Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 82ddeb9de5
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 22 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/tls"
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"encoding/json"
    22. 

  22. 	"errors"
    23. 

  23. 	"fmt"
    24. 

  24. 	"io/ioutil"
    25. 

  25. 	"net/http"
    26. 

  26. 	"os"
    27. 

  27. 	"strconv"
    28. 

  28. 	"strings"
    29. 

  29. 

  30. 	"github.com/go-logr/logr"
    31. 

  31. 	vault "github.com/hashicorp/vault/api"
    32. 

  32. 	"github.com/tidwall/gjson"
    33. 

  33. 	corev1 "k8s.io/api/core/v1"
    34. 

  34. 	"k8s.io/apimachinery/pkg/types"
    35. 

  35. 	ctrl "sigs.k8s.io/controller-runtime"
    36. 

  36. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    37. 

  37. 

  38. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    39. 

  39. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    40. 

  40. 	"github.com/external-secrets/external-secrets/pkg/provider"
    41. 

  41. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    42. 

  42. )
    43. 

  43. 

  44. var (
    45. 

  45. 	_ provider.Provider      = &connector{}
    46. 

  46. 	_ provider.SecretsClient = &client{}
    47. 

  47. )
    48. 

  48. 

  49. const (
    50. 

  50. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    51. 

  51. 

  52. 	errVaultStore         = "received invalid Vault SecretStore resource: %w"
    53. 

  53. 	errVaultClient        = "cannot setup new vault client: %w"
    54. 

  54. 	errVaultCert          = "cannot set Vault CA certificate: %w"
    55. 

  55. 	errReadSecret         = "cannot read secret data from Vault: %w"
    56. 

  56. 	errAuthFormat         = "cannot initialize Vault client: no valid auth method specified"
    57. 

  57. 	errInvalidCredentials = "invalid vault credentials: %w"
    58. 

  58. 	errDataField          = "failed to find data field"
    59. 

  59. 	errJSONUnmarshall     = "failed to unmarshall JSON"
    60. 

  60. 	errSecretFormat       = "secret data not in expected format"
    61. 

  61. 	errVaultToken         = "cannot parse Vault authentication token: %w"
    62. 

  62. 	errVaultReqParams     = "cannot set Vault request parameters: %w"
    63. 

  63. 	errVaultRequest       = "error from Vault request: %w"
    64. 

  64. 	errVaultResponse      = "cannot parse Vault response: %w"
    65. 

  65. 	errServiceAccount     = "cannot read Kubernetes service account token from file system: %w"
    66. 

  66. 

  67. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    68. 

  68. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    69. 

  69. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    70. 

  70. 

  71. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    72. 

  72. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    73. 

  73. 	errConfigMapFmt  = "cannot find config map data for key: %q"
    74. 

  74. 

  75. 	errClientTLSAuth = "error from Client TLS Auth: %q"
    76. 

  76. 

  77. 	errVaultRevokeToken = "error while revoking token: %w"
    78. 

  78. 

  79. 	errUnknownCAProvider = "unknown caProvider type given"
    80. 

  80. 	errCANamespace       = "cannot read secret for CAProvider due to missing namespace on kind ClusterSecretStore"
    81. 

  81. )
    82. 

  82. 

  83. type Client interface {
    84. 

  84. 	NewRequest(method, requestPath string) *vault.Request
    85. 

  85. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    86. 

  86. 	SetToken(v string)
    87. 

  87. 	Token() string
    88. 

  88. 	ClearToken()
    89. 

  89. 	SetNamespace(namespace string)
    90. 

  90. 	AddHeader(key, value string)
    91. 

  91. }
    92. 

  92. 

  93. type client struct {
    94. 

  94. 	kube      kclient.Client
    95. 

  95. 	store     *esv1beta1.VaultProvider
    96. 

  96. 	log       logr.Logger
    97. 

  97. 	client    Client
    98. 

  98. 	namespace string
    99. 

  99. 	storeKind string
    100. 

  100. }
    101. 

  101. 

  102. func init() {
    103. 

  103. 	schema.Register(&connector{
    104. 

  104. 		newVaultClient: newVaultClient,
    105. 

  105. 	}, &esv1beta1.SecretStoreProvider{
    106. 

  106. 		Vault: &esv1beta1.VaultProvider{},
    107. 

  107. 	})
    108. 

  108. }
    109. 

  109. 

  110. func newVaultClient(c *vault.Config) (Client, error) {
    111. 

  111. 	return vault.NewClient(c)
    112. 

  112. }
    113. 

  113. 

  114. type connector struct {
    115. 

