
vault: support k8s auth method #1580

Merged (5 commits) Jun 8, 2022

Conversation

Kryvchun (Contributor)

Issue: hashicorp/envconsul#274

This PR implements support for the K8S auth method:

  1. Add new fields to CreateConsulClientInput:
    K8SAuthRoleName            string
    K8SServiceAccountMountPath string
    K8SServiceAccountToken     string
    K8SServiceMountPath        string
  2. If a token is set in the function CreateVaultClient, then ignore the k8s auth method.
  3. Execute client.Auth().Login(...) with the vault.auth.KubernetesAuth auth method.
  4. Set the token.

This can't be integration-tested, so I mocked one endpoint (/v1/auth/kubernetes/login) with an *httptest.Server; all other calls are proxied to Vault.
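The login exchange and the precedence rule described above, written as a stand-alone Go example that is not the PR's code and uses only the standard library rather than the vault api client: it POSTs `{"role","jwt"}` to `/v1/auth/<mount>/login`, reads `client_token`, `lease_duration` and `renewable` from the `auth` block of the response, skips the k8s method when an explicit token is configured, and mocks only the login endpoint with an `httptest.Server` as the PR's test does. The `K8SAuthConfig` type, `ResolveVaultToken`, `NewMockKubernetesLogin` and the token/JWT values are constructed for this example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// K8SAuthConfig mirrors the fields the PR adds (hypothetical wrapper for this example).
type K8SAuthConfig struct {
	Token                      string // explicit Vault token; when set, k8s auth is skipped
	K8SAuthRoleName            string // Vault role; enables the k8s auth method
	K8SServiceMountPath        string // auth/<mount>/login, default "kubernetes"
	K8SServiceAccountToken     string // inline service-account JWT
	K8SServiceAccountMountPath string // file holding the projected service-account JWT
}

// LoginResult is the subset of Vault's login response a caller needs for renewal decisions.
type LoginResult struct {
	ClientToken   string
	LeaseDuration time.Duration
	Renewable     bool
}

// serviceAccountJWT prefers the inline token and falls back to the mounted token file.
func serviceAccountJWT(cfg K8SAuthConfig) (string, error) {
	if cfg.K8SServiceAccountToken != "" {
		return cfg.K8SServiceAccountToken, nil
	}
	path := cfg.K8SServiceAccountMountPath
	if path == "" {
		path = "/run/secrets/kubernetes.io/serviceaccount/token"
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read service account token: %w", err)
	}
	return strings.TrimSpace(string(b)), nil
}

// KubernetesLogin performs the Vault Kubernetes auth exchange against vaultAddr.
func KubernetesLogin(ctx context.Context, hc *http.Client, vaultAddr string, cfg K8SAuthConfig) (*LoginResult, error) {
	if cfg.K8SAuthRoleName == "" {
		return nil, errors.New("k8s auth: role name is required")
	}
	jwt, err := serviceAccountJWT(cfg)
	if err != nil {
		return nil, err
	}
	mount := cfg.K8SServiceMountPath
	if mount == "" {
		mount = "kubernetes"
	}
	body, _ := json.Marshal(map[string]string{"role": cfg.K8SAuthRoleName, "jwt": jwt})
	url := strings.TrimRight(vaultAddr, "/") + "/v1/auth/" + mount + "/login"
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var out struct {
		Errors []string `json:"errors"` // Vault reports failures as {"errors":[...]}
		Auth   *struct {
			ClientToken   string `json:"client_token"`
			LeaseDuration int    `json:"lease_duration"` // seconds
			Renewable     bool   `json:"renewable"`
		} `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, fmt.Errorf("decode login response: %w", err)
	}
	if resp.StatusCode != http.StatusOK || out.Auth == nil || out.Auth.ClientToken == "" {
		return nil, fmt.Errorf("k8s login failed (HTTP %d): %s", resp.StatusCode, strings.Join(out.Errors, "; "))
	}
	return &LoginResult{ClientToken: out.Auth.ClientToken,
		LeaseDuration: time.Duration(out.Auth.LeaseDuration) * time.Second,
		Renewable:     out.Auth.Renewable}, nil
}

// ResolveVaultToken applies the PR's precedence: an explicit token wins over k8s auth.
func ResolveVaultToken(ctx context.Context, hc *http.Client, vaultAddr string, cfg K8SAuthConfig) (string, error) {
	if cfg.Token != "" {
		return cfg.Token, nil
	}
	if cfg.K8SAuthRoleName == "" {
		return "", errors.New("no vault token and no k8s_auth_role_name configured")
	}
	res, err := KubernetesLogin(ctx, hc, vaultAddr, cfg)
	if err != nil {
		return "", err
	}
	return res.ClientToken, nil
}

// NewMockKubernetesLogin mocks only /v1/auth/<mount>/login and rejects everything else.
func NewMockKubernetesLogin(mount, wantRole, wantJWT, issuedToken string, ttlSeconds int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost || r.URL.Path != "/v1/auth/"+mount+"/login" {
			w.WriteHeader(http.StatusNotFound)
			json.NewEncoder(w).Encode(map[string][]string{"errors": {"path not mocked"}})
			return
		}
		var in struct {
			Role string `json:"role"`
			JWT  string `json:"jwt"`
		}
		if json.NewDecoder(r.Body).Decode(&in) != nil || in.Role != wantRole || in.JWT != wantJWT {
			w.WriteHeader(http.StatusForbidden)
			json.NewEncoder(w).Encode(map[string][]string{"errors": {"permission denied"}})
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"auth": map[string]interface{}{
			"client_token": issuedToken, "lease_duration": ttlSeconds, "renewable": true}})
	}))
}

func main() {
	// Constructed values: no real cluster or Vault is involved.
	srv := NewMockKubernetesLogin("kubernetes", "app", "constructed.sa.jwt", "hvs.constructed-token", 3600)
	defer srv.Close()
	cfg := K8SAuthConfig{K8SAuthRoleName: "app", K8SServiceAccountToken: "constructed.sa.jwt"}
	res, err := KubernetesLogin(context.Background(), srv.Client(), srv.URL, cfg)
	if err != nil {
		fmt.Println("login error:", err)
		return
	}
	fmt.Printf("token=%s ttl=%s renewable=%v\n", res.ClientToken, res.LeaseDuration, res.Renewable)
}
```

`LeaseDuration` and `Renewable` are returned deliberately: a caller that sets `renew_token = true` needs them to schedule renewal before the token's TTL lapses, which is the failure a later comment in this thread reports.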

@Kryvchun Kryvchun requested a review from a team May 12, 2022 08:37
@hashicorp-cla

hashicorp-cla commented May 12, 2022

CLA assistant check
All committers have signed the CLA.

@Kryvchun Kryvchun force-pushed the feat/k8s-vault-auth branch from 6928d41 to aa8c510 Compare May 12, 2022 08:43
Kryvchun added 2 commits May 12, 2022 11:46:
  Cosmetic change
  Improve docs
@Kryvchun Kryvchun force-pushed the feat/k8s-vault-auth branch from f9ad2fa to 54cf5e7 Compare May 12, 2022 08:59
@ghost ghost left a comment

LGTM

@Kryvchun Kryvchun force-pushed the feat/k8s-vault-auth branch from 9ff66bf to 2d1f6fb Compare May 13, 2022 07:51
  Define k8s params in main config
  Define mapstructure tags

@yellowmegaman yellowmegaman left a comment

LGTM, tested with auth role

Review comments on config/vault.go (2) and dependency/client_set.go were marked outdated and resolved.

@Kryvchun
Contributor Author

Kryvchun commented Jun 6, 2022

@eikenb Hi. Is everything okay with the implementation? Or do I need to fix something?

@eikenb (Contributor)

eikenb commented Jun 8, 2022

Hey @Kryvchun, sorry for the silence. I was planning on working on this when I got to working on Envconsul, which took a little longer than expected, but I did start working on a new release for it this week and I plan on reviewing this as part of that (so I can loop it into the Envconsul release).

@eikenb eikenb added the hashicat-update-required Changes that need to be ported to hashicat label Jun 8, 2022
@eikenb eikenb left a comment

Looks good and checks all the required boxes, thanks @Kryvchun!

Thanks also for the help reviewing and testing @ygworldr, @yellowmegaman!!! Super appreciate that as I have limited time to validate the k8s side of things.

@eikenb eikenb merged commit c106eba into hashicorp:main Jun 8, 2022
@eikenb eikenb added this to the v0.30.0 milestone Jun 8, 2022
@Kryvchun (Contributor Author)

Kryvchun commented Sep 8, 2022

> How to use this with consul-template? Is there any doc?

You can configure (inside the vault {} config):

  • k8s_auth_role_name: string (role name; it enables this auth method)
  • k8s_service_mount_path: string (a part of the k8s login path, auth/:value/login; default: kubernetes)

Token:

  • k8s_service_account_token_path: string (path to the secret; default: /run/secrets/kubernetes.io/serviceaccount/token)
    or
  • k8s_service_account_token: string (value of an account token for the k8s auth method).

There are no docs for this in consul-template, only in envconsul.

@solomon2201

Good day. @Kryvchun and @eikenb, I have a problem with your update. Previously we were using VaultClient in an init_container to take a token from Vault, and consul-template to take a secret and rotate access to Vault. But we need to connect to Vault always, because we have a dynamic env.

I made an update to your commit. It's working well, consul-template takes all secrets from Vault, but we lose the token in 1h. I turned on the trace log to debug it: consul-template doesn't rotate the token.
I understand it's just working with the variable only (but for the token we need to use VaultClient).
#vault_agent_token_file = "/tmp/vault/agent/token"
Can you add token rotation in consul-template for your new option?? We really need that.

Here is the updated config block:

```hcl
vault {
  - vault_agent_token_file = "/var/run/secrets/vaultproject.io/.vault-token"
  + k8s_service_account_token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
  + k8s_service_mount_path = "kubernetes"
  + k8s_auth_role_name = "app"
  unwrap_token           = false
  renew_token            = true
  retry {
    enabled     = true
    attempts    = 10
    attempts    = 3
    backoff     = "250ms"
    max_backoff = "1m"
  }
}
```

And the vault accessor. You can see it's not rotating.

```
---                 -----
accessor            bW8hQQQQaKSVxIR
creation_time       1674067534
creation_ttl        1h
display_name        kubernetes-app-app
entity_id           qqqqq-bcaa-55df-43ba-qqqqqqq
expire_time         2023-01-18T19:45:34.181388978Z
explicit_max_ttl    0s
id                  n/a
issue_time          2023-01-18T18:45:34.181398288Z
meta                map[role:app service_account_name:app service_account_namespace:app service_account_secret_name: service_account_uid:qqqq-qqq-490a-qqqqq-76d2863696d1]
num_uses            0
orphan              true
path                auth/kubernetes/login
policies            [app-database-creds-kubernetes app-secrets-rw default]
renewable           true
ttl                 29s
type                service
```

Thanks for your time

@Kryvchun Kryvchun deleted the feat/k8s-vault-auth branch May 15, 2023 08:57
Labels: enhancement, hashicat-update-required (Changes that need to be ported to hashicat)