Allow P2F custom templates via ConfigMap

[john-odonnell]

Desired Outcome

From ONYX-14093:

Currently custom templates must be provided through the conjur.org/secret-file-template.{secret-group} annotation. We would also like to be able to provide a template through a configmap such that the configmap is mounted as a volume and secrets-provider reads the template as a file from the file system.

The template file should be mounted to a hard-coded path, and must use the file name {secret-group}.tpl. Add documentation to PUSH_TO_FILE.md that describes this path.

Secrets Provider must be told to look for a mounted ConfigMap template. There are a couple of options here:

• adding a new annotation which indicates that a secret group is used a template mounted from a ConfigMap
• adding a new "template" file format enum for the conjur.org/secret-file-format.{secret-group} annotation
  Providing both the template filepath and annotation should result in a fatal error.

Implemented Changes

Behavioral Changes

If a secret group's output file format, specified with the annotation conjur.org/secret-file-format.{secret-group}, is set to template, then the function newSecretGroup will look for either an annotation- or ConfigMap-based template string.

The ConfigMap defining templates must be mounted to /conjur/templates, and the key for a given template value must be {secret-group}.tpl. At secret group creation, Secrets Provider will only attempt to read from this file. If the file does not exist, it is assumed that a template was not provided via ConfigMap.

If the annotation conjur.org/secret-file-format.{secret-group} is set to template, and templates are provided through BOTH the group's annotation and volume-mounted ConfigMap, secret group creation will receive a failing error.

If the annotation conjur.org/secret-file-format.{secret-group} is not set to template, Secrets Provider will never look for a template in either form. If a template is provided by either/both method(s), it will be ignored.

Explicit Changes

• Added template to conjur.org/secret-file-format.{secret-group} accepted values
• Added pkg/secrets/pushtofile/pull_from_reader.go, a counterpart to push_to_writer.go, to mock and dependency-inject reading content from the filesystem.
• In secret_group.go:
  • Separated func NewSecretGroups into itself and func newSecretGroupsWithDeps to dep-inject file reading operations
  • Added new functions collectTemplate and readTemplateFromFile
• Updated unit tests to reflect the above changes
• PUSH_TO_FILE.md updates

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue link: ONYX-14903

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[codeclimate]

Function newSecretGroup has 5 return statements (exceeds 4 allowed).

[codeclimate]

Function collectTemplate has 5 return statements (exceeds 4 allowed).

[diverdane]

Looks great!!! I'm thinking we should ignore the warnings about 5 returns in 2 functions. That seems too restrictive for Go.

I just have one question on whether UT covers custom template not being defined by either Annotation or ConfigMap.

[diverdane]

I see this UT test case for custom template being provided by both annotation and configmap.

Is there a corresponding UT test case for secret file format being template, but no custom template defined by either annotation or configmap?

[john-odonnell]

Just added a test case for the above context.

[codeclimate]

Code Climate has analyzed commit 4d0dcf8 and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Complexity	2

The test coverage on the diff in this pull request is 94.2% (50% is the threshold).

This pull request will bring the total coverage in the repository to 92.9% (0.1% change).

View more on Code Climate.

[diverdane]

LGTM!!! I don't know if there's a way to add a repository-specific CodeClimate config that would allow more then 4 returns for Golang functions. If not, I think we should just ignore the two instances of CodeClimate errors for 5 returns in a function.