Ana Sayfa Keşfet Yardım
Giriş Yap
logic855
/
helm-external-secrets
şunun yansıması https://github.com/external-secrets/external-secrets
1
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Ağaç: 6f3adf91d5
Dallar Biçim İmleri
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 15 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/x509"
    20. 

  20. 	"encoding/json"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"net/http"
    25. 

  25. 	"os"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	"github.com/go-logr/logr"
    29. 

  29. 	vault "github.com/hashicorp/vault/api"
    30. 

  30. 	corev1 "k8s.io/api/core/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	ctrl "sigs.k8s.io/controller-runtime"
    33. 

  33. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	_ provider.Provider      = &connector{}
    43. 

  43. 	_ provider.SecretsClient = &client{}
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    48. 

  48. 

  49. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    50. 

  50. 	errVaultClient    = "cannot setup new vault client: %w"
    51. 

  51. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    52. 

  52. 	errReadSecret     = "cannot read secret data from Vault: %w"
    53. 

  53. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    54. 

  54. 	errDataField      = "failed to find data field: %v"
    55. 

  55. 	errJSONUnmarshall = "failed to unmarshall JSON: %v"
    56. 

  56. 	errSecretFormat   = "secret data not in expected format: %v"
    57. 

  57. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    58. 

  58. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    59. 

  59. 	errVaultRequest   = "error from Vault request: %w"
    60. 

  60. 	errVaultResponse  = "cannot parse Vault response: %w"
    61. 

  61. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    62. 

  62. 

  63. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    64. 

  64. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    65. 

  65. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    66. 

  66. 

  67. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    68. 

  68. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    69. 

  69. )
    70. 

  70. 

  71. type Client interface {
    72. 

  72. 	NewRequest(method, requestPath string) *vault.Request
    73. 

  73. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    74. 

  74. 	SetToken(v string)
    75. 

  75. 	SetNamespace(namespace string)
    76. 

  76. }
    77. 

  77. 

  78. type client struct {
    79. 

  79. 	kube      kclient.Client
    80. 

  80. 	store     *esv1alpha1.VaultProvider
    81. 

  81. 	log       logr.Logger
    82. 

  82. 	client    Client
    83. 

  83. 	namespace string
    84. 

  84. 	storeKind string
    85. 

  85. }
    86. 

  86. 

  87. func init() {
    88. 

  88. 	schema.Register(&connector{
    89. 

  89. 		newVaultClient: newVaultClient,
    90. 

  90. 	}, &esv1alpha1.SecretStoreProvider{
    91. 

  91. 		Vault: &esv1alpha1.VaultProvider{},
    92. 

  92. 	})
    93. 

  93. }
    94. 

  94. 

  95. func newVaultClient(c *vault.Config) (Client, error) {
    96. 

  96. 	return vault.NewClient(c)
    97. 

  97. }
    98. 

  98. 

  99. type connector struct {
    100. 

  100. 	newVaultClient func(c *vault.Config) (Client, error)
    101. 

  101. }
    102. 

  102. 

  103. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    104. 

  104. 	storeSpec := store.GetSpec()
    105. 

  105. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    106. 

  106. 		return nil, errors.New(errVaultStore)
    107. 

  107. 	}
    108. 

  108. 	vaultSpec := storeSpec.Provider.Vault
    109. 

  109. 

  110. 	vStore := &client{
    111. 

  111. 		kube:      kube,
    112. 

  112. 		store:     vaultSpec,
    113. 

  113. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    114. 

  114. 		namespace: namespace,
    115. 

  115. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    116. 

  116. 	}
    117. 

  117. 

  118. 	cfg, err := vStore.newConfig()
    119. 

  119. 	if err != nil {
    120. 

  120. 		return nil, err
    121. 

  121. 	}
    122. 

  122. 

  123. 	client, err := c.newVaultClient(cfg)
    124. 

  124. 	if err != nil {
    125. 

  125. 		return nil, fmt.Errorf(errVaultClient, err)
    126. 

  126. 	}
    127. 

  127. 

  128. 	if vaultSpec.Namespace != nil {
    129. 

  129. 		client.SetNamespace(*vaultSpec.Namespace)
    130. 

  130. 	}
    131. 

  131. 

  132. 	if err := vStore.setAuth(ctx, client); err != nil {
    133. 

  133. 		return nil, err
    134. 

