From 9954df5e682a59aa1292ad3ee888707e1c603e8c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 14 Apr 2023 12:31:41 +0000 Subject: [PATCH] Add role for creating CSI's HMAC secret key (#872) --- templates/csi-daemonset.yaml | 5 +++++ templates/csi-role.yaml | 31 +++++++++++++++++++++++++++ templates/csi-rolebinding.yaml | 24 +++++++++++++++++++++ test/unit/csi-daemonset.bats | 29 ++++++++++++++++++++----- test/unit/csi-role.bats | 39 ++++++++++++++++++++++++++++++++++ test/unit/csi-rolebinding.bats | 22 +++++++++++++++++++ values.yaml | 4 ++++ 7 files changed, 149 insertions(+), 5 deletions(-) create mode 100644 templates/csi-role.yaml create mode 100644 templates/csi-rolebinding.yaml create mode 100644 test/unit/csi-role.bats create mode 100644 test/unit/csi-rolebinding.bats diff --git a/templates/csi-daemonset.yaml b/templates/csi-daemonset.yaml index 0285a0cbb..a32ef7c70 100644 --- a/templates/csi-daemonset.yaml +++ b/templates/csi-daemonset.yaml @@ -54,6 +54,11 @@ spec: args: - --endpoint=/provider/vault.sock - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} {{- if .Values.csi.extraArgs }} {{- toYaml .Values.csi.extraArgs | nindent 12 }} {{- end }} diff --git a/templates/csi-role.yaml b/templates/csi-role.yaml new file mode 100644 index 000000000..dd23af655 --- /dev/null +++ b/templates/csi-role.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-role + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + {{- if .Values.csi.hmacSecretName }} + - {{ .Values.csi.hmacSecretName }} + {{- else }} + - {{ include "vault.name" . }}-csi-provider-hmac-key + {{- end }} +# 'create' permissions cannot be restricted by resource name: +# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +{{- end }} diff --git a/templates/csi-rolebinding.yaml b/templates/csi-rolebinding.yaml new file mode 100644 index 000000000..e61f2dc2d --- /dev/null +++ b/templates/csi-rolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-csi-provider-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/test/unit/csi-daemonset.bats b/test/unit/csi-daemonset.bats index 76c74b37f..3ad9675c4 100644 --- a/test/unit/csi-daemonset.bats +++ b/test/unit/csi-daemonset.bats @@ -168,6 +168,25 @@ load _helpers [ "${actual}" = "--debug=true" ] } +# HMAC secret arg +@test "csi/daemonset: HMAC secret arg is configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=vault-csi-provider-hmac-key" ] + + local actual=$(helm template \ + --show-only templates/csi-daemonset.yaml \ + --set "csi.enabled=true" \ + --set "csi.hmacSecretName=foo" \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].args[2]' | tee /dev/stderr) + [ "${actual}" = "--hmac-secret-name=foo" ] +} + # Extra args @test "csi/daemonset: extra args can be passed" { cd `chart_dir` @@ -176,7 +195,7 @@ load _helpers --set "csi.enabled=true" \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].args | length' | tee /dev/stderr) - [ "${actual}" = "2" ] + [ "${actual}" = "3" ] local object=$(helm template \ --show-only templates/csi-daemonset.yaml \ @@ -186,15 +205,15 @@ load _helpers yq -r '.spec.template.spec.containers[0]') local actual=$(echo $object | yq -r '.args | length' | tee /dev/stderr) - [ "${actual}" = "5" ] + [ "${actual}" = "6" ] local actual=$(echo $object | - yq -r '.args[2]' | tee /dev/stderr) + yq -r '.args[3]' | tee /dev/stderr) [ "${actual}" = "--foo=bar" ] local actual=$(echo $object | - yq -r '.args[3]' | tee /dev/stderr) + yq -r '.args[4]' | tee /dev/stderr) [ "${actual}" = "--bar baz" ] local actual=$(echo $object | - yq -r '.args[4]' | tee /dev/stderr) + yq -r '.args[5]' | tee /dev/stderr) [ "${actual}" = "first" ] } diff --git a/test/unit/csi-role.bats b/test/unit/csi-role.bats new file mode 100644 index 000000000..e7eb7e62c --- /dev/null +++ b/test/unit/csi-role.bats @@ -0,0 +1,39 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/Role: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-role.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/Role: names" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-csi-provider-role" ] + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "vault-csi-provider-hmac-key" ] +} + +@test "csi/Role: HMAC secret name configurable" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-role.yaml \ + --set "csi.enabled=true" \ + --set 'csi.hmacSecretName=foo' \ + . | tee /dev/stderr | + yq -r '.rules[0].resourceNames[0]' | tee /dev/stderr) + [ "${actual}" = "foo" ] +} \ No newline at end of file diff --git a/test/unit/csi-rolebinding.bats b/test/unit/csi-rolebinding.bats new file mode 100644 index 000000000..caf368b74 --- /dev/null +++ b/test/unit/csi-rolebinding.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats + +load _helpers + +@test "csi/RoleBinding: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/csi-rolebinding.yaml \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "csi/RoleBinding: name" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/csi-rolebinding.yaml \ + --set "csi.enabled=true" \ + . | tee /dev/stderr | + yq -r '.metadata.name' | tee /dev/stderr) + [ "${actual}" = "release-name-vault-csi-provider-rolebinding" ] +} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 9df0ffa1a..9e35ac8bc 100644 --- a/values.yaml +++ b/values.yaml @@ -1025,6 +1025,10 @@ csi: # cpu: 50m # memory: 128Mi + # Override the default secret name for the CSI Provider's HMAC key used for + # generating secret versions. + hmacSecretName: "" + # Settings for the daemonSet used to run the provider. daemonSet: updateStrategy: