Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: b3a44fdbd0
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/tls"
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"net/http"
    25. 

  25. 	"os"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	"github.com/go-logr/logr"
    29. 

  29. 	vault "github.com/hashicorp/vault/api"
    30. 

  30. 	corev1 "k8s.io/api/core/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	ctrl "sigs.k8s.io/controller-runtime"
    33. 

  33. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	_ provider.Provider      = &connector{}
    43. 

  43. 	_ provider.SecretsClient = &client{}
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    48. 

  48. 

  49. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    50. 

  50. 	errVaultClient    = "cannot setup new vault client: %w"
    51. 

  51. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    52. 

  52. 	errReadSecret     = "cannot read secret data from Vault: %w"
    53. 

  53. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    54. 

  54. 	errDataField      = "failed to find data field"
    55. 

  55. 	errJSONUnmarshall = "failed to unmarshall JSON"
    56. 

  56. 	errSecretFormat   = "secret data not in expected format"
    57. 

  57. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    58. 

  58. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    59. 

  59. 	errVaultRequest   = "error from Vault request: %w"
    60. 

  60. 	errVaultResponse  = "cannot parse Vault response: %w"
    61. 

  61. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    62. 

  62. 

  63. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    64. 

  64. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    65. 

  65. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    66. 

  66. 

  67. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    68. 

  68. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    69. 

  69. 

  70. 	errClientTLSAuth = "error from Client TLS Auth: %q"
    71. 

  71. 

  72. 	errVaultRevokeToken = "error while revoking token: %w"
    73. 

  73. )
    74. 

  74. 

  75. type Client interface {
    76. 

  76. 	NewRequest(method, requestPath string) *vault.Request
    77. 

  77. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    78. 

  78. 	SetToken(v string)
    79. 

  79. 	Token() string
    80. 

  80. 	ClearToken()
    81. 

  81. 	SetNamespace(namespace string)
    82. 

  82. }
    83. 

  83. 

  84. type client struct {
    85. 

  85. 	kube      kclient.Client
    86. 

  86. 	store     *esv1alpha1.VaultProvider
    87. 

  87. 	log       logr.Logger
    88. 

  88. 	client    Client
    89. 

  89. 	namespace string
    90. 

  90. 	storeKind string
    91. 

  91. }
    92. 

  92. 

  93. func init() {
    94. 

  94. 	schema.Register(&connector{
    95. 

  95. 		newVaultClient: newVaultClient,
    96. 

  96. 	}, &esv1alpha1.SecretStoreProvider{
    97. 

  97. 		Vault: &esv1alpha1.VaultProvider{},
    98. 

  98. 	})
    99. 

  99. }
    100. 

  100. 

  101. func newVaultClient(c *vault.Config) (Client, error) {
    102. 

  102. 	return vault.NewClient(c)
    103. 

  103. }
    104. 

  104. 

  105. type connector struct {
    106. 

  106. 	newVaultClient func(c *vault.Config) (Client, error)
    107. 

  107. }
    108. 

  108. 

  109. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    110. 

  110. 	storeSpec := store.GetSpec()
    111. 

  111. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    112. 

  112. 		return nil, errors.New(errVaultStore)
    113. 

  113. 	}
    114. 

  114. 	vaultSpec := storeSpec.Provider.Vault
    115. 

  115. 

  116. 	vStore := &client{
    117. 

  117. 		kube:      kube,
    118. 

  118. 		store:     vaultSpec,
    119. 

  119. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    120. 

  120. 		namespace: namespace,
    121. 

  121. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    122. 

  122. 	}
    123. 

  123. 

  124. 	cfg, err := vStore.newConfig()
    125. 

  125. 	if err != nil {
    126. 

  126. 		return nil, err
    127. 

  127. 	}
    128. 

  128. 

  129. 	client, err := c.newVaultClient(cfg)
    130. 

  130. 	if err != nil {
    131. 

  131. 		return nil, fmt.Errorf(errVaultClient, err)
    132. 

  132. 	}
    133. 

  133. 

  134. 	if vaultSpec.Namespace != nil {
    135. 

  135. 		client.SetNamespace(*vaultSpec.Namespace)
    136. 

  136. 	}
    137. 