  115. 	newVaultClient func(c *vault.Config) (Client, error)
    116. 

  116. }
    117. 

  117. 

  118. func (c *connector) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    119. 

  119. 	storeSpec := store.GetSpec()
    120. 

  120. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    121. 

  121. 		return nil, errors.New(errVaultStore)
    122. 

  122. 	}
    123. 

  123. 	vaultSpec := storeSpec.Provider.Vault
    124. 

  124. 

  125. 	vStore := &client{
    126. 

  126. 		kube:      kube,
    127. 

  127. 		store:     vaultSpec,
    128. 

  128. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    129. 

  129. 		namespace: namespace,
    130. 

  130. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    131. 

  131. 	}
    132. 

  132. 

  133. 	cfg, err := vStore.newConfig()
    134. 

  134. 	if err != nil {
    135. 

  135. 		return nil, err
    136. 

  136. 	}
    137. 

  137. 

  138. 	client, err := c.newVaultClient(cfg)
    139. 

  139. 	if err != nil {
    140. 

  140. 		return nil, fmt.Errorf(errVaultClient, err)
    141. 

  141. 	}
    142. 

  142. 

  143. 	if vaultSpec.Namespace != nil {
    144. 

  144. 		client.SetNamespace(*vaultSpec.Namespace)
    145. 

  145. 	}
    146. 

  146. 

  147. 	if vaultSpec.ReadYourWrites && vaultSpec.ForwardInconsistent {
    148. 

  148. 		client.AddHeader("X-Vault-Inconsistent", "forward-active-node")
    149. 

  149. 	}
    150. 

  150. 

  151. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    152. 

  152. 		return nil, err
    153. 

  153. 	}
    154. 

  154. 

  155. 	vStore.client = client
    156. 

  156. 

  157. 	return vStore, nil
    158. 

  158. }
    159. 

  159. 

  160. // Empty GetAllSecrets.
    161. 

  161. func (v *client) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
    162. 

  162. 	// TO be implemented
    163. 

  163. 	return nil, fmt.Errorf("GetAllSecrets not implemented")
    164. 

  164. }
    165. 

  165. 

  166. func (v *client) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
    167. 

  167. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    168. 

  168. 	if err != nil {
    169. 

  169. 		return nil, err
    170. 

  170. 	}
    171. 

  171. 

  172. 	// return raw json if no property is defined
    173. 

  173. 	if ref.Property == "" {
    174. 

  174. 		return data, nil
    175. 

  175. 	}
    176. 

  176. 

  177. 	val := gjson.Get(string(data), ref.Property)
    178. 

  178. 	if !val.Exists() {
    179. 

  179. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    180. 

  180. 	}
    181. 

  181. 	return []byte(val.String()), nil
    182. 

  182. }
    183. 

  183. 

  184. func (v *client) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    185. 

  185. 	data, err := v.GetSecret(ctx, ref)
    186. 

  186. 	if err != nil {
    187. 

  187. 		return nil, err
    188. 

  188. 	}
    189. 

  189. 

  190. 	var secretData map[string]interface{}
    191. 

  191. 	err = json.Unmarshal(data, &secretData)
    192. 

  192. 	if err != nil {
    193. 

  193. 		return nil, err
    194. 

  194. 	}
    195. 

  195. 	byteMap := make(map[string][]byte, len(secretData))
    196. 

  196. 	for k, v := range secretData {
    197. 

  197. 		switch t := v.(type) {
    198. 

  198. 		case string:
    199. 

  199. 			byteMap[k] = []byte(t)
    200. 

  200. 		case map[string]interface{}:
    201. 

  201. 			jsonData, err := json.Marshal(t)
    202. 

  202. 			if err != nil {
    203. 

  203. 				return nil, err
    204. 

  204. 			}
    205. 

  205. 			byteMap[k] = jsonData
    206. 

  206. 		case []byte:
    207. 

  207. 			byteMap[k] = t
    208. 

  208. 		// also covers int and float32 due to json.Marshal
    209. 

  209. 		case float64:
    210. 

  210. 			byteMap[k] = []byte(strconv.FormatFloat(t, 'f', -1, 64))
    211. 

  211. 		case bool:
    212. 

  212. 			byteMap[k] = []byte(strconv.FormatBool(t))
    213. 

  213. 		case nil:
    214. 

  214. 			byteMap[k] = []byte(nil)
    215. 

  215. 		default:
    216. 

  216. 			return nil, errors.New(errSecretFormat)
    217. 

  217. 		}
    218. 

  218. 	}
    219. 

  219. 

  220. 	return byteMap, nil
    221. 

