Strona główna Odkrywaj Pomoc
Zaloguj się
logic855
/
helm-external-secrets
kopia lustrzana https://github.com/external-secrets/external-secrets
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: 60f565b19b
Gałęzie Tagi
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 23 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/tls"
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 	"io/ioutil"
    25. 

  25. 	"net/http"
    26. 

  26. 	"os"
    27. 

  27. 	"strconv"
    28. 

  28. 	"strings"
    29. 

  29. 

  30. 	"github.com/go-logr/logr"
    31. 

  31. 	vault "github.com/hashicorp/vault/api"
    32. 

  32. 	"github.com/tidwall/gjson"
    33. 

  33. 	corev1 "k8s.io/api/core/v1"
    34. 

  34. 	"k8s.io/apimachinery/pkg/types"
    35. 

  35. 	ctrl "sigs.k8s.io/controller-runtime"
    36. 

  36. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    37. 

  37. 

  38. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    39. 

  39. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    40. 

  40. 	"github.com/external-secrets/external-secrets/pkg/provider"
    41. 

  41. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    42. 

  42. )
    43. 

  43. 

  44. var (
    45. 

  45. 	_ provider.Provider      = &connector{}
    46. 

  46. 	_ provider.SecretsClient = &client{}
    47. 

  47. )
    48. 

  48. 

  49. const (
    50. 

  50. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    51. 

  51. 

  52. 	errVaultStore         = "received invalid Vault SecretStore resource: %w"
    53. 

  53. 	errVaultClient        = "cannot setup new vault client: %w"
    54. 

  54. 	errVaultCert          = "cannot set Vault CA certificate: %w"
    55. 

  55. 	errReadSecret         = "cannot read secret data from Vault: %w"
    56. 

  56. 	errAuthFormat         = "cannot initialize Vault client: no valid auth method specified"
    57. 

  57. 	errInvalidCredentials = "invalid vault credentials: %w"
    58. 

  58. 	errDataField          = "failed to find data field"
    59. 

  59. 	errJSONUnmarshall     = "failed to unmarshall JSON"
    60. 

  60. 	errSecretFormat       = "secret data not in expected format"
    61. 

  61. 	errUnexpectedKey      = "unexpected key in data: %s"
    62. 

  62. 	errVaultToken         = "cannot parse Vault authentication token: %w"
    63. 

  63. 	errVaultReqParams     = "cannot set Vault request parameters: %w"
    64. 

  64. 	errVaultRequest       = "error from Vault request: %w"
    65. 

  65. 	errVaultResponse      = "cannot parse Vault response: %w"
    66. 

  66. 	errServiceAccount     = "cannot read Kubernetes service account token from file system: %w"
    67. 

  67. 

  68. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    69. 

  69. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    70. 

  70. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    71. 

  71. 

  72. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    73. 

  73. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    74. 

  74. 	errConfigMapFmt  = "cannot find config map data for key: %q"
    75. 

  75. 

  76. 	errClientTLSAuth = "error from Client TLS Auth: %q"
    77. 

  77. 

  78. 	errVaultRevokeToken = "error while revoking token: %w"
    79. 

  79. 

  80. 	errUnknownCAProvider = "unknown caProvider type given"
    81. 

  81. 	errCANamespace       = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
    82. 

  82. )
    83. 

  83. 

  84. type Client interface {
    85. 

  85. 	NewRequest(method, requestPath string) *vault.Request
    86. 

  86. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    87. 

  87. 	SetToken(v string)
    88. 

  88. 	Token() string
    89. 

  89. 	ClearToken()
    90. 

  90. 	SetNamespace(namespace string)
    91. 

  91. 	AddHeader(key, value string)
    92. 

  92. }
    93. 

  93. 

  94. type client struct {
    95. 

  95. 	kube      kclient.Client
    96. 

  96. 	store     *esv1alpha1.VaultProvider
    97. 

  97. 	log       logr.Logger
    98. 

  98. 	client    Client
    99. 

  99. 	namespace string
    100. 

  100. 	storeKind string
    101. 

  101. }
    102. 

  102. 

  103. func init() {
    104. 

  104. 	schema.Register(&connector{
    105. 

  105. 		newVaultClient: newVaultClient,
    106. 

  106. 	}, &esv1alpha1.SecretStoreProvider{
    107. 

  107. 		Vault: &esv1alpha1.VaultProvider{},
    108. 

  108. 	})
    109. 

  109. }
    110. 

  110. 

  111. func newVaultClient(c *vault.Config) (Client, error) {
    112. 

  112. 	return vault.NewClient(c)
    113. 

  113. }
    114. 

  114. 

