feat(admission): validate labeled credentials (#4896)

czeslavo · web-flow · commit b87c0bb0b675 · 2023-10-19T16:27:05.000+02:00
diff --git a/internal/admission/validator.go b/internal/admission/validator.go
@@ -236,9 +236,8 @@ func (validator KongHTTPValidator) ValidateCredential(
 	ctx context.Context,
 	secret corev1.Secret,
 ) (bool, string, error) {
-	// If the secret doesn't contain a type key it's not a credentials secret.
-	_, ok := secret.Data[credsvalidation.TypeKey]
-	if !ok {
+	// If the secret doesn't specify a credential type (either by label or the secret's key) it's not a credentials secret.
+	if _, s := util.ExtractKongCredentialType(&secret); s == util.CredentialTypeAbsent {
 		return true, "", nil
 	}
 
diff --git a/internal/admission/validator_test.go b/internal/admission/validator_test.go
@@ -567,6 +567,35 @@ func TestKongHTTPValidator_ValidateCredential(t *testing.T) {
 		wantMessage     string
 		wantErrContains string
 	}{
+		{
+			name: "labeled valid key-auth credential with no consumers gets accepted",
+			secret: corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"konghq.com/credential": "key-auth",
+					},
+				},
+				Data: map[string][]byte{
+					"key": []byte("my-key"),
+				},
+			},
+			wantOK: true,
+		},
+		{
+			name: "labeled invalid key-auth credential with no consumers gets rejected",
+			secret: corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"konghq.com/credential": "key-auth",
+					},
+				},
+				Data: map[string][]byte{
+					// missing key
+				},
+			},
+			wantOK:      false,
+			wantMessage: fmt.Sprintf("%s: %s", ErrTextConsumerCredentialValidationFailed, "missing required field(s): key"),
+		},
 		{
 			name: "valid key-auth credential with no consumers gets accepted",
 			secret: corev1.Secret{
@@ -586,7 +615,7 @@ func TestKongHTTPValidator_ValidateCredential(t *testing.T) {
 				},
 			},
 			wantOK:      false,
-			wantMessage: fmt.Sprintf("%s: %s", ErrTextConsumerCredentialValidationFailed, "invalid credentials secret, no data present"),
+			wantMessage: fmt.Sprintf("%s: %s", ErrTextConsumerCredentialValidationFailed, "missing required field(s): key"),
 		},
 	}
 
