Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: fcb2564a2f
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
validate.go

validate.go 8.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package vault
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 

  24. 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
    25. 

  25. 

  26. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    27. 

  27. 	"github.com/external-secrets/external-secrets/pkg/esutils"
    28. 

  28. )
    29. 

  29. 

  30. const (
    31. 

  31. 	errInvalidCredentials     = "invalid vault credentials: %w"
    32. 

  32. 	errInvalidStore           = "invalid store"
    33. 

  33. 	errInvalidStoreSpec       = "invalid store spec"
    34. 

  34. 	errInvalidStoreProv       = "invalid store provider"
    35. 

  35. 	errInvalidVaultProv       = "invalid vault provider"
    36. 

  36. 	errInvalidAppRoleRef      = "invalid Auth.AppRole.RoleRef: %w"
    37. 

  37. 	errInvalidAppRoleSec      = "invalid Auth.AppRole.SecretRef: %w"
    38. 

  38. 	errInvalidClientCert      = "invalid Auth.Cert.ClientCert: %w"
    39. 

  39. 	errInvalidCertSec         = "invalid Auth.Cert.SecretRef: %w"
    40. 

  40. 	errInvalidJwtSec          = "invalid Auth.Jwt.SecretRef: %w"
    41. 

  41. 	errInvalidJwtK8sSA        = "invalid Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef: %w"
    42. 

  42. 	errInvalidKubeSA          = "invalid Auth.Kubernetes.ServiceAccountRef: %w"
    43. 

  43. 	errInvalidKubeSec         = "invalid Auth.Kubernetes.SecretRef: %w"
    44. 

  44. 	errInvalidLdapSec         = "invalid Auth.Ldap.SecretRef: %w"
    45. 

  45. 	errInvalidTokenRef        = "invalid Auth.TokenSecretRef: %w"
    46. 

  46. 	errInvalidUserPassSec     = "invalid Auth.UserPass.SecretRef: %w"
    47. 

  47. 	errInvalidClientTLSCert   = "invalid ClientTLS.ClientCert: %w"
    48. 

  48. 	errInvalidClientTLSSecret = "invalid ClientTLS.SecretRef: %w"
    49. 

  49. 	errInvalidClientTLS       = "when provided, both ClientTLS.ClientCert and ClientTLS.SecretRef should be provided"
    50. 

  50. 	errCASNotSupportedInKVv1  = "checkAndSet is not supported with Vault KV version v1"
    51. 

  51. )
    52. 

  52. 

  53. // ValidateStore validates the Vault provider configuration in the SecretStore.
    54. 

  54. func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
    55. 

  55. 	if store == nil {
    56. 

  56. 		return nil, errors.New(errInvalidStore)
    57. 

  57. 	}
    58. 

  58. 	spc := store.GetSpec()
    59. 

  59. 	if spc == nil {
    60. 

  60. 		return nil, errors.New(errInvalidStoreSpec)
    61. 

  61. 	}
    62. 

  62. 	if spc.Provider == nil {
    63. 

  63. 		return nil, errors.New(errInvalidStoreProv)
    64. 

  64. 	}
    65. 

  65. 	vaultProvider := spc.Provider.Vault
    66. 

  66. 	if vaultProvider == nil {
    67. 

  67. 		return nil, errors.New(errInvalidVaultProv)
    68. 

  68. 	}
    69. 

  69. 	if vaultProvider.Auth != nil {
    70. 

  70. 		if vaultProvider.Auth.AppRole != nil {
    71. 

  71. 			// check SecretRef for valid configuration
    72. 

  72. 			if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.AppRole.SecretRef); err != nil {
    73. 

  73. 				return nil, fmt.Errorf(errInvalidAppRoleSec, err)
    74. 

  74. 			}
    75. 

  75. 

  76. 			// prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
    77. 

