Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0f6db5bd22
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
provider_test.go

provider_test.go 25 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package vault
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"errors"
    19. 

  19. 	"fmt"
    20. 

  20. 	"testing"
    21. 

  21. 

  22. 	"github.com/google/go-cmp/cmp"
    23. 

  23. 	vault "github.com/hashicorp/vault/api"
    24. 

  24. 	corev1 "k8s.io/api/core/v1"
    25. 

  25. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
    27. 

  27. 	"k8s.io/utils/ptr"
    28. 

  28. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    29. 

  29. 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
    30. 

  30. 

  31. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    32. 

  32. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    33. 

  33. 	utilfake "github.com/external-secrets/external-secrets/pkg/provider/util/fake"
    34. 

  34. 	"github.com/external-secrets/external-secrets/pkg/provider/vault/fake"
    35. 

  35. 	"github.com/external-secrets/external-secrets/pkg/provider/vault/util"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	tokenSecretName  = "example-secret-token"
    40. 

  40. 	secretDataString = "some-creds"
    41. 

  41. 	tlsAuthCerts     = "tls-auth-certs"
    42. 

  42. 	tlsKey           = "tls.key"
    43. 

  43. 	tlsCrt           = "tls.crt"
    44. 

  44. 	vaultCert        = "vault-cert"
    45. 

  45. )
    46. 

  46. 

  47. var (
    48. 

  48. 	secretStorePath = "secret"
    49. 

  49. )
    50. 

  50. 

  51. func makeValidSecretStoreWithVersion(v esv1beta1.VaultKVStoreVersion) *esv1beta1.SecretStore {
    52. 

  52. 	return &esv1beta1.SecretStore{
    53. 

  53. 		ObjectMeta: metav1.ObjectMeta{
    54. 

  54. 			Name:      "vault-store",
    55. 

  55. 			Namespace: "default",
    56. 

  56. 		},
    57. 

  57. 		Spec: esv1beta1.SecretStoreSpec{
    58. 

  58. 			Provider: &esv1beta1.SecretStoreProvider{
    59. 

  59. 				Vault: &esv1beta1.VaultProvider{
    60. 

  60. 					Server:  "vault.example.com",
    61. 

  61. 					Path:    &secretStorePath,
    62. 

  62. 					Version: v,
    63. 

  63. 					Auth: esv1beta1.VaultAuth{
    64. 

  64. 						Kubernetes: &esv1beta1.VaultKubernetesAuth{
    65. 

  65. 							Path: "kubernetes",
    66. 

  66. 							Role: "kubernetes-auth-role",
    67. 

  67. 							ServiceAccountRef: &esmeta.ServiceAccountSelector{
    68. 

  68. 								Name: "example-sa",
    69. 

  69. 							},
    70. 

  70. 						},
    71. 

  71. 					},
    72. 

  72. 				},
    73. 

  73. 			},
    74. 

  74. 		},
    75. 

  75. 	}
    76. 

  76. }
    77. 

  77. 

  78. func makeValidSecretStore() *esv1beta1.SecretStore {
    79. 

  79. 	return makeValidSecretStoreWithVersion(esv1beta1.VaultKVStoreV2)
    80. 

  80. }
    81. 

  81. 

  82. func makeValidSecretStoreWithCerts() *esv1beta1.SecretStore {
    83. 

  83. 	return &esv1beta1.SecretStore{
    84. 

  84. 		ObjectMeta: metav1.ObjectMeta{
    85. 

  85. 			Name:      "vault-store",
    86. 

  86. 			Namespace: "default",
    87. 

  87. 		},
    88. 

  88. 		Spec: esv1beta1.SecretStoreSpec{
    89. 

  89. 			Provider: &esv1beta1.SecretStoreProvider{
    90. 

  90. 				Vault: &esv1beta1.VaultProvider{
    91. 

  91. 					Server:  "vault.example.com",
    92. 

  92. 					Path:    &secretStorePath,
    93. 

  93. 					Version: esv1beta1.VaultKVStoreV2,
    94. 

  94. 					Auth: esv1beta1.VaultAuth{
    95. 

  95. 						Cert: &esv1beta1.VaultCertAuth{
    96. 

  96. 							ClientCert: esmeta.SecretKeySelector{
    97. 

  97. 								Name: tlsAuthCerts,
    98. 

  98. 								Key:  tlsCrt,
    99. 

  99. 							},
    100. 

  100. 							SecretRef: esmeta.SecretKeySelector{
    101. 

  101. 								Name: tlsAuthCerts,
    102. 

  102. 								Key:  tlsKey,
    103. 

  103. 							},
    104. 

  104. 						},
    105. 

  105. 					},
    106. 

  106. 				},
    107. 

  107. 			},
    108. 

  108. 		},
    109. 

  109. 	}
    110. 

  110. }
    111. 

  111. 

  112. func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1beta1.SecretStore {
    113. 

  113. 	store := makeSecretStore()
    114. 

  114. 	caProvider := &esv1beta1.CAProvider{
    115. 

  115. 		Name: vaultCert,
    116. 

  116. 		Key:  "cert",
    117. 

  117. 	}
    118. 

  118. 

  119. 	if isSecret {
    120. 

  120. 		caProvider.Type = "Secret"
    121. 

  121. 	} else {
    122. 

  122. 		caProvider.Type = "ConfigMap"
    123. 

  123. 	}
    124. 

  124. 

  125. 	store.Spec.Provider.Vault.CAProvider = caProvider
    126. 

  126. 	return store
    127. 

  127. }
    128. 

  128. 

  129. func makeInvalidClusterSecretStoreWithK8sCerts() *esv1beta1.ClusterSecretStore {
    130. 

  130. 	return &esv1beta1.ClusterSecretStore{
    131. 

  131. 		TypeMeta: metav1.TypeMeta{
    132. 

  132. 			Kind: "ClusterSecretStore",
    133. 

  133. 		},
    134. 

