util: allow configuring VAULT_BACKEND for Vault connection

It seems that the version of the key/value engine can not always be
detected for Hashicorp Vault. In certain cases, it is required to
configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a
successful connection to the service can be made.

The `kv-v2` is the current default for development deployments of
Hashicorp Vault (what we use for automated testing). Production
deployments default to version 1 for now.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos 2021-07-20 11:18:58 +02:00 committed by mergify[bot]
parent 75b9b9fe6d
commit 82557e3f34
7 changed files with 26 additions and 1 deletions

View File

@ -9,6 +9,7 @@ data:
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultAuthPath": "/v1/auth/kubernetes/login",
"vaultRole": "csi-kubernetes",
"vaultBackend": "kv-v2",
"vaultPassphraseRoot": "/v1/secret",
"vaultPassphrasePath": "ceph-csi/",
"vaultCAVerify": "false"
@ -16,6 +17,7 @@ data:
"vault-tokens-test": {
"encryptionKMSType": "vaulttokens",
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultBackend": "kv-v2",
"vaultBackendPath": "secret/",
"vaultTLSServerName": "vault.default.svc.cluster.local",
"vaultCAVerify": "false",
@ -34,6 +36,7 @@ data:
"vault-tenant-sa-test": {
"encryptionKMSType": "vaulttenantsa",
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultBackend": "kv-v2",
"vaultBackendPath": "shared-secrets",
"vaultTLSServerName": "vault.default.svc.cluster.local",
"vaultCAVerify": "false",

View File

@ -7,6 +7,7 @@ metadata:
name: ceph-csi-kms-config
data:
vaultAddress: "http://vault.default.svc.cluster.local:8200"
vaultBackend: "kv-v1"
vaultBackendPath: "secret/"
vaultTLSServerName: "vault.default.svc.cluster.local"
vaultCAVerify: "false"

View File

@ -21,7 +21,7 @@ data:
vault login ${VAULT_DEV_ROOT_TOKEN_ID}
# create a secret store for the tenant
vault secrets enable -path="tenant" kv
vault secrets enable -version=2 -path="tenant" kv
# create a policy for the tenant
vault policy write "${TENANT_NAMESPACE}" - << EOS

View File

@ -19,5 +19,6 @@ kind: ConfigMap
metadata:
name: ceph-csi-kms-config
data:
vaultBackend: kv-v2
vaultBackendPath: tenant
vaultRole: ceph-csi-tenant

View File

@ -132,6 +132,16 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
}
// default: !firstInit
vaultBackend := "" // optional
err = setConfigString(&vaultBackend, config, "vaultBackend")
if errors.Is(err, errConfigOptionInvalid) {
return err
}
// set the option if the value was not invalid
if !errors.Is(err, errConfigOptionMissing) {
vaultConfig[vault.VaultBackendKey] = vaultBackend
}
vaultBackendPath := "" // optional
err = setConfigString(&vaultBackendPath, config, "vaultBackendPath")
if errors.Is(err, errConfigOptionInvalid) {

View File

@ -57,6 +57,7 @@ const (
type standardVault struct {
KmsPROVIDER string `json:"KMS_PROVIDER"`
VaultADDR string `json:"VAULT_ADDR"`
VaultBackend string `json:"VAULT_BACKEND"`
VaultBackendPath string `json:"VAULT_BACKEND_PATH"`
VaultCACert string `json:"VAULT_CACERT"`
VaultTLSServerName string `json:"VAULT_TLS_SERVER_NAME"`
@ -69,6 +70,7 @@ type standardVault struct {
type vaultTokenConf struct {
EncryptionKMSType string `json:"encryptionKMSType"`
VaultAddress string `json:"vaultAddress"`
VaultBackend string `json:"vaultBackend"`
VaultBackendPath string `json:"vaultBackendPath"`
VaultCAFromSecret string `json:"vaultCAFromSecret"`
VaultTLSServerName string `json:"vaultTLSServerName"`
@ -81,6 +83,7 @@ type vaultTokenConf struct {
func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
v.EncryptionKMSType = s.KmsPROVIDER
v.VaultAddress = s.VaultADDR
v.VaultBackend = s.VaultBackend
v.VaultBackendPath = s.VaultBackendPath
v.VaultCAFromSecret = s.VaultCACert
v.VaultClientCertFromSecret = s.VaultClientCert
@ -147,6 +150,7 @@ Example JSON structure in the KMS config is,
"vault-with-tokens": {
"encryptionKMSType": "vaulttokens",
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
"vaultBackend": "kv-v2",
"vaultBackendPath": "secret/",
"vaultTLSServerName": "vault.default.svc.cluster.local",
"vaultCAFromSecret": "vault-ca",
@ -515,6 +519,7 @@ func (vtc *vaultTenantConnection) getCertificate(tenant, secretName, key string)
func isTenantConfigOption(opt string) bool {
switch opt {
case "vaultAddress":
case "vaultBackend":
case "vaultBackendPath":
case "vaultTLSServerName":
case "vaultCAFromSecret":

View File

@ -125,6 +125,7 @@ func TestStdVaultToCSIConfig(t *testing.T) {
vaultConfigMap := `{
"KMS_PROVIDER":"vaulttokens",
"VAULT_ADDR":"https://vault.example.com",
"VAULT_BACKEND":"kv-v2",
"VAULT_BACKEND_PATH":"/secret",
"VAULT_CACERT":"",
"VAULT_TLS_SERVER_NAME":"vault.example.com",
@ -150,6 +151,8 @@ func TestStdVaultToCSIConfig(t *testing.T) {
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
case v.VaultAddress != "https://vault.example.com":
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
case v.VaultBackend != "kv-v2":
t.Errorf("unexpected value for VaultBackend: %s", v.VaultBackend)
case v.VaultBackendPath != "/secret":
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
case v.VaultCAFromSecret != "":
@ -172,6 +175,7 @@ func TestTransformConfig(t *testing.T) {
cm := make(map[string]interface{})
cm["KMS_PROVIDER"] = "vaulttokens"
cm["VAULT_ADDR"] = "https://vault.example.com"
cm["VAULT_BACKEND"] = "kv-v2"
cm["VAULT_BACKEND_PATH"] = "/secret"
cm["VAULT_CACERT"] = ""
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
@ -184,6 +188,7 @@ func TestTransformConfig(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
assert.Equal(t, config["vaultBackend"], cm["VAULT_BACKEND"])
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])