mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-11-09 16:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
d7bcb42481
ceph-csi/internal/util/vault_tokens_test.go

211 lines
6.8 KiB
Go
Raw Normal View History

util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
/*
Copyright 2020 The Ceph-CSI Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
"encoding/json"
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
"errors"
"strings"
"testing"
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
)
func TestParseConfig(t *testing.T) {
cleanup: addresses paralleltest linter The Go linter paralleltest checks that the t.Parallel gets called for the test method and for the range of test cases within the test. Updates: #2025 Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-06-02 09:55:53 +00:00
t.Parallel()
util: split vaultTenantConnection from VaultTokensKMS This makes the Tenant configuration for Hashicorp Vault KMS connections more modular. Additional KMS implementations that use Hashicorp Vault with per-Tenant options can re-use the new vaultTenantConnection. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-11 10:17:51 +00:00
vtc := vaultTenantConnection{}
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
config := make(map[string]interface{})
// empty config map
util: split vaultTenantConnection from VaultTokensKMS This makes the Tenant configuration for Hashicorp Vault KMS connections more modular. Additional KMS implementations that use Hashicorp Vault with per-Tenant options can re-use the new vaultTenantConnection. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-11 10:17:51 +00:00
err := vtc.parseConfig(config)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
if !errors.Is(err, errConfigOptionMissing) {
t.Errorf("unexpected error (%T): %s", err, err)
}
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
// fill default options (normally done in initVaultTokensKMS)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
config["vaultAddress"] = "https://vault.default.cluster.svc"
config["tenantConfigName"] = vaultTokensDefaultConfigName
// parsing with all required options
util: split vaultTenantConnection from VaultTokensKMS This makes the Tenant configuration for Hashicorp Vault KMS connections more modular. Additional KMS implementations that use Hashicorp Vault with per-Tenant options can re-use the new vaultTenantConnection. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-11 10:17:51 +00:00
err = vtc.parseConfig(config)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
switch {
case err != nil:
t.Errorf("unexpected error: %s", err)
util: split vaultTenantConnection from VaultTokensKMS This makes the Tenant configuration for Hashicorp Vault KMS connections more modular. Additional KMS implementations that use Hashicorp Vault with per-Tenant options can re-use the new vaultTenantConnection. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-11 10:17:51 +00:00
case vtc.ConfigName != vaultTokensDefaultConfigName:
t.Errorf("ConfigName contains unexpected value: %s", vtc.ConfigName)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
}
// tenant "bob" uses a different kms.ConfigName
bob := make(map[string]interface{})
bob["tenantConfigName"] = "the-config-from-bob"
util: split vaultTenantConnection from VaultTokensKMS This makes the Tenant configuration for Hashicorp Vault KMS connections more modular. Additional KMS implementations that use Hashicorp Vault with per-Tenant options can re-use the new vaultTenantConnection. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-11 10:17:51 +00:00
err = vtc.parseConfig(bob)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
switch {
case err != nil:
t.Errorf("unexpected error: %s", err)
util: split vaultTenantConnection from VaultTokensKMS This makes the Tenant configuration for Hashicorp Vault KMS connections more modular. Additional KMS implementations that use Hashicorp Vault with per-Tenant options can re-use the new vaultTenantConnection. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-06-11 10:17:51 +00:00
case vtc.ConfigName != "the-config-from-bob":
t.Errorf("ConfigName contains unexpected value: %s", vtc.ConfigName)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
}
}
// TestInitVaultTokensKMS verifies that passing partial and complex
// configurations get applied correctly.
//
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
// When vault.New() is called at the end of initVaultTokensKMS(), errors will
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
// mention the missing VAULT_TOKEN, and that is expected.
func TestInitVaultTokensKMS(t *testing.T) {
cleanup: addresses paralleltest linter The Go linter paralleltest checks that the t.Parallel gets called for the test method and for the range of test cases within the test. Updates: #2025 Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-06-02 09:55:53 +00:00
t.Parallel()
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
if true {
// FIXME: testing only works when KUBE_CONFIG is set to a
// cluster that has a working Vault deployment
return
}
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
args := KMSInitializerArgs{
Tenant: "bob",
Config: make(map[string]interface{}),
Secrets: nil,
}
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
// empty config map
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
_, err := initVaultTokensKMS(args)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
if !errors.Is(err, errConfigOptionMissing) {
t.Errorf("unexpected error (%T): %s", err, err)
}
// fill required options
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
args.Config["vaultAddress"] = "https://vault.default.cluster.svc"
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
// parsing with all required options
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
_, err = initVaultTokensKMS(args)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
if err != nil && !strings.Contains(err.Error(), "VAULT_TOKEN") {
t.Errorf("unexpected error: %s", err)
}
// fill tenants
tenants := make(map[string]interface{})
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
args.Config["tenants"] = tenants
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
// empty tenants list
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
_, err = initVaultTokensKMS(args)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
if err != nil && !strings.Contains(err.Error(), "VAULT_TOKEN") {
t.Errorf("unexpected error: %s", err)
}
// add tenant "bob"
bob := make(map[string]interface{})
bob["vaultAddress"] = "https://vault.bob.example.org"
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
args.Config["tenants"].(map[string]interface{})["bob"] = bob
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
_, err = initVaultTokensKMS(args)
util: add support for Hashicorp Vault with Tokens per Tenant Tenants (Kubernetes Namespaces) can use their own Vault Token to manage the encryption keys for PVCs. The working is documented in #1743. See-also: #1743 Closes: #1500 Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-08 10:44:04 +00:00
if err != nil && !strings.Contains(err.Error(), "VAULT_TOKEN") {
t.Errorf("unexpected error: %s", err)
}
}
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
// TestStdVaultToCSIConfig converts a JSON document with standard VAULT_*
// environment variables to a vaultTokenConf structure.
