serviceAccountRef: validation tests

Signed-off-by: Maël Valais <mael@vls.dev>
2023-01-31 15:19:27 +01:00 · 2023-01-31 15:19:27 +01:00 · 1c5d9df4f0
commit 1c5d9df4f0
parent d54f18d0c0
1 changed files with 101 additions and 1 deletions
--- a/internal/apis/certmanager/validation/issuer_test.go
+++ b/internal/apis/certmanager/validation/issuer_test.go
@ -70,7 +70,7 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 		clock.RealClock{},
 	).CertBytes

-	fldPath := field.NewPath("")
+	fldPath := field.NewPath("spec")
 	scenarios := map[string]struct {
 		spec *cmapi.VaultIssuer
 		errs []*field.Error
@ -86,6 +86,9 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 						Name: "test-secret",
 					},
 				},
+				Auth: cmapi.VaultAuth{
+					TokenSecretRef: &validSecretKeyRef,
+				},
 			},
 			errs: []*field.Error{
 				field.Invalid(fldPath.Child("caBundle"), "<snip>", "specified caBundle and caBundleSecretRef cannot be used together"),
@ -100,6 +103,7 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 			errs: []*field.Error{
 				field.Required(fldPath.Child("server"), ""),
 				field.Required(fldPath.Child("path"), ""),
+				field.Required(fldPath.Child("auth"), "please supply one of: appRole, kubernetes, tokenSecretRef"),
 			},
 		},
 		"vault issuer with a CA bundle containing no valid certificates": {
@ -107,6 +111,9 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 				Server:   "something",
 				Path:     "a/b/c",
 				CABundle: []byte("invalid"),
+				Auth: cmapi.VaultAuth{
+					TokenSecretRef: &validSecretKeyRef,
+				},
 			},
 			errs: []*field.Error{
 				field.Invalid(fldPath.Child("caBundle"), "<snip>", "cert bundle didn't contain any valid certificates"),
@ -130,6 +137,99 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 	}
 }

+func TestValidateVaultIssuerAuth(t *testing.T) {
+	fldPath := field.NewPath("spec.auth")
+	scenarios := map[string]struct {
+		auth *cmapi.VaultAuth
+		errs []*field.Error
+	}{
+		// For backwards compatibility, we allow the user to set all auth types.
+		// We have documented in the API the order of precedence.
+		"spec.auth accepts all three auth types for backwards compatibility": {
+			auth: &cmapi.VaultAuth{
+				AppRole: &cmapi.VaultAppRole{
+					RoleId: "role-id",
+					SecretRef: cmmeta.SecretKeySelector{
+						LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+						Key:                  "key",
+					},
+					Path: "path",
+				},
+				TokenSecretRef: &validSecretKeyRef,
+				Kubernetes: &cmapi.VaultKubernetesAuth{
+					Path: "path",
+					Role: "role",
+					ServiceAccountRef: &cmapi.ServiceAccountRef{
+						Name: "service-account",
+					},
+				},
+			},
+		},
+		"valid appRole": {
+			auth: &cmapi.VaultAuth{
+				AppRole: &cmapi.VaultAppRole{
+					RoleId: "role-id",
+					SecretRef: cmmeta.SecretKeySelector{
+						LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+						Key:                  "key",
+					},
+					Path: "path",
+				},
+			},
+		},
+		"valid spec.auth.kubernetes.secretRef: key, role and path can be left empty": {
+			auth: &cmapi.VaultAuth{
+				Kubernetes: &cmapi.VaultKubernetesAuth{
+					SecretRef: cmmeta.SecretKeySelector{
+						LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+					},
+				},
+			},
+		},
+		"valid spec.auth.kubernetes.serviceAccountRef": {
+			auth: &cmapi.VaultAuth{
+				Kubernetes: &cmapi.VaultKubernetesAuth{
+					Path: "path",
+					Role: "role",
+					ServiceAccountRef: &cmapi.ServiceAccountRef{
+						Name: "service-account",
+					},
+				},
+			},
+		},
+		"invalid spec.auth.kubernetes: secretRef and serviceAccountRef mutually exclusive": {
+			auth: &cmapi.VaultAuth{
+				Kubernetes: &cmapi.VaultKubernetesAuth{
+					SecretRef: cmmeta.SecretKeySelector{
+						LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+					},
+					ServiceAccountRef: &cmapi.ServiceAccountRef{
+						Name: "service-account",
+					},
+				},
+			},
+			errs: []*field.Error{
+				field.Forbidden(fldPath.Child("kubernetes"), "please supply one of: secretRef, serviceAccountRef"),
+			},
+		},
+	}
+	for n, s := range scenarios {
+		t.Run(n, func(t *testing.T) {
+			errs := ValidateVaultIssuerAuth(s.auth, fldPath)
+			if len(errs) != len(s.errs) {
+				t.Errorf("Expected %v but got %v", s.errs, errs)
+				return
+			}
+			for i, e := range errs {
+				expectedErr := s.errs[i]
+				if !reflect.DeepEqual(e, expectedErr) {
+					t.Errorf("Expected %v but got %v", expectedErr, e)
+				}
+			}
+		})
+	}
+}
+
 func TestValidateACMEIssuerConfig(t *testing.T) {
 	fldPath := field.NewPath("")