Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: helm-chart
Branches Tags
helm-externa...
/
e2e
/
suites
/
provider
/
cases
/
vault
/
vault.go

vault.go 14 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8. 	https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. package vault
    17. 

  17. 

  18. import (
    19. 

  19. 	"context"
    20. 

  20. 	"fmt"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    24. 

  24. 	"k8s.io/apimachinery/pkg/types"
    25. 

  25. 	"k8s.io/apimachinery/pkg/util/wait"
    26. 

  26. 

  27. 	// nolint
    28. 

  28. 	. "github.com/onsi/ginkgo/v2"
    29. 

  29. 	. "github.com/onsi/gomega"
    30. 

  30. 	v1 "k8s.io/api/core/v1"
    31. 

  31. 

  32. 	"github.com/external-secrets/external-secrets-e2e/framework"
    33. 

  33. 	"github.com/external-secrets/external-secrets-e2e/framework/addon"
    34. 

  34. 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
    35. 

  35. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	withTokenAuth           = "with token auth"
    40. 

  40. 	withTokenAuthAndMTLS    = "with token auth and mTLS"
    41. 

  41. 	withCertAuth            = "with cert auth"
    42. 

  42. 	withApprole             = "with approle auth"
    43. 

  43. 	withV1                  = "with v1 provider"
    44. 

  44. 	withJWT                 = "with jwt provider"
    45. 

  45. 	withJWTK8s              = "with jwt k8s provider"
    46. 

  46. 	withK8s                 = "with kubernetes provider"
    47. 

  47. 	withReferentAuth        = "with referent provider"
    48. 

  48. 	withReferentAuthAndMTLS = "with referent provider and mTLS"
    49. 

  49. )
    50. 

  50. 

  51. var _ = Describe("[vault]", Label("vault"), Ordered, func() {
    52. 

  52. 	f := framework.New("vault")
    53. 

  53. 	vault := addon.NewVault()
    54. 

  54. 	prov := newVaultProvider(f, vault)
    55. 

  55. 

  56. 	BeforeAll(func() {
    57. 

  57. 		addon.InstallGlobalAddon(vault)
    58. 

  58. 	})
    59. 

  59. 

  60. 	DescribeTable("sync secrets",
    61. 

  61. 		framework.TableFuncWithExternalSecret(f, prov),
    62. 

  62. 		// uses token auth
    63. 

  63. 		framework.Compose(withTokenAuth, f, common.FindByName, useTokenAuth(prov)),
    64. 

  64. 		framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useTokenAuth(prov)),
    65. 

  65. 		framework.Compose(withTokenAuth, f, common.JSONDataFromSync, useTokenAuth(prov)),
    66. 

  66. 		framework.Compose(withTokenAuth, f, common.JSONDataFromRewrite, useTokenAuth(prov)),
    67. 

  67. 		framework.Compose(withTokenAuth, f, common.JSONDataWithProperty, useTokenAuth(prov)),
    68. 

  68. 		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplate, useTokenAuth(prov)),
    69. 

  69. 		framework.Compose(withTokenAuth, f, common.DataPropertyDockerconfigJSON, useTokenAuth(prov)),
    70. 

  70. 		framework.Compose(withTokenAuth, f, common.JSONDataWithoutTargetName, useTokenAuth(prov)),
    71. 

  71. 		framework.Compose(withTokenAuth, f, common.DecodingPolicySync, useTokenAuth(prov)),
    72. 

  72. 		framework.Compose(withTokenAuth, f, common.JSONDataWithTemplateFromLiteral, useTokenAuth(prov)),
    73. 

  73. 		framework.Compose(withTokenAuth, f, common.TemplateFromConfigmaps, useTokenAuth(prov)),
    74. 

  74. 		// use cert auth
    75. 

  75. 		framework.Compose(withCertAuth, f, common.FindByName, useCertAuth(prov)),
    76. 

  76. 		framework.Compose(withCertAuth, f, common.FindByNameAndRewrite, useCertAuth(prov)),
    77. 

  77. 		framework.Compose(withCertAuth, f, common.JSONDataFromSync, useCertAuth(prov)),
    78. 

  78. 		framework.Compose(withCertAuth, f, common.JSONDataFromRewrite, useCertAuth(prov)),
    79. 

  79. 		framework.Compose(withCertAuth, f, common.JSONDataWithProperty, useCertAuth(prov)),
    80. 

  80. 		framework.Compose(withCertAuth, f, common.JSONDataWithTemplate, useCertAuth(prov)),
    81. 

  81. 		framework.Compose(withCertAuth, f, common.DataPropertyDockerconfigJSON, useCertAuth(prov)),
    82. 

  82. 		framework.Compose(withCertAuth, f, common.JSONDataWithoutTargetName, useCertAuth(prov)),
    83. 

  83. 		// use approle auth
    84. 

  84. 		framework.Compose(withApprole, f, common.FindByName, useApproleAuth(prov)),
    85. 

  85. 		framework.Compose(withApprole, f, common.FindByNameAndRewrite, useApproleAuth(prov)),
    86. 

  86. 		framework.Compose(withApprole, f, common.JSONDataFromSync, useApproleAuth(prov)),
    87. 

  87. 		framework.Compose(withApprole, f, common.JSONDataFromRewrite, useApproleAuth(prov)),
    88. 

  88. 		framework.Compose(withApprole, f, common.JSONDataWithProperty, useApproleAuth(prov)),
    89. 

  89. 		framework.Compose(withApprole, f, common.JSONDataWithTemplate, useApproleAuth(prov)),
    90. 

  90. 		framework.Compose(withApprole, f, common.DataPropertyDockerconfigJSON, useApproleAuth(prov)),
    91. 

  91. 		framework.Compose(withApprole, f, common.JSONDataWithoutTargetName, useApproleAuth(prov)),
    92. 

  92. 		// use v1 provider
    93. 

  93. 		framework.Compose(withV1, f, common.FindByName, useV1Provider(prov)),
    94. 

  94. 		framework.Compose(withV1, f, common.FindByNameAndRewrite, useV1Provider(prov)),
    95. 

  95. 		framework.Compose(withV1, f, common.JSONDataFromSync, useV1Provider(prov)),
    96. 

  96. 		framework.Compose(withV1, f, common.JSONDataFromRewrite, useV1Provider(prov)),
    97. 

  97. 		framework.Compose(withV1, f, common.JSONDataWithProperty, useV1Provider(prov)),
    98. 

  98. 		framework.Compose(withV1, f, common.JSONDataWithTemplate, useV1Provider(prov)),
    99. 

  99. 		framework.Compose(withV1, f, common.DataPropertyDockerconfigJSON, useV1Provider(prov)),
    100. 

  100. 		framework.Compose(withV1, f, common.JSONDataWithoutTargetName, useV1Provider(prov)),
    101. 

  101. 		// use jwt provider
    102. 

  102. 		framework.Compose(withJWT, f, common.FindByName, useJWTProvider(prov)),
    103. 

  103. 		framework.Compose(withJWT, f, common.FindByNameAndRewrite, useJWTProvider(prov)),
    104. 

  104. 		framework.Compose(withJWT, f, common.JSONDataFromSync, useJWTProvider(prov)),
    105. 

  105. 		framework.Compose(withJWT, f, common.JSONDataFromRewrite, useJWTProvider(prov)),
    106. 

  106. 		framework.Compose(withJWT, f, common.JSONDataWithProperty, useJWTProvider(prov)),
    107. 

  107. 		framework.Compose(withJWT, f, common.JSONDataWithTemplate, useJWTProvider(prov)),
    108. 

  108. 		framework.Compose(withJWT, f, common.DataPropertyDockerconfigJSON, useJWTProvider(prov)),
    109. 

  109. 		framework.Compose(withJWT, f, common.JSONDataWithoutTargetName, useJWTProvider(prov)),
    110. 

  110. 		// use jwt k8s provider
    111. 

  111. 		framework.Compose(withJWTK8s, f, common.JSONDataFromSync, useJWTK8sProvider(prov)),
    112. 

  112. 		framework.Compose(withJWTK8s, f, common.JSONDataFromRewrite, useJWTK8sProvider(prov)),
    113. 

  113. 		framework.Compose(withJWTK8s, f, common.JSONDataWithProperty, useJWTK8sProvider(prov)),
    114. 

  114. 		framework.Compose(withJWTK8s, f, common.JSONDataWithTemplate, useJWTK8sProvider(prov)),
    115. 

  115. 		framework.Compose(withJWTK8s, f, common.DataPropertyDockerconfigJSON, useJWTK8sProvider(prov)),
    116. 

  116. 		framework.Compose(withJWTK8s, f, common.JSONDataWithoutTargetName, useJWTK8sProvider(prov)),
    117. 

  117. 		// use kubernetes provider
    118. 

  118. 		framework.Compose(withK8s, f, common.FindByName, useKubernetesProvider(prov)),
    119. 

  119. 		framework.Compose(withK8s, f, common.FindByNameAndRewrite, useKubernetesProvider(prov)),
    120. 

