
Adds ValidateStore testing

Docs 4 years ago
parent
commit
fb4fcb4d03
2 changed files with 86 additions and 7 deletions
  1. 12 7
      pkg/provider/kubernetes/kubernetes.go
  2. 74 0
      pkg/provider/kubernetes/kubernetes_test.go

+ 12 - 7
pkg/provider/kubernetes/kubernetes.go

@@ -269,20 +269,25 @@ func (k *ProviderKubernetes) ValidateStore(store esv1beta1.GenericStore) error {
 	}
 
 	if k8sSpec.Auth.Cert != nil {
-		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Cert.ClientCert); err != nil {
-			return fmt.Errorf("invalid Auth.Cert.ClientCert: %w", err)
+		if k8sSpec.Auth.Cert.ClientCert.Name == "" {
+			return fmt.Errorf("ClientCert.Name cannot be empty")
 		}
-		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Cert.ClientKey); err != nil {
-			return fmt.Errorf("invalid Auth.Cert.ClientKey: %w", err)
+		if k8sSpec.Auth.Cert.ClientCert.Key == "" {
+			return fmt.Errorf("ClientCert.Key cannot be empty")
 		}
 	} else if k8sSpec.Auth.Token != nil {
-		if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Token.BearerToken); err != nil {
-			return fmt.Errorf("invalid Auth.Token.BearerToken: %w", err)
+		if k8sSpec.Auth.Token.BearerToken.Name == "" {
+			return fmt.Errorf("BearerToken.Name cannot be empty")
 		}
+		if k8sSpec.Auth.Token.BearerToken.Key == "" {
+			return fmt.Errorf("BearerToken.Key cannot be empty")
+		}
+	} else {
+		return fmt.Errorf("an Auth type must be specified")
 	}
 
 	if k8sSpec.Auth.Cert != nil && k8sSpec.Auth.Token != nil {
-		return fmt.Errorf("Only one authentication method is allowed")
+		return fmt.Errorf("only one authentication method is allowed")
 	}
 
 	return nil
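Review bot: The Cert branch no longer validates `Auth.Cert.ClientKey` at all. The removed lines ran `utils.ValidateSecretSelector` on both ClientCert and ClientKey, while the new checks cover only `ClientCert.Name` and `ClientCert.Key`, so a store that names a client certificate but no private-key secret passes validation. The new checks also stop passing `store`, so any store-scoped validation that helper performed is no longer applied to the three selectors; its body is not shown here, but it presumably enforced namespace rules that differ between a namespaced and a cluster-wide store. I would keep the helper call alongside the emptiness checks, e.g. `if err := utils.ValidateSecretSelector(store, k8sSpec.Auth.Cert.ClientKey); err != nil { return fmt.Errorf("invalid Auth.Cert.ClientKey: %w", err) }`, and add matching empty-name and empty-key checks for ClientKey, assuming it is the same selector type as ClientCert. ValidateStore begins above this hunk, so checks earlier in the function are not visible here.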

+ 74 - 0
pkg/provider/kubernetes/kubernetes_test.go

@@ -34,6 +34,7 @@ const (
 	errTestFetchCredentialsSecret = "test could not fetch Credentials secret failed"
 	errTestAuthValue              = "test failed key didn't match expected value"
 	errSomethingWentWrong         = "Something went wrong"
+	errExpectedErr                = "wanted error got nil"
 )
 
 type fakeClient struct {
@@ -261,6 +262,79 @@ func TestKubernetesSecretManagerSetAuth(t *testing.T) {
 		t.Error(errTestAuthValue)
 	}
 }
+func TestValidateStore(t *testing.T) {
+	p := ProviderKubernetes{}
+	store := &esv1beta1.SecretStore{
+		Spec: esv1beta1.SecretStoreSpec{
+			Provider: &esv1beta1.SecretStoreProvider{
+				Kubernetes: &esv1beta1.KubernetesProvider{},
+			},
+		},
+	}
+	err := p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "a CABundle or CAProvider is required" {
+		t.Errorf("service CA test failed, got %v", err.Error())
+	}
+
+	bundle := []byte("ca-bundle")
+	store.Spec.Provider.Kubernetes.Server.CABundle = bundle
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "an Auth type must be specified" {
+		t.Errorf("empty Auth test failed")
+	}
+	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{Cert: &esv1beta1.CertAuth{}}
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "ClientCert.Name cannot be empty" {
+		t.Errorf("KeySelector test failed: expected clientCert name is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth.Cert.ClientCert.Name = "secret-name"
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "ClientCert.Key cannot be empty" {
+		t.Errorf("KeySelector test failed: expected clientCert Key is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{Token: &esv1beta1.TokenAuth{}}
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "BearerToken.Name cannot be empty" {
+		t.Errorf("KeySelector test failed: expected bearer token name is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth.Token.BearerToken.Name = "secret-name"
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "BearerToken.Key cannot be empty" {
+		t.Errorf("KeySelector test failed: expected bearer token key is required, got %v", err)
+	}
+	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{
+		Cert: &esv1beta1.CertAuth{
+			ClientCert: v1.SecretKeySelector{
+				Name: "secret-name",
+				Key:  "secret-key",
+			},
+		},
+		Token: &esv1beta1.TokenAuth{
+			BearerToken: v1.SecretKeySelector{
+				Name: "secret-name",
+				Key:  "secret-key",
+			},
+		},
+	}
+	err = p.ValidateStore(store)
+	if err == nil {
+		t.Errorf(errExpectedErr)
+	} else if err.Error() != "only one authentication method is allowed" {
+		t.Errorf("KeySelector test failed: expected only one auth method allowed, got %v", err)
+	}
+}
 
 func ErrorContains(out error, want string) bool {
 	if out == nil {
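Review bot: TestValidateStore only asserts failures: no case expects `ValidateStore` to return nil for a well-formed store, and no case touches `Auth.Cert.ClientKey` or a selector that sets a namespace. As a result the test would still pass if validation rejected every store, and it does not notice that the client-key selector is unchecked. The empty-Auth case also reports `t.Errorf("empty Auth test failed")` without the error it received, unlike the other cases. A success case appended after the last failure case is sketched below; it assumes nothing earlier in ValidateStore (outside the visible hunk) rejects this store.

```go
	// … unchanged: failure cases above …
	store.Spec.Provider.Kubernetes.Auth = esv1beta1.KubernetesAuth{
		Token: &esv1beta1.TokenAuth{
			BearerToken: v1.SecretKeySelector{
				Name: "secret-name",
				Key:  "secret-key",
			},
		},
	}
	if err := p.ValidateStore(store); err != nil {
		t.Errorf("valid token auth rejected: %v", err)
	}
```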