disable validate when certURL is used, add notes

bakito · May 13, 2023 · 5b888fe · 5b888fe
1 parent ff54841
commit 5b888fe
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -91,7 +91,7 @@ curl -request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/raw' \
 ```
 
 ### Validate sealed secret
-
+> **_NOTE:_**  Validate is only available when using cluster internal api (e.g. certURL not set) see [bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets/issues/1208)
 ```bash
 curl --request POST 'https://<SEALED_SECRETS_WEB_BASE_URL>/api/validate' \
   --header 'Accept: application/x-yaml' \

diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
@@ -28,6 +28,13 @@ sealedSecrets:
   # -- Name of the sealed secrets service
   serviceName: sealed-secrets
   # -- URL sealed secrets certificate (required if sealed secrets is not reachable with in cluster service)
-  certURL: ""
+  certURL: "" # this will disable validate api
 ---------------------------------------------
 {{- end }}
+
+{{- if .Values.sealedSecrets.certURL not "" }}
+*************************************
+**          ATTENTION!!            **
+*************************************
+- Using sealedSecrets.certURL will disable the validate functionality, as it is only available via cluster internal api
+{{- end }}
diff --git a/pkg/seal/seal.go b/pkg/seal/seal.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/rsa"
+	"fmt"
 	"io"
 	"log"
 	"os"
@@ -102,6 +103,10 @@ func (a *apiSealer) Raw(data Raw) ([]byte, error) {
 }
 
 func (a *apiSealer) Validate(ctx context.Context, secret io.Reader) error {
+	if a.ss.CertURL != "" {
+		return fmt.Errorf("Validate can't be used with CertURL (%s)\n", a.ss.CertURL)
+	}
+
 	return kubeseal.ValidateSealedSecret(
 		ctx,
 		a.clientConfig,