Strona główna Odkrywaj Pomoc
Zaloguj się
logic855
/
helm-external-secrets
kopia lustrzana https://github.com/external-secrets/external-secrets
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: 7be8db468e
Gałęzie Tagi
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 15 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/x509"
    20. 

  20. 	"encoding/json"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"net/http"
    25. 

  25. 	"os"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	"github.com/go-logr/logr"
    29. 

  29. 	vault "github.com/hashicorp/vault/api"
    30. 

  30. 	corev1 "k8s.io/api/core/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	ctrl "sigs.k8s.io/controller-runtime"
    33. 

  33. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	_ provider.Provider      = &connector{}
    43. 

  43. 	_ provider.SecretsClient = &client{}
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    48. 

  48. 

  49. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    50. 

  50. 	errVaultClient    = "cannot setup new vault client: %w"
    51. 

  51. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    52. 

  52. 	errReadSecret     = "cannot read secret data from Vault: %w"
    53. 

  53. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    54. 

  54. 	errVaultData      = "cannot parse Vault response data: %w"
    55. 

  55. 	errDataField      = "failed to find data field: %v"
    56. 

  56. 	errJSONUnmarshall = "failed to unmarshall JSON: %v"
    57. 

  57. 	errSecretFormat   = "Secret data not in expected format: %v"
    58. 

  58. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    59. 

  59. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    60. 

  60. 	errVaultRequest   = "error from Vault request: %w"
    61. 

  61. 	errVaultResponse  = "cannot parse Vault response: %w"
    62. 

  62. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    63. 

  63. 

  64. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    65. 

  65. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    66. 

  66. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    67. 

  67. 

  68. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    69. 

  69. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    70. 

  70. )
    71. 

  71. 

  72. type Client interface {
    73. 

  73. 	NewRequest(method, requestPath string) *vault.Request
    74. 

  74. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    75. 

  75. 	SetToken(v string)
    76. 

  76. 	SetNamespace(namespace string)
    77. 

  77. }
    78. 

  78. 

  79. type client struct {
    80. 

  80. 	kube      kclient.Client
    81. 

  81. 	store     *esv1alpha1.VaultProvider
    82. 

  82. 	log       logr.Logger
    83. 

  83. 	client    Client
    84. 

  84. 	namespace string
    85. 

  85. 	storeKind string
    86. 

  86. }
    87. 

  87. 

  88. func init() {
    89. 

  89. 	schema.Register(&connector{
    90. 

  90. 		newVaultClient: newVaultClient,
    91. 

  91. 	}, &esv1alpha1.SecretStoreProvider{
    92. 

  92. 		Vault: &esv1alpha1.VaultProvider{},
    93. 

  93. 	})
    94. 

  94. }
    95. 

  95. 

  96. func newVaultClient(c *vault.Config) (Client, error) {
    97. 

  97. 	return vault.NewClient(c)
    98. 

  98. }
    99. 

  99. 

  100. type connector struct {
    101. 

  101. 	newVaultClient func(c *vault.Config) (Client, error)
    102. 

  102. }
    103. 

  103. 

  104. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    105. 

  105. 	storeSpec := store.GetSpec()
    106. 

  106. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    107. 

  107. 		return nil, errors.New(errVaultStore)
    108. 

  108. 	}
    109. 

  109. 	vaultSpec := storeSpec.Provider.Vault
    110. 

  110. 

  111. 	vStore := &client{
    112. 

  112. 		kube:      kube,
    113. 

  113. 		store:     vaultSpec,
    114. 

  114. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    115. 

  115. 		namespace: namespace,
    116. 

  116. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    117. 

  117. 	}
    118. 

  118. 

  119. 	cfg, err := vStore.newConfig()
    120. 

  120. 	if err != nil {
    121. 

  121. 		return nil, err
    122. 

  122. 	}
    123. 

  123. 

  124. 	client, err := c.newVaultClient(cfg)
    125. 

  125. 	if err != nil {
    126. 

  126. 		return nil, fmt.Errorf(errVaultClient, err)
    127. 

  127. 	}
    128. 

  128. 

  129. 	if vaultSpec.Namespace != nil {
    130. 

  130. 		client.SetNamespace(*vaultSpec.Namespace)
    131. 

  131. 	}
    132. 

  132. 

  133. 	if err := vStore.setAuth(ctx, client); err != nil {
    134. 