  120. 		framework.Compose(withK8s, f, common.JSONDataFromSync, useKubernetesProvider(prov)),
    121. 

  121. 		framework.Compose(withK8s, f, common.JSONDataFromRewrite, useKubernetesProvider(prov)),
    122. 

  122. 		framework.Compose(withK8s, f, common.JSONDataWithProperty, useKubernetesProvider(prov)),
    123. 

  123. 		framework.Compose(withK8s, f, common.JSONDataWithTemplate, useKubernetesProvider(prov)),
    124. 

  124. 		framework.Compose(withK8s, f, common.DataPropertyDockerconfigJSON, useKubernetesProvider(prov)),
    125. 

  125. 		framework.Compose(withK8s, f, common.JSONDataWithoutTargetName, useKubernetesProvider(prov)),
    126. 

  126. 		// use referent auth
    127. 

  127. 		framework.Compose(withReferentAuth, f, common.JSONDataFromSync, useReferentAuth(prov)),
    128. 

  128. 		// vault-specific test cases
    129. 

  129. 		Entry("secret value via data without property should return json-encoded string", Label("json"), testJSONWithoutProperty(prov)),
    130. 

  130. 		Entry("secret value via data with property should return json-encoded string", Label("json"), testJSONWithProperty(prov)),
    131. 

  131. 		Entry("dataFrom without property should extract key/value pairs", Label("json"), testDataFromJSONWithoutProperty(prov)),
    132. 

  132. 		Entry("dataFrom with property should extract key/value pairs", Label("json"), testDataFromJSONWithProperty(prov)),
    133. 

  133. 		// mTLS
    134. 

  134. 		framework.Compose(withTokenAuthAndMTLS, f, common.FindByName, useMTLSAndTokenAuth(prov)),
    135. 

  135. 		framework.Compose(withReferentAuthAndMTLS, f, common.JSONDataFromSync, useMTLSAndReferentAuth(prov)),
    136. 

  136. 		Entry("store without clientTLS configuration should not be valid", Label("vault-invalid-store"), testInvalidMtlsStore(prov)),
    137. 

  137. 	)
    138. 

  138. })
    139. 

  139. 

  140. func useTokenAuth(prov *vaultProvider) func(*framework.TestCase) {
    141. 

  141. 	return func(tc *framework.TestCase) {
    142. 

  142. 		prov.CreateTokenStore()
    143. 

  143. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name
    144. 

  144. 	}
    145. 

  145. }
    146. 

  146. 

  147. func useMTLSAndTokenAuth(prov *vaultProvider) func(*framework.TestCase) {
    148. 

  148. 	return func(tc *framework.TestCase) {
    149. 

  149. 		prov.CreateTokenStore(WithMTLS)
    150. 

  150. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = tc.Framework.Namespace.Name + mtlsSuffix
    151. 

  151. 	}
    152. 

  152. }
    153. 

  153. 

  154. func useCertAuth(prov *vaultProvider) func(*framework.TestCase) {
    155. 

  155. 	return func(tc *framework.TestCase) {
    156. 

  156. 		prov.CreateCertStore()
    157. 

  157. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = certAuthProviderName
    158. 

  158. 	}
    159. 

  159. }
    160. 

  160. 

  161. func useApproleAuth(prov *vaultProvider) func(*framework.TestCase) {
    162. 

  162. 	return func(tc *framework.TestCase) {
    163. 

  163. 		prov.CreateAppRoleStore()
    164. 

  164. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = appRoleAuthProviderName
    165. 

  165. 	}
    166. 

  166. }
    167. 

  167. 

  168. func useV1Provider(prov *vaultProvider) func(*framework.TestCase) {
    169. 

  169. 	return func(tc *framework.TestCase) {
    170. 

  170. 		prov.CreateV1Store()
    171. 

  171. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = kvv1ProviderName
    172. 

  172. 	}
    173. 

  173. }
    174. 

  174. 

  175. func useJWTProvider(prov *vaultProvider) func(*framework.TestCase) {
    176. 

  176. 	return func(tc *framework.TestCase) {
    177. 

  177. 		prov.CreateJWTStore()
    178. 

  178. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtProviderName
    179. 

  179. 	}
    180. 

  180. }
    181. 

  181. 

  182. func useJWTK8sProvider(prov *vaultProvider) func(*framework.TestCase) {
    183. 

  183. 	return func(tc *framework.TestCase) {
    184. 

  184. 		prov.CreateJWTK8sStore()
    185. 

  185. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = jwtK8sProviderName
    186. 

