Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 02a8878707
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 23 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/tls"
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 	"io/ioutil"
    25. 

  25. 	"net/http"
    26. 

  26. 	"os"
    27. 

  27. 	"strconv"
    28. 

  28. 	"strings"
    29. 

  29. 

  30. 	"github.com/go-logr/logr"
    31. 

  31. 	vault "github.com/hashicorp/vault/api"
    32. 

  32. 	"github.com/tidwall/gjson"
    33. 

  33. 	corev1 "k8s.io/api/core/v1"
    34. 

  34. 	"k8s.io/apimachinery/pkg/types"
    35. 

  35. 	ctrl "sigs.k8s.io/controller-runtime"
    36. 

  36. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    37. 

  37. 

  38. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    39. 

  39. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    40. 

  40. 	"github.com/external-secrets/external-secrets/pkg/provider"
    41. 

  41. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    42. 

  42. )
    43. 

  43. 

  44. var (
    45. 

  45. 	_ provider.Provider      = &connector{}
    46. 

  46. 	_ provider.SecretsClient = &client{}
    47. 

  47. )
    48. 

  48. 

  49. const (
    50. 

  50. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    51. 

  51. 

  52. 	errVaultStore         = "received invalid Vault SecretStore resource: %w"
    53. 

  53. 	errVaultClient        = "cannot setup new vault client: %w"
    54. 

  54. 	errVaultCert          = "cannot set Vault CA certificate: %w"
    55. 

  55. 	errReadSecret         = "cannot read secret data from Vault: %w"
    56. 

  56. 	errAuthFormat         = "cannot initialize Vault client: no valid auth method specified"
    57. 

  57. 	errInvalidCredentials = "invalid vault credentials: %w"
    58. 

  58. 	errDataField          = "failed to find data field"
    59. 

  59. 	errJSONUnmarshall     = "failed to unmarshall JSON"
    60. 

  60. 	errSecretFormat       = "secret data not in expected format"
    61. 

  61. 	errUnexpectedKey      = "unexpected key in data: %s"
    62. 

  62. 	errVaultToken         = "cannot parse Vault authentication token: %w"
    63. 

  63. 	errVaultReqParams     = "cannot set Vault request parameters: %w"
    64. 

  64. 	errVaultRequest       = "error from Vault request: %w"
    65. 

  65. 	errVaultResponse      = "cannot parse Vault response: %w"
    66. 

  66. 	errServiceAccount     = "cannot read Kubernetes service account token from file system: %w"
    67. 

  67. 

  68. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    69. 

  69. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    70. 

  70. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    71. 

  71. 

  72. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    73. 

  73. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    74. 

  74. 	errConfigMapFmt  = "cannot find config map data for key: %q"
    75. 

  75. 

  76. 	errClientTLSAuth = "error from Client TLS Auth: %q"
    77. 

  77. 

  78. 	errVaultRevokeToken = "error while revoking token: %w"
    79. 

  79. 

  80. 	errUnknownCAProvider = "unknown caProvider type given"
    81. 

  81. 	errCANamespace       = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
    82. 

  82. )
    83. 

  83. 

  84. type Client interface {
    85. 

  85. 	NewRequest(method, requestPath string) *vault.Request
    86. 

  86. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    87. 

  87. 	SetToken(v string)
    88. 

  88. 	Token() string
    89. 

  89. 	ClearToken()
    90. 

  90. 	SetNamespace(namespace string)
    91. 

  91. 	AddHeader(key, value string)
    92. 

  92. }
    93. 

  93. 

  94. type client struct {
    95. 

  95. 	kube      kclient.Client
    96. 

  96. 	store     *esv1beta1.VaultProvider
    97. 

  97. 	log       logr.Logger
    98. 

  98. 	client    Client
    99. 

  99. 	namespace string
    100. 

  100. 	storeKind string
    101. 

  101. }
    102. 

  102. 

  103. func init() {
    104. 

  104. 	schema.Register(&connector{
    105. 

  105. 		newVaultClient: newVaultClient,
    106. 

  106. 	}, &esv1beta1.SecretStoreProvider{
    107. 

  107. 		Vault: &esv1beta1.VaultProvider{},
    108. 

  108. 	})
    109. 

  109. }
    110. 

  110. 

  111. func newVaultClient(c *vault.Config) (Client, error) {
    112. 

  112. 	return vault.NewClient(c)
    113. 

  113. }
    114. 

  114. 

  115. type connector struct {
    116. 

  116. 	newVaultClient func(c *vault.Config) (Client, error)
    117. 

  117. }
    118. 

  118. 

  119. func (c *connector) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    120. 

  120. 	storeSpec := store.GetSpec()
    121. 

  121. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    122. 

