Skip to content
This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

Commit

Permalink
Implement ability to specify additional/override annotations when usi…
Browse files Browse the repository at this point in the history
…ng Vault Secret Manager (#556)

* Implement ability to specify additional annotations when using Vault secret manager

Signed-off-by: Pradithya Aria <[email protected]>

* Infer GOOS and GOARCH from environment (#552)

Signed-off-by: Jeev B <[email protected]>
Signed-off-by: Pradithya Aria <[email protected]>

* fix makefile to read variables from environment and overrides (#554)

Signed-off-by: Jeev B <[email protected]>
Signed-off-by: Pradithya Aria <[email protected]>

* Remove BarrierTick (#545)

* removed barrier logic

Signed-off-by: Daniel Rammer <[email protected]>

* deprecated TransitionTypeBarrier

Signed-off-by: Daniel Rammer <[email protected]>

* removed barrier tests

Signed-off-by: Daniel Rammer <[email protected]>

* bumping flyteplugins

Signed-off-by: Daniel Rammer <[email protected]>

---------

Signed-off-by: Daniel Rammer <[email protected]>
Signed-off-by: Pradithya Aria <[email protected]>

* Check for TerminateExecution error and eat Precondition status (#553)

* Check for TerminateExecution error and eat Precondition status

Signed-off-by: Haytham Abuelfutuh <[email protected]>

* lint

Signed-off-by: Haytham Abuelfutuh <[email protected]>

---------

Signed-off-by: Haytham Abuelfutuh <[email protected]>
Signed-off-by: Pradithya Aria <[email protected]>

* Rename to annotation

Signed-off-by: Pradithya Aria <[email protected]>

* Inline merging annotations

Signed-off-by: Pradithya Aria <[email protected]>

---------

Signed-off-by: Pradithya Aria <[email protected]>
Signed-off-by: Jeev B <[email protected]>
Signed-off-by: Daniel Rammer <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]>
Co-authored-by: Jeev B <[email protected]>
Co-authored-by: Dan Rammer <[email protected]>
Co-authored-by: Haytham Abuelfutuh <[email protected]>
  • Loading branch information
4 people authored Apr 19, 2023
1 parent e4ca252 commit 972c0d6
Show file tree
Hide file tree
Showing 3 changed files with 103 additions and 9 deletions.
5 changes: 3 additions & 2 deletions pkg/webhook/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,8 +113,9 @@ type GCPSecretManagerConfig struct {
}

type VaultSecretManagerConfig struct {
Role string `json:"role" pflag:",Specifies the vault role to use"`
KVVersion KVVersion `json:"kvVersion" pflag:"-,The KV Engine Version. Defaults to 2. Use 1 for unversioned secrets. Refer to - https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine."`
Role string `json:"role" pflag:",Specifies the vault role to use"`
KVVersion KVVersion `json:"kvVersion" pflag:"-,The KV Engine Version. Defaults to 2. Use 1 for unversioned secrets. Refer to - https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine."`
Annotations map[string]string `json:"annotations" pflag:"-,Annotation to be added to user task pod. The annotation can also be used to override default annotations added by Flyte. Useful to customize Vault integration (https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations)"`
}

func GetConfig() *Config {
Expand Down
3 changes: 1 addition & 2 deletions pkg/webhook/vault_secret_manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,8 +74,7 @@ func (i VaultSecretManagerInjector) Inject(ctx context.Context, secret *coreIdl.
return p, false, err
}

p.ObjectMeta.Annotations = utils.UnionMaps(p.ObjectMeta.Annotations, commonVaultAnnotations)
p.ObjectMeta.Annotations = utils.UnionMaps(p.ObjectMeta.Annotations, secretVaultAnnotations)
p.ObjectMeta.Annotations = utils.UnionMaps(secretVaultAnnotations, commonVaultAnnotations, i.cfg.Annotations, p.ObjectMeta.Annotations)

case coreIdl.Secret_ENV_VAR:
return p, false, fmt.Errorf("Env_Var is not a supported mount requirement for Vault Secret Manager")
Expand Down
104 changes: 99 additions & 5 deletions pkg/webhook/vault_secret_manager_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,11 +82,69 @@ func ExpectedKVv2(uuid string) *corev1.Pod {
return expected
}

