kms: support key rotation for vault

Signed-off-by: Praveen M <[email protected]>
noobaa · Oct 6, 2024 · 372422e · 372422e
1 parent d509538
commit 372422e
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/pkg/util/kms/kms_vault.go b/pkg/util/kms/kms_vault.go
@@ -24,7 +24,9 @@ const (
 
 // Vault is a vault driver
 type Vault struct {
-	UID string // NooBaa system UID
+	UID  string // NooBaa system UID
+	name string // NooBaa system name
+	ns   string // NooBaa system namespace
 }
 
 // NewVault is vault driver constructor
@@ -33,7 +35,7 @@ func NewVault(
 	namespace string,
 	uid string,
 ) Driver {
-	return &Vault{uid}
+	return &Vault{uid, name, namespace}
 }
 
 //
@@ -179,8 +181,8 @@ func writeCrtsToFile(secretName string, namespace string, secretValue []byte, en
 
 // Version returns the current driver KMS version
 // either single string or map, i.e. rotating key
-func (*Vault) Version(kms *KMS) Version {
-	return &VersionSingleSecret{kms, nil}
+func (k *Vault) Version(kms *KMS) Version {
+	return &VersionRotatingSecret{VersionBase{kms, nil}, k.name, k.ns}
 }
 
 // Register Vault driver with KMS layer

diff --git a/pkg/util/kms/kms_version.go b/pkg/util/kms/kms_version.go
@@ -102,7 +102,7 @@ func (v *VersionRotatingSecret) Reconcile(r SecretReconciler) error {
 
 // Get implements SecretStorage interface for the secret map, i.e. rotating master root key
 func (v *VersionRotatingSecret) Get() error {
-	s, _, err := v.k.GetSecret(v.backendSecretName(), v.k.driver.GetContext())
+	s, _, err := v.k.GetSecret(v.BackendSecretName(), v.k.driver.GetContext())
 	if err != nil {
 		// handle k8s get from non-existent secret
 		if strings.Contains(err.Error(), "not found") {
@@ -120,8 +120,8 @@ func (v *VersionRotatingSecret) Get() error {
 	return nil
 }
 
-// backendSecretName returns the rotating secret backend secret name
-func (v *VersionRotatingSecret) backendSecretName() string {
+// BackendSecretName returns the rotating secret backend secret name
+func (v *VersionRotatingSecret) BackendSecretName() string {
 	return v.name + "-root-master-key-backend"
 }
 
@@ -137,7 +137,7 @@ func (v *VersionRotatingSecret) Set(val string) error {
 	s[ActiveRootKey] = key
 	s[key] = val
 	v.data = s
-	_, err := v.k.PutSecret(v.backendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
+	_, err := v.k.PutSecret(v.BackendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
 	return err
 }
 
@@ -154,11 +154,15 @@ func (v *VersionRotatingSecret) deleteSingleStringSecret() bool {
 func (v *VersionRotatingSecret) Delete() error {
 	// Delete rotating secret backend
 	backendSecret := &corev1.Secret{}
-	backendSecret.Name = v.backendSecretName()
+	backendSecret.Name = v.BackendSecretName()
 	backendSecret.Namespace = v.ns
 	if !util.KubeDelete(backendSecret) {
 		return fmt.Errorf("KMS Delete error for the rotating master root secret backend")
+	}
 
+	err := v.k.DeleteSecret(v.BackendSecretName(), v.k.driver.DeleteContext())
+	if err != nil {
+		return err
 	}
 
 	return nil

diff --git a/pkg/util/kms/test/dev/kms_dev_test.go b/pkg/util/kms/test/dev/kms_dev_test.go
@@ -41,7 +41,7 @@ func simpleKmsSpec(token, apiAddress string) nbv1.KeyManagementServiceSpec {
 func checkExternalSecret(noobaa *nbv1.NooBaa, expectedNil bool) {
 	k := noobaa.Spec.Security.KeyManagementService
 	uid := string(noobaa.UID)
-	driver := &kms.Vault{uid}
+	driver := kms.NewVault(noobaa.Name, noobaa.Namespace, uid)
 	path := k.ConnectionDetails[vault.VaultBackendPathKey] + driver.Path()
 	cmd := exec.Command("kubectl", "exec", "vault-0", "--", "vault", "kv", "get", path)
 	logger.Printf("Running command: path %v args %v ", cmd.Path, cmd.Args)