in pkg/api/vlabs/validate.go [926:959]
// validateServicePrincipalProfile checks the service principal settings that
// become mandatory once managed identity has been explicitly disabled
// (KubernetesConfig.UseManagedIdentity set to false). When managed identity
// is enabled, or the setting is absent, no service principal checks run and
// nil is returned.
//
// With managed identity disabled the profile must be present, carry a client
// ID, and supply exactly one credential source: an inline secret or a
// keyvault secret reference (never both, never neither). A keyvault reference
// additionally needs a vault ID in the expected format and a secret name.
// When EnableEncryptionWithExternalKms is set the object ID is required too.
//
// NOTE(review): a.OrchestratorProfile is dereferenced without a nil check;
// presumably an earlier validation step guarantees it is set — confirm.
func (a *Properties) validateServicePrincipalProfile() error {
	kc := a.OrchestratorProfile.KubernetesConfig
	// Only an explicit "false" disables managed identity; a nil flag means
	// "not configured" and skips every check below.
	if kc == nil || kc.UseManagedIdentity == nil || to.Bool(kc.UseManagedIdentity) {
		return nil
	}

	sp := a.ServicePrincipalProfile
	if sp == nil {
		return errors.Errorf("ServicePrincipalProfile must be specified")
	}
	if e := validate.Var(sp.ClientID, "required"); e != nil {
		return errors.Errorf("the service principal client ID must be specified")
	}

	// Exactly one credential source is allowed: inline secret XOR keyvault reference.
	hasInlineSecret := len(sp.Secret) != 0
	hasKeyvaultRef := sp.KeyvaultSecretRef != nil
	if hasInlineSecret == hasKeyvaultRef {
		return errors.Errorf("either the service principal client secret or keyvault secret reference must be specified")
	}

	// kc is known to be non-nil here. to.Bool presumably treats a nil
	// EnableEncryptionWithExternalKms as false — confirm against the helper.
	if to.Bool(kc.EnableEncryptionWithExternalKms) && len(sp.ObjectID) == 0 {
		return errors.Errorf("the service principal object ID must be specified when enableEncryptionWithExternalKms is true")
	}

	if !hasKeyvaultRef {
		return nil
	}
	ref := sp.KeyvaultSecretRef
	if e := validate.Var(ref.VaultID, "required"); e != nil {
		return errors.Errorf("the Keyvault ID must be specified for the Service Principle")
	}
	if e := validate.Var(ref.SecretName, "required"); e != nil {
		return errors.Errorf("the Keyvault Secret must be specified for the Service Principle")
	}
	// Presence alone is not enough; the vault ID must also match the
	// resource ID shape expected by keyvaultIDRegex.
	if !keyvaultIDRegex.MatchString(ref.VaultID) {
		return errors.Errorf("service principal client keyvault secret reference is of incorrect format")
	}
	return nil
}