Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add role for creating CSI's HMAC secret key (#872)

Browse source
This commit is contained in:
Tom Proctor 2023-04-14 12:31:41 +00:00 committed by GitHub
parent ded705d732
commit 9954df5e68
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 150 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
templates/csi-daemonset.yaml
View file

@ -54,6 +54,11 @@ spec:
args: args:
- --endpoint=/provider/vault.sock - --endpoint=/provider/vault.sock
- --debug={{ .Values.csi.debug }} - --debug={{ .Values.csi.debug }}
{{- if .Values.csi.hmacSecretName }}
- --hmac-secret-name={{ .Values.csi.hmacSecretName }}
{{- else }}
- --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
{{- if .Values.csi.extraArgs }} {{- if .Values.csi.extraArgs }}
{{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- toYaml .Values.csi.extraArgs | nindent 12 }}
{{- end }} {{- end }}

31
templates/csi-role.yaml Normal file
View file

@ -0,0 +1,31 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-role
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
resourceNames:
{{- if .Values.csi.hmacSecretName }}
- {{ .Values.csi.hmacSecretName }}
{{- else }}
- {{ include "vault.name" . }}-csi-provider-hmac-key
{{- end }}
# 'create' permissions cannot be restricted by resource name:
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
{{- end }}

24
templates/csi-rolebinding.yaml Normal file
View file

@ -0,0 +1,24 @@
{{/*
Copyright (c) HashiCorp, Inc.
SPDX-License-Identifier: MPL-2.0
*/}}
{{- template "vault.csiEnabled" . -}}
{{- if .csiEnabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "vault.fullname" . }}-csi-provider-rolebinding
labels:
app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "vault.fullname" . }}-csi-provider-role
subjects:
- kind: ServiceAccount
name: {{ template "vault.fullname" . }}-csi-provider
namespace: {{ .Release.Namespace }}
{{- end }}

31
test/unit/csi-daemonset.bats
View file

@ -168,6 +168,25 @@ load _helpers
[ "${actual}" = "--debug=true" ] [ "${actual}" = "--debug=true" ]
} }
# HMAC secret arg
@test "csi/daemonset: HMAC secret arg is configurable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr)
[ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ]
local actual=$(helm template \
--show-only templates/csi-daemonset.yaml \
--set "csi.enabled=true" \
--set "csi.hmacSecretName=foo" \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr)
[ "${actual}" = "--hmac-secret-name=foo" ]
}
# Extra args # Extra args
@test "csi/daemonset: extra args can be passed" { @test "csi/daemonset: extra args can be passed" {
cd `chart_dir` cd `chart_dir`
@ -176,7 +195,7 @@ load _helpers
--set "csi.enabled=true" \ --set "csi.enabled=true" \
. | tee /dev/stderr | . | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr)
[ "${actual}" = "2" ] [ "${actual}" = "3" ]
local object=$(helm template \ local object=$(helm template \
--show-only templates/csi-daemonset.yaml \ --show-only templates/csi-daemonset.yaml \
@ -186,15 +205,15 @@ load _helpers
yq -r '.spec.template.spec.containers[0]') yq -r '.spec.template.spec.containers[0]')
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.args | length' | tee /dev/stderr) yq -r '.args | length' | tee /dev/stderr)
[ "${actual}" = "5" ] [ "${actual}" = "6" ]
local actual=$(echo $object |
yq -r '.args[2]' | tee /dev/stderr)
[ "${actual}" = "--foo=bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.args[3]' | tee /dev/stderr) yq -r '.args[3]' | tee /dev/stderr)
[ "${actual}" = "--bar baz" ] [ "${actual}" = "--foo=bar" ]
local actual=$(echo $object | local actual=$(echo $object |
yq -r '.args[4]' | tee /dev/stderr) yq -r '.args[4]' | tee /dev/stderr)
[ "${actual}" = "--bar baz" ]
local actual=$(echo $object |
yq -r '.args[5]' | tee /dev/stderr)
[ "${actual}" = "first" ] [ "${actual}" = "first" ]
} }

39
test/unit/csi-role.bats Normal file
View file

@ -0,0 +1,39 @@
#!/usr/bin/env bats
load _helpers
@test "csi/Role: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/csi-role.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "csi/Role: names" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-role.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-role" ]
local actual=$(helm template \
--show-only templates/csi-role.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
[ "${actual}" = "vault-csi-provider-hmac-key" ]
}
@test "csi/Role: HMAC secret name configurable" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-role.yaml \
--set "csi.enabled=true" \
--set 'csi.hmacSecretName=foo' \
. | tee /dev/stderr |
yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr)
[ "${actual}" = "foo" ]
}

22
test/unit/csi-rolebinding.bats Normal file
View file

@ -0,0 +1,22 @@
#!/usr/bin/env bats
load _helpers
@test "csi/RoleBinding: disabled by default" {
cd `chart_dir`
local actual=$( (helm template \
--show-only templates/csi-rolebinding.yaml \
. || echo "---") | tee /dev/stderr |
yq 'length > 0' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
@test "csi/RoleBinding: name" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/csi-rolebinding.yaml \
--set "csi.enabled=true" \
. | tee /dev/stderr |
yq -r '.metadata.name' | tee /dev/stderr)
[ "${actual}" = "release-name-vault-csi-provider-rolebinding" ]
}

4
values.yaml
View file

@ -1025,6 +1025,10 @@ csi:
# cpu: 50m # cpu: 50m
# memory: 128Mi # memory: 128Mi
# Override the default secret name for the CSI Provider's HMAC key used for
# generating secret versions.
hmacSecretName: ""
# Settings for the daemonSet used to run the provider. # Settings for the daemonSet used to run the provider.
daemonSet: daemonSet:
updateStrategy: updateStrategy: