diff --git a/OWNERS.md b/OWNERS.md index 599b40e4..154e10c5 100644 --- a/OWNERS.md +++ b/OWNERS.md @@ -9,5 +9,6 @@ organization](https://github.com/upbound/) will list their repository maintainer * Alper Ulucinar ([ulucinar](https://github.com/ulucinar)) * Sergen Yalcin ([sergenyalcin](https://github.com/sergenyalcin)) +* Markus Schweig ([humoflife](https://github.com/humoflife)) See [CODEOWNERS](./CODEOWNERS) for automatic PR assignment. diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go index 629843f6..761a3797 100644 --- a/apis/v1beta1/types.go +++ b/apis/v1beta1/types.go 
@@ -16,12 +16,99 @@ type ProviderConfigSpec struct {
 // This is a URL with a scheme, a hostname
 // and a port but with no path.
 Address string `json:"address"`
- // Optional Token, but only auth method for now.
- // Token string `json:"token"`
+
+ // Optional. If true the environment variable
+ // VAULT_ADDR in the Terraform process environment
+ // will be set to the value of the address argument
+ // from this provider. By default, this is false.
+ AddAddressToEnv bool `json:"add_address_to_env, omitempty"`
+
+ // Optional. Set this to true to disable verification
+ // of the Vault server's TLS certificate. This is
+ // strongly discouraged except in prototype or
+ // development environments, since it exposes the
+ // possibility that Terraform can be tricked into
+ // writing secrets to a server controlled by an intruder.
+ SkipTlsVerify bool `json:"skip_tls_verify, omitempty"`
+
+ // Optional. Name to use as the SNI host when connecting
+ // via TLS.
+ TlsServerName string `json:"tls_server_name, omitempty"`
+
+ // Optional. Set this to true to disable creation of an
+ // intermediate ephemeral Vault token for Terraform to use.
+ // Enabling this is strongly discouraged since it increases
+ // the potential for a renewable Vault token being exposed
+ // in clear text. Only change this setting when the provided
+ // token cannot be permitted to create child tokens and there
+ // is no risk of exposure from the output of Terraform.
+ SkipChildToken bool `json:"skip_child_token, omitempty"`
+
+ // Optional. Used as the duration for the intermediate Vault
+ // token Terraform issues itself, which in turn limits the
+ // duration of secret leases issued by Vault. Defaults to
+ // 20 minutes.
+ MaxLeaseTtlSeconds int `json:"max_lease_ttl_seconds, omitempty"`
+
+ // Optional. Used as the maximum number of retries when a
+ // 5xx error code is encountered. Defaults to 2 retries.
+ MaxRetries int `json:"max_retries, omitempty"`
+
+ // Optional. 
Maximum number of retries for Client Controlled
+ // Consistency related operations. Defaults to 10 retries.
+ MaxRetriesCcc int `json:"max_retries_ccc, omitempty"`
+
+ // Optional. Set the namespace to use.
+ Namespace string `json:"namespace, omitempty"`
+
+ // Optional. Skip the dynamic fetching of the Vault server
+ // version. Set to true when the /sys/seal-status API
+ // endpoint is not available.
+ SkipGetVaultVersion bool `json:"skip_get_vault_version, omitempty"`
+
+ // Optional. Override the target Vault server semantic
+ // version. Normally the version is dynamically set
+ // from the /sys/seal-status API endpoint. In the case
+ // where this endpoint is not available an override can
+ // be specified here.
+ VaultVersionOverride string `json:"vault_version_override", omitempty"`
+
+ // Optional. A configuration block, described below,
+ // that provides headers to be sent along with all
+ // requests to the Vault server. This block can be
+ // specified multiple times.
+ //
+ // Headers are not supported for now
+ // Headers ProviderHeaders `json:"headers, omitempty"`
+
 // Credentials required to authenticate to this provider.
+ // There are many options to authenticate. They include
+ // - token - (Optional) Vault token that will be used
+ // by Terraform to authenticate. May be set via the
+ // VAULT_TOKEN environment variable. If none is otherwise
+ // supplied, Terraform will attempt to read it from
+ // ~/.vault-token (where the vault command stores its
+ // current token). Terraform will issue itself a new token
+ // that is a child of the one given, with a short TTL to
+ // limit the exposure of any requested secrets, unless
+ // skip_child_token is set to true (see below). Note
+ // that the given token must have the update capability
+ // on the auth/token/create path in Vault in order to create
+ // child tokens. A token is required for the provider. 
A
+ // token can explicitly set via token argument, alternatively
+ // a token can be dynamically set via an auth_login* block.
 Credentials ProviderCredentials `json:"credentials"`
 }
+// ProviderHeaders optional.
+// Headers are not supported for now
+// type ProviderHeaders struct {
+// Required header name
+// name string `json:"name"`
+// Required header value
+// value string `json:"value"`
+// }
+
 // ProviderCredentials required to authenticate.
 type ProviderCredentials struct {
 // Source of the provider credentials.
diff --git a/examples/adsecretrole/adsecretrole.yaml b/examples/adsecretrole/adsecretrole.yaml
index 25207a26..04182dd8 100644
--- a/examples/adsecretrole/adsecretrole.yaml
+++ b/examples/adsecretrole/adsecretrole.yaml
@@ -8,6 +8,6 @@ spec:
 role: customer_success
 serviceAccountName: customer_success
 ttl: 60
- #namespace: upbound-system
+ namespace: vault-test
 providerConfigRef:
 name: vault-provider-config
diff --git a/examples/token/token.yaml b/examples/token/token.yaml
new file mode 100644
index 00000000..a02846a8
--- /dev/null
+++ b/examples/token/token.yaml
@@ -0,0 +1,12 @@
+apiVersion: vault.vault.upbound.io/v1alpha1
+kind: Token
+metadata:
+ name: vault-token
+spec:
+ forProvider:
+ roleName: "app"
+ ttl: "24h"
+ renewMinLease: 43200
+ renewIncrement: 86400
+ providerConfigRef:
+ name: vault-provider-config
diff --git a/examples/tokenauthbackendrole/tokenauthbackendrole.yaml b/examples/tokenauthbackendrole/tokenauthbackendrole.yaml
new file mode 100644
index 00000000..03b44614
--- /dev/null
+++ b/examples/tokenauthbackendrole/tokenauthbackendrole.yaml
@@ -0,0 +1,9 @@
+apiVersion: token.vault.upbound.io/v1alpha1
+kind: AuthBackendRole
+metadata:
+ name: app
+spec:
+ forProvider:
+ roleName: "app"
+ providerConfigRef:
+ name: vault-provider-config
diff --git a/internal/clients/vault.go b/internal/clients/vault.go
index 66fcdd53..8a3f479c 100644
--- a/internal/clients/vault.go
+++ b/internal/clients/vault.go
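Review bot: Every new `json` tag in ProviderConfigSpec carries a space before the option (`json:"add_address_to_env, omitempty"`), so encoding/json and controller-gen see ` omitempty` rather than `omitempty` and the option is ignored; the CRD regenerated in this same commit lists all ten new fields under `required`, which is exactly that symptom. The `VaultVersionOverride` tag is also malformed, `json:"vault_version_override", omitempty"`, and go vet's structtag check should reject it; the fix on each field line is to drop the space, e.g. `SkipTlsVerify bool `json:"skip_tls_verify,omitempty"`` and `VaultVersionOverride string `json:"vault_version_override,omitempty"``. None of these fields is read anywhere in the commit: the vault.go hunk adds the `ps.Configuration[...]` assignments only as commented-out code while its second hunk removes the credential-keyed assignments for the same keys, so a ProviderConfig that sets `skip_tls_verify`, `namespace` or `max_retries` is silently a no-op even though the CRD now demands a value for each — either wire the spec fields into `ps.Configuration` or keep the spec change out until that lands. A `// +optional` marker on each field and initialism casing (`SkipTLSVerify`, `TLSServerName`, `MaxLeaseTTLSeconds`, `MaxRetriesCCC`) would also match Go and kubebuilder convention; the ProviderConfigSpec declaration begins above this hunk.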
@@ -94,7 +94,30 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 // Assign mandatory address parameter
 ps.Configuration[keyAddress] = pc.Spec.Address
- //ps.Configuration[keyToken] = pc.Spec.Token
+
+ // ps.Configuration[keySkipTlsVerify] = pc.Spec.SkipTlsVerify
+ // if pc.Spec.TlsServerName != "" {
+ // ps.Configuration[keyTlsServerName] = pc.Spec.TlsServerName
+ // }
+ // ps.Configuration[keySkipChildToken] = pc.Spec.SkipChildToken
+ // if pc.Spec.MaxLeaseTtlSeconds != 0 {
+ // ps.Configuration[keyMaxLeaseTtlSeconds] = pc.Spec.MaxLeaseTtlSeconds
+ // }
+ // if pc.Spec.MaxRetries != 0 {
+ // ps.Configuration[keyMaxRetries] = pc.Spec.MaxRetries
+ // }
+ // if pc.Spec.MaxRetriesCcc != 0 {
+ // ps.Configuration[keyMaxRetriesCcc] = pc.Spec.MaxRetriesCcc
+ // }
+ // if pc.Spec.Namespace != "" {
+ // ps.Configuration[keyNamespace] = pc.Spec.Namespace
+ // }
+ // ps.Configuration[keySkipGetVaultVersion] = pc.Spec.SkipGetVaultVersion
+ // ps.Configuration[keyVaultVersionOverride] = pc.Spec.VaultVersionOverride
+ // Headers are not supported for now
+ // if pc.Spec.Headers != (v1beta1.ProviderHeaders{}) {
+ // ps.Configuration[keyHeaders] = pc.Spec.Headers
+ // }
 data, err := resource.CommonCredentialExtractor(ctx, pc.Spec.Credentials.Source, client, pc.Spec.Credentials.CommonCredentialSelectors)
 if err != nil {
@@ -163,36 +186,6 @@ func TerraformSetupBuilder(version, providerSource, providerVersion string) terr
 if v, ok := creds[keyClientAuth]; ok {
 ps.Configuration[keyClientAuth] = v
 }
- if v, ok := creds[keySkipTlsVerify]; ok {
- ps.Configuration[keySkipTlsVerify] = v
- }
- if v, ok := creds[keyTlsServerName]; ok {
- ps.Configuration[keyTlsServerName] = v
- }
- if v, ok := creds[keySkipChildToken]; ok {
- ps.Configuration[keySkipChildToken] = v
- }
- if v, ok := creds[keyMaxLeaseTtlSeconds]; ok {
- ps.Configuration[keyMaxLeaseTtlSeconds] = v
- }
- if v, ok := creds[keyMaxRetries]; ok {
- ps.Configuration[keyMaxRetries] = v
- }
- if v, ok := creds[keyMaxRetriesCcc]; ok {
- ps.Configuration[keyMaxRetriesCcc] = v
- }
- if v, ok := creds[keyNamespace]; ok {
- ps.Configuration[keyNamespace] = v
- }
- if v, ok := creds[keySkipGetVaultVersion]; ok {
- ps.Configuration[keySkipGetVaultVersion] = v
- }
- if v, ok := creds[keyVaultVersionOverride]; ok {
- ps.Configuration[keyVaultVersionOverride] = v
- }
- if v, ok := creds[keyHeaders]; ok {
- ps.Configuration[keyHeaders] = v
- }
 return ps, nil
 }
 }
diff --git a/package/crds/vault.upbound.io_providerconfigs.yaml b/package/crds/vault.upbound.io_providerconfigs.yaml
index 2ba0c747..ca089c76 100644
--- a/package/crds/vault.upbound.io_providerconfigs.yaml
+++ b/package/crds/vault.upbound.io_providerconfigs.yaml
@@ -47,13 +47,29 @@ spec: spec: description: A ProviderConfigSpec defines the desired state of a ProviderConfig. properties: + add_address_to_env: + description: Optional. If true the environment variable VAULT_ADDR + in the Terraform process environment will be set to the value of + the address argument from this provider. By default, this is false. + type: boolean address: description: Required origin URL of the Vault server. This is a URL with a scheme, a hostname and a port but with no path. type: string credentials: - description: Optional Token, but only auth method for now. Token string - `json:"token"` Credentials required to authenticate to this provider. + description: Credentials required to authenticate to this provider. + There are many options to authenticate. They include - token - (Optional) + Vault token that will be used by Terraform to authenticate. May + be set via the VAULT_TOKEN environment variable. If none is otherwise + supplied, Terraform will attempt to read it from ~/.vault-token + (where the vault command stores its current token). Terraform will + issue itself a new token that is a child of the one given, with + a short TTL to limit the exposure of any requested secrets, unless + skip_child_token is set to true (see below). Note that the given + token must have the update capability on the auth/token/create path + in Vault in order to create child tokens. A token is required for + the provider. A token can explicitly set via token argument, alternatively + a token can be dynamically set via an auth_login* block. properties: env: description: Env is a reference to an environment variable that 
@@ -105,9 +121,66 @@ spec: required: - source type: object + max_lease_ttl_seconds: + description: Optional. Used as the duration for the intermediate Vault + token Terraform issues itself, which in turn limits the duration + of secret leases issued by Vault. Defaults to 20 minutes. + type: integer + max_retries: + description: Optional. Used as the maximum number of retries when + a 5xx error code is encountered. Defaults to 2 retries. + type: integer + max_retries_ccc: + description: Optional. Maximum number of retries for Client Controlled + Consistency related operations. Defaults to 10 retries. + type: integer + namespace: + description: Optional. Set the namespace to use. + type: string + skip_child_token: + description: Optional. Set this to true to disable creation of an + intermediate ephemeral Vault token for Terraform to use. Enabling + this is strongly discouraged since it increases the potential for + a renewable Vault token being exposed in clear text. Only change + this setting when the provided token cannot be permitted to create + child tokens and there is no risk of exposure from the output of + Terraform. + type: boolean + skip_get_vault_version: + description: Optional. Skip the dynamic fetching of the Vault server + version. Set to true when the /sys/seal-status API endpoint is not + available. + type: boolean + skip_tls_verify: + description: Optional. Set this to true to disable verification of + the Vault server's TLS certificate. This is strongly discouraged + except in prototype or development environments, since it exposes + the possibility that Terraform can be tricked into writing secrets + to a server controlled by an intruder. + type: boolean + tls_server_name: + description: Optional. Name to use as the SNI host when connecting + via TLS. + type: string + vault_version_override: + description: Optional. Override the target Vault server semantic version. 
+ Normally the version is dynamically set from the /sys/seal-status + API endpoint. In the case where this endpoint is not available an + override can be specified here. + type: string required: + - add_address_to_env - address - credentials + - max_lease_ttl_seconds + - max_retries + - max_retries_ccc + - namespace + - skip_child_token + - skip_get_vault_version + - skip_tls_verify + - tls_server_name + - vault_version_override type: object status: description: A ProviderConfigStatus reflects the observed state of a ProviderConfig.