  134. 		return nil, err
    135. 

  135. 	}
    136. 

  136. 

  137. 	vStore.client = client
    138. 

  138. 	return vStore, nil
    139. 

  139. }
    140. 

  140. 

  141. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    142. 

  142. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    143. 

  143. 	if err != nil {
    144. 

  144. 		return nil, err
    145. 

  145. 	}
    146. 

  146. 	value, exists := data[ref.Property]
    147. 

  147. 	if !exists {
    148. 

  148. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    149. 

  149. 	}
    150. 

  150. 	return value, nil
    151. 

  151. }
    152. 

  152. 

  153. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    154. 

  154. 	return v.readSecret(ctx, ref.Key, ref.Version)
    155. 

  155. }
    156. 

  156. 

  157. func (v *client) Close() error {
    158. 

  158. 	return nil
    159. 

  159. }
    160. 

  160. 

  161. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    162. 

  162. 	kvPath := v.store.Path
    163. 

  163. 

  164. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    165. 

  165. 		if !strings.HasSuffix(kvPath, "/data") {
    166. 

  166. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    167. 

  167. 		}
    168. 

  168. 	}
    169. 

  169. 

  170. 	// path formated according to vault docs for v1 and v2 API
    171. 

  171. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    172. 

  172. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    173. 

  173. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    174. 

  174. 	if version != "" {
    175. 

  175. 		req.Params.Set("version", version)
    176. 

  176. 	}
    177. 

  177. 

  178. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    179. 

  179. 	if err != nil {
    180. 

  180. 		return nil, fmt.Errorf(errReadSecret, err)
    181. 

  181. 	}
    182. 

  182. 

  183. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    184. 

  184. 	if err != nil {
    185. 

  185. 		return nil, err
    186. 

  186. 	}
    187. 

  187. 

  188. 	secretData := vaultSecret.Data
    189. 

  189. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    190. 

  190. 

  191. 		// Vault KV2 has data embedded within sub-field
    192. 

  192. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    193. 

  193. 		dataInt, ok := vaultSecret.Data["data"]
    194. 

  194. 

  195. 		if !ok {
    196. 

  196. 			return nil, errors.New(fmt.Sprintf(errDataField, vaultSecret.Data))
    197. 

  197. 		}
    198. 

  198. 		secretData, ok = dataInt.(map[string]interface{})
    199. 

  199. 		if !ok {
    200. 

  200. 			return nil, errors.New(fmt.Sprintf(errJSONUnmarshall, dataInt))
    201. 

  201. 		}
    202. 

  202. 	}
    203. 

  203. 

  204. 	byteMap := make(map[string][]byte, len(secretData))
    205. 

  205. 	for k, v := range secretData {
    206. 

  206. 		switch t := v.(type) {
    207. 

  207. 		case string:
    208. 

  208. 			byteMap[k] = []byte(t)
    209. 

  209. 		case []byte:
    210. 

  210. 			byteMap[k] = t
    211. 

  211. 		case map[string]interface{}:
    212. 

  212. 			jsonString, err := json.Marshal(t)
    213. 

  213. 			byteMap[k] = jsonString
    214. 

  214. 			if err != nil {
    215. 

  215. 				return nil, err
    216. 

  216. 			}
    217. 

  217. 

  218. 		default:
    219. 

  219. 			return nil, errors.New(fmt.Sprintf(errSecretFormat, secretData))
    220. 

  220. 		}
    221. 

  221. 	}
    222. 

  222. 

  223. 	return byteMap, nil
    224. 

  224. }
    225. 

  225. 

  226. func (v *client) newConfig() (*vault.Config, error) {
    227. 

  227. 	cfg := vault.DefaultConfig()
    228. 

  228. 	cfg.Address = v.store.Server
    229. 

  229. 

  230. 	if len(v.store.CABundle) == 0 {
    231. 

  231. 		return cfg, nil
    232. 

  232. 	}
    233. 

  233. 

  234. 	caCertPool := x509.NewCertPool()
    235. 

  235. 	ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    236. 

  236. 	if !ok {
    237. 

  237. 		return nil, errors.New(errVaultCert)
    238. 

  238. 	}
    239. 

  239. 

  240. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    241. 

  241. 		transport.TLSClientConfig.RootCAs = caCertPool
    242. 

  242. 	}
    243. 

  243. 

  244. 	return cfg, nil
    245. 