  221. }
    222. 

  222. 

  223. func (v *client) Close(ctx context.Context) error {
    224. 

  224. 	// Revoke the token if we have one set and it wasn't sourced from a TokenSecretRef
    225. 

  225. 	if v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
    226. 

  226. 		req := v.client.NewRequest(http.MethodPost, "/v1/auth/token/revoke-self")
    227. 

  227. 		_, err := v.client.RawRequestWithContext(ctx, req)
    228. 

  228. 		if err != nil {
    229. 

  229. 			return fmt.Errorf(errVaultRevokeToken, err)
    230. 

  230. 		}
    231. 

  231. 		v.client.ClearToken()
    232. 

  232. 	}
    233. 

  233. 	return nil
    234. 

  234. }
    235. 

  235. 

  236. func (v *client) Validate() error {
    237. 

  237. 	err := checkToken(context.Background(), v)
    238. 

  238. 	if err != nil {
    239. 

  239. 		return fmt.Errorf(errInvalidCredentials, err)
    240. 

  240. 	}
    241. 

  241. 	return nil
    242. 

  242. }
    243. 

  243. 

  244. func (v *client) buildPath(path string) string {
    245. 

  245. 	optionalMount := v.store.Path
    246. 

  246. 	origPath := strings.Split(path, "/")
    247. 

  247. 	newPath := make([]string, 0)
    248. 

  248. 	cursor := 0
    249. 

  249. 

  250. 	if optionalMount != nil && origPath[0] != *optionalMount {
    251. 

  251. 		// Default case before path was optional
    252. 

  252. 		// Ensure that the requested path includes the SecretStores paths as prefix
    253. 

  253. 		newPath = append(newPath, *optionalMount)
    254. 

  254. 	} else {
    255. 

  255. 		newPath = append(newPath, origPath[cursor])
    256. 

  256. 		cursor++
    257. 

  257. 	}
    258. 

  258. 

  259. 	if v.store.Version == esv1beta1.VaultKVStoreV2 {
    260. 

  260. 		// Add the required `data` part of the URL for the v2 API
    261. 

  261. 		if len(origPath) < 2 || origPath[1] != "data" {
    262. 

  262. 			newPath = append(newPath, "data")
    263. 

  263. 		}
    264. 

  264. 	}
    265. 

  265. 	newPath = append(newPath, origPath[cursor:]...)
    266. 

  266. 	returnPath := strings.Join(newPath, "/")
    267. 

  267. 

  268. 	return returnPath
    269. 

  269. }
    270. 

  270. 

  271. func (v *client) readSecret(ctx context.Context, path, version string) ([]byte, error) {
    272. 

  272. 	dataPath := v.buildPath(path)
    273. 

  273. 

  274. 	// path formated according to vault docs for v1 and v2 API
    275. 

  275. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    276. 

  276. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    277. 

  277. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s", dataPath))
    278. 

  278. 	if version != "" {
    279. 

  279. 		req.Params.Set("version", version)
    280. 

  280. 	}
    281. 

  281. 

  282. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    283. 

  283. 	if err != nil {
    284. 

  284. 		return nil, fmt.Errorf(errReadSecret, err)
    285. 

  285. 	}
    286. 

  286. 

  287. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    288. 

  288. 	if err != nil {
    289. 

  289. 		return nil, err
    290. 

  290. 	}
    291. 

  291. 

  292. 	secretData := vaultSecret.Data
    293. 

  293. 	if v.store.Version == esv1beta1.VaultKVStoreV2 {
    294. 

  294. 		// Vault KV2 has data embedded within sub-field
    295. 

  295. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    296. 

  296. 		dataInt, ok := vaultSecret.Data["data"]
    297. 

  297. 

  298. 		if !ok {
    299. 

  299. 			return nil, errors.New(errDataField)
    300. 

  300. 		}
    301. 

  301. 		secretData, ok = dataInt.(map[string]interface{})
    302. 

  302. 		if !ok {
    303. 

  303. 			return nil, errors.New(errJSONUnmarshall)
    304. 

  304. 		}
    305. 

  305. 	}
    306. 

  306. 

  307. 	// return json string
    308. 

  308. 	return json.Marshal(secretData)
    309. 

  309. }
    310. 

  310. 

  311. func (v *client) newConfig() (*vault.Config, error) {
    312. 

  312. 	cfg := vault.DefaultConfig()
    313. 

  313. 	cfg.Address = v.store.Server
    314. 

  314. 

  315. 	if len(v.store.CABundle) == 0 && v.store.CAProvider == nil {
    316. 

