diff --git a/CHANGELOG.md b/CHANGELOG.md index caba766..8a9a3ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,16 @@ ## Unreleased +IMPROVEMENTS: + +* New flags to configure default Vault namespace and TLS details. [[GH-138](https://github.com/hashicorp/vault-csi-provider/pull/138)] + * `-vault-namespace` + * `-vault-tls-ca-cert` + * `-vault-tls-ca-directory` + * `-vault-tls-server-name` + * `-vault-tls-client-cert` + * `-vault-tls-client-key` + * `-vault-tls-skip-verify` + ## 1.0.0 (January 25th, 2022) CHANGES: diff --git a/internal/client/client.go b/internal/client/client.go index 77f6a17..c4f9688 100644 --- a/internal/client/client.go +++ b/internal/client/client.go 
@@ -8,24 +8,47 @@ import ( "github.com/hashicorp/vault/api" ) -func New(vaultAddress string, tlsConfig config.TLSConfig) (*api.Client, error) { +// New creates a Vault client configured for a specific SecretProviderClass (SPC). +// Config is read from environment variables first, then flags, then the SPC in +// ascending order of precedence. +func New(spcParameters config.Parameters, flagsConfig config.FlagsConfig) (*api.Client, error) { cfg := api.DefaultConfig() - err := cfg.ConfigureTLS(&api.TLSConfig{ - CACert: tlsConfig.CACertPath, - CAPath: tlsConfig.CADirectory, - ClientCert: tlsConfig.ClientCertPath, - ClientKey: tlsConfig.ClientKeyPath, - TLSServerName: tlsConfig.TLSServerName, - Insecure: tlsConfig.SkipVerify, - }) + if cfg.Error != nil { + return nil, cfg.Error + } + if err := overlayConfig(cfg, flagsConfig.VaultAddr, flagsConfig.TLSConfig()); err != nil { + return nil, err + } + if err := overlayConfig(cfg, spcParameters.VaultAddress, spcParameters.VaultTLSConfig); err != nil { + return nil, err + } + + client, err := api.NewClient(cfg) if err != nil { return nil, err } - if vaultAddress != "" { - cfg.Address = vaultAddress + + // Set Vault namespace if configured. + if flagsConfig.VaultNamespace != "" { + client.SetNamespace(flagsConfig.VaultNamespace) + } + if spcParameters.VaultNamespace != "" { + client.SetNamespace(spcParameters.VaultNamespace) + } + + return client, nil +} + +func overlayConfig(cfg *api.Config, vaultAddr string, tlsConfig api.TLSConfig) error { + err := cfg.ConfigureTLS(&tlsConfig) + if err != nil { + return err + } + if vaultAddr != "" { + cfg.Address = vaultAddr } - return api.NewClient(cfg) + return nil } func Do(ctx context.Context, c *api.Client, req *api.Request) (*api.Secret, error) { diff --git a/internal/client/client_test.go b/internal/client/client_test.go index e2ee5da..d834ed1 100644 --- a/internal/client/client_test.go +++ b/internal/client/client_test.go 
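Review bot: overlayConfig hands each layer's full api.TLSConfig to cfg.ConfigureTLS, and as far as I recall ConfigureTLS only acts on non-empty fields and only sets InsecureSkipVerify when Insecure is true, so the layering is additive rather than a field-by-field replacement: once VAULT_SKIP_VERIFY or -vault-tls-skip-verify has disabled certificate verification, neither the flags layer nor the SPC parameters can switch it back on, and a CA pool set by a lower layer survives unless the higher layer supplies its own. The doc comment on New says "ascending order of precedence", which reads as if every field is overridden; suggest spelling out the merge behaviour, e.g. `// TLS settings are merged, not replaced: a later layer can add CA/client-cert settings or disable verification, but cannot clear a value an earlier layer set.` overlayConfig itself has no comment; `// overlayConfig applies the non-empty address and TLS settings of one configuration layer on top of cfg.` would do. It is also worth confirming against api.Config.ConfigureTLS that a zero-value api.TLSConfig (the flags layer when no TLS flag is given) leaves the env-derived TLS state untouched, since New now always calls it twice.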
@@ -14,6 +14,8 @@ import ( "time" "github.com/hashicorp/vault-csi-provider/internal/config" + "github.com/hashicorp/vault/api" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -31,30 +33,60 @@ func TestNew(t *testing.T) { for _, tc := range []struct { name string - cfg config.TLSConfig + cfg api.TLSConfig }{ { name: "file", - cfg: config.TLSConfig{ - CACertPath: caPath, + cfg: api.TLSConfig{ + CACert: caPath, }, }, { name: "directory", - cfg: config.TLSConfig{ - CADirectory: "testdata", + cfg: api.TLSConfig{ + CAPath: "testdata", }, }, } { - _, err = New("https://vault:8200", tc.cfg) + _, err = New(config.Parameters{ + VaultTLSConfig: tc.cfg, + }, config.FlagsConfig{}) require.NoError(t, err, tc.name) } } -func TestNew_Error(t *testing.T) { - _, err := New("https://vault:8200", config.TLSConfig{ - CADirectory: "bad_directory", +func TestConfigPrecedence(t *testing.T) { + if originalVaultAddr, isSet := os.LookupEnv(api.EnvVaultAddress); isSet { + defer os.Setenv(api.EnvVaultAddress, originalVaultAddr) + } + err := os.Setenv(api.EnvVaultAddress, "from-env") + require.NoError(t, err) + + client, err := New(config.Parameters{}, config.FlagsConfig{}) + require.NoError(t, err) + assert.Equal(t, "from-env", client.Address()) + + client, err = New(config.Parameters{}, config.FlagsConfig{ + VaultAddr: "from-flags", + }) + require.NoError(t, err) + assert.Equal(t, "from-flags", client.Address()) + + client, err = New(config.Parameters{ + VaultAddress: "from-parameters", + }, config.FlagsConfig{ + VaultAddr: "from-flags", }) + require.NoError(t, err) + assert.Equal(t, "from-parameters", client.Address()) +} + +func TestNew_Error(t *testing.T) { + _, err := New(config.Parameters{ + VaultTLSConfig: api.TLSConfig{ + CAPath: "bad_directory", + }, + }, config.FlagsConfig{}) require.Error(t, err) } diff --git a/internal/config/config.go b/internal/config/config.go index ec4f2f3..fd16524 100644 --- a/internal/config/config.go 
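Review bot: TestConfigPrecedence only restores VAULT_ADDR when it was already set, so when the variable was absent the test leaves it set to "from-env" for every test that runs after it in the package (TestNew_Error follows it in this file). Either add an `else { defer os.Unsetenv(api.EnvVaultAddress) }` branch or, if the module's Go version permits it, replace the LookupEnv/Setenv preamble with `t.Setenv(api.EnvVaultAddress, "from-env")`, which restores the previous state automatically and also fails the test if it is marked parallel.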
+++ b/internal/config/config.go @@ -6,20 +6,51 @@ import ( "os" "strconv" + "github.com/hashicorp/vault/api" "gopkg.in/yaml.v3" "k8s.io/apimachinery/pkg/types" ) -// Config represents all of the provider's configurable behaviour from the MountRequest proto message: +// Config represents all of the provider's configurable behaviour from the SecretProviderClass, +// transmitted in the MountRequest proto message: // * Parameters from the `Attributes` field. // * Plus the rest of the proto fields we consume. // See sigs.k8s.io/secrets-store-csi-driver/provider/v1alpha1/service.pb.go type Config struct { - Parameters + Parameters Parameters TargetPath string FilePermission os.FileMode } +type FlagsConfig struct { + Endpoint string + Debug bool + Version bool + HealthAddr string + + VaultAddr string + VaultMount string + VaultNamespace string + + TLSCACertPath string + TLSCADirectory string + TLSServerName string + TLSClientCert string + TLSClientKey string + TLSSkipVerify bool +} + +func (fc FlagsConfig) TLSConfig() api.TLSConfig { + return api.TLSConfig{ + CACert: fc.TLSCACertPath, + CAPath: fc.TLSCADirectory, + ClientCert: fc.TLSClientCert, + ClientKey: fc.TLSClientKey, + TLSServerName: fc.TLSServerName, + Insecure: fc.TLSSkipVerify, + } +} + // Parameters stores the parameters specified in a mount request's `Attributes` field. // It consists of the parameters section from the SecretProviderClass being mounted // and pod metadata provided by the driver. @@ -34,20 +65,11 @@ type Parameters struct { VaultRoleName string VaultKubernetesMountPath string VaultNamespace string - VaultTLSConfig TLSConfig + VaultTLSConfig api.TLSConfig Secrets []Secret PodInfo PodInfo } -type TLSConfig struct { - CACertPath string - CADirectory string - TLSServerName string - SkipVerify bool - ClientCertPath string - ClientKeyPath string -} - type PodInfo struct { Name string UID types.UID 
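Review bot: FlagsConfig and its TLSConfig method are exported from the config package without doc comments, while the neighbouring Config and Parameters types have them; suggest `// FlagsConfig holds the provider's command-line flags, including the default Vault address, namespace and TLS settings that apply when a SecretProviderClass does not set its own.` on the type and `// TLSConfig converts the TLS flags into the api.TLSConfig consumed by api.Config.ConfigureTLS.` on the method. The environment-variable fallbacks named in the flag help text are read by api.DefaultConfig rather than by this type, so the comment should not present FlagsConfig as the only source of defaults.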
@@ -63,31 +85,29 @@ type Secret struct { SecretArgs map[string]interface{} `yaml:"secretArgs,omitempty"` } -func Parse(parametersStr, targetPath, permissionStr string, defaultVaultAddr string, defaultVaultKubernetesMountPath string) (Config, error) { +func Parse(parametersStr, targetPath, permissionStr string) (Config, error) { config := Config{ TargetPath: targetPath, } var err error - config.Parameters, err = parseParameters(parametersStr, defaultVaultAddr, defaultVaultKubernetesMountPath) + config.Parameters, err = parseParameters(parametersStr) if err != nil { return Config{}, err } - err = json.Unmarshal([]byte(permissionStr), &config.FilePermission) - if err != nil { + if err := json.Unmarshal([]byte(permissionStr), &config.FilePermission); err != nil { return Config{}, err } - err = config.validate() - if err != nil { + if err := config.validate(); err != nil { return Config{}, err } return config, nil } -func parseParameters(parametersStr string, defaultVaultAddress string, defaultVaultKubernetesMountPath string) (Parameters, error) { +func parseParameters(parametersStr string) (Parameters, error) { var params map[string]string err := json.Unmarshal([]byte(parametersStr), ¶ms) if err != nil { 
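Review bot: Parse now mixes two error-handling styles: the parseParameters call still goes through the pre-declared `var err error`, while the two checks after it were converted to `if err := ...; err != nil` initialisers that shadow it. Nothing else reads the outer err, so the first call can take the same shape and the var line can go: `params, err := parseParameters(parametersStr)` / `if err != nil { return Config{}, err }` / `config.Parameters = params`. The parseParameters definition at the end of the hunk continues outside it.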
@@ -98,11 +118,11 @@ func parseParameters(parametersStr string, defaultVaultAddress string, defaultVa parameters.VaultRoleName = params["roleName"] parameters.VaultAddress = params["vaultAddress"] parameters.VaultNamespace = params["vaultNamespace"] - parameters.VaultTLSConfig.CACertPath = params["vaultCACertPath"] - parameters.VaultTLSConfig.CADirectory = params["vaultCADirectory"] + parameters.VaultTLSConfig.CACert = params["vaultCACertPath"] + parameters.VaultTLSConfig.CAPath = params["vaultCADirectory"] parameters.VaultTLSConfig.TLSServerName = params["vaultTLSServerName"] - parameters.VaultTLSConfig.ClientCertPath = params["vaultTLSClientCertPath"] - parameters.VaultTLSConfig.ClientKeyPath = params["vaultTLSClientKeyPath"] + parameters.VaultTLSConfig.ClientCert = params["vaultTLSClientCertPath"] + parameters.VaultTLSConfig.ClientKey = params["vaultTLSClientKeyPath"] parameters.VaultKubernetesMountPath = params["vaultKubernetesMountPath"] parameters.PodInfo.Name = params["csi.storage.k8s.io/pod.name"] parameters.PodInfo.UID = types.UID(params["csi.storage.k8s.io/pod.uid"]) @@ -111,7 +131,7 @@ func parseParameters(parametersStr string, defaultVaultAddress string, defaultVa if skipTLS, ok := params["vaultSkipTLSVerify"]; ok { value, err := strconv.ParseBool(skipTLS) if err == nil { - parameters.VaultTLSConfig.SkipVerify = value + parameters.VaultTLSConfig.Insecure = value } else { return Parameters{}, err } @@ -123,15 +143,6 @@ func parseParameters(parametersStr string, defaultVaultAddress string, defaultVa return Parameters{}, err } - // Set default values. - if parameters.VaultAddress == "" { - parameters.VaultAddress = defaultVaultAddress - } - - if parameters.VaultKubernetesMountPath == "" { - parameters.VaultKubernetesMountPath = defaultVaultKubernetesMountPath - } - return parameters, nil } diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 4d6dc6a..020f23d 100644 --- a/internal/config/config_test.go 
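Review bot: In the vaultSkipTLSVerify branch the rewritten assignment sits inside an `if err == nil { ... } else { return ... }` shape that nests the happy path; since the line is being touched anyway, the early-return form matches the rest of parseParameters: `if err != nil { return Parameters{}, err }` / `parameters.VaultTLSConfig.Insecure = value`. Note that this value comes from the SecretProviderClass, so the SPC on its own can disable certificate verification for its mount; that predates this commit, but now that a flag layer exists it would help to state in the Parameters comment that the SPC setting is applied after the flags and is not overridden by them.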
+++ b/internal/config/config_test.go @@ -6,6 +6,7 @@ import ( "path/filepath" "testing" + "github.com/hashicorp/vault/api" "github.com/stretchr/testify/require" "gopkg.in/yaml.v3" ) @@ -34,8 +35,6 @@ spec: common_name: "internal.example.com" method: "PUT" ` - defaultVaultAddress = "http://127.0.0.1:8200" - defaultVaultKubernetesMountPath = "kubernetes" ) func TestParseParametersFromYaml(t *testing.T) { @@ -52,12 +51,10 @@ func TestParseParametersFromYaml(t *testing.T) { require.NoError(t, err) // This is now the form the provider receives the data in. - params, err := parseParameters(string(paramsBytes), defaultVaultAddress, defaultVaultKubernetesMountPath) + params, err := parseParameters(string(paramsBytes)) require.NoError(t, err) require.Equal(t, Parameters{ - VaultAddress: defaultVaultAddress, - VaultKubernetesMountPath: defaultVaultKubernetesMountPath, Secrets: []Secret{ { ObjectName: "test-certs", @@ -86,19 +83,18 @@ func TestParseParameters(t *testing.T) { // This file's contents are copied directly from a driver mount request. parametersStr, err := ioutil.ReadFile(filepath.Join("testdata", "example-parameters-string.txt")) require.NoError(t, err) - actual, err := parseParameters(string(parametersStr), defaultVaultAddress, defaultVaultKubernetesMountPath) + actual, err := parseParameters(string(parametersStr)) require.NoError(t, err) expected := Parameters{ VaultRoleName: "example-role", VaultAddress: "http://vault:8200", - VaultTLSConfig: TLSConfig{ - SkipVerify: true, + VaultTLSConfig: api.TLSConfig{ + Insecure: true, }, Secrets: []Secret{ {"bar1", "v1/secret/foo1", "", "GET", nil}, {"bar2", "v1/secret/foo2", "", "", nil}, }, - VaultKubernetesMountPath: defaultVaultKubernetesMountPath, PodInfo: PodInfo{ Name: "nginx-secrets-store-inline", UID: "9aeb260f-d64a-426c-9872-95b6bab37e00", 
@@ -112,11 +108,6 @@ func TestParseParameters(t *testing.T) { func TestParseConfig(t *testing.T) { const roleName = "example-role" const targetPath = "/some/path" - defaultParams := Parameters{ - VaultAddress: defaultVaultAddress, - VaultKubernetesMountPath: defaultVaultKubernetesMountPath, - VaultNamespace: "", - } for _, tc := range []struct { name string targetPath string @@ -135,9 +126,9 @@ func TestParseConfig(t *testing.T) { TargetPath: targetPath, FilePermission: 420, Parameters: func() Parameters { - expected := defaultParams + expected := Parameters{} expected.VaultRoleName = roleName - expected.VaultTLSConfig.SkipVerify = true + expected.VaultTLSConfig.Insecure = true expected.Secrets = []Secret{ {"bar1", "v1/secret/foo1", "", "", nil}, } 
@@ -146,38 +137,57 @@ func TestParseConfig(t *testing.T) { }, }, { - name: "non-defaults can be set", + name: "set all options", targetPath: targetPath, parameters: map[string]string{ - "roleName": "example-role", - "vaultSkipTLSVerify": "true", - "vaultAddress": "my-vault-address", - "vaultNamespace": "my-vault-namespace", - "vaultKubernetesMountPath": "my-mount-path", - "KubernetesServiceAccountPath": "my-account-path", - "objects": objects, + "roleName": "example-role", + "vaultSkipTLSVerify": "true", + "vaultAddress": "my-vault-address", + "vaultNamespace": "my-vault-namespace", + "vaultKubernetesMountPath": "my-mount-path", + "vaultCACertPath": "my-ca-cert-path", + "vaultCADirectory": "my-ca-directory", + "vaultTLSServerName": "mytls-server-name", + "vaultTLSClientCertPath": "my-tls-client-cert-path", + "vaultTLSClientKeyPath": "my-tls-client-key-path", + "csi.storage.k8s.io/pod.name": "my-pod-name", + "csi.storage.k8s.io/pod.uid": "my-pod-uid", + "csi.storage.k8s.io/pod.namespace": "my-pod-namespace", + "csi.storage.k8s.io/serviceAccount.name": "my-pod-sa-name", + "objects": objects, }, expected: Config{ TargetPath: targetPath, FilePermission: 420, - Parameters: func() Parameters { - expected := defaultParams - expected.VaultRoleName = roleName - expected.VaultAddress = "my-vault-address" - expected.VaultNamespace = "my-vault-namespace" - expected.VaultKubernetesMountPath = "my-mount-path" - expected.VaultTLSConfig.SkipVerify = true - expected.Secrets = []Secret{ + Parameters: Parameters{ + VaultRoleName: roleName, + VaultAddress: "my-vault-address", + VaultNamespace: "my-vault-namespace", + VaultKubernetesMountPath: "my-mount-path", + Secrets: []Secret{ {"bar1", "v1/secret/foo1", "", "", nil}, - } - return expected - }(), + }, + VaultTLSConfig: api.TLSConfig{ + CACert: "my-ca-cert-path", + CAPath: "my-ca-directory", + ClientCert: "my-tls-client-cert-path", + ClientKey: "my-tls-client-key-path", + TLSServerName: "mytls-server-name", + Insecure: true, + }, + 
PodInfo: PodInfo{ + "my-pod-name", + "my-pod-uid", + "my-pod-namespace", + "my-pod-sa-name", + }, + }, }, }, } { parametersStr, err := json.Marshal(tc.parameters) require.NoError(t, err) - cfg, err := Parse(string(parametersStr), tc.targetPath, "420", defaultVaultAddress, defaultVaultKubernetesMountPath) + cfg, err := Parse(string(parametersStr), tc.targetPath, "420") require.NoError(t, err, tc.name) require.Equal(t, tc.expected, cfg) } @@ -207,7 +217,7 @@ func TestParseConfig_Errors(t *testing.T) { } { parametersStr, err := json.Marshal(tc.parameters) require.NoError(t, err) - _, err = Parse(string(parametersStr), "/some/path", "420", defaultVaultAddress, defaultVaultKubernetesMountPath) + _, err = Parse(string(parametersStr), "/some/path", "420") require.Error(t, err, tc.name) } } @@ -216,7 +226,7 @@ func TestValidateConfig(t *testing.T) { minimumValid := Config{ TargetPath: "a", Parameters: Parameters{ - VaultAddress: defaultVaultAddress, + VaultAddress: "http://127.0.0.1:8200", VaultRoleName: "b", Secrets: []Secret{{}}, }, @@ -235,7 +245,7 @@ func TestValidateConfig(t *testing.T) { name: "No role name", cfg: func() Config { cfg := minimumValid - cfg.VaultRoleName = "" + cfg.Parameters.VaultRoleName = "" return cfg }(), }, @@ -251,7 +261,7 @@ func TestValidateConfig(t *testing.T) { name: "No secrets configured", cfg: func() Config { cfg := minimumValid - cfg.Secrets = []Secret{} + cfg.Parameters.Secrets = []Secret{} return cfg }(), }, diff --git a/internal/provider/provider.go b/internal/provider/provider.go index a09af46..b15c886 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go 
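Review bot: The PodInfo literal in the "set all options" case uses positional fields (`PodInfo{ "my-pod-name", "my-pod-uid", ... }`) while every other struct literal in the same expected value is keyed; a positional literal silently pairs values with the wrong fields if PodInfo's field order ever changes, and with four string-typed fields the mistake would not be caught at compile time. Suggest writing it with keyed fields (Name, UID and the namespace and service-account fields) like the VaultTLSConfig literal just above it.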
@@ -227,18 +227,17 @@ func (p *provider) getSecret(ctx context.Context, client *api.Client, secretConf } // MountSecretsStoreObjectContent mounts content of the vault object to target path -func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config) (*pb.MountResponse, error) { +func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config, flagsConfig config.FlagsConfig) (*pb.MountResponse, error) { versions := make(map[string]string) - client, err := vaultclient.New(cfg.Parameters.VaultAddress, cfg.Parameters.VaultTLSConfig) + client, err := vaultclient.New(cfg.Parameters, flagsConfig) if err != nil { return nil, err } - // Set Vault namespace if configured - if cfg.VaultNamespace != "" { - p.logger.Debug("setting Vault namespace", "namespace", cfg.VaultNamespace) - client.SetNamespace(cfg.VaultNamespace) + // Set default k8s auth path if unset. + if cfg.Parameters.VaultKubernetesMountPath == "" { + cfg.Parameters.VaultKubernetesMountPath = flagsConfig.VaultMount } // Authenticate to vault using the jwt token diff --git a/internal/server/server.go b/internal/server/server.go index a61f827..85022a5 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -17,12 +17,18 @@ var ( // Server implements the secrets-store-csi-driver provider gRPC service interface. type Server struct { - Logger hclog.Logger - VaultAddr string - VaultMount string + logger hclog.Logger + flagsConfig config.FlagsConfig } -func (p *Server) Version(context.Context, *pb.VersionRequest) (*pb.VersionResponse, error) { +func NewServer(logger hclog.Logger, flagsConfig config.FlagsConfig) *Server { + return &Server{ + logger: logger, + flagsConfig: flagsConfig, + } +} + +func (s *Server) Version(context.Context, *pb.VersionRequest) (*pb.VersionResponse, error) { return &pb.VersionResponse{ Version: "v1alpha1", RuntimeName: "vault-csi-provider", 
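Review bot: The comment above the new HandleMountRequest signature still reads `// MountSecretsStoreObjectContent mounts content of the vault object to target path`, which is not the function's name, so godoc does not attach it and readers are pointed at a name that does not exist; suggest `// HandleMountRequest builds a Vault client from the SPC parameters and provider flags, authenticates, and writes the requested secrets to the mount's target path.` (adjust to what the body actually does, since it continues outside the hunk). The `p.logger.Debug("setting Vault namespace", ...)` line was dropped together with the moved namespace logic and nothing in client.New logs it; if that trace was useful when diagnosing namespace mix-ups, consider logging the effective namespace here, e.g. `p.logger.Debug("using Vault namespace", "namespace", client.Namespace())` if the api.Client in use exposes that getter.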
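Review bot: NewServer is a new exported constructor without a doc comment, and because Server's fields are now unexported the zero value of Server is no longer usable from outside the package, which the comment should say: `// NewServer returns a Server that serves mount requests using the given logger and provider flags; a Server must be built with NewServer.` The existing `// Server implements ...` comment on the struct could carry the same pointer to NewServer.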
@@ -30,14 +36,14 @@ func (p *Server) Version(context.Context, *pb.VersionRequest) (*pb.VersionRespon }, nil } -func (p *Server) Mount(ctx context.Context, req *pb.MountRequest) (*pb.MountResponse, error) { - cfg, err := config.Parse(req.Attributes, req.TargetPath, req.Permission, p.VaultAddr, p.VaultMount) +func (s *Server) Mount(ctx context.Context, req *pb.MountRequest) (*pb.MountResponse, error) { + cfg, err := config.Parse(req.Attributes, req.TargetPath, req.Permission) if err != nil { return nil, err } - provider := provider.NewProvider(p.Logger.Named("provider")) - resp, err := provider.HandleMountRequest(ctx, cfg) + provider := provider.NewProvider(s.logger.Named("provider")) + resp, err := provider.HandleMountRequest(ctx, cfg, s.flagsConfig) if err != nil { return nil, fmt.Errorf("error making mount request: %w", err) } diff --git a/main.go b/main.go index d25940e..0f790ef 100644 --- a/main.go +++ b/main.go @@ -12,6 +12,7 @@ import ( "time" "github.com/hashicorp/go-hclog" + "github.com/hashicorp/vault-csi-provider/internal/config" providerserver "github.com/hashicorp/vault-csi-provider/internal/server" "github.com/hashicorp/vault-csi-provider/internal/version" "google.golang.org/grpc" 
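Review bot: In Mount the local `provider := provider.NewProvider(...)` shadows the imported provider package for the rest of the function, so any later reference to the package (a second constructor, an error type) would resolve to the value instead; rename the local, `p := provider.NewProvider(s.logger.Named("provider"))` / `resp, err := p.HandleMountRequest(ctx, cfg, s.flagsConfig)`. The shadowing predates the commit, but both lines are rewritten here.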
@@ -29,23 +30,31 @@ func main() { } func realMain(logger hclog.Logger) error { - var ( - endpoint = flag.String("endpoint", "/tmp/vault.sock", "path to socket on which to listen for driver gRPC calls") - debug = flag.Bool("debug", false, "sets log to debug level") - selfVersion = flag.Bool("version", false, "prints the version information") - vaultAddr = flag.String("vault-addr", "https://127.0.0.1:8200", "default address for connecting to Vault") - vaultMount = flag.String("vault-mount", "kubernetes", "default Vault mount path for Kubernetes authentication") - healthAddr = flag.String("health-addr", ":8080", "configure http listener for reporting health") - ) + var flags = config.FlagsConfig{} + flag.StringVar(&flags.Endpoint, "endpoint", "/tmp/vault.sock", "Path to socket on which to listen for driver gRPC calls.") + flag.BoolVar(&flags.Debug, "debug", false, "Sets log to debug level.") + flag.BoolVar(&flags.Version, "version", false, "Prints the version information.") + flag.StringVar(&flags.HealthAddr, "health-addr", ":8080", "Configure http listener for reporting health.") + + flag.StringVar(&flags.VaultAddr, "vault-addr", "https://127.0.0.1:8200", "Default address for connecting to Vault. Can also be specified via the VAULT_ADDR environment variable.") + flag.StringVar(&flags.VaultMount, "vault-mount", "kubernetes", "Default Vault mount path for Kubernetes authentication.") + flag.StringVar(&flags.VaultNamespace, "vault-namespace", "", "Default Vault namespace for Vault requests. Can also be specified via the VAULT_NAMESPACE environment variable.") + + flag.StringVar(&flags.TLSCACertPath, "vault-tls-ca-cert", "", "Path on disk to a single PEM-encoded CA certificate to trust for Vault. Takes precendence over -vault-tls-ca-directory. Can also be specified via the VAULT_CACERT environment variable.") + flag.StringVar(&flags.TLSCADirectory, "vault-tls-ca-directory", "", "Path on disk to a directory of PEM-encoded CA certificates to trust for Vault. 
Can also be specified via the VAULT_CAPATH environment variable.") + flag.StringVar(&flags.TLSServerName, "vault-tls-server-name", "", "Name to use as the SNI host when connecting to Vault via TLS. Can also be specified via the VAULT_TLS_SERVER_NAME environment variable.") + flag.StringVar(&flags.TLSClientCert, "vault-tls-client-cert", "", "Path on disk to a PEM-encoded client certificate for mTLS communication with Vault. If set, also requires -vault-tls-client-key. Can also be specified via the VAULT_CLIENT_CERT environment variable.") + flag.StringVar(&flags.TLSClientKey, "vault-tls-client-key", "", "Path on disk to a PEM-encoded client key for mTLS communication with Vault. If set, also requires -vault-tls-client-cert. Can also be specified via the VAULT_CLIENT_KEY environment variable.") + flag.BoolVar(&flags.TLSSkipVerify, "vault-tls-skip-verify", false, "Disable verification of TLS certificates. Can also be specified via the VAULT_SKIP_VERIFY environment variable.") flag.Parse() // set log level logger.SetLevel(hclog.Info) - if *debug { + if flags.Debug { logger.SetLevel(hclog.Debug) } - if *selfVersion { + if flags.Version { v, err := version.GetVersion() if err != nil { return fmt.Errorf("failed to print version, err: %w", err) @@ -76,23 +85,19 @@ func realMain(logger hclog.Logger) error { server.GracefulStop() }() - listener, err := listen(logger, *endpoint) + listener, err := listen(logger, flags.Endpoint) if err != nil { return err } defer listener.Close() - s := &providerserver.Server{ - Logger: serverLogger, - VaultAddr: *vaultAddr, - VaultMount: *vaultMount, - } - pb.RegisterCSIDriverProviderServer(server, s) + srv := providerserver.NewServer(serverLogger, flags) + pb.RegisterCSIDriverProviderServer(server, srv) // Create health handler mux := http.NewServeMux() ms := http.Server{ - Addr: *healthAddr, + Addr: flags.HealthAddr, Handler: mux, } defer func() { 
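Review bot: The help text for -vault-tls-ca-cert misspells "precedence" as "precendence"; it is user-visible in --help, so the string should read `Takes precedence over -vault-tls-ca-directory.` Style-wise, `var flags = config.FlagsConfig{}` is the one local in realMain declared with var plus an explicit zero literal; `var flags config.FlagsConfig` (or `flags := config.FlagsConfig{}`) is the idiomatic form. The realMain body continues beyond this hunk.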
@@ -108,7 +113,7 @@ func realMain(logger hclog.Logger) error { // Start health handler go func() { - logger.Info("Starting health handler", "addr", *healthAddr) + logger.Info("Starting health handler", "addr", flags.HealthAddr) if err := ms.ListenAndServe(); err != nil && err != http.ErrServerClosed { logger.Error("Error with health handler", "error", err) } diff --git a/test/bats/configs/nginx/templates/nginix.yaml b/test/bats/configs/nginx/templates/nginix.yaml index 8c03b89..686260d 100644 --- a/test/bats/configs/nginx/templates/nginix.yaml +++ b/test/bats/configs/nginx/templates/nginix.yaml @@ -12,6 +12,7 @@ spec: terminationGracePeriodSeconds: 0 containers: - image: docker.mirror.hashicorp.services/nginx + imagePullPolicy: IfNotPresent name: nginx volumeMounts: - name: secrets-store-inline diff --git a/test/bats/configs/vault-kv-secretproviderclass.yaml b/test/bats/configs/vault-kv-secretproviderclass.yaml index 415d94a..c133204 100644 --- a/test/bats/configs/vault-kv-secretproviderclass.yaml +++ b/test/bats/configs/vault-kv-secretproviderclass.yaml @@ -7,10 +7,6 @@ spec: provider: vault parameters: roleName: "kv-role" - vaultAddress: https://vault:8200 - vaultCACertPath: /mnt/tls/ca.crt - vaultTLSClientCertPath: /mnt/tls/client.crt - vaultTLSClientKeyPath: /mnt/tls/client.key objects: | - objectName: "secret-1" secretPath: "secret/data/kv1" diff --git a/test/bats/configs/vault/vault.values.yaml b/test/bats/configs/vault/vault.values.yaml index 30605de..f3beed1 100644 --- a/test/bats/configs/vault/vault.values.yaml +++ b/test/bats/configs/vault/vault.values.yaml @@ -47,6 +47,11 @@ server: csi: enabled: true debug: true + extraArgs: + - -vault-addr=https://vault:8200 + - -vault-tls-ca-cert=/mnt/tls/ca.crt + - -vault-tls-client-cert=/mnt/tls/client.crt + - -vault-tls-client-key=/mnt/tls/client.key image: repository: "e2e/vault-csi-provider"