  115. type connector struct {
    116. 

  116. 	newVaultClient func(c *vault.Config) (Client, error)
    117. 

  117. }
    118. 

  118. 

  119. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    120. 

  120. 	storeSpec := store.GetSpec()
    121. 

  121. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    122. 

  122. 		return nil, errors.New(errVaultStore)
    123. 

  123. 	}
    124. 

  124. 	vaultSpec := storeSpec.Provider.Vault
    125. 

  125. 

  126. 	vStore := &client{
    127. 

  127. 		kube:      kube,
    128. 

  128. 		store:     vaultSpec,
    129. 

  129. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    130. 

  130. 		namespace: namespace,
    131. 

  131. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    132. 

  132. 	}
    133. 

  133. 

  134. 	cfg, err := vStore.newConfig()
    135. 

  135. 	if err != nil {
    136. 

  136. 		return nil, err
    137. 

  137. 	}
    138. 

  138. 

  139. 	client, err := c.newVaultClient(cfg)
    140. 

  140. 	if err != nil {
    141. 

  141. 		return nil, fmt.Errorf(errVaultClient, err)
    142. 

  142. 	}
    143. 

  143. 

  144. 	if vaultSpec.Namespace != nil {
    145. 

  145. 		client.SetNamespace(*vaultSpec.Namespace)
    146. 

  146. 	}
    147. 

  147. 

  148. 	if vaultSpec.ReadYourWrites && vaultSpec.ForwardInconsistent {
    149. 

  149. 		client.AddHeader("X-Vault-Inconsistent", "forward-active-node")
    150. 

  150. 	}
    151. 

  151. 

  152. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    153. 

  153. 		return nil, err
    154. 

  154. 	}
    155. 

  155. 

  156. 	vStore.client = client
    157. 

  157. 

  158. 	return vStore, nil
    159. 

  159. }
    160. 

  160. 

  161. // GetSecret supports two types:
    162. 

  162. // 1. get the full secret as json-encoded value
    163. 

  163. //    by leaving the ref.Property empty.
    164. 

  164. // 2. get a key from the secret.
    165. 

  165. //    Nested values are supported by specifying a gjson expression
    166. 

  166. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    167. 

  167. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    168. 

  168. 	if err != nil {
    169. 

  169. 		return nil, err
    170. 

  170. 	}
    171. 

  171. 	jsonStr, err := json.Marshal(data)
    172. 

  172. 	if err != nil {
    173. 

  173. 		return nil, err
    174. 

  174. 	}
    175. 

  175. 	// (1): return raw json if no property is defined
    176. 

  176. 	if ref.Property == "" {
    177. 

  177. 		return jsonStr, nil
    178. 

  178. 	}
    179. 

  179. 

  180. 	// For backwards compatibility we want the
    181. 

  181. 	// actual keys to take precedence over gjson syntax
    182. 

  182. 	// (2): extract key from secret with property
    183. 

  183. 	if _, ok := data[ref.Property]; ok {
    184. 

  184. 		return getTypedKey(data, ref.Property)
    185. 

  185. 	}
    186. 

  186. 

  187. 	// (2): extract key from secret using gjson
    188. 

  188. 	val := gjson.Get(string(jsonStr), ref.Property)
    189. 

  189. 	if !val.Exists() {
    190. 

  190. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    191. 

  191. 	}
    192. 

  192. 	return []byte(val.String()), nil
    193. 

  193. }
    194. 

  194. 

  195. // GetSecretMap supports two modes of operation:
    196. 

  196. // 1. get the full secret from the vault data payload (by leaving .property empty).
    197. 

  197. // 2. extract key/value pairs from a (nested) object.
    198. 

  198. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    199. 

  199. 	data, err := v.GetSecret(ctx, ref)
    200. 

  200. 	if err != nil {
    201. 

  201. 		return nil, err
    202. 

  202. 	}
    203. 

  203. 

  204. 	var secretData map[string]interface{}
    205. 

  205. 	err = json.Unmarshal(data, &secretData)
    206. 

  206. 	if err != nil {
    207. 

  207. 		return nil, err
    208. 

  208. 	}
    209. 

  209. 	byteMap := make(map[string][]byte, len(secretData))
    210. 

  210. 	for k := range secretData {
    211. 

  211. 		byteMap[k], err = getTypedKey(secretData, k)
    212. 

  212. 		if err != nil {
    213. 

  213. 			return nil, err
    214. 

  214. 		}
    215. 

  215. 	}
    216. 

  216. 

  217. 	return byteMap, nil
    218. 

  218. }
    219. 

  219. 

  220. func getTypedKey(data map[string]interface{}, key string) ([]byte, error) {
    221. 

