Deprecate -write-secrets and -health_addr flags

.circleci/config.yml

@@ -96,9 +96,6 @@ jobs:
             make e2e-setup
             export DISPLAY_SETUP_TEARDOWN_LOGS=true
             make e2e-test
-            # Now switch the behaviour of --write-secrets and run the tests a second time.
-            make e2e-switch-write-secrets
-            make e2e-test
 
 workflows:
   version: 2

.github/workflows/build.yml

@@ -90,5 +90,4 @@ jobs:
           target: default
           arch: ${{matrix.arch}}
           tags: |
-            docker.io/hashicorp/${{env.repo}}:${{env.version}}
-            ecr.public.aws/hashicorp/${{env.repo}}:${{env.version}}
+            docker.io/hashicorp/${{env.repo}}:${{env.version}}

.release/ci.hcl

@@ -91,6 +91,6 @@ event "verify" {
   }
 
   notification {
-    on = "always"
+    on = "fail"
   }
 }

CHANGELOG.md

@@ -1,5 +1,11 @@
 ## Unreleased
 
+CHANGES:
+
+* `-write-secrets` flag removed. All secrets are now written to the filesystem by the CSI secrets store driver. [[GH-133](https://github.com/hashicorp/vault-csi-provider/pull/133)]
+  * **NOTE:** CSI secrets store driver v0.0.21+ is required.
+* `-health_addr` flag removed, use `-health-addr` instead. [[GH-133](https://github.com/hashicorp/vault-csi-provider/pull/133)]
+
 ## 0.4.0 (January 12th, 2022)
 
 CHANGES:

Makefile

@@ -1,7 +1,7 @@
 REGISTRY_NAME?=docker.io/hashicorp
 IMAGE_NAME=vault-csi-provider
 # VERSION defines the next version to build/release
-VERSION?=0.4.0
+VERSION?=1.0.0
 IMAGE_TAG=$(REGISTRY_NAME)/$(IMAGE_NAME):$(VERSION)
 IMAGE_TAG_LATEST=$(REGISTRY_NAME)/$(IMAGE_NAME):latest
 BUILD_DATE=$$(date +%Y-%m-%d-%H:%M)
@@ -13,7 +13,7 @@ CSI_DRIVER_VERSION=1.0.0
 VAULT_HELM_VERSION=0.16.1
 CI_TEST_ARGS?=
 
-.PHONY: default build test lint image e2e-container e2e-setup e2e-teardown e2e-test e2e-switch-write-secrets e2e-set-write-secrets mod setup-kind version promote-staging-manifest
+.PHONY: default build test lint image e2e-container e2e-setup e2e-teardown e2e-test mod setup-kind version promote-staging-manifest
 
 GO111MODULE?=on
 export GO111MODULE
@@ -80,22 +80,6 @@ e2e-teardown:
 e2e-test:
 	bats test/bats/provider.bats
 
-# Check the current behaviour of -write-secrets flag and switch it.
-# If the flag is missing, switch to true because the default is false.
-e2e-switch-write-secrets:
-	@if [ "$(shell kubectl get pods -n csi -l app.kubernetes.io/name=vault-csi-provider -o json | jq -r '.items[0].spec.containers[0].args[] | match("-write_secrets=(true|false)").captures[0].string')" = "true" ]; then\
-		WRITE_SECRETS=false make e2e-set-write-secrets;\
-	else\
-		WRITE_SECRETS=true make e2e-set-write-secrets;\
-	fi
-
-e2e-set-write-secrets:
-	helm upgrade vault https://github.com/hashicorp/vault-helm/archive/v$(VAULT_HELM_VERSION).tar.gz \
-		--wait --timeout=5m \
-		--namespace=csi \
-		--values=test/bats/configs/vault/vault.values.yaml \
-		--set "csi.extraArgs={-write-secrets=$(WRITE_SECRETS)}";\
-
 mod:
 	@go mod tidy
 

internal/provider/provider.go

@@ -227,7 +227,7 @@ func (p *provider) getSecret(ctx context.Context, client *api.Client, secretConf
 }
 
