Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 22607b6544
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 22 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/tls"
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 	"io/ioutil"
    25. 

  25. 	"net/http"
    26. 

  26. 	"os"
    27. 

  27. 	"strconv"
    28. 

  28. 	"strings"
    29. 

  29. 

  30. 	"github.com/go-logr/logr"
    31. 

  31. 	vault "github.com/hashicorp/vault/api"
    32. 

  32. 	"github.com/tidwall/gjson"
    33. 

  33. 	corev1 "k8s.io/api/core/v1"
    34. 

  34. 	"k8s.io/apimachinery/pkg/types"
    35. 

  35. 	ctrl "sigs.k8s.io/controller-runtime"
    36. 

  36. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    37. 

  37. 

  38. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    39. 

  39. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    40. 

  40. 	"github.com/external-secrets/external-secrets/pkg/provider"
    41. 

  41. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    42. 

  42. )
    43. 

  43. 

  44. var (
    45. 

  45. 	_ provider.Provider      = &connector{}
    46. 

  46. 	_ provider.SecretsClient = &client{}
    47. 

  47. )
    48. 

  48. 

  49. const (
    50. 

  50. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    51. 

  51. 

  52. 	errVaultStore         = "received invalid Vault SecretStore resource: %w"
    53. 

  53. 	errVaultClient        = "cannot setup new vault client: %w"
    54. 

  54. 	errVaultCert          = "cannot set Vault CA certificate: %w"
    55. 

  55. 	errReadSecret         = "cannot read secret data from Vault: %w"
    56. 

  56. 	errAuthFormat         = "cannot initialize Vault client: no valid auth method specified"
    57. 

  57. 	errInvalidCredentials = "invalid vault credentials: %w"
    58. 

  58. 	errDataField          = "failed to find data field"
    59. 

  59. 	errJSONUnmarshall     = "failed to unmarshall JSON"
    60. 

  60. 	errSecretFormat       = "secret data not in expected format"
    61. 

  61. 	errVaultToken         = "cannot parse Vault authentication token: %w"
    62. 

  62. 	errVaultReqParams     = "cannot set Vault request parameters: %w"
    63. 

  63. 	errVaultRequest       = "error from Vault request: %w"
    64. 

  64. 	errVaultResponse      = "cannot parse Vault response: %w"
    65. 

  65. 	errServiceAccount     = "cannot read Kubernetes service account token from file system: %w"
    66. 

  66. 

  67. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    68. 

  68. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    69. 

  69. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    70. 

  70. 

  71. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    72. 

  72. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    73. 

  73. 	errConfigMapFmt  = "cannot find config map data for key: %q"
    74. 

  74. 

  75. 	errClientTLSAuth = "error from Client TLS Auth: %q"
    76. 

  76. 

  77. 	errVaultRevokeToken = "error while revoking token: %w"
    78. 

  78. 

  79. 	errUnknownCAProvider = "unknown caProvider type given"
    80. 

  80. 	errCANamespace       = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
    81. 

  81. )
    82. 

  82. 

  83. type Client interface {
    84. 

  84. 	NewRequest(method, requestPath string) *vault.Request
    85. 

  85. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    86. 

  86. 	SetToken(v string)
    87. 

  87. 	Token() string
    88. 

  88. 	ClearToken()
    89. 

  89. 	SetNamespace(namespace string)
    90. 

  90. 	AddHeader(key, value string)
    91. 

  91. }
    92. 

  92. 

  93. type client struct {
    94. 

  94. 	kube      kclient.Client
    95. 

  95. 	store     *esv1alpha1.VaultProvider
    96. 

  96. 	log       logr.Logger
    97. 

  97. 	client    Client
    98. 

  98. 	namespace string
    99. 

  99. 	storeKind string
    100. 

  100. }
    101. 

  101. 

  102. func init() {
    103. 

  103. 	schema.Register(&connector{
    104. 

  104. 		newVaultClient: newVaultClient,
    105. 

  105. 	}, &esv1alpha1.SecretStoreProvider{
    106. 

  106. 		Vault: &esv1alpha1.VaultProvider{},
    107. 

  107. 	})
    108. 

  108. }
    109. 

  109. 

  110. func newVaultClient(c *vault.Config) (Client, error) {
    111. 

  111. 	return vault.NewClient(c)
    112. 

  112. }
    113. 

  113. 

  114. type connector struct {
    115. 

  115. 	newVaultClient func(c *vault.Config) (Client, error)
    116. 

  116. }
    117. 

  117. 

  118. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    119. 

  119. 	storeSpec := store.GetSpec()
    120. 

  120. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    121. 

  121. 		return nil, errors.New(errVaultStore)
    122. 

  122. 	}
    123. 

  123. 	vaultSpec := storeSpec.Provider.Vault
    124. 

  124. 

  125. 	vStore := &client{
    126. 

  126. 		kube:      kube,
    127. 

  127. 		store:     vaultSpec,
    128. 

  128. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    129. 

  129. 		namespace: namespace,
    130. 

  130. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    131. 

  131. 	}
    132. 

  132. 

  133. 	cfg, err := vStore.newConfig()
    134. 

  134. 	if err != nil {
    135. 

  135. 		return nil, err
    136. 

  136. 	}
    137. 

  137. 

  138. 	client, err := c.newVaultClient(cfg)
    139. 

  139. 	if err != nil {
    140. 

  140. 		return nil, fmt.Errorf(errVaultClient, err)
    141. 

  141. 	}
    142. 

  142. 

  143. 	if vaultSpec.Namespace != nil {
    144. 

  144. 		client.SetNamespace(*vaultSpec.Namespace)
    145. 

  145. 	}
    146. 

  146. 

  147. 	if vaultSpec.ReadYourWrites && vaultSpec.ForwardInconsistent {
    148. 

  148. 		client.AddHeader("X-Vault-Inconsistent", "forward-active-node")
    149. 

  149. 	}
    150. 

  150. 

  151. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    152. 

  152. 		return nil, err
    153. 

  153. 	}
    154. 

  154. 

  155. 	vStore.client = client
    156. 

  156. 

  157. 	return vStore, nil
    158. 

  158. }
    159. 

  159. 

  160. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    161. 

  161. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    162. 

  162. 	if err != nil {
    163. 

  163. 		return nil, err
    164. 

  164. 	}
    165. 

  165. 

  166. 	// return raw json if no property is defined
    167. 

  167. 	if ref.Property == "" {
    168. 

  168. 		return data, nil
    169. 

  169. 	}
    170. 

  170. 

  171. 	val := gjson.Get(string(data), ref.Property)
    172. 

  172. 	if !val.Exists() {
    173. 

  173. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    174. 

  174. 	}
    175. 

  175. 	return []byte(val.String()), nil
    176. 

  176. }
    177. 

  177. 

  178. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    179. 

  179. 	data, err := v.GetSecret(ctx, ref)
    180. 

  180. 	if err != nil {
    181. 

  181. 		return nil, err
    182. 

  182. 	}
    183. 

  183. 

  184. 	var secretData map[string]interface{}
    185. 

  185. 	err = json.Unmarshal(data, &secretData)
    186. 

  186. 	if err != nil {
    187. 

  187. 		return nil, err
    188. 

  188. 	}
    189. 

  189. 	byteMap := make(map[string][]byte, len(secretData))
    190. 

  190. 	for k, v := range secretData {
    191. 

  191. 		switch t := v.(type) {
    192. 

  192. 		case string:
    193. 

  193. 			byteMap[k] = []byte(t)
    194. 

  194. 		case map[string]interface{}:
    195. 

  195. 			jsonData, err := json.Marshal(t)
    196. 

  196. 			if err != nil {
    197. 

  197. 				return nil, err
    198. 

  198. 			}
    199. 

  199. 			byteMap[k] = jsonData
    200. 

  200. 		case []byte:
    201. 

  201. 			byteMap[k] = t
    202. 

  202. 		// also covers int and float32 due to json.Marshal
    203. 

  203. 		case float64:
    204. 

  204. 			byteMap[k] = []byte(strconv.FormatFloat(t, 'f', -1, 64))
    205. 

  205. 		case bool:
    206. 

  206. 			byteMap[k] = []byte(strconv.FormatBool(t))
    207. 

  207. 		case nil:
    208. 

  208. 			byteMap[k] = []byte(nil)
    209. 

  209. 		default:
    210. 

  210. 			return nil, errors.New(errSecretFormat)
    211. 

  211. 		}
    212. 

  212. 	}
    213. 

  213. 

  214. 	return byteMap, nil
    215. 

  215. }
    216. 

  216. 

  217. func (v *client) Close(ctx context.Context) error {
    218. 

  218. 	// Revoke the token if we have one set and it wasn't sourced from a TokenSecretRef
    219. 

