
Commit 1257c2b

Author: Martin Jackson (committed)
Remove CA processing code and fix linter issues
1 parent 8acafe7 commit 1257c2b

9 files changed

Lines changed: 7 additions & 277 deletions

Makefile

Lines changed: 1 addition & 0 deletions
@@ -8,6 +8,7 @@ help: ## This help message
88
.PHONY: super-linter
99
super-linter: ## Runs super linter locally
1010
rm -rf .mypy_cache
11+
rm -rf .ansible
1112
podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
1213
-e VALIDATE_ANSIBLE=false \
1314
-e VALIDATE_BASH=false \
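Review bot: `rm -rf .ansible` added before the `podman run` line deletes the whole local Ansible working directory, not just a linter cache, so any collections or roles a developer installed under `./.ansible` are wiped on every `make super-linter` run. If the intent is only to keep generated files out of the lint scan, exclude the path through the linter's own filter (super-linter honours `FILTER_REGEX_EXCLUDE`) or narrow the delete to the subdirectory that produced the findings, and give the line a `##` comment stating why it is there, matching the existing `rm -rf .mypy_cache`.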

roles/vault_utils/defaults/main.yml

Lines changed: 0 additions & 29 deletions
@@ -84,32 +84,3 @@ vault_ss_csi_role_ttl: "15m"
8484
# - stable_slug: hub-sscsi-<ns>-<sa>-<app> (sanitized); spokes prefix sanitized vault_path
8585
# Per-entry override wins: ssCsiWorkloadAuth[].roleSlug (suffix only; still prefixed with <mount>-sscsi-)
8686
vault_ss_csi_role_slug_mode: hash
87-
88-
# After vault unseal / during vault_secrets_init: copy hub ingress CA into predictable ConfigMaps for
89-
# Vault CSI TLS (openshift-sscsi-vault defaults). Argo-friendly: no pemLiteral in Git; set
90-
# syncProviderCaConfigMap.createConfigMap: false and mount this CM on the Vault CSI provider.
91-
#
92-
# Default false on this branch: skip in-role CA gather + ConfigMap apply (use GitOps / platform CA
93-
# distribution as appropriate). Override with vault_ss_csi_inject_route_ca_configmap: true for
94-
# openshift-ingress + kube-root gather and hub/spoke ConfigMaps in this role.
95-
vault_ss_csi_inject_route_ca_configmap: false
96-
vault_ss_csi_route_ca_configmap_name: openshift-sscsi-vault-vault-tls-ca
97-
vault_ss_csi_route_ca_configmap_key: vault-tls-ca.pem
98-
vault_ss_csi_route_ca_ingress_namespace: openshift-ingress
99-
vault_ss_csi_route_ca_ingress_configmap_primary: router-ca
100-
vault_ss_csi_route_ca_ingress_configmap_fallback: router-ca-certs
101-
# After primary/fallback, try these names (some clusters have no router-ca; only service-ca-bundle, etc.).
102-
vault_ss_csi_route_ca_ingress_configmap_candidates:
103-
- service-ca-bundle
104-
- openshift-service-ca.crt
105-
- kube-root-ca.crt
106-
# Merged into _rhvp_ingress_data_keys first; some clusters use ca.crt only.
107-
vault_ss_csi_route_ca_ingress_data_key: ca-bundle.crt
108-
vault_ss_csi_route_ca_ingress_data_keys:
109-
- ca-bundle.crt
110-
- ca.crt
111-
- ingress-ca.crt
112-
vault_ss_csi_route_ca_include_kube_root: true
113-
vault_ss_csi_route_ca_kube_root_namespace: external-secrets
114-
vault_ss_csi_route_ca_kube_root_name: kube-root-ca.crt
115-
vault_ss_csi_route_ca_kube_root_key: ca.crt
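Review bot: dropping the whole `vault_ss_csi_route_ca_*` block without a deprecation note means an inventory that still sets `vault_ss_csi_inject_route_ca_configmap: true` is silently ignored rather than rejected, and the comment that explained the feature's GitOps rationale disappears with it. Keep a one-line comment in place of the block saying the variables were removed and that Vault route CA distribution moved to a separate chart, so an operator grepping `defaults/main.yml` learns where it went. Also confirm no remaining task under `roles/vault_utils/tasks/` references `vault_ss_csi_route_ca_configmap_name` or `vault_ss_csi_route_ca_configmap_key`; an undefined variable there would fail the play at runtime rather than at lint time.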

roles/vault_utils/tasks/vault_ss_csi_apply_route_ca_configmap_hub.yaml

Lines changed: 0 additions & 23 deletions
This file was deleted.

roles/vault_utils/tasks/vault_ss_csi_apply_route_ca_configmap_spoke.yaml

Lines changed: 0 additions & 31 deletions
This file was deleted.

roles/vault_utils/tasks/vault_ss_csi_gather_route_ca_pem.yaml

Lines changed: 0 additions & 70 deletions
This file was deleted.

roles/vault_utils/tasks/vault_ss_csi_gather_route_ca_try_ingress_cm.yaml

Lines changed: 0 additions & 30 deletions
This file was deleted.

roles/vault_utils/tasks/vault_ss_csi_spoke_cluster.yaml

Lines changed: 0 additions & 8 deletions
@@ -28,11 +28,3 @@
2828
loop_control:
2929
label: "{{ item.app }}/{{ item.namespace }}/{{ item.serviceAccount }}"
3030
when: (_ss_rows_this_cluster | default([])) | length > 0
31-
32-
- name: Apply Vault route CA ConfigMaps on spoke for SS CSI TLS verification (same bundle as hub)
33-
ansible.builtin.include_tasks: vault_ss_csi_apply_route_ca_configmap_spoke.yaml
34-
when:
35-
- vault_ss_csi_inject_route_ca_configmap | default(true) | bool
36-
- _vault_route_ca_pem is defined
37-
- (_vault_route_ca_pem | trim | length) > 0
38-
- (_ss_rows_this_cluster | default([])) | length > 0
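Review bot: the deleted `when:` guarded this include with `vault_ss_csi_inject_route_ca_configmap | default(true)`, which defaulted to enabled and contradicted the `false` in `defaults/main.yml`; removing the task resolves that mismatch, but the `_vault_route_ca_pem is defined` guard went with it. Verify that nothing else in the spoke play still expects `_vault_route_ca_pem` or `vault_ss_csi_route_ca_configmap_name` to be set, since this hunk shows only the one consumer and any leftover reference would now be an undefined variable on every spoke.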

roles/vault_utils/tasks/vault_ss_csi_workload_auth.yaml

Lines changed: 0 additions & 19 deletions
@@ -148,18 +148,6 @@
148148
- vault_ss_csi_from_applications | default(true) | bool
149149
- vault_csi_kubernetes_auth | default(false) | bool
150150

151-
# Hub ingress CA → ConfigMap(s) named like openshift-sscsi-vault defaults (Argo-friendly: no pemLiteral in Git).
152-
# Skipped when vault_ss_csi_inject_route_ca_configmap is false (override to true to gather/apply here).
153-
- name: Gather hub ingress CA bundle for Vault route TLS (SS CSI)
154-
ansible.builtin.include_tasks: vault_ss_csi_gather_route_ca_pem.yaml
155-
when:
156-
- vault_ss_csi_inject_route_ca_configmap | default(true) | bool
157-
- vault_ss_csi_from_applications | default(true) | bool
158-
- (
159-
((_ss_csi_all_entries | default([])) | length > 0)
160-
or (vault_csi_kubernetes_auth | default(false) | bool)
161-
)
162-
163151
- name: Reset hub/spoke SS CSI classification lists
164152
ansible.builtin.set_fact:
165153
_ss_csi_hub_entries: []
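Review bot: the removed gather task used `vault_ss_csi_inject_route_ca_configmap | default(true)` while `defaults/main.yml` set the variable to `false`, so it was effectively opt-in only through the default file; with both the task and the default gone, an operator who set the variable to `true` in inventory to get in-role CA ConfigMaps now gets no error and no warning. Consider a short `ansible.builtin.assert` (or at least a `debug`) at this point in the file that fires when the obsolete variable is defined and points at the chart that replaces the in-role path.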
@@ -221,10 +209,3 @@
221209
when:
222210
- vault_ss_csi_from_applications | default(true) | bool
223211
- (_ss_csi_hub_entries | default([])) | length > 0
224-
225-
- name: Apply Vault route CA ConfigMaps on hub namespaces for CSI TLS verification
226-
ansible.builtin.include_tasks: vault_ss_csi_apply_route_ca_configmap_hub.yaml
227-
when:
228-
- vault_ss_csi_inject_route_ca_configmap | default(true) | bool
229-
- _vault_route_ca_pem is defined
230-
- (_vault_route_ca_pem | trim | length) > 0
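Review bot: this deletion removes the only hub-side creation of the Vault route CA ConfigMap, so any SS CSI workload running with `vaultSkipTLSVerify: "false"` will fail TLS verification against the Vault route until the replacement chart has delivered the bundle under the name the provider mounts. The commit message should state that upgrade ordering (deploy the CA chart before running `vault_secrets_init` at this version) so nobody reaches for `vaultSkipTLSVerify: "true"` as a workaround. Also, `- (_ss_csi_hub_entries | default([])) | length > 0` is now the last line of the file; make sure it keeps a trailing newline, given the commit is fixing linter findings.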

secrets-initialization-and-vault-unseal.md

Lines changed: 6 additions & 67 deletions
@@ -100,72 +100,13 @@ Summary:
100100
6. Read existing **`auth/{{ vault_hub }}/role/{{ vault_hub }}-role`**, merge policies with `vault_hub_role_default_policies`, and **`vault write`** the role when an update is needed (bound SA/namespace from active external-secrets config, TTL from `vault_hub_ttl`).
101101
7. **`include_tasks: vault_ss_csi_workload_auth.yaml`** for optional SS CSI Kubernetes auth roles from pattern values.
102102

103-
### Vault route CA ConfigMap for SS CSI TLS (hub ingress trust)
103+
### Vault route CA for SS CSI TLS
104104

105-
The **Secrets Store CSI** Vault provider talks to Vault over **HTTPS** (typically the **hub** Vault **Route** on OpenShift).
106-
With **`vaultSkipTLSVerify: "false"`**, the provider needs a **PEM trust bundle** for that route.
107-
Checking that bundle into Git as **`pemLiteral`**, or using Helm **`lookup`**, is awkward for GitOps.
108-
This role can **imperatively** create a **fixed-name `ConfigMap`** in every namespace that runs SS CSI workloads so charts can set **`createConfigMap: false`** and mount the bundle by name.
105+
The **SS CSI** path in this collection no longer gathers hub ingress CA material or applies CA `ConfigMap` objects.
106+
CA distribution for the Vault route is now expected to be handled by a separate chart.
109107

110-
**Branch `feature/sscsi-vp-proxy-cluster-ca-chart`:** `vault_ss_csi_inject_route_ca_configmap` defaults to **`false`**, so this role does **not** gather hub ingress CA or apply Vault route CA ConfigMaps unless you override it (inventory / extra vars). Supply TLS trust for the Vault route via your pattern (for example a hub GitOps chart such as **vp-manage-proxy-cluster-ca**) or set **`vault_ss_csi_inject_route_ca_configmap: true`** to use the in-role path documented below.
111-
112-
#### When this runs (play order)
113-
114-
| Phase | Tag | What happens |
115-
| ----- | --- | -------------- |
116-
| **Gather + hub apply** | `vault_secrets_init` | Included from **`vault_ss_csi_workload_auth.yaml`** after SS CSI entries are collected from **`values-<clustergroup>.yaml`**, after hub Vault Kubernetes auth roles are written for those entries. |
117-
| **Spoke apply** | `vault_spokes_init` | Included from **`vault_ss_csi_spoke_cluster.yaml`** for each ACM spoke that has **SS CSI** rows for that cluster (same PEM as the hub; Vault route stays on hub ingress). |
118-
119-
Gather runs only when **`vault_ss_csi_inject_route_ca_configmap`** is true, **`vault_ss_csi_from_applications`** is true, and **either** there is at least one SS CSI identity in **`_ss_csi_all_entries`** **or** legacy **`vault_csi_kubernetes_auth`** is enabled. With the default **`false`** on this branch, gather and ConfigMap apply are skipped.
120-
Hub ConfigMap apply runs when injection is on and the gathered PEM is non-empty, **after** hub SS CSI roles are configured (so hub workload namespaces are known).
121-
122-
If **`vault_spokes_init`** exits early (**`meta: end_play`** when there are no `ManagedCluster` resources or the ACM API is unavailable), **spoke** namespaces never receive the ConfigMap in that run; **hub** namespaces still do if **`vault_secrets_init`** completed.
123-
For hub-only clusters, use **`--skip-tags vault_spokes_init`** as documented in Step 4; route CA ConfigMaps on the hub are unaffected.
124-
125-
#### How the PEM bundle is built
126-
127-
Tasks live under **`roles/vault_utils/tasks/`**:
128-
129-
1. **`vault_ss_csi_gather_route_ca_pem.yaml`** (hub API only) walks **`openshift-ingress`** (or **`vault_ss_csi_route_ca_ingress_namespace`**) ConfigMaps in order: **`router-ca`**, **`router-ca-certs`**, then **`vault_ss_csi_route_ca_ingress_configmap_candidates`**
130-
(defaults: **`service-ca-bundle`**, **`openshift-service-ca.crt`**, **`kube-root-ca.crt`** when router CMs are absent). Each CM uses ordered data keys and PEM-like `.data` fallbacks (see **`defaults/main.yml`**).
131-
Optionally, when **`vault_ss_csi_route_ca_include_kube_root`** is true, it appends **`external-secrets/kube-root-ca.crt`** (`ca.crt`) so the bundle stays aligned with **External Secrets Operator** cluster trust.
132-
The result is **`_vault_route_ca_pem`**. If injection is enabled and **no router CA** can be read from either ingress ConfigMap, the play **fails** (kube-root alone is not sufficient to trust the Vault route).
133-
134-
2. **`vault_ss_csi_apply_route_ca_configmap_hub.yaml`** loops namespaces and applies **`kubernetes.core.k8s`** `ConfigMap` state: present.
135-
136-
3. **`vault_ss_csi_apply_route_ca_configmap_spoke.yaml`** does the same on each spoke using **`api_key`**, **`host`**, and **`ca_cert: /tmp/<cluster>.ca`** like other spoke tasks; **`local-cluster`** is skipped.
137-
138-
#### Where the ConfigMap is created
139-
140-
- **Hub:** **`{{ vault_ns }}`** (always in the list) **union** the **namespace** of each **`ssCsiWorkloadAuth`** row classified as **hub** (`cluster` is `hub`, `local-cluster`, or empty). Duplicates are removed.
141-
- **Spoke:** **`{{ vault_ns }}`** on that spoke **union** namespaces from SS CSI rows whose **`cluster`** matches the spoke (same matching rules as Vault role creation in **`vault_ss_csi_spoke_cluster.yaml`**).
142-
143-
The object is labeled **`app.kubernetes.io/name: rhvp-cluster-utils`**, **`app.kubernetes.io/component: vault-route-tls-ca`** for discovery and ownership.
144-
145-
#### ConfigMap name, key, and chart alignment
146-
147-
Defaults in **`roles/vault_utils/defaults/main.yml`** match **openshift-sscsi-vault** conventions so you can depend on a stable name without copying PEM into Git:
148-
149-
| Variable | Default | Role |
150-
| -------- | ------- | ---- |
151-
| `vault_ss_csi_inject_route_ca_configmap` | `false` | When `false`, CA gather/apply is skipped; set `true` to restore in-role gather + ConfigMaps. |
152-
| `vault_ss_csi_route_ca_configmap_name` | `openshift-sscsi-vault-vault-tls-ca` | ConfigMap `metadata.name`. |
153-
| `vault_ss_csi_route_ca_configmap_key` | `vault-tls-ca.pem` | Key under `data` holding the PEM text. |
154-
| `vault_ss_csi_route_ca_ingress_namespace` | `openshift-ingress` | Where router CA ConfigMaps live. |
155-
| `vault_ss_csi_route_ca_ingress_configmap_primary` | `router-ca` | First ConfigMap to read. |
156-
| `vault_ss_csi_route_ca_ingress_configmap_fallback` | `router-ca-certs` | Second ConfigMap if primary missing key. |
157-
| `vault_ss_csi_route_ca_ingress_configmap_candidates` | `service-ca-bundle`, … | Extra ConfigMap **names** tried after primary/fallback when router CMs are absent. |
158-
| `vault_ss_csi_route_ca_ingress_data_key` | `ca-bundle.crt` | First key tried (legacy); merged with `vault_ss_csi_route_ca_ingress_data_keys`. |
159-
| `vault_ss_csi_route_ca_ingress_data_keys` | `ca-bundle.crt`, `ca.crt`, … | Ordered keys per ConfigMap; then any PEM-like `.data` value. |
160-
| `vault_ss_csi_route_ca_include_kube_root` | `true` | Append `external-secrets` **kube-root-ca.crt**. |
161-
| `vault_ss_csi_route_ca_kube_root_*` | see defaults | Namespace, name, and data key for kube-root. |
162-
163-
**GitOps / Helm:** set **`vaultSkipTLSVerify: "false"`**, configure the subchart so **`syncProviderCaConfigMap.createConfigMap`** is **`false`**
164-
(do not create the CA ConfigMap from chart values), and mount the ConfigMap named above so **`vaultCACertPath`** points at
165-
**`/path/to/mount/{{ vault_ss_csi_route_ca_configmap_key }}`** (exact mount path depends on the chart’s volumeMount).
166-
Avoid **`pemLiteral`** and **`lookup`** for this CA if the playbook maintains the ConfigMap.
167-
168-
Set **`vault_ss_csi_inject_route_ca_configmap: false`** to skip gather and all applies if you supply trust another way.
108+
When using **Secrets Store CSI** against Vault over HTTPS (`vaultSkipTLSVerify: "false"`), ensure your platform/chart layer provides the CA bundle and mount path expected by your SS CSI deployment.
109+
The `vault_utils` role now only configures Vault auth backends, policies, and SS CSI Kubernetes auth roles.
169110

170111
---
171112

@@ -209,8 +150,6 @@ Included from `main.yml` only when **`vault_jwt_config | default(false) | bool`*
209150
| `unseal_secret` | `vaultkeys` | Secret name holding init JSON |
210151
| `unseal_namespace` | `imperative` | Namespace for unseal secret |
211152

212-
**SS CSI Vault route CA ConfigMaps:** see **Step 3***Vault route CA ConfigMap for SS CSI TLS* for `vault_ss_csi_inject_route_ca_configmap`, `vault_ss_csi_route_ca_configmap_*`, and ingress/kube-root source variables.
213-
214153
Override via inventory, extra vars, or role vars as needed.
215154

216155
---
@@ -227,7 +166,7 @@ Useful for reproducing only init+unseal without spokes or secret push.
227166

228167
---
229168

230-
## Related documentation in-repo
169+
## Related documentation in repository
231170

232171
- **`roles/vault_utils/README.md`** — Role variables, values-secret v1/v2 formats, Vault path layout (`secret/global`, `secret/hub`, spokes, `secret/pushsecrets`).
233172
- **`playbooks/process_secrets.yml`** / **`roles/load_secrets`** — Broader “load secrets” flow for patterns (not identical to `vault.yml`, but shares concepts like `find_vp_secrets` and backing store).