  245. }
    246. 

  246. 

  247. func (v *client) setAuth(ctx context.Context, client Client) error {
    248. 

  248. 	tokenRef := v.store.Auth.TokenSecretRef
    249. 

  249. 	if tokenRef != nil {
    250. 

  250. 		token, err := v.secretKeyRef(ctx, tokenRef)
    251. 

  251. 		if err != nil {
    252. 

  252. 			return err
    253. 

  253. 		}
    254. 

  254. 		client.SetToken(token)
    255. 

  255. 		return nil
    256. 

  256. 	}
    257. 

  257. 

  258. 	appRole := v.store.Auth.AppRole
    259. 

  259. 	if appRole != nil {
    260. 

  260. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    261. 

  261. 		if err != nil {
    262. 

  262. 			return err
    263. 

  263. 		}
    264. 

  264. 		client.SetToken(token)
    265. 

  265. 		return nil
    266. 

  266. 	}
    267. 

  267. 

  268. 	kubernetesAuth := v.store.Auth.Kubernetes
    269. 

  269. 	if kubernetesAuth != nil {
    270. 

  270. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    271. 

  271. 		if err != nil {
    272. 

  272. 			return err
    273. 

  273. 		}
    274. 

  274. 		client.SetToken(token)
    275. 

  275. 		return nil
    276. 

  276. 	}
    277. 

  277. 

  278. 	ldapAuth := v.store.Auth.Ldap
    279. 

  279. 	if ldapAuth != nil {
    280. 

  280. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    281. 

  281. 		if err != nil {
    282. 

  282. 			return err
    283. 

  283. 		}
    284. 

  284. 		client.SetToken(token)
    285. 

  285. 		return nil
    286. 

  286. 	}
    287. 

  287. 

  288. 	jwtAuth := v.store.Auth.Jwt
    289. 

  289. 	if jwtAuth != nil {
    290. 

  290. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    291. 

  291. 		if err != nil {
    292. 

  292. 			return err
    293. 

  293. 		}
    294. 

  294. 		client.SetToken(token)
    295. 

  295. 		return nil
    296. 

  296. 	}
    297. 

  297. 

  298. 	return errors.New(errAuthFormat)
    299. 

  299. }
    300. 

  300. 

  301. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    302. 

  302. 	serviceAccount := &corev1.ServiceAccount{}
    303. 

  303. 	ref := types.NamespacedName{
    304. 

  304. 		Namespace: v.namespace,
    305. 

  305. 		Name:      serviceAccountRef.Name,
    306. 

  306. 	}
    307. 

  307. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    308. 

  308. 		(serviceAccountRef.Namespace != nil) {
    309. 

  309. 		ref.Namespace = *serviceAccountRef.Namespace
    310. 

  310. 	}
    311. 

  311. 	err := v.kube.Get(ctx, ref, serviceAccount)
    312. 

  312. 	if err != nil {
    313. 

  313. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    314. 

  314. 	}
    315. 

  315. 	if len(serviceAccount.Secrets) == 0 {
    316. 

  316. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    317. 

  317. 	}
    318. 

  318. 	for _, tokenRef := range serviceAccount.Secrets {
    319. 

  319. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    320. 

  320. 			Name:      tokenRef.Name,
    321. 

  321. 			Namespace: &ref.Namespace,
    322. 

  322. 			Key:       "token",
    323. 

  323. 		})
    324. 

  324. 

  325. 		if err != nil {
    326. 

  326. 			continue
    327. 

  327. 		}
    328. 

  328. 

  329. 		return retval, nil
    330. 

  330. 	}
    331. 

  331. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    332. 

  332. }
    333. 

  333. 

  334. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    335. 

  335. 	secret := &corev1.Secret{}
    336. 

  336. 	ref := types.NamespacedName{
    337. 

  337. 		Namespace: v.namespace,
    338. 

  338. 		Name:      secretRef.Name,
    339. 

  339. 	}
    340. 

  340. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    341. 

  341. 		(secretRef.Namespace != nil) {
    342. 

  342. 		ref.Namespace = *secretRef.Namespace
    343. 

  343. 	}
    344. 

  344. 	err := v.kube.Get(ctx, ref, secret)
    345. 

  345. 	if err != nil {
    346. 

  346. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    347. 

  347. 	}
    348. 

  348. 

