mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-23 23:00:19 +00:00
util: allow configuring VAULT_BACKEND for Vault connection
It seems that the version of the key/value engine can not always be
detected for Hashicorp Vault. In certain cases, it is required to
configure the `VAULT_BACKEND` (or `vaultBackend`) option so that a
successful connection to the service can be made.
The `kv-v2` is the current default for development deployments of
Hashicorp Vault (what we use for automated testing). Production
deployments default to version 1 for now.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 82557e3f34)
This commit is contained in:
Niels de Vos
mergify[bot]
parent
c61e6b3f8c
commit
a5211dcf0e
@ -9,6 +9,7 @@ data:
|
|||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
"vaultAuthPath": "/v1/auth/kubernetes/login",
|
||||||
"vaultRole": "csi-kubernetes",
|
"vaultRole": "csi-kubernetes",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultPassphraseRoot": "/v1/secret",
|
"vaultPassphraseRoot": "/v1/secret",
|
||||||
"vaultPassphrasePath": "ceph-csi/",
|
"vaultPassphrasePath": "ceph-csi/",
|
||||||
"vaultCAVerify": "false"
|
"vaultCAVerify": "false"
|
||||||
@ -16,6 +17,7 @@ data:
|
|||||||
"vault-tokens-test": {
|
"vault-tokens-test": {
|
||||||
"encryptionKMSType": "vaulttokens",
|
"encryptionKMSType": "vaulttokens",
|
||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultBackendPath": "secret/",
|
"vaultBackendPath": "secret/",
|
||||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||||
"vaultCAVerify": "false",
|
"vaultCAVerify": "false",
|
||||||
|
|||||||
@ -7,6 +7,7 @@ metadata:
|
|||||||
name: ceph-csi-kms-config
|
name: ceph-csi-kms-config
|
||||||
data:
|
data:
|
||||||
vaultAddress: "http://vault.default.svc.cluster.local:8200"
|
vaultAddress: "http://vault.default.svc.cluster.local:8200"
|
||||||
|
vaultBackend: "kv-v1"
|
||||||
vaultBackendPath: "secret/"
|
vaultBackendPath: "secret/"
|
||||||
vaultTLSServerName: "vault.default.svc.cluster.local"
|
vaultTLSServerName: "vault.default.svc.cluster.local"
|
||||||
vaultCAVerify: "false"
|
vaultCAVerify: "false"
|
||||||
|
|||||||
@ -131,6 +131,16 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
|
|||||||
}
|
}
|
||||||
// default: !firstInit
|
// default: !firstInit
|
||||||
|
|
||||||
|
vaultBackend := "" // optional
|
||||||
|
err = setConfigString(&vaultBackend, config, "vaultBackend")
|
||||||
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
// set the option if the value was not invalid
|
||||||
|
if !errors.Is(err, errConfigOptionMissing) {
|
||||||
|
vaultConfig[vault.VaultBackendKey] = vaultBackend
|
||||||
|
}
|
||||||
|
|
||||||
vaultBackendPath := "" // optional
|
vaultBackendPath := "" // optional
|
||||||
err = setConfigString(&vaultBackendPath, config, "vaultBackendPath")
|
err = setConfigString(&vaultBackendPath, config, "vaultBackendPath")
|
||||||
if errors.Is(err, errConfigOptionInvalid) {
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
|||||||
@ -56,6 +56,7 @@ const (
|
|||||||
type standardVault struct {
|
type standardVault struct {
|
||||||
KmsPROVIDER string `json:"KMS_PROVIDER"`
|
KmsPROVIDER string `json:"KMS_PROVIDER"`
|
||||||
VaultADDR string `json:"VAULT_ADDR"`
|
VaultADDR string `json:"VAULT_ADDR"`
|
||||||
|
VaultBackend string `json:"VAULT_BACKEND"`
|
||||||
VaultBackendPath string `json:"VAULT_BACKEND_PATH"`
|
VaultBackendPath string `json:"VAULT_BACKEND_PATH"`
|
||||||
VaultCACert string `json:"VAULT_CACERT"`
|
VaultCACert string `json:"VAULT_CACERT"`
|
||||||
VaultTLSServerName string `json:"VAULT_TLS_SERVER_NAME"`
|
VaultTLSServerName string `json:"VAULT_TLS_SERVER_NAME"`
|
||||||
@ -68,6 +69,7 @@ type standardVault struct {
|
|||||||
type vaultTokenConf struct {
|
type vaultTokenConf struct {
|
||||||
EncryptionKMSType string `json:"encryptionKMSType"`
|
EncryptionKMSType string `json:"encryptionKMSType"`
|
||||||
VaultAddress string `json:"vaultAddress"`
|
VaultAddress string `json:"vaultAddress"`
|
||||||
|
VaultBackend string `json:"vaultBackend"`
|
||||||
VaultBackendPath string `json:"vaultBackendPath"`
|
VaultBackendPath string `json:"vaultBackendPath"`
|
||||||
VaultCAFromSecret string `json:"vaultCAFromSecret"`
|
VaultCAFromSecret string `json:"vaultCAFromSecret"`
|
||||||
VaultTLSServerName string `json:"vaultTLSServerName"`
