mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-15 11:07:00 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
133 lines
3.1 KiB
Go
133 lines
3.1 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package kubernetes
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"strings"
|
|
|
|
hclog "github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/vault/api"
|
|
"github.com/hashicorp/vault/command/agentproxyshared/auth"
|
|
)
|
|
|
|
const (
|
|
serviceAccountFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
)
|
|
|
|
type kubernetesMethod struct {
|
|
logger hclog.Logger
|
|
mountPath string
|
|
|
|
role string
|
|
|
|
// tokenPath is an optional path to a projected service account token inside
|
|
// the pod, for use instead of the default service account token.
|
|
tokenPath string
|
|
|
|
// jwtData is a ReadCloser used to inject a ReadCloser for mocking tests.
|
|
jwtData io.ReadCloser
|
|
}
|
|
|
|
// NewKubernetesAuthMethod reads the user configuration and returns a configured
|
|
// AuthMethod
|
|
func NewKubernetesAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
|
|
if conf == nil {
|
|
return nil, errors.New("empty config")
|
|
}
|
|
if conf.Config == nil {
|
|
return nil, errors.New("empty config data")
|
|
}
|
|
|
|
k := &kubernetesMethod{
|
|
logger: conf.Logger,
|
|
mountPath: conf.MountPath,
|
|
}
|
|
|
|
roleRaw, ok := conf.Config["role"]
|
|
if !ok {
|
|
return nil, errors.New("missing 'role' value")
|
|
}
|
|
k.role, ok = roleRaw.(string)
|
|
if !ok {
|
|
return nil, errors.New("could not convert 'role' config value to string")
|
|
}
|
|
|
|
tokenPathRaw, ok := conf.Config["token_path"]
|
|
if ok {
|
|
k.tokenPath, ok = tokenPathRaw.(string)
|
|
if !ok {
|
|
return nil, errors.New("could not convert 'token_path' config value to string")
|
|
}
|
|
}
|
|
|
|
if k.role == "" {
|
|
return nil, errors.New("'role' value is empty")
|
|
}
|
|
|
|
return k, nil
|
|
}
|
|
|
|
func (k *kubernetesMethod) Authenticate(ctx context.Context, client *api.Client) (string, http.Header, map[string]interface{}, error) {
|
|
k.logger.Trace("beginning authentication")
|
|
|
|
jwtString, err := k.readJWT()
|
|
if err != nil {
|
|
return "", nil, nil, fmt.Errorf("error reading JWT with Kubernetes Auth: %w", err)
|
|
}
|
|
|
|
return fmt.Sprintf("%s/login", k.mountPath), nil, map[string]interface{}{
|
|
"role": k.role,
|
|
"jwt": jwtString,
|
|
}, nil
|
|
}
|
|
|
|
func (k *kubernetesMethod) NewCreds() chan struct{} {
|
|
return nil
|
|
}
|
|
|
|
func (k *kubernetesMethod) CredSuccess() {
|
|
}
|
|
|
|
func (k *kubernetesMethod) Shutdown() {
|
|
}
|
|
|
|
// readJWT reads the JWT data for the Agent to submit to Vault. The default is
|
|
// to read the JWT from the default service account location, defined by the
|
|
// constant serviceAccountFile. In normal use k.jwtData is nil at invocation and
|
|
// the method falls back to reading the token path with os.Open, opening a file
|
|
// from either the default location or from the token_path path specified in
|
|
// configuration.
|
|
func (k *kubernetesMethod) readJWT() (string, error) {
|
|
// load configured token path if set, default to serviceAccountFile
|
|
tokenFilePath := serviceAccountFile
|
|
if k.tokenPath != "" {
|
|
tokenFilePath = k.tokenPath
|
|
}
|
|
|
|
data := k.jwtData
|
|
// k.jwtData should only be non-nil in tests
|
|
if data == nil {
|
|
f, err := os.Open(tokenFilePath)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
data = f
|
|
}
|
|
defer data.Close()
|
|
|
|
contentBytes, err := ioutil.ReadAll(data)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return strings.TrimSpace(string(contentBytes)), nil
|
|
}
|