rbd: change key in secret for cert and tls

Currently, the keys for the KMS certificates/keys in a
secret are ca.cert, tls.cert and
tls.key. This commit changes the keys ca.cert
and tls.cert to cert, and tls.key to key.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
Madhu Rajanna 2021-02-03 16:50:53 +05:30 committed by mergify[bot]
parent b370d9afb6
commit 22ae4a0b16
2 changed files with 12 additions and 12 deletions


@ -203,7 +203,7 @@ kind: secret
metadata: metadata:
name: vault-infosec-ca name: vault-infosec-ca
stringData: stringData:
ca.cert: | cert: |
MIIC2DCCAcCgAwIBAgIBATANBgkqh... MIIC2DCCAcCgAwIBAgIBATANBgkqh...
``` ```
@ -216,7 +216,7 @@ kind: secret
metadata: metadata:
name: vault-client-cert name: vault-client-cert
stringData: stringData:
tls.cert: | cert: |
BATANBgkqcCgAwIBAgIBATANBAwI... BATANBgkqcCgAwIBAgIBATANBAwI...
``` ```
@ -229,7 +229,7 @@ kind: secret
metadata: metadata:
name: vault-client-cert-key name: vault-client-cert-key
stringData: stringData:
tls.key: | key: |
KNSC2DVVXcCgkqcCgAwIBAgIwewrvx... KNSC2DVVXcCgkqcCgAwIBAgIwewrvx...
``` ```
@ -243,10 +243,10 @@ kind: secret
metadata: metadata:
name: vault-certificates name: vault-certificates
stringData: stringData:
ca.cert: | cert: |
MIIC2DCCAcCgAwIBAgIBATANBgkqh... MIIC2DCCAcCgAwIBAgIBATANBgkqh...
tls.cert: | cert: |
BATANBgkqcCgAwIBAgIBATANBAwI... BATANBgkqcCgAwIBAgIBATANBAwI...
tls.key: | key: |
KNSC2DVVXcCgkqcCgAwIBAgIwewrvx... KNSC2DVVXcCgkqcCgAwIBAgIwewrvx...
``` ```


@ -268,14 +268,14 @@ func (kms *VaultTokensKMS) initCertificates(config map[string]interface{}) error
} }
// ignore errConfigOptionMissing, no default was set // ignore errConfigOptionMissing, no default was set
if vaultCAFromSecret != "" { if vaultCAFromSecret != "" {
cert, cErr := getCertificate(kms.Tenant, vaultCAFromSecret, "ca.cert") cert, cErr := getCertificate(kms.Tenant, vaultCAFromSecret, "cert")
if cErr != nil && !apierrs.IsNotFound(err) { if cErr != nil && !apierrs.IsNotFound(err) {
return fmt.Errorf("failed to get CA certificate from secret %s: %w", vaultCAFromSecret, cErr) return fmt.Errorf("failed to get CA certificate from secret %s: %w", vaultCAFromSecret, cErr)
} }
// if the certificate is not present in tenant namespace get it from // if the certificate is not present in tenant namespace get it from
// cephcsi pod namespace // cephcsi pod namespace
if apierrs.IsNotFound(cErr) { if apierrs.IsNotFound(cErr) {
cert, cErr = getCertificate(csiNamespace, vaultCAFromSecret, "ca.cert") cert, cErr = getCertificate(csiNamespace, vaultCAFromSecret, "cert")
if cErr != nil { if cErr != nil {
return fmt.Errorf("failed to get CA certificate from secret %s: %w", vaultCAFromSecret, cErr) return fmt.Errorf("failed to get CA certificate from secret %s: %w", vaultCAFromSecret, cErr)
} }
@ -293,14 +293,14 @@ func (kms *VaultTokensKMS) initCertificates(config map[string]interface{}) error
} }
// ignore errConfigOptionMissing, no default was set // ignore errConfigOptionMissing, no default was set
if vaultClientCertFromSecret != "" { if vaultClientCertFromSecret != "" {
cert, cErr := getCertificate(kms.Tenant, vaultClientCertFromSecret, "tls.cert") cert, cErr := getCertificate(kms.Tenant, vaultClientCertFromSecret, "cert")
if cErr != nil && !apierrs.IsNotFound(cErr) { if cErr != nil && !apierrs.IsNotFound(cErr) {
return fmt.Errorf("failed to get client certificate from secret %s: %w", vaultClientCertFromSecret, cErr) return fmt.Errorf("failed to get client certificate from secret %s: %w", vaultClientCertFromSecret, cErr)
} }
// if the certificate is not present in tenant namespace get it from // if the certificate is not present in tenant namespace get it from
// cephcsi pod namespace // cephcsi pod namespace
if apierrs.IsNotFound(cErr) { if apierrs.IsNotFound(cErr) {
cert, cErr = getCertificate(csiNamespace, vaultClientCertFromSecret, "tls.cert") cert, cErr = getCertificate(csiNamespace, vaultClientCertFromSecret, "cert")
if cErr != nil { if cErr != nil {
return fmt.Errorf("failed to get client certificate from secret %s: %w", vaultCAFromSecret, cErr) return fmt.Errorf("failed to get client certificate from secret %s: %w", vaultCAFromSecret, cErr)
} }
@ -319,14 +319,14 @@ func (kms *VaultTokensKMS) initCertificates(config map[string]interface{}) error
// ignore errConfigOptionMissing, no default was set // ignore errConfigOptionMissing, no default was set
if vaultClientCertKeyFromSecret != "" { if vaultClientCertKeyFromSecret != "" {
certKey, err := getCertificate(kms.Tenant, vaultClientCertKeyFromSecret, "tls.key") certKey, err := getCertificate(kms.Tenant, vaultClientCertKeyFromSecret, "key")
if err != nil && !apierrs.IsNotFound(err) { if err != nil && !apierrs.IsNotFound(err) {
return fmt.Errorf("failed to get client certificate key from secret %s: %w", vaultClientCertKeyFromSecret, err) return fmt.Errorf("failed to get client certificate key from secret %s: %w", vaultClientCertKeyFromSecret, err)
} }
// if the certificate is not present in tenant namespace get it from // if the certificate is not present in tenant namespace get it from
// cephcsi pod namespace // cephcsi pod namespace
if apierrs.IsNotFound(err) { if apierrs.IsNotFound(err) {
certKey, err = getCertificate(csiNamespace, vaultClientCertFromSecret, "tls.key") certKey, err = getCertificate(csiNamespace, vaultClientCertFromSecret, "key")
if err != nil { if err != nil {
return fmt.Errorf("failed to get client certificate key from secret %s: %w", vaultCAFromSecret, err) return fmt.Errorf("failed to get client certificate key from secret %s: %w", vaultCAFromSecret, err)
} }
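Review bot: The CA lookup and the client-certificate lookup in initCertificates now both read the key `cert`, so one secret can no longer hold both roles; the combined `vault-certificates` example in this commit's documentation ends up with two `cert:` entries under `stringData`, and if both options name the same secret the CA and the client certificate would resolve to the same data. Keeping distinct key names for the two roles, or rejecting a configuration where `vaultCAFromSecret == vaultClientCertFromSecret`, would avoid loading the wrong material into the TLS setup. Separately, the fallback in the last hunk passes the wrong secret name and should read `certKey, err = getCertificate(csiNamespace, vaultClientCertKeyFromSecret, "key")`. The guard in the first hunk tests `apierrs.IsNotFound(err)` instead of `cErr`, which appears to make the namespace fallback below it unreachable, and the fallback error messages in the second and third hunks name `vaultCAFromSecret` rather than the secret actually queried. The function starts and ends outside these hunks, so how secrets that still use the old key names are handled is not visible here.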