Domů Procházet Nápověda
Přihlásit se
logic855
/
helm-external-secrets
zrcadlo https://github.com/external-secrets/external-secrets
1
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: 7b40930aba
Větve Značky
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 14 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/x509"
    20. 

  20. 	"encoding/json"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"net/http"
    25. 

  25. 	"os"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	"github.com/go-logr/logr"
    29. 

  29. 	vault "github.com/hashicorp/vault/api"
    30. 

  30. 	corev1 "k8s.io/api/core/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	ctrl "sigs.k8s.io/controller-runtime"
    33. 

  33. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	_ provider.Provider      = &connector{}
    43. 

  43. 	_ provider.SecretsClient = &client{}
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    48. 

  48. 

  49. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    50. 

  50. 	errVaultClient    = "cannot setup new vault client: %w"
    51. 

  51. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    52. 

  52. 	errReadSecret     = "cannot read secret data from Vault: %w"
    53. 

  53. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    54. 

  54. 	errVaultData      = "cannot parse Vault response data: %w"
    55. 

  55. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    56. 

  56. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    57. 

  57. 	errVaultRequest   = "error from Vault request: %w"
    58. 

  58. 	errVaultResponse  = "cannot parse Vault response: %w"
    59. 

  59. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    60. 

  60. 

  61. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    62. 

  62. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    63. 

  63. 

  64. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    65. 

  65. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    66. 

  66. )
    67. 

  67. 

  68. type Client interface {
    69. 

  69. 	NewRequest(method, requestPath string) *vault.Request
    70. 

  70. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    71. 

  71. 	SetToken(v string)
    72. 

  72. 	SetNamespace(namespace string)
    73. 

  73. }
    74. 

  74. 

  75. type client struct {
    76. 

  76. 	kube      kclient.Client
    77. 

  77. 	store     *esv1alpha1.VaultProvider
    78. 

  78. 	log       logr.Logger
    79. 

  79. 	client    Client
    80. 

  80. 	namespace string
    81. 

  81. 	storeKind string
    82. 

  82. }
    83. 

  83. 

  84. func init() {
    85. 

  85. 	schema.Register(&connector{
    86. 

  86. 		newVaultClient: newVaultClient,
    87. 

  87. 	}, &esv1alpha1.SecretStoreProvider{
    88. 

  88. 		Vault: &esv1alpha1.VaultProvider{},
    89. 

  89. 	})
    90. 

  90. }
    91. 

  91. 

  92. func newVaultClient(c *vault.Config) (Client, error) {
    93. 

  93. 	return vault.NewClient(c)
    94. 

  94. }
    95. 

  95. 

  96. type connector struct {
    97. 

  97. 	newVaultClient func(c *vault.Config) (Client, error)
    98. 

  98. }
    99. 

  99. 

  100. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    101. 

  101. 	storeSpec := store.GetSpec()
    102. 

  102. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    103. 

  103. 		return nil, errors.New(errVaultStore)
    104. 

  104. 	}
    105. 

  105. 	vaultSpec := storeSpec.Provider.Vault
    106. 

  106. 

  107. 	vStore := &client{
    108. 

  108. 		kube:      kube,
    109. 

  109. 		store:     vaultSpec,
    110. 

  110. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    111. 

  111. 		namespace: namespace,
    112. 

  112. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    113. 

  113. 	}
    114. 

  114. 

  115. 	cfg, err := vStore.newConfig()
    116. 

  116. 	if err != nil {
    117. 

  117. 		return nil, err
    118. 

  118. 	}
    119. 

  119. 

  120. 	client, err := c.newVaultClient(cfg)
    121. 

  121. 	if err != nil {
    122. 

  122. 		return nil, fmt.Errorf(errVaultClient, err)
    123. 

  123. 	}
    124. 

  124. 

  125. 	if vaultSpec.Namespace != nil {
    126. 

  126. 		client.SetNamespace(*vaultSpec.Namespace)
    127. 

  127. 	}
    128. 

  128. 

  129. 	if err := vStore.setAuth(ctx, client); err != nil {
    130. 

  130. 		return nil, err
    131. 

  131. 	}
    132. 

  132. 

  133. 	vStore.client = client
    134. 

  134. 	return vStore, nil
    135. 

  135. }
    136. 

