mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2024-09-19 23:19:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

rebase: split vaultConnection from VaultKMS

Browse Source 
In order to re-use the configuration of Vault, split a new
vaultConnection type from the VaultKMS type.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2020-11-25 12:45:15 +01:00 committed by mergify[bot]
parent b29af806f7
commit 5565a902ac
1 changed files with 74 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
internal/util/vault.go
View File

@ -61,53 +61,35 @@ Example JSON structure in the KMS config is,
... ...
}. }.
*/ */
type VaultKMS struct {
type vaultConnection struct {
EncryptionKMSID string EncryptionKMSID string
vaultConfig map[string]interface{}
keyContext map[string]string
}
type VaultKMS struct {
vaultConnection
// vaultPassphrasePath (VPP) used to be added before the "key" of the // vaultPassphrasePath (VPP) used to be added before the "key" of the
// secret (like /v1/secret/data/<VPP>/key) // secret (like /v1/secret/data/<VPP>/key)
vaultPassphrasePath string vaultPassphrasePath string
secrets loss.Secrets secrets loss.Secrets
keyContext map[string]string
} }
// InitVaultKMS returns an interface to HashiCorp Vault KMS. func (vc *vaultConnection) initConnection(kmsID string, config, secrets map[string]string) error {
//
// nolint:gocyclo // this is a long function, as it constructs the Vault config
func InitVaultKMS(kmsID string, config, secrets map[string]string) (EncryptionKMS, error) {
var (
ok bool
err error
)
vaultConfig := make(map[string]interface{}) vaultConfig := make(map[string]interface{})
keyContext := make(map[string]string) keyContext := make(map[string]string)
kms := &VaultKMS{} vc.EncryptionKMSID = kmsID
kms.EncryptionKMSID = kmsID
vaultAddress, ok := config["vaultAddress"] vaultAddress, ok := config["vaultAddress"]
if !ok || vaultAddress == "" { if !ok || vaultAddress == "" {
return nil, fmt.Errorf("missing 'vaultAddress' for vault KMS %s", kmsID) return errors.New("missing 'vaultAddress' for Vault connection")
} }
vaultConfig[api.EnvVaultAddress] = vaultAddress vaultConfig[api.EnvVaultAddress] = vaultAddress
vaultAuthPath, ok := config["vaultAuthPath"]
if !ok || vaultAuthPath == "" {
vaultAuthPath = vaultDefaultAuthPath
}
vaultConfig[vault.AuthMountPath], err = detectAuthMountPath(vaultAuthPath)
if err != nil {
return nil, fmt.Errorf("failed to set %s in Vault config: %w", vault.AuthMountPath, err)
}
vaultRole, ok := config["vaultRole"]
if !ok || vaultRole == "" {
vaultRole = vaultDefaultRole
}
vaultConfig[vault.AuthKubernetesRole] = vaultRole
vaultNamespace, ok := config["vaultNamespace"] vaultNamespace, ok := config["vaultNamespace"]
if !ok || vaultNamespace == "" { if !ok || vaultNamespace == "" {
vaultNamespace = vaultDefaultNamespace vaultNamespace = vaultDefaultNamespace
@ -115,29 +97,12 @@ func InitVaultKMS(kmsID string, config, secrets map[string]string) (EncryptionKM
vaultConfig[api.EnvVaultNamespace] = vaultNamespace vaultConfig[api.EnvVaultNamespace] = vaultNamespace
keyContext[loss.KeyVaultNamespace] = vaultNamespace keyContext[loss.KeyVaultNamespace] = vaultNamespace
// vault.VaultBackendPathKey is "secret/" by default, use vaultPassphraseRoot if configured
vaultPassphraseRoot, ok := config["vaultPassphraseRoot"]
if ok && vaultPassphraseRoot != "" {
// the old example did have "/v1/secret/", convert that format
if strings.HasPrefix(vaultPassphraseRoot, "/v1/") {
vaultConfig[vault.VaultBackendPathKey] = strings.TrimPrefix(vaultPassphraseRoot, "/v1/")
} else {
vaultConfig[vault.VaultBackendPathKey] = vaultPassphraseRoot
}
}
kms.vaultPassphrasePath, ok = config["vaultPassphrasePath"]
if !ok || kms.vaultPassphrasePath == "" {
kms.vaultPassphrasePath = vaultDefaultPassphrasePath
}
verifyCA, ok := config["vaultCAVerify"] verifyCA, ok := config["vaultCAVerify"]
if ok { if ok {
var vaultCAVerify bool var vaultCAVerify bool
