Use an access-token if it is supplied in the Issuer Secret

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2020-10-13 15:58:40 +01:00 · 2020-10-13 15:58:40 +01:00 · daa3b16eda
commit daa3b16eda
parent f2ce195344
2 changed files with 23 additions and 4 deletions
--- a/pkg/issuer/venafi/client/venaficlient.go
+++ b/pkg/issuer/venafi/client/venaficlient.go
@ -30,8 +30,9 @@ import (
 )

 const (
-	tppUsernameKey = "username"
-	tppPasswordKey = "password"
+	tppUsernameKey    = "username"
+	tppPasswordKey    = "password"
+	tppAccessTokenKey = "access-token"

 	defaultAPIKeyKey = "api-key"
 )
@ -101,6 +102,7 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi

 		username := string(tppSecret.Data[tppUsernameKey])
 		password := string(tppSecret.Data[tppPasswordKey])
+		accessToken := string(tppSecret.Data[tppAccessTokenKey])
 		caBundle := string(tpp.CABundle)

 		return &vcert.Config{
@ -111,8 +113,9 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
 			LogVerbose:      true,
 			ConnectionTrust: caBundle,
 			Credentials: &endpoint.Authentication{
-				User:     username,
-				Password: password,
+				User:        username,
+				Password:    password,
+				AccessToken: accessToken,
 			},
 		}, nil
 	case venCfg.Cloud != nil:
--- a/pkg/issuer/venafi/client/venaficlient_test.go
+++ b/pkg/issuer/venafi/client/venaficlient_test.go
@ -64,6 +64,7 @@ func TestConfigForIssuerT(t *testing.T) {
 	zone := "test-zone"
 	username := "test-username"
 	password := "test-password"
+	accessToken := "KT2EEVTIjWM/37L78dqJAg=="
 	apiKey := "test-api-key"
 	customKey := "test-custom-key"

@ -127,6 +128,21 @@ func TestConfigForIssuerT(t *testing.T) {
 			},
 			expectedErr: false,
 		},
+		"if TPP and secret returns access-token, should return config with those credentials": {
+			iss: tppIssuer,
+			secretsLister: generateSecretLister(&corev1.Secret{
+				Data: map[string][]byte{
+					tppAccessTokenKey: []byte(accessToken),
+				},
+			}, nil),
+			CheckFn: func(t *testing.T, cnf *vcert.Config) {
+				if actualAccessToken := cnf.Credentials.AccessToken; actualAccessToken != accessToken {
+					t.Errorf("got unexpected accessToken: %q", actualAccessToken)
+				}
+				checkZone(t, zone, cnf)
+			},
+			expectedErr: false,
+		},
 		"if Cloud but getting secret fails, should error": {
 			iss:           cloudIssuer,
 			secretsLister: generateSecretLister(nil, errors.New("this is a network error")),