VA: support default VaultAuthGlobal refs (#847)

Add support for inheriting from a default VaultAuthGlobal in the case where one is not explicitly set on the referring VaultAuth instance.

Author: benashz

api/v1beta1/vaultauth_types.go

@@ -320,14 +320,25 @@ func (a *VaultAuthConfigGCP) Validate() error {
 type VaultAuthGlobalRef struct {
 	// Name of the VaultAuthGlobal resource.
 	// +kubebuilder:validation:Pattern=`^([a-z0-9.-]{1,253})$`
-	Name string `json:"name"`
+	Name string `json:"name,omitempty"`
 	// Namespace of the VaultAuthGlobal resource. If not provided, the namespace of
 	// the referring VaultAuth resource is used.
 	// +kubebuilder:validation:Pattern=`^([a-z0-9.-]{1,253})$`
 	Namespace string `json:"namespace,omitempty"`
 	// MergeStrategy configures the merge strategy for HTTP headers and parameters
 	// that are included in all Vault authentication requests.
 	MergeStrategy *MergeStrategy `json:"mergeStrategy,omitempty"`
+	// AllowDefault when set to true will use the default VaultAuthGlobal resource
+	// as the default if Name is not set. The 'allow-default-globals' option must be
+	// set on the operator's '-global-vault-auth-options' flag
+	//
+	// The default VaultAuthGlobal search is conditional.
+	// When a ref Namespace is not set, the search follows the order:
+	//  1. The referring VaultAuth Namespace.
+	//  2. The Operator's namespace.
+	// Otherwise, the search follows the order:
+	//  1. The VaultAuthGlobal ref Namespace.
+	AllowDefault *bool `json:"allowDefault,omitempty"`
 }
 
 // MergeStrategy provides the configuration for merging HTTP headers and
@@ -423,8 +434,8 @@ type VaultAuthStatus struct {
 	SpecHash   string             `json:"specHash,omitempty"`
 }
 
-//+kubebuilder:object:root=true
-//+kubebuilder:subresource:status
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 
 // VaultAuth is the Schema for the vaultauths API
 type VaultAuth struct {
@@ -444,7 +455,7 @@ type StorageEncryption struct {
 	KeyName string `json:"keyName"`
 }
 
-//+kubebuilder:object:root=true
+// +kubebuilder:object:root=true
 
 // VaultAuthList contains a list of VaultAuth
 type VaultAuthList struct {

api/v1beta1/zz_generated.deepcopy.go

@@ -246,6 +246,20 @@ spec:
               vaultAuthGlobalRef:
                 description: VaultAuthGlobalRef.
                 properties:
+                  allowDefault:
+                    description: |-
+                      AllowDefault when set to true will use the default VaultAuthGlobal resource
+                      as the default if Name is not set. The 'allow-default-globals' option must be
+                      set on the operator's '-global-vault-auth-options' flag
+
+
+                      The default VaultAuthGlobal search is conditional.
+                      When a ref Namespace is not set, the search follows the order:
+                       1. The referring VaultAuth Namespace.
+                       2. The Operator's namespace.
+                      Otherwise, the search follows the order:
+                       1. The VaultAuthGlobal ref Namespace.
+                    type: boolean
                   mergeStrategy:
                     description: |-
                       MergeStrategy configures the merge strategy for HTTP headers and parameters
@@ -307,8 +321,6 @@ spec:
                       the referring VaultAuth resource is used.
                     pattern: ^([a-z0-9.-]{1,253})$
                     type: string
-                required:
-                - name
                 type: object
               vaultConnectionRef:
                 description: |-

chart/crds/secrets.hashicorp.com_vaultauths.yaml

@@ -164,7 +164,7 @@ imagePullSecrets:
 
 
 {{/*
-globalTransformationOptions configures the manager's --global-transformation-options
+globalTransformationOptions configures the manager's --global-transformation-options flag.
 */}}
 {{- define "vso.globalTransformationOptions" -}}
 {{- $opts := list -}}
@@ -176,6 +176,19 @@ globalTransformationOptions configures the manager's --global-transformation-opt
 {{- end -}}
 {{- end -}}
 
+{{/*
+globalVaultAuthOptions configures the manager's --global-vault-auth-options flag.
+*/}}
+{{- define "vso.globalVaultAuthOptions" -}}
+{{- $opts := list -}}
+{{- if .Values.controller.manager.globalVaultAuthOptions.allowDefaultGlobals }}
+{{- $opts = mustAppend $opts "allow-default-globals" -}}
+{{- end -}}
+{{- if $opts -}}
+{{- $opts | join "," -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 backoffOnSecretSourceError provides the backoff options for the manager when a
 secret source error occurs.

