util: set defaults for Vault config before converting
When using UPPER_CASE formatting for the HashiCorp Vault KMS configuration, a missing `VAULT_DESTROY_KEYS` will cause the option to be set to "false". The default for the option is intended to be "true". This is a difference in behaviour between the `vaultDestroyKeys` and `VAULT_DESTROY_KEYS` options. Both should use a default of "true" when the configuration does not set the option explicitly. By setting the default options in the `standardVault` struct before unmarshalling the configuration into it, the default values are retained for the missing configuration options. Reported-by: Rachael George <rgeorge@redhat.com> Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
de57fa1804
commit
c852f487a5
@ -43,7 +43,7 @@ const (
|
|||||||
vaultDefaultRole = "csi-kubernetes"
|
vaultDefaultRole = "csi-kubernetes"
|
||||||
vaultDefaultNamespace = ""
|
vaultDefaultNamespace = ""
|
||||||
vaultDefaultPassphrasePath = ""
|
vaultDefaultPassphrasePath = ""
|
||||||
vaultDefaultCAVerify = "true"
|
vaultDefaultCAVerify = true
|
||||||
vaultDefaultDestroyKeys = "true"
|
vaultDefaultDestroyKeys = "true"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -208,7 +208,7 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
|
|||||||
keyContext[loss.KeyVaultNamespace] = vaultNamespace
|
keyContext[loss.KeyVaultNamespace] = vaultNamespace
|
||||||
}
|
}
|
||||||
|
|
||||||
verifyCA := vaultDefaultCAVerify // optional
|
verifyCA := strconv.FormatBool(vaultDefaultCAVerify) // optional
|
||||||
err = setConfigString(&verifyCA, config, "vaultCAVerify")
|
err = setConfigString(&verifyCA, config, "vaultCAVerify")
|
||||||
if errors.Is(err, errConfigOptionInvalid) {
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
return err
|
return err
|
||||||
|
@ -101,7 +101,6 @@ func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
|
|||||||
|
|
||||||
// by default the CA should get verified, only when VaultSkipVerify is
|
// by default the CA should get verified, only when VaultSkipVerify is
|
||||||
// set, verification should be disabled
|
// set, verification should be disabled
|
||||||
v.VaultCAVerify = vaultDefaultCAVerify
|
|
||||||
verify, err := strconv.ParseBool(s.VaultSkipVerify)
|
verify, err := strconv.ParseBool(s.VaultSkipVerify)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
v.VaultCAVerify = strconv.FormatBool(!verify)
|
v.VaultCAVerify = strconv.FormatBool(!verify)
|
||||||
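Review bot: Removing the `v.VaultCAVerify = vaultDefaultCAVerify` line leaves `VaultCAVerify` unset (presumably the empty string) whenever `strconv.ParseBool(s.VaultSkipVerify)` fails, for example on a value like `"yes"` or an explicitly empty `VAULT_SKIP_VERIFY`; before this change the same input fell back to verifying the CA. The safe default now arrives only through the `standardVault` literal in `transformConfig`, so any other way of building a `standardVault` loses it, and a malformed value ends up steering TLS verification of the Vault endpoint. Keep this function fail-closed on its own: `v.VaultCAVerify = strconv.FormatBool(vaultDefaultCAVerify)` ahead of the parse, and consider surfacing the parse error instead of silently ignoring it. convertStdVaultToCSIConfig starts before and continues past this hunk, so I cannot see whether the caller validates the value later.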
@ -124,8 +123,14 @@ func transformConfig(svMap map[string]interface{}) (map[string]interface{}, erro
|
|||||||
return nil, fmt.Errorf("failed to convert config %T to JSON: %w", svMap, err)
|
return nil, fmt.Errorf("failed to convert config %T to JSON: %w", svMap, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// convert the JSON back to a standardVault struct
|
// convert the JSON back to a standardVault struct, default values are
|
||||||
sv := &standardVault{}
|
// set in case the configuration does not provide all options
|
||||||
|
sv := &standardVault{
|
||||||
|
VaultDestroyKeys: vaultDefaultDestroyKeys,
|
||||||
|
VaultNamespace: vaultDefaultNamespace,
|
||||||
|
VaultSkipVerify: strconv.FormatBool(!vaultDefaultCAVerify),
|
||||||
|
}
|
||||||
|
|
||||||
err = json.Unmarshal(data, sv)
|
err = json.Unmarshal(data, sv)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to Unmarshal the vault configuration: %w", err)
|
return nil, fmt.Errorf("failed to Unmarshal the vault configuration: %w", err)
|
||||||
|
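Review bot: Pre-filling the `standardVault` defaults before `json.Unmarshal` also means a misspelled UPPER_CASE key (say `VAULT_DESTROY_KEY`) is silently dropped and the default applied, which for options that decide whether Vault keys are destroyed and whether the Vault CA is verified is an easy misconfiguration to miss. If `standardVault` has a field for every supported UPPER_CASE option, decode with `dec := json.NewDecoder(bytes.NewReader(data)); dec.DisallowUnknownFields()` so unknown keys fail loudly; if it does not, at least extend the comment on the literal to say that only absent keys keep the default, since a key present with an empty value (`"VAULT_SKIP_VERIFY": ""`) overwrites it and then fails `strconv.ParseBool` downstream. The same defaults are spelled out again in `initConnection` (`verifyCA := strconv.FormatBool(vaultDefaultCAVerify)`), so a small `newStandardVault()` constructor would keep them in one place. transformConfig's body starts before this hunk and continues after it.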
@ -19,6 +19,7 @@ package kms
|
|||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
@ -208,6 +209,18 @@ func TestTransformConfig(t *testing.T) {
|
|||||||
assert.Equal(t, config["vaultCAVerify"], "false")
|
assert.Equal(t, config["vaultCAVerify"], "false")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestTransformConfigDefaults(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
cm := make(map[string]interface{})
|
||||||
|
cm["KMS_PROVIDER"] = kmsTypeVaultTokens
|
||||||
|
|
||||||
|
config, err := transformConfig(cm)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
||||||
|
assert.Equal(t, config["vaultDestroyKeys"], vaultDefaultDestroyKeys)
|
||||||
|
assert.Equal(t, config["vaultCAVerify"], strconv.FormatBool(vaultDefaultCAVerify))
|
||||||
|
}
|
||||||
|
|
||||||
func TestVaultTokensKMSRegistered(t *testing.T) {
|
func TestVaultTokensKMSRegistered(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
_, ok := kmsManager.providers[kmsTypeVaultTokens]
|
_, ok := kmsManager.providers[kmsTypeVaultTokens]
|
||||||
|
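Review bot: TestTransformConfigDefaults exercises only the absent-key path, so the regression this commit fixes is half-guarded: nothing shows that an explicitly set `VAULT_DESTROY_KEYS` or `VAULT_SKIP_VERIFY` still wins over the pre-filled default, which is the other side of the same contract. A malformed boolean (`VAULT_SKIP_VERIFY: "yes"`) is also worth pinning so the resulting `vaultCAVerify` is a deliberate choice rather than an accident. Minor style: testify's `assert.Equal` takes `(t, expected, actual)` and these calls pass them the other way round, which makes failure output read backwards. A companion test along these lines would close the gap; the expected `vaultCAVerify` of "false" for `VAULT_SKIP_VERIFY: "true"` matches the assertion the existing TestTransformConfig already makes.
```go
func TestTransformConfigExplicitOverridesDefault(t *testing.T) {
	t.Parallel()
	cm := make(map[string]interface{})
	cm["KMS_PROVIDER"] = kmsTypeVaultTokens
	cm["VAULT_DESTROY_KEYS"] = "false"
	cm["VAULT_SKIP_VERIFY"] = "true"

	config, err := transformConfig(cm)
	require.NoError(t, err)
	assert.Equal(t, "false", config["vaultDestroyKeys"])
	assert.Equal(t, "false", config["vaultCAVerify"])
}
```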