Merge pull request #287 from 13bscsaamjad/sec-eng-mnt-path-opt

feat/fix: make path optional in secret engine mount

Author: raffaelespazzoli

api/v1alpha1/secretenginemount_test.go

@@ -0,0 +1,72 @@
+package v1alpha1
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestSecretEngineMountGetPath(t *testing.T) {
+	tests := []struct {
+		name         string
+		mount        *SecretEngineMount
+		expectedPath string
+	}{
+		{
+			name: "with path and name specified",
+			mount: &SecretEngineMount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-mount",
+				},
+				Spec: SecretEngineMountSpec{
+					Path: "custom-path",
+					Name: "custom-name",
+				},
+			},
+			expectedPath: "sys/mounts/custom-path/custom-name",
+		},
+		{
+			name: "with path but no name specified",
+			mount: &SecretEngineMount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-mount",
+				},
+				Spec: SecretEngineMountSpec{
+					Path: "custom-path",
+				},
+			},
+			expectedPath: "sys/mounts/custom-path/test-mount",
+		},
+		{
+			name: "with name but no path specified",
+			mount: &SecretEngineMount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-mount",
+				},
+				Spec: SecretEngineMountSpec{
+					Name: "custom-name",
+				},
+			},
+			expectedPath: "sys/mounts/custom-name",
+		},
+		{
+			name: "with neither path nor name specified",
+			mount: &SecretEngineMount{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-mount",
+				},
+				Spec: SecretEngineMountSpec{},
+			},
+			expectedPath: "sys/mounts/test-mount",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.mount.GetPath()
+			if result != tt.expectedPath {
+				t.Errorf("GetPath() = %v, expected %v", result, tt.expectedPath)
+			}
+		})
+	}
+}

api/v1alpha1/secretenginemount_types.go

@@ -41,10 +41,21 @@ func (d *SecretEngineMount) IsDeletable() bool {
 }
 
 func (d *SecretEngineMount) GetPath() string {
+	var pathComponent string
+	if d.Spec.Path != "" {
+		pathComponent = string(d.Spec.Path)
+	} else {
+		// When Path is empty, use the name directly as the mount path
+		if d.Spec.Name != "" {
+			return vaultutils.CleansePath(d.GetEngineListPath() + "/" + d.Spec.Name)
+		}
+		return vaultutils.CleansePath(d.GetEngineListPath() + "/" + d.Name)
+	}
+
 	if d.Spec.Name != "" {
-		return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Spec.Name)
+		return vaultutils.CleansePath(d.GetEngineListPath() + "/" + pathComponent + "/" + d.Spec.Name)
 	}
-	return vaultutils.CleansePath(d.GetEngineListPath() + "/" + string(d.Spec.Path) + "/" + d.Name)
+	return vaultutils.CleansePath(d.GetEngineListPath() + "/" + pathComponent + "/" + d.Name)
 }
 func (d *SecretEngineMount) GetPayload() map[string]interface{} {
 	return d.Spec.toMap()
@@ -101,10 +112,10 @@ type SecretEngineMountSpec struct {
 
 	Mount `json:",inline"`
 
-	// Path at which this secret engine will be available
-	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
-	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path /sys/mounts/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
-	// +kubebuilder:validation:Required
+	// Path at which this secret engine will be available. If not specified, defaults to the resource name (/sys/mounts/{[spec.authentication.namespace]}/{metadata.name}).
+	// The final path in Vault will be {[spec.authentication.namespace]}/{[spec.path]}/{metadata.name}.
+	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on computed path /sys/mounts/{[spec.authentication.namespace]}/{[spec.path]}/{metadata.name} or /sys/mounts/{[spec.authentication.namespace]}/{metadata.name} if path is empty.
+	// +kubebuilder:validation:Optional
 	Path vaultutils.Path `json:"path,omitempty"`
 
 	// The name of the obejct created in Vault. If this is specified it takes precedence over {metatada.name}

config/crd/bases/redhatcop.redhat.io_secretenginemounts.yaml

@@ -214,9 +214,9 @@ spec:
                 x-kubernetes-map-type: granular
               path:
                 description: |-
-                  Path at which this secret engine will be available
-                  The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
-                  The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path /sys/mounts/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
+                  Path at which this secret engine will be available. If not specified, defaults to the resource name (/sys/mounts/{[spec.authentication.namespace]}/{metadata.name}).
+                  The final path in Vault will be {[spec.authentication.namespace]}/{[spec.path]}/{metadata.name}.
+                  The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on computed path /sys/mounts/{[spec.authentication.namespace]}/{[spec.path]}/{metadata.name} or /sys/mounts/{[spec.authentication.namespace]}/{metadata.name} if path is empty.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?
                 type: string
               sealWrap: