util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option

"VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable
(a string) that needs to get converted to the "vaultCAVerify"
configuration option in the Ceph-CSI format.

The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify";
this inversion was missing in the original conversion too.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2021-02-15 15:50:12 +01:00 committed by mergify[bot]
parent 8ab9189760
commit a42c4b5855
2 changed files with 52 additions and 3 deletions


@ -63,7 +63,7 @@ type standardVault struct {
VaultClientCert string `json:"VAULT_CLIENT_CERT"` VaultClientCert string `json:"VAULT_CLIENT_CERT"`
VaultClientKey string `json:"VAULT_CLIENT_KEY"` VaultClientKey string `json:"VAULT_CLIENT_KEY"`
VaultNamespace string `json:"VAULT_NAMESPACE"` VaultNamespace string `json:"VAULT_NAMESPACE"`
VaultSkipVerify *bool `json:"VAULT_SKIP_VERIFY"` VaultSkipVerify string `json:"VAULT_SKIP_VERIFY"`
} }
type vaultTokenConf struct { type vaultTokenConf struct {
@ -91,8 +91,9 @@ func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
// by default the CA should get verified, only when VaultSkipVerify is // by default the CA should get verified, only when VaultSkipVerify is
// set, verification should be disabled // set, verification should be disabled
v.VaultCAVerify = "true" v.VaultCAVerify = "true"
if s.VaultSkipVerify != nil { verify, err := strconv.ParseBool(s.VaultSkipVerify)
v.VaultCAVerify = strconv.FormatBool(*s.VaultSkipVerify) if err == nil {
v.VaultCAVerify = strconv.FormatBool(!verify)
} }
} }
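Review bot: The local named `verify` in convertStdVaultToCSIConfig holds the parsed skip flag, the opposite of what its name says, and that is easy to misread next to `!verify` on the line that decides whether the Vault CA is checked. Naming it for what it holds reads better: `skip, err := strconv.ParseBool(s.VaultSkipVerify)` followed by `v.VaultCAVerify = strconv.FormatBool(!skip)`. The parse error is also dropped silently, so an empty or malformed VAULT_SKIP_VERIFY leaves verification enabled; that is the safe outcome, and a comment such as `// unset or unparsable values keep CA verification enabled` would record that it is intentional. The field's change from `*bool` to `string` appears to mean that a JSON boolean in an existing config no longer unmarshals, which may deserve a mention in the description. The function body starts outside the hunk.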


@ -17,6 +17,7 @@ limitations under the License.
package util package util
import ( import (
"encoding/json"
"errors" "errors"
"strings" "strings"
"testing" "testing"
@ -110,3 +111,50 @@ func TestInitVaultTokensKMS(t *testing.T) {
t.Errorf("unexpected error: %s", err) t.Errorf("unexpected error: %s", err)
} }
} }
// TestStdVaultToCSIConfig converts a JSON document with standard VAULT_*
// environment variables to a vaultTokenConf structure.
func TestStdVaultToCSIConfig(t *testing.T) {
vaultConfigMap := `{
"KMS_PROVIDER":"vaulttokens",
"VAULT_ADDR":"https://vault.example.com",
"VAULT_BACKEND_PATH":"/secret",
"VAULT_CACERT":"",
"VAULT_TLS_SERVER_NAME":"vault.example.com",
"VAULT_CLIENT_CERT":"",
"VAULT_CLIENT_KEY":"",
"VAULT_NAMESPACE":"a-department",
"VAULT_SKIP_VERIFY":"true"
}`
sv := &standardVault{}
err := json.Unmarshal([]byte(vaultConfigMap), sv)
if err != nil {
t.Errorf("unexpected error: %s", err)
return
}
v := vaultTokenConf{}
v.convertStdVaultToCSIConfig(sv)
switch {
case v.EncryptionKMSType != kmsTypeVaultTokens:
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
case v.VaultAddress != "https://vault.example.com":
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
case v.VaultBackendPath != "/secret":
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
case v.VaultCAFromSecret != "":
t.Errorf("unexpected value for VaultCAFromSecret: %s", v.VaultCAFromSecret)
case v.VaultClientCertFromSecret != "":
t.Errorf("unexpected value for VaultClientCertFromSecret: %s", v.VaultClientCertFromSecret)
case v.VaultClientCertKeyFromSecret != "":
t.Errorf("unexpected value for VaultClientCertKeyFromSecret: %s", v.VaultClientCertKeyFromSecret)
case v.VaultNamespace != "a-department":
t.Errorf("unexpected value for VaultNamespace: %s", v.VaultNamespace)
case v.VaultTLSServerName != "vault.example.com":
t.Errorf("unexpected value for VaultTLSServerName: %s", v.VaultTLSServerName)
case v.VaultCAVerify != "false":
t.Errorf("unexpected value for VaultCAVerify: %s", v.VaultCAVerify)
}
}
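Review bot: TestStdVaultToCSIConfig only exercises `"VAULT_SKIP_VERIFY":"true"`, so no assertion pins the cases where CA verification has to stay enabled (value absent or empty, `"false"`, an unparsable string). Those are the inputs where a regression would silently turn TLS verification off, so they are worth a small loop after the existing switch. The sketch below assumes convertStdVaultToCSIConfig accepts an otherwise empty standardVault, which the visible lines do not show. Separately, the `switch` stops at the first mismatch, so a failing run reports only one wrong field.

```go
// … unchanged: JSON document, unmarshal and the switch on the "true" case …

// values that must leave CA verification enabled
for _, skip := range []string{"", "false", "not-a-bool"} {
	std := &standardVault{VaultSkipVerify: skip}
	conf := vaultTokenConf{}
	conf.convertStdVaultToCSIConfig(std)
	if conf.VaultCAVerify != "true" {
		t.Errorf("VAULT_SKIP_VERIFY=%q: unexpected value for VaultCAVerify: %s", skip, conf.VaultCAVerify)
	}
}
```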