Home Esplora Aiuto
Accedi
logic855
/
helm-external-secrets
mirror da https://github.com/external-secrets/external-secrets
1
0
Forka 0
File Problemi 0 Wiki
Albero (Tree): c7fc6b24d3
Rami (Branch) Tag
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 17 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/x509"
    20. 

  20. 	b64 "encoding/base64"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"net/http"
    25. 

  25. 	"os"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	"github.com/go-logr/logr"
    29. 

  29. 	vault "github.com/hashicorp/vault/api"
    30. 

  30. 	corev1 "k8s.io/api/core/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	ctrl "sigs.k8s.io/controller-runtime"
    33. 

  33. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	_ provider.Provider      = &connector{}
    43. 

  43. 	_ provider.SecretsClient = &client{}
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    48. 

  48. 	clientCertsBasePath = "/auth-certs/"
    49. 

  49. 

  50. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    51. 

  51. 	errVaultClient    = "cannot setup new vault client: %w"
    52. 

  52. 	errVaultTLSClient = "cannot setup new TLS vault client: %w"
    53. 

  53. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    54. 

  54. 	errReadSecret     = "cannot read secret data from Vault: %w"
    55. 

  55. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    56. 

  56. 	errVaultData      = "cannot parse Vault response data: %w"
    57. 

  57. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    58. 

  58. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    59. 

  59. 	errVaultRequest   = "error from Vault request: %w"
    60. 

  60. 	errVaultResponse  = "cannot parse Vault response: %w"
    61. 

  61. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    62. 

  62. 

  63. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    64. 

  64. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    65. 

  65. 

  66. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    67. 

  67. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    68. 

  68. 

  69. 	errGetCertPath     = "cannot get certificates path: %w"
    70. 

  70. 	errOsCreateFile    = "cannot create file to store certificate: %w"
    71. 

  71. 	errCertDecode      = "error decoding certificate: %w"
    72. 

  72. 	errWriteCertToFile = "cannot write certificate to file: %w"
    73. 

  73. 	errCertMkdir       = "cannot create path to store certificate: %w"
    74. 

  74. )
    75. 

  75. 

  76. type Client interface {
    77. 

  77. 	NewRequest(method, requestPath string) *vault.Request
    78. 

  78. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    79. 

  79. 	SetToken(v string)
    80. 

  80. 	SetNamespace(namespace string)
    81. 

  81. }
    82. 

  82. 

  83. type client struct {
    84. 

  84. 	kube      kclient.Client
    85. 

  85. 	store     *esv1alpha1.VaultProvider
    86. 

  86. 	log       logr.Logger
    87. 

  87. 	client    Client
    88. 

  88. 	namespace string
    89. 

  89. 	storeKind string
    90. 

  90. }
    91. 

  91. 

  92. func init() {
    93. 

  93. 	schema.Register(&connector{
    94. 

  94. 		newVaultClient: newVaultClient,
    95. 

  95. 	}, &esv1alpha1.SecretStoreProvider{
    96. 

  96. 		Vault: &esv1alpha1.VaultProvider{},
    97. 

  97. 	})
    98. 

  98. }
    99. 

  99. 

  100. func newVaultClient(c *vault.Config) (Client, error) {
    101. 

  101. 	return vault.NewClient(c)
    102. 

  102. }
    103. 

  103. 

  104. type connector struct {
    105. 

  105. 	newVaultClient func(c *vault.Config) (Client, error)
    106. 

  106. }
    107. 

  107. 

  108. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    109. 

  109. 	storeSpec := store.GetSpec()
    110. 

  110. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    111. 

  111. 		return nil, errors.New(errVaultStore)
    112. 

  112. 	}
    113. 

  113. 	vaultSpec := storeSpec.Provider.Vault
    114. 

  114. 

  115. 	vStore := &client{
    116. 

  116. 		kube:      kube,
    117. 

  117. 		store:     vaultSpec,
    118. 

  118. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    119. 

  119. 		namespace: namespace,
    120. 

  120. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    121. 

  121. 	}
    122. 

  122. 

  123. 	cfg, err := vStore.newConfig(ctx)
    124. 

  124. 

  125. 	if err != nil {
    126. 

  126. 		return nil, err
    127. 

  127. 	}
    128. 

  128. 

  129. 	client, err := c.newVaultClient(cfg)
    130. 

  130. 	if err != nil {
    131. 

  131. 		return nil, fmt.Errorf(errVaultClient, err)
    132. 

  132. 	}
    133. 

  133. 

  134. 	if vaultSpec.Namespace != nil {
    135. 

  135. 		client.SetNamespace(*vaultSpec.Namespace)
    136. 

  136. 	}
    137. 

  137. 

  138. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    139. 

  139. 		return nil, err
    140. 

