fix CSI driver integration

Signed-off-by: Jan Martens <jan@martens.eu.org>

charts/openbao/values.yaml

@@ -1100,7 +1100,7 @@ csi:
     # -- image repo to use for csi image
     repository: "hashicorp/vault-csi-provider"
     # -- image tag to use for csi image
-    tag: "1.4.1"
+    tag: "1.4.0"
     # -- image pull policy to use for csi image. if tag is "latest", set to "Always"
     pullPolicy: IfNotPresent
 

test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml

@@ -5,9 +5,9 @@
 apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
-  name: openbao-kv
+  name: vault-kv
 spec:
-  provider: openbao
+  provider: vault
   parameters:
     roleName: "kv-role"
     objects: |

test/acceptance/csi.bats

@@ -2,73 +2,73 @@
 
 load _helpers
 
-# @test "csi: testing deployment" {
+@test "csi: testing deployment" {
-#   cd `chart_dir`
+  cd `chart_dir`
 
-#   kubectl delete namespace acceptance --ignore-not-found=true
+  kubectl delete namespace acceptance --ignore-not-found=true
-#   kubectl create namespace acceptance
+  kubectl create namespace acceptance
 
-#   # Install Secrets Store CSI driver
+  # Install Secrets Store CSI driver
-#   # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
+  # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
-#   # so we can see Agent's cache working.
+  # so we can see Agent's cache working.
-#   CSI_DRIVER_VERSION=1.3.2
+  CSI_DRIVER_VERSION=1.3.2
-#   helm install secrets-store-csi-driver secrets-store-csi-driver \
+  helm install secrets-store-csi-driver secrets-store-csi-driver \
-#     --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
+    --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
-#     --version=$CSI_DRIVER_VERSION \
+    --version=$CSI_DRIVER_VERSION \
-#     --wait --timeout=5m \
+    --wait --timeout=5m \
-#     --namespace=acceptance \
+    --namespace=acceptance \
-#     --set linux.image.pullPolicy="IfNotPresent" \
+    --set linux.image.pullPolicy="IfNotPresent" \
-#     --set tokenRequests[0].audience="openbao" \
+    --set tokenRequests[0].audience="openbao" \
-#     --set enableSecretRotation=true \
+    --set enableSecretRotation=true \
-#     --set rotationPollInterval=5s
+    --set rotationPollInterval=5s
-#   # Install OpenBao and OpenBao provider
+  # Install OpenBao and OpenBao provider
-#   helm install openbao \
+  helm install openbao \
-#     --wait --timeout=5m \
+    --wait --timeout=5m \
-#     --namespace=acceptance \
+    --namespace=acceptance \
-#     --set="server.dev.enabled=true" \
+    --set="server.dev.enabled=true" \
-#     --set="csi.enabled=true" \
+    --set="csi.enabled=true" \
-#     --set="csi.debug=true" \
+    --set="csi.debug=true" \
-#     --set="csi.agent.logLevel=debug" \
+    --set="csi.agent.logLevel=debug" \
-#     --set="injector.enabled=false" \
+    --set="injector.enabled=false" \
-#     .
+    .
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider
 
-#   # Set up k8s auth and a kv secret.
+  # Set up k8s auth and a kv secret.
-#   cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
+  cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
-#   kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
+  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
-#   kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
+  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
-#     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
+    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
-#   kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
+  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
-#     bound_service_account_names=nginx \
+    bound_service_account_names=nginx \
-#     bound_service_account_namespaces=acceptance \
+    bound_service_account_namespaces=acceptance \
-#     policies=kv-policy \
+    policies=kv-policy \
-#     ttl=20m
+    ttl=20m
-#   kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
+  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1
 
-#   kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
-#   kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
+  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
-#   kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
+  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx
 
-#   result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
+  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
-#   [[ "$result" == "hello1" ]]
+  [[ "$result" == "hello1" ]]
 
-#   for i in $(seq 10); do
+  for i in $(seq 10); do
-#     sleep 2
+    sleep 2
-#     if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
+    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
-#         echo "Agent returned a cached login response"
+        echo "Agent returned a cached login response"
-#         return
+        return
-#     fi
+    fi
 
-#     echo "Waiting to confirm the Agent is renewing CSI's auth token..."
+    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
-#   done
+  done
 
-#   # Print the logs and fail the test
+  # Print the logs and fail the test
-#   echo "Failed to find a log for the Agent renewing CSI's auth token"
+  echo "Failed to find a log for the Agent renewing CSI's auth token"
-#   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
-#   kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
+  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
-#   exit 1
+  exit 1
-# }
+}
 
 # Clean up
 teardown() {

test/unit/csi-daemonset.bats

@@ -107,7 +107,7 @@ load _helpers
   [ "${actual}" = "PullPolicy1" ]
   local actual=$(echo $object |
       yq -r '.[1].image' | tee /dev/stderr)
-  [ "${actual}" = "Image2:0.0.2" ]
+  [ "${actual}" = "quay.io/Image2:0.0.2" ]
   local actual=$(echo $object |
       yq -r '.[1].imagePullPolicy' | tee /dev/stderr)
   [ "${actual}" = "PullPolicy2" ]
@@ -796,7 +796,7 @@ load _helpers
       yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
 
   local value=$(echo $object |
-      yq -r 'map(select(.name=="VAULT_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
+      yq -r 'map(select(.name=="BAO_LOG_LEVEL")) | .[] .value' | tee /dev/stderr)
   [ "${value}" = "error" ]
 }
 
@@ -810,7 +810,7 @@ load _helpers
       yq -r '.spec.template.spec.containers[1].env' | tee /dev/stderr)
 
   local value=$(echo $object |
-      yq -r 'map(select(.name=="VAULT_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
+      yq -r 'map(select(.name=="BAO_LOG_FORMAT")) | .[] .value' | tee /dev/stderr)
   [ "${value}" = "json" ]
 }