  77. 			if vaultProvider.Auth.AppRole.RoleID == "" { // prevents further RoleID tests if .auth.appRole.roleId is given
    78. 

  78. 				if vaultProvider.Auth.AppRole.RoleRef != nil { // check RoleRef for valid configuration
    79. 

  79. 					if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.AppRole.RoleRef); err != nil {
    80. 

  80. 						return nil, fmt.Errorf(errInvalidAppRoleRef, err)
    81. 

  81. 					}
    82. 

  82. 				} else { // we ran out of ways to get RoleID. return an appropriate error
    83. 

  83. 					return nil, errors.New(errInvalidAppRoleID)
    84. 

  84. 				}
    85. 

  85. 			}
    86. 

  86. 		}
    87. 

  87. 		if vaultProvider.Auth.Cert != nil {
    88. 

  88. 			if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.ClientCert); err != nil {
    89. 

  89. 				return nil, fmt.Errorf(errInvalidClientCert, err)
    90. 

  90. 			}
    91. 

  91. 			if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Cert.SecretRef); err != nil {
    92. 

  92. 				return nil, fmt.Errorf(errInvalidCertSec, err)
    93. 

  93. 			}
    94. 

  94. 		}
    95. 

  95. 		if vaultProvider.Auth.Jwt != nil {
    96. 

  96. 			if vaultProvider.Auth.Jwt.SecretRef != nil {
    97. 

  97. 				if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Jwt.SecretRef); err != nil {
    98. 

  98. 					return nil, fmt.Errorf(errInvalidJwtSec, err)
    99. 

  99. 				}
    100. 

  100. 			} else if vaultProvider.Auth.Jwt.KubernetesServiceAccountToken != nil {
    101. 

  101. 				if err := esutils.ValidateReferentServiceAccountSelector(store, vaultProvider.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef); err != nil {
    102. 

  102. 					return nil, fmt.Errorf(errInvalidJwtK8sSA, err)
    103. 

  103. 				}
    104. 

  104. 			} else {
    105. 

  105. 				return nil, errors.New(errJwtNoTokenSource)
    106. 

  106. 			}
    107. 

  107. 		}
    108. 

  108. 		if vaultProvider.Auth.Kubernetes != nil {
    109. 

  109. 			if vaultProvider.Auth.Kubernetes.ServiceAccountRef != nil {
    110. 

  110. 				if err := esutils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Kubernetes.ServiceAccountRef); err != nil {
    111. 

  111. 					return nil, fmt.Errorf(errInvalidKubeSA, err)
    112. 

  112. 				}
    113. 

  113. 			}
    114. 

  114. 			if vaultProvider.Auth.Kubernetes.SecretRef != nil {
    115. 

  115. 				if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Kubernetes.SecretRef); err != nil {
    116. 

  116. 					return nil, fmt.Errorf(errInvalidKubeSec, err)
    117. 

  117. 				}
    118. 

  118. 			}
    119. 

  119. 		}
    120. 

  120. 		if vaultProvider.Auth.Ldap != nil {
    121. 

  121. 			if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Ldap.SecretRef); err != nil {
    122. 

  122. 				return nil, fmt.Errorf(errInvalidLdapSec, err)
    123. 

  123. 			}
    124. 

  124. 		}
    125. 

  125. 		if vaultProvider.Auth.UserPass != nil {
    126. 

  126. 			if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.UserPass.SecretRef); err != nil {
    127. 

  127. 				return nil, fmt.Errorf(errInvalidUserPassSec, err)
    128. 

  128. 			}
    129. 

  129. 		}
    130. 

  130. 		if vaultProvider.Auth.TokenSecretRef != nil {
    131. 

  131. 			if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.TokenSecretRef); err != nil {
    132. 

  132. 				return nil, fmt.Errorf(errInvalidTokenRef, err)
    133. 

  133. 			}
    134. 

  134. 		}
    135. 

  135. 		if vaultProvider.Auth.Iam != nil {
    136. 