  221. 	v, ok := data[key]
    222. 

  222. 	if !ok {
    223. 

  223. 		return nil, fmt.Errorf(errUnexpectedKey, key)
    224. 

  224. 	}
    225. 

  225. 	switch t := v.(type) {
    226. 

  226. 	case string:
    227. 

  227. 		return []byte(t), nil
    228. 

  228. 	case map[string]interface{}:
    229. 

  229. 		return json.Marshal(t)
    230. 

  230. 	case []byte:
    231. 

  231. 		return t, nil
    232. 

  232. 	// also covers int and float32 due to json.Marshal
    233. 

  233. 	case float64:
    234. 

  234. 		return []byte(strconv.FormatFloat(t, 'f', -1, 64)), nil
    235. 

  235. 	case bool:
    236. 

  236. 		return []byte(strconv.FormatBool(t)), nil
    237. 

  237. 	case nil:
    238. 

  238. 		return []byte(nil), nil
    239. 

  239. 	default:
    240. 

  240. 		return nil, errors.New(errSecretFormat)
    241. 

  241. 	}
    242. 

  242. }
    243. 

  243. 

  244. func (v *client) Close(ctx context.Context) error {
    245. 

  245. 	// Revoke the token if we have one set and it wasn't sourced from a TokenSecretRef
    246. 

  246. 	if v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
    247. 

  247. 		req := v.client.NewRequest(http.MethodPost, "/v1/auth/token/revoke-self")
    248. 

  248. 		_, err := v.client.RawRequestWithContext(ctx, req)
    249. 

  249. 		if err != nil {
    250. 

  250. 			return fmt.Errorf(errVaultRevokeToken, err)
    251. 

  251. 		}
    252. 

  252. 		v.client.ClearToken()
    253. 

  253. 	}
    254. 

  254. 	return nil
    255. 

  255. }
    256. 

  256. 

  257. func (v *client) Validate() error {
    258. 

  258. 	err := checkToken(context.Background(), v)
    259. 

  259. 	if err != nil {
    260. 

  260. 		return fmt.Errorf(errInvalidCredentials, err)
    261. 

  261. 	}
    262. 

  262. 	return nil
    263. 

  263. }
    264. 

  264. 

  265. func (v *client) buildPath(path string) string {
    266. 

  266. 	optionalMount := v.store.Path
    267. 

  267. 	origPath := strings.Split(path, "/")
    268. 

  268. 	newPath := make([]string, 0)
    269. 

  269. 	cursor := 0
    270. 

  270. 

  271. 	if optionalMount != nil && origPath[0] != *optionalMount {
    272. 

  272. 		// Default case before path was optional
    273. 

  273. 		// Ensure that the requested path includes the SecretStores paths as prefix
    274. 

  274. 		newPath = append(newPath, *optionalMount)
    275. 

  275. 	} else {
    276. 

  276. 		newPath = append(newPath, origPath[cursor])
    277. 

  277. 		cursor++
    278. 

  278. 	}
    279. 

  279. 

  280. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    281. 

  281. 		// Add the required `data` part of the URL for the v2 API
    282. 

  282. 		if len(origPath) < 2 || origPath[1] != "data" {
    283. 

  283. 			newPath = append(newPath, "data")
    284. 

  284. 		}
    285. 

  285. 	}
    286. 

  286. 	newPath = append(newPath, origPath[cursor:]...)
    287. 

  287. 	returnPath := strings.Join(newPath, "/")
    288. 

  288. 

  289. 	return returnPath
    290. 

  290. }
    291. 

  291. 

  292. func (v *client) readSecret(ctx context.Context, path, version string) (map[string]interface{}, error) {
    293. 

  293. 	dataPath := v.buildPath(path)
    294. 

  294. 

  295. 	// path formated according to vault docs for v1 and v2 API
    296. 

  296. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    297. 

  297. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    298. 

  298. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s", dataPath))
    299. 

  299. 	if version != "" {
    300. 

  300. 		req.Params.Set("version", version)
    301. 

  301. 	}
    302. 

  302. 

  303. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    304. 

  304. 	if err != nil {
    305. 

  305. 		return nil, fmt.Errorf(errReadSecret, err)
    306. 

  306. 	}
    307. 

  307. 

  308. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    309. 

  309. 	if err != nil {
    310. 

  310. 		return nil, err
    311. 

  311. 	}
    312. 

  312. 

  313. 	secretData := vaultSecret.Data
    314. 

  314. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    315. 

  315. 		// Vault KV2 has data embedded within sub-field
    316. 

  316. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    317. 

  317. 		dataInt, ok := vaultSecret.Data["data"]
    318. 

