mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-30 18:20:19 +00:00
b866bd491c
The new `vaultAuthNamespace` configuration parameter can be set to the
Vault Namespace where the authentication is setup in the service. Some
Hashicorp Vault deployments use sub-namespaces for their users/tenants,
with a 'root' namespace where the authentication is configured. This
requires passing of different Vault namespaces for different operations.
Example:
- the Kubernetes Auth mechanism is configured for in the Vault
Namespace called 'devops'
- a user/tenant has a sub-namespace called 'devops/website' where the
encryption passphrases can be placed in the key-value store
The configuration for this, then looks like:
vaultAuthNamespace: devops
vaultNamespace: devops/homepage
Note that Vault Namespaces are a feature of the Hashicorp Vault
Enterprise product, and not part of the Open Source version. This
prevents adding e2e tests that validate the Vault Namespace
configuration.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit f2d5c2e0df
)
211 lines
6.8 KiB
Go
211 lines
6.8 KiB
Go
/*
|
|
Copyright 2020 The Ceph-CSI Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package util
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestParseConfig(t *testing.T) {
|
|
t.Parallel()
|
|
vtc := vaultTenantConnection{}
|
|
|
|
config := make(map[string]interface{})
|
|
|
|
// empty config map
|
|
err := vtc.parseConfig(config)
|
|
if !errors.Is(err, errConfigOptionMissing) {
|
|
t.Errorf("unexpected error (%T): %s", err, err)
|
|
}
|
|
|
|
// fill default options (normally done in initVaultTokensKMS)
|
|
config["vaultAddress"] = "https://vault.default.cluster.svc"
|
|
config["tenantConfigName"] = vaultTokensDefaultConfigName
|
|
|
|
// parsing with all required options
|
|
err = vtc.parseConfig(config)
|
|
switch {
|
|
case err != nil:
|
|
t.Errorf("unexpected error: %s", err)
|
|
case vtc.ConfigName != vaultTokensDefaultConfigName:
|
|
t.Errorf("ConfigName contains unexpected value: %s", vtc.ConfigName)
|
|
}
|
|
|
|
// tenant "bob" uses a different kms.ConfigName
|
|
bob := make(map[string]interface{})
|
|
bob["tenantConfigName"] = "the-config-from-bob"
|
|
err = vtc.parseConfig(bob)
|
|
switch {
|
|
case err != nil:
|
|
t.Errorf("unexpected error: %s", err)
|
|
case vtc.ConfigName != "the-config-from-bob":
|
|
t.Errorf("ConfigName contains unexpected value: %s", vtc.ConfigName)
|
|
}
|
|
}
|
|
|
|
// TestInitVaultTokensKMS verifies that passing partial and complex
|
|
// configurations get applied correctly.
|
|
//
|
|
// When vault.New() is called at the end of initVaultTokensKMS(), errors will
|
|
// mention the missing VAULT_TOKEN, and that is expected.
|
|
func TestInitVaultTokensKMS(t *testing.T) {
|
|
t.Parallel()
|
|
if true {
|
|
// FIXME: testing only works when KUBE_CONFIG is set to a
|
|
// cluster that has a working Vault deployment
|
|
return
|
|
}
|
|
|
|
args := KMSInitializerArgs{
|
|
Tenant: "bob",
|
|
Config: make(map[string]interface{}),
|
|
Secrets: nil,
|
|
}
|
|
|
|
// empty config map
|
|
_, err := initVaultTokensKMS(args)
|
|
if !errors.Is(err, errConfigOptionMissing) {
|
|
t.Errorf("unexpected error (%T): %s", err, err)
|
|
}
|
|
|
|
// fill required options
|
|
args.Config["vaultAddress"] = "https://vault.default.cluster.svc"
|
|
|
|
// parsing with all required options
|
|
_, err = initVaultTokensKMS(args)
|
|
if err != nil && !strings.Contains(err.Error(), "VAULT_TOKEN") {
|
|
t.Errorf("unexpected error: %s", err)
|
|
}
|
|
|
|
// fill tenants
|
|
tenants := make(map[string]interface{})
|
|
args.Config["tenants"] = tenants
|
|
|
|
// empty tenants list
|
|
_, err = initVaultTokensKMS(args)
|
|
if err != nil && !strings.Contains(err.Error(), "VAULT_TOKEN") {
|
|
t.Errorf("unexpected error: %s", err)
|
|
}
|
|
|
|
// add tenant "bob"
|
|
bob := make(map[string]interface{})
|
|
bob["vaultAddress"] = "https://vault.bob.example.org"
|
|
args.Config["tenants"].(map[string]interface{})["bob"] = bob
|
|
|
|
_, err = initVaultTokensKMS(args)
|
|
if err != nil && !strings.Contains(err.Error(), "VAULT_TOKEN") {
|
|
t.Errorf("unexpected error: %s", err)
|
|
}
|
|
}
|
|
|
|
// TestStdVaultToCSIConfig converts a JSON document with standard VAULT_*
|
|
// environment variables to a vaultTokenConf structure.
