Merge pull request #175 from trevorbox/deletion-integration-tests-merge

No longer require the /data suffix in the path for RandomSecrets usin…

api/v1alpha1/authenginemount_types.go

@@ -42,7 +42,7 @@ type AuthEngineMountSpec struct {
 	AuthMount `json:",inline"`
 
 	// Path at which this auth engine will be mounted
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path /sys/auth/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/databasesecretengineconfig_types.go

@@ -46,7 +46,7 @@ type DatabaseSecretEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/databasesecretenginerole_types.go

@@ -43,7 +43,7 @@ type DatabaseSecretEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/databasesecretenginestaticrole_types.go

@@ -43,7 +43,7 @@ type DatabaseSecretEngineStaticRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/githubsecretengineconfig_types.go

@@ -48,7 +48,7 @@ type GitHubSecretEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/config.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/githubsecretenginerole_types.go

@@ -43,7 +43,7 @@ type GitHubSecretEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/permissionset/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/permissionset/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/jwtoidcauthengineconfig_types.go

@@ -39,7 +39,7 @@ type JWTOIDCAuthEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/jwtoidcauthenginerole_types.go

@@ -37,7 +37,7 @@ type JWTOIDCAuthEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/kubernetesauthengineconfig_types.go

@@ -42,7 +42,7 @@ type KubernetesAuthEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/kubernetesauthenginerole_types.go

@@ -43,7 +43,7 @@ type KubernetesAuthEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/role/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/role/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/kubernetessecretengineconfig_types.go

@@ -49,7 +49,7 @@ type KubernetesSecretEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/config.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/kubernetessecretenginerole_types.go

@@ -41,7 +41,7 @@ type KubernetesSecretEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/ldapauthengineconfig_types.go

@@ -39,7 +39,7 @@ type LDAPAuthEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/ldapauthenginegroup_types.go

@@ -37,7 +37,7 @@ type LDAPAuthEngineGroupSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/pkisecretengineconfig_types.go

@@ -47,7 +47,7 @@ type PKISecretEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/pkisecretenginerole_types.go

@@ -42,7 +42,7 @@ type PKISecretEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the role.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/quaysecretengineconfig_types.go

@@ -42,7 +42,7 @@ type QuaySecretEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/config.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/quaysecretenginerole_types.go

@@ -58,7 +58,7 @@ type QuaySecretEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/quaysecretenginestaticrole_types.go

@@ -38,7 +38,7 @@ type QuaySecretEngineStaticRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/static-roles/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/static-roles/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/rabbitmqsecretengineconfig_types.go

@@ -45,7 +45,7 @@ type RabbitMQSecretEngineConfigSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}/config/connection.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}/config/connection.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

api/v1alpha1/rabbitmqsecretenginerole_types.go

@@ -40,7 +40,7 @@ type RabbitMQSecretEngineRoleSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication"`
 
 	// Path at which to make the configuration.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path"`

api/v1alpha1/randomsecret_types.go

@@ -50,8 +50,10 @@ type RandomSecretSpec struct {
 	Authentication vaultutils.KubeAuthConfiguration `json:"authentication,omitempty"`
 
 	// Path at which to create the secret.
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
-	// The authentication role must have the following capabilities = [ "create", "update", "delete"] on that path.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
+	// If IsKVSecretsEngineV2 is false, the authentication role must have the following capabilities = [ "create", "update", "delete"] on the {[spec.authentication.namespace]}/{spec.path}/{metadata.name} path.
+	// If IsKVSecretsEngineV2 is true, the authentication role must have the following capabilities = [ "create", "update"] on the {[spec.authentication.namespace]}/{spec.path}/data/{metadata.name} path and capabilities = [ "delete"] on the {[spec.authentication.namespace]}/{spec.path}/metadata/{metadata.name} path.
+	// Additionally, if IsKVSecretsEngineV2 is true, it is acceptable for this value to have a suffix of "/data" or not. This suffix is no longer needed but still supported for backwards compatibility.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`
 