  316. 		return cfg, nil
    317. 

  317. 	}
    318. 

  318. 

  319. 	caCertPool := x509.NewCertPool()
    320. 

  320. 

  321. 	if len(v.store.CABundle) > 0 {
    322. 

  322. 		ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    323. 

  323. 		if !ok {
    324. 

  324. 			return nil, errors.New(errVaultCert)
    325. 

  325. 		}
    326. 

  326. 	}
    327. 

  327. 

  328. 	if v.store.CAProvider != nil && v.storeKind == esv1beta1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
    329. 

  329. 		return nil, errors.New(errCANamespace)
    330. 

  330. 	}
    331. 

  331. 

  332. 	if v.store.CAProvider != nil {
    333. 

  333. 		var cert []byte
    334. 

  334. 		var err error
    335. 

  335. 

  336. 		switch v.store.CAProvider.Type {
    337. 

  337. 		case esv1beta1.CAProviderTypeSecret:
    338. 

  338. 			cert, err = getCertFromSecret(v)
    339. 

  339. 		case esv1beta1.CAProviderTypeConfigMap:
    340. 

  340. 			cert, err = getCertFromConfigMap(v)
    341. 

  341. 		default:
    342. 

  342. 			return nil, errors.New(errUnknownCAProvider)
    343. 

  343. 		}
    344. 

  344. 

  345. 		if err != nil {
    346. 

  346. 			return nil, err
    347. 

  347. 		}
    348. 

  348. 

  349. 		ok := caCertPool.AppendCertsFromPEM(cert)
    350. 

  350. 		if !ok {
    351. 

  351. 			return nil, errors.New(errVaultCert)
    352. 

  352. 		}
    353. 

  353. 	}
    354. 

  354. 

  355. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    356. 

  356. 		transport.TLSClientConfig.RootCAs = caCertPool
    357. 

  357. 	}
    358. 

  358. 

  359. 	// If either read-after-write consistency feature is enabled, enable ReadYourWrites
    360. 

  360. 	cfg.ReadYourWrites = v.store.ReadYourWrites || v.store.ForwardInconsistent
    361. 

  361. 

  362. 	return cfg, nil
    363. 

  363. }
    364. 

  364. 

  365. func getCertFromSecret(v *client) ([]byte, error) {
    366. 

  366. 	secretRef := esmeta.SecretKeySelector{
    367. 

  367. 		Name: v.store.CAProvider.Name,
    368. 

  368. 		Key:  v.store.CAProvider.Key,
    369. 

  369. 	}
    370. 

  370. 

  371. 	if v.store.CAProvider.Namespace != nil {
    372. 

  372. 		secretRef.Namespace = v.store.CAProvider.Namespace
    373. 

  373. 	}
    374. 

  374. 

  375. 	ctx := context.Background()
    376. 

  376. 	res, err := v.secretKeyRef(ctx, &secretRef)
    377. 

  377. 	if err != nil {
    378. 

  378. 		return nil, fmt.Errorf(errVaultCert, err)
    379. 

  379. 	}
    380. 

  380. 

  381. 	return []byte(res), nil
    382. 

  382. }
    383. 

  383. 

  384. func getCertFromConfigMap(v *client) ([]byte, error) {
    385. 

  385. 	objKey := types.NamespacedName{
    386. 

  386. 		Name: v.store.CAProvider.Name,
    387. 

  387. 	}
    388. 

  388. 

  389. 	if v.store.CAProvider.Namespace != nil {
    390. 

  390. 		objKey.Namespace = *v.store.CAProvider.Namespace
    391. 

  391. 	}
    392. 

  392. 

  393. 	configMapRef := &corev1.ConfigMap{}
    394. 

  394. 	ctx := context.Background()
    395. 

  395. 	err := v.kube.Get(ctx, objKey, configMapRef)
    396. 

  396. 	if err != nil {
    397. 

  397. 		return nil, fmt.Errorf(errVaultCert, err)
    398. 

  398. 	}
    399. 

  399. 

  400. 	val, ok := configMapRef.Data[v.store.CAProvider.Key]
    401. 

  401. 	if !ok {
    402. 

  402. 		return nil, fmt.Errorf(errConfigMapFmt, v.store.CAProvider.Key)
    403. 

  403. 	}
    404. 

  404. 

  405. 	return []byte(val), nil
    406. 

  406. }
    407. 

  407. 

  408. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    409. 

  409. 	tokenExists, err := setSecretKeyToken(ctx, v, client)
    410. 

  410. 	if tokenExists {
    411. 

  411. 		return err
    412. 

  412. 	}
    413. 

