Fix defaults for vault mount point on spoke clusters

Author: Martin Jackson

Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: vp-sscsi-spc
-version: 0.1.5
+version: 0.1.6
 description: >-
   Library chart for app-level Vault SecretProviderClass rendering with hub, spoke, and
   external Vault support. Cluster CA material is managed by a separate cluster-wide chart.

README.md

@@ -1,6 +1,6 @@
 # vp-sscsi-spc
 
-![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square)
+![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square)
 
 Library chart for app-level Vault SecretProviderClass rendering with hub, spoke, and external Vault support. Cluster CA material is managed by a separate cluster-wide chart.
 
@@ -12,7 +12,7 @@ This chart is the **library for `SecretProviderClass` only**, **one dependency p
 
 This chart renders **only** `SecretProviderClass` YAML (named templates or optional `installDefaultManifests`). Use it from application charts that need:
 
-- Hub-cluster Vault auth (`hub` mount + role)
+- Hub-cluster Vault auth (defaults `vaultKubernetesMountPath` to `hub` when `global.localClusterDomain == global.hubClusterDomain`, else `global.clusterDomain`; optional `vault.hubMountPath` override, hub role)
 - Spoke-cluster auth to centralized Vault (`clusterDomain` mount + role)
 - External Vault endpoint override (`vault.externalAddress`)
 - Optional reference to a pre-mounted CA path (`tls.vaultCACertPath`), or **`tls.projectedClusterCa.enabled: true`** to derive the path for **openshift-sscsi-vault**'s projected CNO/proxy bundle (same defaults as that chart's `syncProviderCaConfigMap`)
@@ -63,7 +63,7 @@ When `ocpSecretsStoreCsiVault.applicationKey` is set, the chart reads
 | ocpSecretsStoreCsiVault.tls.projectedClusterCa | object | `{"enabled":false,"injectTrustedCabundle":true,"keyInConfigMap":"vault-tls-ca.pem","mountDir":"/etc/pki/vault-ca","trustedCabundleDataKey":"ca-bundle.crt"}` | When `enabled` is true and `vaultCACertPath` is empty, set `vaultCACertPath` to the bundle file under **openshift-sscsi-vault** defaults (CNO proxy merge `ca-bundle.crt` vs PEM `vault-tls-ca.pem`). Align these fields with `ocpSecretsStoreCsiVault.caProvider.syncProviderCaConfigMap` on that chart. |
 | ocpSecretsStoreCsiVault.tls.vaultCACertPath | string | `""` | Explicit PEM path on the CSI provider pod. When non-empty, wins over `projectedClusterCa`. |
 | ocpSecretsStoreCsiVault.vault.externalAddress | string | `""` | If non-empty, used as `spec.parameters.vaultAddress` (external Vault endpoint). |
-| ocpSecretsStoreCsiVault.vault.hubMountPath | string | `"hub"` | Vault Kubernetes auth mount path for hub-style auth |
+| ocpSecretsStoreCsiVault.vault.hubMountPath | string | `""` | Optional override for hub-style `vaultKubernetesMountPath`. Empty defaults to `hub` when `global.localClusterDomain == global.hubClusterDomain`, else `global.clusterDomain`. |
 | ocpSecretsStoreCsiVault.workloadAuthIndex | int | `0` | Index into `clusterGroup.applications[applicationKey].ssCsiWorkloadAuth` when multiple entries are present. |
 
 ----------------------------------------------

README.md.gotmpl

@@ -13,7 +13,7 @@ This chart is the **library for `SecretProviderClass` only**, **one dependency p
 
 This chart renders **only** `SecretProviderClass` YAML (named templates or optional `installDefaultManifests`). Use it from application charts that need:
 
-- Hub-cluster Vault auth (`hub` mount + role)
+- Hub-cluster Vault auth (defaults `vaultKubernetesMountPath` to `hub` when `global.localClusterDomain == global.hubClusterDomain`, else `global.clusterDomain`; optional `vault.hubMountPath` override, hub role)
 - Spoke-cluster auth to centralized Vault (`clusterDomain` mount + role)
 - External Vault endpoint override (`vault.externalAddress`)
 - Optional reference to a pre-mounted CA path (`tls.vaultCACertPath`), or **`tls.projectedClusterCa.enabled: true`** to derive the path for **openshift-sscsi-vault**'s projected CNO/proxy bundle (same defaults as that chart's `syncProviderCaConfigMap`)

