Update Vault login to use env vars instead of cluster spec annotations

* Vault login namespace now found from OPERATOR_VAULT_NAMESPACE env var
  in the operator container. If not set then use default Vault namespace
* Vault login auth path now found from OPERATOR_VAULT_AUTH_PATH env var
  in the operator container. If not set then default to using the
  auth path "auth/kubernetes"
* Above means that Vault login step no longer uses any information from
  the current RabbitMQ cluster spec

Author: George Harley

internal/cluster_reference.go

@@ -65,7 +65,7 @@ func ParseRabbitmqClusterReference(ctx context.Context, c client.Client, rmq top
 	svc := &corev1.Service{}
 	if cluster.Spec.SecretBackend.Vault != nil && cluster.Spec.SecretBackend.Vault.DefaultUserPath != "" {
 		// ask the configured secure store for the credentials available at the path retrieved from the cluster resource
-		secretStoreClient, err := SecretStoreClientProvider(cluster.Spec.SecretBackend.Vault)
+		secretStoreClient, err := SecretStoreClientProvider()
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("unable to create a client connection to secret store: %w", err)
 		}

internal/cluster_reference_test.go

@@ -158,7 +158,7 @@ var _ = Describe("ParseRabbitmqClusterReference", func() {
 				fakeCredentialsProvider.DataReturnsOnCall(1, []byte(existingRabbitMQPassword), true)
 
 				fakeSecretStoreClient.ReadCredentialsReturns(fakeCredentialsProvider, nil)
-				internal.SecretStoreClientProvider = func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error) {
+				internal.SecretStoreClientProvider = func() (internal.SecretStoreClient, error) {
 					return fakeSecretStoreClient, nil
 				}
 			})

internal/vault_reader.go

@@ -3,7 +3,6 @@ package internal
 import (
 	"errors"
 	"fmt"
-	rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/api/v1beta1"
 	"os"
 	"sync"
 	"time"
@@ -56,12 +55,12 @@ var (
 	SecretClientCreationError   error
 )
 
-func GetSecretStoreClient(vaultSpec *rabbitmqv1beta1.VaultSpec) (SecretStoreClient, error) {
-	createSecretStoreClientOnce.Do(InitializeClient(vaultSpec))
+func GetSecretStoreClient() (SecretStoreClient, error) {
+	createSecretStoreClientOnce.Do(InitializeClient())
 	return SecretClient, SecretClientCreationError
 }
 
-func InitializeClient(vaultSpec *rabbitmqv1beta1.VaultSpec) func() {
+func InitializeClient() func() {
 	return func() {
 		// VAULT_ADDR environment variable will be the address that pod uses to communicate with Vault.
 		config := vault.DefaultConfig() // modify for more granular configuration
@@ -71,7 +70,7 @@ func InitializeClient(vaultSpec *rabbitmqv1beta1.VaultSpec) func() {
 			return
 		}
 
-		go renewToken(vaultClient, vaultSpec, FirstLoginAttemptResultCh)
+		go renewToken(vaultClient, FirstLoginAttemptResultCh)
 		err = <-FirstLoginAttemptResultCh
 		if err != nil {
 			SecretClientCreationError = fmt.Errorf("unable to login to Vault: %w", err)
@@ -152,33 +151,31 @@ func availableKeys(m map[string]interface{}) []string {
 	return result
 }
 
-func login(vaultClient *vault.Client, vaultSpec *rabbitmqv1beta1.VaultSpec) (*vault.Secret, error) {
+func login(vaultClient *vault.Client) (*vault.Secret, error) {
 	logger := ctrl.LoggerFrom(nil)
 
-	var annotations = vaultSpec.Annotations
-	if annotations["vault.hashicorp.com/namespace"] != "" {
-		vaultClient.SetNamespace(annotations["vault.hashicorp.com/namespace"])
-	}
-
 	jwt, err := ReadServiceAccountTokenFunc()
 	if err != nil {
 		return nil, fmt.Errorf("unable to read file containing service account token: %w", err)
 	}
 
