util: allow updating settings of vaultConnection
Make it possible to call initConnection() multiple times. This enables the VaultTokensKMS type to override global settings with options from a per-tenant configuration. Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
parent
f08182e2fc
commit
eb1ef69cfb
@ -112,36 +112,52 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
|
|||||||
|
|
||||||
vc.EncryptionKMSID = kmsID
|
vc.EncryptionKMSID = kmsID
|
||||||
|
|
||||||
vaultAddress := ""
|
firstInit := (vc.vaultConfig == nil)
|
||||||
err := setConfigString(&vaultAddress, config, "vaultAddress")
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
vaultConfig[api.EnvVaultAddress] = vaultAddress
|
|
||||||
|
|
||||||
vaultNamespace := vaultDefaultNamespace
|
vaultAddress := "" // required
|
||||||
|
err := setConfigString(&vaultAddress, config, "vaultAddress")
|
||||||
|
switch {
|
||||||
|
case errors.Is(err, errConfigOptionInvalid):
|
||||||
|
return err
|
||||||
|
case firstInit && errors.Is(err, errConfigOptionMissing):
|
||||||
|
return err
|
||||||
|
case !errors.Is(err, errConfigOptionMissing):
|
||||||
|
vaultConfig[api.EnvVaultAddress] = vaultAddress
|
||||||
|
}
|
||||||
|
// default: !firstInit
|
||||||
|
|
||||||
|
vaultNamespace := vaultDefaultNamespace // optional
|
||||||
err = setConfigString(&vaultNamespace, config, "vaultNamespace")
|
err = setConfigString(&vaultNamespace, config, "vaultNamespace")
|
||||||
if err != nil {
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
// set the option if the value was not invalid
|
||||||
|
if firstInit || !errors.Is(err, errConfigOptionMissing) {
|
||||||
vaultConfig[api.EnvVaultNamespace] = vaultNamespace
|
vaultConfig[api.EnvVaultNamespace] = vaultNamespace
|
||||||
keyContext[loss.KeyVaultNamespace] = vaultNamespace
|
keyContext[loss.KeyVaultNamespace] = vaultNamespace
|
||||||
|
|
||||||
verifyCA := vaultDefaultCAVerify
|
|
||||||
err = setConfigString(&verifyCA, config, "vaultCAVerify")
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
vaultCAVerify, err := strconv.ParseBool(verifyCA)
|
verifyCA := vaultDefaultCAVerify // optional
|
||||||
|
err = setConfigString(&verifyCA, config, "vaultCAVerify")
|
||||||
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if firstInit || !errors.Is(err, errConfigOptionMissing) {
|
||||||
|
vaultCAVerify := false
|
||||||
|
vaultCAVerify, err = strconv.ParseBool(verifyCA)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to parse 'vaultCAVerify': %w", err)
|
return fmt.Errorf("failed to parse 'vaultCAVerify': %w", err)
|
||||||
}
|
}
|
||||||
vaultConfig[api.EnvVaultInsecure] = !vaultCAVerify
|
vaultConfig[api.EnvVaultInsecure] = !vaultCAVerify
|
||||||
|
}
|
||||||
|
|
||||||
vaultCAFromSecret := ""
|
vaultCAFromSecret := "" // optional
|
||||||
err = setConfigString(&vaultCAFromSecret, config, "vaultCAFromSecret")
|
err = setConfigString(&vaultCAFromSecret, config, "vaultCAFromSecret")
|
||||||
if err == nil && vaultCAFromSecret != "" {
|
if errors.Is(err, errConfigOptionInvalid) {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
// ignore errConfigOptionMissing, no default was set
|
||||||
|
if vaultCAFromSecret != "" {
|
||||||
caPEM, ok := secrets[vaultCAFromSecret]
|
caPEM, ok := secrets[vaultCAFromSecret]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret)
|
return fmt.Errorf("missing vault CA in secret %s", vaultCAFromSecret)
|
||||||
@ -152,12 +168,23 @@ func (vc *vaultConnection) initConnection(kmsID string, config map[string]interf
|
|||||||
return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
|
return fmt.Errorf("failed to create temporary file for Vault CA: %w", err)
|
||||||
}
|
}
|
||||||
// TODO: delete f.Name() when vaultConnection is destroyed
|
// TODO: delete f.Name() when vaultConnection is destroyed
|
||||||
} else if !errors.Is(err, errConfigOptionMissing) {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// update the existing config only if no config is available yet
|
||||||
|
if vc.keyContext != nil {
|
||||||
|
for key, value := range keyContext {
|
||||||
|
vc.keyContext[key] = value
|
||||||
|
}
|
||||||
|
} else {
|
||||||
vc.keyContext = keyContext
|
vc.keyContext = keyContext
|
||||||
|
}
|
||||||
|
if vc.vaultConfig != nil {
|
||||||
|
for key, value := range vaultConfig {
|
||||||
|
vc.vaultConfig[key] = value
|
||||||
|
}
|
||||||
|
} else {
|
||||||
vc.vaultConfig = vaultConfig
|
vc.vaultConfig = vaultConfig
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
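Review bot: The comment `// update the existing config only if no config is available yet` above the merge loops in the second hunk says the opposite of what the code does: when `vc.vaultConfig` or `vc.keyContext` is already set, every key from the new maps is written into it, so this is an overwrite-merge rather than a first-time-only update; suggest `// merge into the existing config, or take it over on first initialization`. Since this merge now accepts `vaultAddress` and `vaultCAVerify` from a per-tenant configuration (per the commit message), a tenant-level option can flip `api.EnvVaultInsecure` to true or point the connection at a different Vault address, so it is worth documenting which keys a tenant may override, or rejecting overrides of these two in the per-tenant path. In the first hunk the `vaultNamespace`, `vaultCAVerify` and `vaultCAFromSecret` branches only return on `errConfigOptionInvalid`, so if `setConfigString` can return any error other than invalid/missing it would now be silently ignored where the old code returned it — worth confirming against setConfigString's contract. initConnection starts before the first hunk.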