  122. 		return nil, errors.New(errVaultStore)
    123. 

  123. 	}
    124. 

  124. 	vaultSpec := storeSpec.Provider.Vault
    125. 

  125. 

  126. 	vStore := &client{
    127. 

  127. 		kube:      kube,
    128. 

  128. 		store:     vaultSpec,
    129. 

  129. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    130. 

  130. 		namespace: namespace,
    131. 

  131. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    132. 

  132. 	}
    133. 

  133. 

  134. 	cfg, err := vStore.newConfig()
    135. 

  135. 	if err != nil {
    136. 

  136. 		return nil, err
    137. 

  137. 	}
    138. 

  138. 

  139. 	client, err := c.newVaultClient(cfg)
    140. 

  140. 	if err != nil {
    141. 

  141. 		return nil, fmt.Errorf(errVaultClient, err)
    142. 

  142. 	}
    143. 

  143. 

  144. 	if vaultSpec.Namespace != nil {
    145. 

  145. 		client.SetNamespace(*vaultSpec.Namespace)
    146. 

  146. 	}
    147. 

  147. 

  148. 	if vaultSpec.ReadYourWrites && vaultSpec.ForwardInconsistent {
    149. 

  149. 		client.AddHeader("X-Vault-Inconsistent", "forward-active-node")
    150. 

  150. 	}
    151. 

  151. 

  152. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    153. 

  153. 		return nil, err
    154. 

  154. 	}
    155. 

  155. 

  156. 	vStore.client = client
    157. 

  157. 

  158. 	return vStore, nil
    159. 

  159. }
    160. 

  160. 

  161. // Empty GetAllSecrets.
    162. 

  162. func (v *client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    163. 

  163. 	// TO be implemented
    164. 

  164. 	return nil, fmt.Errorf("GetAllSecrets not implemented")
    165. 

  165. }
    166. 

  166. 

  167. // GetSecret supports two types:
    168. 

  168. // 1. get the full secret as json-encoded value
    169. 

  169. //    by leaving the ref.Property empty.
    170. 

  170. // 2. get a key from the secret.
    171. 

  171. //    Nested values are supported by specifying a gjson expression
    172. 

  172. func (v *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    173. 

  173. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    174. 

  174. 	if err != nil {
    175. 

  175. 		return nil, err
    176. 

  176. 	}
    177. 

  177. 	jsonStr, err := json.Marshal(data)
    178. 

  178. 	if err != nil {
    179. 

  179. 		return nil, err
    180. 

  180. 	}
    181. 

  181. 	// (1): return raw json if no property is defined
    182. 

  182. 	if ref.Property == "" {
    183. 

  183. 		return jsonStr, nil
    184. 

  184. 	}
    185. 

  185. 

  186. 	// For backwards compatibility we want the
    187. 

  187. 	// actual keys to take precedence over gjson syntax
    188. 

  188. 	// (2): extract key from secret with property
    189. 

  189. 	if _, ok := data[ref.Property]; ok {
    190. 

  190. 		return getTypedKey(data, ref.Property)
    191. 

  191. 	}
    192. 

  192. 

  193. 	// (3): extract key from secret using gjson
    194. 

  194. 	val := gjson.Get(string(jsonStr), ref.Property)
    195. 

  195. 	if !val.Exists() {
    196. 

  196. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    197. 

  197. 	}
    198. 

  198. 	return []byte(val.String()), nil
    199. 

  199. }
    200. 

  200. 

  201. // GetSecretMap supports two modes of operation:
    202. 

  202. // 1. get the full secret from the vault data payload (by leaving .property empty).
    203. 

  203. // 2. extract key/value pairs from a (nested) object.
    204. 

  204. func (v *client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    205. 

  205. 	data, err := v.GetSecret(ctx, ref)
    206. 

  206. 	if err != nil {
    207. 

  207. 		return nil, err
    208. 

  208. 	}
    209. 

  209. 

  210. 	var secretData map[string]interface{}
    211. 

  211. 	err = json.Unmarshal(data, &secretData)
    212. 

  212. 	if err != nil {
    213. 

  213. 		return nil, err
    214. 

  214. 	}
    215. 

  215. 	byteMap := make(map[string][]byte, len(secretData))
    216. 

  216. 	for k := range secretData {
    217. 

  217. 		byteMap[k], err = getTypedKey(secretData, k)
    218. 

  218. 		if err != nil {
    219. 

  219. 			return nil, err
    220. 

  220. 		}
    221. 

  221. 	}
    222. 

  222. 

  223. 	return byteMap, nil
    224. 

  224. }
    225. 

  225. 

  226. func getTypedKey(data map[string]interface{}, key string) ([]byte, error) {
    227. 