  137. 

  138. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    139. 

  139. 		return nil, err
    140. 

  140. 	}
    141. 

  141. 

  142. 	vStore.client = client
    143. 

  143. 	return vStore, nil
    144. 

  144. }
    145. 

  145. 

  146. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    147. 

  147. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    148. 

  148. 	if err != nil {
    149. 

  149. 		return nil, err
    150. 

  150. 	}
    151. 

  151. 	value, exists := data[ref.Property]
    152. 

  152. 	if !exists {
    153. 

  153. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    154. 

  154. 	}
    155. 

  155. 	return value, nil
    156. 

  156. }
    157. 

  157. 

  158. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    159. 

  159. 	return v.readSecret(ctx, ref.Key, ref.Version)
    160. 

  160. }
    161. 

  161. 

  162. func (v *client) Close(ctx context.Context) error {
    163. 

  163. 	// Revoke the token if we have one set and it wasn't sourced from a TokenSecretRef
    164. 

  164. 	if v.client.Token() != "" && v.store.Auth.TokenSecretRef == nil {
    165. 

  165. 		req := v.client.NewRequest(http.MethodPost, "/v1/auth/token/revoke-self")
    166. 

  166. 		_, err := v.client.RawRequestWithContext(ctx, req)
    167. 

  167. 		if err != nil {
    168. 

  168. 			return fmt.Errorf(errVaultRevokeToken, err)
    169. 

  169. 		}
    170. 

  170. 		v.client.ClearToken()
    171. 

  171. 	}
    172. 

  172. 	return nil
    173. 

  173. }
    174. 

  174. 

  175. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    176. 

  176. 	kvPath := v.store.Path
    177. 

  177. 

  178. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    179. 

  179. 		if !strings.HasSuffix(kvPath, "/data") {
    180. 

  180. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    181. 

  181. 		}
    182. 

  182. 	}
    183. 

  183. 

  184. 	// path formated according to vault docs for v1 and v2 API
    185. 

  185. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    186. 

  186. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    187. 

  187. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    188. 

  188. 	if version != "" {
    189. 

  189. 		req.Params.Set("version", version)
    190. 

  190. 	}
    191. 

  191. 

  192. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    193. 

  193. 	if err != nil {
    194. 

  194. 		return nil, fmt.Errorf(errReadSecret, err)
    195. 

  195. 	}
    196. 

  196. 

  197. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    198. 

  198. 	if err != nil {
    199. 

  199. 		return nil, err
    200. 

  200. 	}
    201. 

  201. 

  202. 	secretData := vaultSecret.Data
    203. 

  203. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    204. 

  204. 		// Vault KV2 has data embedded within sub-field
    205. 

  205. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    206. 

  206. 		dataInt, ok := vaultSecret.Data["data"]
    207. 

  207. 

  208. 		if !ok {
    209. 

  209. 			return nil, errors.New(errDataField)
    210. 

  210. 		}
    211. 

  211. 		secretData, ok = dataInt.(map[string]interface{})
    212. 

  212. 		if !ok {
    213. 

  213. 			return nil, errors.New(errJSONUnmarshall)
    214. 

  214. 		}
    215. 

  215. 	}
    216. 

  216. 

  217. 	byteMap := make(map[string][]byte, len(secretData))
    218. 

  218. 	for k, v := range secretData {
    219. 

  219. 		switch t := v.(type) {
    220. 

  220. 		case string:
    221. 

  221. 			byteMap[k] = []byte(t)
    222. 

  222. 		case []byte:
    223. 

  223. 			byteMap[k] = t
    224. 

  224. 		default:
    225. 

  225. 			return nil, errors.New(errSecretFormat)
    226. 

  226. 		}
    227. 

  227. 	}
    228. 

  228. 

  229. 	return byteMap, nil
    230. 

  230. }
    231. 

  231. 

  232. func (v *client) newConfig() (*vault.Config, error) {
    233. 

  233. 	cfg := vault.DefaultConfig()
    234. 

  234. 	cfg.Address = v.store.Server
    235. 

  235. 

  236. 	if len(v.store.CABundle) == 0 && v.store.CAProvider == nil {
    237. 

