util: allow configuring VAULT_AUTH_MOUNT_PATH for Vault Tenant SA KMS
The VAULT_AUTH_MOUNT_PATH is a Vault configuration parameter that allows
a user to set a non-default mount path for the Kubernetes ServiceAccount
auth method. This could already be configured for the Vault KMS, and is
now supported by the Vault Tenant SA KMS as well.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 4859f2dfdb
)
This commit is contained in:
parent
05c9b3b245
commit
bc24a8c8ac
@ -39,6 +39,7 @@ const (
|
|||||||
|
|
||||||
// vault configuration defaults.
|
// vault configuration defaults.
|
||||||
vaultDefaultAuthPath = "/v1/auth/kubernetes/login"
|
vaultDefaultAuthPath = "/v1/auth/kubernetes/login"
|
||||||
|
vaultDefaultAuthMountPath = "kubernetes" // main component of vaultAuthPath
|
||||||
vaultDefaultRole = "csi-kubernetes"
|
vaultDefaultRole = "csi-kubernetes"
|
||||||
vaultDefaultNamespace = ""
|
vaultDefaultNamespace = ""
|
||||||
vaultDefaultPassphrasePath = ""
|
vaultDefaultPassphrasePath = ""
|
||||||
|
@ -110,6 +110,9 @@ func initVaultTenantSA(args KMSInitializerArgs) (EncryptionKMS, error) {
|
|||||||
kms.ConfigName = vaultTokensDefaultConfigName
|
kms.ConfigName = vaultTokensDefaultConfigName
|
||||||
kms.tenantSAName = vaultTenantSAName
|
kms.tenantSAName = vaultTenantSAName
|
||||||
|
|
||||||
|
// "vaultAuthPath" is configurable per tenant
|
||||||
|
kms.vaultConfig[vault.AuthMountPath] = vaultDefaultAuthMountPath
|
||||||
|
|
||||||
// "vaultRole" is configurable per tenant
|
// "vaultRole" is configurable per tenant
|
||||||
kms.vaultConfig[vault.AuthKubernetesRole] = vaultDefaultRole
|
kms.vaultConfig[vault.AuthKubernetesRole] = vaultDefaultRole
|
||||||
|
|
||||||
@ -197,6 +200,18 @@ func (kms *VaultTenantSA) parseConfig(config map[string]interface{}) error {
|
|||||||
kms.ConfigName, kms.Tenant, err)
|
kms.ConfigName, kms.Tenant, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// default vaultAuthPath is set in initVaultTenantSA()
|
||||||
|
var vaultAuthPath string
|
||||||
|
err = setConfigString(&vaultAuthPath, config, "vaultAuthPath")
|
||||||
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return err
|
||||||
|
} else if err == nil {
|
||||||
|
kms.vaultConfig[vault.AuthMountPath], err = detectAuthMountPath(vaultAuthPath)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("failed to set %s in Vault config: %w", vault.AuthMountPath, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// default vaultRole is set in initVaultTenantSA()
|
// default vaultRole is set in initVaultTenantSA()
|
||||||
var vaultRole string
|
var vaultRole string
|
||||||
err = setConfigString(&vaultRole, config, "vaultRole")
|
err = setConfigString(&vaultRole, config, "vaultRole")
|
||||||
@ -222,6 +237,7 @@ func isTenantSAConfigOption(opt string) bool {
|
|||||||
// additional options for VaultTenantSA
|
// additional options for VaultTenantSA
|
||||||
switch opt {
|
switch opt {
|
||||||
case "tenantSAName":
|
case "tenantSAName":
|
||||||
|
case "vaultAuthPath":
|
||||||
case "vaultRole":
|
case "vaultRole":
|
||||||
default:
|
default:
|
||||||
return false
|
return false
|
||||||
|
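Review bot: The `} else if err == nil {` branch in parseConfig, written after an unconditional `return err`, is the one thing in the parseConfig hunk I would change: the Go idiom is to return on the invalid case and then test the success case in its own `if`, which also makes it explicit that any other error (errConfigOptionMissing, presumably) is deliberately swallowed so the default from initVaultTenantSA() survives: `if errors.Is(err, errConfigOptionInvalid) { return err }` followed by `if err == nil { ... }`. The new comment `// default vaultAuthPath is set in initVaultTenantSA()` is slightly off, since what initVaultTenantSA() sets is `vault.AuthMountPath` (the derived mount, `vaultDefaultAuthMountPath`) rather than a full vaultAuthPath; `// default for vault.AuthMountPath is set in initVaultTenantSA(); a tenant-supplied vaultAuthPath overrides it` would describe the behaviour more accurately. Because vaultAuthPath comes from tenant-controlled configuration and the derived mount path is presumably embedded in the Vault login URL, it is worth confirming that detectAuthMountPath (not visible here) rejects an empty string and values containing `..` or additional path segments instead of passing them through, and that the wrapped error does not echo the raw tenant value verbatim into logs. parseConfig starts and ends outside this hunk.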
@ -17,6 +17,7 @@ limitations under the License.
|
|||||||
package util
|
package util
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
@ -27,3 +28,50 @@ func TestVaultTenantSAKMSRegistered(t *testing.T) {
|
|||||||
_, ok := kmsManager.providers[kmsTypeVaultTenantSA]
|
_, ok := kmsManager.providers[kmsTypeVaultTenantSA]
|
||||||
assert.True(t, ok)
|
assert.True(t, ok)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestTenantSAParseConfig(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
vts := VaultTenantSA{}
|
||||||
|
|
||||||
|
config := make(map[string]interface{})
|
||||||
|
|
||||||
|
// empty config map
|
||||||
|
err := vts.parseConfig(config)
|
||||||
|
if !errors.Is(err, errConfigOptionMissing) {
|
||||||
|
t.Errorf("unexpected error (%T): %s", err, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// fill default options (normally done in initVaultTokensKMS)
|
||||||
|
config["vaultAddress"] = "https://vault.bob.cluster.svc"
|
||||||
|
config["vaultAuthPath"] = "/v1/auth/kube-auth/login"
|
||||||
|
|
||||||
|
// parsing with all required options
|
||||||
|
err = vts.parseConfig(config)
|
||||||
|
switch {
|
||||||
|
case err != nil:
|
||||||
|
t.Errorf("unexpected error: %s", err)
|
||||||
|
case vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"] != "kube-auth":
|
||||||
|
t.Errorf("vaultAuthPath set to unexpected value: %s", vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"])
|
||||||
|
}
|
||||||
|
|
||||||
|
// tenant "bob" uses a different auth mount path
|
||||||
|
bob := make(map[string]interface{})
|
||||||
|
bob["vaultAuthPath"] = "/v1/auth/bobs-cluster/login"
|
||||||
|
err = vts.parseConfig(bob)
|
||||||
|
switch {
|
||||||
|
case err != nil:
|
||||||
|
t.Errorf("unexpected error: %s", err)
|
||||||
|
case vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"] != "bobs-cluster":
|
||||||
|
t.Errorf("vaultAuthPath set to unexpected value: %s", vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"])
|
||||||
|
}
|
||||||
|
|
||||||
|
// auth mount path can be passed like VAULT_AUTH_MOUNT_PATH too
|
||||||
|
bob["vaultAuthPath"] = "bobs-2nd-cluster"
|
||||||
|
err = vts.parseConfig(bob)
|
||||||
|
switch {
|
||||||
|
case err != nil:
|
||||||
|
t.Errorf("unexpected error: %s", err)
|
||||||
|
case vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"] != "bobs-2nd-cluster":
|
||||||
|
t.Errorf("vaultAuthPath set to unexpected value: %s", vts.vaultConfig["VAULT_AUTH_MOUNT_PATH"])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
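Review bot: TestTenantSAParseConfig only exercises accepted values; the two branches the new parseConfig code actually distinguishes are not pinned, namely the rejection path (`bob["vaultAuthPath"] = 123` followed by `errors.Is(err, errConfigOptionInvalid)`, if setConfigString reports a non-string value that way) and a config without `vaultAuthPath` leaving the previously set mount path untouched. The comment `// fill default options (normally done in initVaultTokensKMS)` names the wrong initializer for this type and should read `// fill default options (normally done in initVaultTenantSA)`. The four assertions repeat the literal `"VAULT_AUTH_MOUNT_PATH"`; pinning the environment variable name is reasonable, but a single `const authMountKey = "VAULT_AUTH_MOUNT_PATH"` at the top of the test would avoid the repetition and make the three checks read identically. Note also that `vts := VaultTenantSA{}` relies on parseConfig (or something it calls outside this diff) initialising `vaultConfig` before the map write, since writing to a nil map would panic; a short comment stating that assumption would help the next reader.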