  349. 	keyBytes, ok := secret.Data[secretRef.Key]
    350. 

  350. 	if !ok {
    351. 

  351. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    352. 

  352. 	}
    353. 

  353. 

  354. 	value := string(keyBytes)
    355. 

  355. 	valueStr := strings.TrimSpace(value)
    356. 

  356. 	return valueStr, nil
    357. 

  357. }
    358. 

  358. 

  359. // appRoleParameters creates the required body for Vault AppRole Auth.
    360. 

  360. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    361. 

  361. func appRoleParameters(role, secret string) map[string]string {
    362. 

  362. 	return map[string]string{
    363. 

  363. 		"role_id":   role,
    364. 

  364. 		"secret_id": secret,
    365. 

  365. 	}
    366. 

  366. }
    367. 

  367. 

  368. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    369. 

  369. 	roleID := strings.TrimSpace(appRole.RoleID)
    370. 

  370. 

  371. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    372. 

  372. 	if err != nil {
    373. 

  373. 		return "", err
    374. 

  374. 	}
    375. 

  375. 

  376. 	parameters := appRoleParameters(roleID, secretID)
    377. 

  377. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    378. 

  378. 	request := client.NewRequest("POST", url)
    379. 

  379. 

  380. 	err = request.SetJSONBody(parameters)
    381. 

  381. 	if err != nil {
    382. 

  382. 		return "", fmt.Errorf(errVaultReqParams, err)
    383. 

  383. 	}
    384. 

  384. 

  385. 	resp, err := client.RawRequestWithContext(ctx, request)
    386. 

  386. 	if err != nil {
    387. 

  387. 		return "", fmt.Errorf(errVaultRequest, err)
    388. 

  388. 	}
    389. 

  389. 

  390. 	defer resp.Body.Close()
    391. 

  391. 

  392. 	vaultResult := vault.Secret{}
    393. 

  393. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    394. 

  394. 		return "", fmt.Errorf(errVaultResponse, err)
    395. 

  395. 	}
    396. 

  396. 

  397. 	token, err := vaultResult.TokenID()
    398. 

  398. 	if err != nil {
    399. 

  399. 		return "", fmt.Errorf(errVaultToken, err)
    400. 

  400. 	}
    401. 

  401. 

  402. 	return token, nil
    403. 

  403. }
    404. 

  404. 

  405. // kubeParameters creates the required body for Vault Kubernetes auth.
    406. 

  406. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    407. 

  407. func kubeParameters(role, jwt string) map[string]string {
    408. 

  408. 	return map[string]string{
    409. 

  409. 		"role": role,
    410. 

  410. 		"jwt":  jwt,
    411. 

  411. 	}
    412. 

  412. }
    413. 

  413. 

  414. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    415. 

  415. 	jwtString := ""
    416. 

  416. 	if kubernetesAuth.ServiceAccountRef != nil {
    417. 

  417. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    418. 

  418. 		if err != nil {
    419. 

  419. 			return "", err
    420. 

  420. 		}
    421. 

  421. 		jwtString = jwt
    422. 

  422. 	} else if kubernetesAuth.SecretRef != nil {
    423. 

  423. 		tokenRef := kubernetesAuth.SecretRef
    424. 

  424. 		if tokenRef.Key == "" {
    425. 

  425. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    426. 

  426. 			tokenRef.Key = "token"
    427. 

  427. 		}
    428. 

  428. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    429. 

  429. 		if err != nil {
    430. 

  430. 			return "", err
    431. 

  431. 		}
    432. 

  432. 		jwtString = jwt
    433. 

  433. 	} else {
    434. 

  434. 		// Kubernetes authentication is specified, but without a referenced
    435. 

  435. 		// Kubernetes secret. We check if the file path for in-cluster service account
    436. 

  436. 		// exists and attempt to use the token for Vault Kubernetes auth.
    437. 

  437. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    438. 

  438. 			return "", fmt.Errorf(errServiceAccount, err)
    439. 

  439. 		}
    440. 

  440. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    441. 

  441. 		if err != nil {
    442. 

  442. 			return "", fmt.Errorf(errServiceAccount, err)
    443. 

  443. 		}
    444. 

  444. 		jwtString = string(jwtByte)
    445. 

  445. 	}
    446. 

  446. 

  447. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    448. 

  448. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    449. 

  449. 	request := client.NewRequest("POST", url)
    450. 

  450. 

