Add role for creating CSI's HMAC secret key (#872)

2023-04-14 12:31:41 +00:00 · 2023-04-14 12:31:41 +00:00 · 9954df5e68
commit 9954df5e68
parent ded705d732
7 changed files with 150 additions and 6 deletions
--- a/templates/csi-daemonset.yaml
+++ b/templates/csi-daemonset.yaml
@ -54,6 +54,11 @@ spec:
          args:
            - --endpoint=/provider/vault.sock
            - --debug={{ .Values.csi.debug }}
+            {{- if .Values.csi.hmacSecretName }}
+            - --hmac-secret-name={{ .Values.csi.hmacSecretName }}
+            {{- else }}
+            - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
+            {{- end }}
            {{- if .Values.csi.extraArgs }}
            {{- toYaml .Values.csi.extraArgs | nindent 12 }}
            {{- end }}
--- a/templates/csi-role.yaml
+++ b/templates/csi-role.yaml
@ -0,0 +1,31 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "vault.fullname" . }}-csi-provider-role
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  resourceNames:
+    {{- if .Values.csi.hmacSecretName }}
+    - {{ .Values.csi.hmacSecretName }}
+    {{- else }}
+    - {{ include "vault.name" . }}-csi-provider-hmac-key
+    {{- end }}
+# 'create' permissions cannot be restricted by resource name:
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create"]
+{{- end }}
--- a/templates/csi-rolebinding.yaml
+++ b/templates/csi-rolebinding.yaml
@ -0,0 +1,24 @@
+{{/*
+Copyright (c) HashiCorp, Inc.
+SPDX-License-Identifier: MPL-2.0
+*/}}
+
+{{- template "vault.csiEnabled" . -}}
+{{- if .csiEnabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
+  labels:
+    app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "vault.fullname" . }}-csi-provider-role
+subjects:
+- kind: ServiceAccount
+  name: {{ template "vault.fullname" . }}-csi-provider
+  namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/test/unit/csi-daemonset.bats
+++ b/test/unit/csi-daemonset.bats
@ -168,6 +168,25 @@ load _helpers
  [ "${actual}" = "--debug=true" ]
 }

+# HMAC secret arg
+@test "csi/daemonset: HMAC secret arg is configurable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/csi-daemonset.yaml \
+      --set "csi.enabled=true" \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr)
+  [ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ]
+
+  local actual=$(helm template \
+      --show-only templates/csi-daemonset.yaml \
+      --set "csi.enabled=true" \
+      --set "csi.hmacSecretName=foo" \
+      . | tee /dev/stderr |
+      yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr)
+  [ "${actual}" = "--hmac-secret-name=foo" ]
+}
+
 # Extra args
@test "csi/daemonset: extra args can be passed" {
  cd `chart_dir`
@ -176,7 +195,7 @@ load _helpers
      --set "csi.enabled=true" \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr)
-  [ "${actual}" = "2" ]
+  [ "${actual}" = "3" ]

  local object=$(helm template \
      --show-only templates/csi-daemonset.yaml \
@ -186,15 +205,15 @@ load _helpers
      yq -r '.spec.template.spec.containers[0]')
  local actual=$(echo $object |
      yq -r '.args | length' | tee /dev/stderr)
-  [ "${actual}" = "5" ]
-  local actual=$(echo $object |
-      yq -r '.args[2]' | tee /dev/stderr)
-  [ "${actual}" = "--foo=bar" ]
+  [ "${actual}" = "6" ]
  local actual=$(echo $object |
      yq -r '.args[3]' | tee /dev/stderr)
-  [ "${actual}" = "--bar baz" ]
+  [ "${actual}" = "--foo=bar" ]
  local actual=$(echo $object |
      yq -r '.args[4]' | tee /dev/stderr)
+  [ "${actual}" = "--bar baz" ]
+  local actual=$(echo $object |
+      yq -r '.args[5]' | tee /dev/stderr)
  [ "${actual}" = "first" ]
 }

--- a/test/unit/csi-role.bats
+++ b/test/unit/csi-role.bats
@ -0,0 +1,39 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/Role: disabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/csi-role.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "csi/Role: names" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/csi-role.yaml \
+      --set "csi.enabled=true" \
+      . | tee /dev/stderr |
+      yq -r '.metadata.name' | tee /dev/stderr)
+  [ "${actual}" = "release-name-vault-csi-provider-role" ]
+  local actual=$(helm template \
+      --show-only templates/csi-role.yaml \
+      --set "csi.enabled=true" \
+      . | tee /dev/stderr |
+      yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
+  [ "${actual}" = "vault-csi-provider-hmac-key" ]
+}
+
+@test "csi/Role: HMAC secret name configurable" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/csi-role.yaml \
+      --set "csi.enabled=true" \
+      --set 'csi.hmacSecretName=foo' \
+      . | tee /dev/stderr |
+      yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
+  [ "${actual}" = "foo" ]
+}
--- a/test/unit/csi-rolebinding.bats
+++ b/test/unit/csi-rolebinding.bats
@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "csi/RoleBinding: disabled by default" {
+  cd `chart_dir`
+  local actual=$( (helm template \
+      --show-only templates/csi-rolebinding.yaml  \
+      . || echo "---") | tee /dev/stderr |
+      yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "false" ]
+}
+
+@test "csi/RoleBinding: name" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      --show-only templates/csi-rolebinding.yaml \
+      --set "csi.enabled=true" \
+      . | tee /dev/stderr |
+      yq -r '.metadata.name' | tee /dev/stderr)
+  [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ]
+}
--- a/values.yaml
+++ b/values.yaml
@ -1025,6 +1025,10 @@ csi:
  #     cpu: 50m
  #     memory: 128Mi

+  # Override the default secret name for the CSI Provider's HMAC key used for
+  # generating secret versions.
+  hmacSecretName: ""
+
  # Settings for the daemonSet used to run the provider.
  daemonSet:
    updateStrategy: