vault.go 55 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package vault
  13. import (
  14. "bytes"
  15. "context"
  16. "crypto/tls"
  17. "crypto/x509"
  18. "encoding/json"
  19. "errors"
  20. "fmt"
  21. "net/http"
  22. "os"
  23. "strings"
  24. "time"
  25. "github.com/aws/aws-sdk-go/aws"
  26. "github.com/aws/aws-sdk-go/aws/credentials"
  27. "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
  28. "github.com/go-logr/logr"
  29. "github.com/golang-jwt/jwt/v5"
  30. vault "github.com/hashicorp/vault/api"
  31. approle "github.com/hashicorp/vault/api/auth/approle"
  32. authaws "github.com/hashicorp/vault/api/auth/aws"
  33. authkubernetes "github.com/hashicorp/vault/api/auth/kubernetes"
  34. authldap "github.com/hashicorp/vault/api/auth/ldap"
  35. authuserpass "github.com/hashicorp/vault/api/auth/userpass"
  36. "github.com/spf13/pflag"
  37. "github.com/tidwall/gjson"
  38. authenticationv1 "k8s.io/api/authentication/v1"
  39. corev1 "k8s.io/api/core/v1"
  40. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  41. "k8s.io/apimachinery/pkg/types"
  42. "k8s.io/client-go/kubernetes"
  43. typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
  44. ctrl "sigs.k8s.io/controller-runtime"
  45. kclient "sigs.k8s.io/controller-runtime/pkg/client"
  46. ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
  47. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  48. esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
  49. "github.com/external-secrets/external-secrets/pkg/cache"
  50. "github.com/external-secrets/external-secrets/pkg/constants"
  51. "github.com/external-secrets/external-secrets/pkg/feature"
  52. "github.com/external-secrets/external-secrets/pkg/find"
  53. "github.com/external-secrets/external-secrets/pkg/metrics"
  54. vaultiamauth "github.com/external-secrets/external-secrets/pkg/provider/vault/iamauth"
  55. "github.com/external-secrets/external-secrets/pkg/provider/vault/util"
  56. "github.com/external-secrets/external-secrets/pkg/utils"
  57. )
  58. var (
  59. _ esv1beta1.Provider = &Connector{}
  60. _ esv1beta1.SecretsClient = &client{}
  61. enableCache bool
  62. logger = ctrl.Log.WithName("provider").WithName("vault")
  63. clientCache *cache.Cache[util.Client]
  64. )
  65. const (
  66. serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
  67. defaultAWSRegion = "us-east-1"
  68. defaultAWSAuthMountPath = "aws"
  69. errVaultStore = "received invalid Vault SecretStore resource: %w"
  70. errVaultCacheCreate = "cannot create Vault client cache: %s"
  71. errVaultCacheRemove = "error removing item from Vault client cache: %w"
  72. errVaultCacheEviction = "unexpected eviction from Vault client cache"
  73. errVaultClient = "cannot setup new vault client: %w"
  74. errVaultCert = "cannot set Vault CA certificate: %w"
  75. errReadSecret = "cannot read secret data from Vault: %w"
  76. errAuthFormat = "cannot initialize Vault client: no valid auth method specified"
  77. errInvalidCredentials = "invalid vault credentials: %w"
  78. errDataField = "failed to find data field"
  79. errJSONUnmarshall = "failed to unmarshall JSON"
  80. errPathInvalid = "provided Path isn't a valid kv v2 path"
  81. errUnexpectedKey = "unexpected key in data: %s"
  82. errVaultToken = "cannot parse Vault authentication token: %w"
  83. errVaultRequest = "error from Vault request: %w"
  84. errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
  85. errJwtNoTokenSource = "neither `secretRef` nor `kubernetesServiceAccountToken` was supplied as token source for jwt authentication"
  86. errUnsupportedKvVersion = "cannot perform find operations with kv version v1"
  87. errUnsupportedMetadataKvVersion = "cannot perform metadata fetch operations with kv version v1"
  88. errNotFound = "secret not found"
  89. errIrsaTokenEnvVarNotFoundOnPod = "expected env variable: %s not found on controller's pod"
  90. errIrsaTokenFileNotFoundOnPod = "web ddentity token file not found at %s location: %w"
  91. errIrsaTokenFileNotReadable = "could not read the web identity token from the file %s: %w"
  92. errIrsaTokenNotValidJWT = "could not parse web identity token available at %s. not a valid jwt?: %w"
  93. errPodInfoNotFoundOnToken = "could not find pod identity info on token %s: %w"
  94. errGetKubeSA = "cannot get Kubernetes service account %q: %w"
  95. errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
  96. errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
  97. errGetKubeSATokenRequest = "cannot request Kubernetes service account token for service account %q: %w"
  98. errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
  99. errSecretKeyFmt = "cannot find secret data for key: %q"
  100. errConfigMapFmt = "cannot find config map data for key: %q"
  101. errClientTLSAuth = "error from Client TLS Auth: %q"
  102. errVaultRevokeToken = "error while revoking token: %w"
  103. errUnknownCAProvider = "unknown caProvider type given"
  104. errCANamespace = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
  105. errInvalidStore = "invalid store"
  106. errInvalidStoreSpec = "invalid store spec"
  107. errInvalidStoreProv = "invalid store provider"
  108. errInvalidVaultProv = "invalid vault provider"
  109. errInvalidAppRoleID = "invalid Auth.AppRole: neither `roleId` nor `roleRef` was supplied"
  110. errInvalidAppRoleRef = "invalid Auth.AppRole.RoleRef: %w"
  111. errInvalidAppRoleSec = "invalid Auth.AppRole.SecretRef: %w"
  112. errInvalidClientCert = "invalid Auth.Cert.ClientCert: %w"
  113. errInvalidCertSec = "invalid Auth.Cert.SecretRef: %w"
  114. errInvalidJwtSec = "invalid Auth.Jwt.SecretRef: %w"
  115. errInvalidJwtK8sSA = "invalid Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef: %w"
  116. errInvalidKubeSA = "invalid Auth.Kubernetes.ServiceAccountRef: %w"
  117. errInvalidKubeSec = "invalid Auth.Kubernetes.SecretRef: %w"
  118. errInvalidLdapSec = "invalid Auth.Ldap.SecretRef: %w"
  119. errInvalidTokenRef = "invalid Auth.TokenSecretRef: %w"
  120. errInvalidUserPassSec = "invalid Auth.UserPass.SecretRef: %w"
  121. )
  122. // https://github.com/external-secrets/external-secrets/issues/644
  123. var _ esv1beta1.SecretsClient = &client{}
  124. var _ esv1beta1.Provider = &Connector{}
  125. type client struct {
  126. kube kclient.Client
  127. store *esv1beta1.VaultProvider
  128. log logr.Logger
  129. corev1 typedcorev1.CoreV1Interface
  130. client util.Client
  131. auth util.Auth
  132. logical util.Logical
  133. token util.Token
  134. namespace string
  135. storeKind string
  136. }
  137. func NewVaultClient(c *vault.Config) (util.Client, error) {
  138. cl, err := vault.NewClient(c)
  139. if err != nil {
  140. return nil, err
  141. }
  142. auth := cl.Auth()
  143. logical := cl.Logical()
  144. token := cl.Auth().Token()
  145. out := util.VClient{
  146. SetTokenFunc: cl.SetToken,
  147. TokenFunc: cl.Token,
  148. ClearTokenFunc: cl.ClearToken,
  149. AuthField: auth,
  150. AuthTokenField: token,
  151. LogicalField: logical,
  152. SetNamespaceFunc: cl.SetNamespace,
  153. AddHeaderFunc: cl.AddHeader,
  154. }
  155. return &out, nil
  156. }
  157. func getVaultClient(c *Connector, store esv1beta1.GenericStore, cfg *vault.Config) (util.Client, error) {
  158. isStaticToken := store.GetSpec().Provider.Vault.Auth.TokenSecretRef != nil
  159. useCache := enableCache && !isStaticToken
  160. key := cache.Key{
  161. Name: store.GetObjectMeta().Name,
  162. Namespace: store.GetObjectMeta().Namespace,
  163. Kind: store.GetTypeMeta().Kind,
  164. }
  165. if useCache {
  166. client, ok := clientCache.Get(store.GetObjectMeta().ResourceVersion, key)
  167. if ok {
  168. return client, nil
  169. }
  170. }
  171. client, err := c.NewVaultClient(cfg)
  172. if err != nil {
  173. return nil, fmt.Errorf(errVaultClient, err)
  174. }
  175. if useCache && !clientCache.Contains(key) {
  176. clientCache.Add(store.GetObjectMeta().ResourceVersion, key, client)
  177. }
  178. return client, nil
  179. }
  180. type Connector struct {
  181. NewVaultClient func(c *vault.Config) (util.Client, error)
  182. }
  183. // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
  184. func (c *Connector) Capabilities() esv1beta1.SecretStoreCapabilities {
  185. return esv1beta1.SecretStoreReadWrite
  186. }
  187. func (c *Connector) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
  188. // controller-runtime/client does not support TokenRequest or other subresource APIs
  189. // so we need to construct our own client and use it to fetch tokens