func NewInputPod() *corev1.Pod {
func ExpectedKVv3(uuid string) *corev1.Pod {
// Injects uuid into expected output for KV v2 secrets
expected := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
"vault.hashicorp.com/agent-inject": "true",
"vault.hashicorp.com/secret-volume-path": "/etc/flyte/secrets",
"vault.hashicorp.com/role": "flyte",
"vault.hashicorp.com/agent-pre-populate-only": "true",
fmt.Sprintf("vault.hashicorp.com/agent-inject-secret-%s", uuid): "foo",
fmt.Sprintf("vault.hashicorp.com/agent-inject-file-%s", uuid): "foo/bar",
fmt.Sprintf("vault.hashicorp.com/agent-inject-template-%s", uuid): `{{- with secret "foo" -}}{{ .Data.data.bar }}{{- end -}}`,
"vault.hashicorp.com/auth-config-type": "gce",
},
},
Spec: PodSpec,
}
return expected
}

func ExpectedKVv4(uuid string) *corev1.Pod {
// Injects uuid into expected output for KV v2 secrets
expected := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
"vault.hashicorp.com/agent-inject": "true",
"vault.hashicorp.com/secret-volume-path": "/etc/flyte/secrets",
"vault.hashicorp.com/role": "my-role",
"vault.hashicorp.com/agent-pre-populate-only": "true",
fmt.Sprintf("vault.hashicorp.com/agent-inject-secret-%s", uuid): "foo",
fmt.Sprintf("vault.hashicorp.com/agent-inject-file-%s", uuid): "foo/bar",
fmt.Sprintf("vault.hashicorp.com/agent-inject-template-%s", uuid): `{{- with secret "foo" -}}{{ .Data.data.bar }}{{- end -}}`,
},
},
Spec: PodSpec,
}
return expected
}

func ExpectedKVv5(uuid string) *corev1.Pod {
// Injects uuid into expected output for KV v2 secrets
expected := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
"vault.hashicorp.com/agent-inject": "true",
"vault.hashicorp.com/secret-volume-path": "/etc/flyte/secrets",
"vault.hashicorp.com/role": "flyte",
"vault.hashicorp.com/agent-pre-populate-only": "false",
fmt.Sprintf("vault.hashicorp.com/agent-inject-secret-%s", uuid): "foo",
fmt.Sprintf("vault.hashicorp.com/agent-inject-file-%s", uuid): "foo/bar",
fmt.Sprintf("vault.hashicorp.com/agent-inject-template-%s", uuid): `{{- with secret "foo" -}}{{ .Data.data.bar }}{{- end -}}`,
},
},
Spec: PodSpec,
}
return expected
}

func NewInputPod(annotations map[string]string) *corev1.Pod {
// Need to create a new Pod for every test since annotations are otherwise appended to original reference object
p := &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{},
Annotations: annotations,
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{
Expand Down Expand Up @@ -122,7 +180,7 @@ func TestVaultSecretManagerInjector_Inject(t *testing.T) {
args: args{
cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: config.KVVersion1},
secret: inputSecret,
p: NewInputPod(),
p: NewInputPod(map[string]string{}),
},
want: ExpectedKVv1,
wantErr: false,
Expand All @@ -132,17 +190,53 @@ func TestVaultSecretManagerInjector_Inject(t *testing.T) {
args: args{
cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: config.KVVersion2},
secret: inputSecret,
p: NewInputPod(),
p: NewInputPod(map[string]string{}),
},
want: ExpectedKVv2,
wantErr: false,
},
{
name: "KVv3 Secret - extra annotations",
args: args{
cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: config.KVVersion2, Annotations: map[string]string{
"vault.hashicorp.com/auth-config-type": "gce",
}},
secret: inputSecret,
p: NewInputPod(map[string]string{}),
},
want: ExpectedKVv3,
wantErr: false,
},
{
name: "KVv4 Secret - user override annotation",
args: args{
cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: config.KVVersion2, Annotations: map[string]string{}},
secret: inputSecret,
p: NewInputPod(map[string]string{
"vault.hashicorp.com/role": "my-role",
}),
},
want: ExpectedKVv4,
wantErr: false,
},
{
name: "KVv5 Secret - system override annotation",
args: args{
cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: config.KVVersion2, Annotations: map[string]string{
"vault.hashicorp.com/agent-pre-populate-only": "false", // override vault.hashicorp.com/agent-pre-populate-only
}},
secret: inputSecret,
p: NewInputPod(map[string]string{}),
},
want: ExpectedKVv5,
wantErr: false,
},
{
name: "Unsupported KV version",
args: args{
cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: 3},
secret: inputSecret,
p: NewInputPod(),
p: NewInputPod(map[string]string{}),
},
want: nil,
wantErr: true,
Expand Down

0 comments on commit 972c0d6

Please sign in to comment.