add support for the VSO CSI driver (#1097)

.gitignore

@@ -44,3 +44,5 @@ bin/*
 *.png
 build
 .DS_Store
+
+.tmp*

Makefile

@@ -20,6 +20,7 @@ BUNDLE_DIR ?= $(OPERATOR_BUILD_DIR)/bundle
 CHART_ROOT ?= chart
 CHART_CRDS_DIR ?= $(CHART_ROOT)/crds
 
+VAULT_DOCS_VERSION ?= v1.20.x
 VAULT_IMAGE_TAG ?= latest
 VAULT_IMAGE_REPO ?=
 K8S_VAULT_NAMESPACE ?= vault
@@ -52,6 +53,7 @@ SKIP_CLEANUP ?=
 SKIP_AWS_TESTS ?= true
 SKIP_AWS_STATIC_CREDS_TEST ?= true
 SKIP_GCP_TESTS ?= true
+SKIP_HCPVSAPPS_TESTS ?= false
 
 # filter bats unit tests to run.
 BATS_TESTS_FILTER ?= .\*
@@ -661,7 +663,7 @@ clean:
 # Usage: make gen-helm-docs
 # If no options are given, helm.mdx from a local copy of the vault repository will be used.
 # Adapted from https://github.com/hashicorp/consul-k8s/tree/main/hack/helm-reference-gen
-VAULT_DOCS_PATH ?= ../vault/website/content/docs/platform/k8s/vso/helm.mdx
+VAULT_DOCS_PATH ?= ../web-unified-docs/content/vault/$(VAULT_DOCS_VERSION)/content/docs/deploy/kubernetes/vso/helm.mdx
 gen-helm-docs:
 	@cd hack/helm-reference-gen; go run ./... --vault=$(VAULT_DOCS_PATH)
 