  134. 		ObjectMeta: metav1.ObjectMeta{
    135. 

  135. 			Name:      "vault-store",
    136. 

  136. 			Namespace: "default",
    137. 

  137. 		},
    138. 

  138. 		Spec: esv1beta1.SecretStoreSpec{
    139. 

  139. 			Provider: &esv1beta1.SecretStoreProvider{
    140. 

  140. 				Vault: &esv1beta1.VaultProvider{
    141. 

  141. 					Server:  "vault.example.com",
    142. 

  142. 					Path:    &secretStorePath,
    143. 

  143. 					Version: "v2",
    144. 

  144. 					Auth: esv1beta1.VaultAuth{
    145. 

  145. 						Kubernetes: &esv1beta1.VaultKubernetesAuth{
    146. 

  146. 							Path: "kubernetes",
    147. 

  147. 							Role: "kubernetes-auth-role",
    148. 

  148. 							ServiceAccountRef: &esmeta.ServiceAccountSelector{
    149. 

  149. 								Name: "example-sa",
    150. 

  150. 							},
    151. 

  151. 						},
    152. 

  152. 					},
    153. 

  153. 					CAProvider: &esv1beta1.CAProvider{
    154. 

  154. 						Name: vaultCert,
    155. 

  155. 						Key:  "cert",
    156. 

  156. 						Type: "Secret",
    157. 

  157. 					},
    158. 

  158. 				},
    159. 

  159. 			},
    160. 

  160. 		},
    161. 

  161. 	}
    162. 

  162. }
    163. 

  163. 

  164. func makeValidSecretStoreWithIamAuthSecret() *esv1beta1.SecretStore {
    165. 

  165. 	return &esv1beta1.SecretStore{
    166. 

  166. 		ObjectMeta: metav1.ObjectMeta{
    167. 

  167. 			Name:      "vault-store",
    168. 

  168. 			Namespace: "default",
    169. 

  169. 		},
    170. 

  170. 		Spec: esv1beta1.SecretStoreSpec{
    171. 

  171. 			Provider: &esv1beta1.SecretStoreProvider{
    172. 

  172. 				Vault: &esv1beta1.VaultProvider{
    173. 

  173. 					Server:  "https://vault.example.com:8200",
    174. 

  174. 					Path:    &secretStorePath,
    175. 

  175. 					Version: esv1beta1.VaultKVStoreV2,
    176. 

  176. 					Auth: esv1beta1.VaultAuth{
    177. 

  177. 						Iam: &esv1beta1.VaultIamAuth{
    178. 

  178. 							Path:   "aws",
    179. 

  179. 							Region: "us-east-1",
    180. 

  180. 							Role:   "vault-role",
    181. 

  181. 							SecretRef: &esv1beta1.VaultAwsAuthSecretRef{
    182. 

  182. 								AccessKeyID: esmeta.SecretKeySelector{
    183. 

  183. 									Name: "vault-iam-creds-secret",
    184. 

  184. 									Key:  "access-key",
    185. 

  185. 								},
    186. 

  186. 								SecretAccessKey: esmeta.SecretKeySelector{
    187. 

  187. 									Name: "vault-iam-creds-secret",
    188. 

  188. 									Key:  "secret-access-key",
    189. 

  189. 								},
    190. 

  190. 								SessionToken: &esmeta.SecretKeySelector{
    191. 

  191. 									Name: "vault-iam-creds-secret",
    192. 

  192. 									Key:  "secret-session-token",
    193. 

  193. 								},
    194. 

  194. 							},
    195. 

  195. 						},
    196. 

  196. 					},
    197. 

  197. 				},
    198. 

  198. 			},
    199. 

  199. 		},
    200. 

  200. 	}
    201. 

  201. }
    202. 

  202. 

  203. type secretStoreTweakFn func(s *esv1beta1.SecretStore)
    204. 

  204. 

  205. func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1beta1.SecretStore {
    206. 

  206. 	store := makeValidSecretStore()
    207. 

  207. 

  208. 	for _, fn := range tweaks {
    209. 

  209. 		fn(store)
    210. 

  210. 	}
    211. 

  211. 

  212. 	return store
    213. 

  213. }
    214. 

  214. 

  215. func makeClusterSecretStore(tweaks ...secretStoreTweakFn) *esv1beta1.ClusterSecretStore {
    216. 

  216. 	store := makeValidSecretStore()
    217. 

  217. 

  218. 	for _, fn := range tweaks {
    219. 

  219. 		fn(store)
    220. 

  220. 	}
    221. 

  221. 

  222. 	return &esv1beta1.ClusterSecretStore{
    223. 

  223. 		TypeMeta: metav1.TypeMeta{
    224. 

  224. 			Kind: esv1beta1.ClusterSecretStoreKind,
    225. 

  225. 		},
    226. 

  226. 		ObjectMeta: store.ObjectMeta,
    227. 

  227. 		Spec:       store.Spec,
    228. 

  228. 	}
    229. 

  229. }
    230. 

  230. 

  231. type args struct {
    232. 

  232. 	newClientFunc func(c *vault.Config) (util.Client, error)
    233. 

  233. 	store         esv1beta1.GenericStore
    234. 

  234. 	kube          kclient.Client
    235. 

  235. 	corev1        typedcorev1.CoreV1Interface
    236. 

  236. 	ns            string
    237. 

  237. }
    238. 

  238. 

  239. type want struct {
    240. 

  240. 	err error
    241. 

  241. }
    242. 

  242. 

  243. type testCase struct {
    244. 

  244. 	reason string
    245. 

  245. 	args   args
    246. 

  246. 	want   want
    247. 

  247. }
    248. 

  248. 

  249. func TestNewVault(t *testing.T) {
    250. 

  250. 	errBoom := errors.New("boom")
    251. 

  251. 	secretClientKey := []byte(`-----BEGIN PRIVATE KEY-----
    252. 