  140. 	}
    141. 

  141. 

  142. 	vStore.client = client
    143. 

  143. 	return vStore, nil
    144. 

  144. }
    145. 

  145. 

  146. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    147. 

  147. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    148. 

  148. 	if err != nil {
    149. 

  149. 		return nil, err
    150. 

  150. 	}
    151. 

  151. 	value, exists := data[ref.Property]
    152. 

  152. 	if !exists {
    153. 

  153. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    154. 

  154. 	}
    155. 

  155. 	return value, nil
    156. 

  156. }
    157. 

  157. 

  158. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    159. 

  159. 	return v.readSecret(ctx, ref.Key, ref.Version)
    160. 

  160. }
    161. 

  161. 

  162. func (v *client) Close() error {
    163. 

  163. 	return nil
    164. 

  164. }
    165. 

  165. 

  166. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    167. 

  167. 	kvPath := v.store.Path
    168. 

  168. 

  169. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    170. 

  170. 		if !strings.HasSuffix(kvPath, "/data") {
    171. 

  171. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    172. 

  172. 		}
    173. 

  173. 	}
    174. 

  174. 

  175. 	// path formated according to vault docs for v1 and v2 API
    176. 

  176. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    177. 

  177. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    178. 

  178. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    179. 

  179. 	if version != "" {
    180. 

  180. 		req.Params.Set("version", version)
    181. 

  181. 	}
    182. 

  182. 

  183. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    184. 

  184. 	if err != nil {
    185. 

  185. 		return nil, fmt.Errorf(errReadSecret, err)
    186. 

  186. 	}
    187. 

  187. 

  188. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    189. 

  189. 	if err != nil {
    190. 

  190. 		return nil, err
    191. 

  191. 	}
    192. 

  192. 

  193. 	secretData := vaultSecret.Data
    194. 

  194. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    195. 

  195. 		// Vault KV2 has data embedded within sub-field
    196. 

  196. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    197. 

  197. 		dataInt, ok := vaultSecret.Data["data"]
    198. 

  198. 		if !ok {
    199. 

  199. 			return nil, errors.New(errVaultData)
    200. 

  200. 		}
    201. 

  201. 		secretData, ok = dataInt.(map[string]interface{})
    202. 

  202. 		if !ok {
    203. 

  203. 			return nil, errors.New(errVaultData)
    204. 

  204. 		}
    205. 

  205. 	}
    206. 

  206. 

  207. 	byteMap := make(map[string][]byte, len(secretData))
    208. 

  208. 	for k, v := range secretData {
    209. 

  209. 		switch t := v.(type) {
    210. 

  210. 		case string:
    211. 

  211. 			byteMap[k] = []byte(t)
    212. 

  212. 		case []byte:
    213. 

  213. 			byteMap[k] = t
    214. 

  214. 		default:
    215. 

  215. 			return nil, errors.New(errVaultData)
    216. 

  216. 		}
    217. 

  217. 	}
    218. 

  218. 

  219. 	return byteMap, nil
    220. 

  220. }
    221. 

  221. 

  222. func (v *client) newConfig(ctx context.Context) (*vault.Config, error) {
    223. 

  223. 	cfg := vault.DefaultConfig()
    224. 

  224. 	cfg.Address = v.store.Server
    225. 

  225. 

  226. 	if len(v.store.CABundle) == 0 {
    227. 

  227. 		return cfg, nil
    228. 

  228. 	}
    229. 

  229. 

  230. 	caCertPool := x509.NewCertPool()
    231. 

  231. 	ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    232. 

  232. 	if !ok {
    233. 

  233. 		return nil, errors.New(errVaultCert)
    234. 

  234. 	}
    235. 

  235. 

  236. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    237. 

  237. 		transport.TLSClientConfig.RootCAs = caCertPool
    238. 

  238. 	}
    239. 

  239. 

  240. 	return cfg, nil
    241. 

  241. }
    242. 

  242. 

  243. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    244. 

  244. 	tokenRef := v.store.Auth.TokenSecretRef
    245. 

  245. 	if tokenRef != nil {
    246. 

  246. 		token, err := v.secretKeyRef(ctx, tokenRef)
    247. 

  247. 		if err != nil {
    248. 

  248. 			return err
    249. 

  249. 		}
    250. 

  250. 		client.SetToken(token)
    251. 

  251. 		return nil
    252. 

  252. 	}
    253. 

  253. 

  254. 	appRole := v.store.Auth.AppRole
    255. 

  255. 	if appRole != nil {
    256. 

  256. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    257. 

  257. 		if err != nil {
    258. 

  258. 			return err
    259. 

  259. 		}
    260. 

  260. 		client.SetToken(token)
    261. 

  261. 		return nil
    262. 