@@ -84,7 +86,21 @@ func (d *RandomSecret) GetVaultConnection() *vaultutils.VaultConnection {
 }
 
 func (d *RandomSecret) GetPath() string {
-	return string(d.Spec.Path) + "/" + d.Name
+
+	var path string = strings.TrimSpace(string(d.Spec.Path))
+	var sb strings.Builder
+
+	sb.WriteString(path)
+
+	const kvV2PathSuffix string = "/data"
+	if d.IsKVSecretsEngineV2() && !strings.HasSuffix(path, kvV2PathSuffix) {
+		sb.WriteString(kvV2PathSuffix)
+	}
+
+	sb.WriteByte('/')
+	sb.WriteString(d.Name)
+
+	return sb.String()
 }
 
 func (d *RandomSecret) getV1Payload() map[string]interface{} {

api/v1alpha1/secretenginemount_types.go

@@ -90,7 +90,7 @@ type SecretEngineMountSpec struct {
 	Mount `json:",inline"`
 
 	// Path at which this secret engine will be available
-	// The final path will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
+	// The final path in Vault will be {[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
 	// The authentication role must have the following capabilities = [ "create", "read", "update", "delete"] on that path /sys/mounts/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
 	// +kubebuilder:validation:Required
 	Path vaultutils.Path `json:"path,omitempty"`

config/crd/bases/redhatcop.redhat.io_authenginemounts.yaml

@@ -193,7 +193,7 @@ spec:
                 type: boolean
               path:
                 description: Path at which this auth engine will be mounted The final
-                  path will be {[spec.authentication.namespace]}/auth/{spec.path}/{metadata.name}.
+                  path in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path /sys/auth/{[spec.authentication.namespace]}/{spec.path}/{metadata.name}.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

config/crd/bases/redhatcop.redhat.io_databasesecretengineconfigs.yaml

@@ -161,7 +161,7 @@ spec:
                 type: string
               path:
                 description: Path at which to make the configuration. The final path
-                  will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
+                  in Vault will be {[spec.authentication.namespace]}/{spec.path}/config/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

config/crd/bases/redhatcop.redhat.io_databasesecretengineroles.yaml

@@ -149,8 +149,8 @@ spec:
                   The TTL General Case.
                 type: string
               path:
-                description: Path at which to create the role. The final path will
-                  be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+                description: Path at which to create the role. The final path in Vault
+                  will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

config/crd/bases/redhatcop.redhat.io_databasesecretenginestaticroles.yaml

@@ -144,8 +144,8 @@ spec:
                     type: string
                 type: object
               path:
-                description: Path at which to create the role. The final path will
-                  be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
+                description: Path at which to create the role. The final path in Vault
+                  will be {[spec.authentication.namespace]}/{spec.path}/roles/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

config/crd/bases/redhatcop.redhat.io_githubsecretengineconfigs.yaml

@@ -131,9 +131,9 @@ spec:
                 type: string
               path:
                 description: Path at which to make the configuration. The final path
-                  will be {[spec.authentication.namespace]}/{spec.path}/config. The
-                  authentication role must have the following capabilities = [ "create",
-                  "read", "update", "delete"] on that path.
+                  in Vault will be {[spec.authentication.namespace]}/{spec.path}/config.
+                  The authentication role must have the following capabilities = [
+                  "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?
                 type: string
               sSHKeyReference:

config/crd/bases/redhatcop.redhat.io_githubsecretengineroles.yaml

@@ -133,8 +133,8 @@ spec:
                   is required. If both are provided, installationID takes precedence.
                 type: string
               path:
-                description: Path at which to create the role. The final path will
-                  be {[spec.authentication.namespace]}/{spec.path}/permissionset/{metadata.name}.
+                description: Path at which to create the role. The final path in Vault
+                  will be {[spec.authentication.namespace]}/{spec.path}/permissionset/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

config/crd/bases/redhatcop.redhat.io_jwtoidcauthengineconfigs.yaml

@@ -286,7 +286,7 @@ spec:
                 type: boolean
               path:
                 description: Path at which to make the configuration. The final path
-                  will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
+                  in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/config/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?

config/crd/bases/redhatcop.redhat.io_jwtoidcauthengineroles.yaml

@@ -216,7 +216,7 @@ spec:
                 type: integer
               path:
                 description: Path at which to make the configuration. The final path
-                  will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
+                  in Vault will be {[spec.authentication.namespace]}/auth/{spec.path}/groups/{metadata.name}.
                   The authentication role must have the following capabilities = [
                   "create", "read", "update", "delete"] on that path.
                 pattern: ^(?:/?[\w;:@&=\$-\.\+]*)+/?