vault kubernetes auth

This commit is contained in:
Erik De Lamarter 2022-04-25 22:45:22 +02:00
parent 3c4d0412ef
commit dec1067add
GPG key ID: 1470FA5D23177A9B
3 changed files with 49 additions and 26 deletions


@ -18,6 +18,7 @@ import (
vault "github.com/hashicorp/vault/api"
auth "github.com/hashicorp/vault/api/auth/approle"
kubeauth "github.com/hashicorp/vault/api/auth/kubernetes"
)
func init() {
@ -34,6 +35,7 @@ type VaultOptions struct {
PKIRoleRSA string `json:"pkiRoleRSA,omitempty"`
PKIRoleEC string `json:"pkiRoleEC,omitempty"`
PKIRoleEd25519 string `json:"pkiRoleEd25519,omitempty"`
KubernetesRole string `json:"kubernetesRole,omitempty"`
RoleID string `json:"roleID,omitempty"`
SecretID auth.SecretID `json:"secretID,omitempty"`
AppRole string `json:"appRole,omitempty"`
@ -77,6 +79,23 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
return nil, fmt.Errorf("unable to initialize vault client: %w", err)
}
if vc.KubernetesRole != "" {
var kubernetesAuth *kubeauth.KubernetesAuth
kubernetesAuth, err = kubeauth.NewKubernetesAuth(
vc.KubernetesRole,
)
if err != nil {
return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
}
authInfo, err := client.Auth().Login(ctx, kubernetesAuth)
if err != nil {
return nil, fmt.Errorf("unable to login to Kubernetes auth method: %w", err)
}
if authInfo == nil {
return nil, errors.New("no auth info was returned after login")
}
} else {
var appRoleAuth *auth.AppRoleAuth
if vc.IsWrappingToken {
appRoleAuth, err = auth.NewAppRoleAuth(
@ -103,6 +122,7 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
if authInfo == nil {
return nil, errors.New("no auth info was returned after login")
}
}
return &VaultCAS{
client: client,
@ -272,11 +292,11 @@ func loadOptions(config json.RawMessage) (*VaultOptions, error) {
vc.PKIRoleEd25519 = vc.PKIRoleDefault
}
if vc.RoleID == "" {
return nil, errors.New("vaultCAS config options must define `roleID`")
if vc.RoleID == "" && vc.KubernetesRole == "" {
return nil, errors.New("vaultCAS config options must define `roleID` or `kubernetesRole`")
}
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" && vc.RoleID != "" {
return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
}
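Review bot: The relaxed validation in loadOptions now accepts a config that sets both `roleID` and `kubernetesRole`, and New() (hunk at -77,+79) then takes the Kubernetes branch first, so a configured AppRole credential is silently ignored while the secretID check still insists it be present; an operator who believes AppRole is in use would be wrong without any error. Reject the ambiguous case explicitly next to the new check: `if vc.RoleID != "" && vc.KubernetesRole != "" {` / `return nil, errors.New("vaultCAS config options must define only one of `roleID` or `kubernetesRole`")` / `}`. In the Kubernetes branch, `authInfo, err := client.Auth().Login(ctx, kubernetesAuth)` redeclares `err` inside the block rather than assigning the outer one; it compiles but `go vet`/shadow linters will flag it, and `authInfo, err = ...` with `var authInfo *vault.Secret` would match the style of the surrounding assignments. The mount path and service-account token path are left at the library defaults, which is presumably fine for an in-cluster deployment but worth a comment on the `KubernetesRole` field noting that the auth method must be mounted at the default path. loadOptions begins and ends outside this hunk.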

1
go.mod

@ -29,6 +29,7 @@ require (
github.com/googleapis/gax-go/v2 v2.1.1
github.com/hashicorp/vault/api v1.3.1
github.com/hashicorp/vault/api/auth/approle v0.1.1
github.com/hashicorp/vault/api/auth/kubernetes v0.1.0
github.com/jhump/protoreflect v1.9.0 // indirect
github.com/mattn/go-colorable v0.1.8 // indirect
github.com/mattn/go-isatty v0.0.13 // indirect

2
go.sum

@ -449,6 +449,8 @@ github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO
github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
github.com/hashicorp/vault/api/auth/approle v0.1.1 h1:R5yA+xcNvw1ix6bDuWOaLOq2L4L77zDCVsethNw97xQ=
github.com/hashicorp/vault/api/auth/approle v0.1.1/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag=
github.com/hashicorp/vault/api/auth/kubernetes v0.1.0 h1:6BtyahbF4aQp8gg3ww0A/oIoqzbhpNP1spXU3nHE0n0=
github.com/hashicorp/vault/api/auth/kubernetes v0.1.0/go.mod h1:Pdgk78uIs0mgDOLvc3a+h/vYIT9rznw2sz+ucuH9024=
github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY=
github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=
github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=