  190. // (for Kubernetes service account token auth)
  191. restCfg, err := ctrlcfg.GetConfig()
  192. if err != nil {
  193. return nil, err
  194. }
  195. clientset, err := kubernetes.NewForConfig(restCfg)
  196. if err != nil {
  197. return nil, err
  198. }
  199. return c.newClient(ctx, store, kube, clientset.CoreV1(), namespace)
  200. }
  201. func (c *Connector) newClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, corev1 typedcorev1.CoreV1Interface, namespace string) (esv1beta1.SecretsClient, error) {
  202. storeSpec := store.GetSpec()
  203. if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
  204. return nil, errors.New(errVaultStore)
  205. }
  206. vaultSpec := storeSpec.Provider.Vault
  207. vStore, cfg, err := c.prepareConfig(kube, corev1, vaultSpec, storeSpec.RetrySettings, namespace, store.GetObjectKind().GroupVersionKind().Kind)
  208. if err != nil {
  209. return nil, err
  210. }
  211. client, err := getVaultClient(c, store, cfg)
  212. if err != nil {
  213. return nil, fmt.Errorf(errVaultClient, err)
  214. }
  215. return c.initClient(ctx, vStore, client, cfg, vaultSpec)
  216. }
  217. func (c *Connector) NewGeneratorClient(ctx context.Context, kube kclient.Client, corev1 typedcorev1.CoreV1Interface, vaultSpec *esv1beta1.VaultProvider, namespace string) (util.Client, error) {
  218. vStore, cfg, err := c.prepareConfig(kube, corev1, vaultSpec, nil, namespace, "Generator")
  219. if err != nil {
  220. return nil, err
  221. }
  222. client, err := c.NewVaultClient(cfg)
  223. if err != nil {
  224. return nil, err
  225. }
  226. _, err = c.initClient(ctx, vStore, client, cfg, vaultSpec)
  227. if err != nil {
  228. return nil, err
  229. }
  230. return client, nil
  231. }
  232. func (c *Connector) prepareConfig(kube kclient.Client, corev1 typedcorev1.CoreV1Interface, vaultSpec *esv1beta1.VaultProvider, retrySettings *esv1beta1.SecretStoreRetrySettings, namespace, storeKind string) (*client, *vault.Config, error) {
  233. vStore := &client{
  234. kube: kube,
  235. corev1: corev1,
  236. store: vaultSpec,
  237. log: logger,
  238. namespace: namespace,
  239. storeKind: storeKind,
  240. }
  241. cfg, err := vStore.newConfig()
  242. if err != nil {
  243. return nil, nil, err
  244. }
  245. // Setup retry options if present
  246. if retrySettings != nil {
  247. if retrySettings.MaxRetries != nil {
  248. cfg.MaxRetries = int(*retrySettings.MaxRetries)
  249. } else {
  250. // By default we rely only on the reconciliation process for retrying
  251. cfg.MaxRetries = 0
  252. }
  253. if retrySettings.RetryInterval != nil {
  254. retryWait, err := time.ParseDuration(*retrySettings.RetryInterval)
  255. if err != nil {
  256. return nil, nil, err
  257. }
  258. cfg.MinRetryWait = retryWait
  259. cfg.MaxRetryWait = retryWait
  260. }
  261. }
  262. return vStore, cfg, nil
  263. }
  264. func (c *Connector) initClient(ctx context.Context, vStore *client, client util.Client, cfg *vault.Config, vaultSpec *esv1beta1.VaultProvider) (esv1beta1.SecretsClient, error) {
  265. if vaultSpec.Namespace != nil {
  266. client.SetNamespace(*vaultSpec.Namespace)
  267. }
  268. if vaultSpec.ReadYourWrites && vaultSpec.ForwardInconsistent {
  269. client.AddHeader("X-Vault-Inconsistent", "forward-active-node")
  270. }
  271. vStore.client = client
  272. vStore.auth = client.Auth()
  273. vStore.logical = client.Logical()
  274. vStore.token = client.AuthToken()
  275. // allow SecretStore controller validation to pass
  276. // when using referent namespace.
  277. if vStore.storeKind == esv1beta1.ClusterSecretStoreKind && vStore.namespace == "" && isReferentSpec(vaultSpec) {
  278. return vStore, nil
  279. }
  280. if err := vStore.setAuth(ctx, cfg); err != nil {
  281. return nil, err
  282. }
  283. return vStore, nil
  284. }
  285. func (c *Connector) ValidateStore(store esv1beta1.GenericStore) error {
  286. if store == nil {
  287. return fmt.Errorf(errInvalidStore)
  288. }
  289. spc := store.GetSpec()
  290. if spc == nil {
  291. return fmt.Errorf(errInvalidStoreSpec)
  292. }
  293. if spc.Provider == nil {
  294. return fmt.Errorf(errInvalidStoreProv)
  295. }
  296. p := spc.Provider.Vault
  297. if p == nil {
  298. return fmt.Errorf(errInvalidVaultProv)
  299. }
  300. if p.Auth.AppRole != nil {
  301. // check SecretRef for valid configuration
  302. if err := utils.ValidateReferentSecretSelector(store, p.Auth.AppRole.SecretRef); err != nil {
  303. return fmt.Errorf(errInvalidAppRoleSec, err)
  304. }
  305. // prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
  306. if p.Auth.AppRole.RoleID == "" { // prevents further RoleID tests if .auth.appRole.roleId is given
  307. if p.Auth.AppRole.RoleRef != nil { // check RoleRef for valid configuration
  308. if err := utils.ValidateReferentSecretSelector(store, *p.Auth.AppRole.RoleRef); err != nil {
  309. return fmt.Errorf(errInvalidAppRoleRef, err)
  310. }
  311. } else { // we ran out of ways to get RoleID. return an appropriate error
  312. return fmt.Errorf(errInvalidAppRoleID)
  313. }
  314. }
  315. }
  316. if p.Auth.Cert != nil {
  317. if err := utils.ValidateReferentSecretSelector(store, p.Auth.Cert.ClientCert); err != nil {
  318. return fmt.Errorf(errInvalidClientCert, err)
  319. }
  320. if err := utils.ValidateReferentSecretSelector(store, p.Auth.Cert.SecretRef); err != nil {
  321. return fmt.Errorf(errInvalidCertSec, err)
  322. }
  323. }
  324. if p.Auth.Jwt != nil {
  325. if p.Auth.Jwt.SecretRef != nil {
  326. if err := utils.ValidateReferentSecretSelector(store, *p.Auth.Jwt.SecretRef); err != nil {
  327. return fmt.Errorf(errInvalidJwtSec, err)
  328. }
  329. } else if p.Auth.Jwt.KubernetesServiceAccountToken != nil {
  330. if err := utils.ValidateReferentServiceAccountSelector(store, p.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef); err != nil {
  331. return fmt.Errorf(errInvalidJwtK8sSA, err)
  332. }
  333. } else {
  334. return fmt.Errorf(errJwtNoTokenSource)
  335. }
  336. }
  337. if p.Auth.Kubernetes != nil {
  338. if p.Auth.Kubernetes.ServiceAccountRef != nil {
  339. if err := utils.ValidateReferentServiceAccountSelector(store, *p.Auth.Kubernetes.ServiceAccountRef); err != nil {
  340. return fmt.Errorf(errInvalidKubeSA, err)
  341. }
  342. }
  343. if p.Auth.Kubernetes.SecretRef != nil {
  344. if err := utils.ValidateReferentSecretSelector(store, *p.Auth.Kubernetes.SecretRef); err != nil {
  345. return fmt.Errorf(errInvalidKubeSec, err)
  346. }
  347. }
  348. }
  349. if p.Auth.Ldap != nil {
  350. if err := utils.ValidateReferentSecretSelector(store, p.Auth.Ldap.SecretRef); err != nil {
  351. return fmt.Errorf(errInvalidLdapSec, err)
  352. }
  353. }
  354. if p.Auth.UserPass != nil {
  355. if err := utils.ValidateReferentSecretSelector(store, p.Auth.UserPass.SecretRef); err != nil {
  356. return fmt.Errorf(errInvalidUserPassSec, err)
  357. }
  358. }
  359. if p.Auth.TokenSecretRef != nil {
  360. if err := utils.ValidateReferentSecretSelector(store, *p.Auth.TokenSecretRef); err != nil {
  361. return fmt.Errorf(errInvalidTokenRef, err)
  362. }
  363. }
  364. if p.Auth.Iam != nil {
  365. if p.Auth.Iam.JWTAuth != nil {
  366. if p.Auth.Iam.JWTAuth.ServiceAccountRef != nil {
  367. if err := utils.ValidateReferentServiceAccountSelector(store, *p.Auth.Iam.JWTAuth.ServiceAccountRef); err != nil {
  368. return fmt.Errorf(errInvalidTokenRef, err)
  369. }
  370. }
  371. }
  372. if p.Auth.Iam.SecretRef != nil {
  373. if err := utils.ValidateReferentSecretSelector(store, p.Auth.Iam.SecretRef.AccessKeyID); err != nil {
  374. return fmt.Errorf(errInvalidTokenRef, err)
  375. }
  376. if err := utils.ValidateReferentSecretSelector(store, p.Auth.Iam.SecretRef.SecretAccessKey); err != nil {
  377. return fmt.Errorf(errInvalidTokenRef, err)
  378. }
  379. if p.Auth.Iam.SecretRef.SessionToken != nil {
  380. if err := utils.ValidateReferentSecretSelector(store, *p.Auth.Iam.SecretRef.SessionToken); err != nil {
  381. return fmt.Errorf(errInvalidTokenRef, err)
  382. }
  383. }
  384. }
  385. }
  386. return nil
  387. }
  388. func (v *client) DeleteSecret(ctx context.Context, remoteRef esv1beta1.PushSecretRemoteRef) error {
  389. path := v.buildPath(remoteRef.GetRemoteKey())
  390. metaPath, err := v.buildMetadataPath(remoteRef.GetRemoteKey())
  391. if err != nil {
  392. return err
  393. }
  394. // Retrieve the secret map from vault and convert the secret value in string form.