|
VaultTLSServerName string `json:"vaultTLSServerName"`
|
||||||
@ -80,6 +82,7 @@ type vaultTokenConf struct {
|
|||||||
func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
||||||
v.EncryptionKMSType = s.KmsPROVIDER
|
v.EncryptionKMSType = s.KmsPROVIDER
|
||||||
v.VaultAddress = s.VaultADDR
|
v.VaultAddress = s.VaultADDR
|
||||||
|
v.VaultBackend = s.VaultBackend
|
||||||
v.VaultBackendPath = s.VaultBackendPath
|
v.VaultBackendPath = s.VaultBackendPath
|
||||||
v.VaultCAFromSecret = s.VaultCACert
|
v.VaultCAFromSecret = s.VaultCACert
|
||||||
v.VaultClientCertFromSecret = s.VaultClientCert
|
v.VaultClientCertFromSecret = s.VaultClientCert
|
||||||
@ -145,6 +148,7 @@ Example JSON structure in the KMS config is,
|
|||||||
"vault-with-tokens": {
|
"vault-with-tokens": {
|
||||||
"encryptionKMSType": "vaulttokens",
|
"encryptionKMSType": "vaulttokens",
|
||||||
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
"vaultAddress": "http://vault.default.svc.cluster.local:8200",
|
||||||
|
"vaultBackend": "kv-v2",
|
||||||
"vaultBackendPath": "secret/",
|
"vaultBackendPath": "secret/",
|
||||||
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
"vaultTLSServerName": "vault.default.svc.cluster.local",
|
||||||
"vaultCAFromSecret": "vault-ca",
|
"vaultCAFromSecret": "vault-ca",
|
||||||
@ -445,6 +449,7 @@ func getCertificate(tenant, secretName, key string) (string, error) {
|
|||||||
func isTenantConfigOption(opt string) bool {
|
func isTenantConfigOption(opt string) bool {
|
||||||
switch opt {
|
switch opt {
|
||||||
case "vaultAddress":
|
case "vaultAddress":
|
||||||
|
case "vaultBackend":
|
||||||
case "vaultBackendPath":
|
case "vaultBackendPath":
|
||||||
case "vaultTLSServerName":
|
case "vaultTLSServerName":
|
||||||
case "vaultCAFromSecret":
|
case "vaultCAFromSecret":
|
||||||
|
|||||||
@ -125,6 +125,7 @@ func TestStdVaultToCSIConfig(t *testing.T) {
|
|||||||
vaultConfigMap := `{
|
vaultConfigMap := `{
|
||||||
"KMS_PROVIDER":"vaulttokens",
|
"KMS_PROVIDER":"vaulttokens",
|
||||||
"VAULT_ADDR":"https://vault.example.com",
|
"VAULT_ADDR":"https://vault.example.com",
|
||||||
|
"VAULT_BACKEND":"kv-v2",
|
||||||
"VAULT_BACKEND_PATH":"/secret",
|
"VAULT_BACKEND_PATH":"/secret",
|
||||||
"VAULT_CACERT":"",
|
"VAULT_CACERT":"",
|
||||||
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
||||||
@ -149,6 +150,8 @@ func TestStdVaultToCSIConfig(t *testing.T) {
|
|||||||
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
||||||
case v.VaultAddress != "https://vault.example.com":
|
case v.VaultAddress != "https://vault.example.com":
|
||||||
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
||||||
|
case v.VaultBackend != "kv-v2":
|
||||||
|
t.Errorf("unexpected value for VaultBackend: %s", v.VaultBackend)
|
||||||
case v.VaultBackendPath != "/secret":
|
case v.VaultBackendPath != "/secret":
|
||||||
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
||||||
case v.VaultCAFromSecret != "":
|
case v.VaultCAFromSecret != "":
|
||||||
@ -170,6 +173,7 @@ func TestTransformConfig(t *testing.T) {
|
|||||||
cm := make(map[string]interface{})
|
cm := make(map[string]interface{})
|
||||||
cm["KMS_PROVIDER"] = "vaulttokens"
|
cm["KMS_PROVIDER"] = "vaulttokens"
|
||||||
cm["VAULT_ADDR"] = "https://vault.example.com"
|
cm["VAULT_ADDR"] = "https://vault.example.com"
|
||||||
|
cm["VAULT_BACKEND"] = "kv-v2"
|
||||||
cm["VAULT_BACKEND_PATH"] = "/secret"
|
cm["VAULT_BACKEND_PATH"] = "/secret"
|
||||||
cm["VAULT_CACERT"] = ""
|
cm["VAULT_CACERT"] = ""
|
||||||
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
|
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
|
||||||
@ -182,6 +186,7 @@ func TestTransformConfig(t *testing.T) {
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
||||||
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
|
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
|
||||||
|
assert.Equal(t, config["vaultBackend"], cm["VAULT_BACKEND"])
|
||||||
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
|
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
|
||||||
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
|
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
|
||||||
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
|
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user