  252. MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCi4cG2CxHejOXaWW0Xri4PbWyuainurCZuULPLC0jJsJF0zkq778O7JleWzh7QhqVBKKIhW6LNUVS9tmGHfHC7ufaHr9YtadzVkiDzQKtA0Cgcco98CfX7bzn5pZn/yfnbRN/aTyxT5335DFhHc0/FCJn2Q/5H9UtX6LR3H3zbT9Io32T0B6OAUKKB/3uzxAECFwwSK8UqGUee8JKGBrU10XRAMGxOc1BOWYpCHWZRH2FRGIgS+bwYHOXUjPv6FH7qx+wCMzlxqd9LGvic2CpFE0BiEsOLIiY/qEqozvd2aOLVhBPjT/9LTXvRZwX/qA7h4YIsnq5N8lN4ytryb13N9fdRVgymVykGkaAmh5zA4DIg48ULWzOfdPwRQ1kVq2TRmj3IlcJsNn6MgHJTbRqvCdJMyA59FUZC9+QHfC307sV2aWPoVTwuUyD3pOFu4K0LV+OKIVQ8OTOqApbnL9dOLVx4wFVYE32lTC4tRdxUU8MKiPEoT19A+bLMPrZHnqXCIRzLwwfewICgTNYNuDHV93OmqJK4IXcF8UG00v+pRw+umqXNxNkk0x3grfX5w0sBGZbyuojYHnQQx6wZfUl3mEzJ2zlmCB1/2GKtXn6tIDmRxzeJ2bgaKTjG/uCv9OGtp1VLmn3b/3qC+he4fv/lGh/zd/i5JMVgMXM9MPRlWQIDAQABAoICAAec04fllo03Oprs6QtdSavQ6m5wactM4nLvdKe9vEYo6XNzHM0R1K0PirJyqcAHOvwDoSg79yzvay1+s6o4Z7BubZZD4pe2xep5bO7Ri+94ixdhR1F9ybBZr3T6h2sMDpBv9KJoZuL5A8s7B3k3a3gDAecfoGfOkBnot16F6zj4zxK39ijtnnelzSKURTzOoVluqFLFFu7zxYQpLD/1WkzMoElLuhQkkZFH4A1dAGY0OEEpC1sPrvnVh+xaNoCmqpPgiihEKqAkV1pURWBXPgqCbtTmmZsMGouJGwwuuCQhnNBr3t4V5BGp6mqMDRy4xxFJj+Lz+6OK+tm/aWJBUDn38JK1rQLCA5W3BxMoit4745VWxJc9PX068w6YwBRpqhfg94qZBZHxDe+nQBBEguQ5kBhoBpx60Wscrkjvr4ggb4fzuU6JxLDIDuE2HMIO+EZXl9HEwOB4ImmJhFxcxC8QTU7MnMJ05SuafZDGM2YdmvP2D/BfZf3DlWvVGOnbGh0vUSVLeS5qBBSNAoeG2UR4T3MCXLSaa9+GqIqzti+euPXXAUSYAC+y1qkqkE9rsPezMmKOJmybBIBf40hVLge8fIZPZuvMSW7Sykuex/EjIDfjohAj7GAkrzXOTKlnz7vZAv6Y3EUsoEiVKh5vot+p9xn/XEYH8+JMsVqAABH9AoIBAQDY8VwccTRzYjMoKxhWXdXKvCAAFumo8uUowpJnbbkZfTbf8+75zwi/XXHn9nm9ON/7tUrWAzwuUvtKz4AiHmwHt/IiicEC8Vlyl7N0X40pW/wtcFZJarFQAmVoRiZAzyszqggv3cwCcf8o1ugaBh1Q83RoT8Fz72yI+J70ldiGsu86aZY4V7ApzPH2OHdNbLUDTKkiMUrS6io5DzIeDx4x4riu+GAqm33nhnYdk1nwx/EATixPqwTN62n6XKhE5QysrKlO2pUEr0YXypN6ynRYiCBPsh8OvnB+2ibkgBNQRicSkOBoSMl/1BI35rwmARl/qUoypqJEUO4pgBsCBLBTAoIBAQDANMp+6rluPLGYXLf4vqT7Zlr1EgHIl0aBWzcqQlpVr6UrgHaFnw+q9T/wg+oFM7zMD02oPjGnsKyL8zaIveUCKSYQFjlznvLnFWeLMTbnrjkMrsN3aLriQ+7w6TXZVuGpA1W+DdChKl0z4BDJiMuHcZjiX4F9jFEB4xhvbH54e947Vk16GZVflSCqcBOAhH8DtGC/fQK76g1ndIHZjmUP8f2yQA7NaLhNbnZp0N2AvXOLBu+pDOaAKheENUOMRkDA+pNkEP0Krr0eW+P5o1iIuqK09ILytyECmUGd+VV6ePPsNAc/rKt0lF7Adg4Ay16hgPHHLbM7j+vsZd7KLU4jAoIBAE33SBRMtv30v8/i1QdNB+WpgJKnqWf3i1X/v1/+dfRsJMmNwEf1GP61VZd45D2V8CFlATUyynEXj4pOUo1wg4Cuog25li05kdz2Gh9rq66+iT3HTqtp9bl8cvdrppnKGouhwvl467XBRGNoANhBdE3AgQhwCWViGY6MU4wxQjT+n61NfxhWo1ASgK7tkiq4M8GwzmQkdPCiCXSiOm/FHSPuiFMRnnYRlckccNymNT+si7eBYLltC/f5cAfzPuIrs0dnch2NvtqFJ1qrih8qHXAn0/zwVesVlBZyzmF2ifpii+5HNO8loY0YKUf/24SJBqHztF/JtS16LG2rxYkPKFMCggEAT7yW1RgjXSwosQCmAbd1UiYgTdLuknzPbxKcTBfCyhFYADgG82ANa+raX7kZ+JaCGFWw7b7/coXEzzpSwV+mBcN0WvAdXW3vbxZeIkyEbpDEchJ+XKdCAGQWWDMnd8anTypnA7VPe8zLZZ3q2PC7HrFtr1vXqHHxmUrQ9EiaHvmkNBGVirXaVhDTwGFGdeaBmtPV3xrJa5Opg+W9iLeeDYNir/QLMAPlkZnl3fgcLDBsIpz6B7OmXD0aDGrcXvE2I9jQFI9HqorbQiD07rdpHy/uGAvn1zFJrH5Pzm2FnI1ZBACBkVTcvDxhIo7XOFUmKPIJW4wF8wu94BBS4KTy6QKCAQEAiG8TYUEAcCTpPzRC6oMc3uD0ukxJIYm94MbGts7j9cb+kULoxHN9BjPTeNMcq2dHFZoobLt33YmqcRbH4bRenBGAu1iGCGJsVDnwsnGrThuWwhlQQSVetGaIT7ODjuR2KA9ms/U0jpuYmcXFnQtAs9jhZ2Hx2GkWyQkcTEyQalwqAl3kCv05VYlRGOaYZA31xNyUnsjL0AMLzOAs0+t+IPM12l4FCEXV83m10J5DTFxpb12jWHRwGNmDlsk/Mknlj4uQEvmr9iopnpZnFOgi+jvRmx1CBmARXoMz5D/Hh/EVuCwJS1vIytYsHsml0x2yRxDYxD0V44p//HS/dG4SsQ==
    253. 

