mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-22 14:20:19 +00:00
util: allow configuring VAULT_BACKEND for Vault connection
It seems that the version of the key/value engine can not always be detected for Hashicorp Vault. In certain cases, it is required to configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a successful connection to the service can be made. The `kv-v2` is the current default for development deployments of Hashicorp Vault (what we use for automated testing). Production deployments default to version 1 for now. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
75b9b9fe6d
commit
82557e3f34
@ -9,6 +9,7 @@ data:
|
|||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
||||||
"vaultRole": "csi-kubernetes",
|
"vaultRole": "csi-kubernetes",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultPassphraseRoot": "/v1/secret",
|
"vaultPassphraseRoot": "/v1/secret",
|
||||||
"vaultPassphrasePath": "ceph-csi/",
|
"vaultPassphrasePath": "ceph-csi/",
|
||||||
"vaultCAVerify": "false"
|
"vaultCAVerify": "false"
|
||||||
@ -16,6 +17,7 @@ data:
|
|||||||
"vault-tokens-test": {
|
"vault-tokens-test": {
|
||||||
"encryptionKMSType": "vaulttokens",
|
"encryptionKMSType": "vaulttokens",
|
||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultBackendPath": "secret/",
|
"vaultBackendPath": "secret/",
|
||||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||||
"vaultCAVerify": "false",
|
"vaultCAVerify": "false",
|
||||||
@ -34,6 +36,7 @@ data:
|
|||||||
"vault-tenant-sa-test": {
|
"vault-tenant-sa-test": {
|
||||||
"encryptionKMSType": "vaulttenantsa",
|
"encryptionKMSType": "vaulttenantsa",
|
||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultBackendPath": "shared-secrets",
|
"vaultBackendPath": "shared-secrets",
|
||||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||||
"vaultCAVerify": "false",
|
"vaultCAVerify": "false",
|
||||||
|
@ -7,6 +7,7 @@ metadata:
|
|||||||
name: ceph-csi-kms-config
|
name: ceph-csi-kms-config
|
||||||
data:
|
data:
|
||||||
vaultAddress: "http://vault.default.svc.cluster.local:8200"
|
vaultAddress: "http://vault.default.svc.cluster.local:8200"
|
||||||
|
vaultBackend: "kv-v1"
|
||||||
vaultBackendPath: "secret/"
|
vaultBackendPath: "secret/"
|
||||||
vaultTLSServerName: "vault.default.svc.cluster.local"
|
vaultTLSServerName: "vault.default.svc.cluster.local"
|
||||||
vaultCAVerify: "false"
|
vaultCAVerify: "false"
|
||||||
|
@ -21,7 +21,7 @@ data:
|
|||||||
vault login ${VAULT_DEV_ROOT_TOKEN_ID}
|
vault login ${VAULT_DEV_ROOT_TOKEN_ID}
|
||||||
|
|
||||||
# create a secret store for the tenant
|
# create a secret store for the tenant
|
||||||
vault secrets enable -path="tenant" kv
|
vault secrets enable -version=2 -path="tenant" kv
|
||||||
|
|
||||||
# create a policy for the tenant
|
# create a policy for the tenant
|
||||||
vault policy write "${TENANT_NAMESPACE}" - << EOS
|
vault policy write "${TENANT_NAMESPACE}" - << EOS
|
||||||
|
@ -19,5 +19,6 @@ kind: ConfigMap
|
|||||||
metadata:
|
metadata:
|
||||||
name: ceph-csi-kms-config
|
name: ceph-csi-kms-config
|
||||||
data:
|
data:
|
||||||
|
vaultBackend: kv-v2
|
||||||
vaultBackendPath: tenant
|
vaultBackendPath: tenant
|
||||||
vaultRole: ceph-csi-tenant
|
vaultRole: ceph-csi-tenant
|
||||||
|
@ -132,6 +132,16 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
|
|||||||
}
|
}
|
||||||
// default: !firstInit
|
// default: !firstInit
|
||||||
|
|
||||||
|
vaultBackend := "" // optional
|
||||||
|
err = setConfigString(&vaultBackend, config, "vaultBackend")
|
||||||
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
// set the option if the value was not invalid
|
||||||
|
if !errors.Is(err, errConfigOptionMissing) {
|
||||||
|
vaultConfig[vault.VaultBackendKey] = vaultBackend
|
||||||
|
}
|
||||||
|
|
||||||
vaultBackendPath := "" // optional
|
vaultBackendPath := "" // optional
|
||||||
err = setConfigString(&vaultBackendPath, config, "vaultBackendPath")
|
err = setConfigString(&vaultBackendPath, config, "vaultBackendPath")
|
||||||
if errors.Is(err, errConfigOptionInvalid) {
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
@ -57,6 +57,7 @@ const (
|
|||||||
type standardVault struct {
|
type standardVault struct {
|
||||||
KmsPROVIDER string `json:"KMS_PROVIDER"`
|
KmsPROVIDER string `json:"KMS_PROVIDER"`
|
||||||
VaultADDR string `json:"VAULT_ADDR"`
|
VaultADDR string `json:"VAULT_ADDR"`
|
||||||
|
VaultBackend string `json:"VAULT_BACKEND"`
|
||||||
VaultBackendPath string `json:"VAULT_BACKEND_PATH"`
|
VaultBackendPath string `json:"VAULT_BACKEND_PATH"`
|
||||||
VaultCACert string `json:"VAULT_CACERT"`
|
VaultCACert string `json:"VAULT_CACERT"`
|
||||||
VaultTLSServerName string `json:"VAULT_TLS_SERVER_NAME"`
|
VaultTLSServerName string `json:"VAULT_TLS_SERVER_NAME"`
|
||||||