  395. secretVal, err := v.readSecret(ctx, path, "")
  396. // If error is not of type secret not found, we should error
  397. if err != nil && errors.Is(err, esv1beta1.NoSecretError{}) {
  398. return nil
  399. }
  400. if err != nil {
  401. return err
  402. }
  403. // If Push for a Property, we need to delete the property and update the secret
  404. if remoteRef.GetProperty() != "" {
  405. delete(secretVal, remoteRef.GetProperty())
  406. if len(secretVal) > 0 {
  407. secretToPush := map[string]interface{}{
  408. "data": secretVal,
  409. }
  410. _, err = v.logical.WriteWithContext(ctx, path, secretToPush)
  411. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultDeleteSecret, err)
  412. return err
  413. }
  414. }
  415. metadata, err := v.readSecretMetadata(ctx, remoteRef.GetRemoteKey())
  416. if err != nil {
  417. return err
  418. }
  419. manager, ok := metadata["managed-by"]
  420. if !ok || manager != "external-secrets" {
  421. return nil
  422. }
  423. _, err = v.logical.DeleteWithContext(ctx, path)
  424. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultDeleteSecret, err)
  425. if err != nil {
  426. return fmt.Errorf("could not delete secret %v: %w", remoteRef.GetRemoteKey(), err)
  427. }
  428. _, err = v.logical.DeleteWithContext(ctx, metaPath)
  429. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultDeleteSecret, err)
  430. if err != nil {
  431. return fmt.Errorf("could not delete secret metadata %v: %w", remoteRef.GetRemoteKey(), err)
  432. }
  433. return nil
  434. }
  435. func (v *client) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1beta1.PushSecretData) error {
  436. value := secret.Data[data.GetSecretKey()]
  437. label := map[string]interface{}{
  438. "custom_metadata": map[string]string{
  439. "managed-by": "external-secrets",
  440. },
  441. }
  442. secretVal := make(map[string]interface{})
  443. path := v.buildPath(data.GetRemoteKey())
  444. metaPath, err := v.buildMetadataPath(data.GetRemoteKey())
  445. if err != nil {
  446. return err
  447. }
  448. // Retrieve the secret map from vault and convert the secret value in string form.
  449. vaultSecret, err := v.readSecret(ctx, path, "")
  450. // If error is not of type secret not found, we should error
  451. if err != nil && !errors.Is(err, esv1beta1.NoSecretError{}) {
  452. return err
  453. }
  454. // If the secret exists (err == nil), we should check if it is managed by external-secrets
  455. if err == nil {
  456. metadata, err := v.readSecretMetadata(ctx, data.GetRemoteKey())
  457. if err != nil {
  458. return err
  459. }
  460. manager, ok := metadata["managed-by"]
  461. if !ok || manager != "external-secrets" {
  462. return fmt.Errorf("secret not managed by external-secrets")
  463. }
  464. }
  465. buf := &bytes.Buffer{}
  466. enc := json.NewEncoder(buf)
  467. enc.SetEscapeHTML(false)
  468. err = enc.Encode(vaultSecret)
  469. if err != nil {
  470. return fmt.Errorf("error encoding vault secret: %w", err)
  471. }
  472. vaultSecretValue := bytes.TrimSpace(buf.Bytes())
  473. if err != nil {
  474. return fmt.Errorf("error marshaling vault secret: %w", err)
  475. }
  476. if bytes.Equal(vaultSecretValue, value) {
  477. return nil
  478. }
  479. // If a Push of a property only, we should merge and add/update the property
  480. if data.GetProperty() != "" {
  481. if _, ok := vaultSecret[data.GetProperty()]; ok {
  482. d := vaultSecret[data.GetProperty()].(string)
  483. if err != nil {
  484. return fmt.Errorf("error marshaling vault secret: %w", err)
  485. }
  486. // If the property has the same value, don't update the secret
  487. if bytes.Equal([]byte(d), value) {
  488. return nil
  489. }
  490. }
  491. for k, v := range vaultSecret {
  492. secretVal[k] = v
  493. }
  494. // Secret got from vault is already on map[string]string format
  495. secretVal[data.GetProperty()] = string(value)
  496. } else {
  497. err = json.Unmarshal(value, &secretVal)
  498. if err != nil {
  499. return fmt.Errorf("error unmarshalling vault secret: %w", err)
  500. }
  501. }
  502. secretToPush := map[string]interface{}{
  503. "data": secretVal,
  504. }
  505. if err != nil {
  506. return fmt.Errorf("failed to convert value to a valid JSON: %w", err)
  507. }
  508. _, err = v.logical.WriteWithContext(ctx, metaPath, label)
  509. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
  510. if err != nil {
  511. return err
  512. }
  513. // Otherwise, create or update the version.
  514. _, err = v.logical.WriteWithContext(ctx, path, secretToPush)
  515. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
  516. return err
  517. }
  518. // GetAllSecrets gets multiple secrets from the provider and loads into a kubernetes secret.
  519. // First load all secrets from secretStore path configuration
  520. // Then, gets secrets from a matching name or matching custom_metadata.
  521. func (v *client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
  522. if v.store.Version == esv1beta1.VaultKVStoreV1 {
  523. return nil, errors.New(errUnsupportedKvVersion)
  524. }
  525. searchPath := ""
  526. if ref.Path != nil {
  527. searchPath = *ref.Path + "/"
  528. }
  529. potentialSecrets, err := v.listSecrets(ctx, searchPath)
  530. if err != nil {
  531. return nil, err
  532. }
  533. if ref.Name != nil {
  534. return v.findSecretsFromName(ctx, potentialSecrets, *ref.Name)
  535. }
  536. return v.findSecretsFromTags(ctx, potentialSecrets, ref.Tags)
  537. }
  538. func (v *client) findSecretsFromTags(ctx context.Context, candidates []string, tags map[string]string) (map[string][]byte, error) {
  539. secrets := make(map[string][]byte)
  540. for _, name := range candidates {
  541. match := true
  542. metadata, err := v.readSecretMetadata(ctx, name)
  543. if err != nil {
  544. return nil, err
  545. }
  546. for tk, tv := range tags {
  547. p, ok := metadata[tk]
  548. if !ok || p != tv {
  549. match = false
  550. break
  551. }
  552. }
  553. if match {
  554. secret, err := v.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: name})
  555. if errors.Is(err, esv1beta1.NoSecretError{}) {
  556. continue
  557. }
  558. if err != nil {
  559. return nil, err
  560. }
  561. if secret != nil {
  562. secrets[name] = secret
  563. }
  564. }
  565. }
  566. return secrets, nil
  567. }
  568. func (v *client) findSecretsFromName(ctx context.Context, candidates []string, ref esv1beta1.FindName) (map[string][]byte, error) {
  569. secrets := make(map[string][]byte)
  570. matcher, err := find.New(ref)
  571. if err != nil {
  572. return nil, err
  573. }
  574. for _, name := range candidates {
  575. ok := matcher.MatchName(name)
  576. if ok {
  577. secret, err := v.GetSecret(ctx, esv1beta1.ExternalSecretDataRemoteRef{Key: name})
  578. if errors.Is(err, esv1beta1.NoSecretError{}) {
  579. continue
  580. }
  581. if err != nil {
  582. return nil, err
  583. }
  584. if secret != nil {
  585. secrets[name] = secret
  586. }
  587. }
  588. }
  589. return secrets, nil
  590. }
  591. func (v *client) listSecrets(ctx context.Context, path string) ([]string, error) {
  592. secrets := make([]string, 0)
  593. url, err := v.buildMetadataPath(path)
  594. if err != nil {
  595. return nil, err
  596. }
  597. secret, err := v.logical.ListWithContext(ctx, url)
  598. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultListSecrets, err)
  599. if err != nil {
  600. return nil, fmt.Errorf(errReadSecret, err)
  601. }
  602. if secret == nil {
  603. return nil, fmt.Errorf("provided path %v does not contain any secrets", url)
  604. }
  605. t, ok := secret.Data["keys"]
  606. if !ok {
  607. return nil, nil
  608. }
  609. paths := t.([]interface{})
  610. for _, p := range paths {
  611. strPath := p.(string)
  612. fullPath := path + strPath // because path always ends with a /
  613. if path == "" {
  614. fullPath = strPath
  615. }
  616. // Recurrently find secrets
  617. if !strings.HasSuffix(p.(string), "/") {
  618. secrets = append(secrets, fullPath)
  619. } else {
  620. partial, err := v.listSecrets(ctx, fullPath)
  621. if err != nil {
  622. return nil, err
  623. }
  624. secrets = append(secrets, partial...)
