util: move Secrets to vaultConnection

Secrets is the main object used to connect to Vault, so it should be part
of the vaultConnection type.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2020-12-02 08:53:17 +01:00 committed by mergify[bot]
parent d28a5a5f23
commit 5bbab25a9f


@ -70,6 +70,7 @@ Example JSON structure in the KMS config is,
type vaultConnection struct { type vaultConnection struct {
EncryptionKMSID string EncryptionKMSID string
secrets loss.Secrets
vaultConfig map[string]interface{} vaultConfig map[string]interface{}
keyContext map[string]string keyContext map[string]string
} }
@ -80,8 +81,6 @@ type VaultKMS struct {
// vaultPassphrasePath (VPP) used to be added before the "key" of the // vaultPassphrasePath (VPP) used to be added before the "key" of the
// secret (like /v1/secret/data/<VPP>/key) // secret (like /v1/secret/data/<VPP>/key)
vaultPassphrasePath string vaultPassphrasePath string
secrets loss.Secrets
} }
// setConfigString fetches a value from a configuration map and converts it to // setConfigString fetches a value from a configuration map and converts it to
@ -148,7 +147,6 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
return fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret) return fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret)
} }
var err error
vaultConfig[api.EnvVaultCACert], err = createTempFile("vault-ca-cert", []byte(caPEM)) vaultConfig[api.EnvVaultCACert], err = createTempFile("vault-ca-cert", []byte(caPEM))
if err != nil { if err != nil {
return fmt.Errorf("failed to create temporary file for Vault CA: %w", err) return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
@ -164,6 +162,18 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
return nil return nil
} }
// connectVault creates a new connection to Vault. This should be called after
// filling vc.vaultConfig.
func (vc *vaultConnection) connectVault() error {
v, err := vault.New(vc.vaultConfig)
if err != nil {
return fmt.Errorf("failed creating new Vault Secrets: %w", err)
}
vc.secrets = v
return nil
}
// InitVaultKMS returns an interface to HashiCorp Vault KMS. // InitVaultKMS returns an interface to HashiCorp Vault KMS.
func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) { func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[string]string) (EncryptionKMS, error) {
kms := &VaultKMS{} kms := &VaultKMS{}
@ -214,11 +224,10 @@ func InitVaultKMS(kmsID string, config map[string]interface{}, secrets map[strin
kms.vaultConfig[vault.AuthMethod] = vault.AuthMethodKubernetes kms.vaultConfig[vault.AuthMethod] = vault.AuthMethodKubernetes
kms.vaultConfig[vault.AuthKubernetesTokenPath] = serviceAccountTokenPath kms.vaultConfig[vault.AuthKubernetesTokenPath] = serviceAccountTokenPath
v, err := vault.New(kms.vaultConfig) err = kms.connectVault()
if err != nil { if err != nil {
return nil, fmt.Errorf("failed creating new Vault Secrets: %w", err) return nil, err
} }
kms.secrets = v
return kms, nil return kms, nil
} }
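Review bot: connectVault (the hunk at @ -164,6 +162,18) relies on vc.vaultConfig having been filled by initConnection but never checks it, so a call before initConnection, or after it returned early, hands vault.New a nil map and any resulting error points at the Vault client rather than at the missing setup. A guard before vault.New makes the precondition stated in the doc comment enforceable: `if vc.vaultConfig == nil { return fmt.Errorf("vault config for KMS %q not initialized", vc.EncryptionKMSID) }`. The doc comment could also say that a successful call replaces any previously stored vc.secrets, since the assignment is unconditional. In the last hunk, InitVaultKMS now returns connectVault's error without further wrapping, which keeps the message single-layered because connectVault already adds the "failed creating new Vault Secrets" context; InitVaultKMS's body begins before that hunk, so the declaration of the reused `err` is not visible here.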