  262. 	}
    263. 

  263. 

  264. 	kubernetesAuth := v.store.Auth.Kubernetes
    265. 

  265. 	if kubernetesAuth != nil {
    266. 

  266. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    267. 

  267. 		if err != nil {
    268. 

  268. 			return err
    269. 

  269. 		}
    270. 

  270. 		client.SetToken(token)
    271. 

  271. 		return nil
    272. 

  272. 	}
    273. 

  273. 

  274. 	ldapAuth := v.store.Auth.Ldap
    275. 

  275. 	if ldapAuth != nil {
    276. 

  276. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    277. 

  277. 		if err != nil {
    278. 

  278. 			return err
    279. 

  279. 		}
    280. 

  280. 		client.SetToken(token)
    281. 

  281. 		return nil
    282. 

  282. 	}
    283. 

  283. 

  284. 	jwtAuth := v.store.Auth.Jwt
    285. 

  285. 	if jwtAuth != nil {
    286. 

  286. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    287. 

  287. 		if err != nil {
    288. 

  288. 			return err
    289. 

  289. 		}
    290. 

  290. 		client.SetToken(token)
    291. 

  291. 		return nil
    292. 

  292. 	}
    293. 

  293. 

  294. 	certAuth := v.store.Auth.Cert
    295. 

  295. 	if certAuth != nil {
    296. 

  296. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    297. 

  297. 		if err != nil {
    298. 

  298. 			return err
    299. 

  299. 		}
    300. 

  300. 		client.SetToken(token)
    301. 

  301. 		return nil
    302. 

  302. 	}
    303. 

  303. 

  304. 	return errors.New(errAuthFormat)
    305. 

  305. }
    306. 

  306. 

  307. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    308. 

  308. 	serviceAccount := &corev1.ServiceAccount{}
    309. 

  309. 	ref := types.NamespacedName{
    310. 

  310. 		Namespace: v.namespace,
    311. 

  311. 		Name:      serviceAccountRef.Name,
    312. 

  312. 	}
    313. 

  313. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    314. 

  314. 		(serviceAccountRef.Namespace != nil) {
    315. 

  315. 		ref.Namespace = *serviceAccountRef.Namespace
    316. 

  316. 	}
    317. 

  317. 	err := v.kube.Get(ctx, ref, serviceAccount)
    318. 

  318. 	if err != nil {
    319. 

  319. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    320. 

  320. 	}
    321. 

  321. 	if len(serviceAccount.Secrets) == 0 {
    322. 

  322. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    323. 

  323. 	}
    324. 

  324. 	tokenRef := serviceAccount.Secrets[0]
    325. 

  325. 

  326. 	return v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    327. 

  327. 		Name:      tokenRef.Name,
    328. 

  328. 		Namespace: &ref.Namespace,
    329. 

  329. 		Key:       "token",
    330. 

  330. 	})
    331. 

  331. }
    332. 

  332. 

  333. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    334. 

  334. 	secret := &corev1.Secret{}
    335. 

  335. 	ref := types.NamespacedName{
    336. 

  336. 		Namespace: v.namespace,
    337. 

  337. 		Name:      secretRef.Name,
    338. 

  338. 	}
    339. 

  339. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    340. 

  340. 		(secretRef.Namespace != nil) {
    341. 

  341. 		ref.Namespace = *secretRef.Namespace
    342. 

  342. 	}
    343. 

  343. 	err := v.kube.Get(ctx, ref, secret)
    344. 

  344. 	if err != nil {
    345. 

  345. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    346. 

  346. 	}
    347. 

  347. 

  348. 	keyBytes, ok := secret.Data[secretRef.Key]
    349. 

  349. 	if !ok {
    350. 

  350. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    351. 

  351. 	}
    352. 

  352. 

  353. 	value := string(keyBytes)
    354. 

  354. 

  355. 	valueStr := strings.TrimSpace(value)
    356. 

  356. 	return valueStr, nil
    357. 

  357. }
    358. 

  358. 

  359. // appRoleParameters creates the required body for Vault AppRole Auth.
    360. 

  360. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    361. 

  361. func appRoleParameters(role, secret string) map[string]string {
    362. 

  362. 	return map[string]string{
    363. 

  363. 		"role_id":   role,
    364. 

  364. 		"secret_id": secret,
    365. 

  365. 	}
    366. 

  366. }
    367. 

  367. 

  368. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    369. 

  369. 	roleID := strings.TrimSpace(appRole.RoleID)
    370. 

  370. 

  371. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    372. 

  372. 	if err != nil {
    373. 

  373. 		return "", err
    374. 

  374. 	}
    375. 

  375. 

  376. 	parameters := appRoleParameters(roleID, secretID)
    377. 

  377. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    378. 

