Support all secret types

Makefile

@@ -69,12 +69,12 @@ e2e-setup: e2e-container
 		--namespace=csi \
 		--set linux.image.pullPolicy="IfNotPresent" \
 		--set grpcSupportedProviders="azure;gcp;vault"
-	helm install vault https://github.com/hashicorp/vault-helm/archive/v0.9.0.tar.gz \
+	helm install vault https://github.com/hashicorp/vault-helm/archive/v0.9.1.tar.gz \
 		--wait --timeout=5m \
 		--namespace=csi \
 		--set injector.enabled=false \
 		--set server.dev.enabled=true \
-		--set 'server.extraEnvironmentVars.VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200'
+		--set server.image.repository=hashicorp.jfrog.io/docker/vault
 	kubectl apply --namespace=csi -f test/bats/configs/secrets-store-csi-driver-provider-vault.yaml
 	kubectl wait --namespace=csi --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
 	kubectl wait --namespace=csi --for=condition=Ready --timeout=5m pod -l app=secrets-store-csi-driver-provider-vault

go.mod

@@ -5,7 +5,7 @@ go 1.12
 require (
 	github.com/hashicorp/go-hclog v0.8.0
 	github.com/hashicorp/vault/api v1.0.4
-	github.com/mitchellh/mapstructure v1.4.1
+	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.6.1

internal/config/config.go

@@ -55,9 +55,11 @@ func (c TLSConfig) CertificatesConfigured() bool {
 }
 
 type Secret struct {
-	ObjectName    string `yaml:"objectName"`
-	ObjectPath    string `yaml:"objectPath"`
-	ObjectVersion string `yaml:"objectVersion"`
+	ObjectName string                 `yaml:"objectName,omitempty"`
+	SecretPath string                 `yaml:"secretPath,omitempty"`
+	SecretKey  string                 `yaml:"secretKey,omitempty"`
+	Method     string                 `yaml:"method,omitempty"`
+	SecretArgs map[string]interface{} `yaml:"secretArgs,omitempty"`
 }
 
 func Parse(parametersStr, targetPath, permissionStr string) (Config, error) {
@@ -110,25 +112,10 @@ func parseParameters(parametersStr string) (Parameters, error) {
 	}
 
 	secretsYaml := params["objects"]
-	// TODO: There is an unnecessary map under objects, instead of just directly storing an array there.
-	// Deserialisation can be simplified a fair bit if we remove it.
-	secretsMap := map[string][]string{}
-	err = yaml.Unmarshal([]byte(secretsYaml), &secretsMap)
+	err = yaml.Unmarshal([]byte(secretsYaml), &parameters.Secrets)
 	if err != nil {
 		return Parameters{}, err
 	}
-	secrets, ok := secretsMap["array"]
-	if !ok {
-		return Parameters{}, errors.New("no secrets to read configured")
-	}
-	for _, s := range secrets {
-		var secret Secret
-		err = yaml.Unmarshal([]byte(s), &secret)
-		if err != nil {
-			return Parameters{}, err
-		}
-		parameters.Secrets = append(parameters.Secrets, secret)
-	}
 
 	// Set default values.
 	if parameters.VaultAddress == "" {

internal/config/config_test.go

@@ -3,18 +3,87 @@ package config
 import (
 	"encoding/json"
 	"io/ioutil"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v2"
 	"gotest.tools/assert"
 )
 
 const (
-	objects = "array:\n  - |\n    objectPath: \"v1/secret/foo1\"\n    objectName: \"bar1\"\n    objectVersion: \"\""
+	objects      = "-\n  secretPath: \"v1/secret/foo1\"\n  objectName: \"bar1\""
+	certsSPCYaml = `apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: vault-foo
+spec:
+  provider: vault
+  parameters:
+    objects: |
+      - objectName: "test-certs"
+        secretPath: "pki/issue/example-dot-com"
+        secretKey: "certificate"
+        secretArgs:
+          common_name: "test.example.com"
+          ip_sans: "127.0.0.1"
+          exclude_cn_from_sans: true
+        method: "PUT"
+      - objectName: "internal-certs"
+        secretPath: "pki/issue/example-dot-com"
+        secretArgs:
+          common_name: "internal.example.com"
+        method: "PUT"
+`
 )
 
