util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option

"VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-11-22 14:20:19 +00:00 · 2021-02-15 15:50:12 +01:00 · 2021-02-15 15:50:12 +01:00 · a42c4b5855
commit a42c4b5855
parent 8ab9189760
2 changed files with 52 additions and 3 deletions
--- a/internal/util/vault_tokens.go
+++ b/internal/util/vault_tokens.go
@ -63,7 +63,7 @@ type standardVault struct {
 	VaultClientCert    string `json:"VAULT_CLIENT_CERT"`
 	VaultClientKey     string `json:"VAULT_CLIENT_KEY"`
 	VaultNamespace     string `json:"VAULT_NAMESPACE"`
-	VaultSkipVerify    *bool  `json:"VAULT_SKIP_VERIFY"`
+	VaultSkipVerify    string `json:"VAULT_SKIP_VERIFY"`
 }

 type vaultTokenConf struct {
@ -91,8 +91,9 @@ func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
 	// by default the CA should get verified, only when VaultSkipVerify is
 	// set, verification should be disabled
 	v.VaultCAVerify = "true"
-	if s.VaultSkipVerify != nil {
-		v.VaultCAVerify = strconv.FormatBool(*s.VaultSkipVerify)
+	verify, err := strconv.ParseBool(s.VaultSkipVerify)
+	if err == nil {
+		v.VaultCAVerify = strconv.FormatBool(!verify)
 	}
 }

--- a/internal/util/vault_tokens_test.go
+++ b/internal/util/vault_tokens_test.go
@ -17,6 +17,7 @@ limitations under the License.
 package util

 import (
+	"encoding/json"
 	"errors"
 	"strings"
 	"testing"
@ -110,3 +111,50 @@ func TestInitVaultTokensKMS(t *testing.T) {
 		t.Errorf("unexpected error: %s", err)
 	}
 }
+
+// TestStdVaultToCSIConfig converts a JSON document with standard VAULT_*
+// environment variables to a vaultTokenConf structure.
+func TestStdVaultToCSIConfig(t *testing.T) {
+	vaultConfigMap := `{
+		"KMS_PROVIDER":"vaulttokens",
+		"VAULT_ADDR":"https://vault.example.com",
+		"VAULT_BACKEND_PATH":"/secret",
+		"VAULT_CACERT":"",
+		"VAULT_TLS_SERVER_NAME":"vault.example.com",
+		"VAULT_CLIENT_CERT":"",
+		"VAULT_CLIENT_KEY":"",
+		"VAULT_NAMESPACE":"a-department",
+		"VAULT_SKIP_VERIFY":"true"
+	}`
+
+	sv := &standardVault{}
+	err := json.Unmarshal([]byte(vaultConfigMap), sv)
+	if err != nil {
+		t.Errorf("unexpected error: %s", err)
+		return
+	}
+
+	v := vaultTokenConf{}
+	v.convertStdVaultToCSIConfig(sv)
+
+	switch {
+	case v.EncryptionKMSType != kmsTypeVaultTokens:
+		t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
+	case v.VaultAddress != "https://vault.example.com":
+		t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
+	case v.VaultBackendPath != "/secret":
+		t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
+	case v.VaultCAFromSecret != "":
+		t.Errorf("unexpected value for VaultCAFromSecret: %s", v.VaultCAFromSecret)
+	case v.VaultClientCertFromSecret != "":
+		t.Errorf("unexpected value for VaultClientCertFromSecret: %s", v.VaultClientCertFromSecret)
+	case v.VaultClientCertKeyFromSecret != "":
+		t.Errorf("unexpected value for VaultClientCertKeyFromSecret: %s", v.VaultClientCertKeyFromSecret)
+	case v.VaultNamespace != "a-department":
+		t.Errorf("unexpected value for VaultNamespace: %s", v.VaultNamespace)
+	case v.VaultTLSServerName != "vault.example.com":
+		t.Errorf("unexpected value for VaultTLSServerName: %s", v.VaultTLSServerName)
+	case v.VaultCAVerify != "false":
+		t.Errorf("unexpected value for VaultCAVerify: %s", v.VaultCAVerify)
+	}
+}