  253. -----END PRIVATE KEY-----`)
    254. 

  254. 	clientCrt := []byte(`-----BEGIN CERTIFICATE-----
    255. 

  255. MIIFkTCCA3mgAwIBAgIUBEUg3m/WqAsWHG4Q/II3IePFfuowDQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDERMA8GA1UEAwwIdmF1bHQtY2EwHhcNMjIwNzI5MjEyMjE4WhcNMzkwMTAxMjEyMjE4WjBYMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMREwDwYDVQQDDAh2YXVsdC1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKLhwbYLEd6M5dpZbReuLg9tbK5qKe6sJm5Qs8sLSMmwkXTOSrvvw7smV5bOHtCGpUEooiFbos1RVL22YYd8cLu59oev1i1p3NWSIPNAq0DQKBxyj3wJ9ftvOfmlmf/J+dtE39pPLFPnffkMWEdzT8UImfZD/kf1S1fotHcffNtP0ijfZPQHo4BQooH/e7PEAQIXDBIrxSoZR57wkoYGtTXRdEAwbE5zUE5ZikIdZlEfYVEYiBL5vBgc5dSM+/oUfurH7AIzOXGp30sa+JzYKkUTQGISw4siJj+oSqjO93Zo4tWEE+NP/0tNe9FnBf+oDuHhgiyerk3yU3jK2vJvXc3191FWDKZXKQaRoCaHnMDgMiDjxQtbM590/BFDWRWrZNGaPciVwmw2foyAclNtGq8J0kzIDn0VRkL35Ad8LfTuxXZpY+hVPC5TIPek4W7grQtX44ohVDw5M6oClucv104tXHjAVVgTfaVMLi1F3FRTwwqI8ShPX0D5ssw+tkeepcIhHMvDB97AgKBM1g24MdX3c6aokrghdwXxQbTS/6lHD66apc3E2STTHeCt9fnDSwEZlvK6iNgedBDHrBl9SXeYTMnbOWYIHX/YYq1efq0gOZHHN4nZuBopOMb+4K/04a2nVUuafdv/eoL6F7h+/+UaH/N3+LkkxWAxcz0w9GVZAgMBAAGjUzBRMB0GA1UdDgQWBBQuIVwmjMZvkq+jf6ViTelH5KDBVDAfBgNVHSMEGDAWgBQuIVwmjMZvkq+jf6ViTelH5KDBVDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAk4kNyFzmiKnREmi5PPj7xGAtv2aJIdMEfcZJ9e+H0Nb2aCvMvZsDodduXu6G5+1opd45v0AeTjLBkXDO6/8vnyM32VZEEKCAwMCLcOLD1z0+r+gaurDYMOGU5qr8hQadHKFsxEDYnR/9KdHhBg6A8qE2cOQa1ryu34DnWQ3m0CBApClf1YBRp/4T8BmHumfH6odD96H30HVzINrd9WM2hR9GRE3xqQyfwlvqmGn9S6snSVa+mcJ6w2wNE2LPGx0kOtBeOIUdfSsEgvSRjbowSHz9lohFZ0LxJYyizCA5vnMmYyhhkfJqm7YtjHkGWgXmqpH9BFt0D3gfORlIh787nuWfxtZ+554rDyQmPjYQG/qF4+Awehr4RxiGWTox1C67G/RzA6TOXX09xuFY+3U1ich90/KffvhoHvRVfhzxx+HUUY2qSU3HqQDzgieQQBaMuOhd1i6pua+/kPSXkuXqnIs8daao/goR5iU/lPLs7M8Dy7xZ9adzbIPuNuzHir2UuvtPlW+x/sSvOnVL9r/7TrAuWhdScglQ70EInPDVX7BgDWKrZUh86N4d7fu2f/T+6VoUSGEjq8obCj3BQ61mNEoftKVECUO4MMUdat6pY/4Xh6Dwc+FnbvR2+sX7IzI7FtgOrfO6abT+LCAR0R+UXyvnqZcjK2zkHz4DfXFbCQg==
    256. 

  256. -----END CERTIFICATE-----`)
    257. 

  257. 	secretData := []byte(secretDataString)
    258. 

  258. 

  259. 	cases := map[string]testCase{
    260. 

  260. 		"InvalidVaultStore": {
    261. 

  261. 			reason: "Should return error if given an invalid vault store.",
    262. 

  262. 			args: args{
    263. 

  263. 				store: &esv1beta1.SecretStore{},
    264. 

  264. 			},
    265. 

  265. 			want: want{
    266. 

  266. 				err: errors.New(errVaultStore),
    267. 

  267. 			},
    268. 

  268. 		},
    269. 

  269. 		"InvalidRetrySettings": {
    270. 

