Почетна Преглед Помоћ
Пријавите се
logic855
/
helm-external-secrets
огледало од https://github.com/external-secrets/external-secrets
1
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: 5f1680c32e
Гране Ознаке
helm-externa...
/
pkg
/
provider
/
vault
/
validate.go

validate.go 7.9 KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package vault
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 

  24. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    25. 

  25. 

  26. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    27. 

  27. 	"github.com/external-secrets/external-secrets/pkg/utils"
    28. 

  28. )
    29. 

  29. 

  30. const (
    31. 

  31. 	errInvalidCredentials     = "invalid vault credentials: %w"
    32. 

  32. 	errInvalidStore           = "invalid store"
    33. 

  33. 	errInvalidStoreSpec       = "invalid store spec"
    34. 

  34. 	errInvalidStoreProv       = "invalid store provider"
    35. 

  35. 	errInvalidVaultProv       = "invalid vault provider"
    36. 

  36. 	errInvalidAppRoleRef      = "invalid Auth.AppRole.RoleRef: %w"
    37. 

  37. 	errInvalidAppRoleSec      = "invalid Auth.AppRole.SecretRef: %w"
    38. 

  38. 	errInvalidClientCert      = "invalid Auth.Cert.ClientCert: %w"
    39. 

  39. 	errInvalidCertSec         = "invalid Auth.Cert.SecretRef: %w"
    40. 

  40. 	errInvalidJwtSec          = "invalid Auth.Jwt.SecretRef: %w"
    41. 

  41. 	errInvalidJwtK8sSA        = "invalid Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef: %w"
    42. 

  42. 	errInvalidKubeSA          = "invalid Auth.Kubernetes.ServiceAccountRef: %w"
    43. 

  43. 	errInvalidKubeSec         = "invalid Auth.Kubernetes.SecretRef: %w"
    44. 

  44. 	errInvalidLdapSec         = "invalid Auth.Ldap.SecretRef: %w"
    45. 

  45. 	errInvalidTokenRef        = "invalid Auth.TokenSecretRef: %w"
    46. 

  46. 	errInvalidUserPassSec     = "invalid Auth.UserPass.SecretRef: %w"
    47. 

  47. 	errInvalidClientTLSCert   = "invalid ClientTLS.ClientCert: %w"
    48. 

  48. 	errInvalidClientTLSSecret = "invalid ClientTLS.SecretRef: %w"
    49. 

  49. 	errInvalidClientTLS       = "when provided, both ClientTLS.ClientCert and ClientTLS.SecretRef should be provided"
    50. 

  50. 	errCASNotSupportedInKVv1  = "checkAndSet is not supported with Vault KV version v1"
    51. 

  51. )
    52. 

  52. 

  53. func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    54. 

  54. 	if store == nil {
    55. 

  55. 		return nil, errors.New(errInvalidStore)
    56. 

  56. 	}
    57. 

  57. 	spc := store.GetSpec()
    58. 

  58. 	if spc == nil {
    59. 

  59. 		return nil, errors.New(errInvalidStoreSpec)
    60. 

  60. 	}
    61. 

  61. 	if spc.Provider == nil {
    62. 

  62. 		return nil, errors.New(errInvalidStoreProv)
    63. 

  63. 	}
    64. 

  64. 	vaultProvider := spc.Provider.Vault
    65. 

  65. 	if vaultProvider == nil {
    66. 

  66. 		return nil, errors.New(errInvalidVaultProv)
    67. 

  67. 	}
    68. 

  68. 	if vaultProvider.Auth != nil {
    69. 

  69. 		if vaultProvider.Auth.AppRole != nil {
    70. 

  70. 			// check SecretRef for valid configuration
    71. 

  71. 			if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.AppRole.SecretRef); err != nil {
    72. 

  72. 				return nil, fmt.Errorf(errInvalidAppRoleSec, err)
    73. 

  73. 			}
    74. 

  74. 

  75. 			// prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
    76. 

  76. 			if vaultProvider.Auth.AppRole.RoleID == "" { // prevents further RoleID tests if .auth.appRole.roleId is given
    77. 

  77. 				if vaultProvider.Auth.AppRole.RoleRef != nil { // check RoleRef for valid configuration
    78. 

  78. 					if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.AppRole.RoleRef); err != nil {
    79. 

  79. 						return nil, fmt.Errorf(errInvalidAppRoleRef, err)
    80. 

  80. 					}
    81. 

  81. 				} else { // we ran out of ways to get RoleID. return an appropriate error
    82. 

  82. 					return nil, errors.New(errInvalidAppRoleID)
    83. 

  83. 				}
    84. 

  84. 			}
    85. 

  85. 		}
    86. 

  86. 		if vaultProvider.Auth.Cert != nil {
    87. 

  87. 			if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.ClientCert); err != nil {
    88. 

  88. 				return nil, fmt.Errorf(errInvalidClientCert, err)
    89. 

  89. 			}
    90. 

  90. 			if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.SecretRef); err != nil {
    91. 

  91. 				return nil, fmt.Errorf(errInvalidCertSec, err)
    92. 

  92. 			}
    93. 

  93. 		}
    94. 

  94. 		if vaultProvider.Auth.Jwt != nil {
    95. 

  95. 			if vaultProvider.Auth.Jwt.SecretRef != nil {
    96. 

  96. 				if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Jwt.SecretRef); err != nil {
    97. 

  97. 					return nil, fmt.Errorf(errInvalidJwtSec, err)
    98. 

  98. 				}
    99. 

  99. 			} else if vaultProvider.Auth.Jwt.KubernetesServiceAccountToken != nil {
    100. 

  100. 				if err := utils.ValidateReferentServiceAccountSelector(store, vaultProvider.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef); err != nil {
    101. 