 // MountSecretsStoreObjectContent mounts content of the vault object to target path
-func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config, writeSecrets bool) (*pb.MountResponse, error) {
+func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config) (*pb.MountResponse, error) {
 	versions := make(map[string]string)
 
 	client, err := vaultclient.New(cfg.Parameters.VaultAddress, cfg.Parameters.VaultTLSConfig)
@@ -255,15 +255,8 @@ func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config, wr
 		}
 		versions[fmt.Sprintf("%s:%s:%s", secret.ObjectName, secret.SecretPath, secret.Method)] = "0"
 
-		if writeSecrets {
-			err = writeSecret(p.logger, cfg.TargetPath, secret.ObjectName, content, cfg.FilePermission)
-			if err != nil {
-				return nil, err
-			}
-		} else {
-			files = append(files, &pb.File{Path: secret.ObjectName, Mode: int32(cfg.FilePermission), Contents: content})
-			p.logger.Info("secret added to mount response", "directory", cfg.TargetPath, "file", secret.ObjectName)
-		}
+		files = append(files, &pb.File{Path: secret.ObjectName, Mode: int32(cfg.FilePermission), Contents: content})
+		p.logger.Info("secret added to mount response", "directory", cfg.TargetPath, "file", secret.ObjectName)
 	}
 
 	var ov []*pb.ObjectVersion

internal/server/server.go

@@ -17,10 +17,9 @@ var (
 
 // Server implements the secrets-store-csi-driver provider gRPC service interface.
 type Server struct {
-	Logger       hclog.Logger
-	VaultAddr    string
-	VaultMount   string
-	WriteSecrets bool
+	Logger     hclog.Logger
+	VaultAddr  string
+	VaultMount string
 }
 
 func (p *Server) Version(context.Context, *pb.VersionRequest) (*pb.VersionResponse, error) {
@@ -38,7 +37,7 @@ func (p *Server) Mount(ctx context.Context, req *pb.MountRequest) (*pb.MountResp
 	}
 
 	provider := provider.NewProvider(p.Logger.Named("provider"))
-	resp, err := provider.HandleMountRequest(ctx, cfg, p.WriteSecrets)
+	resp, err := provider.HandleMountRequest(ctx, cfg)
 	if err != nil {
 		return nil, fmt.Errorf("error making mount request: %w", err)
 	}

main.go

@@ -30,16 +30,13 @@ func main() {
 
 func realMain(logger hclog.Logger) error {
 	var (
-		endpoint     = flag.String("endpoint", "/tmp/vault.sock", "path to socket on which to listen for driver gRPC calls")
-		debug        = flag.Bool("debug", false, "sets log to debug level")
-		selfVersion  = flag.Bool("version", false, "prints the version information")
-		vaultAddr    = flag.String("vault-addr", "https://127.0.0.1:8200", "default address for connecting to Vault")
-		vaultMount   = flag.String("vault-mount", "kubernetes", "default Vault mount path for Kubernetes authentication")
-		writeSecrets = flag.Bool("write-secrets", false, "deprecated, write secrets directly to filesystem (true), or send secrets to CSI driver in gRPC response (false)")
-		healthAddr   = new(string)
+		endpoint    = flag.String("endpoint", "/tmp/vault.sock", "path to socket on which to listen for driver gRPC calls")
+		debug       = flag.Bool("debug", false, "sets log to debug level")
+		selfVersion = flag.Bool("version", false, "prints the version information")
+		vaultAddr   = flag.String("vault-addr", "https://127.0.0.1:8200", "default address for connecting to Vault")
+		vaultMount  = flag.String("vault-mount", "kubernetes", "default Vault mount path for Kubernetes authentication")
+		healthAddr  = flag.String("health-addr", ":8080", "configure http listener for reporting health")
 	)
-	flag.StringVar(healthAddr, "health_addr", "", "deprecated, please use -health-addr")
-	flag.StringVar(healthAddr, "health-addr", ":8080", "configure http listener for reporting health")
 	flag.Parse()
 
 	// set log level
@@ -86,10 +83,9 @@ func realMain(logger hclog.Logger) error {
 	defer listener.Close()
 
 	s := &providerserver.Server{
-		Logger:       serverLogger,
-		VaultAddr:    *vaultAddr,
-		VaultMount:   *vaultMount,
-		WriteSecrets: *writeSecrets,
+		Logger:     serverLogger,
+		VaultAddr:  *vaultAddr,
+		VaultMount: *vaultMount,
 	}
 	pb.RegisterCSIDriverProviderServer(server, s)