  219. 	if v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
    220. 

  220. 		req := v.client.NewRequest(http.MethodPost, "/v1/auth/token/revoke-self")
    221. 

  221. 		_, err := v.client.RawRequestWithContext(ctx, req)
    222. 

  222. 		if err != nil {
    223. 

  223. 			return fmt.Errorf(errVaultRevokeToken, err)
    224. 

  224. 		}
    225. 

  225. 		v.client.ClearToken()
    226. 

  226. 	}
    227. 

  227. 	return nil
    228. 

  228. }
    229. 

  229. 

  230. func (v *client) Validate() error {
    231. 

  231. 	err := checkToken(context.Background(), v)
    232. 

  232. 	if err != nil {
    233. 

  233. 		return fmt.Errorf(errInvalidCredentials, err)
    234. 

  234. 	}
    235. 

  235. 	return nil
    236. 

  236. }
    237. 

  237. 

  238. func (v *client) buildPath(path string) string {
    239. 

  239. 	optionalMount := v.store.Path
    240. 

  240. 	origPath := strings.Split(path, "/")
    241. 

  241. 	newPath := make([]string, 0)
    242. 

  242. 	cursor := 0
    243. 

  243. 

  244. 	if optionalMount != nil && origPath[0] != *optionalMount {
    245. 

  245. 		// Default case before path was optional
    246. 

  246. 		// Ensure that the requested path includes the SecretStores paths as prefix
    247. 

  247. 		newPath = append(newPath, *optionalMount)
    248. 

  248. 	} else {
    249. 

  249. 		newPath = append(newPath, origPath[cursor])
    250. 

  250. 		cursor++
    251. 

  251. 	}
    252. 

  252. 

  253. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    254. 

  254. 		// Add the required `data` part of the URL for the v2 API
    255. 

  255. 		if len(origPath) < 2 || origPath[1] != "data" {
    256. 

  256. 			newPath = append(newPath, "data")
    257. 

  257. 		}
    258. 

  258. 	}
    259. 

  259. 	newPath = append(newPath, origPath[cursor:]...)
    260. 

  260. 	returnPath := strings.Join(newPath, "/")
    261. 

  261. 

  262. 	return returnPath
    263. 

  263. }
    264. 

  264. 

  265. func (v *client) readSecret(ctx context.Context, path, version string) ([]byte, error) {
    266. 

  266. 	dataPath := v.buildPath(path)
    267. 

  267. 

  268. 	// path formated according to vault docs for v1 and v2 API
    269. 

  269. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    270. 

  270. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    271. 

  271. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s", dataPath))
    272. 

  272. 	if version != "" {
    273. 

  273. 		req.Params.Set("version", version)
    274. 

  274. 	}
    275. 

  275. 

  276. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    277. 

  277. 	if err != nil {
    278. 

  278. 		return nil, fmt.Errorf(errReadSecret, err)
    279. 

  279. 	}
    280. 

  280. 

  281. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    282. 

  282. 	if err != nil {
    283. 

  283. 		return nil, err
    284. 

  284. 	}
    285. 

  285. 

  286. 	secretData := vaultSecret.Data
    287. 

  287. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    288. 

  288. 		// Vault KV2 has data embedded within sub-field
    289. 

  289. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    290. 

  290. 		dataInt, ok := vaultSecret.Data["data"]
    291. 

  291. 

  292. 		if !ok {
    293. 

  293. 			return nil, errors.New(errDataField)
    294. 

  294. 		}
    295. 

  295. 		secretData, ok = dataInt.(map[string]interface{})
    296. 

  296. 		if !ok {
    297. 

  297. 			return nil, errors.New(errJSONUnmarshall)
    298. 

  298. 		}
    299. 

  299. 	}
    300. 

  300. 

  301. 	// return json string
    302. 

  302. 	return json.Marshal(secretData)
    303. 

  303. }
    304. 

  304. 

  305. func (v *client) newConfig() (*vault.Config, error) {
    306. 

  306. 	cfg := vault.DefaultConfig()
    307. 

  307. 	cfg.Address = v.store.Server
    308. 

  308. 

  309. 	if len(v.store.CABundle) == 0 && v.store.CAProvider == nil {
    310. 

  310. 		return cfg, nil
    311. 

  311. 	}
    312. 

  312. 

  313. 	caCertPool := x509.NewCertPool()
    314. 

  314. 

  315. 	if len(v.store.CABundle) > 0 {
    316. 