  625. }
  626. }
  627. return secrets, nil
  628. }
  629. func (v *client) readSecretMetadata(ctx context.Context, path string) (map[string]string, error) {
  630. metadata := make(map[string]string)
  631. url, err := v.buildMetadataPath(path)
  632. if err != nil {
  633. return nil, err
  634. }
  635. secret, err := v.logical.ReadWithDataWithContext(ctx, url, nil)
  636. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultReadSecretData, err)
  637. if err != nil {
  638. return nil, fmt.Errorf(errReadSecret, err)
  639. }
  640. if secret == nil {
  641. return nil, errors.New(errNotFound)
  642. }
  643. t, ok := secret.Data["custom_metadata"]
  644. if !ok {
  645. return nil, nil
  646. }
  647. d, ok := t.(map[string]interface{})
  648. if !ok {
  649. return metadata, nil
  650. }
  651. for k, v := range d {
  652. metadata[k] = v.(string)
  653. }
  654. return metadata, nil
  655. }
  656. // GetSecret supports two types:
  657. // 1. get the full secret as json-encoded value
  658. // by leaving the ref.Property empty.
  659. // 2. get a key from the secret.
  660. // Nested values are supported by specifying a gjson expression
  661. func (v *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
  662. var data map[string]interface{}
  663. var err error
  664. if ref.MetadataPolicy == esv1beta1.ExternalSecretMetadataPolicyFetch {
  665. if v.store.Version == esv1beta1.VaultKVStoreV1 {
  666. return nil, errors.New(errUnsupportedMetadataKvVersion)
  667. }
  668. metadata, err := v.readSecretMetadata(ctx, ref.Key)
  669. if err != nil {
  670. return nil, err
  671. }
  672. if len(metadata) == 0 {
  673. return nil, nil
  674. }
  675. data = make(map[string]interface{}, len(metadata))
  676. for k, v := range metadata {
  677. data[k] = v
  678. }
  679. } else {
  680. data, err = v.readSecret(ctx, ref.Key, ref.Version)
  681. if err != nil {
  682. return nil, err
  683. }
  684. }
  685. // Return nil if secret value is null
  686. if data == nil {
  687. return nil, esv1beta1.NoSecretError{}
  688. }
  689. jsonStr, err := json.Marshal(data)
  690. if err != nil {
  691. return nil, err
  692. }
  693. // (1): return raw json if no property is defined
  694. if ref.Property == "" {
  695. return jsonStr, nil
  696. }
  697. // For backwards compatibility we want the
  698. // actual keys to take precedence over gjson syntax
  699. // (2): extract key from secret with property
  700. if _, ok := data[ref.Property]; ok {
  701. return utils.GetByteValueFromMap(data, ref.Property)
  702. }
  703. // (3): extract key from secret using gjson
  704. val := gjson.Get(string(jsonStr), ref.Property)
  705. if !val.Exists() {
  706. return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
  707. }
  708. return []byte(val.String()), nil
  709. }
  710. // GetSecretMap supports two modes of operation:
  711. // 1. get the full secret from the vault data payload (by leaving .property empty).
  712. // 2. extract key/value pairs from a (nested) object.
  713. func (v *client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
  714. data, err := v.GetSecret(ctx, ref)
  715. if err != nil {
  716. return nil, err
  717. }
  718. var secretData map[string]interface{}
  719. err = json.Unmarshal(data, &secretData)
  720. if err != nil {
  721. return nil, err
  722. }
  723. byteMap := make(map[string][]byte, len(secretData))
  724. for k := range secretData {
  725. byteMap[k], err = utils.GetByteValueFromMap(secretData, k)
  726. if err != nil {
  727. return nil, err
  728. }
  729. }
  730. return byteMap, nil
  731. }
  732. func (v *client) Close(ctx context.Context) error {
  733. // Revoke the token if we have one set, it wasn't sourced from a TokenSecretRef,
  734. // and token caching isn't enabled
  735. if !enableCache && v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
  736. err := revokeTokenIfValid(ctx, v.client)
  737. if err != nil {
  738. return err
  739. }
  740. }
  741. return nil
  742. }
  743. func isReferentSpec(prov *esv1beta1.VaultProvider) bool {
  744. if prov.Auth.TokenSecretRef != nil && prov.Auth.TokenSecretRef.Namespace == nil {
  745. return true
  746. }
  747. if prov.Auth.AppRole != nil && prov.Auth.AppRole.SecretRef.Namespace == nil {
  748. return true
  749. }
  750. if prov.Auth.Kubernetes != nil && prov.Auth.Kubernetes.SecretRef != nil && prov.Auth.Kubernetes.SecretRef.Namespace == nil {
  751. return true
  752. }
  753. if prov.Auth.Kubernetes != nil && prov.Auth.Kubernetes.ServiceAccountRef != nil && prov.Auth.Kubernetes.ServiceAccountRef.Namespace == nil {
  754. return true
  755. }
  756. if prov.Auth.Ldap != nil && prov.Auth.Ldap.SecretRef.Namespace == nil {
  757. return true
  758. }
  759. if prov.Auth.UserPass != nil && prov.Auth.UserPass.SecretRef.Namespace == nil {
  760. return true
  761. }
  762. if prov.Auth.Jwt != nil && prov.Auth.Jwt.SecretRef != nil && prov.Auth.Jwt.SecretRef.Namespace == nil {
  763. return true
  764. }
  765. if prov.Auth.Jwt != nil && prov.Auth.Jwt.KubernetesServiceAccountToken != nil && prov.Auth.Jwt.KubernetesServiceAccountToken.ServiceAccountRef.Namespace == nil {
  766. return true
  767. }
  768. if prov.Auth.Cert != nil && prov.Auth.Cert.SecretRef.Namespace == nil {
  769. return true
  770. }
  771. if prov.Auth.Iam != nil && prov.Auth.Iam.JWTAuth != nil && prov.Auth.Iam.JWTAuth.ServiceAccountRef != nil && prov.Auth.Iam.JWTAuth.ServiceAccountRef.Namespace == nil {
  772. return true
  773. }
  774. if prov.Auth.Iam != nil && prov.Auth.Iam.SecretRef != nil &&
  775. (prov.Auth.Iam.SecretRef.AccessKeyID.Namespace == nil ||
  776. prov.Auth.Iam.SecretRef.SecretAccessKey.Namespace == nil ||
  777. (prov.Auth.Iam.SecretRef.SessionToken != nil && prov.Auth.Iam.SecretRef.SessionToken.Namespace == nil)) {
  778. return true
  779. }
  780. return false
  781. }
  782. func (v *client) Validate() (esv1beta1.ValidationResult, error) {
  783. // when using referent namespace we can not validate the token
  784. // because the namespace is not known yet when Validate() is called
  785. // from the SecretStore controller.