  270. 			reason: "Should return error if given an invalid Retry Interval.",
    271. 

  271. 			args: args{
    272. 

  272. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    273. 

  273. 					s.Spec.RetrySettings = &esv1beta1.SecretStoreRetrySettings{
    274. 

  274. 						MaxRetries:    ptr.To(int32(3)),
    275. 

  275. 						RetryInterval: ptr.To("not-an-interval"),
    276. 

  276. 					}
    277. 

  277. 				}),
    278. 

  278. 			},
    279. 

  279. 			want: want{
    280. 

  280. 				err: errors.New("time: invalid duration \"not-an-interval\""),
    281. 

  281. 			},
    282. 

  282. 		},
    283. 

  283. 		"ValidRetrySettings": {
    284. 

  284. 			reason: "Should return a Vault provider with custom retry settings",
    285. 

  285. 			args: args{
    286. 

  286. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    287. 

  287. 					s.Spec.RetrySettings = &esv1beta1.SecretStoreRetrySettings{
    288. 

  288. 						MaxRetries:    ptr.To(int32(3)),
    289. 

  289. 						RetryInterval: ptr.To("10m"),
    290. 

  290. 					}
    291. 

  291. 				}),
    292. 

  292. 				ns:            "default",
    293. 

  293. 				kube:          clientfake.NewClientBuilder().Build(),
    294. 

  294. 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
    295. 

  295. 				newClientFunc: fake.ClientWithLoginMock,
    296. 

  296. 			},
    297. 

  297. 			want: want{
    298. 

  298. 				err: nil,
    299. 

  299. 			},
    300. 

  300. 		},
    301. 

  301. 		"AddVaultStoreCertsError": {
    302. 

  302. 			reason: "Should return error if given an invalid CA certificate.",
    303. 

  303. 			args: args{
    304. 

  304. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    305. 

  305. 					s.Spec.Provider.Vault.CABundle = []byte("badcertdata")
    306. 

  306. 				}),
    307. 

  307. 			},
    308. 

  308. 			want: want{
    309. 

  309. 				err: fmt.Errorf(errVaultCert, errors.New("failed to parse certificates from CertPool")),
    310. 

  310. 			},
    311. 

  311. 		},
    312. 

  312. 		"VaultAuthFormatError": {
    313. 

  313. 			reason: "Should return error if no valid authentication method is given.",
    314. 

  314. 			args: args{
    315. 

  315. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    316. 

  316. 					s.Spec.Provider.Vault.Auth = esv1beta1.VaultAuth{}
    317. 

  317. 				}),
    318. 

  318. 			},
    319. 

  319. 			want: want{
    320. 

  320. 				err: errors.New(errAuthFormat),
    321. 

  321. 			},
    322. 

  322. 		},
    323. 

  323. 		"GetKubeServiceAccountError": {
    324. 

  324. 			reason: "Should return error if fetching kubernetes secret fails.",
    325. 

  325. 			args: args{
    326. 

  326. 				newClientFunc: fake.ClientWithLoginMock,
    327. 

  327. 				ns:            "default",
    328. 

  328. 				kube:          clientfake.NewClientBuilder().Build(),
    329. 

  329. 				store:         makeSecretStore(),
    330. 

  330. 				corev1:        utilfake.NewCreateTokenMock().WithError(errBoom),
    331. 

  331. 			},
    332. 

  332. 			want: want{
    333. 

  333. 				err: fmt.Errorf(errGetKubeSATokenRequest, "example-sa", errBoom),
    334. 

  334. 			},
    335. 

  335. 		},
    336. 

  336. 		"GetKubeSecretError": {
    337. 

  337. 			reason: "Should return error if fetching kubernetes secret fails.",
    338. 

  338. 			args: args{
    339. 

  339. 				ns: "default",
    340. 

  340. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    341. 

  341. 					s.Spec.Provider.Vault.Auth.Kubernetes.ServiceAccountRef = nil
    342. 

  342. 					s.Spec.Provider.Vault.Auth.Kubernetes.SecretRef = &esmeta.SecretKeySelector{
    343. 

  343. 						Name: "vault-secret",
    344. 

  344. 						Key:  "key",
    345. 

  345. 					}
    346. 

  346. 				}),
    347. 

  347. 				kube: clientfake.NewClientBuilder().Build(),
    348. 

  348. 			},
    349. 

  349. 			want: want{
    350. 

  350. 				err: fmt.Errorf(`cannot get Kubernetes secret "vault-secret": %w`, errors.New(`secrets "vault-secret" not found`)),
    351. 

  351. 			},
    352. 

  352. 		},
    353. 

  353. 		"SuccessfulVaultStoreWithCertAuth": {
    354. 

  354. 			reason: "Should return a Vault provider successfully",
    355. 

  355. 			args: args{
    356. 

  356. 				store: makeValidSecretStoreWithCerts(),
    357. 

  357. 				ns:    "default",
    358. 

  358. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    359. 

  359. 					ObjectMeta: metav1.ObjectMeta{
    360. 

  360. 						Name:      tlsAuthCerts,
    361. 

  361. 						Namespace: "default",
    362. 

  362. 					},
    363. 

  363. 					Data: map[string][]byte{
    364. 

  364. 						tlsKey: secretClientKey,
    365. 

  365. 						tlsCrt: clientCrt,
    366. 

  366. 					},
    367. 

  367. 				}).Build(),
    368. 

  368. 				newClientFunc: fake.ClientWithLoginMock,
    369. 

  369. 			},
    370. 

  370. 			want: want{
    371. 

  371. 				err: nil,
    372. 

  372. 			},
    373. 

  373. 		},
    374. 

  374. 		"SuccessfulVaultStoreWithK8sCertSecret": {
    375. 

  375. 			reason: "Should return a Vault provider with the cert from k8s",
    376. 

  376. 			args: args{
    377. 

  377. 				store: makeValidSecretStoreWithK8sCerts(true),
    378. 

  378. 				ns:    "default",
    379. 