  318. 

  319. 		if !ok {
    320. 

  320. 			return nil, errors.New(errDataField)
    321. 

  321. 		}
    322. 

  322. 		secretData, ok = dataInt.(map[string]interface{})
    323. 

  323. 		if !ok {
    324. 

  324. 			return nil, errors.New(errJSONUnmarshall)
    325. 

  325. 		}
    326. 

  326. 	}
    327. 

  327. 

  328. 	return secretData, nil
    329. 

  329. }
    330. 

  330. 

  331. func (v *client) newConfig() (*vault.Config, error) {
    332. 

  332. 	cfg := vault.DefaultConfig()
    333. 

  333. 	cfg.Address = v.store.Server
    334. 

  334. 

  335. 	if len(v.store.CABundle) == 0 && v.store.CAProvider == nil {
    336. 

  336. 		return cfg, nil
    337. 

  337. 	}
    338. 

  338. 

  339. 	caCertPool := x509.NewCertPool()
    340. 

  340. 

  341. 	if len(v.store.CABundle) > 0 {
    342. 

  342. 		ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    343. 

  343. 		if !ok {
    344. 

  344. 			return nil, errors.New(errVaultCert)
    345. 

  345. 		}
    346. 

  346. 	}
    347. 

  347. 

  348. 	if v.store.CAProvider != nil && v.storeKind == esv1alpha1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
    349. 

  349. 		return nil, errors.New(errCANamespace)
    350. 

  350. 	}
    351. 

  351. 

  352. 	if v.store.CAProvider != nil {
    353. 

  353. 		var cert []byte
    354. 

  354. 		var err error
    355. 

  355. 

  356. 		switch v.store.CAProvider.Type {
    357. 

  357. 		case esv1alpha1.CAProviderTypeSecret:
    358. 

  358. 			cert, err = getCertFromSecret(v)
    359. 

  359. 		case esv1alpha1.CAProviderTypeConfigMap:
    360. 

  360. 			cert, err = getCertFromConfigMap(v)
    361. 

  361. 		default:
    362. 

  362. 			return nil, errors.New(errUnknownCAProvider)
    363. 

  363. 		}
    364. 

  364. 

  365. 		if err != nil {
    366. 

  366. 			return nil, err
    367. 

  367. 		}
    368. 

  368. 

  369. 		ok := caCertPool.AppendCertsFromPEM(cert)
    370. 

  370. 		if !ok {
    371. 

  371. 			return nil, errors.New(errVaultCert)
    372. 

  372. 		}
    373. 

  373. 	}
    374. 

  374. 

  375. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    376. 

  376. 		transport.TLSClientConfig.RootCAs = caCertPool
    377. 

  377. 	}
    378. 

  378. 

  379. 	// If either read-after-write consistency feature is enabled, enable ReadYourWrites
    380. 

  380. 	cfg.ReadYourWrites = v.store.ReadYourWrites || v.store.ForwardInconsistent
    381. 

  381. 

  382. 	return cfg, nil
    383. 

  383. }
    384. 

  384. 

  385. func getCertFromSecret(v *client) ([]byte, error) {
    386. 

  386. 	secretRef := esmeta.SecretKeySelector{
    387. 

  387. 		Name: v.store.CAProvider.Name,
    388. 

  388. 		Key:  v.store.CAProvider.Key,
    389. 

  389. 	}
    390. 

  390. 

  391. 	if v.store.CAProvider.Namespace != nil {
    392. 

  392. 		secretRef.Namespace = v.store.CAProvider.Namespace
    393. 

  393. 	}
    394. 

  394. 

  395. 	ctx := context.Background()
    396. 

  396. 	res, err := v.secretKeyRef(ctx, &secretRef)
    397. 

  397. 	if err != nil {
    398. 

  398. 		return nil, fmt.Errorf(errVaultCert, err)
    399. 

  399. 	}
    400. 

  400. 

  401. 	return []byte(res), nil
    402. 

  402. }
    403. 

  403. 

  404. func getCertFromConfigMap(v *client) ([]byte, error) {
    405. 

  405. 	objKey := types.NamespacedName{
    406. 

  406. 		Name: v.store.CAProvider.Name,
    407. 

  407. 	}
    408. 

  408. 

  409. 	if v.store.CAProvider.Namespace != nil {
    410. 

  410. 		objKey.Namespace = *v.store.CAProvider.Namespace
    411. 

  411. 	}
    412. 

  412. 

  413. 	configMapRef := &corev1.ConfigMap{}
    414. 

  414. 	ctx := context.Background()
    415. 

  415. 	err := v.kube.Get(ctx, objKey, configMapRef)
    416. 