  136. 

  137. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    138. 

  138. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    139. 

  139. 	if err != nil {
    140. 

  140. 		return nil, err
    141. 

  141. 	}
    142. 

  142. 	value, exists := data[ref.Property]
    143. 

  143. 	if !exists {
    144. 

  144. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    145. 

  145. 	}
    146. 

  146. 	return value, nil
    147. 

  147. }
    148. 

  148. 

  149. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    150. 

  150. 	return v.readSecret(ctx, ref.Key, ref.Version)
    151. 

  151. }
    152. 

  152. 

  153. func (v *client) Close() error {
    154. 

  154. 	return nil
    155. 

  155. }
    156. 

  156. 

  157. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    158. 

  158. 	kvPath := v.store.Path
    159. 

  159. 

  160. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    161. 

  161. 		if !strings.HasSuffix(kvPath, "/data") {
    162. 

  162. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    163. 

  163. 		}
    164. 

  164. 	}
    165. 

  165. 

  166. 	// path formated according to vault docs for v1 and v2 API
    167. 

  167. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    168. 

  168. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    169. 

  169. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    170. 

  170. 	if version != "" {
    171. 

  171. 		req.Params.Set("version", version)
    172. 

  172. 	}
    173. 

  173. 

  174. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    175. 

  175. 	if err != nil {
    176. 

  176. 		return nil, fmt.Errorf(errReadSecret, err)
    177. 

  177. 	}
    178. 

  178. 

  179. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    180. 

  180. 	if err != nil {
    181. 

  181. 		return nil, err
    182. 

  182. 	}
    183. 

  183. 

  184. 	secretData := vaultSecret.Data
    185. 

  185. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    186. 

  186. 

  187. 		// Vault KV2 has data embedded within sub-field
    188. 

  188. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    189. 

  189. 		dataInt, ok := vaultSecret.Data["data"]
    190. 

  190. 

  191. 		if !ok {
    192. 

  192. 			return nil, errors.New(fmt.Sprintf("failed to find data field: %v", vaultSecret.Data))
    193. 

  193. 		}
    194. 

  194. 		secretData, ok = dataInt.(map[string]interface{})
    195. 

  195. 		if !ok {
    196. 

  196. 			return nil, errors.New(fmt.Sprintf("failed to unmarshall JSON: %v", dataInt))
    197. 

  197. 		}
    198. 

  198. 	}
    199. 

  199. 

  200. 	byteMap := make(map[string][]byte, len(secretData))
    201. 

  201. 	for k, v := range secretData {
    202. 

  202. 		switch t := v.(type) {
    203. 

  203. 		case string:
    204. 

  204. 			byteMap[k] = []byte(t)
    205. 

  205. 		case []byte:
    206. 

  206. 			byteMap[k] = t
    207. 

  207. 		case map[string]interface{}:
    208. 

  208. 			jsonString, err := json.Marshal(t)
    209. 

  209. 			byteMap[k] = jsonString
    210. 

  210. 			if err != nil {
    211. 

  211. 				return nil, err
    212. 

  212. 			}
    213. 

  213. 

  214. 		default:
    215. 

  215. 			return nil, errors.New(fmt.Sprintf("Secret data not in expected format: %v", secretData))
    216. 

  216. 		}
    217. 

  217. 	}
    218. 

  218. 

  219. 	return byteMap, nil
    220. 

  220. }
    221. 

  221. 

  222. func (v *client) newConfig() (*vault.Config, error) {
    223. 

  223. 	cfg := vault.DefaultConfig()
    224. 

  224. 	cfg.Address = v.store.Server
    225. 

  225. 

  226. 	if len(v.store.CABundle) == 0 {
    227. 

  227. 		return cfg, nil
    228. 

  228. 	}
    229. 

  229. 

  230. 	caCertPool := x509.NewCertPool()
    231. 

  231. 	ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    232. 

  232. 	if !ok {
    233. 

  233. 		return nil, errors.New(errVaultCert)
    234. 

  234. 	}
    235. 

  235. 

  236. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    237. 

  237. 		transport.TLSClientConfig.RootCAs = caCertPool
    238. 

  238. 	}
    239. 

  239. 

  240. 	return cfg, nil
    241. 

  241. }
    242. 

  242. 