  379. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    380. 

  380. 					ObjectMeta: metav1.ObjectMeta{
    381. 

  381. 						Name:      vaultCert,
    382. 

  382. 						Namespace: "default",
    383. 

  383. 					},
    384. 

  384. 					Data: map[string][]byte{
    385. 

  385. 						"cert":  clientCrt,
    386. 

  386. 						"token": secretData,
    387. 

  387. 					},
    388. 

  388. 				}).Build(),
    389. 

  389. 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
    390. 

  390. 				newClientFunc: fake.ClientWithLoginMock,
    391. 

  391. 			},
    392. 

  392. 			want: want{
    393. 

  393. 				err: nil,
    394. 

  394. 			},
    395. 

  395. 		},
    396. 

  396. 		"GetCertNamespaceMissingError": {
    397. 

  397. 			reason: "Should return an error if namespace is missing and is a ClusterSecretStore",
    398. 

  398. 			args: args{
    399. 

  399. 				store: makeInvalidClusterSecretStoreWithK8sCerts(),
    400. 

  400. 				ns:    "default",
    401. 

  401. 				kube:  clientfake.NewClientBuilder().Build(),
    402. 

  402. 			},
    403. 

  403. 			want: want{
    404. 

  404. 				err: errors.New(errCANamespace),
    405. 

  405. 			},
    406. 

  406. 		},
    407. 

  407. 		"GetCertSecretKeyMissingError": {
    408. 

  408. 			reason: "Should return an error if the secret key is missing",
    409. 

  409. 			args: args{
    410. 

  410. 				store: makeValidSecretStoreWithK8sCerts(true),
    411. 

  411. 				ns:    "default",
    412. 

  412. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    413. 

  413. 					ObjectMeta: metav1.ObjectMeta{
    414. 

  414. 						Name:      vaultCert,
    415. 

  415. 						Namespace: "default",
    416. 

  416. 					},
    417. 

  417. 					Data: map[string][]byte{},
    418. 

  418. 				}).Build(),
    419. 

  419. 				newClientFunc: fake.ClientWithLoginMock,
    420. 

  420. 			},
    421. 

  421. 			want: want{
    422. 

  422. 				err: fmt.Errorf(errVaultCert, errors.New(`cannot find secret data for key: "cert"`)),
    423. 

  423. 			},
    424. 

  424. 		},
    425. 

  425. 		"SuccessfulVaultStoreWithIamAuthSecret": {
    426. 

  426. 			reason: "Should return a Vault provider successfully",
    427. 

  427. 			args: args{
    428. 

  428. 				store: makeValidSecretStoreWithIamAuthSecret(),
    429. 

  429. 				ns:    "default",
    430. 

  430. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    431. 

  431. 					ObjectMeta: metav1.ObjectMeta{
    432. 

  432. 						Name:      "vault-iam-creds-secret",
    433. 

  433. 						Namespace: "default",
    434. 

  434. 					},
    435. 

  435. 					Data: map[string][]byte{
    436. 

  436. 						"access-key":           []byte("TESTING"),
    437. 

  437. 						"secret-access-key":    []byte("ABCDEF"),
    438. 

  438. 						"secret-session-token": []byte("c2VjcmV0LXNlc3Npb24tdG9rZW4K"),
    439. 

  439. 					},
    440. 

  440. 				}).Build(),
    441. 

  441. 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
    442. 

  442. 				newClientFunc: fake.ClientWithLoginMock,
    443. 

  443. 			},
    444. 

  444. 			want: want{
    445. 

  445. 				err: nil,
    446. 

  446. 			},
    447. 

  447. 		},
    448. 

  448. 		"SuccessfulVaultStoreWithK8sCertConfigMap": {
    449. 

  449. 			reason: "Should return a Vault prodvider with the cert from k8s",
    450. 

  450. 			args: args{
    451. 

  451. 				store: makeValidSecretStoreWithK8sCerts(false),
    452. 

  452. 				ns:    "default",
    453. 

  453. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.ConfigMap{
    454. 

  454. 					ObjectMeta: metav1.ObjectMeta{
    455. 

  455. 						Name:      vaultCert,
    456. 

  456. 						Namespace: "default",
    457. 

  457. 					},
    458. 

  458. 					Data: map[string]string{
    459. 

  459. 						"cert": string(clientCrt),
    460. 

  460. 					},
    461. 

  461. 				}).Build(),
    462. 

  462. 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
    463. 

  463. 				newClientFunc: fake.ClientWithLoginMock,
    464. 

  464. 			},
    465. 

  465. 			want: want{
    466. 

  466. 				err: nil,
    467. 

  467. 			},
    468. 

  468. 		},
    469. 

  469. 		"GetCertConfigMapMissingError": {
    470. 

  470. 			reason: "Should return an error if the config map key is missing",
    471. 

  471. 			args: args{
    472. 

  472. 				store: makeValidSecretStoreWithK8sCerts(false),
    473. 

  473. 				ns:    "default",
    474. 

  474. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.ServiceAccount{
    475. 

  475. 					ObjectMeta: metav1.ObjectMeta{
    476. 

  476. 						Name:      "example-sa",
    477. 

  477. 						Namespace: "default",
    478. 

  478. 					},
    479. 

  479. 					Secrets: []corev1.ObjectReference{
    480. 

  480. 						{
    481. 

  481. 							Name: tokenSecretName,
    482. 

  482. 						},
    483. 

  483. 					},
    484. 

  484. 				}, &corev1.ConfigMap{
    485. 

  485. 					ObjectMeta: metav1.ObjectMeta{
    486. 

  486. 						Name:      vaultCert,
    487. 

  487. 						Namespace: "default",
    488. 

  488. 					},
    489. 

  489. 					Data: map[string]string{},
    490. 

  490. 				}).Build(),
    491. 

  491. 				newClientFunc: fake.ClientWithLoginMock,
    492. 

  492. 			},
    493. 

  493. 			want: want{
    494. 

