vault kubernetes auth

2 years ago · dec1067add
parent 3c4d0412ef
commit dec1067add
3 changed files with 48 additions and 25 deletions
--- a/cas/vaultcas/vaultcas.go
+++ b/cas/vaultcas/vaultcas.go
@ -18,6 +18,7 @@ import (

 	vault "github.com/hashicorp/vault/api"
 	auth "github.com/hashicorp/vault/api/auth/approle"
+	kubeauth "github.com/hashicorp/vault/api/auth/kubernetes"
 )

 func init() {
@ -34,6 +35,7 @@ type VaultOptions struct {
 	PKIRoleRSA      string        `json:"pkiRoleRSA,omitempty"`
 	PKIRoleEC       string        `json:"pkiRoleEC,omitempty"`
 	PKIRoleEd25519  string        `json:"pkiRoleEd25519,omitempty"`
+	KubernetesRole  string        `json:"kubernetesRole,omitempty"`
 	RoleID          string        `json:"roleID,omitempty"`
 	SecretID        auth.SecretID `json:"secretID,omitempty"`
 	AppRole         string        `json:"appRole,omitempty"`
@ -77,31 +79,49 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
 		return nil, fmt.Errorf("unable to initialize vault client: %w", err)
 	}

-	var appRoleAuth *auth.AppRoleAuth
-	if vc.IsWrappingToken {
-		appRoleAuth, err = auth.NewAppRoleAuth(
-			vc.RoleID,
-			&vc.SecretID,
-			auth.WithWrappingToken(),
-			auth.WithMountPath(vc.AppRole),
+	if vc.KubernetesRole != "" {
+		var kubernetesAuth *kubeauth.KubernetesAuth
+		kubernetesAuth, err = kubeauth.NewKubernetesAuth(
+			vc.KubernetesRole,
 		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to initialize Kubernetes auth method: %w", err)
+		}
+
+		authInfo, err := client.Auth().Login(ctx, kubernetesAuth)
+		if err != nil {
+			return nil, fmt.Errorf("unable to login to Kubernetes auth method: %w", err)
+		}
+		if authInfo == nil {
+			return nil, errors.New("no auth info was returned after login")
+		}
 	} else {
-		appRoleAuth, err = auth.NewAppRoleAuth(
-			vc.RoleID,
-			&vc.SecretID,
-			auth.WithMountPath(vc.AppRole),
-		)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
-	}
+		var appRoleAuth *auth.AppRoleAuth
+		if vc.IsWrappingToken {
+			appRoleAuth, err = auth.NewAppRoleAuth(
+				vc.RoleID,
+				&vc.SecretID,
+				auth.WithWrappingToken(),
+				auth.WithMountPath(vc.AppRole),
+			)
+		} else {
+			appRoleAuth, err = auth.NewAppRoleAuth(
+				vc.RoleID,
+				&vc.SecretID,
+				auth.WithMountPath(vc.AppRole),
+			)
+		}
+		if err != nil {
+			return nil, fmt.Errorf("unable to initialize AppRole auth method: %w", err)
+		}

-	authInfo, err := client.Auth().Login(ctx, appRoleAuth)
-	if err != nil {
-		return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
-	}
-	if authInfo == nil {
-		return nil, errors.New("no auth info was returned after login")
+		authInfo, err := client.Auth().Login(ctx, appRoleAuth)
+		if err != nil {
+			return nil, fmt.Errorf("unable to login to AppRole auth method: %w", err)
+		}
+		if authInfo == nil {
+			return nil, errors.New("no auth info was returned after login")
+		}
 	}

 	return &VaultCAS{
@ -272,11 +292,11 @@ func loadOptions(config json.RawMessage) (*VaultOptions, error) {
 		vc.PKIRoleEd25519 = vc.PKIRoleDefault
 	}

-	if vc.RoleID == "" {
-		return nil, errors.New("vaultCAS config options must define `roleID`")
+	if vc.RoleID == "" && vc.KubernetesRole == "" {
+		return nil, errors.New("vaultCAS config options must define `roleID` or `kubernetesRole`")
 	}

-	if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
+	if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" && vc.RoleID != "" {
 		return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
 	}

--- a/go.mod
+++ b/go.mod
@ -29,6 +29,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.1.1
 	github.com/hashicorp/vault/api v1.3.1
 	github.com/hashicorp/vault/api/auth/approle v0.1.1
+	github.com/hashicorp/vault/api/auth/kubernetes v0.1.0
 	github.com/jhump/protoreflect v1.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.13 // indirect
--- a/go.sum
+++ b/go.sum
@ -449,6 +449,8 @@ github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/api/auth/approle v0.1.1 h1:R5yA+xcNvw1ix6bDuWOaLOq2L4L77zDCVsethNw97xQ=
 github.com/hashicorp/vault/api/auth/approle v0.1.1/go.mod h1:mHOLgh//xDx4dpqXoq6tS8Ob0FoCFWLU2ibJ26Lfmag=
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0 h1:6BtyahbF4aQp8gg3ww0A/oIoqzbhpNP1spXU3nHE0n0=
+github.com/hashicorp/vault/api/auth/kubernetes v0.1.0/go.mod h1:Pdgk78uIs0mgDOLvc3a+h/vYIT9rznw2sz+ucuH9024=
 github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY=
 github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=