-	loginAuthPath := defaultAuthPath
-	annotations = vaultSpec.Annotations
-	if annotations["vault.hashicorp.com/auth-path"] != "" {
-		loginAuthPath = annotations["vault.hashicorp.com/auth-path"]
+	vaultNamespace := os.Getenv("OPERATOR_VAULT_NAMESPACE")
+	if vaultNamespace != "" {
+		vaultClient.SetNamespace(vaultNamespace)
+	}
+
+	loginAuthPath := os.Getenv("OPERATOR_VAULT_AUTH_PATH")
+	if loginAuthPath == "" {
+		loginAuthPath = defaultAuthPath
 	}
 
 	role := os.Getenv("OPERATOR_VAULT_ROLE")
 	if role == "" {
 		role = defaultVaultRole
-		logger.Info("Authenticating to Vault using default role value because OPERATOR_VAULT_ROLE env var is not set", "vault role", role)
-	} else {
-		logger.Info("Authenticating to Vault using role set from OPERATOR_VAULT_ROLE env var", "vault role", role)
 	}
 
+	logger.Info("Authenticating to Vault", "vault role", role, "vault namespace", vaultNamespace, "vault auth path", loginAuthPath)
+
 	vaultSecret, err := ReadVaultClientSecretFunc(vaultClient, string(jwt), role, loginAuthPath)
 	if err != nil {
 		return nil, fmt.Errorf("unable to obtain Vault client secret: %w", err)
@@ -192,12 +189,12 @@ func login(vaultClient *vault.Client, vaultSpec *rabbitmqv1beta1.VaultSpec) (*va
 	return vaultSecret, nil
 }
 
-func renewToken(client *vault.Client, vaultSpec *rabbitmqv1beta1.VaultSpec, initialLoginErrorCh chan<- error) {
+func renewToken(client *vault.Client, initialLoginErrorCh chan<- error) {
 	logger := ctrl.LoggerFrom(nil)
 	sentFirstLoginAttemptErr := false
 
 	for {
-		vaultLoginResp, err := login(client, vaultSpec)
+		vaultLoginResp, err := login(client)
 		if err != nil {
 			logger.Error(err, "unable to authenticate to Vault server")
 		}

internal/vault_reader_test.go

@@ -325,7 +325,7 @@ var _ = Describe("VaultReader", func() {
 					}, nil
 				}
 				getSecretStoreClientTester = func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error) {
-					internal.InitializeClient(vaultSpec)()
+					internal.InitializeClient()()
 					return internal.SecretClient, internal.SecretClientCreationError
 				}
 			})
@@ -381,7 +381,7 @@ var _ = Describe("VaultReader", func() {
 					}, nil
 				}
 				getSecretStoreClientTester = func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error) {
-					internal.InitializeClient(vaultSpec)()
+					internal.InitializeClient()()
 					return internal.SecretClient, internal.SecretClientCreationError
 				}
 			})
@@ -416,7 +416,7 @@ var _ = Describe("VaultReader", func() {
 					Role: "cheese-and-ham",
 				}
 				getSecretStoreClientTester = func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error) {
-					internal.InitializeClient(vaultSpec)()
+					internal.InitializeClient()()
 					return internal.SecretClient, internal.SecretClientCreationError
 				}
 			})
@@ -450,7 +450,7 @@ var _ = Describe("VaultReader", func() {
 					return nil, errors.New("login failed (quickly!)")
 				}
 				getSecretStoreClientTester = func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error) {
-					internal.InitializeClient(vaultSpec)()
+					internal.InitializeClient()()
 					return internal.SecretClient, internal.SecretClientCreationError
 				}
 			})
@@ -500,7 +500,7 @@ var _ = Describe("VaultReader", func() {
 					}, nil
 				}
 				getSecretStoreClientTester = func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error) {
-					internal.InitializeClient(vaultSpec)()
+					internal.InitializeClient()()
 					return internal.SecretClient, internal.SecretClientCreationError
 				}
 			})