
feat: make cert auth mount path configurable (#5400)

* feat: vault auth cert path

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>

* chore: mark VaultCertAuth.Path as optional

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>

* chore: set default VaultCertAuth path if not specified

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>

---------

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Zbigniew Mandziejewicz 6 months ago

+ 6 - 0
apis/externalsecrets/v1/secretstore_vault_types.go

@@ -324,6 +324,12 @@ type VaultJwtAuth struct {
 // VaultCertAuth authenticates with Vault using the JWT/OIDC authentication
 // method, with the role name and token stored in a Kubernetes Secret resource.
 type VaultCertAuth struct {
+	// Path where the Certificate authentication backend is mounted
+	// in Vault, e.g: "cert"
+	// +kubebuilder:default=cert
+	// +optional
+	Path string `json:"path"`
+
 	// ClientCert is a certificate to authenticate using the Cert Vault
 	// authentication method
 	// +optional
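Review bot: The new `Path string `json:"path"`` field is marked `+optional` and defaulted, but without `omitempty` a Go client that leaves the field empty serialises `"path": ""`, and the kubebuilder default only fills in absent fields, so an explicit empty string reaches the provider and depends entirely on the runtime fallback in auth_cert.go; if the sibling Vault auth structs declare their path with `json:"path,omitempty"`, match that, otherwise keep the tag and state the fallback in the comment, e.g. `// Defaults to "cert" when empty.` Nothing bounds the characters of the value even though it is spliced straight into the login URL; a `+kubebuilder:validation:Pattern` restricting it to mount-name characters would reject slashes and dots at admission rather than at login time. The struct comment on the context lines above still says the method is JWT/OIDC, which reads like a copy from VaultJwtAuth, and since this commit edits the struct it is the moment to reword it to the cert method. The struct body continues outside the hunk.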

+ 6 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -4394,6 +4394,12 @@ spec:
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                     type: string
                                 type: object
+                              path:
+                                default: cert
+                                description: |-
+                                  Path where the Certificate authentication backend is mounted
+                                  in Vault, e.g: "cert"
+                                type: string
                               secretRef:
                                 description: |-
                                   SecretRef to a key in a Secret resource containing client private key to

+ 6 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -4394,6 +4394,12 @@ spec:
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                     type: string
                                 type: object
+                              path:
+                                default: cert
+                                description: |-
+                                  Path where the Certificate authentication backend is mounted
+                                  in Vault, e.g: "cert"
+                                type: string
                               secretRef:
                                 description: |-
                                   SecretRef to a key in a Secret resource containing client private key to

+ 6 - 0
config/crds/bases/generators.external-secrets.io_clustergenerators.yaml

@@ -1253,6 +1253,12 @@ spec:
                                         pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                         type: string
                                     type: object
+                                  path:
+                                    default: cert
+                                    description: |-
+                                      Path where the Certificate authentication backend is mounted
+                                      in Vault, e.g: "cert"
+                                    type: string
                                   secretRef:
                                     description: |-
                                       SecretRef to a key in a Secret resource containing client private key to

+ 6 - 0
config/crds/bases/generators.external-secrets.io_vaultdynamicsecrets.yaml

@@ -183,6 +183,12 @@ spec:
                                 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                 type: string
                             type: object
+                          path:
+                            default: cert
+                            description: |-
+                              Path where the Certificate authentication backend is mounted
+                              in Vault, e.g: "cert"
+                            type: string
                           secretRef:
                             description: |-
                               SecretRef to a key in a Secret resource containing client private key to

+ 24 - 0
deploy/crds/bundle.yaml

@@ -6137,6 +6137,12 @@ spec:
                                       pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                       type: string
                                   type: object
+                                path:
+                                  default: cert
+                                  description: |-
+                                    Path where the Certificate authentication backend is mounted
+                                    in Vault, e.g: "cert"
+                                  type: string
                                 secretRef:
                                   description: |-
                                     SecretRef to a key in a Secret resource containing client private key to
@@ -17337,6 +17343,12 @@ spec:
                                       pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                       type: string
                                   type: object
+                                path:
+                                  default: cert
+                                  description: |-
+                                    Path where the Certificate authentication backend is mounted
+                                    in Vault, e.g: "cert"
+                                  type: string
                                 secretRef:
                                   description: |-
                                     SecretRef to a key in a Secret resource containing client private key to
@@ -24165,6 +24177,12 @@ spec:
                                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                           type: string
                                       type: object
+                                    path:
+                                      default: cert
+                                      description: |-
+                                        Path where the Certificate authentication backend is mounted
+                                        in Vault, e.g: "cert"
+                                      type: string
                                     secretRef:
                                       description: |-
                                         SecretRef to a key in a Secret resource containing client private key to
@@ -26673,6 +26691,12 @@ spec:
                                   pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                   type: string
                               type: object
+                            path:
+                              default: cert
+                              description: |-
+                                Path where the Certificate authentication backend is mounted
+                                in Vault, e.g: "cert"
+                              type: string
                             secretRef:
                               description: |-
                                 SecretRef to a key in a Secret resource containing client private key to

+ 13 - 0
docs/api/spec.md

@@ -10455,6 +10455,19 @@ method, with the role name and token stored in a Kubernetes Secret resource.</p>
 <tbody>
 <tr>
 <td>
+<code>path</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Path where the Certificate authentication backend is mounted
+in Vault, e.g: &ldquo;cert&rdquo;</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>clientCert</code></br>
 <em>
 <a href="https://pkg.go.dev/github.com/external-secrets/external-secrets/apis/meta/v1#SecretKeySelector">

+ 5 - 1
pkg/provider/vault/auth_cert.go

@@ -67,7 +67,11 @@ func (c *client) requestTokenWithCertAuth(ctx context.Context, certAuth *esv1.Va
 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
 	}
 
-	url := strings.Join([]string{"auth", "cert", "login"}, "/")
+	path := certAuth.Path
+	if path == "" {
+		path = "cert"
+	}
+	url := strings.Join([]string{"auth", path, "login"}, "/")
 	vaultResult, err := c.logical.WriteWithContext(ctx, url, nil)
 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
 	if err != nil {
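Review bot: `path := certAuth.Path` on the new lines is joined into the login URL exactly as configured, so a mount name copied from `vault auth list` with its trailing slash (`cert/`) yields `auth/cert//login`, and a leading slash breaks the path the same way; trimming before the empty check covers both: `path := strings.Trim(certAuth.Path, "/")`. The literal `"cert"` now exists twice, here and in the `+kubebuilder:default=cert` marker on the API type, so hoisting it into a named package constant such as `defaultCertAuthPath` with a comment pointing at the CRD default keeps the two from drifting apart silently. I cannot confirm from here whether Vault normalises the doubled slash, which is why the trim deserves a unit test with a slash-suffixed path. requestTokenWithCertAuth starts and ends outside the hunk.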