
Fixing panic due to no Namespace on ServiceAccountRef

Fixes #419

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Gustavo Carvalho 4 years ago
parent
commit
d022cc31ab
2 changed files with 51 additions and 0 deletions
  1. 3 0
      pkg/provider/aws/auth/auth.go
  2. 48 0
      pkg/provider/aws/auth/auth_test.go

+ 3 - 0
pkg/provider/aws/auth/auth.go

@@ -160,6 +160,9 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
 
 func sessionFromServiceAccount(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
 	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+		if prov.Auth.JWTAuth.ServiceAccountRef.Namespace == nil {
+			return nil, fmt.Errorf("ServiceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)")
+		}
 		namespace = *prov.Auth.JWTAuth.ServiceAccountRef.Namespace
 	}
 	name := prov.Auth.JWTAuth.ServiceAccountRef.Name
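Review bot: The guard added at the top of the ClusterSecretStore branch only dereferences one level safely — if `prov.Auth.JWTAuth` or `prov.Auth.JWTAuth.ServiceAccountRef` can also be nil on a spec that reaches sessionFromServiceAccount (the test fixture builds ServiceAccountRef as a pointer), the same panic on an operator-supplied store spec remains one field up; worth confirming at the caller or extending the check to `if prov.Auth.JWTAuth == nil || prov.Auth.JWTAuth.ServiceAccountRef == nil || prov.Auth.JWTAuth.ServiceAccountRef.Namespace == nil`. Since the spec comes from a cluster object, a missing field should be a rejected input, not a reconciler crash, so turning it into a returned error is the right shape; if the provider has a store-validation hook, surfacing this there as well would report it before reconcile time. As a style point, the message has no format verbs, so `errors.New` fits better than `fmt.Errorf`, and Go error strings are conventionally lowercase — but the test in auth_test.go pins the exact text, so both would have to change together. The function continues past the hunk.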

+ 48 - 0
pkg/provider/aws/auth/auth_test.go

@@ -395,6 +395,54 @@ func TestNewSession(t *testing.T) {
 			expectedKeyID:     "3333",
 			expectedSecretKey: "4444",
 		},
+		{
+			name: "should not accept ServiceAccountRefs with nil Namespace",
+			sa: &v1.ServiceAccount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      myServiceAcc,
+					Namespace: otherNs,
+					Annotations: map[string]string{
+						roleARNAnnotation: "my-sa-role",
+					},
+				},
+			},
+			jwtProvider: func(name, namespace, roleArn, region string) (credentials.Provider, error) {
+				assert.Equal(t, myServiceAcc, name)
+				assert.Equal(t, otherNs, namespace)
+				assert.Equal(t, "my-sa-role", roleArn)
+				return fakesess.CredentialsProvider{
+					RetrieveFunc: func() (credentials.Value, error) {
+						return credentials.Value{
+							AccessKeyID:     "3333",
+							SecretAccessKey: "4444",
+							SessionToken:    "1234",
+							ProviderName:    "fake",
+						}, nil
+					},
+					IsExpiredFunc: func() bool { return false },
+				}, nil
+			},
+			store: &esv1alpha1.ClusterSecretStore{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1alpha1.ClusterSecretStoreKind,
+				},
+				Spec: esv1alpha1.SecretStoreSpec{
+					Provider: &esv1alpha1.SecretStoreProvider{
+						AWS: &esv1alpha1.AWSProvider{
+							Auth: esv1alpha1.AWSAuth{
+								JWTAuth: &esv1alpha1.AWSJWTAuth{
+									ServiceAccountRef: &esmeta.ServiceAccountSelector{
+										Name: myServiceAcc,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectErr: "ServiceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)",
+		},
 	}
 	for i := range rows {
 		row := rows[i]
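Review bot: The new row "should not accept ServiceAccountRefs with nil Namespace" supplies a jwtProvider that asserts on its arguments and returns working credentials, but the expected path returns the error before the provider is ever consulted, so the closure and the `sa` fixture are dead weight and the test does not prove the provider was not reached. A provider that fails the test if invoked makes the intent explicit and catches a regression where the nil check is bypassed: `jwtProvider: func(name, namespace, roleArn, region string) (credentials.Provider, error) { t.Fatal("jwtProvider must not be called when Namespace is nil"); return nil, nil },`. The `expectErr` string duplicates the literal from auth.go; if the message is ever reworded, consider matching a stable substring instead of the full sentence. The table literal and loop continue outside the hunk.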