  134. 	}
    135. 

  135. 

  136. 	vStore.client = client
    137. 

  137. 	return vStore, nil
    138. 

  138. }
    139. 

  139. 

  140. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    141. 

  141. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    142. 

  142. 	if err != nil {
    143. 

  143. 		return nil, err
    144. 

  144. 	}
    145. 

  145. 	value, exists := data[ref.Property]
    146. 

  146. 	if !exists {
    147. 

  147. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    148. 

  148. 	}
    149. 

  149. 	return value, nil
    150. 

  150. }
    151. 

  151. 

  152. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    153. 

  153. 	return v.readSecret(ctx, ref.Key, ref.Version)
    154. 

  154. }
    155. 

  155. 

  156. func (v *client) Close() error {
    157. 

  157. 	return nil
    158. 

  158. }
    159. 

  159. 

  160. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    161. 

  161. 	kvPath := v.store.Path
    162. 

  162. 

  163. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    164. 

  164. 		if !strings.HasSuffix(kvPath, "/data") {
    165. 

  165. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    166. 

  166. 		}
    167. 

  167. 	}
    168. 

  168. 

  169. 	// path formated according to vault docs for v1 and v2 API
    170. 

  170. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    171. 

  171. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    172. 

  172. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    173. 

  173. 	if version != "" {
    174. 

  174. 		req.Params.Set("version", version)
    175. 

  175. 	}
    176. 

  176. 

  177. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    178. 

  178. 	if err != nil {
    179. 

  179. 		return nil, fmt.Errorf(errReadSecret, err)
    180. 

  180. 	}
    181. 

  181. 

  182. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    183. 

  183. 	if err != nil {
    184. 

  184. 		return nil, err
    185. 

  185. 	}
    186. 

  186. 

  187. 	secretData := vaultSecret.Data
    188. 

  188. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    189. 

  189. 		// Vault KV2 has data embedded within sub-field
    190. 

  190. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    191. 

  191. 		dataInt, ok := vaultSecret.Data["data"]
    192. 

  192. 

  193. 		if !ok {
    194. 

  194. 			return nil, fmt.Errorf(errDataField, vaultSecret.Data)
    195. 

  195. 		}
    196. 

  196. 		secretData, ok = dataInt.(map[string]interface{})
    197. 

  197. 		if !ok {
    198. 

  198. 			return nil, fmt.Errorf(errJSONUnmarshall, dataInt)
    199. 

  199. 		}
    200. 

  200. 	}
    201. 

  201. 

  202. 	byteMap := make(map[string][]byte, len(secretData))
    203. 

  203. 	for k, v := range secretData {
    204. 

  204. 		switch t := v.(type) {
    205. 

  205. 		case string:
    206. 

  206. 			byteMap[k] = []byte(t)
    207. 

  207. 		case []byte:
    208. 

  208. 			byteMap[k] = t
    209. 

  209. 		case map[string]interface{}:
    210. 

  210. 			jsonString, err := json.Marshal(t)
    211. 

  211. 			byteMap[k] = jsonString
    212. 

  212. 			if err != nil {
    213. 

  213. 				return nil, err
    214. 

  214. 			}
    215. 

  215. 

  216. 		default:
    217. 

  217. 			return nil, fmt.Errorf(errSecretFormat, secretData)
    218. 

  218. 		}
    219. 

  219. 	}
    220. 

  220. 

  221. 	return byteMap, nil
    222. 

  222. }
    223. 

  223. 

  224. func (v *client) newConfig() (*vault.Config, error) {
    225. 

  225. 	cfg := vault.DefaultConfig()
    226. 

  226. 	cfg.Address = v.store.Server
    227. 

  227. 

  228. 	if len(v.store.CABundle) == 0 {
    229. 

  229. 		return cfg, nil
    230. 

  230. 	}
    231. 

  231. 

  232. 	caCertPool := x509.NewCertPool()
    233. 

  233. 	ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    234. 

  234. 	if !ok {
    235. 

  235. 		return nil, errors.New(errVaultCert)
    236. 

  236. 	}
    237. 

  237. 

  238. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    239. 

  239. 		transport.TLSClientConfig.RootCAs = caCertPool
    240. 

  240. 	}
    241. 

  241. 

  242. 	return cfg, nil
    243. 

  243. }
    244. 

  244. 