  237. 		return cfg, nil
    238. 

  238. 	}
    239. 

  239. 

  240. 	caCertPool := x509.NewCertPool()
    241. 

  241. 

  242. 	if len(v.store.CABundle) > 0 {
    243. 

  243. 		ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    244. 

  244. 		if !ok {
    245. 

  245. 			return nil, errors.New(errVaultCert)
    246. 

  246. 		}
    247. 

  247. 	}
    248. 

  248. 

  249. 	if v.store.CAProvider != nil {
    250. 

  250. 		if v.store.CAProvider.Type == esv1alpha1.CAProviderTypeSecret {
    251. 

  251. 			secretRef := esmeta.SecretKeySelector{
    252. 

  252. 				Name:      v.store.CAProvider.Name,
    253. 

  253. 				Namespace: &v.store.CAProvider.Namespace,
    254. 

  254. 				Key:       v.store.CAProvider.Key,
    255. 

  255. 			}
    256. 

  256. 			ctx := context.Background()
    257. 

  257. 			res, err := v.secretKeyRef(ctx, &secretRef)
    258. 

  258. 			if err != nil {
    259. 

  259. 				return nil, errors.New(fmt.Sprintf(errVaultCert, err))
    260. 

  260. 			}
    261. 

  261. 

  262. 			ok := caCertPool.AppendCertsFromPEM([]byte(res))
    263. 

  263. 			if !ok {
    264. 

  264. 				return nil, errors.New(errVaultCert)
    265. 

  265. 			}
    266. 

  266. 		}
    267. 

  267. 	}
    268. 

  268. 

  269. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    270. 

  270. 		transport.TLSClientConfig.RootCAs = caCertPool
    271. 

  271. 	}
    272. 

  272. 

  273. 	return cfg, nil
    274. 

  274. }
    275. 

  275. 

  276. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    277. 

  277. 	tokenRef := v.store.Auth.TokenSecretRef
    278. 

  278. 	if tokenRef != nil {
    279. 

  279. 		token, err := v.secretKeyRef(ctx, tokenRef)
    280. 

  280. 		if err != nil {
    281. 

  281. 			return err
    282. 

  282. 		}
    283. 

  283. 		client.SetToken(token)
    284. 

  284. 		return nil
    285. 

  285. 	}
    286. 

  286. 

  287. 	appRole := v.store.Auth.AppRole
    288. 

  288. 	if appRole != nil {
    289. 

  289. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    290. 

  290. 		if err != nil {
    291. 

  291. 			return err
    292. 

  292. 		}
    293. 

  293. 		client.SetToken(token)
    294. 

  294. 		return nil
    295. 

  295. 	}
    296. 

  296. 

  297. 	kubernetesAuth := v.store.Auth.Kubernetes
    298. 

  298. 	if kubernetesAuth != nil {
    299. 

  299. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    300. 

  300. 		if err != nil {
    301. 

  301. 			return err
    302. 

  302. 		}
    303. 

  303. 		client.SetToken(token)
    304. 

  304. 		return nil
    305. 

  305. 	}
    306. 

  306. 

  307. 	ldapAuth := v.store.Auth.Ldap
    308. 

  308. 	if ldapAuth != nil {
    309. 

  309. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    310. 

  310. 		if err != nil {
    311. 

  311. 			return err
    312. 

  312. 		}
    313. 

  313. 		client.SetToken(token)
    314. 

  314. 		return nil
    315. 

  315. 	}
    316. 

  316. 

  317. 	jwtAuth := v.store.Auth.Jwt
    318. 

  318. 	if jwtAuth != nil {
    319. 

  319. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    320. 

  320. 		if err != nil {
    321. 

  321. 			return err
    322. 

  322. 		}
    323. 

  323. 		client.SetToken(token)
    324. 

  324. 		return nil
    325. 

  325. 	}
    326. 

  326. 

  327. 	certAuth := v.store.Auth.Cert
    328. 

  328. 	if certAuth != nil {
    329. 

  329. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    330. 

  330. 		if err != nil {
    331. 

  331. 			return err
    332. 

  332. 		}
    333. 

  333. 		client.SetToken(token)
    334. 

  334. 		return nil
    335. 

