feat/move from vault mountpoint to openbao

CHANGELOG.md

@@ -4,6 +4,7 @@ Changes:
 * Dependency updates:
   * `github.com/hashicorp/vault/sdk` v0.11.1 => v0.12.0
   * `sigs.k8s.io/controller-runtime` v0.17.2 => v0.17.3
+  * switch to /openbao from /vault for all VolumePaths
 
 ## 1.4.1 (April 8, 2024)
 

Makefile

@@ -55,7 +55,7 @@ image: build
 # Run multiple times to deploy new builds of the injector.
 OPENBAO_HELM_POST_INSTALL_ARGS ?=
 ifndef TEST_WITHOUT_OPENBAO_TLS
-	OPENBAO_HELM_POST_INSTALL_ARGS = "--set=injector.extraEnvironmentVars.AGENT_INJECT_BAO_CACERT_BYTES=$$(kubectl exec openbao-0 -- sh -c 'cat /tmp/vault-ca.pem | base64 -w0')"
+	OPENBAO_HELM_POST_INSTALL_ARGS = "--set=injector.extraEnvironmentVars.AGENT_INJECT_BAO_CACERT_BYTES=$$(kubectl exec openbao-0 -- sh -c 'cat /tmp/openbao-ca.pem | base64 -w0')"
 endif
 deploy:
 	helm upgrade --install openbao openbao $(OPENBAO_HELM_DEFAULT_ARGS) \
@@ -85,7 +85,7 @@ exercise:
 		--annotations="openbao.org/tls-server-name=openbao-0" \
 		--overrides='{ "apiVersion": "v1", "spec": { "serviceAccountName": "test-app-sa" } }'
 	kubectl wait --for=condition=Ready --timeout=5m pod nginx
-	kubectl exec nginx -c nginx -- cat /vault/secrets/secret.txt
+	kubectl exec nginx -c nginx -- cat /openbao/secrets/secret.txt
 
 # Teardown any resources created in deploy and exercise targets.
 teardown:

agent-inject/agent/agent.go

@@ -166,7 +166,7 @@ type Agent struct {
 	CopyVolumeMounts string
 
 	// InjectToken controls whether the auto-auth token is injected into the
-	// secrets volume (e.g. /vault/secrets/token)
+	// secrets volume (e.g. /openbao/secrets/token)
 	InjectToken bool
 
 	// EnableQuit controls whether the quit endpoint is enabled on a localhost

agent-inject/agent/annotations.go

@@ -81,7 +81,7 @@ const (
 	AnnotationAgentInjectTemplateFile = "openbao.org/agent-inject-template-file"
 
 	// AnnotationAgentInjectToken is the annotation key for injecting the
-	// auto-auth token into the secrets volume (e.g. /vault/secrets/token)
+	// auto-auth token into the secrets volume (e.g. /openbao/secrets/token)
 	AnnotationAgentInjectToken = "openbao.org/agent-inject-token"
 
 	// AnnotationAgentInjectCommand is the key annotation that configures Openbao Agent

agent-inject/agent/config_test.go

@@ -27,7 +27,7 @@ func TestNewConfig(t *testing.T) {
 		AnnotationOpenbaoCAKey:                            "ca-key",
 		AnnotationOpenbaoClientCert:                       "client-cert",
 		AnnotationOpenbaoClientKey:                        "client-key",
-		AnnotationOpenbaoSecretVolumePath:                 "/vault/secrets",
+		AnnotationOpenbaoSecretVolumePath:                 "/openbao/secrets",
 		AnnotationProxyAddress:                          "http://proxy:3128",
 		"openbao.org/agent-inject-secret-foo":   "db/creds/foo",
 		"openbao.org/agent-inject-template-foo": "template foo",
@@ -127,16 +127,16 @@ func TestNewConfig(t *testing.T) {
 
 	for _, template := range config.Templates {
 		if strings.Contains(template.Destination, "foo") {
-			if template.Destination != "/vault/secrets/foo" {
-				t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/foo", template.Destination)
+			if template.Destination != "/openbao/secrets/foo" {
+				t.Errorf("expected template destination to be %s, got %s", "/openbao/secrets/foo", template.Destination)
 			}
 
 			if template.Contents != "template foo" {
 				t.Errorf("expected template contents to be %s, got %s", "template foo", template.Contents)
 			}
 		} else if strings.Contains(template.Destination, "bar") {
-			if template.Destination != "/vault/secrets/bar" {
-				t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/bar", template.Destination)
+			if template.Destination != "/openbao/secrets/bar" {
+				t.Errorf("expected template destination to be %s, got %s", "/openbao/secrets/bar", template.Destination)
 			}
 