api/v1beta1/csisecrets_types.go

@@ -0,0 +1,131 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CSISecretsSpec defines the desired state of CSISecrets. It contains the
+// configuration for the CSI driver to populate the secret data.
+type CSISecretsSpec struct {
+	// Namespace is the Vault namespace where the secret is located.
+	Namespace string `json:"namespace,omitempty"`
+	// AccessControl provides configuration for controlling access to the secret.
+	AccessControl AccessControl `json:"accessControl"`
+	// Secrets that will be synced with the CSI driver.
+	Secrets SecretCollection `json:"secrets"`
+	// SyncConfig provides configuration for syncing the secret data with the CSI driver.
+	SyncConfig CSISyncConfig `json:"syncConfig,omitempty"`
+	// VaultAuthRef is the reference to the VaultAuth resource.
+	VaultAuthRef *VaultAuthRef `json:"vaultAuthRef,omitempty"`
+}
+
+type SecretCollection struct {
+	// Transformation provides configuration for transforming the secret data before
+	// it is stored in the CSI volume.
+	Transformation *Transformation `json:"transformation,omitempty"`
+	// VaultAppRoleSecretIDs is a list of AppRole secret IDs to be used to populate the secret.
+	VaultAppRoleSecretIDs []VaultAppRoleSecretID `json:"vaultAppRoleSecretIDs,omitempty"`
+	// VaultStaticSecrets is a list of static secrets to be synced by the CSI driver.
+	VaultStaticSecrets []VaultStaticSecretCollectable `json:"vaultStaticSecrets,omitempty"`
+}
+
+// VaultAppRoleSecretID defines the AppRole secret ID to be used to populate the secret.
+type VaultAppRoleSecretID struct {
+	// Mount path to the AppRole auth engine.
+	Mount string `json:"mount"`
+	// Role is the name of the AppRole.
+	Role string `json:"role"`
+	// Metadata is the metadata to be associated with the secret ID. It is set on
+	// the token generated by the secret ID.
+	Metadata map[string]string `json:"metadata,omitempty"`
+	// CIDRList is the list of CIDR blocks that access the secret ID.
+	CIDRList []string `json:"cidrList,omitempty"`
+	// TokenBoundCIDRs is the list of CIDR blocks that can be used to authenticate
+	// using tokens generated by this secret ID.
+	TokenBoundCIDRs []string `json:"tokenBoundCIDRs,omitempty"`
+	// TTL is the TTL for the secret ID, after which it becomes invalid.
+	// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))$`
+	TTL string `json:"ttl,omitempty"`
+	// NumUses is the number of times the secret ID can be used.
+	NumUses int `json:"numUses,omitempty"`
+	// WrapTTL is the TTL for the wrapped secret ID.
+	// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))$`
+	WrapTTL string `json:"wrapTTL,omitempty"`
+	// SyncRoleID is the flag to fetch the role ID from the AppRole auth engine.
+	// Requires that the provisioning VaultAuth has the necessary permissions to fetch the role ID.
+	SyncRoleID *bool `json:"syncRoleID,omitempty"`
+	// Transformation provides configuration for transforming the secret data before
+	// it is stored in the CSI volume.
+	Transformation *Transformation `json:"transformation,omitempty"`
+}
+
+type CSISyncConfig struct {
+	// ContainerState is the state of the container that the CSI driver always sync
+	// on. This configuration is useful to sync when the last state of the container
+	// is in the terminated state and the restart count is greater than 0.
+	ContainerState *ContainerState `json:"containerState"`
+}
+
+type ContainerState struct {
+	// NamePattern of the container. Can be expressed as a regular expression.
+	NamePattern string `json:"namePattern,omitempty"`
+	// ImagePattern of the container. Can be expressed as a regular expression.
+	ImagePattern string `json:"imagePattern,omitempty"`
+}
+
+// AccessControl provides configuration for controlling access to the secret.
+// It allows specifying the namespaces, service account, pod names, and pod
+// labels that should be allowed to access the secret.
+type AccessControl struct {
+	// ServiceAccountPattern is the name of the service account that should be used to
+	// access the secret. It can be specified as a regex pattern.
+	// A valid service account is always required.
+	ServiceAccountPattern string `json:"serviceAccountPattern"`
+	// NamespacePatterns is a list of namespace name regex patterns that are allowed access.
+	NamespacePatterns []string `json:"namespacePatterns,omitempty"`
+	// PodNamePatterns is a list of pod name regex patterns that should be allowed access.
+	PodNamePatterns []string `json:"podNamePatterns,omitempty"`
+	// PodLabels is a map of pod label key-value pairs that should be allowed access.
+	PodLabels map[string]string `json:"podLabels,omitempty"`
+	// MatchPolicy is the policy to use when matching the access control rules. If
+	// set to "any", only one of the rules should match. If set to "all", all the
+	// rules should match.
+	//
+	// +kubebuilder:validation:Enum=any;all
+	// +kubebuilder:default=all
+	MatchPolicy string `json:"matchPolicy,omitempty"`
+}
+
+// CSISecretsStatus defines the observed state of CSISecrets
+type CSISecretsStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// CSISecrets is the Schema for the csisecrets API
+type CSISecrets struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   CSISecretsSpec   `json:"spec,omitempty"`
+	Status CSISecretsStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// CSISecretsList contains a list of CSISecrets
+type CSISecretsList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CSISecrets `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&CSISecrets{}, &CSISecretsList{})
+}

api/v1beta1/secrettransformation_types.go

@@ -28,18 +28,18 @@ type SecretTransformation struct {
 // SecretTransformationSpec defines the desired state of SecretTransformation
 type SecretTransformationSpec struct {
 	// Templates maps a template name to its Template. Templates are always included
-	// in the rendered K8s Secret with the specified key.
+	// in the rendered secret with the specified key.
 	Templates map[string]Template `json:"templates,omitempty"`
-	// SourceTemplates are never included in the rendered K8s Secret, they can be
+	// SourceTemplates are never included in the rendered secret, they can be
 	// used to provide common template definitions, etc.
 	SourceTemplates []SourceTemplate `json:"sourceTemplates,omitempty"`
 	// Includes contains regex patterns used to filter top-level source secret data
-	// fields for inclusion in the final K8s Secret data. These pattern filters are
+	// fields for inclusion in the final secret data. These pattern filters are
 	// never applied to templated fields as defined in Templates. They are always
 	// applied last.
 	Includes []string `json:"includes,omitempty"`
 	// Excludes contains regex patterns used to filter top-level source secret data
-	// fields for exclusion from the final K8s Secret data. These pattern filters are
+	// fields for exclusion from the final secret data. These pattern filters are
 	// never applied to templated fields as defined in Templates. They are always
 	// applied before any inclusion patterns. To exclude all source secret data
 	// fields, you can configure the single pattern ".*".

