+ }
|
|
|
|
|
|
- // prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
|
|
|
- if vaultProvider.Auth.AppRole.RoleID == "" { // prevents further RoleID tests if .auth.appRole.roleId is given
|
|
|
- if vaultProvider.Auth.AppRole.RoleRef != nil { // check RoleRef for valid configuration
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.AppRole.RoleRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidAppRoleRef, err)
|
|
|
+ // prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
|
|
|
+ if vaultProvider.Auth.AppRole.RoleID == "" { // prevents further RoleID tests if .auth.appRole.roleId is given
|
|
|
+ if vaultProvider.Auth.AppRole.RoleRef != nil { // check RoleRef for valid configuration
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.AppRole.RoleRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidAppRoleRef, err)
|
|
|
+ }
|
|
|
+ } else { // we ran out of ways to get RoleID. return an appropriate error
|
|
|
+ return nil, errors.New(errInvalidAppRoleID)
|
|
|
}
|
|
|
- } else { // we ran out of ways to get RoleID. return an appropriate error
|
|
|
- return nil, errors.New(errInvalidAppRoleID)
|
|
|
}
|
|
|
}
|
|
|
- }
|
|
|
- if vaultProvider.Auth.Cert != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.ClientCert); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidClientCert, err)
|
|
|
- }
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.SecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidCertSec, err)
|
|
|
- }
|
|
|
- }
|
|
|
- if vaultProvider.Auth.Jwt != nil {
|
|
|
- if vaultProvider.Auth.Jwt.SecretRef != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Jwt.SecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidJwtSec, err)
|
|
|
+ if vaultProvider.Auth.Cert != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.ClientCert); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidClientCert, err)
|
|
|
}
|
|
|
- } else if vaultProvider.Auth.Jwt.KubernetesServiceAccountToken != nil {
|
|
|
- if err := utils.ValidateReferentServiceAccountSelector(store, vaultProvider.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidJwtK8sSA, err)
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.SecretRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidCertSec, err)
|
|
|
}
|
|
|
- } else {
|
|
|
- return nil, errors.New(errJwtNoTokenSource)
|
|
|
}
|
|
|
- }
|
|
|
- if vaultProvider.Auth.Kubernetes != nil {
|
|
|
- if vaultProvider.Auth.Kubernetes.ServiceAccountRef != nil {
|
|
|
- if err := utils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Kubernetes.ServiceAccountRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidKubeSA, err)
|
|
|
+ if vaultProvider.Auth.Jwt != nil {
|
|
|
+ if vaultProvider.Auth.Jwt.SecretRef != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Jwt.SecretRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidJwtSec, err)
|
|
|
+ }
|
|
|
+ } else if vaultProvider.Auth.Jwt.KubernetesServiceAccountToken != nil {
|
|
|
+ if err := utils.ValidateReferentServiceAccountSelector(store, vaultProvider.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidJwtK8sSA, err)
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ return nil, errors.New(errJwtNoTokenSource)
|
|
|
}
|
|
|
}
|
|
|
- if vaultProvider.Auth.Kubernetes.SecretRef != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Kubernetes.SecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidKubeSec, err)
|
|
|
+ if vaultProvider.Auth.Kubernetes != nil {
|
|
|
+ if vaultProvider.Auth.Kubernetes.ServiceAccountRef != nil {
|
|
|
+ if err := utils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Kubernetes.ServiceAccountRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidKubeSA, err)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if vaultProvider.Auth.Kubernetes.SecretRef != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Kubernetes.SecretRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidKubeSec, err)
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
- }
|
|
|
- if vaultProvider.Auth.Ldap != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Ldap.SecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidLdapSec, err)
|
|
|
- }
|
|
|
- }
|
|
|
- if vaultProvider.Auth.UserPass != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.UserPass.SecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidUserPassSec, err)
|
|
|
- }
|
|
|
- }
|
|
|
- if vaultProvider.Auth.TokenSecretRef != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.TokenSecretRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
+ if vaultProvider.Auth.Ldap != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Ldap.SecretRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidLdapSec, err)
|
|
|
+ }
|
|
|
}
|
|
|
- }
|
|
|
- if vaultProvider.Auth.Iam != nil {
|
|
|
- if vaultProvider.Auth.Iam.JWTAuth != nil {
|
|
|
- if vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef != nil {
|
|
|
- if err := utils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
- }
|
|
|
+ if vaultProvider.Auth.UserPass != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.UserPass.SecretRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidUserPassSec, err)
|
|
|
}
|
|
|
}
|
|
|
-
|
|
|
- if vaultProvider.Auth.Iam.SecretRef != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.AccessKeyID); err != nil {
|
|
|
+ if vaultProvider.Auth.TokenSecretRef != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.TokenSecretRef); err != nil {
|
|
|
return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
}
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.SecretAccessKey); err != nil {
|
|
|
- return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
+ }
|
|
|
+ if vaultProvider.Auth.Iam != nil {
|
|
|
+ if vaultProvider.Auth.Iam.JWTAuth != nil {
|
|
|
+ if vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef != nil {
|
|
|
+ if err := utils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
+ }
|
|
|
+ }
|
|
|
}
|
|
|
- if vaultProvider.Auth.Iam.SecretRef.SessionToken != nil {
|
|
|
- if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Iam.SecretRef.SessionToken); err != nil {
|
|
|
+
|
|
|
+ if vaultProvider.Auth.Iam.SecretRef != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.AccessKeyID); err != nil {
|
|
|
return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
}
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.SecretAccessKey); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
+ }
|
|
|
+ if vaultProvider.Auth.Iam.SecretRef.SessionToken != nil {
|
|
|
+ if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Iam.SecretRef.SessionToken); err != nil {
|
|
|
+ return nil, fmt.Errorf(errInvalidTokenRef, err)
|
|
|
+ }
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
}
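Review bot: The new `if vaultProvider.Auth != nil` guard at the top of the hunk silently accepts a store whose `auth` block is absent, so none of the referent-selector checks below run and a misconfigured or empty Vault auth section passes admission without comment. If a missing `auth` is a supported configuration (credentials supplied some other way), state that where the guard is, e.g. `// auth is optional: with no auth block there are no secret/service-account references to validate`; if it is not, return an explicit error at that point instead, e.g. `return nil, errors.New("vault provider auth configuration is required")`, so the failure is reported by the webhook rather than at first use. Separately, every failure in the `Iam` branch (the `JWTAuth.ServiceAccountRef`, `AccessKeyID`, `SecretAccessKey` and `SessionToken` checks) is wrapped with `errInvalidTokenRef`, which names the wrong field to the operator; dedicated error constants for the IAM references would make the rejection actionable. Note that `ValidateStore` begins before this hunk and its final return lies after it, so the behaviour for the `Auth == nil` path depends on code outside the hunk.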
|