Add API validation for Venafi Issuer config
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
parent
0b113c6861
commit
885755630c
@ -216,9 +216,39 @@ func ValidateVaultIssuerConfig(iss *certmanager.VaultIssuer, fldPath *field.Path
|
||||
// TODO: add validation for Vault authentication types
|
||||
}
|
||||
|
||||
func ValidateVenafiIssuerConfig(iss *certmanager.VenafiIssuer, fldPath *field.Path) field.ErrorList {
|
||||
//TODO: make extended validation fro fake\tpp\cloud modes
|
||||
return nil
|
||||
func ValidateVenafiTPP(tpp *certmanager.VenafiTPP, fldPath *field.Path) (el field.ErrorList) {
|
||||
if tpp.URL == "" {
|
||||
el = append(el, field.Required(fldPath.Child("url"), ""))
|
||||
}
|
||||
return el
|
||||
}
|
||||
|
||||
func ValidateVenafiCloud(c *certmanager.VenafiCloud, fldPath *field.Path) (el field.ErrorList) {
|
||||
return el
|
||||
}
|
||||
|
||||
func ValidateVenafiIssuerConfig(iss *certmanager.VenafiIssuer, fldPath *field.Path) (el field.ErrorList) {
|
||||
if iss.Zone == "" {
|
||||
el = append(el, field.Required(fldPath.Child("zone"), ""))
|
||||
}
|
||||
unionCount := 0
|
||||
if iss.TPP != nil {
|
||||
unionCount++
|
||||
el = append(el, ValidateVenafiTPP(iss.TPP, fldPath.Child("tpp"))...)
|
||||
}
|
||||
if iss.Cloud != nil {
|
||||
unionCount++
|
||||
el = append(el, ValidateVenafiCloud(iss.Cloud, fldPath.Child("cloud"))...)
|
||||
}
|
||||
|
||||
if unionCount == 0 {
|
||||
el = append(el, field.Required(fldPath, "please supply one of: tpp, cloud"))
|
||||
}
|
||||
if unionCount > 1 {
|
||||
el = append(el, field.Forbidden(fldPath, "please supply one of: tpp, cloud"))
|
||||
}
|
||||
|
||||
return el
|
||||
}
|
||||
|
||||
// This list must be kept in sync with pkg/issuer/acme/dns/rfc2136/rfc2136.go
|
||||
|
||||
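Review bot: `ValidateVenafiTPP` accepts any non-empty `url`, so a value that does not parse, has no host, or uses plain `http://` passes API validation and only fails when the issuer later tries to reach the TPP server. Since this URL is the endpoint the issuer authenticates to, I would reject such values at admission by extending the check: `} else if u, err := url.Parse(tpp.URL); err != nil || u.Host == "" || u.Scheme != "https" {` followed by `el = append(el, field.Invalid(fldPath.Child("url"), tpp.URL, "must be an absolute https URL"))`. This needs `net/url`, and the file's import block is not visible in this hunk; if plain-HTTP endpoints have to stay supported, drop the scheme test and keep the parse and host checks. `ValidateVenafiCloud` is an empty stub, so a short `// TODO` naming the fields it is expected to check would make that explicit.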
@ -965,3 +965,101 @@ func TestValidateSecretKeySelector(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateVenafiIssuerConfig(t *testing.T) {
|
||||
fldPath := field.NewPath("test")
|
||||
scenarios := map[string]struct {
|
||||
cfg *cmapi.VenafiIssuer
|
||||
errs []*field.Error
|
||||
}{
|
||||
"valid": {
|
||||
cfg: &cmapi.VenafiIssuer{
|
||||
Zone: "a\\b\\c",
|
||||
TPP: &cmapi.VenafiTPP{
|
||||
URL: "https://tpp.example.com/vedsdk",
|
||||
},
|
||||
},
|
||||
},
|
||||
"missing zone": {
|
||||
cfg: &cmapi.VenafiIssuer{
|
||||
Zone: "",
|
||||
TPP: &cmapi.VenafiTPP{
|
||||
URL: "https://tpp.example.com/vedsdk",
|
||||
},
|
||||
},
|
||||
errs: []*field.Error{
|
||||
field.Required(fldPath.Child("zone"), ""),
|
||||
},
|
||||
},
|
||||
"missing configuration": {
|
||||
cfg: &cmapi.VenafiIssuer{
|
||||
Zone: "a\\b\\c",
|
||||
},
|
||||
errs: []*field.Error{
|
||||
field.Required(fldPath, "please supply one of: tpp, cloud"),
|
||||
},
|
||||
},
|
||||
"multiple configuration": {
|
||||
cfg: &cmapi.VenafiIssuer{
|
||||
Zone: "a\\b\\c",
|
||||
TPP: &cmapi.VenafiTPP{
|
||||
URL: "https://tpp.example.com/vedsdk",
|
||||
},
|
||||
Cloud: &cmapi.VenafiCloud{},
|
||||
},
|
||||
errs: []*field.Error{
|
||||
field.Forbidden(fldPath, "please supply one of: tpp, cloud"),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for n, s := range scenarios {
|
||||
t.Run(n, func(t *testing.T) {
|
||||
errs := ValidateVenafiIssuerConfig(s.cfg, fldPath)
|
||||
if len(errs) != len(s.errs) {
|
||||
t.Fatalf("Expected %v but got %v", s.errs, errs)
|
||||
}
|
||||
for i, e := range errs {
|
||||
expectedErr := s.errs[i]
|
||||
if !reflect.DeepEqual(e, expectedErr) {
|
||||
t.Errorf("Expected %v but got %v", expectedErr, e)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateVenafiTPP(t *testing.T) {
|
||||
fldPath := field.NewPath("test")
|
||||
scenarios := map[string]struct {
|
||||
cfg *cmapi.VenafiTPP
|
||||
errs []*field.Error
|
||||
}{
|
||||
"valid": {
|
||||
cfg: &cmapi.VenafiTPP{
|
||||
URL: "https://tpp.example.com/vedsdk",
|
||||
},
|
||||
},
|
||||
"missing url": {
|
||||
cfg: &cmapi.VenafiTPP{},
|
||||
errs: []*field.Error{
|
||||
field.Required(fldPath.Child("url"), ""),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for n, s := range scenarios {
|
||||
t.Run(n, func(t *testing.T) {
|
||||
errs := ValidateVenafiTPP(s.cfg, fldPath)
|
||||
if len(errs) != len(s.errs) {
|
||||
t.Fatalf("Expected %v but got %v", s.errs, errs)
|
||||
}
|
||||
for i, e := range errs {
|
||||
expectedErr := s.errs[i]
|
||||
if !reflect.DeepEqual(e, expectedErr) {
|
||||
t.Errorf("Expected %v but got %v", expectedErr, e)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
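Review bot: The `TestValidateVenafiIssuerConfig` table never sets `TPP` with an empty `URL`, so nothing checks that errors from `ValidateVenafiTPP` reach the issuer's error list under the `tpp` child path. A regression that dropped the nested call or passed the wrong path would still pass. I would add the scenario below, plus one that triggers two errors at once (empty zone and neither tpp nor cloud) to pin the ordering that the index-based comparison relies on. `ValidateVenafiCloud` has no test at all, which is acceptable while it is a stub but should change with its first real check.

```go
// … unchanged: existing scenarios …
"missing tpp url": {
	cfg: &cmapi.VenafiIssuer{
		Zone: "a\\b\\c",
		TPP:  &cmapi.VenafiTPP{},
	},
	errs: []*field.Error{
		field.Required(fldPath.Child("tpp").Child("url"), ""),
	},
},
```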
@ -142,7 +142,8 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
// API validation in webhook and in the ClusterIssuer and Issuer controller
|
||||
// Sync functions should make this unreachable in production.
|
||||
return nil, fmt.Errorf("neither Venafi Cloud or TPP configuration found")
|
||||
}
|
||||
|
||||
|
||||