diff --git a/pkg/corerp/api/v20231001preview/secretstore_conversion_test.go b/pkg/corerp/api/v20231001preview/secretstore_conversion_test.go
index e1024ac0869..60357c59488 100644
--- a/pkg/corerp/api/v20231001preview/secretstore_conversion_test.go
+++ b/pkg/corerp/api/v20231001preview/secretstore_conversion_test.go
@@ -159,3 +159,49 @@ func TestSecretStoreConvertFromValidation(t *testing.T) {
 require.ErrorAs(t, tc.err, &err)
 }
 }
+
+func TestSecretStorefromSecretStoreDataTypeDataModel(t *testing.T) {
+ tests := []struct {
+ name string
+ input datamodel.SecretType
+ expected *SecretStoreDataType
+ }{
+ {
+ name: "Generic Secret Type",
+ input: datamodel.SecretTypeGeneric,
+ expected: to.Ptr(SecretStoreDataTypeGeneric),
+ },
+ {
+ name: "Certificate Secret Type",
+ input: datamodel.SecretTypeCert,
+ expected: to.Ptr(SecretStoreDataTypeCertificate),
+ },
+ {
+ name: "Basic Authentication Secret Type",
+ input: datamodel.SecretTypeBasicAuthentication,
+ expected: to.Ptr(SecretStoreDataTypeBasicAuthentication),
+ },
+ {
+ name: "Azure Workload Identity Secret Type",
+ input: datamodel.SecretTypeAzureWorkloadIdentity,
+ expected: to.Ptr(SecretStoreDataTypeAzureWorkloadIdentity),
+ },
+ {
+ name: "AWS IRSA Secret Type",
+ input: datamodel.SecretTypeAWSIRSA,
+ expected: to.Ptr(SecretStoreDataTypeAwsIRSA),
+ },
+ {
+ name: "None Secret Type",
+ input: datamodel.SecretTypeNone,
+ expected: nil,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ result := fromSecretStoreDataTypeDataModel(tt.input)
+ require.Equal(t, tt.expected, result)
+ })
+ }
+}
diff --git a/pkg/corerp/frontend/controller/secretstores/kubernetes.go b/pkg/corerp/frontend/controller/secretstores/kubernetes.go
index fff7c01bbe0..62296b5ec63 100644
--- a/pkg/corerp/frontend/controller/secretstores/kubernetes.go
+++ b/pkg/corerp/frontend/controller/secretstores/kubernetes.go
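Review bot: The table in TestSecretStorefromSecretStoreDataTypeDataModel pins every named SecretType but no unrecognized value, so the nil result that the `None Secret Type` case relies on is only exercised for one input; if fromSecretStoreDataTypeDataModel returns nil for anything outside its known values (its body is not in this diff, so this is inferred from the None case), a row such as `{name: "Unknown Secret Type", input: datamodel.SecretType("unknown"), expected: nil}` would pin that fallback explicitly. The test name has a lowercase `from` in the middle; `TestSecretStoreFromSecretStoreDataTypeDataModel` matches the casing of the neighbouring `TestSecretStoreConvertFromValidation`.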
@@ -78,17 +78,17 @@ func getOrDefaultEncoding(t datamodel.SecretType, e datamodel.SecretValueEncodin
 return e, err
 }
-// Define a map of required keys for each SecretType
-var requiredKeys = map[datamodel.SecretType][]string{
- datamodel.SecretTypeBasicAuthentication: {RequiredUsername, RequiredPassword},
- datamodel.SecretTypeAzureWorkloadIdentity: {RequiredClientId, RequiredTenantId},
- datamodel.SecretTypeAWSIRSA: {RequiredRoleARN},
-}
-
 // ValidateAndMutateRequest checks the type and encoding of the secret store, and ensures that the secret store data is
 // valid and required keys are present for the secret type. If any of these checks fail, a BadRequestResponse is returned.
 func ValidateAndMutateRequest(ctx context.Context, newResource *datamodel.SecretStore, oldResource *datamodel.SecretStore, options *controller.Options) (rest.Response, error) {
+ // Define a map of required keys for each SecretType
+ var requiredKeys = map[datamodel.SecretType][]string{
+ datamodel.SecretTypeBasicAuthentication: {UsernameKey, PasswordKey},
+ datamodel.SecretTypeAzureWorkloadIdentity: {ClientIdKey, TenantIdKey},
+ datamodel.SecretTypeAWSIRSA: {RoleARNKey},
+ }
 var err error
+
 newResource.Properties.Type, err = getOrDefaultType(newResource.Properties.Type)
 if err != nil {
 return rest.NewBadRequestResponse(err.Error()), nil
diff --git a/pkg/corerp/frontend/controller/secretstores/types.go b/pkg/corerp/frontend/controller/secretstores/types.go
index a4375f84204..34e61ffad87 100644
--- a/pkg/corerp/frontend/controller/secretstores/types.go
+++ b/pkg/corerp/frontend/controller/secretstores/types.go
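Review bot: The `var requiredKeys = map[...]{...}` declaration now sits inside ValidateAndMutateRequest but keeps the package-level `var x = ...` form; for a local, the short declaration `requiredKeys := map[datamodel.SecretType][]string{` is the idiom and makes its new scope obvious. Since the table was previously a package-level read-only map and is now rebuilt on every request, the comment above it should say why that is deliberate rather than restate the code, for example `// Required keys per SecretType; kept function-local so no caller can mutate the shared table between requests.` (adjust if the motivation was something else). ValidateAndMutateRequest's body, including the check that consumes requiredKeys, continues past the end of the hunk.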
@@ -20,10 +20,18 @@ const (
 // ResourceTypeName is the resource type name for secret stores.
 ResourceTypeName = "Applications.Core/secretStores"
- // The following are possible required keys in a SecretStore depending on it's SecretType
- RequiredUsername = "username"
- RequiredPassword = "password"
- RequiredClientId = "clientId"
- RequiredTenantId = "tenantId"
- RequiredRoleARN = "roleARN"
+ // UsernameKey is a required key in a secret store when SecretType is Basic Authentication.
+ UsernameKey = "username"
+
+ // PasswordKey is a required key in a secret store when SecretType is Basic Authentication.
+ PasswordKey = "password"
+
+ // ClientIdKey is a required key in a secret store when SecretType is Azure Workload Identity.
+ ClientIdKey = "clientId"
+
+ // TenantIdKey is a required key in a secret store when SecretType is Azure workload Identity.
+ TenantIdKey = "tenantId"
+
+ // RoleARNKey is a required key in a secret store when SecretType is AWS IRSA.
+ RoleARNKey = "roleARN"
 )
diff --git a/typespec/Applications.Core/secretstores.tsp b/typespec/Applications.Core/secretstores.tsp
index f1e4e173dc1..d3837bc9ce0 100644
--- a/typespec/Applications.Core/secretstores.tsp
+++ b/typespec/Applications.Core/secretstores.tsp
@@ -75,7 +75,7 @@ enum SecretStoreDataType {
 @doc("azureWorkloadIdentity type is used to represent registry authentication using azure federated identity and the secretstore resource is expected to have the keys 'clientId' and 'tenantId'.")
 azureWorkloadIdentity,
- @doc("awsIRSA type is used to represent registry authentication using AWS IRSA(IAM Roles for Service accounts) and the secretstore resource is expected to have the keys 'roleARN'.")
+ @doc("awsIRSA type is used to represent registry authentication using AWS IRSA (IAM Roles for Service accounts) and the secretstore resource is expected to have the key 'roleARN'.")
 awsIRSA,
 }
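Review bot: In the types.go hunk the doc comment on TenantIdKey names the type as `Azure workload Identity` while the ClientIdKey comment two lines above says `Azure Workload Identity`; both keys belong to the same SecretType and the wording should match, so `// TenantIdKey is a required key in a secret store when SecretType is Azure Workload Identity.` Since these comments now state which SecretType each key is mandatory for, it would also help a reader to say where that requirement is enforced, for example by appending `Presence is checked by ValidateAndMutateRequest.` to each comment, assuming that remains the only place the required-key table is consulted.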