From 1c5d9df4f0e889e03830f5af3b4f244f11a5c94a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Tue, 31 Jan 2023 15:19:27 +0100
Subject: [PATCH] serviceAccountRef: validation tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Maƫl Valais
---
 .../certmanager/validation/issuer_test.go | 102 +++++++++++++++++-
 1 file changed, 101 insertions(+), 1 deletion(-)
diff --git a/internal/apis/certmanager/validation/issuer_test.go b/internal/apis/certmanager/validation/issuer_test.go
index 544f759ec..668b12954 100644
--- a/internal/apis/certmanager/validation/issuer_test.go
+++ b/internal/apis/certmanager/validation/issuer_test.go
@@ -70,7 +70,7 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 clock.RealClock{},
 ).CertBytes
- fldPath := field.NewPath("")
+ fldPath := field.NewPath("spec")
 scenarios := map[string]struct {
 spec *cmapi.VaultIssuer
 errs []*field.Error
 }{
@@ -86,6 +86,9 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 Name: "test-secret",
 },
 },
+ Auth: cmapi.VaultAuth{
+ TokenSecretRef: &validSecretKeyRef,
+ },
 },
 errs: []*field.Error{
 field.Invalid(fldPath.Child("caBundle"), "", "specified caBundle and caBundleSecretRef cannot be used together"),
@@ -100,6 +103,7 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 errs: []*field.Error{
 field.Required(fldPath.Child("server"), ""),
 field.Required(fldPath.Child("path"), ""),
+ field.Required(fldPath.Child("auth"), "please supply one of: appRole, kubernetes, tokenSecretRef"),
 },
 },
 "vault issuer with a CA bundle containing no valid certificates": {
@@ -107,6 +111,9 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 Server: "something",
 Path: "a/b/c",
 CABundle: []byte("invalid"),
+ Auth: cmapi.VaultAuth{
+ TokenSecretRef: &validSecretKeyRef,
+ },
 },
 errs: []*field.Error{
 field.Invalid(fldPath.Child("caBundle"), "", "cert bundle didn't contain any valid certificates"),
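Review bot: The `Auth: cmapi.VaultAuth{TokenSecretRef: &validSecretKeyRef}` added to the caBundle/caBundleSecretRef scenario in the @@ -86 hunk is not what that scenario tests; it is there so the validator's new requirement for spec.auth does not add a second error to the single-entry expected list. A one-line comment makes that intent explicit for the next person who trims the fixture, e.g. `// spec.auth is now required; a valid tokenSecretRef keeps this scenario focused on the caBundle error.` The same applies to the identical block added to the "CA bundle containing no valid certificates" scenario in the @@ -107 hunk. The scenario struct these sit in starts before the hunk.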
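Review bot: The new `field.Required(fldPath.Child("auth"), ...)` expectation in the @@ -100 hunk pins that an issuer with no auth block at all is rejected, but nothing on this page pins the neighbouring case where `auth` is present and the chosen method is empty, for example `Auth: cmapi.VaultAuth{TokenSecretRef: &cmmeta.SecretKeySelector{}}` with no secret name. Whether ValidateVaultIssuerConfig reports that as a Required error on `spec.auth.tokenSecretRef.name` is not visible here, so a scenario asserting one behaviour or the other would close the gap; an issuer that looks configured but carries no usable credential is exactly the misconfiguration admission-time validation exists to catch. Note also that the message text `please supply one of: appRole, kubernetes, tokenSecretRef` is compared verbatim if this test's loop uses reflect.DeepEqual like the sibling TestValidateVaultIssuerAuth loop on this page, so any rewording of the validator message breaks this scenario rather than a path check. The scenario's spec and the comparison loop are both outside the hunk.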
@@ -130,6 +137,99 @@ func TestValidateVaultIssuerConfig(t *testing.T) {
 }
 }
+func TestValidateVaultIssuerAuth(t *testing.T) {
+ fldPath := field.NewPath("spec.auth")
+ scenarios := map[string]struct {
+ auth *cmapi.VaultAuth
+ errs []*field.Error
+ }{
+ // For backwards compatibility, we allow the user to set all auth types.
+ // We have documented in the API the order of precedence.
+ "spec.auth accepts all three auth types for backwards compatibility": {
+ auth: &cmapi.VaultAuth{
+ AppRole: &cmapi.VaultAppRole{
+ RoleId: "role-id",
+ SecretRef: cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+ Key: "key",
+ },
+ Path: "path",
+ },
+ TokenSecretRef: &validSecretKeyRef,
+ Kubernetes: &cmapi.VaultKubernetesAuth{
+ Path: "path",
+ Role: "role",
+ ServiceAccountRef: &cmapi.ServiceAccountRef{
+ Name: "service-account",
+ },
+ },
+ },
+ },
+ "valid appRole": {
+ auth: &cmapi.VaultAuth{
+ AppRole: &cmapi.VaultAppRole{
+ RoleId: "role-id",
+ SecretRef: cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+ Key: "key",
+ },
+ Path: "path",
+ },
+ },
+ },
+ "valid spec.auth.kubernetes.secretRef: key, role and path can be left empty": {
+ auth: &cmapi.VaultAuth{
+ Kubernetes: &cmapi.VaultKubernetesAuth{
+ SecretRef: cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+ },
+ },
+ },
+ },
+ "valid spec.auth.kubernetes.serviceAccountRef": {
+ auth: &cmapi.VaultAuth{
+ Kubernetes: &cmapi.VaultKubernetesAuth{
+ Path: "path",
+ Role: "role",
+ ServiceAccountRef: &cmapi.ServiceAccountRef{
+ Name: "service-account",
+ },
+ },
+ },
+ },
+ "invalid spec.auth.kubernetes: secretRef and serviceAccountRef mutually exclusive": {
+ auth: &cmapi.VaultAuth{
+ Kubernetes: &cmapi.VaultKubernetesAuth{
+ SecretRef: cmmeta.SecretKeySelector{
+ LocalObjectReference: cmmeta.LocalObjectReference{Name: "secret"},
+ },
+ ServiceAccountRef: &cmapi.ServiceAccountRef{
+ Name: "service-account",
+ },
+ },
+ },
+ errs: []*field.Error{
+ field.Forbidden(fldPath.Child("kubernetes"), "please supply one of: secretRef, serviceAccountRef"),
+ },
+ },
+ }
+ for n, s := range scenarios {
+ t.Run(n, func(t *testing.T) {
+ errs := ValidateVaultIssuerAuth(s.auth, fldPath)
+ if len(errs) != len(s.errs) {
+ t.Errorf("Expected %v but got %v", s.errs, errs)
+ return
+ }
+ for i, e := range errs {
+ expectedErr := s.errs[i]
+ if !reflect.DeepEqual(e, expectedErr) {
+ t.Errorf("Expected %v but got %v", expectedErr, e)
+ }
+ }
+ })
+ }
+}
+
 func TestValidateACMEIssuerConfig(t *testing.T) {
 fldPath := field.NewPath("")