  494. 				err: fmt.Errorf(errConfigMapFmt, "cert"),
    495. 

  495. 			},
    496. 

  496. 		},
    497. 

  497. 		"GetCertificateFormatError": {
    498. 

  498. 			reason: "Should return error if client certificate is in wrong format.",
    499. 

  499. 			args: args{
    500. 

  500. 				store: makeValidSecretStoreWithCerts(),
    501. 

  501. 				ns:    "default",
    502. 

  502. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    503. 

  503. 					ObjectMeta: metav1.ObjectMeta{
    504. 

  504. 						Name:      tlsAuthCerts,
    505. 

  505. 						Namespace: "default",
    506. 

  506. 					},
    507. 

  507. 					Data: map[string][]byte{
    508. 

  508. 						tlsKey: secretClientKey,
    509. 

  509. 						tlsCrt: []byte("cert with mistak"),
    510. 

  510. 					},
    511. 

  511. 				}).Build(),
    512. 

  512. 				newClientFunc: fake.ClientWithLoginMock,
    513. 

  513. 			},
    514. 

  514. 			want: want{
    515. 

  515. 				err: fmt.Errorf(errClientTLSAuth, "tls: failed to find any PEM data in certificate input"),
    516. 

  516. 			},
    517. 

  517. 		},
    518. 

  518. 		"GetKeyFormatError": {
    519. 

  519. 			reason: "Should return error if client key is in wrong format.",
    520. 

  520. 			args: args{
    521. 

  521. 				store: makeValidSecretStoreWithCerts(),
    522. 

  522. 				ns:    "default",
    523. 

  523. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    524. 

  524. 					ObjectMeta: metav1.ObjectMeta{
    525. 

  525. 						Name:      tlsAuthCerts,
    526. 

  526. 						Namespace: "default",
    527. 

  527. 					},
    528. 

  528. 					Data: map[string][]byte{
    529. 

  529. 						tlsKey: []byte("key with mistake"),
    530. 

  530. 						tlsCrt: clientCrt,
    531. 

  531. 					},
    532. 

  532. 				}).Build(),
    533. 

  533. 				newClientFunc: fake.ClientWithLoginMock,
    534. 

  534. 			},
    535. 

  535. 			want: want{
    536. 

  536. 				err: fmt.Errorf(errClientTLSAuth, "tls: failed to find any PEM data in key input"),
    537. 

  537. 			},
    538. 

  538. 		},
    539. 

  539. 		"ClientTlsInvalidCertificatesError": {
    540. 

  540. 			reason: "Should return error if client key is in wrong format.",
    541. 

  541. 			args: args{
    542. 

  542. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    543. 

  543. 					s.Spec.Provider.Vault.ClientTLS = esv1beta1.VaultClientTLS{
    544. 

  544. 						CertSecretRef: &esmeta.SecretKeySelector{
    545. 

  545. 							Name: tlsAuthCerts,
    546. 

  546. 						},
    547. 

  547. 						KeySecretRef: &esmeta.SecretKeySelector{
    548. 

  548. 							Name: tlsAuthCerts,
    549. 

  549. 						},
    550. 

  550. 					}
    551. 

  551. 				}),
    552. 

  552. 				ns: "default",
    553. 

  553. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    554. 

  554. 					ObjectMeta: metav1.ObjectMeta{
    555. 

  555. 						Name:      tlsAuthCerts,
    556. 

  556. 						Namespace: "default",
    557. 

  557. 					},
    558. 

  558. 					Data: map[string][]byte{
    559. 

  559. 						tlsKey: []byte("key with mistake"),
    560. 

  560. 						tlsCrt: clientCrt,
    561. 

  561. 					},
    562. 

  562. 				}).Build(),
    563. 

  563. 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
    564. 

  564. 				newClientFunc: fake.ClientWithLoginMock,
    565. 

  565. 			},
    566. 

  566. 			want: want{
    567. 

  567. 				err: fmt.Errorf(errClientTLSAuth, "tls: failed to find any PEM data in key input"),
    568. 

  568. 			},
    569. 

  569. 		},
    570. 

  570. 		"SuccessfulVaultStoreValidClientTls": {
    571. 

  571. 			reason: "Should return a Vault provider with the cert from k8s",
    572. 

  572. 			args: args{
    573. 

  573. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    574. 

  574. 					s.Spec.Provider.Vault.ClientTLS = esv1beta1.VaultClientTLS{
    575. 

  575. 						CertSecretRef: &esmeta.SecretKeySelector{
    576. 

  576. 							Name: tlsAuthCerts,
    577. 

  577. 						},
    578. 

  578. 						KeySecretRef: &esmeta.SecretKeySelector{
    579. 

  579. 							Name: tlsAuthCerts,
    580. 

  580. 						},
    581. 

  581. 					}
    582. 

  582. 				}),
    583. 

  583. 				ns: "default",
    584. 

  584. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    585. 

  585. 					ObjectMeta: metav1.ObjectMeta{
    586. 

  586. 						Name:      tlsAuthCerts,
    587. 

  587. 						Namespace: "default",
    588. 

  588. 					},
    589. 

  589. 					Data: map[string][]byte{
    590. 

  590. 						tlsKey: secretClientKey,
    591. 

  591. 						tlsCrt: clientCrt,
    592. 

  592. 					},
    593. 

  593. 				}).Build(),
    594. 

  594. 				corev1:        utilfake.NewCreateTokenMock().WithToken("ok"),
    595. 

  595. 				newClientFunc: fake.ClientWithLoginMock,
    596. 

  596. 			},
    597. 

  597. 			want: want{
    598. 

  598. 				err: nil,
    599. 

  599. 			},
    600. 

  600. 		},
    601. 

  601. 		"SuccessfulVaultStoreWithSecretRef": {
    602. 

  602. 			reason: "Should return a Vault provider with secret ref auth",
    603. 

  603. 			args: args{
    604. 

  604. 				store: makeClusterSecretStore(func(s *esv1beta1.SecretStore) {
    605. 