  227. 	v, ok := data[key]
    228. 

  228. 	if !ok {
    229. 

  229. 		return nil, fmt.Errorf(errUnexpectedKey, key)
    230. 

  230. 	}
    231. 

  231. 	switch t := v.(type) {
    232. 

  232. 	case string:
    233. 

  233. 		return []byte(t), nil
    234. 

  234. 	case map[string]interface{}:
    235. 

  235. 		return json.Marshal(t)
    236. 

  236. 	case []byte:
    237. 

  237. 		return t, nil
    238. 

  238. 	// also covers int and float32 due to json.Marshal
    239. 

  239. 	case float64:
    240. 

  240. 		return []byte(strconv.FormatFloat(t, 'f', -1, 64)), nil
    241. 

  241. 	case bool:
    242. 

  242. 		return []byte(strconv.FormatBool(t)), nil
    243. 

  243. 	case nil:
    244. 

  244. 		return []byte(nil), nil
    245. 

  245. 	default:
    246. 

  246. 		return nil, errors.New(errSecretFormat)
    247. 

  247. 	}
    248. 

  248. }
    249. 

  249. 

  250. func (v *client) Close(ctx context.Context) error {
    251. 

  251. 	// Revoke the token if we have one set and it wasn't sourced from a TokenSecretRef
    252. 

  252. 	if v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
    253. 

  253. 		req := v.client.NewRequest(http.MethodPost, "/v1/auth/token/revoke-self")
    254. 

  254. 		_, err := v.client.RawRequestWithContext(ctx, req)
    255. 

  255. 		if err != nil {
    256. 

  256. 			return fmt.Errorf(errVaultRevokeToken, err)
    257. 

  257. 		}
    258. 

  258. 		v.client.ClearToken()
    259. 

  259. 	}
    260. 

  260. 	return nil
    261. 

  261. }
    262. 

  262. 

  263. func (v *client) Validate() error {
    264. 

  264. 	err := checkToken(context.Background(), v)
    265. 

  265. 	if err != nil {
    266. 

  266. 		return fmt.Errorf(errInvalidCredentials, err)
    267. 

  267. 	}
    268. 

  268. 	return nil
    269. 

  269. }
    270. 

  270. 

  271. func (v *client) buildPath(path string) string {
    272. 

  272. 	optionalMount := v.store.Path
    273. 

  273. 	origPath := strings.Split(path, "/")
    274. 

  274. 	newPath := make([]string, 0)
    275. 

  275. 	cursor := 0
    276. 

  276. 

  277. 	if optionalMount != nil && origPath[0] != *optionalMount {
    278. 

  278. 		// Default case before path was optional
    279. 

  279. 		// Ensure that the requested path includes the SecretStores paths as prefix
    280. 

  280. 		newPath = append(newPath, *optionalMount)
    281. 

  281. 	} else {
    282. 

  282. 		newPath = append(newPath, origPath[cursor])
    283. 

  283. 		cursor++
    284. 

  284. 	}
    285. 

  285. 

  286. 	if v.store.Version == esv1beta1.VaultKVStoreV2 {
    287. 

  287. 		// Add the required `data` part of the URL for the v2 API
    288. 

  288. 		if len(origPath) < 2 || origPath[1] != "data" {
    289. 

  289. 			newPath = append(newPath, "data")
    290. 

  290. 		}
    291. 

  291. 	}
    292. 

  292. 	newPath = append(newPath, origPath[cursor:]...)
    293. 

  293. 	returnPath := strings.Join(newPath, "/")
    294. 

  294. 

  295. 	return returnPath
    296. 

  296. }
    297. 

  297. 

  298. func (v *client) readSecret(ctx context.Context, path, version string) (map[string]interface{}, error) {
    299. 

  299. 	dataPath := v.buildPath(path)
    300. 

  300. 

  301. 	// path formated according to vault docs for v1 and v2 API
    302. 

  302. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    303. 

  303. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    304. 

  304. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s", dataPath))
    305. 

  305. 	if version != "" {
    306. 

  306. 		req.Params.Set("version", version)
    307. 

  307. 	}
    308. 

  308. 

  309. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    310. 

  310. 	if err != nil {
    311. 

  311. 		return nil, fmt.Errorf(errReadSecret, err)
    312. 

  312. 	}
    313. 

  313. 

  314. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    315. 

  315. 	if err != nil {
    316. 

  316. 		return nil, err
    317. 

  317. 	}
    318. 

  318. 

  319. 	secretData := vaultSecret.Data
    320. 

  320. 	if v.store.Version == esv1beta1.VaultKVStoreV2 {
    321. 

  321. 		// Vault KV2 has data embedded within sub-field
    322. 

  322. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    323. 

