mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-22 14:20:19 +00:00
util: convert VAULT_SKIP_VERIFY to "vaultCAVerify" KMS option
"VAULT_SKIP_VERIFY" is a standard Hashicorp Vault environment variable (a string) that needs to get converted to the "vaultCAVerify" configuration option in the Ceph-CSI format. The value of "VAULT_SKIP_VERIFY" means the reverse of "vaultCAVerify", this part was missing in the original conversion too. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
8ab9189760
commit
a42c4b5855
@ -63,7 +63,7 @@ type standardVault struct {
|
||||
VaultClientCert string `json:"VAULT_CLIENT_CERT"`
|
||||
VaultClientKey string `json:"VAULT_CLIENT_KEY"`
|
||||
VaultNamespace string `json:"VAULT_NAMESPACE"`
|
||||
VaultSkipVerify *bool `json:"VAULT_SKIP_VERIFY"`
|
||||
VaultSkipVerify string `json:"VAULT_SKIP_VERIFY"`
|
||||
}
|
||||
|
||||
type vaultTokenConf struct {
|
||||
@ -91,8 +91,9 @@ func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
||||
// by default the CA should get verified, only when VaultSkipVerify is
|
||||
// set, verification should be disabled
|
||||
v.VaultCAVerify = "true"
|
||||
if s.VaultSkipVerify != nil {
|
||||
v.VaultCAVerify = strconv.FormatBool(*s.VaultSkipVerify)
|
||||
verify, err := strconv.ParseBool(s.VaultSkipVerify)
|
||||
if err == nil {
|
||||
v.VaultCAVerify = strconv.FormatBool(!verify)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -17,6 +17,7 @@ limitations under the License.
|
||||
package util
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"strings"
|
||||
"testing"
|
||||
@ -110,3 +111,50 @@ func TestInitVaultTokensKMS(t *testing.T) {
|
||||
t.Errorf("unexpected error: %s", err)
|
||||
}
|
||||
}
|
||||
|
||||
// TestStdVaultToCSIConfig converts a JSON document with standard VAULT_*
|
||||
// environment variables to a vaultTokenConf structure.
|
||||
func TestStdVaultToCSIConfig(t *testing.T) {
|
||||
vaultConfigMap := `{
|
||||
"KMS_PROVIDER":"vaulttokens",
|
||||
"VAULT_ADDR":"https://vault.example.com",
|
||||
"VAULT_BACKEND_PATH":"/secret",
|
||||
"VAULT_CACERT":"",
|
||||
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
||||
"VAULT_CLIENT_CERT":"",
|
||||
"VAULT_CLIENT_KEY":"",
|
||||
"VAULT_NAMESPACE":"a-department",
|
||||
"VAULT_SKIP_VERIFY":"true"
|
||||
}`
|
||||
|
||||
sv := &standardVault{}
|
||||
err := json.Unmarshal([]byte(vaultConfigMap), sv)
|
||||
if err != nil {
|
||||
t.Errorf("unexpected error: %s", err)
|
||||
return
|
||||
}
|
||||
|
||||
v := vaultTokenConf{}
|
||||
v.convertStdVaultToCSIConfig(sv)
|
||||
|
||||
switch {
|
||||
case v.EncryptionKMSType != kmsTypeVaultTokens:
|
||||
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
||||
case v.VaultAddress != "https://vault.example.com":
|
||||
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
||||
case v.VaultBackendPath != "/secret":
|
||||
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
||||
case v.VaultCAFromSecret != "":
|
||||
t.Errorf("unexpected value for VaultCAFromSecret: %s", v.VaultCAFromSecret)
|
||||
case v.VaultClientCertFromSecret != "":
|
||||
t.Errorf("unexpected value for VaultClientCertFromSecret: %s", v.VaultClientCertFromSecret)
|
||||
case v.VaultClientCertKeyFromSecret != "":
|
||||
t.Errorf("unexpected value for VaultClientCertKeyFromSecret: %s", v.VaultClientCertKeyFromSecret)
|
||||
case v.VaultNamespace != "a-department":
|
||||
t.Errorf("unexpected value for VaultNamespace: %s", v.VaultNamespace)
|
||||
case v.VaultTLSServerName != "vault.example.com":
|
||||
t.Errorf("unexpected value for VaultTLSServerName: %s", v.VaultTLSServerName)
|
||||
case v.VaultCAVerify != "false":
|
||||
t.Errorf("unexpected value for VaultCAVerify: %s", v.VaultCAVerify)
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user