  335. 	}
    336. 

  336. 

  337. 	return errors.New(errAuthFormat)
    338. 

  338. }
    339. 

  339. 

  340. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    341. 

  341. 	serviceAccount := &corev1.ServiceAccount{}
    342. 

  342. 	ref := types.NamespacedName{
    343. 

  343. 		Namespace: v.namespace,
    344. 

  344. 		Name:      serviceAccountRef.Name,
    345. 

  345. 	}
    346. 

  346. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    347. 

  347. 		(serviceAccountRef.Namespace != nil) {
    348. 

  348. 		ref.Namespace = *serviceAccountRef.Namespace
    349. 

  349. 	}
    350. 

  350. 	err := v.kube.Get(ctx, ref, serviceAccount)
    351. 

  351. 	if err != nil {
    352. 

  352. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    353. 

  353. 	}
    354. 

  354. 	if len(serviceAccount.Secrets) == 0 {
    355. 

  355. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    356. 

  356. 	}
    357. 

  357. 	for _, tokenRef := range serviceAccount.Secrets {
    358. 

  358. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    359. 

  359. 			Name:      tokenRef.Name,
    360. 

  360. 			Namespace: &ref.Namespace,
    361. 

  361. 			Key:       "token",
    362. 

  362. 		})
    363. 

  363. 

  364. 		if err != nil {
    365. 

  365. 			continue
    366. 

  366. 		}
    367. 

  367. 

  368. 		return retval, nil
    369. 

  369. 	}
    370. 

  370. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    371. 

  371. }
    372. 

  372. 

  373. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    374. 

  374. 	secret := &corev1.Secret{}
    375. 

  375. 	ref := types.NamespacedName{
    376. 

  376. 		Namespace: v.namespace,
    377. 

  377. 		Name:      secretRef.Name,
    378. 

  378. 	}
    379. 

  379. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    380. 

  380. 		(secretRef.Namespace != nil) {
    381. 

  381. 		ref.Namespace = *secretRef.Namespace
    382. 

  382. 	}
    383. 

  383. 	err := v.kube.Get(ctx, ref, secret)
    384. 

  384. 	if err != nil {
    385. 

  385. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    386. 

  386. 	}
    387. 

  387. 

  388. 	keyBytes, ok := secret.Data[secretRef.Key]
    389. 

  389. 	if !ok {
    390. 

  390. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    391. 

  391. 	}
    392. 

  392. 

  393. 	value := string(keyBytes)
    394. 

  394. 	valueStr := strings.TrimSpace(value)
    395. 

  395. 	return valueStr, nil
    396. 

  396. }
    397. 

  397. 

  398. // appRoleParameters creates the required body for Vault AppRole Auth.
    399. 

  399. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    400. 

  400. func appRoleParameters(role, secret string) map[string]string {
    401. 

  401. 	return map[string]string{
    402. 

  402. 		"role_id":   role,
    403. 

  403. 		"secret_id": secret,
    404. 

  404. 	}
    405. 

  405. }
    406. 

  406. 

  407. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    408. 

  408. 	roleID := strings.TrimSpace(appRole.RoleID)
    409. 

  409. 

  410. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    411. 

  411. 	if err != nil {
    412. 

  412. 		return "", err
    413. 

  413. 	}
    414. 

  414. 

  415. 	parameters := appRoleParameters(roleID, secretID)
    416. 

  416. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    417. 

  417. 	request := client.NewRequest("POST", url)
    418. 

  418. 

  419. 	err = request.SetJSONBody(parameters)
    420. 

  420. 	if err != nil {
    421. 

  421. 		return "", fmt.Errorf(errVaultReqParams, err)
    422. 

  422. 	}
    423. 

  423. 

  424. 	resp, err := client.RawRequestWithContext(ctx, request)
    425. 

  425. 	if err != nil {
    426. 

  426. 		return "", fmt.Errorf(errVaultRequest, err)
    427. 

  427. 	}
    428. 

  428. 

  429. 	defer resp.Body.Close()
    430. 

  430. 

  431. 	vaultResult := vault.Secret{}
    432. 

  432. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    433. 

  433. 		return "", fmt.Errorf(errVaultResponse, err)
    434. 