|
|
func TestStdVaultToCSIConfig(t *testing.T) {
|
|
t.Parallel()
|
|
vaultConfigMap := `{
|
|
"KMS_PROVIDER":"vaulttokens",
|
|
"VAULT_ADDR":"https://vault.example.com",
|
|
"VAULT_BACKEND":"kv-v2",
|
|
"VAULT_BACKEND_PATH":"/secret",
|
|
"VAULT_CACERT":"",
|
|
"VAULT_TLS_SERVER_NAME":"vault.example.com",
|
|
"VAULT_CLIENT_CERT":"",
|
|
"VAULT_CLIENT_KEY":"",
|
|
"VAULT_AUTH_NAMESPACE":"devops",
|
|
"VAULT_NAMESPACE":"devops/homepage",
|
|
"VAULT_SKIP_VERIFY":"true"
|
|
}`
|
|
|
|
sv := &standardVault{}
|
|
err := json.Unmarshal([]byte(vaultConfigMap), sv)
|
|
if err != nil {
|
|
t.Errorf("unexpected error: %s", err)
|
|
|
|
return
|
|
}
|
|
|
|
v := vaultTokenConf{}
|
|
v.convertStdVaultToCSIConfig(sv)
|
|
|
|
switch {
|
|
case v.EncryptionKMSType != kmsTypeVaultTokens:
|
|
t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
|
|
case v.VaultAddress != "https://vault.example.com":
|
|
t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
|
|
case v.VaultBackend != "kv-v2":
|
|
t.Errorf("unexpected value for VaultBackend: %s", v.VaultBackend)
|
|
case v.VaultBackendPath != "/secret":
|
|
t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
|
|
case v.VaultCAFromSecret != "":
|
|
t.Errorf("unexpected value for VaultCAFromSecret: %s", v.VaultCAFromSecret)
|
|
case v.VaultClientCertFromSecret != "":
|
|
t.Errorf("unexpected value for VaultClientCertFromSecret: %s", v.VaultClientCertFromSecret)
|
|
case v.VaultClientCertKeyFromSecret != "":
|
|
t.Errorf("unexpected value for VaultClientCertKeyFromSecret: %s", v.VaultClientCertKeyFromSecret)
|
|
case v.VaultAuthNamespace != "devops":
|
|
t.Errorf("unexpected value for VaultAuthNamespace: %s", v.VaultAuthNamespace)
|
|
case v.VaultNamespace != "devops/homepage":
|
|
t.Errorf("unexpected value for VaultNamespace: %s", v.VaultNamespace)
|
|
case v.VaultTLSServerName != "vault.example.com":
|
|
t.Errorf("unexpected value for VaultTLSServerName: %s", v.VaultTLSServerName)
|
|
case v.VaultCAVerify != "false":
|
|
t.Errorf("unexpected value for VaultCAVerify: %s", v.VaultCAVerify)
|
|
}
|
|
}
|
|
|
|
func TestTransformConfig(t *testing.T) {
|
|
t.Parallel()
|
|
cm := make(map[string]interface{})
|
|
cm["KMS_PROVIDER"] = "vaulttokens"
|
|
cm["VAULT_ADDR"] = "https://vault.example.com"
|
|
cm["VAULT_BACKEND"] = "kv-v2"
|
|
cm["VAULT_BACKEND_PATH"] = "/secret"
|
|
cm["VAULT_CACERT"] = ""
|
|
cm["VAULT_TLS_SERVER_NAME"] = "vault.example.com"
|
|
cm["VAULT_CLIENT_CERT"] = ""
|
|
cm["VAULT_CLIENT_KEY"] = ""
|
|
cm["VAULT_AUTH_NAMESPACE"] = "devops"
|
|
cm["VAULT_NAMESPACE"] = "devops/homepage"
|
|
cm["VAULT_SKIP_VERIFY"] = "true" // inverse of "vaultCAVerify"
|
|
|
|
config, err := transformConfig(cm)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, config["encryptionKMSType"], cm["KMS_PROVIDER"])
|
|
assert.Equal(t, config["vaultAddress"], cm["VAULT_ADDR"])
|
|
assert.Equal(t, config["vaultBackend"], cm["VAULT_BACKEND"])
|
|
assert.Equal(t, config["vaultBackendPath"], cm["VAULT_BACKEND_PATH"])
|
|
assert.Equal(t, config["vaultCAFromSecret"], cm["VAULT_CACERT"])
|
|
assert.Equal(t, config["vaultTLSServerName"], cm["VAULT_TLS_SERVER_NAME"])
|
|
assert.Equal(t, config["vaultClientCertFromSecret"], cm["VAULT_CLIENT_CERT"])
|
|
assert.Equal(t, config["vaultClientCertKeyFromSecret"], cm["VAULT_CLIENT_KEY"])
|
|
assert.Equal(t, config["vaultAuthNamespace"], cm["VAULT_AUTH_NAMESPACE"])
|
|
assert.Equal(t, config["vaultNamespace"], cm["VAULT_NAMESPACE"])
|
|
assert.Equal(t, config["vaultCAVerify"], "false")
|
|
}
|
|
|
|
func TestVaultTokensKMSRegistered(t *testing.T) {
|
|
t.Parallel()
|
|
_, ok := kmsManager.providers[kmsTypeVaultTokens]
|
|
assert.True(t, ok)
|
|
}
|