  136. 			if vaultProvider.Auth.Iam.JWTAuth != nil {
    137. 

  137. 				if vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef != nil {
    138. 

  138. 					if err := esutils.ValidateReferentServiceAccountSelector(store, *vaultProvider.Auth.Iam.JWTAuth.ServiceAccountRef); err != nil {
    139. 

  139. 						return nil, fmt.Errorf(errInvalidTokenRef, err)
    140. 

  140. 					}
    141. 

  141. 				}
    142. 

  142. 			}
    143. 

  143. 

  144. 			if vaultProvider.Auth.Iam.SecretRef != nil {
    145. 

  145. 				if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.AccessKeyID); err != nil {
    146. 

  146. 					return nil, fmt.Errorf(errInvalidTokenRef, err)
    147. 

  147. 				}
    148. 

  148. 				if err := esutils.ValidateReferentSecretSelector(store, vaultProvider.Auth.Iam.SecretRef.SecretAccessKey); err != nil {
    149. 

  149. 					return nil, fmt.Errorf(errInvalidTokenRef, err)
    150. 

  150. 				}
    151. 

  151. 				if vaultProvider.Auth.Iam.SecretRef.SessionToken != nil {
    152. 

  152. 					if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.Auth.Iam.SecretRef.SessionToken); err != nil {
    153. 

  153. 						return nil, fmt.Errorf(errInvalidTokenRef, err)
    154. 

  154. 					}
    155. 

  155. 				}
    156. 

  156. 			}
    157. 

  157. 		}
    158. 

  158. 	}
    159. 

  159. 	if vaultProvider.ClientTLS.CertSecretRef != nil && vaultProvider.ClientTLS.KeySecretRef != nil {
    160. 

  160. 		if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.ClientTLS.CertSecretRef); err != nil {
    161. 

  161. 			return nil, fmt.Errorf(errInvalidClientTLSCert, err)
    162. 

  162. 		}
    163. 

  163. 		if err := esutils.ValidateReferentSecretSelector(store, *vaultProvider.ClientTLS.KeySecretRef); err != nil {
    164. 

  164. 			return nil, fmt.Errorf(errInvalidClientTLSSecret, err)
    165. 

  165. 		}
    166. 

  166. 	} else if vaultProvider.ClientTLS.CertSecretRef != nil || vaultProvider.ClientTLS.KeySecretRef != nil {
    167. 

  167. 		return nil, errors.New(errInvalidClientTLS)
    168. 

  168. 	}
    169. 

  169. 

  170. 	// Validate CAS configuration
    171. 

  171. 	if vaultProvider.CheckAndSet != nil && vaultProvider.CheckAndSet.Required {
    172. 

  172. 		if vaultProvider.Version == esv1.VaultKVStoreV1 {
    173. 

  173. 			return nil, errors.New(errCASNotSupportedInKVv1)
    174. 

  174. 		}
    175. 

  175. 	}
    176. 

  176. 

  177. 	return nil, nil
    178. 

  178. }
    179. 

  179. 

  180. func (c *client) Validate() (esv1.ValidationResult, error) {
    181. 

  181. 	// when using referent namespace we can not validate the token
    182. 

  182. 	// because the namespace is not known yet when Validate() is called
    183. 

  183. 	// from the SecretStore controller.
    184. 

  184. 	if c.storeKind == esv1.ClusterSecretStoreKind && isReferentSpec(c.store) {
    185. 

  185. 		return esv1.ValidationResultUnknown, nil
    186. 

  186. 	}
    187. 

  187. 	_, err := checkToken(context.Background(), c.token)
    188. 

  188. 	if err != nil {
    189. 

  189. 		return esv1.ValidationResultError, fmt.Errorf(errInvalidCredentials, err)
    190. 

  190. 	}
    191. 

  191. 	return esv1.ValidationResultReady, nil
    192. 

  192. }
    193.