  323. 		dataInt, ok := vaultSecret.Data["data"]
    324. 

  324. 

  325. 		if !ok {
    326. 

  326. 			return nil, errors.New(errDataField)
    327. 

  327. 		}
    328. 

  328. 		secretData, ok = dataInt.(map[string]interface{})
    329. 

  329. 		if !ok {
    330. 

  330. 			return nil, errors.New(errJSONUnmarshall)
    331. 

  331. 		}
    332. 

  332. 	}
    333. 

  333. 

  334. 	return secretData, nil
    335. 

  335. }
    336. 

  336. 

  337. func (v *client) newConfig() (*vault.Config, error) {
    338. 

  338. 	cfg := vault.DefaultConfig()
    339. 

  339. 	cfg.Address = v.store.Server
    340. 

  340. 

  341. 	if len(v.store.CABundle) == 0 && v.store.CAProvider == nil {
    342. 

  342. 		return cfg, nil
    343. 

  343. 	}
    344. 

  344. 

  345. 	caCertPool := x509.NewCertPool()
    346. 

  346. 

  347. 	if len(v.store.CABundle) > 0 {
    348. 

  348. 		ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    349. 

  349. 		if !ok {
    350. 

  350. 			return nil, errors.New(errVaultCert)
    351. 

  351. 		}
    352. 

  352. 	}
    353. 

  353. 

  354. 	if v.store.CAProvider != nil && v.storeKind == esv1beta1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
    355. 

  355. 		return nil, errors.New(errCANamespace)
    356. 

  356. 	}
    357. 

  357. 

  358. 	if v.store.CAProvider != nil {
    359. 

  359. 		var cert []byte
    360. 

  360. 		var err error
    361. 

  361. 

  362. 		switch v.store.CAProvider.Type {
    363. 

  363. 		case esv1beta1.CAProviderTypeSecret:
    364. 

  364. 			cert, err = getCertFromSecret(v)
    365. 

  365. 		case esv1beta1.CAProviderTypeConfigMap:
    366. 

  366. 			cert, err = getCertFromConfigMap(v)
    367. 

  367. 		default:
    368. 

  368. 			return nil, errors.New(errUnknownCAProvider)
    369. 

  369. 		}
    370. 

  370. 

  371. 		if err != nil {
    372. 

  372. 			return nil, err
    373. 

  373. 		}
    374. 

  374. 

  375. 		ok := caCertPool.AppendCertsFromPEM(cert)
    376. 

  376. 		if !ok {
    377. 

  377. 			return nil, errors.New(errVaultCert)
    378. 

  378. 		}
    379. 

  379. 	}
    380. 

  380. 

  381. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    382. 

  382. 		transport.TLSClientConfig.RootCAs = caCertPool
    383. 

  383. 	}
    384. 

  384. 

  385. 	// If either read-after-write consistency feature is enabled, enable ReadYourWrites
    386. 

  386. 	cfg.ReadYourWrites = v.store.ReadYourWrites || v.store.ForwardInconsistent
    387. 

  387. 

  388. 	return cfg, nil
    389. 

  389. }
    390. 

  390. 

  391. func getCertFromSecret(v *client) ([]byte, error) {
    392. 

  392. 	secretRef := esmeta.SecretKeySelector{
    393. 

  393. 		Name: v.store.CAProvider.Name,
    394. 

  394. 		Key:  v.store.CAProvider.Key,
    395. 

  395. 	}
    396. 

  396. 

  397. 	if v.store.CAProvider.Namespace != nil {
    398. 

  398. 		secretRef.Namespace = v.store.CAProvider.Namespace
    399. 

  399. 	}
    400. 

  400. 

  401. 	ctx := context.Background()
    402. 

  402. 	res, err := v.secretKeyRef(ctx, &secretRef)
    403. 

  403. 	if err != nil {
    404. 

  404. 		return nil, fmt.Errorf(errVaultCert, err)
    405. 

  405. 	}
    406. 

  406. 

  407. 	return []byte(res), nil
    408. 

  408. }
    409. 

  409. 

  410. func getCertFromConfigMap(v *client) ([]byte, error) {
    411. 

  411. 	objKey := types.NamespacedName{
    412. 

  412. 		Name: v.store.CAProvider.Name,
    413. 

  413. 	}
    414. 

  414. 

  415. 	if v.store.CAProvider.Namespace != nil {
    416. 

  416. 		objKey.Namespace = *v.store.CAProvider.Namespace
    417. 

  417. 	}
    418. 

  418. 

  419. 	configMapRef := &corev1.ConfigMap{}
    420. 

  420. 	ctx := context.Background()
    421. 

  421. 	err := v.kube.Get(ctx, objKey, configMapRef)
    422. 

