From 992b0f8888cf0199e6c84cb112cf5e13ab1c2750 Mon Sep 17 00:00:00 2001 From: Michael Burman Date: Fri, 1 Jul 2022 21:32:26 +0300 Subject: [PATCH] Mount a secret for user job --- pkg/reconciliation/reconcile_racks.go | 24 +++++++++++++++--------- tests/external_secret/README.md | 17 +++++++++-------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/pkg/reconciliation/reconcile_racks.go b/pkg/reconciliation/reconcile_racks.go index e27d81b0..1b4a997b 100644 --- a/pkg/reconciliation/reconcile_racks.go +++ b/pkg/reconciliation/reconcile_racks.go @@ -911,7 +911,7 @@ func (rc *ReconciliationContext) CreateUsers() result.ReconcileResult { // filePath := "/vault/secrets/database-config.txt" // We want to mount it as a directory and read the files as usernames - if dc.Spec.UserInfo.CSI != nil && filePath != "" { + if dc.Spec.UserInfo.CSI != nil || dc.Spec.UserInfo.SecretName != "" { filePath = "/mnt/secrets/users" } @@ -951,18 +951,24 @@ func (rc *ReconciliationContext) CreateUsers() result.ReconcileResult { // TODO If Secret name is set, mount it just like the CSI - if dc.Spec.UserInfo.SecretName != "" { - - } - - if dc.Spec.UserInfo.CSI != nil { + if dc.Spec.UserInfo.SecretName != "" || dc.Spec.UserInfo.CSI != nil { vol := corev1.Volume{ Name: "user-source", - VolumeSource: corev1.VolumeSource{ - // TODO Add .. something? + } + if dc.Spec.UserInfo.SecretName != "" { + vol.VolumeSource = corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: dc.Spec.UserInfo.SecretName, + }, + } + } + + if dc.Spec.UserInfo.CSI != nil { + vol.VolumeSource = corev1.VolumeSource{ CSI: dc.Spec.UserInfo.CSI, - }, + } } + job.Spec.Template.Spec.Volumes = []corev1.Volume{vol} job.Spec.Template.Spec.Containers[0].VolumeMounts = []corev1.VolumeMount{ { diff --git a/tests/external_secret/README.md b/tests/external_secret/README.md index acc04a68..cfd942e6 100644 --- a/tests/external_secret/README.md +++ b/tests/external_secret/README.md 
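Review bot: In the -951 hunk the new Secret branch mounts `dc.Spec.UserInfo.SecretName` with the Kubernetes default file mode (0644, readable by any process in the container), and when both `SecretName` and `CSI` are set the CSI assignment that follows silently overwrites the Secret volume source with no error or log line. Since the mounted files are the credentials the job creates users from, I would tighten the mode, e.g. `mode := int32(0400)` and `DefaultMode: &mode` on the `SecretVolumeSource` (checking that the job container's runAsUser/fsGroup can still read it), and either reject both fields being set or state the precedence in a comment such as `// CSI takes precedence over SecretName when both are set`. The `VolumeMount` for `user-source` begins on the hunk's last line and continues outside it, so I cannot confirm it sets `ReadOnly: true`; it should. The context comment `// TODO If Secret name is set, mount it just like the CSI` is implemented by this commit and can be dropped.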
@@ -20,7 +20,7 @@ kubectl exec -it vault-0 -- /bin/sh vault secrets enable -path=internal kv-v2 -vault kv put internal/database/config superuser="superpassword" +vault kv put internal/database/config username="superuser" password="superpassword" vault auth enable kubernetes @@ -42,11 +42,11 @@ vault write auth/kubernetes/role/internal-app \ ## Install CSI driver: -Not sure if syncSecret is needed, but Vault documentation wants it.. +Remember to enable CSI in the Install Vault step. ``` -helm install csi secrets-store-csi-driver/secrets-store-csi-driver \ - --set syncSecret.enabled=true --namespace cass-operator +helm install csi secrets-store-csi-driver/secrets-store-csi-driver --namespace cass-operator +# --set syncSecret.enabled=true ``` Create the SecretProviderClass: @@ -62,13 +62,14 @@ spec: vaultAddress: "http://vault.default:8200" roleName: "internal-app" objects: | - - objectName: "superuser" + - objectName: "username" secretPath: "internal/database/config" - secretKey: "superuser" + secretKey: "username" + - objectName: "password" + secretPath: "internal/database/config" + secretKey: "password" ``` -The objectName becomes the username and the secretKey's data becomes the password. - ## Now create the DC: ```