  316. 		ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    317. 

  317. 		if !ok {
    318. 

  318. 			return nil, errors.New(errVaultCert)
    319. 

  319. 		}
    320. 

  320. 	}
    321. 

  321. 

  322. 	if v.store.CAProvider != nil && v.storeKind == esv1alpha1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
    323. 

  323. 		return nil, errors.New(errCANamespace)
    324. 

  324. 	}
    325. 

  325. 

  326. 	if v.store.CAProvider != nil {
    327. 

  327. 		var cert []byte
    328. 

  328. 		var err error
    329. 

  329. 

  330. 		switch v.store.CAProvider.Type {
    331. 

  331. 		case esv1alpha1.CAProviderTypeSecret:
    332. 

  332. 			cert, err = getCertFromSecret(v)
    333. 

  333. 		case esv1alpha1.CAProviderTypeConfigMap:
    334. 

  334. 			cert, err = getCertFromConfigMap(v)
    335. 

  335. 		default:
    336. 

  336. 			return nil, errors.New(errUnknownCAProvider)
    337. 

  337. 		}
    338. 

  338. 

  339. 		if err != nil {
    340. 

  340. 			return nil, err
    341. 

  341. 		}
    342. 

  342. 

  343. 		ok := caCertPool.AppendCertsFromPEM(cert)
    344. 

  344. 		if !ok {
    345. 

  345. 			return nil, errors.New(errVaultCert)
    346. 

  346. 		}
    347. 

  347. 	}
    348. 

  348. 

  349. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    350. 

  350. 		transport.TLSClientConfig.RootCAs = caCertPool
    351. 

  351. 	}
    352. 

  352. 

  353. 	// If either read-after-write consistency feature is enabled, enable ReadYourWrites
    354. 

  354. 	cfg.ReadYourWrites = v.store.ReadYourWrites || v.store.ForwardInconsistent
    355. 

  355. 

  356. 	return cfg, nil
    357. 

  357. }
    358. 

  358. 

  359. func getCertFromSecret(v *client) ([]byte, error) {
    360. 

  360. 	secretRef := esmeta.SecretKeySelector{
    361. 

  361. 		Name: v.store.CAProvider.Name,
    362. 

  362. 		Key:  v.store.CAProvider.Key,
    363. 

  363. 	}
    364. 

  364. 

  365. 	if v.store.CAProvider.Namespace != nil {
    366. 

  366. 		secretRef.Namespace = v.store.CAProvider.Namespace
    367. 

  367. 	}
    368. 

  368. 

  369. 	ctx := context.Background()
    370. 

  370. 	res, err := v.secretKeyRef(ctx, &secretRef)
    371. 

  371. 	if err != nil {
    372. 

  372. 		return nil, fmt.Errorf(errVaultCert, err)
    373. 

  373. 	}
    374. 

  374. 

  375. 	return []byte(res), nil
    376. 

  376. }
    377. 

  377. 

  378. func getCertFromConfigMap(v *client) ([]byte, error) {
    379. 

  379. 	objKey := types.NamespacedName{
    380. 

  380. 		Name: v.store.CAProvider.Name,
    381. 

  381. 	}
    382. 

  382. 

  383. 	if v.store.CAProvider.Namespace != nil {
    384. 

  384. 		objKey.Namespace = *v.store.CAProvider.Namespace
    385. 

  385. 	}
    386. 

  386. 

  387. 	configMapRef := &corev1.ConfigMap{}
    388. 

  388. 	ctx := context.Background()
    389. 

  389. 	err := v.kube.Get(ctx, objKey, configMapRef)
    390. 

  390. 	if err != nil {
    391. 

  391. 		return nil, fmt.Errorf(errVaultCert, err)
    392. 

  392. 	}
    393. 

  393. 

  394. 	val, ok := configMapRef.Data[v.store.CAProvider.Key]
    395. 

  395. 	if !ok {
    396. 

  396. 		return nil, fmt.Errorf(errConfigMapFmt, v.store.CAProvider.Key)
    397. 

  397. 	}
    398. 

  398. 

  399. 	return []byte(val), nil
    400. 

  400. }
    401. 

  401. 

  402. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    403. 

  403. 	tokenExists, err := setSecretKeyToken(ctx, v, client)
    404. 

  404. 	if tokenExists {
    405. 

  405. 		return err
    406. 

  406. 	}
    407. 

  407. 