  413. 

  414. 	tokenExists, err = setAppRoleToken(ctx, v, client)
    415. 

  415. 	if tokenExists {
    416. 

  416. 		return err
    417. 

  417. 	}
    418. 

  418. 

  419. 	tokenExists, err = setKubernetesAuthToken(ctx, v, client)
    420. 

  420. 	if tokenExists {
    421. 

  421. 		return err
    422. 

  422. 	}
    423. 

  423. 

  424. 	tokenExists, err = setLdapAuthToken(ctx, v, client)
    425. 

  425. 	if tokenExists {
    426. 

  426. 		return err
    427. 

  427. 	}
    428. 

  428. 

  429. 	tokenExists, err = setJwtAuthToken(ctx, v, client)
    430. 

  430. 	if tokenExists {
    431. 

  431. 		return err
    432. 

  432. 	}
    433. 

  433. 

  434. 	tokenExists, err = setCertAuthToken(ctx, v, client, cfg)
    435. 

  435. 	if tokenExists {
    436. 

  436. 		return err
    437. 

  437. 	}
    438. 

  438. 

  439. 	return errors.New(errAuthFormat)
    440. 

  440. }
    441. 

  441. 

  442. func setAppRoleToken(ctx context.Context, v *client, client Client) (bool, error) {
    443. 

  443. 	tokenRef := v.store.Auth.TokenSecretRef
    444. 

  444. 	if tokenRef != nil {
    445. 

  445. 		token, err := v.secretKeyRef(ctx, tokenRef)
    446. 

  446. 		if err != nil {
    447. 

  447. 			return true, err
    448. 

  448. 		}
    449. 

  449. 		client.SetToken(token)
    450. 

  450. 		return true, nil
    451. 

  451. 	}
    452. 

  452. 	return false, nil
    453. 

  453. }
    454. 

  454. 

  455. func setSecretKeyToken(ctx context.Context, v *client, client Client) (bool, error) {
    456. 

  456. 	appRole := v.store.Auth.AppRole
    457. 

  457. 	if appRole != nil {
    458. 

  458. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    459. 

  459. 		if err != nil {
    460. 

  460. 			return true, err
    461. 

  461. 		}
    462. 

  462. 		client.SetToken(token)
    463. 

  463. 		return true, nil
    464. 

  464. 	}
    465. 

  465. 	return false, nil
    466. 

  466. }
    467. 

  467. 

  468. func setKubernetesAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    469. 

  469. 	kubernetesAuth := v.store.Auth.Kubernetes
    470. 

  470. 	if kubernetesAuth != nil {
    471. 

  471. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    472. 

  472. 		if err != nil {
    473. 

  473. 			return true, err
    474. 

  474. 		}
    475. 

  475. 		client.SetToken(token)
    476. 

  476. 		return true, nil
    477. 

  477. 	}
    478. 

  478. 	return false, nil
    479. 

  479. }
    480. 

  480. 

  481. func setLdapAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    482. 

  482. 	ldapAuth := v.store.Auth.Ldap
    483. 

  483. 	if ldapAuth != nil {
    484. 

  484. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    485. 

  485. 		if err != nil {
    486. 

  486. 			return true, err
    487. 

  487. 		}
    488. 

  488. 		client.SetToken(token)
    489. 

  489. 		return true, nil
    490. 

  490. 	}
    491. 

  491. 	return false, nil
    492. 

  492. }
    493. 

  493. 

  494. func setJwtAuthToken(ctx context.Context, v *client, client Client) (bool, error) {
    495. 

  495. 	jwtAuth := v.store.Auth.Jwt
    496. 

  496. 	if jwtAuth != nil {
    497. 

  497. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    498. 

  498. 		if err != nil {
    499. 

  499. 			return true, err
    500. 

  500. 		}
    501. 

  501. 		client.SetToken(token)
    502. 

  502. 		return true, nil
    503. 

  503. 	}
    504. 

  504. 	return false, nil
    505. 

  505. }
    506. 

  506. 

  507. func setCertAuthToken(ctx context.Context, v *client, client Client, cfg *vault.Config) (bool, error) {
    508. 

  508. 	certAuth := v.store.Auth.Cert
    509. 

  509. 	if certAuth != nil {
    510. 

  510. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    511. 

  511. 		if err != nil {
    512. 

  512. 			return true, err
    513. 

  513. 		}
    514. 

  514. 		client.SetToken(token)
    515. 

  515. 		return true, nil
    516. 

  516. 	}
    517. 

  517. 	return false, nil
    518. 

  518. }
    519. 

  519. 

  520. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    521. 

  521. 	serviceAccount := &corev1.ServiceAccount{}
    522. 

  522. 	ref := types.NamespacedName{
    523. 

  523. 		Namespace: v.namespace,
    524. 

  524. 		Name:      serviceAccountRef.Name,
    525. 

  525. 	}
    526. 

  526. 	if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    527. 

  527. 		(serviceAccountRef.Namespace != nil) {
    528. 

  528. 		ref.Namespace = *serviceAccountRef.Namespace
    529. 

  529. 	}
    530. 

  530. 	err := v.kube.Get(ctx, ref, serviceAccount)
    531. 

  531. 	if err != nil {
    532. 

  532. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    533. 

  533. 	}
    534. 

  534. 	if len(serviceAccount.Secrets) == 0 {
    535. 

  535. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    536. 

  536. 	}
    537. 

  537. 	for _, tokenRef := range serviceAccount.Secrets {
    538. 

  538. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    539. 

  539. 			Name:      tokenRef.Name,
    540. 

  540. 			Namespace: &ref.Namespace,
    541. 

  541. 			Key:       "token",
    542. 

  542. 		})
    543. 

  543. 

  544. 		if err != nil {
    545. 

  545. 			continue
    546. 

  546. 		}
    547. 

  547. 

  548. 		return retval, nil
    549. 

  549. 	}
    550. 

  550. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    551. 

  551. }
    552. 

  552. 

  553. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    554. 

  554. 	secret := &corev1.Secret{}
    555. 

  555. 	ref := types.NamespacedName{
    556. 

  556. 		Namespace: v.namespace,
    557. 

  557. 		Name:      secretRef.Name,
    558. 

  558. 	}
    559. 

  559. 	if (v.storeKind == esv1beta1.ClusterSecretStoreKind) &&
    560. 

  560. 		(secretRef.Namespace != nil) {
    561. 

  561. 		ref.Namespace = *secretRef.Namespace
    562. 

  562. 	}
    563. 

  563. 	err := v.kube.Get(ctx, ref, secret)
    564. 

  564. 	if err != nil {
    565. 

  565. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    566. 

  566. 	}
    567. 

  567. 

  568. 	keyBytes, ok := secret.Data[secretRef.Key]
    569. 

  569. 	if !ok {
    570. 

  570. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    571. 

  571. 	}
    572. 

  572. 

  573. 	value := string(keyBytes)
    574. 

  574. 	valueStr := strings.TrimSpace(value)
    575. 

  575. 	return valueStr, nil
    576. 

  576. }
    577. 

  577. 

  578. // checkToken does a lookup and checks if the provided token exists.
    579. 

  579. func checkToken(ctx context.Context, vStore *client) error {
    580. 

  580. 	// https://www.vaultproject.io/api-docs/auth/token#lookup-a-token-self
    581. 

  581. 	req := vStore.client.NewRequest("GET", "/v1/auth/token/lookup-self")
    582. 

  582. 	_, err := vStore.client.RawRequestWithContext(ctx, req)
    583. 

  583. 	return err
    584. 

  584. }
    585. 

  585. 

  586. // appRoleParameters creates the required body for Vault AppRole Auth.
    587. 

  587. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    588. 

  588. func appRoleParameters(role, secret string) map[string]string {
    589. 

  589. 	return map[string]string{
    590. 

  590. 		"role_id":   role,
    591. 

  591. 		"secret_id": secret,
    592. 

  592. 	}
    593. 

  593. }
    594. 

  594. 

  595. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1beta1.VaultAppRole) (string, error) {
    596. 

  596. 	roleID := strings.TrimSpace(appRole.RoleID)
    597. 

  597. 

  598. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    599. 

  599. 	if err != nil {
    600. 

  600. 		return "", err
    601. 

  601. 	}
    602. 

  602. 

  603. 	parameters := appRoleParameters(roleID, secretID)
    604. 

  604. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    605. 

  605. 	request := client.NewRequest("POST", url)
    606. 

  606. 

  607. 	err = request.SetJSONBody(parameters)
    608. 

  608. 	if err != nil {
    609. 

  609. 		return "", fmt.Errorf(errVaultReqParams, err)
    610. 

  610. 	}
    611. 

  611. 

  612. 	resp, err := client.RawRequestWithContext(ctx, request)
    613. 

  613. 	if err != nil {
    614. 

  614. 		return "", fmt.Errorf(errVaultRequest, err)
    615. 

  615. 	}
    616. 

  616. 

  617. 	defer resp.Body.Close()
    618. 

  618. 