  416. 	if err != nil {
    417. 

  417. 		return nil, fmt.Errorf(errVaultCert, err)
    418. 

  418. 	}
    419. 

  419. 

  420. 	val, ok := configMapRef.Data[v.store.CAProvider.Key]
    421. 

  421. 	if !ok {
    422. 

  422. 		return nil, fmt.Errorf(errConfigMapFmt, v.store.CAProvider.Key)
    423. 

  423. 	}
    424. 

  424. 

  425. 	return []byte(val), nil
    426. 

  426. }
    427. 

  427. 

  428. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    429. 

  429. 	tokenExists, err := setSecretKeyToken(ctx, v, client)
    430. 

  430. 	if tokenExists {
    431. 

  431. 		return err
    432. 

  432. 	}
    433. 

  433. 

  434. 	tokenExists, err = setAppRoleToken(ctx, v, client)
    435. 

  435. 	if tokenExists {
    436. 

  436. 		return err
    437. 

  437. 	}
    438. 

  438. 

  439. 	tokenExists, err = setKubernetesAuthToken(ctx, v, client)
    440. 

  440. 	if tokenExists {
    441. 

  441. 		return err
    442. 

  442. 	}
    443. 

  443. 

  444. 	tokenExists, err = setLdapAuthToken(ctx, v, client)
    445. 

  445. 	if tokenExists {
    446. 

  446. 		return err
    447. 

  447. 	}
    448. 

  448. 

  449. 	tokenExists, err = setJwtAuthToken(ctx, v, client)
    450. 

  450. 	if tokenExists {
    451. 

  451. 		return err
    452. 

  452. 	}
    453. 

  453. 

  454. 	tokenExists, err = setCertAuthToken(ctx, v, client, cfg)
    455. 

  455. 	if tokenExists {
    456. 

  456. 		return err
    457. 

  457. 	}
    458. 

  458. 

  459. 	return errors.New(errAuthFormat)
    460. 

  460. }
    461. 

  461. 

  462. func setAppRoleToken(ctx context.Context, v *client, client Client) (bool, error) {
    463. 

  463. 	tokenRef := v.store.Auth.TokenSecretRef
    464. 

  464. 	if tokenRef != nil {
    465. 

  465. 		token, err := v.secretKeyRef(ctx, tokenRef)
    466. 

  466. 		if err != nil {
    467. 

  467. 			return true, err
    468. 

  468. 		}
    469. 

  469. 		client.SetToken(token)
    470. 

  470. 		return true, nil
    471. 

  471. 	}
    472. 

  472. 	return false, nil
    473. 

  473. }
    474. 

  474. 

  475. func setSecretKeyToken(ctx context.Context, v *client, client Client) (bool, error) {
    476. 

  476. 	appRole := v.store.Auth.AppRole
    477. 

  477. 	if appRole != nil {
    478. 

  478. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    479. 

  479. 		if err != nil {
    480. 

  480. 			return true, err
    481. 

  481. 		}
    482. 

  482. 		client.SetToken(token)
    483. 

  483. 		return true, nil
    484. 

  484. 	}
    485. 

  485. 	return false, nil
    486. 

  486. }
    487. 

  487. 

  488. func setKubernetesAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    489. 

  489. 	kubernetesAuth := v.store.Auth.Kubernetes
    490. 

  490. 	if kubernetesAuth != nil {
    491. 

  491. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    492. 

  492. 		if err != nil {
    493. 

  493. 			return true, err
    494. 

  494. 		}
    495. 

  495. 		client.SetToken(token)
    496. 

  496. 		return true, nil
    497. 

  497. 	}
    498. 

  498. 	return false, nil
    499. 

  499. }
    500. 

  500. 

  501. func setLdapAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    502. 

  502. 	ldapAuth := v.store.Auth.Ldap
    503. 

  503. 	if ldapAuth != nil {
    504. 

  504. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    505. 

  505. 		if err != nil {
    506. 

  506. 			return true, err
    507. 

  507. 		}
    508. 

  508. 		client.SetToken(token)
    509. 

  509. 		return true, nil
    510. 

  510. 	}
    511. 

  511. 	return false, nil
    512. 

  512. }
    513. 

  513. 

  514. func setJwtAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    515. 

  515. 	jwtAuth := v.store.Auth.Jwt
    516. 

  516. 	if jwtAuth != nil {
    517. 

  517. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    518. 

  518. 		if err != nil {
    519. 

  519. 			return true, err
    520. 

  520. 		}
    521. 

  521. 		client.SetToken(token)
    522. 

  522. 		return true, nil
    523. 

  523. 	}
    524. 

  524. 	return false, nil
    525. 

  525. }
    526. 

  526. 

  527. func setCertAuthToken(ctx context.Context, v *client, client Client, cfg *vault.Config) (bool, error) {
    528. 

  528. 	certAuth := v.store.Auth.Cert
    529. 

  529. 	if certAuth != nil {
    530. 

  530. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    531. 

  531. 		if err != nil {
    532. 

  532. 			return true, err
    533. 

  533. 		}
    534. 

  534. 		client.SetToken(token)
    535. 

  535. 		return true, nil
    536. 

  536. 	}
    537. 

  537. 	return false, nil
    538. 

  538. }
    539. 

  539. 

  540. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    541. 

  541. 	serviceAccount := &corev1.ServiceAccount{}
    542. 

  542. 	ref := types.NamespacedName{
    543. 

  543. 		Namespace: v.namespace,
    544. 

  544. 		Name:      serviceAccountRef.Name,
    545. 

  545. 	}
    546. 

  546. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    547. 

  547. 		(serviceAccountRef.Namespace != nil) {
    548. 

  548. 		ref.Namespace = *serviceAccountRef.Namespace
    549. 

  549. 	}
    550. 

  550. 	err := v.kube.Get(ctx, ref, serviceAccount)
    551. 

  551. 	if err != nil {
    552. 

  552. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    553. 

  553. 	}
    554. 

  554. 	if len(serviceAccount.Secrets) == 0 {
    555. 

  555. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    556. 

  556. 	}
    557. 

  557. 	for _, tokenRef := range serviceAccount.Secrets {
    558. 

  558. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    559. 

  559. 			Name:      tokenRef.Name,
    560. 

  560. 			Namespace: &ref.Namespace,
    561. 

  561. 			Key:       "token",
    562. 

  562. 		})
    563. 

  563. 

  564. 		if err != nil {
    565. 

  565. 			continue
    566. 

  566. 		}
    567. 

  567. 

  568. 		return retval, nil
    569. 

  569. 	}
    570. 

  570. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    571. 

  571. }
    572. 

  572. 

  573. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    574. 

  574. 	secret := &corev1.Secret{}
    575. 

  575. 	ref := types.NamespacedName{
    576. 

  576. 		Namespace: v.namespace,
    577. 

  577. 		Name:      secretRef.Name,
    578. 

  578. 	}
    579. 

  579. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    580. 

  580. 		(secretRef.Namespace != nil) {
    581. 

  581. 		ref.Namespace = *secretRef.Namespace
    582. 

  582. 	}
    583. 

  583. 	err := v.kube.Get(ctx, ref, secret)
    584. 

  584. 	if err != nil {
    585. 

  585. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    586. 

  586. 	}
    587. 

  587. 

  588. 	keyBytes, ok := secret.Data[secretRef.Key]
    589. 

  589. 	if !ok {
    590. 

  590. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    591. 

  591. 	}
    592. 

  592. 

  593. 	value := string(keyBytes)
    594. 

  594. 	valueStr := strings.TrimSpace(value)
    595. 

  595. 	return valueStr, nil
    596. 

  596. }
    597. 

  597. 

  598. // checkToken does a lookup and checks if the provided token exists.
    599. 

  599. func checkToken(ctx context.Context, vStore *client) error {
    600. 

  600. 	// https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self
    601. 

  601. 	req := vStore.client.NewRequest("GET", "/v1/auth/token/lookup-self")
    602. 

  602. 	_, err := vStore.client.RawRequestWithContext(ctx, req)
    603. 

  603. 	return err
    604. 

  604. }
    605. 

  605. 

  606. // appRoleParameters creates the required body for Vault AppRole Auth.
    607. 

  607. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    608. 

  608. func appRoleParameters(role, secret string) map[string]string {
    609. 

  609. 	return map[string]string{
    610. 

  610. 		"role_id":   role,
    611. 

  611. 		"secret_id": secret,
    612. 

  612. 	}
    613. 

  613. }
    614. 

  614. 

  615. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    616. 

  616. 	roleID := strings.TrimSpace(appRole.RoleID)
    617. 

  617. 

  618. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    619. 

  619. 	if err != nil {
    620. 

  620. 		return "", err
    621. 

  621. 	}
    622. 

  622. 

  623. 	parameters := appRoleParameters(roleID, secretID)
    624. 

  624. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    625. 

  625. 	request := client.NewRequest("POST", url)
    626. 

  626. 

  627. 	err = request.SetJSONBody(parameters)
    628. 

  628. 	if err != nil {
    629. 

  629. 		return "", fmt.Errorf(errVaultReqParams, err)
    630. 

