CNTRLPLANE-3361: pluginlifecycle: treat transit-mount as required

pkg/operator/encryption/kms/pluginlifecycle/sidecar_test.go

@@ -108,11 +108,11 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 	sidecarArgs := []string{
 		"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 		"-vault-address=https://vault.example.com:8200",
+		"-transit-mount=transit",
 		"-transit-key=my-key",
 		"-approle-role-id=dummy-role-id-555",
 		"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 		"-vault-namespace=my-namespace",
-		"-transit-mount=transit",
 	}
 
 	socketMount := corev1.VolumeMount{
@@ -179,11 +179,11 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 						Args: []string{
 							"-listen-address=unix:///var/run/kmsplugin/kms-777.sock",
 							"-vault-address=https://vault2.example.com:8200",
+							"-transit-mount=transit2",
 							"-transit-key=other-key",
 							"-approle-role-id=dummy-role-id-777",
 							"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-777",
 							"-vault-namespace=other-namespace",
-							"-transit-mount=transit2",
 						},
 						VolumeMounts: []corev1.VolumeMount{socketMount},
 					},
@@ -193,11 +193,11 @@ func TestAddKMSPluginSidecarToPodSpec(t *testing.T) {
 						Args: []string{
 							"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 							"-vault-address=https://vault.example.com:8200",
+							"-transit-mount=transit",
 							"-transit-key=my-key",
 							"-approle-role-id=dummy-role-id-555",
 							"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 							"-vault-namespace=my-namespace",
-							"-transit-mount=transit",
 						},
 						VolumeMounts: []corev1.VolumeMount{socketMount},
 					},

pkg/operator/encryption/kms/pluginlifecycle/vault.go

@@ -37,6 +37,7 @@ func (v *vault) BuildSidecarContainer() (corev1.Container, error) {
 	args := []string{
 		fmt.Sprintf("-listen-address=%s", v.udsPath),
 		fmt.Sprintf("-vault-address=%s", v.config.VaultAddress),
+		fmt.Sprintf("-transit-mount=%s", v.config.TransitMount),
 		fmt.Sprintf("-transit-key=%s", v.config.TransitKey),
 		// TODO(bertinatto): dummy value for the Vault mock plugin; will come from the encryption-config secret.
 		fmt.Sprintf("-approle-role-id=dummy-role-id-%s", v.keyID),
@@ -49,10 +50,6 @@ func (v *vault) BuildSidecarContainer() (corev1.Container, error) {
 		args = append(args, fmt.Sprintf("-vault-namespace=%s", v.config.VaultNamespace))
 	}
 
-	if v.config.TransitMount != "" {
-		args = append(args, fmt.Sprintf("-transit-mount=%s", v.config.TransitMount))
-	}
-
 	return corev1.Container{
 		Name:  v.Name(),
 		Image: v.config.KMSPluginImage,

pkg/operator/encryption/kms/pluginlifecycle/vault_test.go

@@ -43,11 +43,11 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 						Args: []string{
 							"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 							"-vault-address=https://vault.example.com:8200",
+							"-transit-mount=transit",
 							"-transit-key=my-key",
 							"-approle-role-id=dummy-role-id-555",
 							"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 							"-vault-namespace=my-namespace",
-							"-transit-mount=transit",
 						},
 					},
 				},
@@ -88,11 +88,11 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 						Args: []string{
 							"-listen-address=unix:///var/run/kmsplugin/kms-555.sock",
 							"-vault-address=https://vault.example.com:8200",
+							"-transit-mount=transit",
 							"-transit-key=my-key",
 							"-approle-role-id=dummy-role-id-555",
 							"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-555",
 							"-vault-namespace=my-namespace",
-							"-transit-mount=transit",
 						},
 					},
 				},
@@ -106,8 +106,8 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 					KMSPluginImage: "quay.io/test/vault:v2",
 					VaultAddress:   "https://vault.example.com:8200",
 					TransitKey:     "my-key",
+					TransitMount:   "transit",
 					VaultNamespace: "",
-					TransitMount:   "",
 				},
 			},
 			containerName: "kms-plugin",
@@ -122,12 +122,12 @@ func TestVaultSidecarProvider_BuildSidecarContainer(t *testing.T) {
 						Args: []string{
 							"-listen-address=unix:///var/run/kmsplugin/kms.sock",
 							"-vault-address=https://vault.example.com:8200",
+							"-transit-mount=transit",
 							"-transit-key=my-key",
 							"-approle-role-id=dummy-role-id-999",
 							"-approle-secret-id-path=/var/run/secrets/vault-kms/secret-id-999",
 							// These are not added
 							// "-vault-namespace=",
-							// "-transit-mount=",
 						},
 					},
 				},

test/library/encryption/kms/k8s-mock-plugin/wrapper/main.go

@@ -37,12 +37,12 @@ func main() {
 
 	flag.StringVar(&o.listenAddress, "listen-address", "", "Listen address for the KMS plugin (e.g. unix:///var/run/kmsplugin/kms.sock)")
 	flag.StringVar(&o.vaultAddress, "vault-address", "", "Vault server address")
+	flag.StringVar(&o.transitMount, "transit-mount", "", "Vault transit secret engine mount path")
 	flag.StringVar(&o.transitKey, "transit-key", "", "Vault transit key name")
 	flag.StringVar(&o.approleRoleID, "approle-role-id", "", "Vault AppRole role ID")
 	flag.StringVar(&o.approleSecretIDPath, "approle-secret-id-path", "", "Path to file containing Vault AppRole secret ID")
 	flag.StringVar(&o.logLevel, "log-level", "", "Log level (optional, valid value: debug-extended)")
 	flag.StringVar(&o.vaultNamespace, "vault-namespace", "", "Vault namespace (optional)")
-	flag.StringVar(&o.transitMount, "transit-mount", "", "Vault transit secret engine mount path (optional)")
 	flag.Parse()
 
 	flag.VisitAll(func(f *flag.Flag) {
@@ -64,6 +64,9 @@ func (o *options) validate() error {
 	if o.vaultAddress == "" {
 		return fmt.Errorf("--vault-address must be set")
 	}
+	if o.transitMount == "" {
+		return fmt.Errorf("--transit-mount must be set")
+	}
 	if o.transitKey == "" {
 		return fmt.Errorf("--transit-key must be set")
 	}