  619. 	vaultResult := vault.Secret{}
    620. 

  620. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    621. 

  621. 		return "", fmt.Errorf(errVaultResponse, err)
    622. 

  622. 	}
    623. 

  623. 

  624. 	token, err := vaultResult.TokenID()
    625. 

  625. 	if err != nil {
    626. 

  626. 		return "", fmt.Errorf(errVaultToken, err)
    627. 

  627. 	}
    628. 

  628. 

  629. 	return token, nil
    630. 

  630. }
    631. 

  631. 

  632. // kubeParameters creates the required body for Vault Kubernetes auth.
    633. 

  633. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    634. 

  634. func kubeParameters(role, jwt string) map[string]string {
    635. 

  635. 	return map[string]string{
    636. 

  636. 		"role": role,
    637. 

  637. 		"jwt":  jwt,
    638. 

  638. 	}
    639. 

  639. }
    640. 

  640. 

  641. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
    642. 

  642. 	jwtString, err := getJwtString(ctx, v, kubernetesAuth)
    643. 

  643. 	if err != nil {
    644. 

  644. 		return "", err
    645. 

  645. 	}
    646. 

  646. 

  647. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    648. 

  648. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    649. 

  649. 	request := client.NewRequest("POST", url)
    650. 

  650. 

  651. 	err = request.SetJSONBody(parameters)
    652. 

  652. 	if err != nil {
    653. 

  653. 		return "", fmt.Errorf(errVaultReqParams, err)
    654. 

  654. 	}
    655. 

  655. 

  656. 	resp, err := client.RawRequestWithContext(ctx, request)
    657. 

  657. 	if err != nil {
    658. 

  658. 		return "", fmt.Errorf(errVaultRequest, err)
    659. 

  659. 	}
    660. 

  660. 

  661. 	defer resp.Body.Close()
    662. 

  662. 	vaultResult := vault.Secret{}
    663. 

  663. 	err = resp.DecodeJSON(&vaultResult)
    664. 

  664. 	if err != nil {
    665. 

  665. 		return "", fmt.Errorf(errVaultResponse, err)
    666. 

  666. 	}
    667. 

  667. 

  668. 	token, err := vaultResult.TokenID()
    669. 

  669. 	if err != nil {
    670. 

  670. 		return "", fmt.Errorf(errVaultToken, err)
    671. 

  671. 	}
    672. 

  672. 

  673. 	return token, nil
    674. 

  674. }
    675. 

  675. 

  676. func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1beta1.VaultKubernetesAuth) (string, error) {
    677. 

  677. 	if kubernetesAuth.ServiceAccountRef != nil {
    678. 

  678. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    679. 

  679. 		if err != nil {
    680. 

  680. 			return "", err
    681. 

  681. 		}
    682. 

  682. 		return jwt, nil
    683. 

  683. 	} else if kubernetesAuth.SecretRef != nil {
    684. 

  684. 		tokenRef := kubernetesAuth.SecretRef
    685. 

  685. 		if tokenRef.Key == "" {
    686. 

  686. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    687. 

  687. 			tokenRef.Key = "token"
    688. 

  688. 		}
    689. 

  689. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    690. 

  690. 		if err != nil {
    691. 

  691. 			return "", err
    692. 

  692. 		}
    693. 

  693. 		return jwt, nil
    694. 

  694. 	} else {
    695. 

  695. 		// Kubernetes authentication is specified, but without a referenced
    696. 

  696. 		// Kubernetes secret. We check if the file path for in-cluster service account
    697. 

  697. 		// exists and attempt to use the token for Vault Kubernetes auth.
    698. 

  698. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    699. 

  699. 			return "", fmt.Errorf(errServiceAccount, err)
    700. 

  700. 		}
    701. 

  701. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    702. 

  702. 		if err != nil {
    703. 

  703. 			return "", fmt.Errorf(errServiceAccount, err)
    704. 

  704. 		}
    705. 

  705. 		return string(jwtByte), nil
    706. 

  706. 	}
    707. 

  707. }
    708. 

  708. 

  709. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1beta1.VaultLdapAuth) (string, error) {
    710. 

  710. 	username := strings.TrimSpace(ldapAuth.Username)
    711. 

  711. 

  712. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    713. 

  713. 	if err != nil {
    714. 

  714. 		return "", err
    715. 

  715. 	}
    716. 

  716. 

  717. 	parameters := map[string]string{
    718. 

  718. 		"password": password,
    719. 

  719. 	}
    720. 

  720. 	url := strings.Join([]string{"/v1", "auth", ldapAuth.Path, "login", username}, "/")
    721. 