  422. 	if err != nil {
    423. 

  423. 		return nil, fmt.Errorf(errVaultCert, err)
    424. 

  424. 	}
    425. 

  425. 

  426. 	val, ok := configMapRef.Data[v.store.CAProvider.Key]
    427. 

  427. 	if !ok {
    428. 

  428. 		return nil, fmt.Errorf(errConfigMapFmt, v.store.CAProvider.Key)
    429. 

  429. 	}
    430. 

  430. 

  431. 	return []byte(val), nil
    432. 

  432. }
    433. 

  433. 

  434. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    435. 

  435. 	tokenExists, err := setSecretKeyToken(ctx, v, client)
    436. 

  436. 	if tokenExists {
    437. 

  437. 		return err
    438. 

  438. 	}
    439. 

  439. 

  440. 	tokenExists, err = setAppRoleToken(ctx, v, client)
    441. 

  441. 	if tokenExists {
    442. 

  442. 		return err
    443. 

  443. 	}
    444. 

  444. 

  445. 	tokenExists, err = setKubernetesAuthToken(ctx, v, client)
    446. 

  446. 	if tokenExists {
    447. 

  447. 		return err
    448. 

  448. 	}
    449. 

  449. 

  450. 	tokenExists, err = setLdapAuthToken(ctx, v, client)
    451. 

  451. 	if tokenExists {
    452. 

  452. 		return err
    453. 

  453. 	}
    454. 

  454. 

  455. 	tokenExists, err = setJwtAuthToken(ctx, v, client)
    456. 

  456. 	if tokenExists {
    457. 

  457. 		return err
    458. 

  458. 	}
    459. 

  459. 

  460. 	tokenExists, err = setCertAuthToken(ctx, v, client, cfg)
    461. 

  461. 	if tokenExists {
    462. 

  462. 		return err
    463. 

  463. 	}
    464. 

  464. 

  465. 	return errors.New(errAuthFormat)
    466. 

  466. }
    467. 

  467. 

  468. func setAppRoleToken(ctx context.Context, v *client, client Client) (bool, error) {
    469. 

  469. 	tokenRef := v.store.Auth.TokenSecretRef
    470. 

  470. 	if tokenRef != nil {
    471. 

  471. 		token, err := v.secretKeyRef(ctx, tokenRef)
    472. 

  472. 		if err != nil {
    473. 

  473. 			return true, err
    474. 

  474. 		}
    475. 

  475. 		client.SetToken(token)
    476. 

  476. 		return true, nil
    477. 

  477. 	}
    478. 

  478. 	return false, nil
    479. 

  479. }
    480. 

  480. 

  481. func setSecretKeyToken(ctx context.Context, v *client, client Client) (bool, error) {
    482. 

  482. 	appRole := v.store.Auth.AppRole
    483. 

  483. 	if appRole != nil {
    484. 

  484. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    485. 

  485. 		if err != nil {
    486. 

  486. 			return true, err
    487. 

  487. 		}
    488. 

  488. 		client.SetToken(token)
    489. 

  489. 		return true, nil
    490. 

  490. 	}
    491. 

  491. 	return false, nil
    492. 

  492. }
    493. 

  493. 

  494. func setKubernetesAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    495. 

  495. 	kubernetesAuth := v.store.Auth.Kubernetes
    496. 

  496. 	if kubernetesAuth != nil {
    497. 

  497. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    498. 

  498. 		if err != nil {
    499. 

  499. 			return true, err
    500. 

  500. 		}
    501. 

  501. 		client.SetToken(token)
    502. 

  502. 		return true, nil
    503. 

  503. 	}
    504. 

  504. 	return false, nil
    505. 

  505. }
    506. 

  506. 

  507. func setLdapAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    508. 

  508. 	ldapAuth := v.store.Auth.Ldap
    509. 

  509. 	if ldapAuth != nil {
    510. 

  510. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    511. 

  511. 		if err != nil {
    512. 

  512. 			return true, err
    513. 

  513. 		}
    514. 

  514. 		client.SetToken(token)
    515. 

  515. 		return true, nil
    516. 

  516. 	}
    517. 

  517. 	return false, nil
    518. 

  518. }
    519. 

  519. 

  520. func setJwtAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    521. 

  521. 	jwtAuth := v.store.Auth.Jwt
    522. 

  522. 	if jwtAuth != nil {
    523. 

  523. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    524. 

  524. 		if err != nil {
    525. 

  525. 			return true, err
    526. 

  526. 		}
    527. 

  527. 		client.SetToken(token)
    528. 

  528. 		return true, nil
    529. 

  529. 	}
    530. 

  530. 	return false, nil
    531. 

  531. }
    532. 

  532. 