templates/spc-library.tpl

@@ -192,7 +192,14 @@ spec:
     vaultTLSServerName: {{ .Values.ocpSecretsStoreCsiVault.tls.vaultTLSServerName | quote }}
 {{- end }}
 {{- if $isHubStyleAuth }}
-    vaultKubernetesMountPath: {{ .Values.ocpSecretsStoreCsiVault.vault.hubMountPath | quote }}
+{{- $hubMountPath := .Values.ocpSecretsStoreCsiVault.vault.hubMountPath | default "" | trim }}
+{{- $localDomain := $.Values.global.localClusterDomain | default "" | trim }}
+{{- $hubDomain := $.Values.global.hubClusterDomain | default "" | trim }}
+{{- $defaultHubMountPath := $.Values.global.clusterDomain | default "" | trim }}
+{{- if and (ne $localDomain "") (eq $localDomain $hubDomain) }}
+{{- $defaultHubMountPath = "hub" }}
+{{- end }}
+    vaultKubernetesMountPath: {{ coalesce $hubMountPath $defaultHubMountPath "hub" | quote }}
     roleName: {{ coalesce $workloadAuth.roleName .Values.ocpSecretsStoreCsiVault.auth.roleName "hub-role" | quote }}
 {{- else }}
     vaultKubernetesMountPath: {{ $.Values.global.clusterDomain | quote }}

tests/secretproviderclass_test.yaml

@@ -26,7 +26,7 @@ tests:
           apiVersion: secrets-store.csi.x-k8s.io/v1
           any: true
 
-  - it: uses hub defaults on a hub cluster
+  - it: uses hub mount path by default when localClusterDomain equals hubClusterDomain
     template: templates/install-default-manifests.yaml
     set:
       clusterGroup:
@@ -38,10 +38,10 @@ tests:
           name: app-secrets
         auth:
           roleName: hub-role
-        vault:
-          hubMountPath: hub
       global:
+        clusterDomain: group-one
         hubClusterDomain: apps.hub.example.org
+        localClusterDomain: apps.hub.example.org
     documentSelector:
       path: kind
       value: SecretProviderClass
@@ -62,6 +62,47 @@ tests:
           path: spec.parameters.roleName
           value: hub-role
 
+  - it: defaults hub-style mount path to global.clusterDomain when localClusterDomain differs
+    template: templates/install-default-manifests.yaml
+    set:
+      clusterGroup:
+        isHubCluster: true
+      ocpSecretsStoreCsiVault:
+        secretProviderClass:
+          installDefaultManifests: true
+      global:
+        clusterDomain: group-one
+        hubClusterDomain: apps.hub.example.org
+        localClusterDomain: spoke.apps.example.org
+    documentSelector:
+      path: kind
+      value: SecretProviderClass
+    asserts:
+      - equal:
+          path: spec.parameters.vaultKubernetesMountPath
+          value: group-one
+
+  - it: honors explicit hubMountPath override on a hub cluster
+    template: templates/install-default-manifests.yaml
+    set:
+      clusterGroup:
+        isHubCluster: true
+      ocpSecretsStoreCsiVault:
+        secretProviderClass:
+          installDefaultManifests: true
+        vault:
+          hubMountPath: hub
+      global:
+        clusterDomain: group-one
+        hubClusterDomain: apps.hub.example.org
+    documentSelector:
+      path: kind
+      value: SecretProviderClass
+    asserts:
+      - equal:
+          path: spec.parameters.vaultKubernetesMountPath
+          value: hub
+
   - it: uses spoke mount and role on spoke cluster with centralized Vault
     template: templates/install-default-manifests.yaml
     set:

values.yaml

@@ -19,8 +19,8 @@ ocpSecretsStoreCsiVault:
   vault:
     # -- If non-empty, used as `spec.parameters.vaultAddress` (external Vault endpoint).
     externalAddress: ""
-    # -- Vault Kubernetes auth mount path for hub-style auth
-    hubMountPath: hub
+    # -- Optional override for hub-style `vaultKubernetesMountPath`. Empty defaults to `hub` when `global.localClusterDomain == global.hubClusterDomain`, else `global.clusterDomain`.
+    hubMountPath: ""
 
   auth:
     # -- Vault Kubernetes auth role name for hub-style auth