Support multiple vaults for authorization v2 (#656)

* updates for multiple vaults * update unit test samples * add unit tests * update storage crd * update manifests * use id in mount path * fix args * update sample * update cert comments * add ut for multiple vaults * add multiple vault e2e scenario * fix linting * fix linting * update storage sample --------- Co-authored-by: Aaron Tye <tyeaaron@gmail.com>
dell · Oct 15, 2024 · 9be5133 · 9be5133
1 parent 203d27e
commit 9be5133
Show file tree

Hide file tree

Showing 27 changed files with 1,306 additions and 357 deletions.
diff --git a/api/v1/types.go b/api/v1/types.go
@@ -387,22 +387,14 @@ type ContainerTemplate struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Proxy Server Redis storage class"
 	RedisStorageClass string `json:"storageclass,omitempty" yaml:"storageclass,omitempty"`
 
-	// VaultAddress is the address of the vault
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Address"
-	VaultAddress string `json:"vaultAddress,omitempty" yaml:"vaultAddress,omitempty"`
-
-	// VaultRole is the role for the vault
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Vault Role"
-	VaultRole string `json:"vaultRole,omitempty" yaml:"vaultRole,omitempty"`
+	// Vaults are the vault configurations
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault Configurations"
+	Vaults []Vault `json:"vaultConfigurations,omitempty" yaml:"vaultConfigurations,omitempty"`
 
 	// skipCertificateValidation is the flag to skip certificate validation
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization Skip Certificate Validation"
 	SkipCertificateValidation bool `json:"skipCertificateValidation,omitempty" yaml:"skipCertificateValidation,omitempty"`
 
-	// kvEnginePath is the Authorization vault secret path
-	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization KV Engine Path"
-	KvEnginePath string `json:"kvEnginePath,omitempty" yaml:"kvEnginePath,omitempty"`
-
 	// RedisName is the name of the redis statefulset
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redis StatefulSet Name"
 	RedisName string `json:"redisName,omitempty" yaml:"redisName,omitempty"`
@@ -516,3 +508,34 @@ type Credkey struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="AccessKey"
 	AccessKey string `json:"aws_secret_access_key,omitempty" yaml:"aws_secret_access_key,omitempty"`
 }
+
+// Vault is the configuration for a vault instance struct
+type Vault struct {
+	// Identifier is the identifier for this vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault Identifier"
+	Identifier string `json:"identifier,omitempty" yaml:"identifier,omitempty"`
+
+	// Address is the address for this vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault Address"
+	Address string `json:"address,omitempty" yaml:"address,omitempty"`
+
+	// Role is the role for this vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault Role"
+	Role string `json:"role,omitempty" yaml:"role,omitempty"`
+
+	// SkipCertificateValidation validates the vault server certificate or not
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault Skip Certificate Validation"
+	SkipCertificateValidation bool `json:"skipCertificateValidation,omitempty" yaml:"skipCertificateValidation,omitempty"`
+
+	// ClientCertificate is the base64-encoded certificate for connecting to vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault CLient Certificate"
+	ClientCertificate string `json:"clientCertificate,omitempty" yaml:"clientCertificate,omitempty"`
+
+	// ClientKey validates is the base64-encoded certificate key for connecting to vault
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault CLient Certificate Key"
+	ClientKey string `json:"clientKey,omitempty" yaml:"clientKey,omitempty"`
+
+	// CertificateAuthority is the base64-encoded certificate authority for validaitng the vault certificate
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Vault Certificate Authority"
+	CertificateAuthority string `json:"certificateAuthority,omitempty" yaml:"certificateAuthority,omitempty"`
+}
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/authorization-crds.yaml b/operatorconfig/moduleconfig/authorization/v2.0.0-alpha/authorization-crds.yaml
@@ -258,7 +258,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: storages.csm-authorization.storage.dell.com
 spec:
   group: csm-authorization.storage.dell.com
@@ -294,10 +294,6 @@ spec:
             spec:
               description: StorageSpec defines the desired state of Storage
               properties:
-                credentialPath:
-                  type: string
-                credentialStore:
-                  type: string
                 endpoint:
                   type: string
                 pollInterval:
@@ -311,16 +307,37 @@ spec:
                     INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
                     Important: Run "make" to regenerate code after modifying this file
                   type: string
+                vault:
+                  properties:
+                    identifier:
+                      type: string
+                    kvEngine:
+                      type: string
+                    path:
+                      type: string
+                  type: object
               required:
                 - skipCertificateValidation
               type: object
             status:
               description: StorageStatus defines the observed state of Storage
               properties:
                 conditions:
-                  description: 'Storage.status.conditions.type are: "Available", "NotAvailable", and "UnKnown"'
+                  description:
+                    'Storage.status.conditions.type are: "Available", "NotAvailable",
+                    and "UnKnown"'
                   items:
-                    description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions.  For example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the observations of a foo's current state.\n\t    // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    // +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t    // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t    // other fields\n\t}"
+                    description:
+                      "Condition contains details for one aspect of the current
+                      state of this API Resource.\n---\nThis struct is intended for
+                      direct use as an array at the field path .status.conditions.  For
+                      example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                      observations of a foo's current state.\n\t    // Known .status.conditions.type
+                      are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                      +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                      \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                      patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                      \   // other fields\n\t}"
                     properties:
                       lastTransitionTime:
                         description: |-