  786. if v.storeKind == esv1beta1.ClusterSecretStoreKind && isReferentSpec(v.store) {
  787. return esv1beta1.ValidationResultUnknown, nil
  788. }
  789. _, err := checkToken(context.Background(), v.token)
  790. if err != nil {
  791. return esv1beta1.ValidationResultError, fmt.Errorf(errInvalidCredentials, err)
  792. }
  793. return esv1beta1.ValidationResultReady, nil
  794. }
  795. func (v *client) buildMetadataPath(path string) (string, error) {
  796. var url string
  797. if v.store.Path == nil && !strings.Contains(path, "data") {
  798. return "", fmt.Errorf(errPathInvalid)
  799. }
  800. if v.store.Path == nil {
  801. path = strings.Replace(path, "data", "metadata", 1)
  802. url = path
  803. } else {
  804. url = fmt.Sprintf("%s/metadata/%s", *v.store.Path, path)
  805. }
  806. return url, nil
  807. }
  808. /*
  809. buildPath is a helper method to build the vault equivalent path
  810. from ExternalSecrets and SecretStore manifests. the path build logic
  811. varies depending on the SecretStore KV version:
  812. Example inputs/outputs:
  813. # simple build:
  814. kv version == "v2":
  815. provider_path: "secret/path"
  816. input: "foo"
  817. output: "secret/path/data/foo" # provider_path and data are prepended
  818. kv version == "v1":
  819. provider_path: "secret/path"
  820. input: "foo"
  821. output: "secret/path/foo" # provider_path is prepended
  822. # inheriting paths:
  823. kv version == "v2":
  824. provider_path: "secret/path"
  825. input: "secret/path/foo"
  826. output: "secret/path/data/foo" #data is prepended
  827. kv version == "v2":
  828. provider_path: "secret/path"
  829. input: "secret/path/data/foo"
  830. output: "secret/path/data/foo" #noop
  831. kv version == "v1":
  832. provider_path: "secret/path"
  833. input: "secret/path/foo"
  834. output: "secret/path/foo" #noop
  835. # provider path not defined:
  836. kv version == "v2":
  837. provider_path: nil
  838. input: "secret/path/foo"
  839. output: "secret/data/path/foo" # data is prepended to secret/
  840. kv version == "v2":
  841. provider_path: nil
  842. input: "secret/path/data/foo"
  843. output: "secret/path/data/foo" #noop
  844. kv version == "v1":
  845. provider_path: nil
  846. input: "secret/path/foo"
  847. output: "secret/path/foo" #noop
  848. */
  849. func (v *client) buildPath(path string) string {
  850. optionalMount := v.store.Path
  851. out := path
  852. // if optionalMount is Set, remove it from path if its there
  853. if optionalMount != nil {
  854. cut := *optionalMount + "/"
  855. if strings.HasPrefix(out, cut) {
  856. // This current logic induces a bug when the actual secret resides on same path names as the mount path.
  857. _, out, _ = strings.Cut(out, cut)
  858. // if data succeeds optionalMount on v2 store, we should remove it as well
  859. if strings.HasPrefix(out, "data/") && v.store.Version == esv1beta1.VaultKVStoreV2 {
  860. _, out, _ = strings.Cut(out, "data/")
  861. }
  862. }
  863. buildPath := strings.Split(out, "/")
  864. buildMount := strings.Split(*optionalMount, "/")
  865. if v.store.Version == esv1beta1.VaultKVStoreV2 {
  866. buildMount = append(buildMount, "data")
  867. }
  868. buildMount = append(buildMount, buildPath...)
  869. out = strings.Join(buildMount, "/")
  870. return out
  871. }
  872. if !strings.Contains(out, "/data/") && v.store.Version == esv1beta1.VaultKVStoreV2 {
  873. buildPath := strings.Split(out, "/")
  874. buildMount := []string{buildPath[0], "data"}
  875. buildMount = append(buildMount, buildPath[1:]...)
  876. out = strings.Join(buildMount, "/")
  877. return out
  878. }
  879. return out
  880. }
  881. func (v *client) readSecret(ctx context.Context, path, version string) (map[string]interface{}, error) {
  882. dataPath := v.buildPath(path)
  883. // path formated according to vault docs for v1 and v2 API
  884. // v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
  885. // v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
  886. var params map[string][]string
  887. if version != "" {
  888. params = make(map[string][]string)
  889. params["version"] = []string{version}
  890. }
  891. vaultSecret, err := v.logical.ReadWithDataWithContext(ctx, dataPath, params)
  892. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultReadSecretData, err)
  893. if err != nil {
  894. return nil, fmt.Errorf(errReadSecret, err)
  895. }
  896. if vaultSecret == nil {
  897. return nil, esv1beta1.NoSecretError{}
  898. }
  899. secretData := vaultSecret.Data
  900. if v.store.Version == esv1beta1.VaultKVStoreV2 {
  901. // Vault KV2 has data embedded within sub-field
  902. // reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
  903. dataInt, ok := vaultSecret.Data["data"]
  904. if !ok {
  905. return nil, errors.New(errDataField)
  906. }
  907. if dataInt == nil {
  908. return nil, esv1beta1.NoSecretError{}
  909. }
  910. secretData, ok = dataInt.(map[string]interface{})
  911. if !ok {
  912. return nil, errors.New(errJSONUnmarshall)
  913. }
  914. }
  915. return secretData, nil
  916. }
  917. func (v *client) newConfig() (*vault.Config, error) {
  918. cfg := vault.DefaultConfig()
  919. cfg.Address = v.store.Server
  920. if len(v.store.CABundle) == 0 && v.store.CAProvider == nil {
  921. return cfg, nil
  922. }
  923. caCertPool := x509.NewCertPool()
  924. if len(v.store.CABundle) > 0 {
  925. ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
  926. if !ok {
  927. return nil, fmt.Errorf(errVaultCert, errors.New("failed to parse certificates from CertPool"))
  928. }
  929. }
  930. if v.store.CAProvider != nil && v.storeKind == esv1beta1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
  931. return nil, errors.New(errCANamespace)
  932. }
  933. if v.store.CAProvider != nil {
  934. var cert []byte
  935. var err error
  936. switch v.store.CAProvider.Type {
  937. case esv1beta1.CAProviderTypeSecret:
  938. cert, err = getCertFromSecret(v)
  939. case esv1beta1.CAProviderTypeConfigMap:
  940. cert, err = getCertFromConfigMap(v)
  941. default:
  942. return nil, errors.New(errUnknownCAProvider)
  943. }
  944. if err != nil {
  945. return nil, err
  946. }
  947. ok := caCertPool.AppendCertsFromPEM(cert)
  948. if !ok {
  949. return nil, fmt.Errorf(errVaultCert, errors.New("failed to parse certificates from CertPool"))
  950. }
  951. }
  952. if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
  953. transport.TLSClientConfig.RootCAs = caCertPool
  954. }
  955. // If either read-after-write consistency feature is enabled, enable ReadYourWrites
  956. cfg.ReadYourWrites = v.store.ReadYourWrites || v.store.ForwardInconsistent
  957. return cfg, nil
  958. }
  959. func getCertFromSecret(v *client) ([]byte, error) {
  960. secretRef := esmeta.SecretKeySelector{
  961. Name: v.store.CAProvider.Name,
  962. Key: v.store.CAProvider.Key,
  963. }
  964. if v.store.CAProvider.Namespace != nil {
  965. secretRef.Namespace = v.store.CAProvider.Namespace
  966. }
  967. ctx := context.Background()
  968. res, err := v.secretKeyRef(ctx, &secretRef)
  969. if err != nil {
  970. return nil, fmt.Errorf(errVaultCert, err)
  971. }
  972. return []byte(res), nil
  973. }
  974. func getCertFromConfigMap(v *client) ([]byte, error) {
  975. objKey := types.NamespacedName{
  976. Name: v.store.CAProvider.Name,
  977. }
  978. if v.store.CAProvider.Namespace != nil {
  979. objKey.Namespace = *v.store.CAProvider.Namespace
  980. }
  981. configMapRef := &corev1.ConfigMap{}
  982. ctx := context.Background()
  983. err := v.kube.Get(ctx, objKey, configMapRef)
  984. if err != nil {
  985. return nil, fmt.Errorf(errVaultCert, err)
  986. }
  987. val, ok := configMapRef.Data[v.store.CAProvider.Key]
  988. if !ok {
  989. return nil, fmt.Errorf(errConfigMapFmt, v.store.CAProvider.Key)
  990. }
  991. return []byte(val), nil
  992. }
  993. /*
  994. setAuth gets a new token using the configured mechanism.
