From d15f744211210afb24f8bc4ba927ee8143f13f0e Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 24 Jan 2022 21:05:07 +0000 Subject: [PATCH] Deprecate -write-secrets and -health_addr flags (#133) --- .circleci/config.yml | 3 --- .github/workflows/build.yml | 1 - .release/ci.hcl | 2 +- CHANGELOG.md | 6 ++++++ Makefile | 20 ++------------------ internal/provider/provider.go | 13 +++---------- internal/server/server.go | 9 ++++----- main.go | 22 +++++++++------------- 8 files changed, 25 insertions(+), 51 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index bc1c294..866afe4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -96,9 +96,6 @@ jobs: make e2e-setup export DISPLAY_SETUP_TEARDOWN_LOGS=true make e2e-test - # Now switch the behaviour of --write-secrets and run the tests a second time. - make e2e-switch-write-secrets - make e2e-test workflows: version: 2 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 31725e8..b7aae1b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,4 +91,3 @@ jobs: arch: ${{matrix.arch}} tags: | docker.io/hashicorp/${{env.repo}}:${{env.version}} - ecr.public.aws/hashicorp/${{env.repo}}:${{env.version}} diff --git a/.release/ci.hcl b/.release/ci.hcl index c03a267..b68c516 100644 --- a/.release/ci.hcl +++ b/.release/ci.hcl @@ -91,6 +91,6 @@ event "verify" { } notification { - on = "always" + on = "fail" } } \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index fc4a899..c5926c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ ## Unreleased +CHANGES: + +* `-write-secrets` flag removed. All secrets are now written to the filesystem by the CSI secrets store driver. [[GH-133](https://github.com/hashicorp/vault-csi-provider/pull/133)] + * **NOTE:** CSI secrets store driver v0.0.21+ is required. +* `-health_addr` flag removed, use `-health-addr` instead. [[GH-133](https://github.com/hashicorp/vault-csi-provider/pull/133)] + ## 0.4.0 (January 12th, 2022) CHANGES: diff --git a/Makefile b/Makefile index e2e945a..351dce1 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ REGISTRY_NAME?=docker.io/hashicorp IMAGE_NAME=vault-csi-provider # VERSION defines the next version to build/release -VERSION?=0.4.0 +VERSION?=1.0.0 IMAGE_TAG=$(REGISTRY_NAME)/$(IMAGE_NAME):$(VERSION) IMAGE_TAG_LATEST=$(REGISTRY_NAME)/$(IMAGE_NAME):latest BUILD_DATE=$$(date +%Y-%m-%d-%H:%M) @@ -13,7 +13,7 @@ CSI_DRIVER_VERSION=1.0.0 VAULT_HELM_VERSION=0.16.1 CI_TEST_ARGS?= -.PHONY: default build test lint image e2e-container e2e-setup e2e-teardown e2e-test e2e-switch-write-secrets e2e-set-write-secrets mod setup-kind version promote-staging-manifest +.PHONY: default build test lint image e2e-container e2e-setup e2e-teardown e2e-test mod setup-kind version promote-staging-manifest GO111MODULE?=on export GO111MODULE @@ -80,22 +80,6 @@ e2e-teardown: e2e-test: bats test/bats/provider.bats -# Check the current behaviour of -write-secrets flag and switch it. -# If the flag is missing, switch to true because the default is false. -e2e-switch-write-secrets: - @if [ "$(shell kubectl get pods -n csi -l app.kubernetes.io/name=vault-csi-provider -o json | jq -r '.items[0].spec.containers[0].args[] | match("-write_secrets=(true|false)").captures[0].string')" = "true" ]; then\ - WRITE_SECRETS=false make e2e-set-write-secrets;\ - else\ - WRITE_SECRETS=true make e2e-set-write-secrets;\ - fi - -e2e-set-write-secrets: - helm upgrade vault https://github.com/hashicorp/vault-helm/archive/v$(VAULT_HELM_VERSION).tar.gz \ - --wait --timeout=5m \ - --namespace=csi \ - --values=test/bats/configs/vault/vault.values.yaml \ - --set "csi.extraArgs={-write-secrets=$(WRITE_SECRETS)}";\ - mod: @go mod tidy diff --git a/internal/provider/provider.go b/internal/provider/provider.go index 46dece0..a09af46 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -227,7 +227,7 @@ func (p *provider) getSecret(ctx context.Context, client *api.Client, secretConf } // MountSecretsStoreObjectContent mounts content of the vault object to target path -func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config, writeSecrets bool) (*pb.MountResponse, error) { +func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config) (*pb.MountResponse, error) { versions := make(map[string]string) client, err := vaultclient.New(cfg.Parameters.VaultAddress, cfg.Parameters.VaultTLSConfig) @@ -255,15 +255,8 @@ func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config, wr } versions[fmt.Sprintf("%s:%s:%s", secret.ObjectName, secret.SecretPath, secret.Method)] = "0" - if writeSecrets { - err = writeSecret(p.logger, cfg.TargetPath, secret.ObjectName, content, cfg.FilePermission) - if err != nil { - return nil, err - } - } else { - files = append(files, &pb.File{Path: secret.ObjectName, Mode: int32(cfg.FilePermission), Contents: content}) - p.logger.Info("secret added to mount response", "directory", cfg.TargetPath, "file", secret.ObjectName) - } + files = append(files, &pb.File{Path: secret.ObjectName, Mode: int32(cfg.FilePermission), Contents: content}) + p.logger.Info("secret added to mount response", "directory", cfg.TargetPath, "file", secret.ObjectName) } var ov []*pb.ObjectVersion diff --git a/internal/server/server.go b/internal/server/server.go index ef384ae..29415a0 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -17,10 +17,9 @@ var ( // Server implements the secrets-store-csi-driver provider gRPC service interface. type Server struct { - Logger hclog.Logger - VaultAddr string - VaultMount string - WriteSecrets bool + Logger hclog.Logger + VaultAddr string + VaultMount string } func (p *Server) Version(context.Context, *pb.VersionRequest) (*pb.VersionResponse, error) { @@ -38,7 +37,7 @@ func (p *Server) Mount(ctx context.Context, req *pb.MountRequest) (*pb.MountResp } provider := provider.NewProvider(p.Logger.Named("provider")) - resp, err := provider.HandleMountRequest(ctx, cfg, p.WriteSecrets) + resp, err := provider.HandleMountRequest(ctx, cfg) if err != nil { return nil, fmt.Errorf("error making mount request: %w", err) } diff --git a/main.go b/main.go index 5633d42..d25940e 100644 --- a/main.go +++ b/main.go @@ -30,16 +30,13 @@ func main() { func realMain(logger hclog.Logger) error { var ( - endpoint = flag.String("endpoint", "/tmp/vault.sock", "path to socket on which to listen for driver gRPC calls") - debug = flag.Bool("debug", false, "sets log to debug level") - selfVersion = flag.Bool("version", false, "prints the version information") - vaultAddr = flag.String("vault-addr", "https://127.0.0.1:8200", "default address for connecting to Vault") - vaultMount = flag.String("vault-mount", "kubernetes", "default Vault mount path for Kubernetes authentication") - writeSecrets = flag.Bool("write-secrets", false, "deprecated, write secrets directly to filesystem (true), or send secrets to CSI driver in gRPC response (false)") - healthAddr = new(string) + endpoint = flag.String("endpoint", "/tmp/vault.sock", "path to socket on which to listen for driver gRPC calls") + debug = flag.Bool("debug", false, "sets log to debug level") + selfVersion = flag.Bool("version", false, "prints the version information") + vaultAddr = flag.String("vault-addr", "https://127.0.0.1:8200", "default address for connecting to Vault") + vaultMount = flag.String("vault-mount", "kubernetes", "default Vault mount path for Kubernetes authentication") + healthAddr = flag.String("health-addr", ":8080", "configure http listener for reporting health") ) - flag.StringVar(healthAddr, "health_addr", "", "deprecated, please use -health-addr") - flag.StringVar(healthAddr, "health-addr", ":8080", "configure http listener for reporting health") flag.Parse() // set log level @@ -86,10 +83,9 @@ func realMain(logger hclog.Logger) error { defer listener.Close() s := &providerserver.Server{ - Logger: serverLogger, - VaultAddr: *vaultAddr, - VaultMount: *vaultMount, - WriteSecrets: *writeSecrets, + Logger: serverLogger, + VaultAddr: *vaultAddr, + VaultMount: *vaultMount, } pb.RegisterCSIDriverProviderServer(server, s)