diff --git a/pkg/internal/apis/certmanager/validation/issuer.go b/pkg/internal/apis/certmanager/validation/issuer.go
index 8a75a30c7..ef817e300 100644
--- a/pkg/internal/apis/certmanager/validation/issuer.go
+++ b/pkg/internal/apis/certmanager/validation/issuer.go
@@ -216,9 +216,39 @@ func ValidateVaultIssuerConfig(iss *certmanager.VaultIssuer, fldPath *field.Path
 	// TODO: add validation for Vault authentication types
 }
 
-func ValidateVenafiIssuerConfig(iss *certmanager.VenafiIssuer, fldPath *field.Path) field.ErrorList {
-	//TODO: make extended validation fro fake\tpp\cloud modes
-	return nil
+func ValidateVenafiTPP(tpp *certmanager.VenafiTPP, fldPath *field.Path) (el field.ErrorList) {
+	if tpp.URL == "" {
+		el = append(el, field.Required(fldPath.Child("url"), ""))
+	}
+	return el
+}
+
+func ValidateVenafiCloud(c *certmanager.VenafiCloud, fldPath *field.Path) (el field.ErrorList) {
+	return el
+}
+
+func ValidateVenafiIssuerConfig(iss *certmanager.VenafiIssuer, fldPath *field.Path) (el field.ErrorList) {
+	if iss.Zone == "" {
+		el = append(el, field.Required(fldPath.Child("zone"), ""))
+	}
+	unionCount := 0
+	if iss.TPP != nil {
+		unionCount++
+		el = append(el, ValidateVenafiTPP(iss.TPP, fldPath.Child("tpp"))...)
+	}
+	if iss.Cloud != nil {
+		unionCount++
+		el = append(el, ValidateVenafiCloud(iss.Cloud, fldPath.Child("cloud"))...)
+	}
+
+	if unionCount == 0 {
+		el = append(el, field.Required(fldPath, "please supply one of: tpp, cloud"))
+	}
+	if unionCount > 1 {
+		el = append(el, field.Forbidden(fldPath, "please supply one of: tpp, cloud"))
+	}
+
+	return el
 }
 
 // This list must be kept in sync with pkg/issuer/acme/dns/rfc2136/rfc2136.go
diff --git a/pkg/internal/apis/certmanager/validation/issuer_test.go b/pkg/internal/apis/certmanager/validation/issuer_test.go
index d2b4c0f17..8d0b9c828 100644
--- a/pkg/internal/apis/certmanager/validation/issuer_test.go
+++ b/pkg/internal/apis/certmanager/validation/issuer_test.go
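Review bot: `ValidateVenafiTPP` accepts any non-empty string as `url`, so a value with no scheme or host, or a plain `http://` endpoint, passes admission and only fails later when the client connects — and whatever TPP credentials the issuer carries (not visible in this hunk) would then be sent to that endpoint, in cleartext if the scheme is `http`. Parse the value with `net/url` at validation time and reject anything that is not an absolute URL, preferably requiring `https`; if `http` must stay allowed for lab setups, relax the scheme test to `u.Scheme != "http" && u.Scheme != "https"` rather than dropping it. `ValidateVenafiCloud` returns nothing, so `cloud: {}` is accepted; if the Cloud struct carries an API-key secret reference, its presence should be required the same way `url` is. The `Required`/`Forbidden` union errors are appended on top of any per-branch errors, which is fine but worth a one-line comment, e.g. `// exactly one of tpp/cloud must be set; branch-specific errors are reported alongside.`
```go
func ValidateVenafiTPP(tpp *certmanager.VenafiTPP, fldPath *field.Path) (el field.ErrorList) {
	if tpp.URL == "" {
		el = append(el, field.Required(fldPath.Child("url"), ""))
		return el
	}
	// TPP credentials are sent to this endpoint: refuse anything that is not an absolute https URL.
	if u, err := url.Parse(tpp.URL); err != nil || u.Scheme != "https" || u.Host == "" {
		el = append(el, field.Invalid(fldPath.Child("url"), tpp.URL, "must be an absolute https:// URL"))
	}
	return el
}
```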
@@ -965,3 +965,101 @@ func TestValidateSecretKeySelector(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateVenafiIssuerConfig(t *testing.T) {
+	fldPath := field.NewPath("test")
+	scenarios := map[string]struct {
+		cfg *cmapi.VenafiIssuer
+		errs []*field.Error
+	}{
+		"valid": {
+			cfg: &cmapi.VenafiIssuer{
+				Zone: "a\\b\\c",
+				TPP: &cmapi.VenafiTPP{
+					URL: "https://tpp.example.com/vedsdk",
+				},
+			},
+		},
+		"missing zone": {
+			cfg: &cmapi.VenafiIssuer{
+				Zone: "",
+				TPP: &cmapi.VenafiTPP{
+					URL: "https://tpp.example.com/vedsdk",
+				},
+			},
+			errs: []*field.Error{
+				field.Required(fldPath.Child("zone"), ""),
+			},
+		},
+		"missing configuration": {
+			cfg: &cmapi.VenafiIssuer{
+				Zone: "a\\b\\c",
+			},
+			errs: []*field.Error{
+				field.Required(fldPath, "please supply one of: tpp, cloud"),
+			},
+		},
+		"multiple configuration": {
+			cfg: &cmapi.VenafiIssuer{
+				Zone: "a\\b\\c",
+				TPP: &cmapi.VenafiTPP{
+					URL: "https://tpp.example.com/vedsdk",
+				},
+				Cloud: &cmapi.VenafiCloud{},
+			},
+			errs: []*field.Error{
+				field.Forbidden(fldPath, "please supply one of: tpp, cloud"),
+			},
+		},
+	}
+
+	for n, s := range scenarios {
+		t.Run(n, func(t *testing.T) {
+			errs := ValidateVenafiIssuerConfig(s.cfg, fldPath)
+			if len(errs) != len(s.errs) {
+				t.Fatalf("Expected %v but got %v", s.errs, errs)
+			}
+			for i, e := range errs {
+				expectedErr := s.errs[i]
+				if !reflect.DeepEqual(e, expectedErr) {
+					t.Errorf("Expected %v but got %v", expectedErr, e)
+				}
+			}
+		})
+	}
+}
+
+func TestValidateVenafiTPP(t *testing.T) {
+	fldPath := field.NewPath("test")
+	scenarios := map[string]struct {
+		cfg *cmapi.VenafiTPP
+		errs []*field.Error
+	}{
+		"valid": {
+			cfg: &cmapi.VenafiTPP{
+				URL: "https://tpp.example.com/vedsdk",
+			},
+		},
+		"missing url": {
+			cfg: &cmapi.VenafiTPP{},
+			errs: []*field.Error{
+				field.Required(fldPath.Child("url"), ""),
+			},
+		},
+	}
+
+	for n, s := range scenarios {
+		t.Run(n, func(t *testing.T) {
+			errs := ValidateVenafiTPP(s.cfg, fldPath)
+			if len(errs) != len(s.errs) {
+				t.Fatalf("Expected %v but got %v", s.errs, errs)
+			}
+			for i, e := range errs {
+				expectedErr := s.errs[i]
+				if !reflect.DeepEqual(e, expectedErr) {
+					t.Errorf("Expected %v but got %v", expectedErr, e)
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/issuer/venafi/client/venaficlient.go b/pkg/issuer/venafi/client/venaficlient.go
index c454550c7..1c7d9742c 100644
--- a/pkg/issuer/venafi/client/venaficlient.go
+++ b/pkg/issuer/venafi/client/venaficlient.go
@@ -142,7 +142,8 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
 			},
 		}, nil
 	}
-
+	// API validation in webhook and in the ClusterIssuer and Issuer controller
+	// Sync functions should make this unreachable in production.
 	return nil, fmt.Errorf("neither Venafi Cloud or TPP configuration found")
 }
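Review bot: Neither new test has a Cloud-only scenario, so the one branch of `ValidateVenafiIssuerConfig` whose validator (`ValidateVenafiCloud`) currently checks nothing is also the one branch never exercised; add `"cloud only": {cfg: &cmapi.VenafiIssuer{Zone: "a\\b\\c", Cloud: &cmapi.VenafiCloud{}}}` with no expected errors so that any later tightening of the Cloud checks is pinned by a test. `TestValidateVenafiTPP` only distinguishes empty from non-empty, so it would not notice a malformed or non-https `url` being accepted; a `"not a url": {cfg: &cmapi.VenafiTPP{URL: "tpp.example.com"}}` scenario documents whichever policy is chosen. The scenario loops in both tests are identical line for line; a small helper such as `func assertErrs(t *testing.T, got, want field.ErrorList)` would remove the duplication and make the next validator's test a few lines.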