  408. 	tokenExists, err = setAppRoleToken(ctx, v, client)
    409. 

  409. 	if tokenExists {
    410. 

  410. 		return err
    411. 

  411. 	}
    412. 

  412. 

  413. 	tokenExists, err = setKubernetesAuthToken(ctx, v, client)
    414. 

  414. 	if tokenExists {
    415. 

  415. 		return err
    416. 

  416. 	}
    417. 

  417. 

  418. 	tokenExists, err = setLdapAuthToken(ctx, v, client)
    419. 

  419. 	if tokenExists {
    420. 

  420. 		return err
    421. 

  421. 	}
    422. 

  422. 

  423. 	tokenExists, err = setJwtAuthToken(ctx, v, client)
    424. 

  424. 	if tokenExists {
    425. 

  425. 		return err
    426. 

  426. 	}
    427. 

  427. 

  428. 	tokenExists, err = setCertAuthToken(ctx, v, client, cfg)
    429. 

  429. 	if tokenExists {
    430. 

  430. 		return err
    431. 

  431. 	}
    432. 

  432. 

  433. 	return errors.New(errAuthFormat)
    434. 

  434. }
    435. 

  435. 

  436. func setAppRoleToken(ctx context.Context, v *client, client Client) (bool, error) {
    437. 

  437. 	tokenRef := v.store.Auth.TokenSecretRef
    438. 

  438. 	if tokenRef != nil {
    439. 

  439. 		token, err := v.secretKeyRef(ctx, tokenRef)
    440. 

  440. 		if err != nil {
    441. 

  441. 			return true, err
    442. 

  442. 		}
    443. 

  443. 		client.SetToken(token)
    444. 

  444. 		return true, nil
    445. 

  445. 	}
    446. 

  446. 	return false, nil
    447. 

  447. }
    448. 

  448. 

  449. func setSecretKeyToken(ctx context.Context, v *client, client Client) (bool, error) {
    450. 

  450. 	appRole := v.store.Auth.AppRole
    451. 

  451. 	if appRole != nil {
    452. 

  452. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    453. 

  453. 		if err != nil {
    454. 

  454. 			return true, err
    455. 

  455. 		}
    456. 

  456. 		client.SetToken(token)
    457. 

  457. 		return true, nil
    458. 

  458. 	}
    459. 

  459. 	return false, nil
    460. 

  460. }
    461. 

  461. 

  462. func setKubernetesAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    463. 

  463. 	kubernetesAuth := v.store.Auth.Kubernetes
    464. 

  464. 	if kubernetesAuth != nil {
    465. 

  465. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    466. 

  466. 		if err != nil {
    467. 

  467. 			return true, err
    468. 

  468. 		}
    469. 

  469. 		client.SetToken(token)
    470. 

  470. 		return true, nil
    471. 

  471. 	}
    472. 

  472. 	return false, nil
    473. 

  473. }
    474. 

  474. 

  475. func setLdapAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    476. 

  476. 	ldapAuth := v.store.Auth.Ldap
    477. 

  477. 	if ldapAuth != nil {
    478. 

  478. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    479. 

  479. 		if err != nil {
    480. 

  480. 			return true, err
    481. 

  481. 		}
    482. 

  482. 		client.SetToken(token)
    483. 

  483. 		return true, nil
    484. 

  484. 	}
    485. 

  485. 	return false, nil
    486. 

  486. }
    487. 

  487. 

  488. func setJwtAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    489. 

  489. 	jwtAuth := v.store.Auth.Jwt
    490. 

  490. 	if jwtAuth != nil {
    491. 

  491. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    492. 

  492. 		if err != nil {
    493. 

  493. 			return true, err
    494. 

  494. 		}
    495. 

  495. 		client.SetToken(token)
    496. 

  496. 		return true, nil
    497. 

  497. 	}
    498. 

  498. 	return false, nil
    499. 

  499. }
    500. 

  500. 

  501. func setCertAuthToken(ctx context.Context, v *client, client Client, cfg *vault.Config) (bool, error) {
    502. 

  502. 	certAuth := v.store.Auth.Cert
    503. 

  503. 	if certAuth != nil {
    504. 

  504. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    505. 

  505. 		if err != nil {
    506. 

  506. 			return true, err
    507. 

  507. 		}
    508. 

  508. 		client.SetToken(token)
    509. 

  509. 		return true, nil
    510. 

  510. 	}
    511. 

  511. 	return false, nil
    512. 

  512. }
    513. 