func TestStdVaultToCSIConfig(t *testing.T) {
cleanup: addresses paralleltest linter The Go linter paralleltest checks that the t.Parallel gets called for the test method and for the range of test cases within the test. Updates: #2025 Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-06-02 09:55:53 +00:00
t.Parallel()
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
vaultConfigMap := `{
"KMS_PROVIDER":"vaulttokens",
"VAULT_ADDR":"https://vault.example.com",
util: allow configuring VAULT_BACKEND for Vault connection It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-20 09:18:58 +00:00
"VAULT_BACKEND":"kv-v2",
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
"VAULT_BACKEND_PATH":"/secret",
"VAULT_CACERT":"",
"VAULT_TLS_SERVER_NAME":"vault.example.com",
"VAULT_CLIENT_CERT":"",
"VAULT_CLIENT_KEY":"",
util: add vaultAuthNamespace option for Vault KMS The new `vaultAuthNamespace` configuration parameter can be set to the Vault Namespace where the authentication is setup in the service. Some Hashicorp Vault deployments use sub-namespaces for their users/tenants, with a 'root' namespace where the authentication is configured. This requires passing of different Vault namespaces for different operations. Example: - the Kubernetes Auth mechanism is configured for in the Vault Namespace called 'devops' - a user/tenant has a sub-namespace called 'devops/website' where the encryption passphrases can be placed in the key-value store The configuration for this, then looks like: vaultAuthNamespace: devops vaultNamespace: devops/homepage Note that Vault Namespaces are a feature of the Hashicorp Vault Enterprise product, and not part of the Open Source version. This prevents adding e2e tests that validate the Vault Namespace configuration. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-30 07:53:27 +00:00
"VAULT_AUTH_NAMESPACE":"devops",
"VAULT_NAMESPACE":"devops/homepage",
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
"VAULT_SKIP_VERIFY":"true"
}`
sv := &standardVault{}
err := json.Unmarshal([]byte(vaultConfigMap), sv)
if err != nil {
t.Errorf("unexpected error: %s", err)
cleanup: resolve nlreturn linter issues nlreturn linter requires a new line before return and branch statements except when the return is alone inside a statement group (such as an if statement) to increase code clarity. This commit addresses such issues. Updates: #1586 Signed-off-by: Rakshith R <rar@redhat.com>
2021-07-22 05:45:17 +00:00
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
return
}
v := vaultTokenConf{}
v.convertStdVaultToCSIConfig(sv)
switch {
case v.EncryptionKMSType != kmsTypeVaultTokens:
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
case v.VaultAddress != "https://vault.example.com":
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
util: allow configuring VAULT_BACKEND for Vault connection It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-20 09:18:58 +00:00
case v.VaultBackend != "kv-v2":
t.Errorf("unexpected value for VaultBackend: %s", v.VaultBackend)
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
case v.VaultBackendPath != "/secret":
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
case v.VaultCAFromSecret != "":
t.Errorf("unexpected value for VaultCAFromSecret: %s", v.VaultCAFromSecret)
case v.VaultClientCertFromSecret != "":
t.Errorf("unexpected value for VaultClientCertFromSecret: %s", v.VaultClientCertFromSecret)
case v.VaultClientCertKeyFromSecret != "":
t.Errorf("unexpected value for VaultClientCertKeyFromSecret: %s", v.VaultClientCertKeyFromSecret)
util: add vaultAuthNamespace option for Vault KMS The new `vaultAuthNamespace` configuration parameter can be set to the Vault Namespace where the authentication is setup in the service. Some Hashicorp Vault deployments use sub-namespaces for their users/tenants, with a 'root' namespace where the authentication is configured. This requires passing of different Vault namespaces for different operations. Example: - the Kubernetes Auth mechanism is configured for in the Vault Namespace called 'devops' - a user/tenant has a sub-namespace called 'devops/website' where the encryption passphrases can be placed in the key-value store The configuration for this, then looks like: vaultAuthNamespace: devops vaultNamespace: devops/homepage Note that Vault Namespaces are a feature of the Hashicorp Vault Enterprise product, and not part of the Open Source version. This prevents adding e2e tests that validate the Vault Namespace configuration. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-30 07:53:27 +00:00
case v.VaultAuthNamespace != "devops":
t.Errorf("unexpected value for VaultAuthNamespace: %s", v.VaultAuthNamespace)
case v.VaultNamespace != "devops/homepage":
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option "VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-02-15 14:50:12 +00:00
t.Errorf("unexpected value for VaultNamespace: %s", v.VaultNamespace)
case v.VaultTLSServerName != "vault.example.com":
t.Errorf("unexpected value for VaultTLSServerName: %s", v.VaultTLSServerName)