  533. func setCertAuthToken(ctx context.Context, v *client, client Client, cfg *vault.Config) (bool, error) {
    534. 

  534. 	certAuth := v.store.Auth.Cert
    535. 

  535. 	if certAuth != nil {
    536. 

  536. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    537. 

  537. 		if err != nil {
    538. 

  538. 			return true, err
    539. 

  539. 		}
    540. 

  540. 		client.SetToken(token)
    541. 

  541. 		return true, nil
    542. 

  542. 	}
    543. 

  543. 	return false, nil
    544. 

  544. }
    545. 

  545. 

  546. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    547. 

  547. 	serviceAccount := &corev1.ServiceAccount{}
    548. 

  548. 	ref := types.NamespacedName{
    549. 

  549. 		Namespace: v.namespace,
    550. 

  550. 		Name:      serviceAccountRef.Name,
    551. 

  551. 	}
    552. 

  552. 	if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    553. 

  553. 		(serviceAccountRef.Namespace != nil) {
    554. 

  554. 		ref.Namespace = *serviceAccountRef.Namespace
    555. 

  555. 	}
    556. 

  556. 	err := v.kube.Get(ctx, ref, serviceAccount)
    557. 

  557. 	if err != nil {
    558. 

  558. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    559. 

  559. 	}
    560. 

  560. 	if len(serviceAccount.Secrets) == 0 {
    561. 

  561. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    562. 

  562. 	}
    563. 

  563. 	for _, tokenRef := range serviceAccount.Secrets {
    564. 

  564. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    565. 

  565. 			Name:      tokenRef.Name,
    566. 

  566. 			Namespace: &ref.Namespace,
    567. 

  567. 			Key:       "token",
    568. 

  568. 		})
    569. 

  569. 

  570. 		if err != nil {
    571. 

  571. 			continue
    572. 

  572. 		}
    573. 

  573. 

  574. 		return retval, nil
    575. 

  575. 	}
    576. 

  576. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    577. 

  577. }
    578. 

  578. 

  579. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    580. 

  580. 	secret := &corev1.Secret{}
    581. 

  581. 	ref := types.NamespacedName{
    582. 

  582. 		Namespace: v.namespace,
    583. 

  583. 		Name:      secretRef.Name,
    584. 

  584. 	}
    585. 

  585. 	if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    586. 

  586. 		(secretRef.Namespace != nil) {
    587. 

  587. 		ref.Namespace = *secretRef.Namespace
    588. 

  588. 	}
    589. 

  589. 	err := v.kube.Get(ctx, ref, secret)
    590. 

  590. 	if err != nil {
    591. 

  591. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    592. 

  592. 	}
    593. 

  593. 

  594. 	keyBytes, ok := secret.Data[secretRef.Key]
    595. 

  595. 	if !ok {
    596. 

  596. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    597. 

  597. 	}
    598. 

  598. 

  599. 	value := string(keyBytes)
    600. 

  600. 	valueStr := strings.TrimSpace(value)
    601. 

  601. 	return valueStr, nil
    602. 

  602. }
    603. 

  603. 

  604. // checkToken does a lookup and checks if the provided token exists.
    605. 

  605. func checkToken(ctx context.Context, vStore *client) error {
    606. 

  606. 	// https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self
    607. 

  607. 	req := vStore.client.NewRequest("GET", "/v1/auth/token/lookup-self")
    608. 

  608. 	_, err := vStore.client.RawRequestWithContext(ctx, req)
    609. 

  609. 	return err
    610. 

  610. }
    611. 

  611. 

  612. // appRoleParameters creates the required body for Vault AppRole Auth.
    613. 

  613. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    614. 

  614. func appRoleParameters(role, secret string) map[string]string {
    615. 

  615. 	return map[string]string{
    616. 

  616. 		"role_id":   role,
    617. 

  617. 		"secret_id": secret,
    618. 

  618. 	}
    619. 

  619. }
    620. 

  620. 

  621. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1beta1.VaultAppRole) (string, error) {
    622. 

  622. 	roleID := strings.TrimSpace(appRole.RoleID)
    623. 

  623. 

  624. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    625. 

  625. 	if err != nil {
    626. 

  626. 		return "", err
    627. 

  627. 	}
    628. 

  628. 

  629. 	parameters := appRoleParameters(roleID, secretID)
    630. 

  630. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    631. 

  631. 	request := client.NewRequest("POST", url)
    632. 

  632. 

  633. 	err = request.SetJSONBody(parameters)
    634. 

  634. 	if err != nil {
    635. 

  635. 		return "", fmt.Errorf(errVaultReqParams, err)
    636. 

  636. 	}
    637. 

  637. 

