feat: complete credential broker source flow

2026-06-27 00:29:53 +02:00
parent 2268a9375e
commit 673ec46e25
7 changed files with 853 additions and 52 deletions
--- a/scripts/credential-grants-validate.py
+++ b/scripts/credential-grants-validate.py
@@ -240,6 +240,38 @@ def validate_grant(
            )
        if str(local_file.get("mode")) != "0600":
            errors.append(f"{prefix}.delivery.local_token_file.mode must be 0600")
+    if "kubernetes-auth" in allowed:
+        kubernetes_auth = require_dict(
+            delivery.get("kubernetes_auth"),
+            f"{prefix}.delivery.kubernetes_auth",
+            errors,
+        )
+        require_nonempty_string(
+            kubernetes_auth.get("mount"),
+            f"{prefix}.delivery.kubernetes_auth.mount",
+            errors,
+        )
+        require_nonempty_string(
+            kubernetes_auth.get("role"),
+            f"{prefix}.delivery.kubernetes_auth.role",
+            errors,
+        )
+        if not require_list(
+            kubernetes_auth.get("service_account_names"),
+            f"{prefix}.delivery.kubernetes_auth.service_account_names",
+            errors,
+        ):
+            errors.append(
+                f"{prefix}.delivery.kubernetes_auth.service_account_names must not be empty"
+            )
+        if not require_list(
+            kubernetes_auth.get("namespaces"),
+            f"{prefix}.delivery.kubernetes_auth.namespaces",
+            errors,
+        ):
+            errors.append(
+                f"{prefix}.delivery.kubernetes_auth.namespaces must not be empty"
+            )

    audit = require_dict(grant_obj.get("audit"), f"{prefix}.audit", errors)
    if audit.get("openbao_audit_required") is not True: