vault: support k8s auth method #1580

Merged
merged 5 commits into from
Jun 8, 2022
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -434,7 +434,7 @@ following to generate all binaries:
$ make build
```

If you want to run the tests, first install [consul](https://www.consul.io/docs/install/index.html) and [vault](https://www.vaultproject.io/docs/install/) locally, then:
If you want to run the tests, first install [consul](https://www.consul.io/docs/install/index.html), [nomad](https://learn.hashicorp.com/tutorials/nomad/get-started-install) and [vault](https://www.vaultproject.io/docs/install/) locally, then:

```shell
$ make test
45 changes: 41 additions & 4 deletions config/config_test.go
Expand Up @@ -2446,17 +2446,54 @@ func TestDefaultConfig(t *testing.T) {
},
false,
},
{
"VAULT_K8S_AUTH_ROLE_NAME",
"VAULT_K8S_AUTH_ROLE_NAME",
&Config{
Vault: &VaultConfig{
K8SAuthRoleName: String("VAULT_K8S_AUTH_ROLE_NAME"),
},
},
false,
},
{
"VAULT_K8S_SERVICE_ACCOUNT_TOKEN",
"VAULT_K8S_SERVICE_ACCOUNT_TOKEN",
&Config{
Vault: &VaultConfig{
K8SServiceAccountToken: String("VAULT_K8S_SERVICE_ACCOUNT_TOKEN"),
},
},
false,
},
{
"VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH",
"VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH",
&Config{
Vault: &VaultConfig{
K8SServiceAccountTokenPath: String("VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH"),
},
},
false,
},
{
"VAULT_K8S_SERVICE_MOUNT_PATH",
"VAULT_K8S_SERVICE_MOUNT_PATH",
&Config{
Vault: &VaultConfig{
K8SServiceMountPath: String("VAULT_K8S_SERVICE_MOUNT_PATH"),
},
},
false,
},
}

for i, tc := range cases {
t.Run(fmt.Sprintf("%d_%s", i, tc.env), func(t *testing.T) {
r := DefaultConfig().Merge(tc.e)
r.Finalize()

if err := os.Setenv(tc.env, tc.val); err != nil {
t.Fatal(err)
}
defer os.Unsetenv(tc.env)
t.Setenv(tc.env, tc.val)
c := DefaultConfig()
c.Finalize()

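Review bot: The four new table cases only show that each `VAULT_K8S_*` variable is read into its matching `VaultConfig` field; nothing in this hunk asserts the fallbacks `DefaultK8SServiceAccountTokenPath` and `DefaultK8SServiceMountPath` that `Finalize` applies when the variables are unset. If no other test in the file covers them, a case with the variable absent and the default value in the expected `VaultConfig` would pin that behaviour. The move to `t.Setenv(tc.env, tc.val)` in the loop body is an improvement over the manual `os.Setenv`/`defer os.Unsetenv` pair, but `t.Setenv` panics if this test or its parent has called `t.Parallel`; the enclosing `TestDefaultConfig` starts outside the hunk, so that is worth confirming.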
86 changes: 86 additions & 0 deletions config/vault.go
Expand Up @@ -34,6 +34,14 @@ const (
// DefaultLeaseRenewalThreshold is the default fraction of a non-renewable
// lease to wait for before refreshing
DefaultLeaseRenewalThreshold = .90

// DefaultK8SServiceAccountTokenPath is a default path to a file
// with service token for the k8s auth method.
DefaultK8SServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// DefaultK8SServiceMountPath is a default value of the k8s auth method
// login path.
DefaultK8SServiceMountPath = "kubernetes"
)

// VaultConfig is the configuration for connecting to a vault server.
Expand Down Expand Up @@ -83,6 +91,34 @@ type VaultConfig struct {
// refresh dynamic, non-renewable leases, measured as a fraction of the lease
// duration.
LeaseRenewalThreshold *float64 `mapstructure:"lease_renewal_threshold"`

// If Token is empty and K8SAuthRoleName is set, it means to use
// k8s vault auth method.
//
// The kubernetes auth method can be used to authenticate with Vault
// using a Kubernetes Service Account Token. This method of
// authentication makes it easy to introduce a Vault token into
// a Kubernetes Pod.
//
// This can also be set via the VAULT_K8S_AUTH_ROLE_NAME.
K8SAuthRoleName *string `mapstructure:"k8s_auth_role_name"`
// K8SServiceAccountTokenPath is the path of file that contains
// a K8SServiceAccountToken. It will be ignored if K8SServiceAccountToken
// is set.
//
// Default value is "/var/run/secrets/kubernetes.io/serviceaccount/token".
//
// This can also be set via the VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH.
K8SServiceAccountTokenPath *string `mapstructure:"k8s_service_account_token_path"`
// Value of an account token for k8s auth method.
//
// This can also be set via the VAULT_K8S_SERVICE_ACCOUNT_TOKEN.
K8SServiceAccountToken *string `mapstructure:"k8s_service_account_token"`
// K8SServiceMountPath is a part of k8s login path, by default the value is
// "kubernetes". In this case a full path will be "auth/kubernetes/login".
//
// This can also be set via the VAULT_K8S_SERVICE_MOUNT_PATH.
K8SServiceMountPath *string `mapstructure:"k8s_service_mount_path"`
}

// DefaultVaultConfig returns a configuration that is populated with the
Expand Down Expand Up @@ -136,6 +172,11 @@ func (c *VaultConfig) Copy() *VaultConfig {
o.DefaultLeaseDuration = c.DefaultLeaseDuration
o.LeaseRenewalThreshold = c.LeaseRenewalThreshold

o.K8SAuthRoleName = c.K8SAuthRoleName
o.K8SServiceAccountToken = c.K8SServiceAccountToken
o.K8SServiceAccountTokenPath = c.K8SServiceAccountTokenPath
o.K8SServiceMountPath = c.K8SServiceMountPath

return &o
}

Expand Down Expand Up @@ -205,6 +246,22 @@ func (c *VaultConfig) Merge(o *VaultConfig) *VaultConfig {
r.LeaseRenewalThreshold = o.LeaseRenewalThreshold
}

if o.K8SAuthRoleName != nil {
r.K8SAuthRoleName = o.K8SAuthRoleName
}

if o.K8SServiceAccountToken != nil {
r.K8SServiceAccountToken = o.K8SServiceAccountToken
}

if o.K8SServiceAccountTokenPath != nil {
r.K8SServiceAccountTokenPath = o.K8SServiceAccountTokenPath
}

if o.K8SServiceMountPath != nil {
r.K8SServiceMountPath = o.K8SServiceMountPath
}

return r
}

Expand Down Expand Up @@ -310,6 +367,27 @@ func (c *VaultConfig) Finalize() {
if c.LeaseRenewalThreshold == nil {
c.LeaseRenewalThreshold = Float64(DefaultLeaseRenewalThreshold)
}

if c.K8SAuthRoleName == nil {
c.K8SAuthRoleName = stringFromEnv([]string{
"VAULT_K8S_AUTH_ROLE_NAME",
}, "")
}
if c.K8SServiceAccountToken == nil {
c.K8SServiceAccountToken = stringFromEnv([]string{
"VAULT_K8S_SERVICE_ACCOUNT_TOKEN",
}, "")
}
if c.K8SServiceAccountTokenPath == nil {
c.K8SServiceAccountTokenPath = stringFromEnv([]string{
"VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH",
}, DefaultK8SServiceAccountTokenPath)
}
if c.K8SServiceMountPath == nil {
c.K8SServiceMountPath = stringFromEnv([]string{
"VAULT_K8S_SERVICE_MOUNT_PATH",
}, DefaultK8SServiceMountPath)
}
}

// GoString defines the printable version of this struct.
Expand All @@ -331,6 +409,10 @@ func (c *VaultConfig) GoString() string {
"UnwrapToken:%s, "+
"DefaultLeaseDuration:%s, "+
"LeaseRenewalThreshold:%f, "+
"K8SAuthRoleName:%s, "+
"K8SServiceAccountToken:%s, "+
"K8SServiceAccountTokenPath:%s, "+
"K8SServiceMountPath:%s, "+
"}",
StringGoString(c.Address),
BoolGoString(c.Enabled),
Expand All @@ -344,5 +426,9 @@ func (c *VaultConfig) GoString() string {
BoolGoString(c.UnwrapToken),
TimeDurationGoString(c.DefaultLeaseDuration),
*c.LeaseRenewalThreshold,
StringGoString(c.K8SAuthRoleName),
StringGoString(c.K8SServiceAccountToken),
StringGoString(c.K8SServiceAccountTokenPath),
StringGoString(c.K8SServiceMountPath),
)
}
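Review bot: `StringGoString(c.K8SServiceAccountToken)` in the last GoString hunk, paired with the new `"K8SServiceAccountToken:%s, "` format piece, prints the Kubernetes service-account bearer token itself, so any `%#v` debug or error log of the Vault config now carries a live credential. The lines that print `Token` are outside this hunk, but whatever presence-only treatment that field gets should be applied here too; without a helper, change the two lines to `"K8SServiceAccountToken:%t, "+` and `c.K8SServiceAccountToken != nil && *c.K8SServiceAccountToken != "",` so the output only says whether a token is configured. The same consideration applies to the `VAULT_K8S_SERVICE_ACCOUNT_TOKEN` environment variable read in the Finalize hunk: it is a secret, and the field comment in the struct hunk should say so rather than just "Value of an account token". Separately, the doc comments for `K8SAuthRoleName` and `K8SServiceAccountToken` do not begin with the field name as the neighbouring fields do; e.g. `// K8SServiceAccountToken is the Kubernetes service account token (a secret) used for the k8s auth method.`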