chart/templates/_helpers.tpl

@@ -78,9 +78,13 @@ spec:
         {{- if .Values.controller.manager.maxConcurrentReconciles }}
         - --max-concurrent-reconciles={{ .Values.controller.manager.maxConcurrentReconciles }}
         {{- end }}
-        {{- $opts := include "vso.globalTransformationOptions" . -}}
-        {{- if $opts }}
-        - --global-transformation-options={{ $opts }}
+        {{- $gTransOpts := include "vso.globalTransformationOptions" . -}}
+        {{- if $gTransOpts }}
+        - --global-transformation-options={{ $gTransOpts }}
+        {{- end }}
+        {{- $gVaultAuthOpts := include "vso.globalVaultAuthOptions" . -}}
+        {{- if $gVaultAuthOpts }}
+        - --global-vault-auth-options={{ $gVaultAuthOpts }}
         {{- end }}
         {{- with include "vso.backoffOnSecretSourceError" . }}
         {{- . -}}

chart/templates/deployment.yaml

@@ -192,6 +192,17 @@ controller:
       # in the destination K8s Secret.
       excludeRaw: false
 
+    # Global Vault auth options. In addition to the boolean options
+    # below, these options may be set via the
+    # `VSO_GLOBAL_VAULT_OPTION_OPTIONS` environment variable as a
+    # comma-separated list. Valid values are: `allow-default-globals`
+    globalVaultAuthOptions:
+      # allowDefaultGlobals directs the operator search for a "default"
+      # VaultAuthGlobal if none is specified on the referring VaultAuth CR.
+      # Default: true
+      # @type: boolean
+      allowDefaultGlobals: true
+
     # Backoff settings for the controller manager. These settings control the backoff behavior
     # when the controller encounters an error while fetching secrets from the SecretSource.
     # For example given the following settings:

chart/values.yaml

@@ -246,6 +246,20 @@ spec:
               vaultAuthGlobalRef:
                 description: VaultAuthGlobalRef.
                 properties:
+                  allowDefault:
+                    description: |-
+                      AllowDefault when set to true will use the default VaultAuthGlobal resource
+                      as the default if Name is not set. The 'allow-default-globals' option must be
+                      set on the operator's '-global-vault-auth-options' flag
+
+
+                      The default VaultAuthGlobal search is conditional.
+                      When a ref Namespace is not set, the search follows the order:
+                       1. The referring VaultAuth Namespace.
+                       2. The Operator's namespace.
+                      Otherwise, the search follows the order:
+                       1. The VaultAuthGlobal ref Namespace.
+                    type: boolean
                   mergeStrategy:
                     description: |-
                       MergeStrategy configures the merge strategy for HTTP headers and parameters
@@ -307,8 +321,6 @@ spec:
                       the referring VaultAuth resource is used.
                     pattern: ^([a-z0-9.-]{1,253})$
                     type: string
-                required:
-                - name
                 type: object
               vaultConnectionRef:
                 description: |-

config/crd/bases/secrets.hashicorp.com_vaultauths.yaml

@@ -47,26 +47,26 @@ var userAgent = fmt.Sprintf("vso/%s", version.Version().String())
 // HCPVaultSecretsAppReconciler reconciles a HCPVaultSecretsApp object
 type HCPVaultSecretsAppReconciler struct {
 	client.Client
-	Scheme                     *runtime.Scheme
-	Recorder                   record.EventRecorder
-	SecretDataBuilder          *helpers.SecretDataBuilder
-	HMACValidator              helpers.HMACValidator
-	MinRefreshAfter            time.Duration
-	referenceCache             ResourceReferenceCache
-	GlobalTransformationOption *helpers.GlobalTransformationOption
-	BackOffRegistry            *BackOffRegistry
+	Scheme                      *runtime.Scheme
+	Recorder                    record.EventRecorder
+	SecretDataBuilder           *helpers.SecretDataBuilder
+	HMACValidator               helpers.HMACValidator
+	MinRefreshAfter             time.Duration
+	referenceCache              ResourceReferenceCache
+	GlobalTransformationOptions *helpers.GlobalTransformationOptions
+	BackOffRegistry             *BackOffRegistry
 }
 
-//+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+// +kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=secrets.hashicorp.com,resources=hcpvaultsecretsapps/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 //
 // required for rollout-restart
-//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;patch
-//+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;patch
-//+kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;patch
-//+kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;patch
+// +kubebuilder:rbac:groups=argoproj.io,resources=rollouts,verbs=get;list;watch;patch
 //
 
 // Reconcile a secretsv1beta1.HCPVaultSecretsApp Custom Resource instance. Each
@@ -104,7 +104,7 @@ func (r *HCPVaultSecretsAppReconciler) Reconcile(ctx context.Context, req ctrl.R
 		}
 	}
 
-	transOption, err := helpers.NewSecretTransformationOption(ctx, r.Client, o, r.GlobalTransformationOption)
+	transOption, err := helpers.NewSecretTransformationOption(ctx, r.Client, o, r.GlobalTransformationOptions)
 	if err != nil {
 		r.Recorder.Eventf(o, corev1.EventTypeWarning, consts.ReasonTransformationError,
 			"Failed setting up SecretTransformationOption: %s", err)

controllers/hcpvaultsecretsapp_controller.go

@@ -38,17 +38,19 @@ type VaultAuthReconciler struct {
 	Recorder       record.EventRecorder
 	ClientFactory  vault.CachingClientFactory
 	referenceCache ResourceReferenceCache
+	// GlobalVaultAuthOptions is a struct that contains global VaultAuth options.
+	GlobalVaultAuthOptions *common.GlobalVaultAuthOptions
 }
 
-//+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=vaultauths,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=vaultauths/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=secrets.hashicorp.com,resources=vaultauths/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch
-//+kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=get;list;create;watch
-//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
+// +kubebuilder:rbac:groups=secrets.hashicorp.com,resources=vaultauths,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=secrets.hashicorp.com,resources=vaultauths/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=secrets.hashicorp.com,resources=vaultauths/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=get;list;create;watch
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 // needed for managing cached Clients, duplicated in vaultconnection_controller.go
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;delete;update;patch;deletecollection
-//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;delete;update;patch;deletecollection
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
 
 // Reconcile reconciles the secretsv1beta1.VaultAuth resource.
 // Each reconciliation will validate the resource's configuration
@@ -79,11 +81,6 @@ func (r *VaultAuthReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 
 	var conditions []metav1.Condition
 	if o.Spec.VaultAuthGlobalRef != nil {
-		globalRef, err := common.VaultAuthGlobalResourceRef(o)
-		r.referenceCache.Set(
-			VaultAuthGlobal, req.NamespacedName,
-			globalRef)
-
 		condition := metav1.Condition{
 			Type:               "VaultAuthGlobalRef",
 			Status:             "True",
@@ -92,7 +89,7 @@ func (r *VaultAuthReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			Reason:             "VaultAuthGlobalRef",
 		}
 
-		mObj, gObj, err := common.MergeInVaultAuthGlobal(ctx, r.Client, o)
+		mObj, gObj, err := common.MergeInVaultAuthGlobal(ctx, r.Client, o, r.GlobalVaultAuthOptions)
 		if err != nil {
 			condition.Message = err.Error()
 			condition.Status = "False"

controllers/vaultauth_controller.go

@@ -55,14 +55,14 @@ var _ reconcile.Reconciler = &VaultDynamicSecretReconciler{}
 // VaultDynamicSecretReconciler reconciles a VaultDynamicSecret object
 type VaultDynamicSecretReconciler struct {
 	client.Client
-	Scheme                     *runtime.Scheme
-	Recorder                   record.EventRecorder
-	ClientFactory              vault.ClientFactory
-	HMACValidator              helpers.HMACValidator
-	SyncRegistry               *SyncRegistry
-	BackOffRegistry            *BackOffRegistry
-	referenceCache             ResourceReferenceCache
-	GlobalTransformationOption *helpers.GlobalTransformationOption
+	Scheme                      *runtime.Scheme
+	Recorder                    record.EventRecorder
+	ClientFactory               vault.ClientFactory
+	HMACValidator               helpers.HMACValidator
+	SyncRegistry                *SyncRegistry
+	BackOffRegistry             *BackOffRegistry
+	referenceCache              ResourceReferenceCache
+	GlobalTransformationOptions *helpers.GlobalTransformationOptions
 	// sourceCh is used to trigger a requeue of resource instances from an
 	// external source. Should be set on a source.Channel in SetupWithManager.
 	// This channel should be closed when the controller is stopped.
@@ -263,7 +263,7 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 		reason = consts.ReasonSecretRotated
 	}
 
-	transOption, err := helpers.NewSecretTransformationOption(ctx, r.Client, o, r.GlobalTransformationOption)
+	transOption, err := helpers.NewSecretTransformationOption(ctx, r.Client, o, r.GlobalTransformationOptions)
 	if err != nil {
 		r.Recorder.Eventf(o, corev1.EventTypeWarning, consts.ReasonTransformationError,
 			"Failed setting up SecretTransformationOption: %s", err)