  513. 

  514. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    515. 

  515. 	serviceAccount := &corev1.ServiceAccount{}
    516. 

  516. 	ref := types.NamespacedName{
    517. 

  517. 		Namespace: v.namespace,
    518. 

  518. 		Name:      serviceAccountRef.Name,
    519. 

  519. 	}
    520. 

  520. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    521. 

  521. 		(serviceAccountRef.Namespace != nil) {
    522. 

  522. 		ref.Namespace = *serviceAccountRef.Namespace
    523. 

  523. 	}
    524. 

  524. 	err := v.kube.Get(ctx, ref, serviceAccount)
    525. 

  525. 	if err != nil {
    526. 

  526. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    527. 

  527. 	}
    528. 

  528. 	if len(serviceAccount.Secrets) == 0 {
    529. 

  529. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    530. 

  530. 	}
    531. 

  531. 	for _, tokenRef := range serviceAccount.Secrets {
    532. 

  532. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    533. 

  533. 			Name:      tokenRef.Name,
    534. 

  534. 			Namespace: &ref.Namespace,
    535. 

  535. 			Key:       "token",
    536. 

  536. 		})
    537. 

  537. 

  538. 		if err != nil {
    539. 

  539. 			continue
    540. 

  540. 		}
    541. 

  541. 

  542. 		return retval, nil
    543. 

  543. 	}
    544. 

  544. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    545. 

  545. }
    546. 

  546. 

  547. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    548. 

  548. 	secret := &corev1.Secret{}
    549. 

  549. 	ref := types.NamespacedName{
    550. 

  550. 		Namespace: v.namespace,
    551. 

  551. 		Name:      secretRef.Name,
    552. 

  552. 	}
    553. 

  553. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    554. 

  554. 		(secretRef.Namespace != nil) {
    555. 

  555. 		ref.Namespace = *secretRef.Namespace
    556. 

  556. 	}
    557. 

  557. 	err := v.kube.Get(ctx, ref, secret)
    558. 

  558. 	if err != nil {
    559. 

  559. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    560. 

  560. 	}
    561. 

  561. 

  562. 	keyBytes, ok := secret.Data[secretRef.Key]
    563. 

  563. 	if !ok {
    564. 

  564. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    565. 

  565. 	}
    566. 

  566. 

  567. 	value := string(keyBytes)
    568. 

  568. 	valueStr := strings.TrimSpace(value)
    569. 

  569. 	return valueStr, nil
    570. 

  570. }
    571. 

  571. 

  572. // checkToken does a lookup and checks if the provided token exists.
    573. 

  573. func checkToken(ctx context.Context, vStore *client) error {
    574. 

  574. 	// https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self
    575. 

  575. 	req := vStore.client.NewRequest("GET", "/v1/auth/token/lookup-self")
    576. 

  576. 	_, err := vStore.client.RawRequestWithContext(ctx, req)
    577. 

  577. 	return err
    578. 

  578. }
    579. 

  579. 

  580. // appRoleParameters creates the required body for Vault AppRole Auth.
    581. 

  581. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    582. 

  582. func appRoleParameters(role, secret string) map[string]string {
    583. 

  583. 	return map[string]string{
    584. 

  584. 		"role_id":   role,
    585. 

  585. 		"secret_id": secret,
    586. 

  586. 	}
    587. 

  587. }
    588. 

  588. 

  589. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    590. 

  590. 	roleID := strings.TrimSpace(appRole.RoleID)
    591. 

  591. 

  592. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    593. 

  593. 	if err != nil {
    594. 

  594. 		return "", err
    595. 

  595. 	}
    596. 

  596. 

  597. 	parameters := appRoleParameters(roleID, secretID)
    598. 

  598. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    599. 

  599. 	request := client.NewRequest("POST", url)
    600. 

  600. 

  601. 	err = request.SetJSONBody(parameters)
    602. 

  602. 	if err != nil {
    603. 

  603. 		return "", fmt.Errorf(errVaultReqParams, err)
    604. 

  604. 	}
    605. 

  605. 

  606. 	resp, err := client.RawRequestWithContext(ctx, request)
    607. 

  607. 	if err != nil {
    608. 

  608. 		return "", fmt.Errorf(errVaultRequest, err)
    609. 

  609. 	}
    610. 

  610. 

  611. 	defer resp.Body.Close()
    612. 

  612. 

  613. 	vaultResult := vault.Secret{}
    614. 

