Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 731c0ed736
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
auth.go

auth.go 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"fmt"
    21. 

  21. 

  22. 	vault "github.com/hashicorp/vault/api"
    23. 

  23. 	authv1 "k8s.io/api/authentication/v1"
    24. 

  24. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    25. 

  25. 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
    26. 

  26. 

  27. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    28. 

  28. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    29. 

  29. 	"github.com/external-secrets/external-secrets/pkg/constants"
    30. 

  30. 	"github.com/external-secrets/external-secrets/pkg/metrics"
    31. 

  31. 	vaultiamauth "github.com/external-secrets/external-secrets/pkg/provider/vault/iamauth"
    32. 

  32. 	"github.com/external-secrets/external-secrets/pkg/provider/vault/util"
    33. 

  33. )
    34. 

  34. 

  35. const (
    36. 

  36. 	errAuthFormat            = "cannot initialize Vault client: no valid auth method specified"
    37. 

  37. 	errVaultToken            = "cannot parse Vault authentication token: %w"
    38. 

  38. 	errGetKubeSATokenRequest = "cannot request Kubernetes service account token for service account %q: %w"
    39. 

  39. 	errVaultRevokeToken      = "error while revoking token: %w"
    40. 

  40. )
    41. 

  41. 

  42. // setAuth gets a new token using the configured mechanism.
    43. 

  43. // If there's already a valid token, does nothing.
    44. 

  44. func (c *client) setAuth(ctx context.Context, cfg *vault.Config) error {
    45. 

  45. 	// Switch to auth namespace if different from the provider namespace
    46. 

  46. 	restoreNamespace := c.useAuthNamespace(ctx)
    47. 

  47. 	defer restoreNamespace()
    48. 

  48. 

  49. 	tokenExists := false
    50. 

  50. 	var err error
    51. 

  51. 	if c.client.Token() != "" {
    52. 

  52. 		tokenExists, err = checkToken(ctx, c.token)
    53. 

  53. 	}
    54. 

  54. 	if tokenExists {
    55. 

  55. 		c.log.V(1).Info("Re-using existing token")
    56. 

  56. 		return err
    57. 

  57. 	}
    58. 

  58. 

  59. 	tokenExists, err = setSecretKeyToken(ctx, c)
    60. 

  60. 	if tokenExists {
    61. 

  61. 		c.log.V(1).Info("Set token from secret")
    62. 

  62. 		return err
    63. 

  63. 	}
    64. 

  64. 

  65. 	tokenExists, err = setAppRoleToken(ctx, c)
    66. 

  66. 	if tokenExists {
    67. 

  67. 		c.log.V(1).Info("Retrieved new token using AppRole auth")
    68. 

  68. 		return err
    69. 

  69. 	}
    70. 

  70. 

  71. 	tokenExists, err = setKubernetesAuthToken(ctx, c)
    72. 

  72. 	if tokenExists {
    73. 

  73. 		c.log.V(1).Info("Retrieved new token using Kubernetes auth")
    74. 

  74. 		return err
    75. 

  75. 	}
    76. 

  76. 

  77. 	tokenExists, err = setLdapAuthToken(ctx, c)
    78. 

  78. 	if tokenExists {
    79. 

  79. 		c.log.V(1).Info("Retrieved new token using LDAP auth")
    80. 

  80. 		return err
    81. 

  81. 	}
    82. 

  82. 

  83. 	tokenExists, err = setUserPassAuthToken(ctx, c)
    84. 

  84. 	if tokenExists {
    85. 

  85. 		c.log.V(1).Info("Retrieved new token using userPass auth")
    86. 

  86. 		return err
    87. 

  87. 	}
    88. 

  88. 	tokenExists, err = setJwtAuthToken(ctx, c)
    89. 

  89. 	if tokenExists {
    90. 

  90. 		c.log.V(1).Info("Retrieved new token using JWT auth")
    91. 

  91. 		return err
    92. 

  92. 	}
    93. 

  93. 

  94. 	tokenExists, err = setCertAuthToken(ctx, c, cfg)
    95. 

  95. 	if tokenExists {
    96. 

  96. 		c.log.V(1).Info("Retrieved new token using certificate auth")
    97. 

  97. 		return err
    98. 

  98. 	}
    99. 

  99. 

  100. 	tokenExists, err = setIamAuthToken(ctx, c, vaultiamauth.DefaultJWTProvider, vaultiamauth.DefaultSTSProvider)
    101. 

  101. 	if tokenExists {
    102. 

  102. 		c.log.V(1).Info("Retrieved new token using IAM auth")
    103. 

  103. 		return err
    104. 

  104. 	}
    105. 

  105. 

  106. 	return errors.New(errAuthFormat)
    107. 

  107. }
    108. 

  108. 

  109. func createServiceAccountToken(
    110. 

  110. 	ctx context.Context,
    111. 

  111. 	corev1Client typedcorev1.CoreV1Interface,
    112. 

  112. 	storeKind string,
    113. 

