首頁 探索 說明
登入
logic855
/
helm-external-secrets
镜像来自 https://github.com/external-secrets/external-secrets
1
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: 56c49a8fff
分支列表 標籤列表
helm-externa...
/
pkg
/
provider
/
vault
/
auth_approle.go

auth_approle.go 2.5 KB
文件歷史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package vault
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"strings"
    23. 

  23. 

  24. 	"github.com/hashicorp/vault/api/auth/approle"
    25. 

  25. 

  26. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    27. 

  27. 	"github.com/external-secrets/external-secrets/pkg/constants"
    28. 

  28. 	"github.com/external-secrets/external-secrets/pkg/esutils/resolvers"
    29. 

  29. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    30. 

  30. )
    31. 

  31. 

  32. const (
    33. 

  33. 	errInvalidAppRoleID = "invalid Auth.AppRole: neither `roleId` nor `roleRef` was supplied"
    34. 

  34. )
    35. 

  35. 

  36. func setAppRoleToken(ctx context.Context, v *client) (bool, error) {
    37. 

  37. 	appRole := v.store.Auth.AppRole
    38. 

  38. 	if appRole != nil {
    39. 

  39. 		err := v.requestTokenWithAppRoleRef(ctx, appRole)
    40. 

  40. 		if err != nil {
    41. 

  41. 			return true, err
    42. 

  42. 		}
    43. 

  43. 		return true, nil
    44. 

  44. 	}
    45. 

  45. 	return false, nil
    46. 

  46. }
    47. 

  47. 

  48. func (c *client) requestTokenWithAppRoleRef(ctx context.Context, appRole *esv1.VaultAppRole) error {
    49. 

  49. 	var err error
    50. 

  50. 	var roleID string // becomes the RoleID used to authenticate with HashiCorp Vault
    51. 

  51. 

  52. 	// prefer .auth.appRole.roleId, fallback to .auth.appRole.roleRef, give up after that.
    53. 

  53. 	if appRole.RoleID != "" { // use roleId from CRD, if configured
    54. 

  54. 		roleID = strings.TrimSpace(appRole.RoleID)
    55. 

  55. 	} else if appRole.RoleRef != nil { // use RoleID from Secret, if configured
    56. 

  56. 		roleID, err = resolvers.SecretKeyRef(ctx, c.kube, c.storeKind, c.namespace, appRole.RoleRef)
    57. 

  57. 		if err != nil {
    58. 

  58. 			return err
    59. 

  59. 		}
    60. 

  60. 	} else { // we ran out of ways to get RoleID. return an appropriate error
    61. 

  61. 		return errors.New(errInvalidAppRoleID)
    62. 

  62. 	}
    63. 

  63. 

  64. 	secretID, err := resolvers.SecretKeyRef(ctx, c.kube, c.storeKind, c.namespace, &appRole.SecretRef)
    65. 

  65. 	if err != nil {
    66. 

  66. 		return err
    67. 

  67. 	}
    68. 

  68. 	secret := approle.SecretID{FromString: secretID}
    69. 

  69. 	appRoleClient, err := approle.NewAppRoleAuth(roleID, &secret, approle.WithMountPath(appRole.Path))
    70. 

  70. 	if err != nil {
    71. 

  71. 		return err
    72. 

  72. 	}
    73. 

  73. 	_, err = c.auth.Login(ctx, appRoleClient)
    74. 

  74. 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLogin, err)
    75. 

  75. 	if err != nil {
    76. 

  76. 		return err
    77. 

  77. 	}
    78. 

  78. 	return nil
    79. 

  79. }
    80.