check that ClientCredentialsSecret is set in appreg and validate secret

cd65891b · Chrysoula Dikonimaki · 411ac25e · cd65891b
Commit cd65891b authored 3 months ago by Chrysoula Dikonimaki
--- a/controllers/operator_methods.go
+++ b/controllers/operator_methods.go
@@ -3,7 +3,6 @@ package controllers
 import (
 	"context"
 	"fmt"
-	"reflect"
 	routev1 "github.com/openshift/api/route/v1"
 	authzalpha1 "gitlab.cern.ch/paas-tools/operators/authz-operator/api/v1alpha1"
@@ -39,7 +38,7 @@ func (r *GitlabPagesSiteReconciler) getOidcSecret(ctx context.Context, gitlabPag
 	// Ensure we have a valid ApplicationRegistration registration, this only happens when we have exactly one ApplicationRegistration
 	// with a status set by the authz-operator and this status says provisioning succeeded
-	if !reflect.DeepEqual(appReg.Status, authzalpha1.ApplicationRegistrationStatus{}) && appReg.Status.ClientCredentialsSecret != "oidc-client-secret" {
+	if appReg.Status.ClientCredentialsSecret == "" {
 		meta.SetStatusCondition(&gitlabPagesSite.Status.Conditions, metav1.Condition{
 			Type:    webservicescernchv1alpha1.ConditionTypeGitlabPagesSiteCreated,
 			Status:  metav1.ConditionFalse,
@@ -56,6 +55,7 @@ func (r *GitlabPagesSiteReconciler) getOidcSecret(ctx context.Context, gitlabPag
 		return nil, err
 	}
+	// Retrieve OIDC secret
 	oidcSecret := &v1.Secret{}
 	namespacedName := types.NamespacedName{
 		Name:      appReg.Status.ClientCredentialsSecret,
@@ -67,6 +67,14 @@ func (r *GitlabPagesSiteReconciler) getOidcSecret(ctx context.Context, gitlabPag
 		return nil, err
 	}
+	// Validate that the secret contains the required data
+	requiredFields := []string{"clientID", "clientSecret", "issuerURL"}
+	for _, field := range requiredFields {
+		if value, exists := oidcSecret.Data[field]; !exists || len(value) == 0 {
+			return nil, fmt.Errorf("secret '%s' in namespace '%s' is missing required field or has empty value: %s", appReg.Status.ClientCredentialsSecret, gitlabPagesSite.Namespace, field)
+		}
+	}
 	return oidcSecret, nil
 }