  113. 	namespace string,
    114. 

  114. 	serviceAccountRef esmeta.ServiceAccountSelector,
    115. 

  115. 	additionalAud []string,
    116. 

  116. 	expirationSeconds int64) (string, error) {
    117. 

  117. 	audiences := serviceAccountRef.Audiences
    118. 

  118. 	if len(additionalAud) > 0 {
    119. 

  119. 		audiences = append(audiences, additionalAud...)
    120. 

  120. 	}
    121. 

  121. 	tokenRequest := &authv1.TokenRequest{
    122. 

  122. 		ObjectMeta: metav1.ObjectMeta{
    123. 

  123. 			Namespace: namespace,
    124. 

  124. 		},
    125. 

  125. 		Spec: authv1.TokenRequestSpec{
    126. 

  126. 			Audiences:         audiences,
    127. 

  127. 			ExpirationSeconds: &expirationSeconds,
    128. 

  128. 		},
    129. 

  129. 	}
    130. 

  130. 	if (storeKind == esv1beta1.ClusterSecretStoreKind) &&
    131. 

  131. 		(serviceAccountRef.Namespace != nil) {
    132. 

  132. 		tokenRequest.Namespace = *serviceAccountRef.Namespace
    133. 

  133. 	}
    134. 

  134. 	tokenResponse, err := corev1Client.ServiceAccounts(tokenRequest.Namespace).
    135. 

  135. 		CreateToken(ctx, serviceAccountRef.Name, tokenRequest, metav1.CreateOptions{})
    136. 

  136. 	if err != nil {
    137. 

  137. 		return "", fmt.Errorf(errGetKubeSATokenRequest, serviceAccountRef.Name, err)
    138. 

  138. 	}
    139. 

  139. 	return tokenResponse.Status.Token, nil
    140. 

  140. }
    141. 

  141. 

  142. // checkToken does a lookup and checks if the provided token exists.
    143. 

  143. func checkToken(ctx context.Context, token util.Token) (bool, error) {
    144. 

  144. 	// https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self
    145. 

  145. 	resp, err := token.LookupSelfWithContext(ctx)
    146. 

  146. 	metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultLookupSelf, err)
    147. 

  147. 	if err != nil {
    148. 

  148. 		return false, err
    149. 

  149. 	}
    150. 

  150. 	t, ok := resp.Data["type"]
    151. 

  151. 	if !ok {
    152. 

  152. 		return false, fmt.Errorf("could not assert token type")
    153. 

  153. 	}
    154. 

  154. 	tokenType := t.(string)
    155. 

  155. 	if tokenType == "batch" {
    156. 

  156. 		return false, nil
    157. 

  157. 	}
    158. 

  158. 	return true, nil
    159. 

  159. }
    160. 

  160. 

  161. func revokeTokenIfValid(ctx context.Context, client util.Client) error {
    162. 

  162. 	valid, err := checkToken(ctx, client.AuthToken())
    163. 

  163. 	if err != nil {
    164. 

  164. 		return fmt.Errorf(errVaultRevokeToken, err)
    165. 

  165. 	}
    166. 

  166. 	if valid {
    167. 

  167. 		err = client.AuthToken().RevokeSelfWithContext(ctx, client.Token())
    168. 

  168. 		metrics.ObserveAPICall(constants.ProviderHCVault, constants.CallHCVaultRevokeSelf, err)
    169. 

  169. 		if err != nil {
    170. 

  170. 			return fmt.Errorf(errVaultRevokeToken, err)
    171. 

  171. 		}
    172. 

  172. 		client.ClearToken()
    173. 

  173. 	}
    174. 

  174. 	return nil
    175. 

  175. }
    176. 

  176. 

  177. func (c *client) useAuthNamespace(_ context.Context) func() {
    178. 

  178. 	ns := ""
    179. 

  179. 	if c.store.Namespace != nil {
    180. 

  180. 		ns = *c.store.Namespace
    181. 

  181. 	}
    182. 

  182. 

  183. 	if c.store.Auth.Namespace != nil {
    184. 

  184. 		// Different Auth Vault Namespace than Secret Vault Namespace
    185. 

  185. 		// Switch namespaces then switch back at the end
    186. 

  186. 		if c.store.Auth.Namespace != nil && *c.store.Auth.Namespace != ns {
    187. 

  187. 			c.log.V(1).Info("Using namespace=%s for the vault login", *c.store.Auth.Namespace)
    188. 

  188. 			c.client.SetNamespace(*c.store.Auth.Namespace)
    189. 

  189. 			// use this as a defer to reset the namespace
    190. 

  190. 			return func() {
    191. 

  191. 				c.log.V(1).Info("Restoring client namespace to namespace=%s", ns)
    192. 

  192. 				c.client.SetNamespace(ns)
    193. 

  193. 			}
    194. 

  194. 		}
    195. 

  195. 	}
    196. 

  196. 

  197. 	// no-op
    198. 

  198. 	return func() {}
    199. 

  199. }
    200.