  630. 	}
    631. 

  631. 

  632. 	resp, err := client.RawRequestWithContext(ctx, request)
    633. 

  633. 	if err != nil {
    634. 

  634. 		return "", fmt.Errorf(errVaultRequest, err)
    635. 

  635. 	}
    636. 

  636. 

  637. 	defer resp.Body.Close()
    638. 

  638. 

  639. 	vaultResult := vault.Secret{}
    640. 

  640. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    641. 

  641. 		return "", fmt.Errorf(errVaultResponse, err)
    642. 

  642. 	}
    643. 

  643. 

  644. 	token, err := vaultResult.TokenID()
    645. 

  645. 	if err != nil {
    646. 

  646. 		return "", fmt.Errorf(errVaultToken, err)
    647. 

  647. 	}
    648. 

  648. 

  649. 	return token, nil
    650. 

  650. }
    651. 

  651. 

  652. // kubeParameters creates the required body for Vault Kubernetes auth.
    653. 

  653. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    654. 

  654. func kubeParameters(role, jwt string) map[string]string {
    655. 

  655. 	return map[string]string{
    656. 

  656. 		"role": role,
    657. 

  657. 		"jwt":  jwt,
    658. 

  658. 	}
    659. 

  659. }
    660. 

  660. 

  661. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    662. 

  662. 	jwtString, err := getJwtString(ctx, v, kubernetesAuth)
    663. 

  663. 	if err != nil {
    664. 

  664. 		return "", err
    665. 

  665. 	}
    666. 

  666. 

  667. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    668. 

  668. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    669. 

  669. 	request := client.NewRequest("POST", url)
    670. 

  670. 

  671. 	err = request.SetJSONBody(parameters)
    672. 

  672. 	if err != nil {
    673. 

  673. 		return "", fmt.Errorf(errVaultReqParams, err)
    674. 

  674. 	}
    675. 

  675. 

  676. 	resp, err := client.RawRequestWithContext(ctx, request)
    677. 

  677. 	if err != nil {
    678. 

  678. 		return "", fmt.Errorf(errVaultRequest, err)
    679. 

  679. 	}
    680. 

  680. 

  681. 	defer resp.Body.Close()
    682. 

  682. 	vaultResult := vault.Secret{}
    683. 

  683. 	err = resp.DecodeJSON(&vaultResult)
    684. 

  684. 	if err != nil {
    685. 

  685. 		return "", fmt.Errorf(errVaultResponse, err)
    686. 

  686. 	}
    687. 

  687. 

  688. 	token, err := vaultResult.TokenID()
    689. 

  689. 	if err != nil {
    690. 

  690. 		return "", fmt.Errorf(errVaultToken, err)
    691. 

  691. 	}
    692. 

  692. 

  693. 	return token, nil
    694. 

  694. }
    695. 

  695. 

  696. func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    697. 

  697. 	if kubernetesAuth.ServiceAccountRef != nil {
    698. 

  698. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    699. 

  699. 		if err != nil {
    700. 

  700. 			return "", err
    701. 

  701. 		}
    702. 

  702. 		return jwt, nil
    703. 

  703. 	} else if kubernetesAuth.SecretRef != nil {
    704. 

  704. 		tokenRef := kubernetesAuth.SecretRef
    705. 

  705. 		if tokenRef.Key == "" {
    706. 

  706. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    707. 

  707. 			tokenRef.Key = "token"
    708. 

  708. 		}
    709. 

  709. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    710. 

  710. 		if err != nil {
    711. 

  711. 			return "", err
    712. 

  712. 		}
    713. 

  713. 		return jwt, nil
    714. 

  714. 	} else {
    715. 

  715. 		// Kubernetes authentication is specified, but without a referenced
    716. 

  716. 		// Kubernetes secret. We check if the file path for in-cluster service account
    717. 

  717. 		// exists and attempt to use the token for Vault Kubernetes auth.
    718. 

  718. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    719. 

  719. 			return "", fmt.Errorf(errServiceAccount, err)
    720. 

  720. 		}
    721. 

  721. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    722. 

  722. 		if err != nil {
    723. 

  723. 			return "", fmt.Errorf(errServiceAccount, err)
    724. 

  724. 		}
    725. 

  725. 		return string(jwtByte), nil
    726. 

  726. 	}
    727. 

  727. }
    728. 

  728. 

  729. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    730. 

  730. 	username := strings.TrimSpace(ldapAuth.Username)
    731. 

  731. 

  732. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    733. 

  733. 	if err != nil {
    734. 

  734. 		return "", err
    735. 

  735. 	}
    736. 

  736. 

  737. 	parameters := map[string]string{
    738. 