  245. func (v *client) setAuth(ctx context.Context, client Client) error {
    246. 

  246. 	tokenRef := v.store.Auth.TokenSecretRef
    247. 

  247. 	if tokenRef != nil {
    248. 

  248. 		token, err := v.secretKeyRef(ctx, tokenRef)
    249. 

  249. 		if err != nil {
    250. 

  250. 			return err
    251. 

  251. 		}
    252. 

  252. 		client.SetToken(token)
    253. 

  253. 		return nil
    254. 

  254. 	}
    255. 

  255. 

  256. 	appRole := v.store.Auth.AppRole
    257. 

  257. 	if appRole != nil {
    258. 

  258. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    259. 

  259. 		if err != nil {
    260. 

  260. 			return err
    261. 

  261. 		}
    262. 

  262. 		client.SetToken(token)
    263. 

  263. 		return nil
    264. 

  264. 	}
    265. 

  265. 

  266. 	kubernetesAuth := v.store.Auth.Kubernetes
    267. 

  267. 	if kubernetesAuth != nil {
    268. 

  268. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    269. 

  269. 		if err != nil {
    270. 

  270. 			return err
    271. 

  271. 		}
    272. 

  272. 		client.SetToken(token)
    273. 

  273. 		return nil
    274. 

  274. 	}
    275. 

  275. 

  276. 	ldapAuth := v.store.Auth.Ldap
    277. 

  277. 	if ldapAuth != nil {
    278. 

  278. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    279. 

  279. 		if err != nil {
    280. 

  280. 			return err
    281. 

  281. 		}
    282. 

  282. 		client.SetToken(token)
    283. 

  283. 		return nil
    284. 

  284. 	}
    285. 

  285. 

  286. 	jwtAuth := v.store.Auth.Jwt
    287. 

  287. 	if jwtAuth != nil {
    288. 

  288. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    289. 

  289. 		if err != nil {
    290. 

  290. 			return err
    291. 

  291. 		}
    292. 

  292. 		client.SetToken(token)
    293. 

  293. 		return nil
    294. 

  294. 	}
    295. 

  295. 

  296. 	return errors.New(errAuthFormat)
    297. 

  297. }
    298. 

  298. 

  299. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    300. 

  300. 	serviceAccount := &corev1.ServiceAccount{}
    301. 

  301. 	ref := types.NamespacedName{
    302. 

  302. 		Namespace: v.namespace,
    303. 

  303. 		Name:      serviceAccountRef.Name,
    304. 

  304. 	}
    305. 

  305. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    306. 

  306. 		(serviceAccountRef.Namespace != nil) {
    307. 

  307. 		ref.Namespace = *serviceAccountRef.Namespace
    308. 

  308. 	}
    309. 

  309. 	err := v.kube.Get(ctx, ref, serviceAccount)
    310. 

  310. 	if err != nil {
    311. 

  311. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    312. 

  312. 	}
    313. 

  313. 	if len(serviceAccount.Secrets) == 0 {
    314. 

  314. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    315. 

  315. 	}
    316. 

  316. 	for _, tokenRef := range serviceAccount.Secrets {
    317. 

  317. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    318. 

  318. 			Name:      tokenRef.Name,
    319. 

  319. 			Namespace: &ref.Namespace,
    320. 

  320. 			Key:       "token",
    321. 

  321. 		})
    322. 

  322. 

  323. 		if err != nil {
    324. 

  324. 			continue
    325. 

  325. 		}
    326. 

  326. 

  327. 		return retval, nil
    328. 

  328. 	}
    329. 

  329. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    330. 

  330. }
    331. 

  331. 

  332. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    333. 

  333. 	secret := &corev1.Secret{}
    334. 

  334. 	ref := types.NamespacedName{
    335. 

  335. 		Namespace: v.namespace,
    336. 

  336. 		Name:      secretRef.Name,
    337. 

  337. 	}
    338. 

  338. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    339. 

  339. 		(secretRef.Namespace != nil) {
    340. 

  340. 		ref.Namespace = *secretRef.Namespace
    341. 

  341. 	}
    342. 

  342. 	err := v.kube.Get(ctx, ref, secret)
    343. 

  343. 	if err != nil {
    344. 

  344. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    345. 

  345. 	}
    346. 

  346. 

  347. 	keyBytes, ok := secret.Data[secretRef.Key]
    348. 

  348. 	if !ok {
    349. 

  349. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    350. 

  350. 	}
    351. 

  351. 

  352. 	value := string(keyBytes)
    353. 

  353. 	valueStr := strings.TrimSpace(value)
    354. 

  354. 	return valueStr, nil
    355. 

  355. }
    356. 

  356. 

  357. // appRoleParameters creates the required body for Vault AppRole Auth.
    358. 

  358. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    359. 

  359. func appRoleParameters(role, secret string) map[string]string {
    360. 

  360. 	return map[string]string{
    361. 

  361. 		"role_id":   role,
    362. 

  362. 		"secret_id": secret,
    363. 

  363. 	}
    364. 

  364. }
    365. 

  365. 

  366. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    367. 

  367. 	roleID := strings.TrimSpace(appRole.RoleID)
    368. 

  368. 

  369. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    370. 

  370. 	if err != nil {
    371. 

  371. 		return "", err
    372. 

  372. 	}
    373. 

  373. 

  374. 	parameters := appRoleParameters(roleID, secretID)
    375. 

  375. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    376. 

  376. 	request := client.NewRequest("POST", url)
    377. 

  377. 

  378. 	err = request.SetJSONBody(parameters)
    379. 

  379. 	if err != nil {
    380. 

  380. 		return "", fmt.Errorf(errVaultReqParams, err)
    381. 

  381. 	}
    382. 

  382. 

  383. 	resp, err := client.RawRequestWithContext(ctx, request)
    384. 

  384. 	if err != nil {
    385. 

  385. 		return "", fmt.Errorf(errVaultRequest, err)
    386. 

  386. 	}
    387. 

  387. 

  388. 	defer resp.Body.Close()
    389. 

  389. 

  390. 	vaultResult := vault.Secret{}
    391. 

  391. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    392. 

  392. 		return "", fmt.Errorf(errVaultResponse, err)
    393. 

  393. 	}
    394. 

  394. 

  395. 	token, err := vaultResult.TokenID()
    396. 

  396. 	if err != nil {
    397. 

  397. 		return "", fmt.Errorf(errVaultToken, err)
    398. 

  398. 	}
    399. 

  399. 

  400. 	return token, nil
    401. 

  401. }
    402. 

  402. 

  403. // kubeParameters creates the required body for Vault Kubernetes auth.
    404. 

  404. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    405. 

  405. func kubeParameters(role, jwt string) map[string]string {
    406. 

  406. 	return map[string]string{
    407. 

  407. 		"role": role,
    408. 

  408. 		"jwt":  jwt,
    409. 

  409. 	}
    410. 

  410. }
    411. 

  411. 

  412. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    413. 

  413. 	jwtString := ""
    414. 

  414. 	if kubernetesAuth.ServiceAccountRef != nil {
    415. 

  415. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    416. 

  416. 		if err != nil {
    417. 

  417. 			return "", err
    418. 

  418. 		}
    419. 

  419. 		jwtString = jwt
    420. 

  420. 	} else if kubernetesAuth.SecretRef != nil {
    421. 

  421. 		tokenRef := kubernetesAuth.SecretRef
    422. 

  422. 		if tokenRef.Key == "" {
    423. 

  423. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    424. 

  424. 			tokenRef.Key = "token"
    425. 

  425. 		}
    426. 

  426. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    427. 

  427. 		if err != nil {
    428. 

  428. 			return "", err
    429. 

  429. 		}
    430. 

  430. 		jwtString = jwt
    431. 

  431. 	} else {
    432. 

  432. 		// Kubernetes authentication is specified, but without a referenced
    433. 

  433. 		// Kubernetes secret. We check if the file path for in-cluster service account
    434. 

  434. 		// exists and attempt to use the token for Vault Kubernetes auth.
    435. 

  435. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    436. 

  436. 			return "", fmt.Errorf(errServiceAccount, err)
    437. 

  437. 		}
    438. 

  438. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    439. 

  439. 		if err != nil {
    440. 

  440. 			return "", fmt.Errorf(errServiceAccount, err)
    441. 

  441. 		}
    442. 

  442. 		jwtString = string(jwtByte)
    443. 

  443. 	}
    444. 

  444. 

  445. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    446. 

  446. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    447. 

  447. 	request := client.NewRequest("POST", url)
    448. 

  448. 