  995. If there's already a valid token, does nothing.
  996. */
  997. func (v *client) setAuth(ctx context.Context, cfg *vault.Config) error {
  998. tokenExists := false
  999. var err error
  1000. if v.client.Token() != "" {
  1001. tokenExists, err = checkToken(ctx, v.token)
  1002. }
  1003. if tokenExists {
  1004. v.log.V(1).Info("Re-using existing token")
  1005. return err
  1006. }
  1007. tokenExists, err = setSecretKeyToken(ctx, v)
  1008. if tokenExists {
  1009. v.log.V(1).Info("Set token from secret")
  1010. return err
  1011. }
  1012. tokenExists, err = setAppRoleToken(ctx, v)
  1013. if tokenExists {
  1014. v.log.V(1).Info("Retrieved new token using AppRole auth")
  1015. return err
  1016. }
  1017. tokenExists, err = setKubernetesAuthToken(ctx, v)
  1018. if tokenExists {
  1019. v.log.V(1).Info("Retrieved new token using Kubernetes auth")
  1020. return err
  1021. }
  1022. tokenExists, err = setLdapAuthToken(ctx, v)
  1023. if tokenExists {
  1024. v.log.V(1).Info("Retrieved new token using LDAP auth")
  1025. return err
  1026. }
  1027. tokenExists, err = setUserPassAuthToken(ctx, v)
  1028. if tokenExists {
  1029. v.log.V(1).Info("Retrieved new token using userPass auth")
  1030. return err
  1031. }
  1032. tokenExists, err = setJwtAuthToken(ctx, v)
  1033. if tokenExists {
  1034. v.log.V(1).Info("Retrieved new token using JWT auth")
  1035. return err
  1036. }
  1037. tokenExists, err = setCertAuthToken(ctx, v, cfg)
  1038. if tokenExists {
  1039. v.log.V(1).Info("Retrieved new token using certificate auth")
  1040. return err
  1041. }
  1042. tokenExists, err = setIamAuthToken(ctx, v, vaultiamauth.DefaultJWTProvider, vaultiamauth.DefaultSTSProvider)
  1043. if tokenExists {
  1044. v.log.V(1).Info("Retrieved new token using IAM auth")
  1045. return err
  1046. }
  1047. return errors.New(errAuthFormat)
  1048. }
  1049. func setSecretKeyToken(ctx context.Context, v *client) (bool, error) {
  1050. tokenRef := v.store.Auth.TokenSecretRef
  1051. if tokenRef != nil {
  1052. token, err := v.secretKeyRef(ctx, tokenRef)
  1053. if err != nil {
  1054. return true, err
  1055. }
  1056. v.client.SetToken(token)
  1057. return true, nil
  1058. }
  1059. return false, nil
  1060. }
  1061. func setAppRoleToken(ctx context.Context, v *client) (bool, error) {
  1062. appRole := v.store.Auth.AppRole
  1063. if appRole != nil {
  1064. err := v.requestTokenWithAppRoleRef(ctx, appRole)
  1065. if err != nil {
  1066. return true, err
  1067. }
  1068. return true, nil
  1069. }
  1070. return false, nil
  1071. }
  1072. func setKubernetesAuthToken(ctx context.Context, v *client) (bool, error) {
  1073. kubernetesAuth := v.store.Auth.Kubernetes
  1074. if kubernetesAuth != nil {
  1075. err := v.requestTokenWithKubernetesAuth(ctx, kubernetesAuth)
  1076. if err != nil {
  1077. return true, err
  1078. }
  1079. return true, nil
  1080. }
  1081. return false, nil
  1082. }
  1083. func setLdapAuthToken(ctx context.Context, v *client) (bool, error) {
  1084. ldapAuth := v.store.Auth.Ldap
  1085. if ldapAuth != nil {
  1086. err := v.requestTokenWithLdapAuth(ctx, ldapAuth)
  1087. if err != nil {
  1088. return true, err
  1089. }
  1090. return true, nil
  1091. }
  1092. return false, nil
  1093. }
  1094. func setUserPassAuthToken(ctx context.Context, v *client) (bool, error) {
  1095. userPassAuth := v.store.Auth.UserPass
  1096. if userPassAuth != nil {
  1097. err := v.requestTokenWithUserPassAuth(ctx, userPassAuth)
  1098. if err != nil {
  1099. return true, err
  1100. }
  1101. return true, nil
  1102. }
  1103. return false, nil
  1104. }
  1105. func setJwtAuthToken(ctx context.Context, v *client) (bool, error) {
  1106. jwtAuth := v.store.Auth.Jwt
  1107. if jwtAuth != nil {
  1108. err := v.requestTokenWithJwtAuth(ctx, jwtAuth)
  1109. if err != nil {
  1110. return true, err
  1111. }
  1112. return true, nil
  1113. }
  1114. return false, nil
  1115. }
  1116. func setCertAuthToken(ctx context.Context, v *client, cfg *vault.Config) (bool, error) {
  1117. certAuth := v.store.Auth.Cert
  1118. if certAuth != nil {
  1119. err := v.requestTokenWithCertAuth(ctx, certAuth, cfg)
  1120. if err != nil {
  1121. return true, err
  1122. }
  1123. return true, nil
  1124. }
  1125. return false, nil
  1126. }
  1127. func setIamAuthToken(ctx context.Context, v *client, jwtProvider util.JwtProviderFactory, assumeRoler vaultiamauth.STSProvider) (bool, error) {
  1128. iamAuth := v.store.Auth.Iam
  1129. isClusterKind := v.storeKind == esv1beta1.ClusterSecretStoreKind
  1130. if iamAuth != nil {
  1131. err := v.requestTokenWithIamAuth(ctx, iamAuth, isClusterKind, v.kube, v.namespace, jwtProvider, assumeRoler)
  1132. if err != nil {
  1133. return true, err
  1134. }
  1135. return true, nil
  1136. }
  1137. return false, nil
  1138. }
  1139. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
  1140. serviceAccount := &corev1.ServiceAccount{}
  1141. ref := types.NamespacedName{
  1142. Namespace: v.namespace,
  1143. Name: serviceAccountRef.Name,
  1144. }
  1145. if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
  1146. (serviceAccountRef.Namespace != nil) {
  1147. ref.Namespace = *serviceAccountRef.Namespace
  1148. }
  1149. err := v.kube.Get(ctx, ref, serviceAccount)
  1150. if err != nil {
  1151. return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
  1152. }
  1153. if len(serviceAccount.Secrets) == 0 {
  1154. return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
  1155. }
  1156. for _, tokenRef := range serviceAccount.Secrets {
  1157. retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
  1158. Name: tokenRef.Name,
  1159. Namespace: &ref.Namespace,
  1160. Key: "token",
  1161. })
  1162. if err != nil {
  1163. continue
  1164. }
  1165. return retval, nil
  1166. }
  1167. return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
  1168. }
  1169. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
  1170. secret := &corev1.Secret{}
  1171. ref := types.NamespacedName{
  1172. Namespace: v.namespace,
  1173. Name: secretRef.Name,
  1174. }
  1175. if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
  1176. (secretRef.Namespace != nil) {
  1177. ref.Namespace = *secretRef.Namespace
  1178. }
  1179. err := v.kube.Get(ctx, ref, secret)
  1180. if err != nil {
  1181. return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
  1182. }
  1183. keyBytes, ok := secret.Data[secretRef.Key]
  1184. if !ok {
  1185. return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
  1186. }
  1187. value := string(keyBytes)
  1188. valueStr := strings.TrimSpace(value)
  1189. return valueStr, nil
  1190. }
  1191. func (v *client) serviceAccountToken(ctx context.Context, serviceAccountRef esmeta.ServiceAccountSelector, additionalAud []string, expirationSeconds int64) (string, error) {
  1192. audiences := serviceAccountRef.Audiences
  1193. if len(additionalAud) > 0 {
  1194. audiences = append(audiences, additionalAud...)
  1195. }
  1196. tokenRequest := &authenticationv1.TokenRequest{
  1197. ObjectMeta: metav1.ObjectMeta{
  1198. Namespace: v.namespace,
  1199. },
  1200. Spec: authenticationv1.TokenRequestSpec{
  1201. Audiences: audiences,
  1202. ExpirationSeconds: &expirationSeconds,
  1203. },
  1204. }
  1205. if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
  1206. (serviceAccountRef.Namespace != nil) {
  1207. tokenRequest.Namespace = *serviceAccountRef.Namespace
  1208. }
  1209. tokenResponse, err := v.corev1.ServiceAccounts(tokenRequest.Namespace).CreateToken(ctx, serviceAccountRef.Name, tokenRequest, metav1.CreateOptions{})
  1210. if err != nil {
  1211. return "", fmt.Errorf(errGetKubeSATokenRequest, serviceAccountRef.Name, err)
  1212. }
  1213. return tokenResponse.Status.Token, nil
  1214. }
  1215. // checkToken does a lookup and checks if the provided token exists.
