diff --git a/pkg/reconciliation/reconcile_racks.go b/pkg/reconciliation/reconcile_racks.go index e27d81b0..1b4a997b 100644 --- a/pkg/reconciliation/reconcile_racks.go +++ b/pkg/reconciliation/reconcile_racks.go @@ -911,7 +911,7 @@ func (rc *ReconciliationContext) CreateUsers() result.ReconcileResult { // filePath := "/vault/secrets/database-config.txt" // We want to mount it as a directory and read the files as usernames - if dc.Spec.UserInfo.CSI != nil && filePath != "" { + if dc.Spec.UserInfo.CSI != nil || dc.Spec.UserInfo.SecretName != "" { filePath = "/mnt/secrets/users" } @@ -951,18 +951,24 @@ func (rc *ReconciliationContext) CreateUsers() result.ReconcileResult { // TODO If Secret name is set, mount it just like the CSI - if dc.Spec.UserInfo.SecretName != "" { - - } - - if dc.Spec.UserInfo.CSI != nil { + if dc.Spec.UserInfo.SecretName != "" || dc.Spec.UserInfo.CSI != nil { vol := corev1.Volume{ Name: "user-source", - VolumeSource: corev1.VolumeSource{ - // TODO Add .. something? + } + if dc.Spec.UserInfo.SecretName != "" { + vol.VolumeSource = corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: dc.Spec.UserInfo.SecretName, + }, + } + } + + if dc.Spec.UserInfo.CSI != nil { + vol.VolumeSource = corev1.VolumeSource{ CSI: dc.Spec.UserInfo.CSI, - }, + } } + job.Spec.Template.Spec.Volumes = []corev1.Volume{vol} job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{ { diff --git a/tests/external_secret/README.md b/tests/external_secret/README.md index acc04a68..cfd942e6 100644 --- a/tests/external_secret/README.md +++ b/tests/external_secret/README.md @@ -20,7 +20,7 @@ kubectl exec -it vault-0 -- /bin/sh vault secrets enable -path=internal kv-v2 -vault kv put internal/database/config superuser="superpassword" +vault kv put internal/database/config username="superuser" password="superpassword" vault auth enable kubernetes @@ -42,11 +42,11 @@ vault write auth/kubernetes/role/internal-app \ ## Install CSI driver: -Not sure if syncSecret is needed, but Vault documentation wants it.. +Remember to enable CSI in the Install Vault step. ``` -helm install csi secrets-store-csi-driver/secrets-store-csi-driver \ - --set syncSecret.enabled=true --namespace cass-operator +helm install csi secrets-store-csi-driver/secrets-store-csi-driver --namespace cass-operator +# --set syncSecret.enabled=true ``` Create the SecretProviderClass: @@ -62,13 +62,14 @@ spec: vaultAddress: "http://vault.default:8200" roleName: "internal-app" objects: | - - objectName: "superuser" + - objectName: "username" secretPath: "internal/database/config" - secretKey: "superuser" + secretKey: "username" + - objectName: "password" + secretPath: "internal/database/config" + secretKey: "password" ``` -The objectName becomes the username and the secretKey's data becomes the password. - ## Now create the DC: ```