  449. 	err := request.SetJSONBody(parameters)
    450. 

  450. 	if err != nil {
    451. 

  451. 		return "", fmt.Errorf(errVaultReqParams, err)
    452. 

  452. 	}
    453. 

  453. 

  454. 	resp, err := client.RawRequestWithContext(ctx, request)
    455. 

  455. 	if err != nil {
    456. 

  456. 		return "", fmt.Errorf(errVaultRequest, err)
    457. 

  457. 	}
    458. 

  458. 

  459. 	defer resp.Body.Close()
    460. 

  460. 	vaultResult := vault.Secret{}
    461. 

  461. 	err = resp.DecodeJSON(&vaultResult)
    462. 

  462. 	if err != nil {
    463. 

  463. 		return "", fmt.Errorf(errVaultResponse, err)
    464. 

  464. 	}
    465. 

  465. 

  466. 	token, err := vaultResult.TokenID()
    467. 

  467. 	if err != nil {
    468. 

  468. 		return "", fmt.Errorf(errVaultToken, err)
    469. 

  469. 	}
    470. 

  470. 

  471. 	return token, nil
    472. 

  472. }
    473. 

  473. 

  474. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    475. 

  475. 	username := strings.TrimSpace(ldapAuth.Username)
    476. 

  476. 

  477. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    478. 

  478. 	if err != nil {
    479. 

  479. 		return "", err
    480. 

  480. 	}
    481. 

  481. 

  482. 	parameters := map[string]string{
    483. 

  483. 		"password": password,
    484. 

  484. 	}
    485. 

  485. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    486. 

  486. 	request := client.NewRequest("POST", url)
    487. 

  487. 

  488. 	err = request.SetJSONBody(parameters)
    489. 

  489. 	if err != nil {
    490. 

  490. 		return "", fmt.Errorf(errVaultReqParams, err)
    491. 

  491. 	}
    492. 

  492. 

  493. 	resp, err := client.RawRequestWithContext(ctx, request)
    494. 

  494. 	if err != nil {
    495. 

  495. 		return "", fmt.Errorf(errVaultRequest, err)
    496. 

  496. 	}
    497. 

  497. 

  498. 	defer resp.Body.Close()
    499. 

  499. 

  500. 	vaultResult := vault.Secret{}
    501. 

  501. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    502. 

  502. 		return "", fmt.Errorf(errVaultResponse, err)
    503. 

  503. 	}
    504. 

  504. 

  505. 	token, err := vaultResult.TokenID()
    506. 

  506. 	if err != nil {
    507. 

  507. 		return "", fmt.Errorf(errVaultToken, err)
    508. 

  508. 	}
    509. 

  509. 

  510. 	return token, nil
    511. 

  511. }
    512. 

  512. 

  513. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    514. 

  514. 	role := strings.TrimSpace(jwtAuth.Role)
    515. 

  515. 

  516. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    517. 

  517. 	if err != nil {
    518. 

  518. 		return "", err
    519. 

  519. 	}
    520. 

  520. 

  521. 	parameters := map[string]string{
    522. 

  522. 		"role": role,
    523. 

  523. 		"jwt":  jwt,
    524. 

  524. 	}
    525. 

  525. 	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
    526. 

  526. 	request := client.NewRequest("POST", url)
    527. 

  527. 

  528. 	err = request.SetJSONBody(parameters)
    529. 

  529. 	if err != nil {
    530. 

  530. 		return "", fmt.Errorf(errVaultReqParams, err)
    531. 

  531. 	}
    532. 

  532. 

  533. 	resp, err := client.RawRequestWithContext(ctx, request)
    534. 

  534. 	if err != nil {
    535. 

  535. 		return "", fmt.Errorf(errVaultRequest, err)
    536. 

  536. 	}
    537. 

  537. 

  538. 	defer resp.Body.Close()
    539. 

  539. 

  540. 	vaultResult := vault.Secret{}
    541. 

  541. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    542. 

  542. 		return "", fmt.Errorf(errVaultResponse, err)
    543. 

  543. 	}
    544. 

  544. 

  545. 	token, err := vaultResult.TokenID()
    546. 

  546. 	if err != nil {
    547. 

  547. 		return "", fmt.Errorf(errVaultToken, err)
    548. 

  548. 	}
    549. 

  549. 

  550. 	return token, nil
    551. 

  551. }
    552.