vaultCAVerify, err = strconv.ParseBool(verifyCA) vaultCAVerify, err := strconv.ParseBool(verifyCA)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse 'vaultCAVerify' for vault <%s> kms config: %w", return fmt.Errorf("failed to parse 'vaultCAVerify': %w", err)
kmsID, err)
} }
vaultConfig[api.EnvVaultInsecure] = !vaultCAVerify vaultConfig[api.EnvVaultInsecure] = !vaultCAVerify
} }
@ -146,33 +111,83 @@ func InitVaultKMS(kmsID string, config, secrets map[string]string) (EncryptionKM
if ok && vaultCAFromSecret != "" { if ok && vaultCAFromSecret != "" {
caPEM, ok := secrets[vaultCAFromSecret] caPEM, ok := secrets[vaultCAFromSecret]
if !ok { if !ok {
return nil, fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret) return fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret)
} }
var err error
vaultConfig[api.EnvVaultCACert], err = createTempFile("vault-ca-cert", []byte(caPEM)) vaultConfig[api.EnvVaultCACert], err = createTempFile("vault-ca-cert", []byte(caPEM))
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create temporary file for Vault CA: %w", err) return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
} }
// TODO: delete f.Name() when VaultKMS is destroyed // TODO: delete f.Name() when vaultConnection is destroyed
}
vc.keyContext = keyContext
vc.vaultConfig = vaultConfig
return nil
}
// InitVaultKMS returns an interface to HashiCorp Vault KMS.
func InitVaultKMS(kmsID string, config, secrets map[string]string) (EncryptionKMS, error) {
var (
ok bool
err error
)
kms := &VaultKMS{}
err = kms.initConnection(kmsID, config, secrets)
if err != nil {
return nil, fmt.Errorf("failed to initialize Vault connection: %w", err)
}
vaultAuthPath, ok := config["vaultAuthPath"]
if !ok || vaultAuthPath == "" {
vaultAuthPath = vaultDefaultAuthPath
}
kms.vaultConfig[vault.AuthMountPath], err = detectAuthMountPath(vaultAuthPath)
if err != nil {
return nil, fmt.Errorf("failed to set %s in Vault config: %w", vault.AuthMountPath, err)
}
vaultRole, ok := config["vaultRole"]
if !ok || vaultRole == "" {
vaultRole = vaultDefaultRole
}
kms.vaultConfig[vault.AuthKubernetesRole] = vaultRole
// vault.VaultBackendPathKey is "secret/" by default, use vaultPassphraseRoot if configured
vaultPassphraseRoot, ok := config["vaultPassphraseRoot"]
if ok && vaultPassphraseRoot != "" {
// the old example did have "/v1/secret/", convert that format
if strings.HasPrefix(vaultPassphraseRoot, "/v1/") {
kms.vaultConfig[vault.VaultBackendPathKey] = strings.TrimPrefix(vaultPassphraseRoot, "/v1/")
} else {
kms.vaultConfig[vault.VaultBackendPathKey] = vaultPassphraseRoot
}
}
kms.vaultPassphrasePath, ok = config["vaultPassphrasePath"]
if !ok || kms.vaultPassphrasePath == "" {
kms.vaultPassphrasePath = vaultDefaultPassphrasePath
} }
// FIXME: vault.AuthKubernetesTokenPath is not enough? EnvVaultToken needs to be set? // FIXME: vault.AuthKubernetesTokenPath is not enough? EnvVaultToken needs to be set?
vaultConfig[vault.AuthMethod] = vault.AuthMethodKubernetes kms.vaultConfig[vault.AuthMethod] = vault.AuthMethodKubernetes
vaultConfig[vault.AuthKubernetesTokenPath] = serviceAccountTokenPath kms.vaultConfig[vault.AuthKubernetesTokenPath] = serviceAccountTokenPath
v, err := vault.New(vaultConfig) v, err := vault.New(kms.vaultConfig)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed creating new Vault Secrets: %w", err) return nil, fmt.Errorf("failed creating new Vault Secrets: %w", err)
} }
kms.secrets = v kms.secrets = v
kms.keyContext = keyContext
return kms, nil return kms, nil
} }
// GetID is returning correlation ID to KMS configuration. // GetID is returning correlation ID to KMS configuration.
func (kms *VaultKMS) GetID() string { func (vc *vaultConnection) GetID() string {
return kms.EncryptionKMSID return vc.EncryptionKMSID
} }
// GetPassphrase returns passphrase from Vault. The passphrase is stored in a // GetPassphrase returns passphrase from Vault. The passphrase is stored in a