

PR Feedback. Moving vault helper functions to be on the structs they …
…were taking as arguments.
jmurret committed May 18, 2022
1 parent 106e22d commit f7e6353
Showing 7 changed files with 131 additions and 98 deletions.
8 changes: 4 additions & 4 deletions acceptance/framework/vault/helpers.go
Expand Up @@ -98,7 +98,7 @@ type KubernetesAuthRoleConfiguration struct {

// ConfigureKubernetesAuthRole configures a role in Vault for the component for the Kubernetes auth method
// that will be used by the test Helm chart installation.
func ConfigureK8SAuthRole(t *testing.T, vaultClient *vapi.Client, config *KubernetesAuthRoleConfiguration) {
func (config *KubernetesAuthRoleConfiguration) ConfigureK8SAuthRole(t *testing.T, vaultClient *vapi.Client) {
// Create the Auth Roles for the component.
// Auth roles bind policies to Kubernetes service accounts, which
// then enables the Vault agent init container to call 'vault login'
Expand Down Expand Up @@ -132,7 +132,7 @@ type PKIAndAuthRoleConfiguration struct {
SkipPKIMount bool
}

func ConfigurePKIAndAuthRole(t *testing.T, vaultClient *vapi.Client, config *PKIAndAuthRoleConfiguration) {
func (config *PKIAndAuthRoleConfiguration) ConfigurePKIAndAuthRole(t *testing.T, vaultClient *vapi.Client) {
config.CAPath = fmt.Sprintf("%s/cert/ca", config.BaseURL)
// Configure role with read access to <baseURL>/cert/ca
ConfigurePKI(t, vaultClient, config.BaseURL, config.PolicyName,
Expand All @@ -151,7 +151,7 @@ func ConfigurePKIAndAuthRole(t *testing.T, vaultClient *vapi.Client, config *PKI
RoleName: config.RoleName,
PolicyNames: config.PolicyName,
}
ConfigureK8SAuthRole(t, vaultClient, authMethodRoleConfig)
authMethodRoleConfig.ConfigureK8SAuthRole(t, vaultClient)
}

type SaveVaultSecretConfiguration struct {
Expand All @@ -161,7 +161,7 @@ type SaveVaultSecretConfiguration struct {
Value string
}

func SaveSecret(t *testing.T, vaultClient *vapi.Client, config *SaveVaultSecretConfiguration) {
func (config *SaveVaultSecretConfiguration) Save(t *testing.T, vaultClient *vapi.Client) {
policy := fmt.Sprintf(`
path "%s" {
capabilities = ["read"]
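Review bot: The doc comment kept directly above the new `ConfigureK8SAuthRole` receiver signature in the first hunk still begins with `ConfigureKubernetesAuthRole`, so godoc and the usual linters will not associate it with the method; since the signature line is being rewritten anyway, change its opening to `// ConfigureK8SAuthRole configures a role in Vault for the component for the Kubernetes auth method`. The other two new exported methods, `ConfigurePKIAndAuthRole` and `Save`, carry no doc comment at all; a one-line comment starting with the method name on each (`// ConfigurePKIAndAuthRole ...`, `// Save ...`) would keep the package documented, and for `Save` the visible policy literal with `capabilities = ["read"]` is worth stating so callers know a read-only policy is created alongside the secret. Go convention also favours a short receiver name (`c`) over `config`, used consistently across the type's methods, rather than carrying the old parameter name onto the receiver. The body of each of these three functions continues outside its hunk.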
35 changes: 20 additions & 15 deletions acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
Expand Up @@ -63,7 +63,7 @@ func TestSnapshotAgent_Vault(t *testing.T) {
MaxTTL: "1h",
AuthMethodPath: "kubernetes",
}
vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig)
serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)

// -------------------------
// KV2 secrets
Expand All @@ -77,7 +77,7 @@ func TestSnapshotAgent_Vault(t *testing.T) {
Value: gossipKey,
PolicyName: "gossip",
}
vault.SaveSecret(t, vaultClient, gossipSecret)
gossipSecret.Save(t, vaultClient)

// License
licenseSecret := &vault.SaveVaultSecretConfiguration{
Expand All @@ -87,7 +87,7 @@ func TestSnapshotAgent_Vault(t *testing.T) {
PolicyName: "license",
}
if cfg.EnableEnterprise {
vault.SaveSecret(t, vaultClient, licenseSecret)
licenseSecret.Save(t, vaultClient)
}

// Bootstrap Token
Expand All @@ -99,7 +99,7 @@ func TestSnapshotAgent_Vault(t *testing.T) {
Value: bootstrapToken,
PolicyName: "bootstrap",
}
vault.SaveSecret(t, vaultClient, bootstrapTokenSecret)
bootstrapTokenSecret.Save(t, vaultClient)

// Snapshot Agent config
snapshotAgentConfig := generateSnapshotAgentConfig(t, bootstrapToken)
Expand All @@ -110,7 +110,7 @@ func TestSnapshotAgent_Vault(t *testing.T) {
Value: snapshotAgentConfig,
PolicyName: "snapshot-agent-config",
}
vault.SaveSecret(t, vaultClient, snapshotAgentConfigSecret)
snapshotAgentConfigSecret.Save(t, vaultClient)

// -------------------------
// Additional Auth Roles
Expand All @@ -122,55 +122,60 @@ func TestSnapshotAgent_Vault(t *testing.T) {

// server
consulServerRole := "server"
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
srvAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: serverPKIConfig.ServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: consulServerRole,
PolicyNames: serverPolicies,
})
}
srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// client
consulClientRole := "client"
consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client")
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: consulClientServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: consulClientRole,
PolicyNames: gossipSecret.PolicyName,
})
}
clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// manageSystemACLs
manageSystemACLsRole := "server-acl-init"
manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init")
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: manageSystemACLsServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: manageSystemACLsRole,
PolicyNames: bootstrapTokenSecret.PolicyName,
})
}
aclAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// allow all components to access server ca
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
srvCAAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: "*",
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: serverPKIConfig.RoleName,
PolicyNames: serverPKIConfig.PolicyName,
})
}
srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// snapshot agent config
snapAgentRole := "snapshot-agent"
snapAgentServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "snapshot-agent")
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
saAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: snapAgentServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: snapAgentRole,
PolicyNames: fmt.Sprintf("%s,%s", licenseSecret.PolicyName, snapshotAgentConfigSecret.PolicyName),
})
}
saAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

vaultCASecret := vault.CASecretName(vaultReleaseName)

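Review bot: The new local names introduced in the last hunk mix abbreviations with the full words used elsewhere in the same function: `srvAuthRoleConfig` and `srvCAAuthRoleConfig` sit beside `consulServerRole` and `serverPKIConfig`, and `saAuthRoleConfig` reads as "service account" as easily as "snapshot agent". Spelling them out as `serverAuthRoleConfig`, `serverCAAuthRoleConfig` and `snapshotAgentAuthRoleConfig` matches the rest of the file and the `clientAuthRoleConfig`/`aclAuthRoleConfig` pattern this hunk already uses. The `ServiceAccountName: "*"` binding is pre-existing, but now that it has a variable name, something like `anyServiceAccountCAAuthRoleConfig` would make the breadth of that role visible at the call site where it is configured. The same `srv`/`srvCA` names appear in the corresponding hunk of vault_namespaces_test.go. The enclosing `TestSnapshotAgent_Vault` body starts before and ends after this hunk.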
28 changes: 16 additions & 12 deletions acceptance/tests/vault/vault_namespaces_test.go
Expand Up @@ -71,7 +71,7 @@ func TestVault_VaultNamespace(t *testing.T) {
MaxTTL: "1h",
AuthMethodPath: "kubernetes",
}
vault.ConfigurePKIAndAuthRole(t, vaultClient, serverPKIConfig)
serverPKIConfig.ConfigurePKIAndAuthRole(t, vaultClient)

// -------------------------
// KV2 secrets
Expand All @@ -85,7 +85,7 @@ func TestVault_VaultNamespace(t *testing.T) {
Value: gossipKey,
PolicyName: "gossip",
}
vault.SaveSecret(t, vaultClient, gossipSecret)
gossipSecret.Save(t, vaultClient)

// License
licenseSecret := &vault.SaveVaultSecretConfiguration{
Expand All @@ -95,7 +95,7 @@ func TestVault_VaultNamespace(t *testing.T) {
PolicyName: "license",
}
if cfg.EnableEnterprise {
vault.SaveSecret(t, vaultClient, licenseSecret)
licenseSecret.Save(t, vaultClient)
}

//Bootstrap Token
Expand All @@ -107,7 +107,7 @@ func TestVault_VaultNamespace(t *testing.T) {
Value: bootstrapToken,
PolicyName: "bootstrap",
}
vault.SaveSecret(t, vaultClient, bootstrapTokenSecret)
bootstrapTokenSecret.Save(t, vaultClient)

// -------------------------
// Additional Auth Roles
Expand All @@ -119,44 +119,48 @@ func TestVault_VaultNamespace(t *testing.T) {

// server
consulServerRole := "server"
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
srvAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: serverPKIConfig.ServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: consulServerRole,
PolicyNames: serverPolicies,
})
}
srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// client
consulClientRole := "client"
consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client")
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: consulClientServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: consulClientRole,
PolicyNames: gossipSecret.PolicyName,
})
}
clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// manageSystemACLs
manageSystemACLsRole := "server-acl-init"
manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init")
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
aclAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: manageSystemACLsServiceAccountName,
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: manageSystemACLsRole,
PolicyNames: bootstrapTokenSecret.PolicyName,
})
}
aclAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

// allow all components to access server ca
vault.ConfigureK8SAuthRole(t, vaultClient, &vault.KubernetesAuthRoleConfiguration{
srvCAAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{
ServiceAccountName: "*",
KubernetesNamespace: ns,
AuthMethodPath: "kubernetes",
RoleName: serverPKIConfig.RoleName,
PolicyNames: serverPKIConfig.PolicyName,
})
}
srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient)

vaultCASecret := vault.CASecretName(vaultReleaseName)