  738. 		"password": password,
    739. 

  739. 	}
    740. 

  740. 	url := strings.Join([]string{"/v1", "auth", ldapAuth.Path, "login", username}, "/")
    741. 

  741. 	request := client.NewRequest("POST", url)
    742. 

  742. 

  743. 	err = request.SetJSONBody(parameters)
    744. 

  744. 	if err != nil {
    745. 

  745. 		return "", fmt.Errorf(errVaultReqParams, err)
    746. 

  746. 	}
    747. 

  747. 

  748. 	resp, err := client.RawRequestWithContext(ctx, request)
    749. 

  749. 	if err != nil {
    750. 

  750. 		return "", fmt.Errorf(errVaultRequest, err)
    751. 

  751. 	}
    752. 

  752. 

  753. 	defer resp.Body.Close()
    754. 

  754. 

  755. 	vaultResult := vault.Secret{}
    756. 

  756. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    757. 

  757. 		return "", fmt.Errorf(errVaultResponse, err)
    758. 

  758. 	}
    759. 

  759. 

  760. 	token, err := vaultResult.TokenID()
    761. 

  761. 	if err != nil {
    762. 

  762. 		return "", fmt.Errorf(errVaultToken, err)
    763. 

  763. 	}
    764. 

  764. 

  765. 	return token, nil
    766. 

  766. }
    767. 

  767. 

  768. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    769. 

  769. 	role := strings.TrimSpace(jwtAuth.Role)
    770. 

  770. 

  771. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    772. 

  772. 	if err != nil {
    773. 

  773. 		return "", err
    774. 

  774. 	}
    775. 

  775. 

  776. 	parameters := map[string]string{
    777. 

  777. 		"role": role,
    778. 

  778. 		"jwt":  jwt,
    779. 

  779. 	}
    780. 

  780. 	url := strings.Join([]string{"/v1", "auth", jwtAuth.Path, "login"}, "/")
    781. 

  781. 	request := client.NewRequest("POST", url)
    782. 

  782. 

  783. 	err = request.SetJSONBody(parameters)
    784. 

  784. 	if err != nil {
    785. 

  785. 		return "", fmt.Errorf(errVaultReqParams, err)
    786. 

  786. 	}
    787. 

  787. 

  788. 	resp, err := client.RawRequestWithContext(ctx, request)
    789. 

  789. 	if err != nil {
    790. 

  790. 		return "", fmt.Errorf(errVaultRequest, err)
    791. 

  791. 	}
    792. 

  792. 

  793. 	defer resp.Body.Close()
    794. 

  794. 

  795. 	vaultResult := vault.Secret{}
    796. 

  796. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    797. 

  797. 		return "", fmt.Errorf(errVaultResponse, err)
    798. 

  798. 	}
    799. 

  799. 

  800. 	token, err := vaultResult.TokenID()
    801. 

  801. 	if err != nil {
    802. 

  802. 		return "", fmt.Errorf(errVaultToken, err)
    803. 

  803. 	}
    804. 

  804. 

  805. 	return token, nil
    806. 

  806. }
    807. 

  807. 

  808. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
    809. 

  809. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    810. 

  810. 	if err != nil {
    811. 

  811. 		return "", err
    812. 

  812. 	}
    813. 

  813. 

  814. 	clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
    815. 

  815. 	if err != nil {
    816. 

  816. 		return "", err
    817. 

  817. 	}
    818. 

  818. 

  819. 	cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
    820. 

  820. 	if err != nil {
    821. 

  821. 		return "", fmt.Errorf(errClientTLSAuth, err)
    822. 

  822. 	}
    823. 

  823. 

  824. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    825. 

  825. 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
    826. 

  826. 	}
    827. 

  827. 

  828. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    829. 

  829. 	request := client.NewRequest("POST", url)
    830. 

  830. 

  831. 	resp, err := client.RawRequestWithContext(ctx, request)
    832. 

  832. 	if err != nil {
    833. 

  833. 		return "", fmt.Errorf(errVaultRequest, err)
    834. 

  834. 	}
    835. 

  835. 

  836. 	defer resp.Body.Close()
    837. 

  837. 

  838. 	vaultResult := vault.Secret{}
    839. 

  839. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    840. 

  840. 		return "", fmt.Errorf(errVaultResponse, err)
    841. 

  841. 	}
    842. 

  842. 

  843. 	token, err := vaultResult.TokenID()
    844. 

  844. 	if err != nil {
    845. 

  845. 		return "", fmt.Errorf(errVaultToken, err)
    846. 

  846. 	}
    847. 

  847. 

  848. 	return token, nil
    849. 

  849. }
    850.