  614. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    615. 

  615. 		return "", fmt.Errorf(errVaultResponse, err)
    616. 

  616. 	}
    617. 

  617. 

  618. 	token, err := vaultResult.TokenID()
    619. 

  619. 	if err != nil {
    620. 

  620. 		return "", fmt.Errorf(errVaultToken, err)
    621. 

  621. 	}
    622. 

  622. 

  623. 	return token, nil
    624. 

  624. }
    625. 

  625. 

  626. // kubeParameters creates the required body for Vault Kubernetes auth.
    627. 

  627. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    628. 

  628. func kubeParameters(role, jwt string) map[string]string {
    629. 

  629. 	return map[string]string{
    630. 

  630. 		"role": role,
    631. 

  631. 		"jwt":  jwt,
    632. 

  632. 	}
    633. 

  633. }
    634. 

  634. 

  635. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    636. 

  636. 	jwtString, err := getJwtString(ctx, v, kubernetesAuth)
    637. 

  637. 	if err != nil {
    638. 

  638. 		return "", err
    639. 

  639. 	}
    640. 

  640. 

  641. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    642. 

  642. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    643. 

  643. 	request := client.NewRequest("POST", url)
    644. 

  644. 

  645. 	err = request.SetJSONBody(parameters)
    646. 

  646. 	if err != nil {
    647. 

  647. 		return "", fmt.Errorf(errVaultReqParams, err)
    648. 

  648. 	}
    649. 

  649. 

  650. 	resp, err := client.RawRequestWithContext(ctx, request)
    651. 

  651. 	if err != nil {
    652. 

  652. 		return "", fmt.Errorf(errVaultRequest, err)
    653. 

  653. 	}
    654. 

  654. 

  655. 	defer resp.Body.Close()
    656. 

  656. 	vaultResult := vault.Secret{}
    657. 

  657. 	err = resp.DecodeJSON(&vaultResult)
    658. 

  658. 	if err != nil {
    659. 

  659. 		return "", fmt.Errorf(errVaultResponse, err)
    660. 

  660. 	}
    661. 

  661. 

  662. 	token, err := vaultResult.TokenID()
    663. 

  663. 	if err != nil {
    664. 

  664. 		return "", fmt.Errorf(errVaultToken, err)
    665. 

  665. 	}
    666. 

  666. 

  667. 	return token, nil
    668. 

  668. }
    669. 

  669. 

  670. func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    671. 

  671. 	if kubernetesAuth.ServiceAccountRef != nil {
    672. 

  672. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    673. 

  673. 		if err != nil {
    674. 

  674. 			return "", err
    675. 

  675. 		}
    676. 

  676. 		return jwt, nil
    677. 

  677. 	} else if kubernetesAuth.SecretRef != nil {
    678. 

  678. 		tokenRef := kubernetesAuth.SecretRef
    679. 

  679. 		if tokenRef.Key == "" {
    680. 

  680. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    681. 

  681. 			tokenRef.Key = "token"
    682. 

  682. 		}
    683. 

  683. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    684. 

  684. 		if err != nil {
    685. 

  685. 			return "", err
    686. 

  686. 		}
    687. 

  687. 		return jwt, nil
    688. 

  688. 	} else {
    689. 

  689. 		// Kubernetes authentication is specified, but without a referenced
    690. 

  690. 		// Kubernetes secret. We check if the file path for in-cluster service account
    691. 

  691. 		// exists and attempt to use the token for Vault Kubernetes auth.
    692. 

  692. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    693. 

  693. 			return "", fmt.Errorf(errServiceAccount, err)
    694. 

  694. 		}
    695. 

  695. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    696. 

  696. 		if err != nil {
    697. 

  697. 			return "", fmt.Errorf(errServiceAccount, err)
    698. 

  698. 		}
    699. 

  699. 		return string(jwtByte), nil
    700. 

  700. 	}
    701. 

  701. }
    702. 

  702. 

  703. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    704. 

  704. 	username := strings.TrimSpace(ldapAuth.Username)
    705. 

  705. 

  706. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    707. 

  707. 	if err != nil {
    708. 

  708. 		return "", err
    709. 

  709. 	}
    710. 

  710. 

  711. 	parameters := map[string]string{
    712. 

  712. 		"password": password,
    713. 

  713. 	}
    714. 

  714. 	url := strings.Join([]string{"/v1", "auth", ldapAuth.Path, "login", username}, "/")
    715. 

