Remove vault support from the operator (banzaicloud#682)

Author: baluchicken

.licensei.toml

@@ -35,7 +35,6 @@ ignored = [
   "github.com/prometheus/",
   "github.com/prometheus/client_golang",
   "gopkg.in/square/go-jose.v2",
-  "github.com/hashicorp/vault/api",
   "github.com/hashicorp/golang-lru",
   "github.com/golang/groupcache",
   "github.com/beorn7/perks",

api/v1alpha1/kafkauser_types.go

@@ -37,7 +37,7 @@ type KafkaUserSpec struct {
 
 type PKIBackendSpec struct {
 	IssuerRef *cmmeta.ObjectReference `json:"issuerRef,omitempty"`
-	// +kubebuilder:validation:Enum={"cert-manager","vault","k8s-csr"}
+	// +kubebuilder:validation:Enum={"cert-manager","k8s-csr"}
 	PKIBackend string `json:"pkiBackend"`
 	// SignerName indicates requested signer, and is a qualified name.
 	SignerName string `json:"signerName,omitempty"`

api/v1beta1/common_types.go

@@ -115,8 +115,6 @@ func (r SecurityProtocol) Equal(s SecurityProtocol) bool {
 const (
 	// PKIBackendCertManager invokes cert-manager for user certificate management
 	PKIBackendCertManager PKIBackend = "cert-manager"
-	// PKIBackendVault invokes vault PKI for user certificate management
-	PKIBackendVault PKIBackend = "vault"
 	// PKIBackendProvided used to point the operator to use the PKI set in the cluster CR
 	// for admin and users required for the cluster to run
 	PKIBackendProvided PKIBackend = "pki-backend-provided"

api/v1beta1/kafkacluster_types.go

@@ -70,7 +70,6 @@ type KafkaClusterSpec struct {
 	CruiseControlConfig CruiseControlConfig `json:"cruiseControlConfig"`
 	EnvoyConfig         EnvoyConfig         `json:"envoyConfig,omitempty"`
 	MonitoringConfig    MonitoringConfig    `json:"monitoringConfig,omitempty"`
-	VaultConfig         VaultConfig         `json:"vaultConfig,omitempty"`
 	AlertManagerConfig  *AlertManagerConfig `json:"alertManagerConfig,omitempty"`
 	IstioIngressConfig  IstioIngressConfig  `json:"istioIngressConfig,omitempty"`
 	// Envs defines environment variables for Kafka broker Pods.
@@ -338,7 +337,7 @@ type SSLSecrets struct {
 	JKSPasswordName string                  `json:"jksPasswordName"`
 	Create          bool                    `json:"create,omitempty"`
 	IssuerRef       *cmmeta.ObjectReference `json:"issuerRef,omitempty"`
-	// +kubebuilder:validation:Enum={"cert-manager","vault"}
+	// +kubebuilder:validation:Enum={"cert-manager"}
 	PKIBackend PKIBackend `json:"pkiBackend,omitempty"`
 }
 
@@ -347,14 +346,6 @@ type SSLSecrets struct {
 // E.g. TLSSecretName and JKSPasswordName are only required if Create is false
 // Or heck, do we even want to bother supporting an imported PKI?
 
-// VaultConfig defines the configuration for a vault PKI backend
-type VaultConfig struct {
-	AuthRole  string `json:"authRole"`
-	PKIPath   string `json:"pkiPath"`
-	IssuePath string `json:"issuePath"`
-	UserStore string `json:"userStore"`
-}
-
 // AlertManagerConfig defines configuration for alert manager
 type AlertManagerConfig struct {
 	// DownScaleLimit the limit for auto-downscaling the Kafka cluster.

api/v1beta1/zz_generated.deepcopy.go

@@ -17798,7 +17798,6 @@ spec:
                           the PKIManager
                         enum:
                         - cert-manager
-                        - vault
                         type: string
                       tlsSecretName:
                         type: string
@@ -17851,24 +17850,6 @@ spec:
                 required:
                 - failureThreshold
                 type: object
-              vaultConfig:
-                description: VaultConfig defines the configuration for a vault PKI
-                  backend
-                properties:
-                  authRole:
-                    type: string
-                  issuePath:
-                    type: string
-                  pkiPath:
-                    type: string
-                  userStore:
-                    type: string
-                required:
-                - authRole
-                - issuePath
-                - pkiPath
-                - userStore
-                type: object
               zkAddresses:
                 description: ZKAddresses specifies the ZooKeeper connection string
                   in the form hostname:port where host and port are the host and port
@@ -18228,7 +18209,6 @@ spec:
                   pkiBackend:
                     enum:
                     - cert-manager
-                    - vault
                     - k8s-csr
                     type: string
                   signerName:

charts/kafka-operator/templates/crds.yaml

@@ -122,11 +122,6 @@ spec:
           secret:
             secretName: {{ .Values.webhook.certs.secret }}
       {{- end }}
-      {{- if .Values.operator.vaultSecret }}
-        - name: {{ .Values.operator.vaultSecret }}
-          secret:
-            secretName: {{ .Values.operator.vaultSecret }}
-      {{- end }}
       {{- if .Values.additionalVolumes }}
       {{- include "chart.additionalVolumes" . | nindent 8 }}
       {{- end }}
@@ -186,14 +181,6 @@ spec:
           {{- if .Values.additionalEnv }}
           {{ toYaml .Values.additionalEnv | nindent 12 }}
           {{- end }}
-          {{- if .Values.operator.vaultAddress }}
-            - name: VAULT_ADDR
-              value: {{ .Values.operator.vaultAddress }}
-          {{- end }}
-          {{- if .Values.operator.vaultSecret }}
-            - name: VAULT_CACERT
-              value: /etc/vault/certs/ca.crt
-          {{- end }}
           ports:
           {{- if .Values.webhook.enabled }}
             - containerPort: {{ .Values.webhook.serverPort | default 443 }}
@@ -212,11 +199,6 @@ spec:
               name: serving-cert
               readOnly: true
           {{- end }}
-          {{- if .Values.operator.vaultSecret }}
-            - mountPath: /etc/vault/certs
-              name: {{ .Values.operator.vaultSecret }}
-              readOnly: true
-          {{- end }}
           resources:
 {{ toYaml .Values.operator.resources | nindent 12 }}
 {{- if .Values.additionalSidecars }}

charts/kafka-operator/templates/operator-deployment-with-webhook.yaml

@@ -14,10 +14,6 @@ operator:
     repository: ghcr.io/banzaicloud/kafka-operator
     tag: ""
     pullPolicy: IfNotPresent
-  vaultAddress: ""
-  # vaultSecret containing a `ca.crt` key with the Vault CA Certificate
-  vaultSecret: ""
-  # set of namespaces where the operator watches resources
   namespaces: ""
   verboseLogging: false
   developmentLogging: false

charts/kafka-operator/values.yaml

@@ -17797,7 +17797,6 @@ spec:
                           the PKIManager
                         enum:
                         - cert-manager
-                        - vault
                         type: string
                       tlsSecretName:
                         type: string
@@ -17850,24 +17849,6 @@ spec:
                 required:
                 - failureThreshold
                 type: object
-              vaultConfig:
-                description: VaultConfig defines the configuration for a vault PKI
-                  backend
-                properties:
-                  authRole:
-                    type: string
-                  issuePath:
-                    type: string
-                  pkiPath:
-                    type: string
-                  userStore:
-                    type: string
-                required:
-                - authRole
-                - issuePath
-                - pkiPath
-                - userStore
-                type: object
               zkAddresses:
                 description: ZKAddresses specifies the ZooKeeper connection string
                   in the form hostname:port where host and port are the host and port

config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml

@@ -82,7 +82,6 @@ spec:
                   pkiBackend:
                     enum:
                     - cert-manager
-                    - vault
                     - k8s-csr
                     type: string
                   signerName: