From daa3b16eda44fc6c9430cbfab121e38a49bfcd71 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 13 Oct 2020 15:58:40 +0100
Subject: [PATCH] Use an access-token if it is supplied in the Issuer Secret

Signed-off-by: Richard Wall
---
 pkg/issuer/venafi/client/venaficlient.go      | 11 +++++++----
 pkg/issuer/venafi/client/venaficlient_test.go | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/pkg/issuer/venafi/client/venaficlient.go b/pkg/issuer/venafi/client/venaficlient.go
index 8d5c311e3..c454550c7 100644
--- a/pkg/issuer/venafi/client/venaficlient.go
+++ b/pkg/issuer/venafi/client/venaficlient.go
@@ -30,8 +30,9 @@ import (
 )
 
 const (
-	tppUsernameKey = "username"
-	tppPasswordKey = "password"
+	tppUsernameKey    = "username"
+	tppPasswordKey    = "password"
+	tppAccessTokenKey = "access-token"
 
 	defaultAPIKeyKey = "api-key"
 )
@@ -101,6 +102,7 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
 
 		username := string(tppSecret.Data[tppUsernameKey])
 		password := string(tppSecret.Data[tppPasswordKey])
+		accessToken := string(tppSecret.Data[tppAccessTokenKey])
 		caBundle := string(tpp.CABundle)
 
 		return &vcert.Config{
@@ -111,8 +113,9 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister corelisters.SecretLi
 			LogVerbose:      true,
 			ConnectionTrust: caBundle,
 			Credentials: &endpoint.Authentication{
-				User:     username,
-				Password: password,
+				User:        username,
+				Password:    password,
+				AccessToken: accessToken,
 			},
 		}, nil
 	case venCfg.Cloud != nil:
diff --git a/pkg/issuer/venafi/client/venaficlient_test.go b/pkg/issuer/venafi/client/venaficlient_test.go
index 189834631..e55947eb3 100644
--- a/pkg/issuer/venafi/client/venaficlient_test.go
+++ b/pkg/issuer/venafi/client/venaficlient_test.go
@@ -64,6 +64,7 @@ func TestConfigForIssuerT(t *testing.T) {
 	zone := "test-zone"
 	username := "test-username"
 	password := "test-password"
+	accessToken := "KT2EEVTIjWM/37L78dqJAg=="
 	apiKey := "test-api-key"
 	customKey := "test-custom-key"
 
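Review bot: After `accessToken := string(tppSecret.Data[tppAccessTokenKey])` in the @@ -101 hunk, a Secret that carries none of the three keys (or an access-token key with an empty value) still yields a vcert.Config whose Authentication has empty User, Password and AccessToken, so the misconfiguration only surfaces later as an opaque authentication failure against the TPP endpoint. A guard before the return, `if accessToken == "" && (username == "" || password == "") { return nil, fmt.Errorf("venafi TPP credentials secret must contain %q or both %q and %q", tppAccessTokenKey, tppUsernameKey, tppPasswordKey) }` (errors.New if fmt is not imported in this file), reports the problem at issuer setup and names the expected keys. Nothing on the page states which credential vcert prefers when both an access-token and a username/password are present; a comment on the new constant such as `// tppAccessTokenKey holds a TPP access token; which credential wins when username/password are also set is decided by vcert — confirm before documenting` would record that open point. `LogVerbose: true` sits on the same config in the @@ -111 hunk, so it is worth confirming that vcert's verbose logging does not echo the Authentication struct now that it carries a bearer token. configForIssuer starts and ends outside these hunks.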
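Review bot: The fixture `accessToken := "KT2EEVTIjWM/37L78dqJAg=="` in the @@ -64 hunk is the only credential literal in this block that reads like a real token rather than an obviously synthetic value, so it will trip secret scanners and leaves a reader unsure whether it was copied from a live environment. `accessToken := "test-access-token"` matches the neighbouring `test-username` / `test-password` fixtures and exercises the same path, since nothing in the change parses the token format. TestConfigForIssuerT continues outside the hunk.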
@@ -127,6 +128,21 @@ func TestConfigForIssuerT(t *testing.T) {
 			},
 			expectedErr: false,
 		},
+		"if TPP and secret returns access-token, should return config with those credentials": {
+			iss: tppIssuer,
+			secretsLister: generateSecretLister(&corev1.Secret{
+				Data: map[string][]byte{
+					tppAccessTokenKey: []byte(accessToken),
+				},
+			}, nil),
+			CheckFn: func(t *testing.T, cnf *vcert.Config) {
+				if actualAccessToken := cnf.Credentials.AccessToken; actualAccessToken != accessToken {
+					t.Errorf("got unexpected accessToken: %q", actualAccessToken)
+				}
+				checkZone(t, zone, cnf)
+			},
+			expectedErr: false,
+		},
 		"if Cloud but getting secret fails, should error": {
 			iss:           cloudIssuer,
 			secretsLister: generateSecretLister(nil, errors.New("this is a network error")),
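Review bot: The new case in the @@ -127 hunk only covers a Secret holding the access-token key alone, so it pins neither that User and Password come back empty in that situation nor which credential is carried when username, password and access-token are all present — the two behaviours an operator migrating between auth methods would rely on. Adding `if cnf.Credentials.User != "" || cnf.Credentials.Password != "" { t.Errorf("expected empty user/password, got %q/%q", cnf.Credentials.User, cnf.Credentials.Password) }` inside CheckFn, plus a sibling case that supplies all three keys and asserts the resulting Authentication fields, would lock that down. The enclosing tests map and TestConfigForIssuerT start and end outside the hunk.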