+func TestParseParametersFromYaml(t *testing.T) {
+	// Test starts with a minimal simulation of the processing the driver does
+	// with each SecretProviderClass yaml.
+	var secretProviderClass struct {
+		Spec struct {
+			Parameters map[string]string `yaml:"parameters"`
+		} `yaml:"spec"`
+	}
+	err := yaml.Unmarshal([]byte(certsSPCYaml), &secretProviderClass)
+	require.NoError(t, err)
+	paramsBytes, err := json.Marshal(secretProviderClass.Spec.Parameters)
+
+	// This is now the form the provider receives the data in.
+	params, err := parseParameters(string(paramsBytes))
+	require.NoError(t, err)
+
+	assert.DeepEqual(t, Parameters{
+		VaultAddress:                 defaultVaultAddress,
+		KubernetesServiceAccountPath: defaultKubernetesServiceAccountPath,
+		VaultKubernetesMountPath:     defaultVaultKubernetesMountPath,
+		Secrets: []Secret{
+			{
+				ObjectName: "test-certs",
+				SecretPath: "pki/issue/example-dot-com",
+				SecretKey:  "certificate",
+				SecretArgs: map[string]interface{}{
+					"common_name":          "test.example.com",
+					"ip_sans":              "127.0.0.1",
+					"exclude_cn_from_sans": true,
+				},
+				Method: "PUT",
+			},
+			{
+				ObjectName: "internal-certs",
+				SecretPath: "pki/issue/example-dot-com",
+				SecretArgs: map[string]interface{}{
+					"common_name": "internal.example.com",
+				},
+				Method: "PUT",
+			},
+		},
+	}, params)
+}
+
 func TestParseParameters(t *testing.T) {
-	parametersStr, err := ioutil.ReadFile("testdata/example-parameters-string.txt")
+	// This file's contents are copied directly from a driver mount request.
+	parametersStr, err := ioutil.ReadFile(filepath.Join("testdata", "example-parameters-string.txt"))
 	require.NoError(t, err)
 	actual, err := parseParameters(string(parametersStr))
 	require.NoError(t, err)
@@ -25,8 +94,8 @@ func TestParseParameters(t *testing.T) {
 			VaultSkipTLSVerify: true,
 		},
 		Secrets: []Secret{
-			{"bar1", "v1/secret/foo1", ""},
-			{"bar2", "v1/secret/foo2", ""},
+			{"bar1", "v1/secret/foo1", "", "GET", nil},
+			{"bar2", "v1/secret/foo2", "", "", nil},
 		},
 		VaultKubernetesMountPath:     defaultVaultKubernetesMountPath,
 		KubernetesServiceAccountPath: defaultKubernetesServiceAccountPath,
@@ -64,7 +133,7 @@ func TestParseConfig(t *testing.T) {
 					expected.VaultRoleName = roleName
 					expected.TLSConfig.VaultSkipTLSVerify = true
 					expected.Secrets = []Secret{
-						{"bar1", "v1/secret/foo1", ""},
+						{"bar1", "v1/secret/foo1", "", "", nil},
 					}
 					return expected
 				}(),
@@ -92,7 +161,7 @@ func TestParseConfig(t *testing.T) {
 					expected.KubernetesServiceAccountPath = "my-account-path"
 					expected.TLSConfig.VaultSkipTLSVerify = true
 					expected.Secrets = []Secret{
-						{"bar1", "v1/secret/foo1", ""},
+						{"bar1", "v1/secret/foo1", "", "", nil},
 					}
 					return expected
 				}(),

internal/config/testdata/example-parameters-string.txt

@@ -1 +1,10 @@
-{"csi.storage.k8s.io/pod.name":"nginx-secrets-store-inline","csi.storage.k8s.io/pod.namespace":"test","csi.storage.k8s.io/pod.uid":"9aeb260f-d64a-426c-9872-95b6bab37e00","csi.storage.k8s.io/serviceAccount.name":"default","objects":"array:\n  - |\n    objectPath: \"v1/secret/foo1\"\n    objectName: \"bar1\"\n    objectVersion: \"\"\n  - |\n    objectPath: \"v1/secret/foo2\"\n    objectName: \"bar2\"\n    objectVersion: \"\"\n","roleName":"example-role","vaultAddress":"http://vault:8200","vaultSkipTLSVerify":"true"}
+{
+    "csi.storage.k8s.io/pod.name":"nginx-secrets-store-inline",
+    "csi.storage.k8s.io/pod.namespace":"test",
+    "csi.storage.k8s.io/pod.uid":"9aeb260f-d64a-426c-9872-95b6bab37e00",
+    "csi.storage.k8s.io/serviceAccount.name":"default",
+    "objects":"- secretPath: \"v1/secret/foo1\"\n  objectName: \"bar1\"\n  method: \"GET\"\n- secretPath: \"v1/secret/foo2\"\n  objectName: \"bar2\"",
+    "roleName":"example-role",
+    "vaultAddress":"http://vault:8200",
+    "vaultSkipTLSVerify":"true"
+}