- I created a Secret in Vault in a kv-v2 secret engine with something like:

```
path "/my/path"
userDN = "cn=user,dc=example,dc=com"
password = "mypassword"
```

- I configured the spec of LdapAuthEngineConfig with:

```yaml
bindCredentials:
  passwordKey: password
  usernameKey: userDN
  vaultSecret:
    path: /kv/data/my/path
```
- Vault-config-operator crashes with:

```
panic: interface conversion: interface {} is nil, not string [recovered]
panic: interface conversion: interface {} is nil, not string
goroutine 1007 [running]:
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile.func1()
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:115 +0x1e5
panic({0x18c1a80?, 0xc0017cbad0?})
/opt/hostedtoolcache/go/1.21.11/x64/src/runtime/panic.go:914 +0x21f
github.com/redhat-cop/vault-config-operator/api/v1alpha1.(*LDAPAuthEngineConfig).setInternalCredentials(0xc0006bec00, {0x1da5758, 0xc0018738f0})
/home/runner/work/vault-config-operator/vault-config-operator/api/v1alpha1/ldapauthengineconfig_types.go:159 +0xe54
github.com/redhat-cop/vault-config-operator/api/v1alpha1.(*LDAPAuthEngineConfig).PrepareInternalValues(0x1da5758?, {0x1da5758?, 0xc0018738f0?}, {0x0?, 0x0?})
/home/runner/work/vault-config-operator/vault-config-operator/api/v1alpha1/ldapauthengineconfig_types.go:89 +0x1d
github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller.(*VaultResource).manageReconcileLogic(0xc001b07bd0, {0x1da5758, 0xc0018738f0}, {0x1dba5f0?, 0xc0006bec00?})
/home/runner/work/vault-config-operator/vault-config-operator/controllers/vaultresourcecontroller/vaultresourcereconciler.go:98 +0xae
github.com/redhat-cop/vault-config-operator/controllers/vaultresourcecontroller.(*VaultResource).Reconcile(0xc001b07bd0, {0x1da5758, 0xc0018738f0}, {0x1dba5f0, 0xc0006bec00})
/home/runner/work/vault-config-operator/vault-config-operator/controllers/vaultresourcecontroller/vaultresourcereconciler.go:65 +0x238
github.com/redhat-cop/vault-config-operator/controllers.(*LDAPAuthEngineConfigReconciler).Reconcile(0xc000261880, {0x1da5758, 0xc001872780}, {{{0xc001a8cc40?, 0x0?}, {0xc001759c80?, 0x412685?}}})
/home/runner/work/vault-config-operator/vault-config-operator/controllers/ldapauthengineconfig_controller.go:80 +0x3d1
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0x1da5758?, {0x1da5758?, 0xc001872780?}, {{{0xc001a8cc40?, 0x17f5b80?}, {0xc001759c80?, 0x1d97248?}}})
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:118 +0xb7
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0004079a0, {0x1da5790, 0xc000035e00}, {0x1936e20?, 0xc00309c900?})
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:314 +0x368
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0004079a0, {0x1da5790, 0xc000035e00})
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:265 +0x1c9
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2()
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:226 +0x79
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2 in goroutine 292
/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222 +0x565
```
My analysis tells me that there are missing input validation checks in the `setInternalCredentials` function:

- https://github.com/redhat-cop/vault-config-operator/blob/main/api/v1alpha1/utils/vaultutils.go#L79 shows that the `ReadSecret` function can return `nil, false, nil` (thus no error, but no data either), which will make `setInternalCredentials` null-pointer dereference on line 159 (but the error message should be different than mine).
- There is no checking to see if the `UsernameKey` or `PasswordKey` exist before getting them from `secret.Data`; in my case they should exist, but apparently this seems to be what is causing the crash, and without logs I cannot tell what values it is using.
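A defensive version of the credential lookup the report describes, as an added example in Go (not the operator's own code): `Secret` is a stand-in for the Vault client's secret type, the key names are the ones from the issue, and the kv-v2 unwrap assumes the standard envelope Vault returns for reads under `/kv/data/`, where the stored keys sit beneath a nested `data` map. A nil secret, a missing key and a nil value each produce a descriptive error instead of the interface-conversion panic above.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret mirrors the shape of the Vault API client's Secret type: Data is a
// free-form map, so every lookup needs an existence check and a type check.
type Secret struct {
	Data map[string]interface{}
}

// stringField returns data[key] as a string, with an error (not a panic) when
// the key is absent or holds a non-string value such as nil.
func stringField(data map[string]interface{}, key string) (string, error) {
	raw, ok := data[key]
	if !ok {
		return "", fmt.Errorf("secret has no key %q", key)
	}
	s, ok := raw.(string) // comma-ok form never panics, even when raw is nil
	if !ok {
		return "", fmt.Errorf("key %q holds %T, expected string", key, raw)
	}
	return s, nil
}

// ExtractCredentials validates a secret read before using it: a nil secret is
// an error (the "no error, no data" case) and a kv-v2 envelope is unwrapped.
func ExtractCredentials(secret *Secret, usernameKey, passwordKey string) (user, pass string, err error) {
	if secret == nil || secret.Data == nil {
		return "", "", errors.New("no secret data at the configured path")
	}
	data := secret.Data
	if inner, ok := data["data"].(map[string]interface{}); ok {
		data = inner // kv-v2: user keys live under the nested "data" map
	}
	if user, err = stringField(data, usernameKey); err != nil {
		return "", "", err
	}
	if pass, err = stringField(data, passwordKey); err != nil {
		return "", "", err
	}
	return user, pass, nil
}

func main() {
	s := &Secret{Data: map[string]interface{}{"data": map[string]interface{}{"userDN": "cn=user,dc=example,dc=com", "password": "mypassword"}}} // constructed kv-v2 sample
	u, _, err := ExtractCredentials(s, "userDN", "password")
	fmt.Println(u, err)
}
```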