  186. 	}
    187. 

  187. }
    188. 

  188. 

  189. func useKubernetesProvider(prov *vaultProvider) func(*framework.TestCase) {
    190. 

  190. 	return func(tc *framework.TestCase) {
    191. 

  191. 		prov.CreateKubernetesAuthStore()
    192. 

  192. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = kubernetesProviderName
    193. 

  193. 	}
    194. 

  194. }
    195. 

  195. 

  196. func useReferentAuth(prov *vaultProvider) func(*framework.TestCase) {
    197. 

  197. 	return func(tc *framework.TestCase) {
    198. 

  198. 		prov.CreateReferentTokenStore()
    199. 

  199. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework)
    200. 

  200. 		tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
    201. 

  201. 	}
    202. 

  202. }
    203. 

  203. 

  204. func useMTLSAndReferentAuth(prov *vaultProvider) func(*framework.TestCase) {
    205. 

  205. 	return func(tc *framework.TestCase) {
    206. 

  206. 		prov.CreateReferentTokenStore(WithMTLS)
    207. 

  207. 		tc.ExternalSecret.Spec.SecretStoreRef.Name = referentSecretStoreName(tc.Framework) + mtlsSuffix
    208. 

  208. 		tc.ExternalSecret.Spec.SecretStoreRef.Kind = esapi.ClusterSecretStoreKind
    209. 

  209. 	}
    210. 

  210. }
    211. 

  211. 

  212. const jsonVal = `{"foo":{"nested":{"bar":"mysecret","baz":"bang"}}}`
    213. 

  213. 

  214. // when no property is set it should return the json-encoded at path.
    215. 

  215. func testJSONWithoutProperty(prov *vaultProvider) func(*framework.TestCase) {
    216. 

  216. 	return func(tc *framework.TestCase) {
    217. 

  217. 		prov.CreateTokenStore()
    218. 

  218. 		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
    219. 

  219. 		tc.Secrets = map[string]framework.SecretEntry{
    220. 

  220. 			secretKey: {Value: jsonVal},
    221. 

  221. 		}
    222. 

  222. 		tc.ExpectedSecret = &v1.Secret{
    223. 

  223. 			Type: v1.SecretTypeOpaque,
    224. 

  224. 			Data: map[string][]byte{
    225. 

  225. 				secretKey: []byte(jsonVal),
    226. 

  226. 			},
    227. 

  227. 		}
    228. 

  228. 		tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
    229. 

  229. 			{
    230. 

  230. 				SecretKey: secretKey,
    231. 

  231. 				RemoteRef: esapi.ExternalSecretDataRemoteRef{
    232. 

  232. 					Key: secretKey,
    233. 

  233. 				},
    234. 

  234. 			},
    235. 

  235. 		}
    236. 

  236. 	}
    237. 

  237. }
    238. 

  238. 

  239. // when property is set it should return the json-encoded at path.
    240. 

  240. func testJSONWithProperty(prov *vaultProvider) func(*framework.TestCase) {
    241. 

  241. 	return func(tc *framework.TestCase) {
    242. 

  242. 		prov.CreateTokenStore()
    243. 

  243. 		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
    244. 

  244. 		expectedVal := `{"bar":"mysecret","baz":"bang"}`
    245. 

  245. 		tc.Secrets = map[string]framework.SecretEntry{
    246. 

  246. 			secretKey: {Value: jsonVal},
    247. 

  247. 		}
    248. 

  248. 		tc.ExpectedSecret = &v1.Secret{
    249. 

  249. 			Type: v1.SecretTypeOpaque,
    250. 

  250. 			Data: map[string][]byte{
    251. 

  251. 				secretKey: []byte(expectedVal),
    252. 

  252. 			},
    253. 

  253. 		}
    254. 

  254. 		tc.ExternalSecret.Spec.Data = []esapi.ExternalSecretData{
    255. 

  255. 			{
    256. 

  256. 				SecretKey: secretKey,
    257. 

  257. 				RemoteRef: esapi.ExternalSecretDataRemoteRef{
    258. 

  258. 					Key:      secretKey,
    259. 

  259. 					Property: "foo.nested",
    260. 

  260. 				},
    261. 

  261. 			},
    262. 

  262. 		}
    263. 

  263. 	}
    264. 

  264. }
    265. 

  265. 

  266. // when no property is set it should extract the key/value pairs at the given path
    267. 

  267. // note: it should json-encode if a value contains nested data
    268. 

  268. func testDataFromJSONWithoutProperty(prov *vaultProvider) func(*framework.TestCase) {
    269. 

