@@ -279,7 +279,7 @@ func (c *connector) newClient(ctx context.Context, store esv1beta1.GenericStore,
|
|
|
|
|
|
// allow SecretStore controller validation to pass
|
|
|
// when using referent namespace.
|
|
|
- if vStore.storeKind == esv1beta1.ClusterSecretStoreKind && vStore.namespace == "" {
|
|
|
+ if vStore.storeKind == esv1beta1.ClusterSecretStoreKind && vStore.namespace == "" && isReferentSpec(vaultSpec) {
|
|
|
return vStore, nil
|
|
|
}
|
|
|
if err := vStore.setAuth(ctx, cfg); err != nil {
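Review bot: The early `return vStore, nil` hands back a client on which `setAuth` has not run, and the comment above it only says this lets SecretStore controller validation pass; now that the condition is narrowed to referent specs, the comment should state the consequence so a later caller does not treat the returned client as authenticated. Suggested replacement for the two comment lines: `// ClusterSecretStore with a referent auth spec and no namespace yet: skip setAuth so the` / `// SecretStore controller's validation passes; the client is unauthenticated until a namespace is known.` The same referent check is applied in Validate() further down without the `namespace == ""` condition, which looks intentional but is worth a sentence in either comment. newClient starts before this hunk and continues after it.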
|
|
|
@@ -585,35 +585,40 @@ func (v *client) Close(ctx context.Context) error {
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
+func isReferentSpec(prov *esv1beta1.VaultProvider) bool {
|
|
|
+ if prov.Auth.TokenSecretRef != nil && prov.Auth.TokenSecretRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.AppRole != nil && prov.Auth.AppRole.SecretRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.Kubernetes != nil && prov.Auth.Kubernetes.SecretRef != nil && prov.Auth.Kubernetes.SecretRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.Kubernetes != nil && prov.Auth.Kubernetes.ServiceAccountRef != nil && prov.Auth.Kubernetes.ServiceAccountRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.Ldap != nil && prov.Auth.Ldap.SecretRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.Jwt != nil && prov.Auth.Jwt.SecretRef != nil && prov.Auth.Jwt.SecretRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.Jwt != nil && prov.Auth.Jwt.KubernetesServiceAccountToken != nil && prov.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if prov.Auth.Cert != nil && prov.Auth.Cert.SecretRef.Namespace == nil {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ return false
|
|
|
+}
|
|
|
+
|
|
|
func (v *client) Validate() (esv1beta1.ValidationResult, error) {
|
|
|
// when using referent namespace we can not validate the token
|
|
|
// because the namespace is not known yet when Validate() is called
|
|
|
// from the SecretStore controller.
|
|
|
- if v.storeKind == esv1beta1.ClusterSecretStoreKind {
|
|
|
- if v.store.Auth.TokenSecretRef != nil && v.store.Auth.TokenSecretRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.AppRole != nil && v.store.Auth.AppRole.SecretRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.Kubernetes != nil && v.store.Auth.Kubernetes.SecretRef != nil && v.store.Auth.Kubernetes.SecretRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.Kubernetes != nil && v.store.Auth.Kubernetes.ServiceAccountRef != nil && v.store.Auth.Kubernetes.ServiceAccountRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.Ldap != nil && v.store.Auth.Ldap.SecretRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.Jwt != nil && v.store.Auth.Jwt.SecretRef != nil && v.store.Auth.Jwt.SecretRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.Jwt != nil && v.store.Auth.Jwt.KubernetesServiceAccountToken != nil && v.store.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
- if v.store.Auth.Cert != nil && v.store.Auth.Cert.SecretRef.Namespace == nil {
|
|
|
- return esv1beta1.ValidationResultUnknown, nil
|
|
|
- }
|
|
|
+ if v.storeKind == esv1beta1.ClusterSecretStoreKind && isReferentSpec(v.store) {
|
|
|
+ return esv1beta1.ValidationResultUnknown, nil
|
|
|
}
|
|
|
_, err := checkToken(context.Background(), v)
|
|
|
if err != nil {
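Review bot: `isReferentSpec` is an allow-list of auth methods and silently returns false for anything it does not enumerate, yet it carries no doc comment stating that contract; since its result now gates both the unauthenticated early return in newClient and the ValidationResultUnknown path in Validate(), the function should say what "referent" means here. Suggested comment above the func: `// isReferentSpec reports whether any configured auth method references a Secret or` / `// ServiceAccount without an explicit namespace, so the namespace is only known once the` / `// store is used; auth methods not listed here are treated as non-referent.` If VaultAuth gains (or already has) an auth method not listed, that method falls through to setAuth/checkToken with an empty namespace, which presumably errors rather than succeeds, but that fallback should be documented or covered by a test. Validate() continues past the end of this hunk.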