  715. 	request := client.NewRequest("POST", url)
    716. 

  716. 

  717. 	err = request.SetJSONBody(parameters)
    718. 

  718. 	if err != nil {
    719. 

  719. 		return "", fmt.Errorf(errVaultReqParams, err)
    720. 

  720. 	}
    721. 

  721. 

  722. 	resp, err := client.RawRequestWithContext(ctx, request)
    723. 

  723. 	if err != nil {
    724. 

  724. 		return "", fmt.Errorf(errVaultRequest, err)
    725. 

  725. 	}
    726. 

  726. 

  727. 	defer resp.Body.Close()
    728. 

  728. 

  729. 	vaultResult := vault.Secret{}
    730. 

  730. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    731. 

  731. 		return "", fmt.Errorf(errVaultResponse, err)
    732. 

  732. 	}
    733. 

  733. 

  734. 	token, err := vaultResult.TokenID()
    735. 

  735. 	if err != nil {
    736. 

  736. 		return "", fmt.Errorf(errVaultToken, err)
    737. 

  737. 	}
    738. 

  738. 

  739. 	return token, nil
    740. 

  740. }
    741. 

  741. 

  742. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    743. 

  743. 	role := strings.TrimSpace(jwtAuth.Role)
    744. 

  744. 

  745. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    746. 

  746. 	if err != nil {
    747. 

  747. 		return "", err
    748. 

  748. 	}
    749. 

  749. 

  750. 	parameters := map[string]string{
    751. 

  751. 		"role": role,
    752. 

  752. 		"jwt":  jwt,
    753. 

  753. 	}
    754. 

  754. 	url := strings.Join([]string{"/v1", "auth", jwtAuth.Path, "login"}, "/")
    755. 

  755. 	request := client.NewRequest("POST", url)
    756. 

  756. 

  757. 	err = request.SetJSONBody(parameters)
    758. 

  758. 	if err != nil {
    759. 

  759. 		return "", fmt.Errorf(errVaultReqParams, err)
    760. 

  760. 	}
    761. 

  761. 

  762. 	resp, err := client.RawRequestWithContext(ctx, request)
    763. 

  763. 	if err != nil {
    764. 

  764. 		return "", fmt.Errorf(errVaultRequest, err)
    765. 

  765. 	}
    766. 

  766. 

  767. 	defer resp.Body.Close()
    768. 

  768. 

  769. 	vaultResult := vault.Secret{}
    770. 

  770. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    771. 

  771. 		return "", fmt.Errorf(errVaultResponse, err)
    772. 

  772. 	}
    773. 

  773. 

  774. 	token, err := vaultResult.TokenID()
    775. 

  775. 	if err != nil {
    776. 

  776. 		return "", fmt.Errorf(errVaultToken, err)
    777. 

  777. 	}
    778. 

  778. 

  779. 	return token, nil
    780. 

  780. }
    781. 

  781. 

  782. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
    783. 

  783. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    784. 

  784. 	if err != nil {
    785. 

  785. 		return "", err
    786. 

  786. 	}
    787. 

  787. 

  788. 	clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
    789. 

  789. 	if err != nil {
    790. 

  790. 		return "", err
    791. 

  791. 	}
    792. 

  792. 

  793. 	cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
    794. 

  794. 	if err != nil {
    795. 

  795. 		return "", fmt.Errorf(errClientTLSAuth, err)
    796. 

  796. 	}
    797. 

  797. 

  798. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    799. 

  799. 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
    800. 

  800. 	}
    801. 

  801. 

  802. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    803. 

  803. 	request := client.NewRequest("POST", url)
    804. 

  804. 

  805. 	resp, err := client.RawRequestWithContext(ctx, request)
    806. 

  806. 	if err != nil {
    807. 

  807. 		return "", fmt.Errorf(errVaultRequest, err)
    808. 

  808. 	}
    809. 

  809. 

  810. 	defer resp.Body.Close()
    811. 

  811. 

  812. 	vaultResult := vault.Secret{}
    813. 

  813. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    814. 

  814. 		return "", fmt.Errorf(errVaultResponse, err)
    815. 

  815. 	}
    816. 

  816. 

  817. 	token, err := vaultResult.TokenID()
    818. 

  818. 	if err != nil {
    819. 

  819. 		return "", fmt.Errorf(errVaultToken, err)
    820. 

  820. 	}
    821. 

  821. 

  822. 	return token, nil
    823. 

  823. }
    824.