 			if !strings.Contains(template.Contents, "with secret \"db/creds/bar\"") {
@@ -167,8 +167,8 @@ func TestNewConfig(t *testing.T) {
 				t.Errorf("expected template command to be %s, got %s", "/tmp/smth.sh", template.Command)
 			}
 		} else if template.Source == "just-template-file" {
-			if template.Destination != "/vault/secrets/just-template-file" {
-				t.Errorf("expected template destination to be %s, got %s", "/vault/secrets/just-template-file", template.Destination)
+			if template.Destination != "/openbao/secrets/just-template-file" {
+				t.Errorf("expected template destination to be %s, got %s", "/openbao/secrets/just-template-file", template.Destination)
 			}
 		} else {
 			t.Error("shouldn't have got here")
@@ -512,7 +512,7 @@ func TestConfigOpenbaoAgentCache_persistent(t *testing.T) {
 				UseAutoAuthToken: "true",
 				Persist: &CachePersist{
 					Type: "kubernetes",
-					Path: "/vault/agent-cache",
+					Path: "/openbao/agent-cache",
 				},
 			},
 			expectedListeners: []*Listener{
@@ -534,7 +534,7 @@ func TestConfigOpenbaoAgentCache_persistent(t *testing.T) {
 				UseAutoAuthToken: "true",
 				Persist: &CachePersist{
 					Type:      "kubernetes",
-					Path:      "/vault/agent-cache",
+					Path:      "/openbao/agent-cache",
 					ExitOnErr: true,
 				},
 			},
@@ -813,7 +813,7 @@ func TestConfigAgentQuit(t *testing.T) {
 				UseAutoAuthToken: "true",
 				Persist: &CachePersist{
 					Type: "kubernetes",
-					Path: "/vault/agent-cache",
+					Path: "/openbao/agent-cache",
 				},
 			},
 		},
@@ -829,7 +829,7 @@ func TestConfigAgentQuit(t *testing.T) {
 				UseAutoAuthToken: "true",
 				Persist: &CachePersist{
 					Type: "kubernetes",
-					Path: "/vault/agent-cache",
+					Path: "/openbao/agent-cache",
 				},
 			},
 		},

agent-inject/agent/container_sidecar_test.go

@@ -1298,7 +1298,7 @@ func TestAgentJsonPatch(t *testing.T) {
 		VolumeMounts: []v1.VolumeMount{
 			{Name: "foobar", ReadOnly: true, MountPath: "serviceaccount/somewhere"},
 			{Name: "home-sidecar", MountPath: "/home/openbao"},
-			{Name: "openbao-secrets", MountPath: "/vault/secrets"},
+			{Name: "openbao-secrets", MountPath: "/openbao/secrets"},
 		},
 		Lifecycle: &v1.Lifecycle{
 			PreStop: &v1.LifecycleHandler{
@@ -1330,7 +1330,7 @@ func TestAgentJsonPatch(t *testing.T) {
 	baseInitContainer.VolumeMounts = []v1.VolumeMount{
 		{Name: "home-init", MountPath: "/home/openbao"},
 		{Name: "foobar", ReadOnly: true, MountPath: "serviceaccount/somewhere"},
-		{Name: "openbao-secrets", MountPath: "/vault/secrets"},
+		{Name: "openbao-secrets", MountPath: "/openbao/secrets"},
 	}
 	baseInitContainer.Lifecycle = nil
 

agent-inject/agent/container_volume.go

@@ -15,15 +15,15 @@ const (
 	tokenVolumeNameSidecar = "home-sidecar"
 	tokenVolumePath        = "/home/openbao"
 	configVolumeName       = "openbao-config"
-	configVolumePath       = "/vault/configs"
+	configVolumePath       = "/openbao/configs"
 	secretVolumeName       = "openbao-secrets"
 	tlsSecretVolumeName    = "openbao-tls-secrets"
-	tlsSecretVolumePath    = "/vault/tls"
-	secretVolumePath       = "/vault/secrets"
+	tlsSecretVolumePath    = "/openbao/tls"
+	secretVolumePath       = "/openbao/secrets"
 	extraSecretVolumeName  = "extra-secrets"
-	extraSecretVolumePath  = "/vault/custom"
+	extraSecretVolumePath  = "/openbao/custom"
 	cacheVolumeName        = "openbao-agent-cache"
-	cacheVolumePath        = "/vault/agent-cache"
+	cacheVolumePath        = "/openbao/agent-cache"
 )
 
 func (a *Agent) getUniqueMountPaths() []string {