api/v1beta1/vaultauth_types.go

@@ -323,7 +323,7 @@ type VaultAuthGlobalRef struct {
 	Name string `json:"name,omitempty"`
 	// Namespace of the VaultAuthGlobal resource. If not provided, the namespace of
 	// the referring VaultAuth resource is used.
-	// +kubebuilder:validation:Pattern=`^([a-z0-9.-]{1,253})$`
+	// +kubebuilder:validation:Pattern=`^([a-z0-9-]{1,63})$`
 	Namespace string `json:"namespace,omitempty"`
 	// MergeStrategy configures the merge strategy for HTTP headers and parameters
 	// that are included in all Vault authentication requests.
@@ -456,6 +456,18 @@ type StorageEncryption struct {
 	KeyName string `json:"keyName"`
 }
 
+type VaultAuthRef struct {
+	// Name of the VaultAuth resource.
+	Name string `json:"name"`
+	// Namespace of the VaultAuth resource.
+	Namespace string `json:"namespace,omitempty"`
+	// TrustNamespace of the referring VaultAuth resource. This means that any Vault
+	// credentials will be provided by resources in the same namespace as the
+	// VaultAuth resource. Otherwise, the credentials will be provided by the secret
+	// resource's namespace.
+	TrustNamespace bool `json:"trustNamespace,omitempty"`
+}
+
 // +kubebuilder:object:root=true
 
 // VaultAuthList contains a list of VaultAuth

api/v1beta1/vaultstaticsecret_types.go

@@ -20,19 +20,6 @@ type VaultStaticSecretSpec struct {
 	// Namespace of the secrets engine mount in Vault. If not set, the namespace that's
 	// part of VaultAuth resource will be inferred.
 	Namespace string `json:"namespace,omitempty"`
-	// Mount for the secret in Vault
-	Mount string `json:"mount"`
-	// Path of the secret in Vault, corresponds to the `path` parameter for,
-	// kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret
-	// kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version
-	Path string `json:"path"`
-	// Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter:
-	// https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version
-	// +kubebuilder:validation:Minimum=0
-	Version int `json:"version,omitempty"`
-	// Type of the Vault static secret
-	// +kubebuilder:validation:Enum={kv-v1,kv-v2}
-	Type string `json:"type"`
 	// RefreshAfter a period of time, in duration notation e.g. 30s, 1m, 24h
 	// +kubebuilder:validation:Type=string
 	// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))$`
@@ -55,6 +42,31 @@ type VaultStaticSecretSpec struct {
 	Destination Destination `json:"destination"`
 	// SyncConfig configures sync behavior from Vault to VSO
 	SyncConfig *SyncConfig `json:"syncConfig,omitempty"`
+
+	VaultStaticSecretCommon `json:",inline"`
+}
+
+type VaultStaticSecretCommon struct {
+	// Mount for the secret in Vault
+	Mount string `json:"mount"`
+	// Path of the secret in Vault, corresponds to the `path` parameter for:
+	// kv-v1: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v1#read-secret
+	// kv-v2: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#read-secret-version
+	Path string `json:"path"`
+	// Version of the secret to fetch. Only valid for type kv-v2. Corresponds to version query parameter:
+	// https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#version
+	// +kubebuilder:validation:Minimum=0
+	Version int `json:"version,omitempty"`
+	// Type of the Vault static secret
+	// +kubebuilder:validation:Enum={kv-v1,kv-v2}
+	Type string `json:"type"`
+}
+
+type VaultStaticSecretCollectable struct {
+	VaultStaticSecretCommon `json:",inline"`
+	// Transformation provides configuration for transforming the secret data before
+	// it is stored in the CSI volume.
+	Transformation *Transformation `json:"transformation,omitempty"`
 }
 
 // SyncConfig configures sync behavior from Vault to VSO