case v.VaultCAVerify != "false":
t.Errorf("unexpected value for VaultCAVerify: %s", v.VaultCAVerify)
}
}
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
func TestTransformConfig(t *testing.T) {
cleanup: addresses paralleltest linter The Go linter paralleltest checks that the t.Parallel gets called for the test method and for the range of test cases within the test. Updates: #2025 Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-06-02 09:55:53 +00:00
t.Parallel()
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
cm := make(map[string]interface{})
cm["KMS_PROVIDER"] = "vaulttokens"
cm["VAULT_ADDR"] = "https://vault.example.com"
util: allow configuring VAULT_BACKEND for Vault connection It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-20 09:18:58 +00:00
cm["VAULT_BACKEND"] = "kv-v2"
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
cm["VAULT_BACKEND_PATH"] = "/secret"
cm["VAULT_CACERT"] = ""
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
cm["VAULT_CLIENT_CERT"] = ""
cm["VAULT_CLIENT_KEY"] = ""
util: add vaultAuthNamespace option for Vault KMS The new `vaultAuthNamespace` configuration parameter can be set to the Vault Namespace where the authentication is setup in the service. Some Hashicorp Vault deployments use sub-namespaces for their users/tenants, with a 'root' namespace where the authentication is configured. This requires passing of different Vault namespaces for different operations. Example: - the Kubernetes Auth mechanism is configured for in the Vault Namespace called 'devops' - a user/tenant has a sub-namespace called 'devops/website' where the encryption passphrases can be placed in the key-value store The configuration for this, then looks like: vaultAuthNamespace: devops vaultNamespace: devops/homepage Note that Vault Namespaces are a feature of the Hashicorp Vault Enterprise product, and not part of the Open Source version. This prevents adding e2e tests that validate the Vault Namespace configuration. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-30 07:53:27 +00:00
cm["VAULT_AUTH_NAMESPACE"] = "devops"
cm["VAULT_NAMESPACE"] = "devops/homepage"
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
cm["VAULT_SKIP_VERIFY"] = "true" // inverse of "vaultCAVerify"
config, err := transformConfig(cm)
require.NoError(t, err)
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
util: allow configuring VAULT_BACKEND for Vault connection It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-20 09:18:58 +00:00
assert.Equal(t, config["vaultBackend"], cm["VAULT_BACKEND"])
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
assert.Equal(t, config["vaultClientCertFromSecret"], cm["VAULT_CLIENT_CERT"])
assert.Equal(t, config["vaultClientCertKeyFromSecret"], cm["VAULT_CLIENT_KEY"])
util: add vaultAuthNamespace option for Vault KMS The new `vaultAuthNamespace` configuration parameter can be set to the Vault Namespace where the authentication is setup in the service. Some Hashicorp Vault deployments use sub-namespaces for their users/tenants, with a 'root' namespace where the authentication is configured. This requires passing of different Vault namespaces for different operations. Example: - the Kubernetes Auth mechanism is configured for in the Vault Namespace called 'devops' - a user/tenant has a sub-namespace called 'devops/website' where the encryption passphrases can be placed in the key-value store The configuration for this, then looks like: vaultAuthNamespace: devops vaultNamespace: devops/homepage Note that Vault Namespaces are a feature of the Hashicorp Vault Enterprise product, and not part of the Open Source version. This prevents adding e2e tests that validate the Vault Namespace configuration. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-30 07:53:27 +00:00
assert.Equal(t, config["vaultAuthNamespace"], cm["VAULT_AUTH_NAMESPACE"])
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
assert.Equal(t, config["vaultNamespace"], cm["VAULT_NAMESPACE"])
assert.Equal(t, config["vaultCAVerify"], "false")
}
func TestVaultTokensKMSRegistered(t *testing.T) {
cleanup: addresses paralleltest linter The Go linter paralleltest checks that the t.Parallel gets called for the test method and for the range of test cases within the test. Updates: #2025 Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-06-02 09:55:53 +00:00
t.Parallel()
util: rewrite GetKMS() to use KMS provider plugin API GetKMS() is the public API that initilizes the KMS providers on demand. Each provider identifies itself with a KMS-Type, and adds its own initialization function to a switch/case construct. This is not well maintainable. The new GetKMS() can be used the same way, but uses the new kmsManager interface to create and configure the KMS provider instances. All existing KMS providers are converted to use the new kmsManager plugins API. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-03-18 12:50:38 +00:00
_, ok := kmsManager.providers[kmsTypeVaultTokens]
assert.True(t, ok)
}
Reference in New Issue Copy Permalink