util: allow configuring VAULT_AUTH_MOUNT_PATH for Vault Tenant SA KMS
The VAULT_AUTH_MOUNT_PATH is a Vault configuration parameter that allows
a user to set a non default path for the Kubernetes ServiceAccount
integration. This can already be configured for the Vault KMS, and is
now added to the Vault Tenant SA KMS as well.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 4859f2dfdb)
parent
05c9b3b245
commit
bc24a8c8ac
@ -39,6 +39,7 @@ const (
|
||||
|
||||
// vault configuration defaults.
|
||||
vaultDefaultAuthPath = "/v1/auth/kubernetes/login"
|
||||
vaultDefaultAuthMountPath = "kubernetes" // main component of vaultAuthPath
|
||||
vaultDefaultRole = "csi-kubernetes"
|
||||
vaultDefaultNamespace = ""
|
||||
vaultDefaultPassphrasePath = ""
|
||||
|
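Review bot: The new `vaultDefaultAuthMountPath = "kubernetes"` has to stay the mount segment of `vaultDefaultAuthPath = "/v1/auth/kubernetes/login"` declared just above it, and only the trailing comment ties the two together; if one is edited without the other, the Tenant SA KMS would log in against a different Vault auth backend than the token-based KMS without any test noticing. A one-line test pins the relationship, e.g. `got, err := detectAuthMountPath(vaultDefaultAuthPath)` followed by `assert.Equal(t, vaultDefaultAuthMountPath, got)` (with `assert.NoError(t, err)`). The const block starts before this hunk.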
@ -110,6 +110,9 @@ func initVaultTenantSA(args KMSInitializerArgs) (EncryptionKMS, error) {
|
||||
kms.ConfigName = vaultTokensDefaultConfigName
|
||||
kms.tenantSAName = vaultTenantSAName
|
||||
|
||||
// "vaultAuthPath" is configurable per tenant
|
||||
kms.vaultConfig[vault.AuthMountPath] = vaultDefaultAuthMountPath
|
||||
|
||||
// "vaultRole" is configurable per tenant
|
||||
kms.vaultConfig[vault.AuthKubernetesRole] = vaultDefaultRole
|
||||
|
||||
@ -197,6 +200,18 @@ func (kms *VaultTenantSA) parseConfig(config map[string]interface{}) error {
|
||||
kms.ConfigName, kms.Tenant, err)
|
||||
}
|
||||
|
||||
// default vaultAuthPath is set in initVaultTenantSA()
|
||||
var vaultAuthPath string
|
||||
err = setConfigString(&vaultAuthPath, config, "vaultAuthPath")
|
||||
if errors.Is(err, errConfigOptionInvalid) {
|
||||
return err
|
||||
} else if err == nil {
|
||||
kms.vaultConfig[vault.AuthMountPath], err = detectAuthMountPath(vaultAuthPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to set %s in Vault config: %w", vault.AuthMountPath, err)
|
||||
}
|
||||
}
|
||||
|
||||
// default vaultRole is set in initVaultTenantSA()
|
||||
var vaultRole string
|
||||
err = setConfigString(&vaultRole, config, "vaultRole")
|
||||
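Review bot: The string passed to `detectAuthMountPath` is read straight from the tenant's config map, and its result is stored under `vault.AuthMountPath`, which, judging by the test expectations in this commit, becomes the mount segment of the Vault login URL; detectAuthMountPath is not part of this diff, so it is worth confirming it rejects anything that is not a plain mount name (an empty result, embedded `/`, `..`, `?` or whitespace) rather than only trimming the `/v1/auth/` prefix and `/login` suffix, since a tenant could otherwise steer the login request to an arbitrary Vault path. Separately, only `errConfigOptionInvalid` aborts here and every other error from setConfigString silently keeps the default; that is presumably intended for the "option missing" case but would also hide an unexpected error kind, so a comment such as `// a missing option keeps the default set in initVaultTenantSA(); only a malformed one is fatal` would make the intent explicit. parseConfig starts and ends outside this hunk.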
@ -222,6 +237,7 @@ func isTenantSAConfigOption(opt string) bool {
|
||||
// additional options for VaultTenantSA
|
||||
switch opt {
|
||||
case "tenantSAName":
|
||||
case "vaultAuthPath":
|
||||
case "vaultRole":
|
||||
default:
|
||||
return false
|
||||
|
@ -17,6 +17,7 @@ limitations under the License.
|
||||
package util
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -27,3 +28,50 @@ func TestVaultTenantSAKMSRegistered(t *testing.T) {
|
||||
_, ok := kmsManager.providers[kmsTypeVaultTenantSA]
|
||||
assert.True(t, ok)
|
||||
}
|
||||
|
||||
func TestTenantSAParseConfig(t *testing.T) {
|
||||
t.Parallel()
|
||||
vts := VaultTenantSA{}
|
||||
|
||||
config := make(map[string]interface{})
|
||||
|
||||
// empty config map
|
||||
err := vts.parseConfig(config)
|
||||
if !errors.Is(err, errConfigOptionMissing) {
|
||||
t.Errorf("unexpected error (%T): %s", err, err)
|
||||
}
|
||||
|
||||
// fill default options (normally done in initVaultTokensKMS)
|
||||
config["vaultAddress"] = "https://vault.bob.cluster.svc"
|
||||
config["vaultAuthPath"] = "/v1/auth/kube-auth/login"
|
||||
|
||||
// parsing with all required options
|
||||
err = vts.parseConfig(config)
|
||||
switch {
|
||||
case err != nil:
|
||||
t.Errorf("unexpected error: %s", err)
|
||||
case vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"] != "kube-auth":
|
||||
t.Errorf("vaultAuthPath set to unexpected value: %s", vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"])
|
||||
}
|
||||
|
||||
// tenant "bob" uses a different auth mount path
|
||||
bob := make(map[string]interface{})
|
||||
bob["vaultAuthPath"] = "/v1/auth/bobs-cluster/login"
|
||||
err = vts.parseConfig(bob)
|
||||
switch {
|
||||
case err != nil:
|
||||
t.Errorf("unexpected error: %s", err)
|
||||
case vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"] != "bobs-cluster":
|
||||
t.Errorf("vaultAuthPath set to unexpected value: %s", vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"])
|
||||
}
|
||||
|
||||
// auth mount path can be passed like VAULT_AUTH_MOUNT_PATH too
|
||||
bob["vaultAuthPath"] = "bobs-2nd-cluster"
|
||||
err = vts.parseConfig(bob)
|
||||
switch {
|
||||
case err != nil:
|
||||
t.Errorf("unexpected error: %s", err)
|
||||
case vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"] != "bobs-2nd-cluster":
|
||||
t.Errorf("vaultAuthPath set to unexpected value: %s", vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"])
|
||||
}
|
||||
}
|
||||
|
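Review bot: TestTenantSAParseConfig only exercises accepted values, so neither the `errConfigOptionInvalid` return nor the wrapped detectAuthMountPath error in parseConfig is covered. A non-string value pins the first: `bob["vaultAuthPath"] = 42` followed by `if err = vts.parseConfig(bob); !errors.Is(err, errConfigOptionInvalid) { t.Errorf("expected errConfigOptionInvalid, got %v", err) }`; a value detectAuthMountPath rejects (not visible in this diff) would pin the second. The comment `// fill default options (normally done in initVaultTokensKMS)` appears to name the wrong initializer for this type; `initVaultTenantSA` seems to be what is meant.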