  434. 	}
    435. 

  435. 

  436. 	token, err := vaultResult.TokenID()
    437. 

  437. 	if err != nil {
    438. 

  438. 		return "", fmt.Errorf(errVaultToken, err)
    439. 

  439. 	}
    440. 

  440. 

  441. 	return token, nil
    442. 

  442. }
    443. 

  443. 

  444. // kubeParameters creates the required body for Vault Kubernetes auth.
    445. 

  445. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    446. 

  446. func kubeParameters(role, jwt string) map[string]string {
    447. 

  447. 	return map[string]string{
    448. 

  448. 		"role": role,
    449. 

  449. 		"jwt":  jwt,
    450. 

  450. 	}
    451. 

  451. }
    452. 

  452. 

  453. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    454. 

  454. 	jwtString := ""
    455. 

  455. 	if kubernetesAuth.ServiceAccountRef != nil {
    456. 

  456. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    457. 

  457. 		if err != nil {
    458. 

  458. 			return "", err
    459. 

  459. 		}
    460. 

  460. 		jwtString = jwt
    461. 

  461. 	} else if kubernetesAuth.SecretRef != nil {
    462. 

  462. 		tokenRef := kubernetesAuth.SecretRef
    463. 

  463. 		if tokenRef.Key == "" {
    464. 

  464. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    465. 

  465. 			tokenRef.Key = "token"
    466. 

  466. 		}
    467. 

  467. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    468. 

  468. 		if err != nil {
    469. 

  469. 			return "", err
    470. 

  470. 		}
    471. 

  471. 		jwtString = jwt
    472. 

  472. 	} else {
    473. 

  473. 		// Kubernetes authentication is specified, but without a referenced
    474. 

  474. 		// Kubernetes secret. We check if the file path for in-cluster service account
    475. 

  475. 		// exists and attempt to use the token for Vault Kubernetes auth.
    476. 

  476. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    477. 

  477. 			return "", fmt.Errorf(errServiceAccount, err)
    478. 

  478. 		}
    479. 

  479. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    480. 

  480. 		if err != nil {
    481. 

  481. 			return "", fmt.Errorf(errServiceAccount, err)
    482. 

  482. 		}
    483. 

  483. 		jwtString = string(jwtByte)
    484. 

  484. 	}
    485. 

  485. 

  486. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    487. 

  487. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    488. 

  488. 	request := client.NewRequest("POST", url)
    489. 

  489. 

  490. 	err := request.SetJSONBody(parameters)
    491. 

  491. 	if err != nil {
    492. 

  492. 		return "", fmt.Errorf(errVaultReqParams, err)
    493. 

  493. 	}
    494. 

  494. 

  495. 	resp, err := client.RawRequestWithContext(ctx, request)
    496. 

  496. 	if err != nil {
    497. 

  497. 		return "", fmt.Errorf(errVaultRequest, err)
    498. 

  498. 	}
    499. 

  499. 

  500. 	defer resp.Body.Close()
    501. 

  501. 	vaultResult := vault.Secret{}
    502. 

  502. 	err = resp.DecodeJSON(&vaultResult)
    503. 

  503. 	if err != nil {
    504. 

  504. 		return "", fmt.Errorf(errVaultResponse, err)
    505. 

  505. 	}
    506. 

  506. 

  507. 	token, err := vaultResult.TokenID()
    508. 

  508. 	if err != nil {
    509. 

  509. 		return "", fmt.Errorf(errVaultToken, err)
    510. 

  510. 	}
    511. 

  511. 

  512. 	return token, nil
    513. 

  513. }
    514. 

  514. 

  515. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    516. 

  516. 	username := strings.TrimSpace(ldapAuth.Username)
    517. 

  517. 

  518. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    519. 

  519. 	if err != nil {
    520. 

  520. 		return "", err
    521. 

  521. 	}
    522. 

  522. 

  523. 	parameters := map[string]string{
    524. 

  524. 		"password": password,
    525. 

  525. 	}
    526. 

  526. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    527. 

  527. 	request := client.NewRequest("POST", url)
    528. 

  528. 

  529. 	err = request.SetJSONBody(parameters)
    530. 

  530. 	if err != nil {
    531. 

