vault kubernetes auth
parent
3c4d0412ef
commit
dec1067add
3 changed files with 49 additions and 26 deletions
|
@ -18,6 +18,7 @@ import (
|
|||
|
||||
vault "github.com/hashicorp/vault/api"
|
||||
auth "github.com/hashicorp/vault/api/auth/approle"
|
||||
kubeauth "github.com/hashicorp/vault/api/auth/kubernetes"
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
@ -34,6 +35,7 @@ type VaultOptions struct {
|
|||
PKIRoleRSA string `json:"pkiRoleRSA,omitempty"`
|
||||
PKIRoleEC string `json:"pkiRoleEC,omitempty"`
|
||||
PKIRoleEd25519 string `json:"pkiRoleEd25519,omitempty"`
|
||||
KubernetesRole string `json:"kubernetesRole,omitempty"`
|
||||
RoleID string `json:"roleID,omitempty"`
|
||||
SecretID auth.SecretID `json:"secretID,omitempty"`
|
||||
AppRole string `json:"appRole,omitempty"`
|
||||
|
@ -77,6 +79,23 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
|
|||
return nil, fmt.Errorf("unable to initialize vault client: %w", err)
|
||||
}
|
||||
|
||||
if vc.KubernetesRole != "" {
|
||||
var kubernetesAuth *kubeauth.KubernetesAuth
|
||||
kubernetesAuth, err = kubeauth.NewKubernetesAuth(
|
||||
vc.KubernetesRole,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
|
||||
}
|
||||
|
||||
authInfo, err := client.Auth().Login(ctx, kubernetesAuth)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to login to Kubernetes auth method: %w", err)
|
||||
}
|
||||
if authInfo == nil {
|
||||
return nil, errors.New("no auth info was returned after login")
|
||||
}
|
||||
} else {
|
||||
var appRoleAuth *auth.AppRoleAuth
|
||||
if vc.IsWrappingToken {
|
||||
appRoleAuth, err = auth.NewAppRoleAuth(
|
||||
|
@ -103,6 +122,7 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
|
|||
if authInfo == nil {
|
||||
return nil, errors.New("no auth info was returned after login")
|
||||
}
|
||||
}
|
||||
|
||||
return &VaultCAS{
|
||||
client: client,
|
||||
|
@ -272,11 +292,11 @@ func loadOptions(config json.RawMessage) (*VaultOptions, error) {
|
|||
vc.PKIRoleEd25519 = vc.PKIRoleDefault
|
||||
}
|
||||
|
||||
if vc.RoleID == "" {
|
||||
return nil, errors.New("vaultCAS config options must define `roleID`")
|
||||
if vc.RoleID == "" && vc.KubernetesRole == "" {
|
||||
return nil, errors.New("vaultCAS config options must define `roleID` or `kubernetesRole`")
|
||||
}
|
||||
|
||||
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
|
||||
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" && vc.RoleID != "" {
|
||||
return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
|
||||
}
|
||||
|
||||
|
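Review bot: When both `kubernetesRole` and `roleID` are configured, the new `if vc.KubernetesRole != "" {` branch in New silently takes precedence and the AppRole credentials are never used, while loadOptions (the last hunk of this file) still demands a `secretID` because `vc.RoleID != ""`, so the ambiguous configuration is accepted instead of reported. Either reject the combination in loadOptions, e.g. `if vc.RoleID != "" && vc.KubernetesRole != "" { return nil, errors.New("vaultCAS config options must define only one of roleID or kubernetesRole") }`, or state the precedence above the branch with `// Kubernetes auth takes precedence over AppRole when both are configured.`. The Kubernetes login is also constructed with no login options, so the auth mount path and the service-account token location are whatever the library defaults to; a deployment that enables the auth method at a different mount cannot be expressed in VaultOptions, which passing the library's `kubeauth.WithMountPath` option from a new field would allow. `authInfo, err := client.Auth().Login(ctx, kubernetesAuth)` declares a second `err` that shadows the outer one inside the branch; it is checked immediately so nothing is lost, but a reader comparing it with the AppRole branch may expect the same `=` assignment style. New's body starts and ends outside the hunk.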
|
1
go.mod
1
go.mod
|
@ -29,6 +29,7 @@ require (
|
|||
github.com/googleapis/gax-go/v2 v2.1.1
|
||||
github.com/hashicorp/vault/api v1.3.1
|
||||
github.com/hashicorp/vault/api/auth/approle v0.1.1
|
||||
github.com/hashicorp/vault/api/auth/kubernetes v0.1.0
|
||||
github.com/jhump/protoreflect v1.9.0 // indirect
|
||||
github.com/mattn/go-colorable v0.1.8 // indirect
|
||||
github.com/mattn/go-isatty v0.0.13 // indirect
|
||||
|
|
2
go.sum
2
go.sum
|
@ -449,6 +449,8 @@ github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO
|
|||
github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
|
||||
github.com/hashicorp/vault/api/auth/approle v0.1.1 h1:R5yA+xcNvw1ix6bDuWOaLOq2L4L77zDCVsethNw97xQ=
|
||||
github.com/hashicorp/vault/api/auth/approle v0.1.1/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag=
|
||||
github.com/hashicorp/vault/api/auth/kubernetes v0.1.0 h1:6BtyahbF4aQp8gg3ww0A/oIoqzbhpNP1spXU3nHE0n0=
|
||||
github.com/hashicorp/vault/api/auth/kubernetes v0.1.0/go.mod h1:Pdgk78uIs0mgDOLvc3a+h/vYIT9rznw2sz+ucuH9024=
|
||||
github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY=
|
||||
github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=
|
||||
github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=
|
||||
|
|