  269. 	return func(tc *framework.TestCase) {
    270. 

  270. 		prov.CreateTokenStore()
    271. 

  271. 		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
    272. 

  272. 		tc.Secrets = map[string]framework.SecretEntry{
    273. 

  273. 			secretKey: {Value: jsonVal},
    274. 

  274. 		}
    275. 

  275. 		tc.ExpectedSecret = &v1.Secret{
    276. 

  276. 			Type: v1.SecretTypeOpaque,
    277. 

  277. 			Data: map[string][]byte{
    278. 

  278. 				"foo": []byte(`{"nested":{"bar":"mysecret","baz":"bang"}}`),
    279. 

  279. 			},
    280. 

  280. 		}
    281. 

  281. 		tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
    282. 

  282. 			{
    283. 

  283. 				Extract: &esapi.ExternalSecretDataRemoteRef{
    284. 

  284. 					Key: secretKey,
    285. 

  285. 				},
    286. 

  286. 			},
    287. 

  287. 		}
    288. 

  288. 	}
    289. 

  289. }
    290. 

  290. 

  291. // when property is set it should extract values with dataFrom at the given path.
    292. 

  292. func testDataFromJSONWithProperty(prov *vaultProvider) func(*framework.TestCase) {
    293. 

  293. 	return func(tc *framework.TestCase) {
    294. 

  294. 		prov.CreateTokenStore()
    295. 

  295. 		secretKey := fmt.Sprintf("%s-%s", tc.Framework.Namespace.Name, "json")
    296. 

  296. 		tc.Secrets = map[string]framework.SecretEntry{
    297. 

  297. 			secretKey: {Value: jsonVal},
    298. 

  298. 		}
    299. 

  299. 		tc.ExpectedSecret = &v1.Secret{
    300. 

  300. 			Type: v1.SecretTypeOpaque,
    301. 

  301. 			Data: map[string][]byte{
    302. 

  302. 				"bar": []byte(`mysecret`),
    303. 

  303. 				"baz": []byte(`bang`),
    304. 

  304. 			},
    305. 

  305. 		}
    306. 

  306. 		tc.ExternalSecret.Spec.DataFrom = []esapi.ExternalSecretDataFromRemoteRef{
    307. 

  307. 			{
    308. 

  308. 				Extract: &esapi.ExternalSecretDataRemoteRef{
    309. 

  309. 					Key:      secretKey,
    310. 

  310. 					Property: "foo.nested",
    311. 

  311. 				},
    312. 

  312. 			},
    313. 

  313. 		}
    314. 

  314. 	}
    315. 

  315. }
    316. 

  316. 

  317. func testInvalidMtlsStore(prov *vaultProvider) func(*framework.TestCase) {
    318. 

  318. 	return func(tc *framework.TestCase) {
    319. 

  319. 		prov.CreateTokenStore(WithInvalidMTLS)
    320. 

  320. 		tc.ExternalSecret = nil
    321. 

  321. 		tc.ExpectedSecret = nil
    322. 

  322. 

  323. 		err := wait.PollUntilContextTimeout(GinkgoT().Context(), time.Second*10, time.Minute, true, func(ctx context.Context) (bool, error) {
    324. 

  324. 			var ss esapi.SecretStore
    325. 

  325. 			err := tc.Framework.CRClient.Get(ctx, types.NamespacedName{
    326. 

  326. 				Namespace: tc.Framework.Namespace.Name,
    327. 

  327. 				Name:      tc.Framework.Namespace.Name + invalidMtlSuffix,
    328. 

  328. 			}, &ss)
    329. 

  329. 			if apierrors.IsNotFound(err) {
    330. 

  330. 				return false, nil
    331. 

  331. 			}
    332. 

  332. 			if len(ss.Status.Conditions) == 0 {
    333. 

  333. 				return false, nil
    334. 

  334. 			}
    335. 

  335. 			Expect(string(ss.Status.Conditions[0].Type)).Should(Equal("Ready"))
    336. 

  336. 			Expect(string(ss.Status.Conditions[0].Status)).Should(Equal("False"))
    337. 

  337. 			Expect(ss.Status.Conditions[0].Reason).Should(Equal("InvalidProviderConfig"))
    338. 

  338. 			Expect(ss.Status.Conditions[0].Message).Should(ContainSubstring("unable to validate store"))
    339. 

  339. 			return true, nil
    340. 

  340. 		})
    341. 

  341. 		Expect(err).ToNot(HaveOccurred())
    342. 

  342. 	}
    343. 

  343. }
    344.