  605. 					s.Spec.Provider.Vault.Auth.Kubernetes = nil
    606. 

  606. 					s.Spec.Provider.Vault.Auth.TokenSecretRef = &esmeta.SecretKeySelector{
    607. 

  607. 						Name:      "vault-token",
    608. 

  608. 						Namespace: ptr.To("default"),
    609. 

  609. 						Key:       "token",
    610. 

  610. 					}
    611. 

  611. 				}),
    612. 

  612. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    613. 

  613. 					ObjectMeta: metav1.ObjectMeta{
    614. 

  614. 						Name:      "vault-token",
    615. 

  615. 						Namespace: "default",
    616. 

  616. 					},
    617. 

  617. 					Data: map[string][]byte{
    618. 

  618. 						"token": []byte("token"),
    619. 

  619. 					},
    620. 

  620. 				}).Build(),
    621. 

  621. 				// no need to mock the secret as it is not used
    622. 

  622. 				newClientFunc: fake.ClientWithLoginMock,
    623. 

  623. 			},
    624. 

  624. 			want: want{},
    625. 

  625. 		},
    626. 

  626. 		"SuccessfulVaultStoreWithApproleRef": {
    627. 

  627. 			reason: "Should return a Vault provider with approle auth",
    628. 

  628. 			args: args{
    629. 

  629. 				store: makeSecretStore(func(s *esv1beta1.SecretStore) {
    630. 

  630. 					s.Spec.Provider.Vault.Auth.Kubernetes = nil
    631. 

  631. 					s.Spec.Provider.Vault.Auth.AppRole = &esv1beta1.VaultAppRole{
    632. 

  632. 						SecretRef: esmeta.SecretKeySelector{
    633. 

  633. 							Name: "vault-secret-id",
    634. 

  634. 							Key:  "secret-id",
    635. 

  635. 						},
    636. 

  636. 						RoleRef: &esmeta.SecretKeySelector{
    637. 

  637. 							Name: "vault-secret-id",
    638. 

  638. 							Key:  "approle",
    639. 

  639. 						},
    640. 

  640. 					}
    641. 

  641. 				}),
    642. 

  642. 				ns: "default",
    643. 

  643. 				kube: clientfake.NewClientBuilder().WithObjects(&corev1.Secret{
    644. 

  644. 					ObjectMeta: metav1.ObjectMeta{
    645. 

  645. 						Name:      "vault-secret-id",
    646. 

  646. 						Namespace: "default",
    647. 

  647. 					},
    648. 

  648. 					Data: map[string][]byte{
    649. 

  649. 						"secret-id": []byte("myid"),
    650. 

  650. 						"approle":   []byte("myrole"),
    651. 

  651. 					},
    652. 

  652. 				}).Build(),
    653. 

  653. 				// no need to mock the secret as it is not used
    654. 

  654. 				newClientFunc: fake.ClientWithLoginMock,
    655. 

  655. 			},
    656. 

  656. 			want: want{},
    657. 

  657. 		},
    658. 

  658. 		"SuccessfulVaultStoreWithSecretRefAndReferentSpec": {
    659. 

  659. 			reason: "Should return a Vault provider with secret ref auth",
    660. 

  660. 			args: args{
    661. 

  661. 				store: makeClusterSecretStore(func(s *esv1beta1.SecretStore) {
    662. 

  662. 					s.Spec.Provider.Vault.Auth.TokenSecretRef = &esmeta.SecretKeySelector{
    663. 

  663. 						Name: "vault-token",
    664. 

  664. 						Key:  "token",
    665. 

  665. 					}
    666. 

  666. 				}),
    667. 

  667. 				// no need to mock the secret as it is not used
    668. 

  668. 				newClientFunc: fake.ClientWithLoginMock,
    669. 

  669. 			},
    670. 

  670. 			want: want{},
    671. 

  671. 		},
    672. 

  672. 		"SuccessfulVaultStoreWithJwtAuthAndReferentSpec": {
    673. 

  673. 			reason: "Should return a Vault provider with jwt auth",
    674. 

  674. 			args: args{
    675. 

  675. 				store: makeClusterSecretStore(func(s *esv1beta1.SecretStore) {
    676. 

  676. 					s.Spec.Provider.Vault.Auth.Kubernetes = nil
    677. 

  677. 					s.Spec.Provider.Vault.Auth.Jwt = &esv1beta1.VaultJwtAuth{
    678. 

  678. 						Role: "test-role",
    679. 

  679. 						SecretRef: &esmeta.SecretKeySelector{
    680. 

  680. 							Name: "vault-token",
    681. 

  681. 						},
    682. 

  682. 					}
    683. 

  683. 				}),
    684. 

  684. 				// no need to mock the secret as it is not used
    685. 

  685. 				newClientFunc: fake.ClientWithLoginMock,
    686. 

  686. 			},
    687. 

  687. 			want: want{},
    688. 

  688. 		},
    689. 

  689. 	}
    690. 

  690. 

  691. 	for name, tc := range cases {
    692. 

  692. 		t.Run(name, func(t *testing.T) {
    693. 

  693. 			vaultTest(t, name, tc)
    694. 

  694. 		})
    695. 

  695. 	}
    696. 

  696. }
    697. 

  697. 

  698. func vaultTest(t *testing.T, _ string, tc testCase) {
    699. 

  699. 	prov := &Provider{
    700. 

  700. 		NewVaultClient: tc.args.newClientFunc,
    701. 

  701. 	}
    702. 

  702. 	if tc.args.newClientFunc == nil {
    703. 

  703. 		prov.NewVaultClient = NewVaultClient
    704. 

  704. 	}
    705. 

  705. 	_, err := prov.newClient(context.Background(), tc.args.store, tc.args.kube, tc.args.corev1, tc.args.ns)
    706. 

  706. 	if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
    707. 

  707. 		t.Errorf("\n%s\nvault.New(...): -want error, +got error:\n%s", tc.reason, diff)
    708. 

  708. 	}
    709. 

  709. }
    710.