  101. 					return nil, fmt.Errorf(errInvalidJwtK8sSA, err)
    102. 

  102. 				}
    103. 

  103. 			} else {
    104. 

  104. 				return nil, errors.New(errJwtNoTokenSource)
    105. 

  105. 			}
    106. 

  106. 		}
    107. 

  107. 		if vaultProvider.Auth.Kubernetes != nil {
    108. 

  108. 			if vaultProvider.Auth.Kubernetes.ServiceAccountRef != nil {
    109. 

  109. 				if err := utils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Kubernetes.ServiceAccountRef); err != nil {
    110. 

  110. 					return nil, fmt.Errorf(errInvalidKubeSA, err)
    111. 

  111. 				}
    112. 

  112. 			}
    113. 

  113. 			if vaultProvider.Auth.Kubernetes.SecretRef != nil {
    114. 

  114. 				if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Kubernetes.SecretRef); err != nil {
    115. 

  115. 					return nil, fmt.Errorf(errInvalidKubeSec, err)
    116. 

  116. 				}
    117. 

  117. 			}
    118. 

  118. 		}
    119. 

  119. 		if vaultProvider.Auth.Ldap != nil {
    120. 

  120. 			if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Ldap.SecretRef); err != nil {
    121. 

  121. 				return nil, fmt.Errorf(errInvalidLdapSec, err)
    122. 

  122. 			}
    123. 

  123. 		}
    124. 

  124. 		if vaultProvider.Auth.UserPass != nil {
    125. 

  125. 			if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.UserPass.SecretRef); err != nil {
    126. 

  126. 				return nil, fmt.Errorf(errInvalidUserPassSec, err)
    127. 

  127. 			}
    128. 

  128. 		}
    129. 

  129. 		if vaultProvider.Auth.TokenSecretRef != nil {
    130. 

  130. 			if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.TokenSecretRef); err != nil {
    131. 

  131. 				return nil, fmt.Errorf(errInvalidTokenRef, err)
    132. 

  132. 			}
    133. 

  133. 		}
    134. 

  134. 		if vaultProvider.Auth.Iam != nil {
    135. 

  135. 			if vaultProvider.Auth.Iam.JWTAuth != nil {
    136. 

  136. 				if vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef != nil {
    137. 

  137. 					if err := utils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef); err != nil {
    138. 

  138. 						return nil, fmt.Errorf(errInvalidTokenRef, err)
    139. 

  139. 					}
    140. 

  140. 				}
    141. 

  141. 			}
    142. 

  142. 

  143. 			if vaultProvider.Auth.Iam.SecretRef != nil {
    144. 

  144. 				if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.AccessKeyID); err != nil {
    145. 

  145. 					return nil, fmt.Errorf(errInvalidTokenRef, err)
    146. 

  146. 				}
    147. 

  147. 				if err := utils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.SecretAccessKey); err != nil {
    148. 

  148. 					return nil, fmt.Errorf(errInvalidTokenRef, err)
    149. 

  149. 				}
    150. 

  150. 				if vaultProvider.Auth.Iam.SecretRef.SessionToken != nil {
    151. 

  151. 					if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Iam.SecretRef.SessionToken); err != nil {
    152. 

  152. 						return nil, fmt.Errorf(errInvalidTokenRef, err)
    153. 

  153. 					}
    154. 

  154. 				}
    155. 

  155. 			}
    156. 

  156. 		}
    157. 

  157. 	}
    158. 

  158. 	if vaultProvider.ClientTLS.CertSecretRef != nil && vaultProvider.ClientTLS.KeySecretRef != nil {
    159. 

  159. 		if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.ClientTLS.CertSecretRef); err != nil {
    160. 

  160. 			return nil, fmt.Errorf(errInvalidClientTLSCert, err)
    161. 

  161. 		}
    162. 

  162. 		if err := utils.ValidateReferentSecretSelector(store, *vaultProvider.ClientTLS.KeySecretRef); err != nil {
    163. 

  163. 			return nil, fmt.Errorf(errInvalidClientTLSSecret, err)
    164. 

  164. 		}
    165. 

  165. 	} else if vaultProvider.ClientTLS.CertSecretRef != nil || vaultProvider.ClientTLS.KeySecretRef != nil {
    166. 

  166. 		return nil, errors.New(errInvalidClientTLS)
    167. 

  167. 	}
    168. 

  168. 

  169. 	// Validate CAS configuration
    170. 

  170. 	if vaultProvider.CheckAndSet != nil && vaultProvider.CheckAndSet.Required {
    171. 

  171. 		if vaultProvider.Version == esv1.VaultKVStoreV1 {
    172. 

  172. 			return nil, errors.New(errCASNotSupportedInKVv1)
    173. 

  173. 		}
    174. 

  174. 	}
    175. 

  175. 

  176. 	return nil, nil
    177. 

  177. }
    178. 

  178. 

  179. func (c *client) Validate() (esv1.ValidationResult, error) {
    180. 

  180. 	// when using referent namespace we can not validate the token
    181. 

  181. 	// because the namespace is not known yet when Validate() is called
    182. 

  182. 	// from the SecretStore controller.
    183. 

  183. 	if c.storeKind == esv1.ClusterSecretStoreKind && isReferentSpec(c.store) {
    184. 

  184. 		return esv1.ValidationResultUnknown, nil
    185. 

  185. 	}
    186. 

  186. 	_, err := checkToken(context.Background(), c.token)
    187. 

  187. 	if err != nil {
    188. 

  188. 		return esv1.ValidationResultError, fmt.Errorf(errInvalidCredentials, err)
    189. 

  189. 	}
    190. 

  190. 	return esv1.ValidationResultReady, nil
    191. 

  191. }
    192.