
Merge pull request #913 from rodrmartinez/feature/validate-store-kubernetes-provider

Feature/validateStore for kubernetes provider
paul-the-alien[bot] 4 years ago
parent
commit
f36be0d7a7
2 changed files with 127 additions and 0 deletions
  1. 34 0
      pkg/provider/kubernetes/kubernetes.go
  2. 93 0
      pkg/provider/kubernetes/kubernetes_test.go

+ 34 - 0
pkg/provider/kubernetes/kubernetes.go

@@ -262,5 +262,39 @@ func (k *ProviderKubernetes) Validate() error {
 }
 
 func (k *ProviderKubernetes) ValidateStore(store esv1beta1.GenericStore) error {
+	storeSpec := store.GetSpec()
+	k8sSpec := storeSpec.Provider.Kubernetes
+	if k8sSpec.Server.CABundle == nil && k8sSpec.Server.CAProvider == nil {
+		return fmt.Errorf("a CABundle or CAProvider is required")
+	}
+
+	if k8sSpec.Auth.Cert != nil {
+		if k8sSpec.Auth.Cert.ClientCert.Name == "" {
+			return fmt.Errorf("ClientCert.Name cannot be empty")
+		}
+		if k8sSpec.Auth.Cert.ClientCert.Key == "" {
+			return fmt.Errorf("ClientCert.Key cannot be empty")
+		}
+		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Cert.ClientCert); err != nil {
+			return err
+		}
+	} else if k8sSpec.Auth.Token != nil {
+		if k8sSpec.Auth.Token.BearerToken.Name == "" {
+			return fmt.Errorf("BearerToken.Name cannot be empty")
+		}
+		if k8sSpec.Auth.Token.BearerToken.Key == "" {
+			return fmt.Errorf("BearerToken.Key cannot be empty")
+		}
+		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Token.BearerToken); err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("an Auth type must be specified")
+	}
+
+	if k8sSpec.Auth.Cert != nil && k8sSpec.Auth.Token != nil {
+		return fmt.Errorf("only one authentication method is allowed")
+	}
+
 	return nil
 }
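Review bot: The CA check on the third added line only rejects a nil bundle, so a store that sets `CABundle` to an empty, non-nil byte slice passes validation with no trust anchor at all; since the test assigns a `[]byte` to this field, the guard should be `if len(k8sSpec.Server.CABundle) == 0 && k8sSpec.Server.CAProvider == nil {`. The "only one authentication method is allowed" check near the end of the hunk is evaluated only after the Cert branch has already passed its own field checks, so a store with both methods and an empty `ClientCert.Name` is reported as a missing name rather than as the real misconfiguration; moving that three-line block ahead of the `if k8sSpec.Auth.Cert != nil` chain gives the caller the accurate error. The function also dereferences `storeSpec.Provider.Kubernetes` unguarded, and I cannot see from this hunk whether the caller guarantees those pointers are non-nil; if not, a leading `if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Kubernetes == nil` returning an error would turn a panic into a validation failure. Finally, `fmt.Errorf` with constant strings is better written as `errors.New`, which `go vet` and staticcheck will otherwise flag.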

+ 93 - 0
pkg/provider/kubernetes/kubernetes_test.go

@@ -34,6 +34,7 @@ const (
 	errTestFetchCredentialsSecret = "test could not fetch Credentials secret failed"
 	errTestAuthValue              = "test failed key didn't match expected value"
 	errSomethingWentWrong         = "Something went wrong"
+	errExpectedErr                = "wanted error got nil"
 )
 
 type fakeClient struct {
@@ -261,6 +262,98 @@ func TestKubernetesSecretManagerSetAuth(t *testing.T) {
 		t.Error(errTestAuthValue)
 	}
 }
+func TestValidateStore(t *testing.T) {
+	p := ProviderKubernetes{}
+	store := &esv1beta1.SecretStore{
+		Spec: esv1beta1.SecretStoreSpec{
+			Provider: &esv1beta1.SecretStoreProvider{
+				Kubernetes: &esv1beta1.KubernetesProvider{},
+			},
+		},
+	}
+	secretName := "my-secret-name"
+	secretKey := "my-secert-key"
+	err := p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "a CABundle or CAProvider is required" {
+		t.Errorf("service CA test failed, got %v", err.Error())
+	}
+
+	bundle := []byte("ca-bundle")
+	store.Spec.Provider.Kubernetes.Server.CABundle = bundle
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "an Auth type must be specified" {
+		t.Errorf("empty Auth test failed")
+	}
+	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{Cert: &esv1beta1.CertAuth{}}
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "ClientCert.Name cannot be empty" {
+		t.Errorf("KeySelector test failed: expected clientCert name is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth.Cert.ClientCert.Name = secretName
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "ClientCert.Key cannot be empty" {
+		t.Errorf("KeySelector test failed: expected clientCert Key is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth.Cert.ClientCert.Key = secretKey
+	ns := "ns-one"
+	store.Spec.Provider.Kubernetes.Auth.Cert.ClientCert.Namespace = &ns
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "namespace not allowed with namespaced SecretStore" {
+		t.Errorf("KeySelector test failed: expected namespace not allowed, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{Token: &esv1beta1.TokenAuth{}}
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "BearerToken.Name cannot be empty" {
+		t.Errorf("KeySelector test failed: expected bearer token name is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth.Token.BearerToken.Name = secretName
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "BearerToken.Key cannot be empty" {
+		t.Errorf("KeySelector test failed: expected bearer token key is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth.Token.BearerToken.Key = secretKey
+	store.Spec.Provider.Kubernetes.Auth.Token.BearerToken.Namespace = &ns
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "namespace not allowed with namespaced SecretStore" {
+		t.Errorf("KeySelector test failed: expected namespace not allowed, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{
+		Cert: &esv1beta1.CertAuth{
+			ClientCert: v1.SecretKeySelector{
+				Name: secretName,
+				Key:  secretKey,
+			},
+		},
+		Token: &esv1beta1.TokenAuth{
+			BearerToken: v1.SecretKeySelector{
+				Name: secretName,
+				Key:  secretKey,
+			},
+		},
+	}
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "only one authentication method is allowed" {
+		t.Errorf("KeySelector test failed: expected only one auth method allowed, got %v", err)
+	}
+}
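Review bot: TestValidateStore never asserts the success path: every step in the hunk expects an error, so a regression that makes ValidateStore reject a fully valid cert or token store would not be caught. After `ClientCert.Key` is set and before the namespace is assigned, add `if err := p.ValidateStore(store); err != nil { t.Errorf("valid cert auth should validate, got %v", err) }`, and the same check after `BearerToken.Key` is set. The "namespace not allowed with namespaced SecretStore" assertions compare against a message produced by `utils.ValidateSecretSelector` in another package, so this test will break on a wording change there; the file's existing `ErrorContains` helper, visible just below the hunk, would make these comparisons both consistent with the rest of the file and less brittle. The `secretKey` literal has a harmless typo (`my-secert-key`).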
 
 func ErrorContains(out error, want string) bool {
 	if out == nil {