diff --git a/CHANGELOG.md b/CHANGELOG.md
index d4842f8..dc65969 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ Changes:
 * Dependency updates:
 * `github.com/hashicorp/vault/sdk` v0.11.1 => v0.12.0
 * `sigs.k8s.io/controller-runtime` v0.17.2 => v0.17.3
-
+* switch to /openbao from /vault for all VolumePaths #25
 ## 1.4.1 (April 8, 2024)
 Changes:
diff --git a/Makefile b/Makefile
index ead281d..6c64462 100644
--- a/Makefile
+++ b/Makefile
@@ -55,7 +55,7 @@ image: build
 # Run multiple times to deploy new builds of the injector.
 OPENBAO_HELM_POST_INSTALL_ARGS ?=
 ifndef TEST_WITHOUT_OPENBAO_TLS
- OPENBAO_HELM_POST_INSTALL_ARGS = "--set=injector.extraEnvironmentVars.AGENT_INJECT_BAO_CACERT_BYTES=$$(kubectl exec openbao-0 -- sh -c 'cat /tmp/vault-ca.pem | base64 -w0')"
+ OPENBAO_HELM_POST_INSTALL_ARGS = "--set=injector.extraEnvironmentVars.AGENT_INJECT_BAO_CACERT_BYTES=$$(kubectl exec openbao-0 -- sh -c 'cat /tmp/openbao-ca.pem | base64 -w0')"
 endif
 deploy:
 helm upgrade --install openbao openbao $(OPENBAO_HELM_DEFAULT_ARGS) \
@@ -85,7 +85,7 @@ exercise:
 --annotations="openbao.org/tls-server-name=openbao-0" \
 --overrides='{ "apiVersion": "v1", "spec": { "serviceAccountName": "test-app-sa" } }'
 kubectl wait --for=condition=Ready --timeout=5m pod nginx
- kubectl exec nginx -c nginx -- cat /vault/secrets/secret.txt
+ kubectl exec nginx -c nginx -- cat /openbao/secrets/secret.txt
 # Teardown any resources created in deploy and exercise targets.
 teardown:
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index 23b6872..8b84e1a 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -166,7 +166,7 @@ type Agent struct {
 CopyVolumeMounts string
 // InjectToken controls whether the auto-auth token is injected into the
- // secrets volume (e.g. /vault/secrets/token)
+ // secrets volume (e.g. /openbao/secrets/token)
 InjectToken bool
 // EnableQuit controls whether the quit endpoint is enabled on a localhost
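Review bot: The new `cat /tmp/openbao-ca.pem` in the `OPENBAO_HELM_POST_INSTALL_ARGS` assignment of the `@@ -55` hunk is not paired with any change in this diff that moves where the openbao-0 pod writes its CA file; if the server side still emits `/tmp/vault-ca.pem`, the `$$(kubectl exec ...)` substitution fails quietly and `AGENT_INJECT_BAO_CACERT_BYTES` is set to an empty string, so the TLS test path runs with no CA material instead of failing. A cheap guard is a first recipe step under the same `ifndef`, e.g. `kubectl exec openbao-0 -- test -s /tmp/openbao-ca.pem`, so `make deploy` stops when the file is absent or empty. The `deploy` recipe continues past the end of the hunk, so the rest of it is not visible here. The `@@ -85` hunk's `/openbao/secrets/secret.txt` is consistent with the new `secretVolumePath` default and needs nothing further.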
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index 7d07646..a631310 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -81,7 +81,7 @@ const (
 AnnotationAgentInjectTemplateFile = "openbao.org/agent-inject-template-file"
 // AnnotationAgentInjectToken is the annotation key for injecting the
- // auto-auth token into the secrets volume (e.g. /vault/secrets/token)
+ // auto-auth token into the secrets volume (e.g. /openbao/secrets/token)
 AnnotationAgentInjectToken = "openbao.org/agent-inject-token"
 // AnnotationAgentInjectCommand is the key annotation that configures Openbao Agent
diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go
index 551b286..bf18b33 100644
--- a/agent-inject/agent/config_test.go
+++ b/agent-inject/agent/config_test.go
@@ -27,7 +27,7 @@ func TestNewConfig(t *testing.T) {
 AnnotationOpenbaoCAKey: "ca-key",
 AnnotationOpenbaoClientCert: "client-cert",
 AnnotationOpenbaoClientKey: "client-key",
- AnnotationOpenbaoSecretVolumePath: "/vault/secrets",
+ AnnotationOpenbaoSecretVolumePath: "/openbao/secrets",
 AnnotationProxyAddress: "http://proxy:3128",
 "openbao.org/agent-inject-secret-foo": "db/creds/foo",
 "openbao.org/agent-inject-template-foo": "template foo",
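Review bot: The `AnnotationOpenbaoSecretVolumePath: "/openbao/secrets"` value in the `@@ -27` hunk of `TestNewConfig` is the same string the `secretVolumePath` constant in container_volume.go now defaults to, so the test can no longer tell whether the annotation override is honoured or the default was used (the old value coincided with the old default in the same way). Setting it to a distinct path, e.g. `AnnotationOpenbaoSecretVolumePath: "/custom/secrets",`, and updating the expected destinations in the `@@ -127` and `@@ -167` hunks to match would make the override observable. `TestNewConfig` starts before and continues after the hunk, so other uses of this annotation in the test are not visible here.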
@@ -127,16 +127,16 @@ func TestNewConfig(t *testing.T) {
 for _, template := range config.Templates {
 if strings.Contains(template.Destination, "foo") {
- if template.Destination != "/vault/secrets/foo" {
- t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/foo", template.Destination)
+ if template.Destination != "/openbao/secrets/foo" {
+ t.Errorf("expected template destination to be %s, got %s", "/openbao/secrets/foo", template.Destination)
 }
 if template.Contents != "template foo" {
 t.Errorf("expected template contents to be %s, got %s", "template foo", template.Contents)
 }
 } else if strings.Contains(template.Destination, "bar") {
- if template.Destination != "/vault/secrets/bar" {
- t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/bar", template.Destination)
+ if template.Destination != "/openbao/secrets/bar" {
+ t.Errorf("expected template destination to be %s, got %s", "/openbao/secrets/bar", template.Destination)
 }
 if !strings.Contains(template.Contents, "with secret \"db/creds/bar\"") {
@@ -167,8 +167,8 @@ func TestNewConfig(t *testing.T) {
 t.Errorf("expected template command to be %s, got %s", "/tmp/smth.sh", template.Command)
 }
 } else if template.Source == "just-template-file" {
- if template.Destination != "/vault/secrets/just-template-file" {
- t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/just-template-file", template.Destination)
+ if template.Destination != "/openbao/secrets/just-template-file" {
+ t.Errorf("expected template destination to be %s, got %s", "/openbao/secrets/just-template-file", template.Destination)
 }
 } else {
 t.Error("shouldn't have got here")
@@ -512,7 +512,7 @@ func TestConfigOpenbaoAgentCache_persistent(t *testing.T) {
 UseAutoAuthToken: "true",
 Persist: &CachePersist{
 Type: "kubernetes",
- Path: "/vault/agent-cache",
+ Path: "/openbao/agent-cache",
 },
 },
 expectedListeners: []*Listener{
@@ -534,7 +534,7 @@ func TestConfigOpenbaoAgentCache_persistent(t *testing.T) {
 UseAutoAuthToken: "true",
 Persist: &CachePersist{
 Type: "kubernetes",
- Path: "/vault/agent-cache",
+ Path: "/openbao/agent-cache",
 ExitOnErr: true,
 },
 },
@@ -813,7 +813,7 @@ func TestConfigAgentQuit(t *testing.T) {
 UseAutoAuthToken: "true",
 Persist: &CachePersist{
 Type: "kubernetes",
- Path: "/vault/agent-cache",
+ Path: "/openbao/agent-cache",
 },
 },
 },
@@ -829,7 +829,7 @@ func TestConfigAgentQuit(t *testing.T) {
 UseAutoAuthToken: "true",
 Persist: &CachePersist{
 Type: "kubernetes",
- Path: "/vault/agent-cache",
+ Path: "/openbao/agent-cache",
 },
 },
 },
diff --git a/agent-inject/agent/container_sidecar_test.go b/agent-inject/agent/container_sidecar_test.go
index e8ec04d..b6fc9af 100644
--- a/agent-inject/agent/container_sidecar_test.go
+++ b/agent-inject/agent/container_sidecar_test.go
@@ -1298,7 +1298,7 @@ func TestAgentJsonPatch(t *testing.T) {
 VolumeMounts: []v1.VolumeMount{
 {Name: "foobar", ReadOnly: true, MountPath: "serviceaccount/somewhere"},
 {Name: "home-sidecar", MountPath: "/home/openbao"},
- {Name: "openbao-secrets", MountPath: "/vault/secrets"},
+ {Name: "openbao-secrets", MountPath: "/openbao/secrets"},
 },
 Lifecycle: &v1.Lifecycle{
 PreStop: &v1.LifecycleHandler{
@@ -1330,7 +1330,7 @@ func TestAgentJsonPatch(t *testing.T) {
 baseInitContainer.VolumeMounts = []v1.VolumeMount{
 {Name: "home-init", MountPath: "/home/openbao"},
 {Name: "foobar", ReadOnly: true, MountPath: "serviceaccount/somewhere"},
- {Name: "openbao-secrets", MountPath: "/vault/secrets"},
+ {Name: "openbao-secrets", MountPath: "/openbao/secrets"},
 }
 baseInitContainer.Lifecycle = nil
diff --git a/agent-inject/agent/container_volume.go b/agent-inject/agent/container_volume.go
index e973b73..9ad028e 100644
--- a/agent-inject/agent/container_volume.go
+++ b/agent-inject/agent/container_volume.go
@@ -15,15 +15,15 @@ const (
 tokenVolumeNameSidecar = "home-sidecar"
 tokenVolumePath = "/home/openbao"
 configVolumeName = "openbao-config"
- configVolumePath = "/vault/configs"
+ configVolumePath = "/openbao/configs"
 secretVolumeName = "openbao-secrets"
 tlsSecretVolumeName = "openbao-tls-secrets"
- tlsSecretVolumePath = "/vault/tls"
- secretVolumePath = "/vault/secrets"
+ tlsSecretVolumePath = "/openbao/tls"
+ secretVolumePath = "/openbao/secrets"
 extraSecretVolumeName = "extra-secrets"
- extraSecretVolumePath = "/vault/custom"
+ extraSecretVolumePath = "/openbao/custom"
 cacheVolumeName = "openbao-agent-cache"
- cacheVolumePath = "/vault/agent-cache"
+ cacheVolumePath = "/openbao/agent-cache"
 )
 func (a *Agent) getUniqueMountPaths() []string {
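Review bot: Changing `secretVolumePath`, `tlsSecretVolumePath`, `extraSecretVolumePath`, `configVolumePath` and `cacheVolumePath` in this const block moves the mount points every injected pod sees by default, so any application that reads `/vault/secrets/...` or `/vault/tls` without an explicit override breaks on upgrade, and the only signal the commit gives is the one-line CHANGELOG entry. The constants carry no comment saying the defaults changed or how to keep the old layout; I would add, above the block, `// Default in-pod mount paths. These moved from /vault/* to /openbao/*; workloads that` / `// hard-code the old secrets path must set AnnotationOpenbaoSecretVolumePath to keep it.` (only the secrets override annotation is visible in this diff, so whether the other paths are overridable should be confirmed before naming them). A "Breaking changes" heading for the CHANGELOG entry would make the upgrade risk visible to operators. `getUniqueMountPaths` begins on the hunk's last line and continues outside it.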