  1216. func checkToken(ctx context.Context, token util.Token) (bool, error) {
  1217. // https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self
  1218. resp, err := token.LookupSelfWithContext(ctx)
  1219. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLookupSelf, err)
  1220. if err != nil {
  1221. return false, err
  1222. }
  1223. t, ok := resp.Data["type"]
  1224. if !ok {
  1225. return false, fmt.Errorf("could not assert token type")
  1226. }
  1227. tokenType := t.(string)
  1228. if tokenType == "batch" {
  1229. return false, nil
  1230. }
  1231. return true, nil
  1232. }
  1233. func revokeTokenIfValid(ctx context.Context, client util.Client) error {
  1234. valid, err := checkToken(ctx, client.AuthToken())
  1235. if err != nil {
  1236. return fmt.Errorf(errVaultRevokeToken, err)
  1237. }
  1238. if valid {
  1239. err = client.AuthToken().RevokeSelfWithContext(ctx, client.Token())
  1240. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultRevokeSelf, err)
  1241. if err != nil {
  1242. return fmt.Errorf(errVaultRevokeToken, err)
  1243. }
  1244. client.ClearToken()
  1245. }
  1246. return nil
  1247. }
  1248. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, appRole *esv1beta1.VaultAppRole) error {
  1249. var err error
  1250. var roleID string // becomes the RoleID used to authenticate with HashiCorp Vault
  1251. // prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
  1252. if appRole.RoleID != "" { // use roleId from CRD, if configured
  1253. roleID = strings.TrimSpace(appRole.RoleID)
  1254. } else if appRole.RoleRef != nil { // use RoleID from Secret, if configured
  1255. roleID, err = v.secretKeyRef(ctx, appRole.RoleRef)
  1256. if err != nil {
  1257. return err
  1258. }
  1259. } else { // we ran out of ways to get RoleID. return an appropriate error
  1260. return fmt.Errorf(errInvalidAppRoleID)
  1261. }
  1262. secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
  1263. if err != nil {
  1264. return err
  1265. }
  1266. secret := approle.SecretID{FromString: secretID}
  1267. appRoleClient, err := approle.NewAppRoleAuth(roleID, &secret, approle.WithMountPath(appRole.Path))
  1268. if err != nil {
  1269. return err
  1270. }
  1271. _, err = v.auth.Login(ctx, appRoleClient)
  1272. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
  1273. if err != nil {
  1274. return err
  1275. }
  1276. return nil
  1277. }
  1278. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, kubernetesAuth *esv1beta1.VaultKubernetesAuth) error {
  1279. jwtString, err := getJwtString(ctx, v, kubernetesAuth)
  1280. if err != nil {
  1281. return err
  1282. }
  1283. k, err := authkubernetes.NewKubernetesAuth(kubernetesAuth.Role, authkubernetes.WithServiceAccountToken(jwtString), authkubernetes.WithMountPath(kubernetesAuth.Path))
  1284. if err != nil {
  1285. return err
  1286. }
  1287. _, err = v.auth.Login(ctx, k)
  1288. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
  1289. if err != nil {
  1290. return err
  1291. }
  1292. return nil
  1293. }
  1294. func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
  1295. if kubernetesAuth.ServiceAccountRef != nil {
  1296. // Kubernetes <v1.24 fetch token via ServiceAccount.Secrets[]
  1297. // this behavior was removed in v1.24 and we must use TokenRequest API (see below)
  1298. jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
  1299. if jwt != "" {
  1300. return jwt, err
  1301. }
  1302. if err != nil {
  1303. v.log.V(1).Info("unable to fetch jwt from service account secret, trying service account token next")
  1304. }
  1305. // Kubernetes >=v1.24: fetch token via TokenRequest API
  1306. // note: this is a massive change from vault perspective: the `iss` claim will very likely change.
  1307. // Vault 1.9 deprecated issuer validation by default, and authentication with Vault clusters <1.9 will likely fail.
  1308. jwt, err = v.serviceAccountToken(ctx, *kubernetesAuth.ServiceAccountRef, nil, 600)
  1309. if err != nil {
  1310. return "", err
  1311. }
  1312. return jwt, nil
  1313. } else if kubernetesAuth.SecretRef != nil {
  1314. tokenRef := kubernetesAuth.SecretRef
  1315. if tokenRef.Key == "" {
  1316. tokenRef = kubernetesAuth.SecretRef.DeepCopy()
  1317. tokenRef.Key = "token"
  1318. }
  1319. jwt, err := v.secretKeyRef(ctx, tokenRef)
  1320. if err != nil {
  1321. return "", err
  1322. }
  1323. return jwt, nil
  1324. } else {
  1325. // Kubernetes authentication is specified, but without a referenced
  1326. // Kubernetes secret. We check if the file path for in-cluster service account
  1327. // exists and attempt to use the token for Vault Kubernetes auth.
  1328. if _, err := os.Stat(serviceAccTokenPath); err != nil {
  1329. return "", fmt.Errorf(errServiceAccount, err)
  1330. }
  1331. jwtByte, err := os.ReadFile(serviceAccTokenPath)
  1332. if err != nil {
  1333. return "", fmt.Errorf(errServiceAccount, err)
  1334. }
  1335. return string(jwtByte), nil
  1336. }
  1337. }
  1338. func (v *client) requestTokenWithLdapAuth(ctx context.Context, ldapAuth *esv1beta1.VaultLdapAuth) error {
  1339. username := strings.TrimSpace(ldapAuth.Username)
  1340. password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
  1341. if err != nil {
  1342. return err
  1343. }
  1344. pass := authldap.Password{FromString: password}
  1345. l, err := authldap.NewLDAPAuth(username, &pass, authldap.WithMountPath(ldapAuth.Path))
  1346. if err != nil {
  1347. return err
  1348. }
  1349. _, err = v.auth.Login(ctx, l)
  1350. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
  1351. if err != nil {
  1352. return err
  1353. }
  1354. return nil
  1355. }
  1356. func (v *client) requestTokenWithUserPassAuth(ctx context.Context, userPassAuth *esv1beta1.VaultUserPassAuth) error {
  1357. username := strings.TrimSpace(userPassAuth.Username)
  1358. password, err := v.secretKeyRef(ctx, &userPassAuth.SecretRef)
  1359. if err != nil {
  1360. return err
  1361. }
  1362. pass := authuserpass.Password{FromString: password}
  1363. l, err := authuserpass.NewUserpassAuth(username, &pass, authuserpass.WithMountPath(userPassAuth.Path))
  1364. if err != nil {
  1365. return err
  1366. }
  1367. _, err = v.auth.Login(ctx, l)
  1368. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
  1369. if err != nil {
  1370. return err
  1371. }
  1372. return nil
  1373. }
  1374. func (v *client) requestTokenWithJwtAuth(ctx context.Context, jwtAuth *esv1beta1.VaultJwtAuth) error {
  1375. role := strings.TrimSpace(jwtAuth.Role)
  1376. var jwt string
  1377. var err error
  1378. if jwtAuth.SecretRef != nil {
  1379. jwt, err = v.secretKeyRef(ctx, jwtAuth.SecretRef)
  1380. } else if k8sServiceAccountToken := jwtAuth.KubernetesServiceAccountToken; k8sServiceAccountToken != nil {
  1381. audiences := k8sServiceAccountToken.Audiences
  1382. if audiences == nil {
  1383. audiences = &[]string{"vault"}
  1384. }
  1385. expirationSeconds := k8sServiceAccountToken.ExpirationSeconds
  1386. if expirationSeconds == nil {
  1387. tmp := int64(600)
  1388. expirationSeconds = &tmp
  1389. }
  1390. jwt, err = v.serviceAccountToken(ctx, k8sServiceAccountToken.ServiceAccountRef, *audiences, *expirationSeconds)
  1391. } else {
  1392. err = fmt.Errorf(errJwtNoTokenSource)
  1393. }
  1394. if err != nil {
  1395. return err
  1396. }
  1397. parameters := map[string]interface{}{
  1398. "role": role,
  1399. "jwt": jwt,
  1400. }
  1401. url := strings.Join([]string{"auth", jwtAuth.Path, "login"}, "/")
  1402. vaultResult, err := v.logical.WriteWithContext(ctx, url, parameters)
  1403. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
  1404. if err != nil {
  1405. return err
  1406. }
  1407. token, err := vaultResult.TokenID()
  1408. if err != nil {
  1409. return fmt.Errorf(errVaultToken, err)
  1410. }
  1411. v.client.SetToken(token)
  1412. return nil
  1413. }
  1414. func (v *client) requestTokenWithCertAuth(ctx context.Context, certAuth *esv1beta1.VaultCertAuth, cfg *vault.Config) error {
  1415. clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
  1416. if err != nil {
  1417. return err
  1418. }
  1419. clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
  1420. if err != nil {
  1421. return err
  1422. }
  1423. cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
  1424. if err != nil {
  1425. return fmt.Errorf(errClientTLSAuth, err)
  1426. }
  1427. if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
  1428. transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
  1429. }
  1430. url := strings.Join([]string{"auth", "cert", "login"}, "/")
  1431. vaultResult, err := v.logical.WriteWithContext(ctx, url, nil)
  1432. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultWriteSecretData, err)
  1433. if err != nil {
  1434. return fmt.Errorf(errVaultRequest, err)
  1435. }
  1436. token, err := vaultResult.TokenID()
  1437. if err != nil {
  1438. return fmt.Errorf(errVaultToken, err)
  1439. }
  1440. v.client.SetToken(token)
  1441. return nil
  1442. }
  1443. func (v *client) requestTokenWithIamAuth(ctx context.Context, iamAuth *esv1beta1.VaultIamAuth, ick bool, k kclient.Client, n string, jwtProvider util.JwtProviderFactory, assumeRoler vaultiamauth.STSProvider) error {
  1444. jwtAuth := iamAuth.JWTAuth
  1445. secretRefAuth := iamAuth.SecretRef
  1446. regionAWS := defaultAWSRegion
  1447. awsAuthMountPath := defaultAWSAuthMountPath
  1448. if iamAuth.Region != "" {
  1449. regionAWS = iamAuth.Region
  1450. }
  1451. if iamAuth.Path != "" {
  1452. awsAuthMountPath = iamAuth.Path
  1453. }
  1454. var creds *credentials.Credentials
  1455. var err error
  1456. if jwtAuth != nil { // use credentials from a sa explicitly defined and referenced. Highest preference is given to this method/configuration.
  1457. creds, err = vaultiamauth.CredsFromServiceAccount(ctx, *iamAuth, regionAWS, ick, k, n, jwtProvider)
  1458. if err != nil {
  1459. return err
  1460. }
  1461. } else if secretRefAuth != nil { // if jwtAuth is not defined, check if secretRef is defined. Second preference.
  1462. logger.V(1).Info("using credentials from secretRef")
  1463. creds, err = vaultiamauth.CredsFromSecretRef(ctx, *iamAuth, ick, k, n)
  1464. if err != nil {
  1465. return err
  1466. }
  1467. }
  1468. // Neither of jwtAuth or secretRefAuth defined. Last preference.
  1469. // Default to controller pod's identity
  1470. if jwtAuth == nil && secretRefAuth == nil {
  1471. // Checking if controller pod's service account is IRSA enabled and Web Identity token is available on pod
  1472. tknFile, tknFileEnvVarPresent := os.LookupEnv(vaultiamauth.AWSWebIdentityTokenFileEnvVar)
  1473. if !tknFileEnvVarPresent {
  1474. return fmt.Errorf(errIrsaTokenEnvVarNotFoundOnPod, vaultiamauth.AWSWebIdentityTokenFileEnvVar) // No Web Identity(IRSA) token found on pod
  1475. }
  1476. // IRSA enabled service account, let's check that the jwt token filemount and file exists
  1477. if _, err := os.Stat(tknFile); err != nil {
  1478. return fmt.Errorf(errIrsaTokenFileNotFoundOnPod, tknFile, err)
  1479. }
  1480. // everything looks good so far, let's fetch the jwt token from AWS_WEB_IDENTITY_TOKEN_FILE
  1481. jwtByte, err := os.ReadFile(tknFile)
  1482. if err != nil {
  1483. return fmt.Errorf(errIrsaTokenFileNotReadable, tknFile, err)
  1484. }
  1485. // let's parse the jwt token
  1486. parser := jwt.NewParser(jwt.WithoutClaimsValidation())
  1487. token, _, err := parser.ParseUnverified(string(jwtByte), jwt.MapClaims{})
  1488. if err != nil {
  1489. return fmt.Errorf(errIrsaTokenNotValidJWT, tknFile, err) // JWT token parser error
  1490. }
  1491. var ns string
  1492. var sa string
  1493. // let's fetch the namespace and serviceaccount from parsed jwt token
  1494. if claims, ok := token.Claims.(jwt.MapClaims); ok {
  1495. ns = claims["kubernetes.io"].(map[string]interface{})["namespace"].(string)
  1496. sa = claims["kubernetes.io"].(map[string]interface{})["serviceaccount"].(map[string]interface{})["name"].(string)
  1497. } else {
  1498. return fmt.Errorf(errPodInfoNotFoundOnToken, tknFile, err)
  1499. }
  1500. creds, err = vaultiamauth.CredsFromControllerServiceAccount(ctx, sa, ns, regionAWS, k, jwtProvider)
  1501. if err != nil {
  1502. return err
  1503. }
  1504. }
  1505. config := aws.NewConfig().WithEndpointResolver(vaultiamauth.ResolveEndpoint())
  1506. if creds != nil {
  1507. config.WithCredentials(creds)
  1508. }
  1509. if regionAWS != "" {
  1510. config.WithRegion(regionAWS)
  1511. }
  1512. sess, err := vaultiamauth.GetAWSSession(config)
  1513. if err != nil {
  1514. return err
  1515. }
  1516. if iamAuth.AWSIAMRole != "" {
  1517. stsclient := assumeRoler(sess)
  1518. if iamAuth.ExternalID != "" {
  1519. var setExternalID = func(p *stscreds.AssumeRoleProvider) {
  1520. p.ExternalID = aws.String(iamAuth.ExternalID)
  1521. }
  1522. sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, iamAuth.AWSIAMRole, setExternalID))
  1523. } else {
  1524. sess.Config.WithCredentials(stscreds.NewCredentialsWithClient(stsclient, iamAuth.AWSIAMRole))
  1525. }
  1526. }
  1527. getCreds, err := sess.Config.Credentials.Get()
  1528. if err != nil {
  1529. return err
  1530. }
  1531. // Set environment variables. These would be fetched by Login
  1532. os.Setenv("AWS_ACCESS_KEY_ID", getCreds.AccessKeyID)
  1533. os.Setenv("AWS_SECRET_ACCESS_KEY", getCreds.SecretAccessKey)
  1534. os.Setenv("AWS_SESSION_TOKEN", getCreds.SessionToken)
  1535. var awsAuthClient *authaws.AWSAuth
  1536. if iamAuth.VaultAWSIAMServerID != "" {
  1537. awsAuthClient, err = authaws.NewAWSAuth(authaws.WithRegion(regionAWS), authaws.WithIAMAuth(), authaws.WithRole(iamAuth.Role), authaws.WithMountPath(awsAuthMountPath), authaws.WithIAMServerIDHeader(iamAuth.VaultAWSIAMServerID))
  1538. if err != nil {
  1539. return err
  1540. }
  1541. } else {
  1542. awsAuthClient, err = authaws.NewAWSAuth(authaws.WithRegion(regionAWS), authaws.WithIAMAuth(), authaws.WithRole(iamAuth.Role), authaws.WithMountPath(awsAuthMountPath))
  1543. if err != nil {
  1544. return err
  1545. }
  1546. }
  1547. _, err = v.auth.Login(ctx, awsAuthClient)
  1548. metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
  1549. if err != nil {
  1550. return err
  1551. }
  1552. return nil
  1553. }
  1554. func init() {
  1555. var vaultTokenCacheSize int
  1556. fs := pflag.NewFlagSet("vault", pflag.ExitOnError)
  1557. fs.BoolVar(&enableCache, "experimental-enable-vault-token-cache", false, "Enable experimental Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.")
  1558. // max. 265k vault leases with 30bytes each ~= 7MB
  1559. fs.IntVar(&vaultTokenCacheSize, "experimental-vault-token-cache-size", 2<<17, "Maximum size of Vault token cache. When more tokens than Only used if --experimental-enable-vault-token-cache is set.")
  1560. lateInit := func() {
  1561. logger.Info("initializing vault cache", "size", vaultTokenCacheSize)
  1562. clientCache = cache.Must(vaultTokenCacheSize, func(client util.Client) {
  1563. err := revokeTokenIfValid(context.Background(), client)
  1564. if err != nil {
  1565. logger.Error(err, "unable to revoke cached token on eviction")
  1566. }
  1567. })
  1568. }
  1569. feature.Register(feature.Feature{
  1570. Flags: fs,
  1571. Initialize: lateInit,
  1572. })
  1573. esv1beta1.Register(&Connector{
  1574. NewVaultClient: NewVaultClient,
  1575. }, &esv1beta1.SecretStoreProvider{
  1576. Vault: &esv1beta1.VaultProvider{},
  1577. })
  1578. }