  638. 	resp, err := client.RawRequestWithContext(ctx, request)
    639. 

  639. 	if err != nil {
    640. 

  640. 		return "", fmt.Errorf(errVaultRequest, err)
    641. 

  641. 	}
    642. 

  642. 

  643. 	defer resp.Body.Close()
    644. 

  644. 

  645. 	vaultResult := vault.Secret{}
    646. 

  646. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    647. 

  647. 		return "", fmt.Errorf(errVaultResponse, err)
    648. 

  648. 	}
    649. 

  649. 

  650. 	token, err := vaultResult.TokenID()
    651. 

  651. 	if err != nil {
    652. 

  652. 		return "", fmt.Errorf(errVaultToken, err)
    653. 

  653. 	}
    654. 

  654. 

  655. 	return token, nil
    656. 

  656. }
    657. 

  657. 

  658. // kubeParameters creates the required body for Vault Kubernetes auth.
    659. 

  659. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    660. 

  660. func kubeParameters(role, jwt string) map[string]string {
    661. 

  661. 	return map[string]string{
    662. 

  662. 		"role": role,
    663. 

  663. 		"jwt":  jwt,
    664. 

  664. 	}
    665. 

  665. }
    666. 

  666. 

  667. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
    668. 

  668. 	jwtString, err := getJwtString(ctx, v, kubernetesAuth)
    669. 

  669. 	if err != nil {
    670. 

  670. 		return "", err
    671. 

  671. 	}
    672. 

  672. 

  673. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    674. 

  674. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    675. 

  675. 	request := client.NewRequest("POST", url)
    676. 

  676. 

  677. 	err = request.SetJSONBody(parameters)
    678. 

  678. 	if err != nil {
    679. 

  679. 		return "", fmt.Errorf(errVaultReqParams, err)
    680. 

  680. 	}
    681. 

  681. 

  682. 	resp, err := client.RawRequestWithContext(ctx, request)
    683. 

  683. 	if err != nil {
    684. 

  684. 		return "", fmt.Errorf(errVaultRequest, err)
    685. 

  685. 	}
    686. 

  686. 

  687. 	defer resp.Body.Close()
    688. 

  688. 	vaultResult := vault.Secret{}
    689. 

  689. 	err = resp.DecodeJSON(&vaultResult)
    690. 

  690. 	if err != nil {
    691. 

  691. 		return "", fmt.Errorf(errVaultResponse, err)
    692. 

  692. 	}
    693. 

  693. 

  694. 	token, err := vaultResult.TokenID()
    695. 

  695. 	if err != nil {
    696. 

  696. 		return "", fmt.Errorf(errVaultToken, err)
    697. 

  697. 	}
    698. 

  698. 

  699. 	return token, nil
    700. 

  700. }
    701. 

  701. 

  702. func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
    703. 

  703. 	if kubernetesAuth.ServiceAccountRef != nil {
    704. 

  704. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    705. 

  705. 		if err != nil {
    706. 

  706. 			return "", err
    707. 

  707. 		}
    708. 

  708. 		return jwt, nil
    709. 

  709. 	} else if kubernetesAuth.SecretRef != nil {
    710. 

  710. 		tokenRef := kubernetesAuth.SecretRef
    711. 

  711. 		if tokenRef.Key == "" {
    712. 

  712. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    713. 

  713. 			tokenRef.Key = "token"
    714. 

  714. 		}
    715. 

  715. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    716. 

  716. 		if err != nil {
    717. 

  717. 			return "", err
    718. 

  718. 		}
    719. 

  719. 		return jwt, nil
    720. 

  720. 	} else {
    721. 

  721. 		// Kubernetes authentication is specified, but without a referenced
    722. 

  722. 		// Kubernetes secret. We check if the file path for in-cluster service account
    723. 

  723. 		// exists and attempt to use the token for Vault Kubernetes auth.
    724. 

  724. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    725. 

  725. 			return "", fmt.Errorf(errServiceAccount, err)
    726. 

  726. 		}
    727. 

  727. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    728. 

  728. 		if err != nil {
    729. 

  729. 			return "", fmt.Errorf(errServiceAccount, err)
    730. 

  730. 		}
    731. 

  731. 		return string(jwtByte), nil
    732. 

  732. 	}
    733. 

  733. }
    734. 

  734. 

  735. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1beta1.VaultLdapAuth) (string, error) {
    736. 

  736. 	username := strings.TrimSpace(ldapAuth.Username)
    737. 

  737. 

  738. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    739. 

  739. 	if err != nil {
    740. 

  740. 		return "", err
    741. 

  741. 	}
    742. 

  742. 

  743. 	parameters := map[string]string{
    744. 

  744. 		"password": password,
    745. 

  745. 	}
    746. 

