Mount a secret for user job
burmanm committed Jan 16, 2023
1 parent 22d1093 commit 992b0f8
Showing 2 changed files with 24 additions and 17 deletions.
24 changes: 15 additions & 9 deletions pkg/reconciliation/reconcile_racks.go
Expand Up @@ -911,7 +911,7 @@ func (rc *ReconciliationContext) CreateUsers() result.ReconcileResult {
// filePath := "/vault/secrets/database-config.txt"

// We want to mount it as a directory and read the files as usernames
if dc.Spec.UserInfo.CSI != nil && filePath != "" {
if dc.Spec.UserInfo.CSI != nil || dc.Spec.UserInfo.SecretName != "" {
filePath = "/mnt/secrets/users"
}

Expand Down Expand Up @@ -951,18 +951,24 @@ func (rc *ReconciliationContext) CreateUsers() result.ReconcileResult {

// TODO If Secret name is set, mount it just like the CSI

if dc.Spec.UserInfo.SecretName != "" {

}

if dc.Spec.UserInfo.CSI != nil {
if dc.Spec.UserInfo.SecretName != "" || dc.Spec.UserInfo.CSI != nil {
vol := corev1.Volume{
Name: "user-source",
VolumeSource: corev1.VolumeSource{
// TODO Add .. something?
}
if dc.Spec.UserInfo.SecretName != "" {
vol.VolumeSource = corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: dc.Spec.UserInfo.SecretName,
},
}
}

if dc.Spec.UserInfo.CSI != nil {
vol.VolumeSource = corev1.VolumeSource{
CSI: dc.Spec.UserInfo.CSI,
},
}
}

job.Spec.Template.Spec.Volumes = []corev1.Volume{vol}
job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{
{
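Review bot: In the second hunk, when both `dc.Spec.UserInfo.SecretName` and `dc.Spec.UserInfo.CSI` are set, the second `if` silently overwrites the Secret-backed `vol.VolumeSource` with the CSI one, so which credential source the user job reads from is decided by statement order and is never surfaced or rejected. Making the precedence explicit, `} else if dc.Spec.UserInfo.CSI != nil {` with the comment `// Exactly one source is mounted; CSI takes precedence when both are configured.`, documents the rule in code, and if the spec is validated elsewhere (not visible here) the combination could be refused there instead. The `VolumeMount` literal that follows is cut off at the hunk edge; since both a Secret volume and a Secrets Store CSI volume are meant to be consumed read-only, it is worth confirming the mount carries `ReadOnly: true`. `CreateUsers` begins and ends outside the hunk.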
17 changes: 9 additions & 8 deletions tests/external_secret/README.md
Expand Up @@ -20,7 +20,7 @@ kubectl exec -it vault-0 -- /bin/sh
vault secrets enable -path=internal kv-v2
vault kv put internal/database/config superuser="superpassword"
vault kv put internal/database/config username="superuser" password="superpassword"
vault auth enable kubernetes
Expand All @@ -42,11 +42,11 @@ vault write auth/kubernetes/role/internal-app \

## Install CSI driver:

Not sure if syncSecret is needed, but Vault documentation wants it..
Remember to enable CSI in the Install Vault step.

```
helm install csi secrets-store-csi-driver/secrets-store-csi-driver \
--set syncSecret.enabled=true --namespace cass-operator
helm install csi secrets-store-csi-driver/secrets-store-csi-driver --namespace cass-operator
# --set syncSecret.enabled=true
```

Create the SecretProviderClass:
Expand All @@ -62,13 +62,14 @@ spec:
vaultAddress: "http://vault.default:8200"
roleName: "internal-app"
objects: |
- objectName: "superuser"
- objectName: "username"
secretPath: "internal/database/config"
secretKey: "superuser"
secretKey: "username"
- objectName: "password"
secretPath: "internal/database/config"
secretKey: "password"
```
The objectName becomes the username and the secretKey's data becomes the password.
## Now create the DC:
```