  721. 	request := client.NewRequest("POST", url)
    722. 

  722. 

  723. 	err = request.SetJSONBody(parameters)
    724. 

  724. 	if err != nil {
    725. 

  725. 		return "", fmt.Errorf(errVaultReqParams, err)
    726. 

  726. 	}
    727. 

  727. 

  728. 	resp, err := client.RawRequestWithContext(ctx, request)
    729. 

  729. 	if err != nil {
    730. 

  730. 		return "", fmt.Errorf(errVaultRequest, err)
    731. 

  731. 	}
    732. 

  732. 

  733. 	defer resp.Body.Close()
    734. 

  734. 

  735. 	vaultResult := vault.Secret{}
    736. 

  736. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    737. 

  737. 		return "", fmt.Errorf(errVaultResponse, err)
    738. 

  738. 	}
    739. 

  739. 

  740. 	token, err := vaultResult.TokenID()
    741. 

  741. 	if err != nil {
    742. 

  742. 		return "", fmt.Errorf(errVaultToken, err)
    743. 

  743. 	}
    744. 

  744. 

  745. 	return token, nil
    746. 

  746. }
    747. 

  747. 

  748. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1beta1.VaultJwtAuth) (string, error) {
    749. 

  749. 	role := strings.TrimSpace(jwtAuth.Role)
    750. 

  750. 

  751. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    752. 

  752. 	if err != nil {
    753. 

  753. 		return "", err
    754. 

  754. 	}
    755. 

  755. 

  756. 	parameters := map[string]string{
    757. 

  757. 		"role": role,
    758. 

  758. 		"jwt":  jwt,
    759. 

  759. 	}
    760. 

  760. 	url := strings.Join([]string{"/v1", "auth", jwtAuth.Path, "login"}, "/")
    761. 

  761. 	request := client.NewRequest("POST", url)
    762. 

  762. 

  763. 	err = request.SetJSONBody(parameters)
    764. 

  764. 	if err != nil {
    765. 

  765. 		return "", fmt.Errorf(errVaultReqParams, err)
    766. 

  766. 	}
    767. 

  767. 

  768. 	resp, err := client.RawRequestWithContext(ctx, request)
    769. 

  769. 	if err != nil {
    770. 

  770. 		return "", fmt.Errorf(errVaultRequest, err)
    771. 

  771. 	}
    772. 

  772. 

  773. 	defer resp.Body.Close()
    774. 

  774. 

  775. 	vaultResult := vault.Secret{}
    776. 

  776. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    777. 

  777. 		return "", fmt.Errorf(errVaultResponse, err)
    778. 

  778. 	}
    779. 

  779. 

  780. 	token, err := vaultResult.TokenID()
    781. 

  781. 	if err != nil {
    782. 

  782. 		return "", fmt.Errorf(errVaultToken, err)
    783. 

  783. 	}
    784. 

  784. 

  785. 	return token, nil
    786. 

  786. }
    787. 

  787. 

  788. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1beta1.VaultCertAuth, cfg *vault.Config) (string, error) {
    789. 

  789. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    790. 

  790. 	if err != nil {
    791. 

  791. 		return "", err
    792. 

  792. 	}
    793. 

  793. 

  794. 	clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
    795. 

  795. 	if err != nil {
    796. 

  796. 		return "", err
    797. 

  797. 	}
    798. 

  798. 

  799. 	cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
    800. 

  800. 	if err != nil {
    801. 

  801. 		return "", fmt.Errorf(errClientTLSAuth, err)
    802. 

  802. 	}
    803. 

  803. 

  804. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    805. 

  805. 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
    806. 

  806. 	}
    807. 

  807. 

  808. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    809. 

  809. 	request := client.NewRequest("POST", url)
    810. 

  810. 

  811. 	resp, err := client.RawRequestWithContext(ctx, request)
    812. 

  812. 	if err != nil {
    813. 

  813. 		return "", fmt.Errorf(errVaultRequest, err)
    814. 

  814. 	}
    815. 

  815. 

  816. 	defer resp.Body.Close()
    817. 

  817. 

  818. 	vaultResult := vault.Secret{}
    819. 

  819. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    820. 

  820. 		return "", fmt.Errorf(errVaultResponse, err)
    821. 

  821. 	}
    822. 

  822. 

  823. 	token, err := vaultResult.TokenID()
    824. 

  824. 	if err != nil {
    825. 

  825. 		return "", fmt.Errorf(errVaultToken, err)
    826. 

  826. 	}
    827. 

  827. 

  828. 	return token, nil
    829. 

  829. }
    830.