  243. func (v *client) setAuth(ctx context.Context, client Client) error {
    244. 

  244. 	tokenRef := v.store.Auth.TokenSecretRef
    245. 

  245. 	if tokenRef != nil {
    246. 

  246. 		token, err := v.secretKeyRef(ctx, tokenRef)
    247. 

  247. 		if err != nil {
    248. 

  248. 			return err
    249. 

  249. 		}
    250. 

  250. 		client.SetToken(token)
    251. 

  251. 		return nil
    252. 

  252. 	}
    253. 

  253. 

  254. 	appRole := v.store.Auth.AppRole
    255. 

  255. 	if appRole != nil {
    256. 

  256. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    257. 

  257. 		if err != nil {
    258. 

  258. 			return err
    259. 

  259. 		}
    260. 

  260. 		client.SetToken(token)
    261. 

  261. 		return nil
    262. 

  262. 	}
    263. 

  263. 

  264. 	kubernetesAuth := v.store.Auth.Kubernetes
    265. 

  265. 	if kubernetesAuth != nil {
    266. 

  266. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    267. 

  267. 		if err != nil {
    268. 

  268. 			return err
    269. 

  269. 		}
    270. 

  270. 		client.SetToken(token)
    271. 

  271. 		return nil
    272. 

  272. 	}
    273. 

  273. 

  274. 	ldapAuth := v.store.Auth.Ldap
    275. 

  275. 	if ldapAuth != nil {
    276. 

  276. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    277. 

  277. 		if err != nil {
    278. 

  278. 			return err
    279. 

  279. 		}
    280. 

  280. 		client.SetToken(token)
    281. 

  281. 		return nil
    282. 

  282. 	}
    283. 

  283. 

  284. 	jwtAuth := v.store.Auth.Jwt
    285. 

  285. 	if jwtAuth != nil {
    286. 

  286. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    287. 

  287. 		if err != nil {
    288. 

  288. 			return err
    289. 

  289. 		}
    290. 

  290. 		client.SetToken(token)
    291. 

  291. 		return nil
    292. 

  292. 	}
    293. 

  293. 

  294. 	return errors.New(errAuthFormat)
    295. 

  295. }
    296. 

  296. 

  297. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    298. 

  298. 	serviceAccount := &corev1.ServiceAccount{}
    299. 

  299. 	ref := types.NamespacedName{
    300. 

  300. 		Namespace: v.namespace,
    301. 

  301. 		Name:      serviceAccountRef.Name,
    302. 

  302. 	}
    303. 

  303. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    304. 

  304. 		(serviceAccountRef.Namespace != nil) {
    305. 

  305. 		ref.Namespace = *serviceAccountRef.Namespace
    306. 

  306. 	}
    307. 

  307. 	err := v.kube.Get(ctx, ref, serviceAccount)
    308. 

  308. 	if err != nil {
    309. 

  309. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    310. 

  310. 	}
    311. 

  311. 	if len(serviceAccount.Secrets) == 0 {
    312. 

  312. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    313. 

  313. 	}
    314. 

  314. 	tokenRef := serviceAccount.Secrets[0]
    315. 

  315. 

  316. 	return v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    317. 

  317. 		Name:      tokenRef.Name,
    318. 

  318. 		Namespace: &ref.Namespace,
    319. 

  319. 		Key:       "token",
    320. 

  320. 	})
    321. 

  321. }
    322. 

  322. 

  323. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    324. 

  324. 	secret := &corev1.Secret{}
    325. 

  325. 	ref := types.NamespacedName{
    326. 

  326. 		Namespace: v.namespace,
    327. 

  327. 		Name:      secretRef.Name,
    328. 

  328. 	}
    329. 

  329. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    330. 

  330. 		(secretRef.Namespace != nil) {
    331. 

  331. 		ref.Namespace = *secretRef.Namespace
    332. 

  332. 	}
    333. 

  333. 	err := v.kube.Get(ctx, ref, secret)
    334. 

  334. 	if err != nil {
    335. 

  335. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    336. 

  336. 	}
    337. 

  337. 

  338. 	keyBytes, ok := secret.Data[secretRef.Key]
    339. 

  339. 	if !ok {
    340. 

  340. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    341. 

  341. 	}
    342. 

  342. 

  343. 	value := string(keyBytes)
    344. 