@ -69,6 +70,7 @@ type standardVault struct {
|
|||||||
type vaultTokenConf struct {
|
type vaultTokenConf struct {
|
||||||
EncryptionKMSType string `json:"encryptionKMSType"`
|
EncryptionKMSType string `json:"encryptionKMSType"`
|
||||||
VaultAddress string `json:"vaultAddress"`
|
VaultAddress string `json:"vaultAddress"`
|
||||||
|
VaultBackend string `json:"vaultBackend"`
|
||||||
VaultBackendPath string `json:"vaultBackendPath"`
|
VaultBackendPath string `json:"vaultBackendPath"`
|
||||||
VaultCAFromSecret string `json:"vaultCAFromSecret"`
|
VaultCAFromSecret string `json:"vaultCAFromSecret"`
|
||||||
VaultTLSServerName string `json:"vaultTLSServerName"`
|
VaultTLSServerName string `json:"vaultTLSServerName"`
|
||||||
@ -81,6 +83,7 @@ type vaultTokenConf struct {
|
|||||||
func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
||||||
v.EncryptionKMSType = s.KmsPROVIDER
|
v.EncryptionKMSType = s.KmsPROVIDER
|
||||||
v.VaultAddress = s.VaultADDR
|
v.VaultAddress = s.VaultADDR
|
||||||
|
v.VaultBackend = s.VaultBackend
|
||||||
v.VaultBackendPath = s.VaultBackendPath
|
v.VaultBackendPath = s.VaultBackendPath
|
||||||
v.VaultCAFromSecret = s.VaultCACert
|
v.VaultCAFromSecret = s.VaultCACert
|
||||||
v.VaultClientCertFromSecret = s.VaultClientCert
|
v.VaultClientCertFromSecret = s.VaultClientCert
|
||||||
@ -147,6 +150,7 @@ Example JSON structure in the KMS config is,
|
|||||||
"vault-with-tokens": {
|
"vault-with-tokens": {
|
||||||
"encryptionKMSType": "vaulttokens",
|
"encryptionKMSType": "vaulttokens",
|
||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultBackendPath": "secret/",
|
"vaultBackendPath": "secret/",
|
||||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||||
"vaultCAFromSecret": "vault-ca",
|
"vaultCAFromSecret": "vault-ca",
|
||||||
@ -515,6 +519,7 @@ func (vtc *vaultTenantConnection) getCertificate(tenant, secretName, key string)
|
|||||||
func isTenantConfigOption(opt string) bool {
|
func isTenantConfigOption(opt string) bool {
|
||||||
switch opt {
|
switch opt {
|
||||||
case "vaultAddress":
|
case "vaultAddress":
|
||||||
|
case "vaultBackend":
|
||||||
case "vaultBackendPath":
|
case "vaultBackendPath":
|
||||||
case "vaultTLSServerName":
|
case "vaultTLSServerName":
|
||||||
case "vaultCAFromSecret":
|
case "vaultCAFromSecret":
|
||||||
|
@ -125,6 +125,7 @@ func TestStdVaultToCSIConfig(t *testing.T) {
|
|||||||
vaultConfigMap := `{
|
vaultConfigMap := `{
|
||||||
"KMS_PROVIDER":"vaulttokens",
|
"KMS_PROVIDER":"vaulttokens",
|
||||||
"VAULT_ADDR":"https://vault.example.com",
|
"VAULT_ADDR":"https://vault.example.com",
|
||||||
|
"VAULT_BACKEND":"kv-v2",
|
||||||
"VAULT_BACKEND_PATH":"/secret",
|
"VAULT_BACKEND_PATH":"/secret",
|
||||||
"VAULT_CACERT":"",
|
"VAULT_CACERT":"",
|
||||||
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
||||||
@ -150,6 +151,8 @@ func TestStdVaultToCSIConfig(t *testing.T) {
|
|||||||
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
||||||
case v.VaultAddress != "https://vault.example.com":
|
case v.VaultAddress != "https://vault.example.com":
|
||||||
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
||||||
|
case v.VaultBackend != "kv-v2":
|
||||||
|
t.Errorf("unexpected value for VaultBackend: %s", v.VaultBackend)
|
||||||
case v.VaultBackendPath != "/secret":
|
case v.VaultBackendPath != "/secret":
|
||||||
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
||||||
case v.VaultCAFromSecret != "":
|
case v.VaultCAFromSecret != "":
|
||||||
@ -172,6 +175,7 @@ func TestTransformConfig(t *testing.T) {
|
|||||||
cm := make(map[string]interface{})
|
cm := make(map[string]interface{})
|
||||||
cm["KMS_PROVIDER"] = "vaulttokens"
|
cm["KMS_PROVIDER"] = "vaulttokens"
|
||||||
cm["VAULT_ADDR"] = "https://vault.example.com"
|
cm["VAULT_ADDR"] = "https://vault.example.com"
|
||||||
|
cm["VAULT_BACKEND"] = "kv-v2"
|
||||||
cm["VAULT_BACKEND_PATH"] = "/secret"
|
cm["VAULT_BACKEND_PATH"] = "/secret"
|
||||||
cm["VAULT_CACERT"] = ""
|
cm["VAULT_CACERT"] = ""
|
||||||
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
|
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
|
||||||
@ -184,6 +188,7 @@ func TestTransformConfig(t *testing.T) {
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
||||||
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
|
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
|
||||||
|
assert.Equal(t, config["vaultBackend"], cm["VAULT_BACKEND"])
|
||||||
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
|
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
|
||||||
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
|
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
|
||||||
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
|
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
|
||||||
|
Loading…
Reference in New Issue
Block a user