mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-24 08:01:07 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
102 lines
3.7 KiB
Go
102 lines
3.7 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package client
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/x509"
|
|
"io/ioutil"
|
|
"net"
|
|
"os"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/certutil"
|
|
)
|
|
|
|
const (
|
|
// These environment variables aren't set by default.
|
|
// Vault may read them in if set through these environment variables.
|
|
// Example here:
|
|
// https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/
|
|
// The client itself does nothing directly with these variables, it's
|
|
// up to the caller. However, they live here so they'll be consistently
|
|
// named should the client ever be reused.
|
|
// We generally recommend preferring environmental settings over configured
|
|
// ones, allowing settings from the Downward API to override hard-coded
|
|
// ones.
|
|
EnvVarKubernetesNamespace = "VAULT_K8S_NAMESPACE"
|
|
EnvVarKubernetesPodName = "VAULT_K8S_POD_NAME"
|
|
|
|
// The service host and port environment variables are
|
|
// set by default inside a Kubernetes environment.
|
|
EnvVarKubernetesServiceHost = "KUBERNETES_SERVICE_HOST"
|
|
EnvVarKubernetesServicePort = "KUBERNETES_SERVICE_PORT"
|
|
)
|
|
|
|
var (
|
|
// These are presented as variables so they can be updated
|
|
// to point at test fixtures if needed. They aren't passed
|
|
// into inClusterConfig to avoid dependency injection.
|
|
Scheme = "https://"
|
|
TokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
RootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
|
|
)
|
|
|
|
// inClusterConfig returns a config object which uses the service account
|
|
// kubernetes gives to services. It's intended for clients that expect to be
|
|
// running inside a service running on kubernetes. It will return ErrNotInCluster
|
|
// if called from a process not running in a kubernetes environment.
|
|
// inClusterConfig is based on this:
|
|
// https://github.com/kubernetes/client-go/blob/a56922badea0f2a91771411eaa1173c9e9243908/rest/config.go#L451
|
|
func inClusterConfig() (*Config, error) {
|
|
host, port := os.Getenv(EnvVarKubernetesServiceHost), os.Getenv(EnvVarKubernetesServicePort)
|
|
if len(host) == 0 || len(port) == 0 {
|
|
return nil, ErrNotInCluster
|
|
}
|
|
|
|
token, err := ioutil.ReadFile(TokenFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
caBytes, err := ioutil.ReadFile(RootCAFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
pool, err := certutil.NewCertPool(bytes.NewReader(caBytes))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &Config{
|
|
Host: Scheme + net.JoinHostPort(host, port),
|
|
CACertPool: pool,
|
|
BearerToken: string(token),
|
|
BearerTokenFile: TokenFile,
|
|
}, nil
|
|
}
|
|
|
|
// This config is based on the one returned here:
|
|
// https://github.com/kubernetes/client-go/blob/a56922badea0f2a91771411eaa1173c9e9243908/rest/config.go#L451
|
|
// It is pared down to the absolute minimum fields used by this code.
|
|
// The CACertPool is promoted to the top level from being originally on the TLSClientConfig
|
|
// because it is the only parameter of the TLSClientConfig used by this code.
|
|
// Also, it made more sense to simply reuse the pool rather than holding raw values
|
|
// and parsing it repeatedly.
|
|
type Config struct {
|
|
CACertPool *x509.CertPool
|
|
|
|
// Host must be a host string, a host:port pair, or a URL to the base of the apiserver.
|
|
// If a URL is given then the (optional) Path of that URL represents a prefix that must
|
|
// be appended to all request URIs used to access the apiserver. This allows a frontend
|
|
// proxy to easily relocate all of the apiserver endpoints.
|
|
Host string
|
|
|
|
// Server requires Bearer authentication. This client will not attempt to use
|
|
// refresh tokens for an OAuth2 flow.
|
|
BearerToken string
|
|
|
|
// Path to a file containing a BearerToken.
|
|
// If set, checks for a new token in the case of authorization errors.
|
|
BearerTokenFile string
|
|
}
|