  344. 	valueStr := strings.TrimSpace(value)
    345. 

  345. 	return valueStr, nil
    346. 

  346. }
    347. 

  347. 

  348. // appRoleParameters creates the required body for Vault AppRole Auth.
    349. 

  349. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    350. 

  350. func appRoleParameters(role, secret string) map[string]string {
    351. 

  351. 	return map[string]string{
    352. 

  352. 		"role_id":   role,
    353. 

  353. 		"secret_id": secret,
    354. 

  354. 	}
    355. 

  355. }
    356. 

  356. 

  357. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    358. 

  358. 	roleID := strings.TrimSpace(appRole.RoleID)
    359. 

  359. 

  360. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    361. 

  361. 	if err != nil {
    362. 

  362. 		return "", err
    363. 

  363. 	}
    364. 

  364. 

  365. 	parameters := appRoleParameters(roleID, secretID)
    366. 

  366. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    367. 

  367. 	request := client.NewRequest("POST", url)
    368. 

  368. 

  369. 	err = request.SetJSONBody(parameters)
    370. 

  370. 	if err != nil {
    371. 

  371. 		return "", fmt.Errorf(errVaultReqParams, err)
    372. 

  372. 	}
    373. 

  373. 

  374. 	resp, err := client.RawRequestWithContext(ctx, request)
    375. 

  375. 	if err != nil {
    376. 

  376. 		return "", fmt.Errorf(errVaultRequest, err)
    377. 

  377. 	}
    378. 

  378. 

  379. 	defer resp.Body.Close()
    380. 

  380. 

  381. 	vaultResult := vault.Secret{}
    382. 

  382. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    383. 

  383. 		return "", fmt.Errorf(errVaultResponse, err)
    384. 

  384. 	}
    385. 

  385. 

  386. 	token, err := vaultResult.TokenID()
    387. 

  387. 	if err != nil {
    388. 

  388. 		return "", fmt.Errorf(errVaultToken, err)
    389. 

  389. 	}
    390. 

  390. 

  391. 	return token, nil
    392. 

  392. }
    393. 

  393. 

  394. // kubeParameters creates the required body for Vault Kubernetes auth.
    395. 

  395. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    396. 

  396. func kubeParameters(role, jwt string) map[string]string {
    397. 

  397. 	return map[string]string{
    398. 

  398. 		"role": role,
    399. 

  399. 		"jwt":  jwt,
    400. 

  400. 	}
    401. 

  401. }
    402. 

  402. 

  403. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    404. 

  404. 	jwtString := ""
    405. 

  405. 	if kubernetesAuth.ServiceAccountRef != nil {
    406. 

  406. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    407. 

  407. 		if err != nil {
    408. 

  408. 			return "", err
    409. 

  409. 		}
    410. 

  410. 		jwtString = jwt
    411. 

  411. 	} else if kubernetesAuth.SecretRef != nil {
    412. 

  412. 		tokenRef := kubernetesAuth.SecretRef
    413. 

  413. 		if tokenRef.Key == "" {
    414. 

  414. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    415. 

  415. 			tokenRef.Key = "token"
    416. 

  416. 		}
    417. 

  417. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    418. 

  418. 		if err != nil {
    419. 

  419. 			return "", err
    420. 

  420. 		}
    421. 

  421. 		jwtString = jwt
    422. 

  422. 	} else {
    423. 

  423. 		// Kubernetes authentication is specified, but without a referenced
    424. 

  424. 		// Kubernetes secret. We check if the file path for in-cluster service account
    425. 

  425. 		// exists and attempt to use the token for Vault Kubernetes auth.
    426. 

  426. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    427. 

  427. 			return "", fmt.Errorf(errServiceAccount, err)
    428. 

  428. 		}
    429. 

  429. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    430. 

  430. 		if err != nil {
    431. 

  431. 			return "", fmt.Errorf(errServiceAccount, err)
    432. 

  432. 		}
    433. 

  433. 		jwtString = string(jwtByte)
    434. 

  434. 	}
    435. 

  435. 

  436. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    437. 

  437. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    438. 

  438. 	request := client.NewRequest("POST", url)
    439. 

  439. 

  440. 	err := request.SetJSONBody(parameters)
    441. 

  441. 	if err != nil {
    442. 

