feat: support splitting certs and private key (#1006)

* feat: support splitting certs and private key

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

* test: add e2e tests for [Feature: WriteCertAndKeyInSeparateFiles]

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

.pipelines/templates/e2e-test.yaml

@@ -72,3 +72,7 @@ steps:
         CI_KIND_CLUSTER: ${{ parameters.ciKindCluster }}
       ${{ if parameters.isArcTest }}:
         IS_ARC_TEST: ${{ parameters.isArcTest }}
+      # If the image is a released versions (i.e <= v1.3), it still doesn't support the 
+      # split cert/key feature, so we need to skip tests for those versions.
+      ${{ if parameters.testReleasedVersion }}:
+        GINKGO_SKIP: WriteCertAndKeyInSeparateFiles

cmd/main.go

@@ -15,7 +15,6 @@ import (
 	"time"
 
 	"github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/metrics"
-	"github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider"
 	"github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/server"
 	"github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/utils"
 	"github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/version"
@@ -46,6 +45,10 @@ var (
 
 	metricsBackend = flag.String("metrics-backend", "Prometheus", "Backend used for metrics")
 	prometheusPort = flag.Int("prometheus-port", 8898, "Prometheus port for metrics backend")
+
+	constructPEMChain              = flag.Bool("construct-pem-chain", true, "explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT")
+	writeCertAndKeyInSeparateFiles = flag.Bool("write-cert-and-key-in-separate-files", false,
+		"Write cert and key in separate files. The individual files will be named as <secret-name>.crt and <secret-name>.key. These files will be created in addition to the single file.")
 )
 
 func main() {
@@ -89,9 +92,12 @@ func main() {
 		os.Exit(1)
 	}
 
-	if *provider.ConstructPEMChain {
+	if *constructPEMChain {
 		klog.Infof("construct pem chain feature enabled")
 	}
+	if *writeCertAndKeyInSeparateFiles {
+		klog.Infof("write cert and key in separate files feature enabled")
+	}
 	// Add csi-secrets-store user agent to adal requests
 	if err := adal.AddToUserAgent(version.GetUserAgent()); err != nil {
 		klog.ErrorS(err, "failed to add user agent to adal")
@@ -124,7 +130,7 @@ func main() {
 		grpc.UnaryInterceptor(utils.LogInterceptor()),
 	}
 	s := grpc.NewServer(opts...)
-	csiDriverProviderServer := server.New()
+	csiDriverProviderServer := server.New(*constructPEMChain, *writeCertAndKeyInSeparateFiles)
 	k8spb.RegisterCSIDriverProviderServer(s, csiDriverProviderServer)
 	// Register the health service.
 	grpc_health_v1.RegisterHealthServer(s, csiDriverProviderServer)

manifest_staging/charts/csi-secrets-store-provider-azure/README.md

@@ -144,3 +144,4 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `rbac.install`                                                   | Install default service account                                                                                                                                                                       | true                                                                                             |
 | `rbac.pspEnabled`                                                | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver AKV provider pod(s)                                                                                           | false                                                                                            |
 | `constructPEMChain`                                              | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT                                                                                                                         | `true`                                                                                           |
+| `writeCertAndKeyInSeparateFiles`                                 | Write cert and key in separate files. The individual files will be named as <secret-name>.crt and <secret-name>.key. These files will be created in addition to the single file.                      | `false`                                                                                          |

manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml

@@ -48,6 +48,9 @@ spec:
             - --healthz-port={{ .Values.windows.healthzPort }}
             - --healthz-path={{ .Values.windows.healthzPath }}
             - --healthz-timeout={{ .Values.windows.healthzTimeout }}
+            {{- if .Values.writeCertAndKeyInSeparateFiles }}
+            - --write-cert-and-key-in-separate-files={{ .Values.writeCertAndKeyInSeparateFiles }}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: {{ .Values.windows.healthzPath }}

manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml

@@ -59,6 +59,9 @@ spec:
             - --healthz-port={{ .Values.linux.healthzPort }}
             - --healthz-path={{ .Values.linux.healthzPath }}
             - --healthz-timeout={{ .Values.linux.healthzTimeout }}
+            {{- if .Values.writeCertAndKeyInSeparateFiles }}
+            - --write-cert-and-key-in-separate-files={{ .Values.writeCertAndKeyInSeparateFiles }}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: {{ .Values.linux.healthzPath }}

manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml

@@ -167,3 +167,6 @@ rbac:
 
 # explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT
 constructPEMChain: true
+
+# Write cert and key in separate files. The individual files will be named as <secret-name>.crt and <secret-name>.key. These files will be created in addition to the single file.
+writeCertAndKeyInSeparateFiles: false