vault kubernetes auth
parent
3c4d0412ef
commit
dec1067add
3 changed files with 49 additions and 26 deletions
|
@ -18,6 +18,7 @@ import (
|
||||||
|
|
||||||
vault "github.com/hashicorp/vault/api"
|
vault "github.com/hashicorp/vault/api"
|
||||||
auth "github.com/hashicorp/vault/api/auth/approle"
|
auth "github.com/hashicorp/vault/api/auth/approle"
|
||||||
|
kubeauth "github.com/hashicorp/vault/api/auth/kubernetes"
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
@ -34,6 +35,7 @@ type VaultOptions struct {
|
||||||
PKIRoleRSA string `json:"pkiRoleRSA,omitempty"`
|
PKIRoleRSA string `json:"pkiRoleRSA,omitempty"`
|
||||||
PKIRoleEC string `json:"pkiRoleEC,omitempty"`
|
PKIRoleEC string `json:"pkiRoleEC,omitempty"`
|
||||||
PKIRoleEd25519 string `json:"pkiRoleEd25519,omitempty"`
|
PKIRoleEd25519 string `json:"pkiRoleEd25519,omitempty"`
|
||||||
|
KubernetesRole string `json:"kubernetesRole,omitempty"`
|
||||||
RoleID string `json:"roleID,omitempty"`
|
RoleID string `json:"roleID,omitempty"`
|
||||||
SecretID auth.SecretID `json:"secretID,omitempty"`
|
SecretID auth.SecretID `json:"secretID,omitempty"`
|
||||||
AppRole string `json:"appRole,omitempty"`
|
AppRole string `json:"appRole,omitempty"`
|
||||||
|
@ -77,31 +79,49 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
|
||||||
return nil, fmt.Errorf("unable to initialize vault client: %w", err)
|
return nil, fmt.Errorf("unable to initialize vault client: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var appRoleAuth *auth.AppRoleAuth
|
if vc.KubernetesRole != "" {
|
||||||
if vc.IsWrappingToken {
|
var kubernetesAuth *kubeauth.KubernetesAuth
|
||||||
appRoleAuth, err = auth.NewAppRoleAuth(
|
kubernetesAuth, err = kubeauth.NewKubernetesAuth(
|
||||||
vc.RoleID,
|
vc.KubernetesRole,
|
||||||
&vc.SecretID,
|
|
||||||
auth.WithWrappingToken(),
|
|
||||||
auth.WithMountPath(vc.AppRole),
|
|
||||||
)
|
)
|
||||||
} else {
|
if err != nil {
|
||||||
appRoleAuth, err = auth.NewAppRoleAuth(
|
return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
|
||||||
vc.RoleID,
|
}
|
||||||
&vc.SecretID,
|
|
||||||
auth.WithMountPath(vc.AppRole),
|
|
||||||
)
|
|
||||||
}
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
authInfo, err := client.Auth().Login(ctx, appRoleAuth)
|
authInfo, err := client.Auth().Login(ctx, kubernetesAuth)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
|
return nil, fmt.Errorf("unable to login to Kubernetes auth method: %w", err)
|
||||||
}
|
}
|
||||||
if authInfo == nil {
|
if authInfo == nil {
|
||||||
return nil, errors.New("no auth info was returned after login")
|
return nil, errors.New("no auth info was returned after login")
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
var appRoleAuth *auth.AppRoleAuth
|
||||||
|
if vc.IsWrappingToken {
|
||||||
|
appRoleAuth, err = auth.NewAppRoleAuth(
|
||||||
|
vc.RoleID,
|
||||||
|
&vc.SecretID,
|
||||||
|
auth.WithWrappingToken(),
|
||||||
|
auth.WithMountPath(vc.AppRole),
|
||||||
|
)
|
||||||
|
} else {
|
||||||
|
appRoleAuth, err = auth.NewAppRoleAuth(
|
||||||
|
vc.RoleID,
|
||||||
|
&vc.SecretID,
|
||||||
|
auth.WithMountPath(vc.AppRole),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
authInfo, err := client.Auth().Login(ctx, appRoleAuth)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
|
||||||
|
}
|
||||||
|
if authInfo == nil {
|
||||||
|
return nil, errors.New("no auth info was returned after login")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return &VaultCAS{
|
return &VaultCAS{
|
||||||
|
@ -272,11 +292,11 @@ func loadOptions(config json.RawMessage) (*VaultOptions, error) {
|
||||||
vc.PKIRoleEd25519 = vc.PKIRoleDefault
|
vc.PKIRoleEd25519 = vc.PKIRoleDefault
|
||||||
}
|
}
|
||||||
|
|
||||||
if vc.RoleID == "" {
|
if vc.RoleID == "" && vc.KubernetesRole == "" {
|
||||||
return nil, errors.New("vaultCAS config options must define `roleID`")
|
return nil, errors.New("vaultCAS config options must define `roleID` or `kubernetesRole`")
|
||||||
}
|
}
|
||||||
|
|
||||||
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
|
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" && vc.RoleID != "" {
|
||||||
return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
|
return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
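Review bot: The Kubernetes branch in New calls `kubeauth.NewKubernetesAuth(vc.KubernetesRole)` with no options, so the auth mount path and the service-account token location are pinned to the library defaults (the `kubernetes` mount and the in-pod token file, as far as I can tell from the api/auth/kubernetes package), whereas the AppRole branch lets operators pick the mount via `auth.WithMountPath(vc.AppRole)`; a cluster whose Kubernetes auth is mounted elsewhere, or that uses a projected token, cannot log in and has no configuration escape. Consider a `KubernetesMountPath` option on VaultOptions passed as `kubeauth.WithMountPath(...)`, and likewise `kubeauth.WithServiceAccountTokenPath(...)` if that option is available in v0.1.0. Separately, loadOptions now accepts `roleID` and `kubernetesRole` together and the Kubernetes branch silently wins, so either reject the combination or document the precedence on the field, e.g. `// KubernetesRole, when set, is used instead of the AppRole credentials.` Both branches also repeat the Login / nil-authInfo sequence; since both constructors satisfy `vault.AuthMethod`, choosing the method inside the branch and calling `client.Auth().Login` once would remove the duplication. New's body begins before this hunk.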
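--- a/go.mod
+++ b/go.mod
@@ -29,6 +29,7 @@ require (
 github.com/googleapis/gax-go/v2 v2.1.1
 github.com/hashicorp/vault/api v1.3.1
 github.com/hashicorp/vault/api/auth/approle v0.1.1
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0
 github.com/jhump/protoreflect v1.9.0 // indirect
 github.com/mattn/go-colorable v0.1.8 // indirect
 github.com/mattn/go-isatty v0.0.13 // indirect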
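--- a/go.sum
+++ b/go.sum
@@ -449,6 +449,8 @@ github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/api/auth/approle v0.1.1 h1:R5yA+xcNvw1ix6bDuWOaLOq2L4L77zDCVsethNw97xQ=
 github.com/hashicorp/vault/api/auth/approle v0.1.1/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag=
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0 h1:6BtyahbF4aQp8gg3ww0A/oIoqzbhpNP1spXU3nHE0n0=
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0/go.mod h1:Pdgk78uIs0mgDOLvc3a+h/vYIT9rznw2sz+ucuH9024=
 github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY=
 github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=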