  451. 	err := request.SetJSONBody(parameters)
    452. 

  452. 	if err != nil {
    453. 

  453. 		return "", fmt.Errorf(errVaultReqParams, err)
    454. 

  454. 	}
    455. 

  455. 

  456. 	resp, err := client.RawRequestWithContext(ctx, request)
    457. 

  457. 	if err != nil {
    458. 

  458. 		return "", fmt.Errorf(errVaultRequest, err)
    459. 

  459. 	}
    460. 

  460. 

  461. 	defer resp.Body.Close()
    462. 

  462. 	vaultResult := vault.Secret{}
    463. 

  463. 	err = resp.DecodeJSON(&vaultResult)
    464. 

  464. 	if err != nil {
    465. 

  465. 		return "", fmt.Errorf(errVaultResponse, err)
    466. 

  466. 	}
    467. 

  467. 

  468. 	token, err := vaultResult.TokenID()
    469. 

  469. 	if err != nil {
    470. 

  470. 		return "", fmt.Errorf(errVaultToken, err)
    471. 

  471. 	}
    472. 

  472. 

  473. 	return token, nil
    474. 

  474. }
    475. 

  475. 

  476. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    477. 

  477. 	username := strings.TrimSpace(ldapAuth.Username)
    478. 

  478. 

  479. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    480. 

  480. 	if err != nil {
    481. 

  481. 		return "", err
    482. 

  482. 	}
    483. 

  483. 

  484. 	parameters := map[string]string{
    485. 

  485. 		"password": password,
    486. 

  486. 	}
    487. 

  487. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    488. 

  488. 	request := client.NewRequest("POST", url)
    489. 

  489. 

  490. 	err = request.SetJSONBody(parameters)
    491. 

  491. 	if err != nil {
    492. 

  492. 		return "", fmt.Errorf(errVaultReqParams, err)
    493. 

  493. 	}
    494. 

  494. 

  495. 	resp, err := client.RawRequestWithContext(ctx, request)
    496. 

  496. 	if err != nil {
    497. 

  497. 		return "", fmt.Errorf(errVaultRequest, err)
    498. 

  498. 	}
    499. 

  499. 

  500. 	defer resp.Body.Close()
    501. 

  501. 

  502. 	vaultResult := vault.Secret{}
    503. 

  503. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    504. 

  504. 		return "", fmt.Errorf(errVaultResponse, err)
    505. 

  505. 	}
    506. 

  506. 

  507. 	token, err := vaultResult.TokenID()
    508. 

  508. 	if err != nil {
    509. 

  509. 		return "", fmt.Errorf(errVaultToken, err)
    510. 

  510. 	}
    511. 

  511. 

  512. 	return token, nil
    513. 

  513. }
    514. 

  514. 

  515. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    516. 

  516. 	role := strings.TrimSpace(jwtAuth.Role)
    517. 

  517. 

  518. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    519. 

  519. 	if err != nil {
    520. 

  520. 		return "", err
    521. 

  521. 	}
    522. 

  522. 

  523. 	parameters := map[string]string{
    524. 

  524. 		"role": role,
    525. 

  525. 		"jwt":  jwt,
    526. 

  526. 	}
    527. 

  527. 	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
    528. 

  528. 	request := client.NewRequest("POST", url)
    529. 

  529. 

  530. 	err = request.SetJSONBody(parameters)
    531. 

  531. 	if err != nil {
    532. 

  532. 		return "", fmt.Errorf(errVaultReqParams, err)
    533. 

  533. 	}
    534. 

  534. 

  535. 	resp, err := client.RawRequestWithContext(ctx, request)
    536. 

  536. 	if err != nil {
    537. 

  537. 		return "", fmt.Errorf(errVaultRequest, err)
    538. 

  538. 	}
    539. 

  539. 

  540. 	defer resp.Body.Close()
    541. 

  541. 

  542. 	vaultResult := vault.Secret{}
    543. 

  543. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    544. 

  544. 		return "", fmt.Errorf(errVaultResponse, err)
    545. 

  545. 	}
    546. 

  546. 

  547. 	token, err := vaultResult.TokenID()
    548. 

  548. 	if err != nil {
    549. 

  549. 		return "", fmt.Errorf(errVaultToken, err)
    550. 

  550. 	}
    551. 

  551. 

  552. 	return token, nil
    553. 

  553. }
    554.