  442. 		return "", fmt.Errorf(errVaultReqParams, err)
    443. 

  443. 	}
    444. 

  444. 

  445. 	resp, err := client.RawRequestWithContext(ctx, request)
    446. 

  446. 	if err != nil {
    447. 

  447. 		return "", fmt.Errorf(errVaultRequest, err)
    448. 

  448. 	}
    449. 

  449. 

  450. 	defer resp.Body.Close()
    451. 

  451. 	vaultResult := vault.Secret{}
    452. 

  452. 	err = resp.DecodeJSON(&vaultResult)
    453. 

  453. 	if err != nil {
    454. 

  454. 		return "", fmt.Errorf(errVaultResponse, err)
    455. 

  455. 	}
    456. 

  456. 

  457. 	token, err := vaultResult.TokenID()
    458. 

  458. 	if err != nil {
    459. 

  459. 		return "", fmt.Errorf(errVaultToken, err)
    460. 

  460. 	}
    461. 

  461. 

  462. 	return token, nil
    463. 

  463. }
    464. 

  464. 

  465. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    466. 

  466. 	username := strings.TrimSpace(ldapAuth.Username)
    467. 

  467. 

  468. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    469. 

  469. 	if err != nil {
    470. 

  470. 		return "", err
    471. 

  471. 	}
    472. 

  472. 

  473. 	parameters := map[string]string{
    474. 

  474. 		"password": password,
    475. 

  475. 	}
    476. 

  476. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    477. 

  477. 	request := client.NewRequest("POST", url)
    478. 

  478. 

  479. 	err = request.SetJSONBody(parameters)
    480. 

  480. 	if err != nil {
    481. 

  481. 		return "", fmt.Errorf(errVaultReqParams, err)
    482. 

  482. 	}
    483. 

  483. 

  484. 	resp, err := client.RawRequestWithContext(ctx, request)
    485. 

  485. 	if err != nil {
    486. 

  486. 		return "", fmt.Errorf(errVaultRequest, err)
    487. 

  487. 	}
    488. 

  488. 

  489. 	defer resp.Body.Close()
    490. 

  490. 

  491. 	vaultResult := vault.Secret{}
    492. 

  492. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    493. 

  493. 		return "", fmt.Errorf(errVaultResponse, err)
    494. 

  494. 	}
    495. 

  495. 

  496. 	token, err := vaultResult.TokenID()
    497. 

  497. 	if err != nil {
    498. 

  498. 		return "", fmt.Errorf(errVaultToken, err)
    499. 

  499. 	}
    500. 

  500. 

  501. 	return token, nil
    502. 

  502. }
    503. 

  503. 

  504. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    505. 

  505. 	role := strings.TrimSpace(jwtAuth.Role)
    506. 

  506. 

  507. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    508. 

  508. 	if err != nil {
    509. 

  509. 		return "", err
    510. 

  510. 	}
    511. 

  511. 

  512. 	parameters := map[string]string{
    513. 

  513. 		"role": role,
    514. 

  514. 		"jwt":  jwt,
    515. 

  515. 	}
    516. 

  516. 	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
    517. 

  517. 	request := client.NewRequest("POST", url)
    518. 

  518. 

  519. 	err = request.SetJSONBody(parameters)
    520. 

  520. 	if err != nil {
    521. 

  521. 		return "", fmt.Errorf(errVaultReqParams, err)
    522. 

  522. 	}
    523. 

  523. 

  524. 	resp, err := client.RawRequestWithContext(ctx, request)
    525. 

  525. 	if err != nil {
    526. 

  526. 		return "", fmt.Errorf(errVaultRequest, err)
    527. 

  527. 	}
    528. 

  528. 

  529. 	defer resp.Body.Close()
    530. 

  530. 

  531. 	vaultResult := vault.Secret{}
    532. 

  532. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    533. 

  533. 		return "", fmt.Errorf(errVaultResponse, err)
    534. 

  534. 	}
    535. 

  535. 

  536. 	token, err := vaultResult.TokenID()
    537. 

  537. 	if err != nil {
    538. 

  538. 		return "", fmt.Errorf(errVaultToken, err)
    539. 

  539. 	}
    540. 

  540. 

  541. 	return token, nil
    542. 

  542. }
    543.