  746. 	url := strings.Join([]string{"/v1", "auth", ldapAuth.Path, "login", username}, "/")
    747. 

  747. 	request := client.NewRequest("POST", url)
    748. 

  748. 

  749. 	err = request.SetJSONBody(parameters)
    750. 

  750. 	if err != nil {
    751. 

  751. 		return "", fmt.Errorf(errVaultReqParams, err)
    752. 

  752. 	}
    753. 

  753. 

  754. 	resp, err := client.RawRequestWithContext(ctx, request)
    755. 

  755. 	if err != nil {
    756. 

  756. 		return "", fmt.Errorf(errVaultRequest, err)
    757. 

  757. 	}
    758. 

  758. 

  759. 	defer resp.Body.Close()
    760. 

  760. 

  761. 	vaultResult := vault.Secret{}
    762. 

  762. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    763. 

  763. 		return "", fmt.Errorf(errVaultResponse, err)
    764. 

  764. 	}
    765. 

  765. 

  766. 	token, err := vaultResult.TokenID()
    767. 

  767. 	if err != nil {
    768. 

  768. 		return "", fmt.Errorf(errVaultToken, err)
    769. 

  769. 	}
    770. 

  770. 

  771. 	return token, nil
    772. 

  772. }
    773. 

  773. 

  774. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1beta1.VaultJwtAuth) (string, error) {
    775. 

  775. 	role := strings.TrimSpace(jwtAuth.Role)
    776. 

  776. 

  777. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    778. 

  778. 	if err != nil {
    779. 

  779. 		return "", err
    780. 

  780. 	}
    781. 

  781. 

  782. 	parameters := map[string]string{
    783. 

  783. 		"role": role,
    784. 

  784. 		"jwt":  jwt,
    785. 

  785. 	}
    786. 

  786. 	url := strings.Join([]string{"/v1", "auth", jwtAuth.Path, "login"}, "/")
    787. 

  787. 	request := client.NewRequest("POST", url)
    788. 

  788. 

  789. 	err = request.SetJSONBody(parameters)
    790. 

  790. 	if err != nil {
    791. 

  791. 		return "", fmt.Errorf(errVaultReqParams, err)
    792. 

  792. 	}
    793. 

  793. 

  794. 	resp, err := client.RawRequestWithContext(ctx, request)
    795. 

  795. 	if err != nil {
    796. 

  796. 		return "", fmt.Errorf(errVaultRequest, err)
    797. 

  797. 	}
    798. 

  798. 

  799. 	defer resp.Body.Close()
    800. 

  800. 

  801. 	vaultResult := vault.Secret{}
    802. 

  802. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    803. 

  803. 		return "", fmt.Errorf(errVaultResponse, err)
    804. 

  804. 	}
    805. 

  805. 

  806. 	token, err := vaultResult.TokenID()
    807. 

  807. 	if err != nil {
    808. 

  808. 		return "", fmt.Errorf(errVaultToken, err)
    809. 

  809. 	}
    810. 

  810. 

  811. 	return token, nil
    812. 

  812. }
    813. 

  813. 

  814. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1beta1.VaultCertAuth, cfg *vault.Config) (string, error) {
    815. 

  815. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    816. 

  816. 	if err != nil {
    817. 

  817. 		return "", err
    818. 

  818. 	}
    819. 

  819. 

  820. 	clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
    821. 

  821. 	if err != nil {
    822. 

  822. 		return "", err
    823. 

  823. 	}
    824. 

  824. 

  825. 	cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
    826. 

  826. 	if err != nil {
    827. 

  827. 		return "", fmt.Errorf(errClientTLSAuth, err)
    828. 

  828. 	}
    829. 

  829. 

  830. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    831. 

  831. 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
    832. 

  832. 	}
    833. 

  833. 

  834. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    835. 

  835. 	request := client.NewRequest("POST", url)
    836. 

  836. 

  837. 	resp, err := client.RawRequestWithContext(ctx, request)
    838. 

  838. 	if err != nil {
    839. 

  839. 		return "", fmt.Errorf(errVaultRequest, err)
    840. 

  840. 	}
    841. 

  841. 

  842. 	defer resp.Body.Close()
    843. 

  843. 

  844. 	vaultResult := vault.Secret{}
    845. 

  845. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    846. 

  846. 		return "", fmt.Errorf(errVaultResponse, err)
    847. 

  847. 	}
    848. 

  848. 

  849. 	token, err := vaultResult.TokenID()
    850. 

  850. 	if err != nil {
    851. 

  851. 		return "", fmt.Errorf(errVaultToken, err)
    852. 

  852. 	}
    853. 

  853. 

  854. 	return token, nil
    855. 

  855. }
    856.