mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-23 21:40:20 +00:00
util: allow configuring VAULT_BACKEND for Vault connection
It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
75b9b9fe6d
commit
82557e3f34
@ -9,6 +9,7 @@ data:
|
||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
||||
"vaultRole": "csi-kubernetes",
|
||||
"vaultBackend": "kv-v2",
|
||||
"vaultPassphraseRoot": "/v1/secret",
|
||||
"vaultPassphrasePath": "ceph-csi/",
|
||||
"vaultCAVerify": "false"
|
||||
@ -16,6 +17,7 @@ data:
|
||||
"vault-tokens-test": {
|
||||
"encryptionKMSType": "vaulttokens",
|
||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||
"vaultBackend": "kv-v2",
|
||||
"vaultBackendPath": "secret/",
|
||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||
"vaultCAVerify": "false",
|
||||
@ -34,6 +36,7 @@ data:
|
||||
"vault-tenant-sa-test": {
|
||||
"encryptionKMSType": "vaulttenantsa",
|
||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||
"vaultBackend": "kv-v2",
|
||||
"vaultBackendPath": "shared-secrets",
|
||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||
"vaultCAVerify": "false",
|
||||
|
@ -7,6 +7,7 @@ metadata:
|
||||
name: ceph-csi-kms-config
|
||||
data:
|
||||
vaultAddress: "http://vault.default.svc.cluster.local:8200"
|
||||
vaultBackend: "kv-v1"
|
||||
vaultBackendPath: "secret/"
|
||||
vaultTLSServerName: "vault.default.svc.cluster.local"
|
||||
vaultCAVerify: "false"
|
||||
|
@ -21,7 +21,7 @@ data:
|
||||
vault login ${VAULT_DEV_ROOT_TOKEN_ID}
|
||||
|
||||
# create a secret store for the tenant
|
||||
vault secrets enable -path="tenant" kv
|
||||
vault secrets enable -version=2 -path="tenant" kv
|
||||
|
||||
# create a policy for the tenant
|
||||
vault policy write "${TENANT_NAMESPACE}" - << EOS
|
||||
|
@ -19,5 +19,6 @@ kind: ConfigMap
|
||||
metadata:
|
||||
name: ceph-csi-kms-config
|
||||
data:
|
||||
vaultBackend: kv-v2
|
||||
vaultBackendPath: tenant
|
||||
vaultRole: ceph-csi-tenant
|
||||
|
@ -132,6 +132,16 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
|
||||
}
|
||||
// default: !firstInit
|
||||
|
||||
vaultBackend := "" // optional
|
||||
err = setConfigString(&vaultBackend, config, "vaultBackend")
|
||||
if errors.Is(err, errConfigOptionInvalid) {
|
||||
return err
|
||||
}
|
||||
// set the option if the value was not invalid
|
||||
if !errors.Is(err, errConfigOptionMissing) {
|
||||
vaultConfig[vault.VaultBackendKey] = vaultBackend
|
||||
}
|
||||
|
||||
vaultBackendPath := "" // optional
|
||||
err = setConfigString(&vaultBackendPath, config, "vaultBackendPath")
|
||||
if errors.Is(err, errConfigOptionInvalid) {
|
||||
|
@ -57,6 +57,7 @@ const (
|
||||
type standardVault struct {
|
||||
KmsPROVIDER string `json:"KMS_PROVIDER"`
|
||||
VaultADDR string `json:"VAULT_ADDR"`
|
||||
VaultBackend string `json:"VAULT_BACKEND"`
|
||||
VaultBackendPath string `json:"VAULT_BACKEND_PATH"`
|
||||
VaultCACert string `json:"VAULT_CACERT"`
|
||||
VaultTLSServerName string `json:"VAULT_TLS_SERVER_NAME"`
|
||||
@ -69,6 +70,7 @@ type standardVault struct {
|
||||
type vaultTokenConf struct {
|
||||
EncryptionKMSType string `json:"encryptionKMSType"`
|
||||
VaultAddress string `json:"vaultAddress"`
|
||||
VaultBackend string `json:"vaultBackend"`
|
||||
VaultBackendPath string `json:"vaultBackendPath"`
|
||||
VaultCAFromSecret string `json:"vaultCAFromSecret"`
|
||||
VaultTLSServerName string `json:"vaultTLSServerName"`
|
||||
@ -81,6 +83,7 @@ type vaultTokenConf struct {
|
||||
func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
||||
v.EncryptionKMSType = s.KmsPROVIDER
|
||||
v.VaultAddress = s.VaultADDR
|
||||
v.VaultBackend = s.VaultBackend
|
||||
v.VaultBackendPath = s.VaultBackendPath
|
||||
v.VaultCAFromSecret = s.VaultCACert
|
||||
v.VaultClientCertFromSecret = s.VaultClientCert
|
||||
@ -147,6 +150,7 @@ Example JSON structure in the KMS config is,
|
||||
"vault-with-tokens": {
|
||||
"encryptionKMSType": "vaulttokens",
|
||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||
"vaultBackend": "kv-v2",
|
||||
"vaultBackendPath": "secret/",
|
||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||
"vaultCAFromSecret": "vault-ca",
|
||||
@ -515,6 +519,7 @@ func (vtc *vaultTenantConnection) getCertificate(tenant, secretName, key string)
|
||||
func isTenantConfigOption(opt string) bool {
|
||||
switch opt {
|
||||
case "vaultAddress":
|
||||
case "vaultBackend":
|
||||
case "vaultBackendPath":
|
||||
case "vaultTLSServerName":
|
||||
case "vaultCAFromSecret":
|
||||
|
@ -125,6 +125,7 @@ func TestStdVaultToCSIConfig(t *testing.T) {
|
||||
vaultConfigMap := `{
|
||||
"KMS_PROVIDER":"vaulttokens",
|
||||
"VAULT_ADDR":"https://vault.example.com",
|
||||
"VAULT_BACKEND":"kv-v2",
|
||||
"VAULT_BACKEND_PATH":"/secret",
|
||||
"VAULT_CACERT":"",
|
||||
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
||||
@ -150,6 +151,8 @@ func TestStdVaultToCSIConfig(t *testing.T) {
|
||||
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
||||
case v.VaultAddress != "https://vault.example.com":
|
||||
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
||||
case v.VaultBackend != "kv-v2":
|
||||
t.Errorf("unexpected value for VaultBackend: %s", v.VaultBackend)
|
||||
case v.VaultBackendPath != "/secret":
|
||||
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
||||
case v.VaultCAFromSecret != "":
|
||||
@ -172,6 +175,7 @@ func TestTransformConfig(t *testing.T) {
|
||||
cm := make(map[string]interface{})
|
||||
cm["KMS_PROVIDER"] = "vaulttokens"
|
||||
cm["VAULT_ADDR"] = "https://vault.example.com"
|
||||
cm["VAULT_BACKEND"] = "kv-v2"
|
||||
cm["VAULT_BACKEND_PATH"] = "/secret"
|
||||
cm["VAULT_CACERT"] = ""
|
||||
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
|
||||
@ -184,6 +188,7 @@ func TestTransformConfig(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
||||
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
|
||||
assert.Equal(t, config["vaultBackend"], cm["VAULT_BACKEND"])
|
||||
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
|
||||
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
|
||||
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
|
||||
|
Loading…
Reference in New Issue
Block a user