  531. 		return "", fmt.Errorf(errVaultReqParams, err)
    532. 

  532. 	}
    533. 

  533. 

  534. 	resp, err := client.RawRequestWithContext(ctx, request)
    535. 

  535. 	if err != nil {
    536. 

  536. 		return "", fmt.Errorf(errVaultRequest, err)
    537. 

  537. 	}
    538. 

  538. 

  539. 	defer resp.Body.Close()
    540. 

  540. 

  541. 	vaultResult := vault.Secret{}
    542. 

  542. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    543. 

  543. 		return "", fmt.Errorf(errVaultResponse, err)
    544. 

  544. 	}
    545. 

  545. 

  546. 	token, err := vaultResult.TokenID()
    547. 

  547. 	if err != nil {
    548. 

  548. 		return "", fmt.Errorf(errVaultToken, err)
    549. 

  549. 	}
    550. 

  550. 

  551. 	return token, nil
    552. 

  552. }
    553. 

  553. 

  554. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    555. 

  555. 	role := strings.TrimSpace(jwtAuth.Role)
    556. 

  556. 

  557. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    558. 

  558. 	if err != nil {
    559. 

  559. 		return "", err
    560. 

  560. 	}
    561. 

  561. 

  562. 	parameters := map[string]string{
    563. 

  563. 		"role": role,
    564. 

  564. 		"jwt":  jwt,
    565. 

  565. 	}
    566. 

  566. 	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
    567. 

  567. 	request := client.NewRequest("POST", url)
    568. 

  568. 

  569. 	err = request.SetJSONBody(parameters)
    570. 

  570. 	if err != nil {
    571. 

  571. 		return "", fmt.Errorf(errVaultReqParams, err)
    572. 

  572. 	}
    573. 

  573. 

  574. 	resp, err := client.RawRequestWithContext(ctx, request)
    575. 

  575. 	if err != nil {
    576. 

  576. 		return "", fmt.Errorf(errVaultRequest, err)
    577. 

  577. 	}
    578. 

  578. 

  579. 	defer resp.Body.Close()
    580. 

  580. 

  581. 	vaultResult := vault.Secret{}
    582. 

  582. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    583. 

  583. 		return "", fmt.Errorf(errVaultResponse, err)
    584. 

  584. 	}
    585. 

  585. 

  586. 	token, err := vaultResult.TokenID()
    587. 

  587. 	if err != nil {
    588. 

  588. 		return "", fmt.Errorf(errVaultToken, err)
    589. 

  589. 	}
    590. 

  590. 

  591. 	return token, nil
    592. 

  592. }
    593. 

  593. 

  594. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
    595. 

  595. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    596. 

  596. 	if err != nil {
    597. 

  597. 		return "", err
    598. 

  598. 	}
    599. 

  599. 

  600. 	clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
    601. 

  601. 	if err != nil {
    602. 

  602. 		return "", err
    603. 

  603. 	}
    604. 

  604. 

  605. 	cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
    606. 

  606. 	if err != nil {
    607. 

  607. 		return "", fmt.Errorf(errClientTLSAuth, err)
    608. 

  608. 	}
    609. 

  609. 

  610. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    611. 

  611. 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
    612. 

  612. 	}
    613. 

  613. 

  614. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    615. 

  615. 	request := client.NewRequest("POST", url)
    616. 

  616. 

  617. 	resp, err := client.RawRequestWithContext(ctx, request)
    618. 

  618. 	if err != nil {
    619. 

  619. 		return "", fmt.Errorf(errVaultRequest, err)
    620. 

  620. 	}
    621. 

  621. 

  622. 	defer resp.Body.Close()
    623. 

  623. 

  624. 	vaultResult := vault.Secret{}
    625. 

  625. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    626. 

  626. 		return "", fmt.Errorf(errVaultResponse, err)
    627. 

  627. 	}
    628. 

  628. 

  629. 	token, err := vaultResult.TokenID()
    630. 

  630. 	if err != nil {
    631. 

  631. 		return "", fmt.Errorf(errVaultToken, err)
    632. 

  632. 	}
    633. 

  633. 

  634. 	return token, nil
    635. 

  635. }
    636.