  378. 	request := client.NewRequest("POST", url)
    379. 

  379. 

  380. 	err = request.SetJSONBody(parameters)
    381. 

  381. 	if err != nil {
    382. 

  382. 		return "", fmt.Errorf(errVaultReqParams, err)
    383. 

  383. 	}
    384. 

  384. 

  385. 	resp, err := client.RawRequestWithContext(ctx, request)
    386. 

  386. 	if err != nil {
    387. 

  387. 		return "", fmt.Errorf(errVaultRequest, err)
    388. 

  388. 	}
    389. 

  389. 

  390. 	defer resp.Body.Close()
    391. 

  391. 

  392. 	vaultResult := vault.Secret{}
    393. 

  393. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    394. 

  394. 		return "", fmt.Errorf(errVaultResponse, err)
    395. 

  395. 	}
    396. 

  396. 

  397. 	token, err := vaultResult.TokenID()
    398. 

  398. 	if err != nil {
    399. 

  399. 		return "", fmt.Errorf(errVaultToken, err)
    400. 

  400. 	}
    401. 

  401. 

  402. 	return token, nil
    403. 

  403. }
    404. 

  404. 

  405. // kubeParameters creates the required body for Vault Kubernetes auth.
    406. 

  406. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    407. 

  407. func kubeParameters(role, jwt string) map[string]string {
    408. 

  408. 	return map[string]string{
    409. 

  409. 		"role": role,
    410. 

  410. 		"jwt":  jwt,
    411. 

  411. 	}
    412. 

  412. }
    413. 

  413. 

  414. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    415. 

  415. 	jwtString := ""
    416. 

  416. 	if kubernetesAuth.ServiceAccountRef != nil {
    417. 

  417. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    418. 

  418. 		if err != nil {
    419. 

  419. 			return "", err
    420. 

  420. 		}
    421. 

  421. 		jwtString = jwt
    422. 

  422. 	} else if kubernetesAuth.SecretRef != nil {
    423. 

  423. 		tokenRef := kubernetesAuth.SecretRef
    424. 

  424. 		if tokenRef.Key == "" {
    425. 

  425. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    426. 

  426. 			tokenRef.Key = "token"
    427. 

  427. 		}
    428. 

  428. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    429. 

  429. 		if err != nil {
    430. 

  430. 			return "", err
    431. 

  431. 		}
    432. 

  432. 		jwtString = jwt
    433. 

  433. 	} else {
    434. 

  434. 		// Kubernetes authentication is specified, but without a referenced
    435. 

  435. 		// Kubernetes secret. We check if the file path for in-cluster service account
    436. 

  436. 		// exists and attempt to use the token for Vault Kubernetes auth.
    437. 

  437. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    438. 

  438. 			return "", fmt.Errorf(errServiceAccount, err)
    439. 

  439. 		}
    440. 

  440. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    441. 

  441. 		if err != nil {
    442. 

  442. 			return "", fmt.Errorf(errServiceAccount, err)
    443. 

  443. 		}
    444. 

  444. 		jwtString = string(jwtByte)
    445. 

  445. 	}
    446. 

  446. 

  447. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    448. 

  448. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    449. 

  449. 	request := client.NewRequest("POST", url)
    450. 

  450. 

  451. 	err := request.SetJSONBody(parameters)
    452. 

  452. 	if err != nil {
    453. 

  453. 		return "", fmt.Errorf(errVaultReqParams, err)
    454. 

  454. 	}
    455. 

  455. 

  456. 	resp, err := client.RawRequestWithContext(ctx, request)
    457. 

  457. 	if err != nil {
    458. 

  458. 		return "", fmt.Errorf(errVaultRequest, err)
    459. 

  459. 	}
    460. 

  460. 

  461. 	defer resp.Body.Close()
    462. 

  462. 	vaultResult := vault.Secret{}
    463. 

  463. 	err = resp.DecodeJSON(&vaultResult)
    464. 

  464. 	if err != nil {
    465. 

  465. 		return "", fmt.Errorf(errVaultResponse, err)
    466. 

  466. 	}
    467. 

  467. 

  468. 	token, err := vaultResult.TokenID()
    469. 

  469. 	if err != nil {
    470. 

  470. 		return "", fmt.Errorf(errVaultToken, err)
    471. 

  471. 	}
    472. 

  472. 

  473. 	return token, nil
    474. 

  474. }
    475. 

  475. 

  476. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    477. 

  477. 	username := strings.TrimSpace(ldapAuth.Username)
    478. 

  478. 

  479. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    480. 

  480. 	if err != nil {
    481. 

  481. 		return "", err
    482. 

  482. 	}
    483. 

  483. 

  484. 	parameters := map[string]string{
    485. 

  485. 		"password": password,
    486. 

  486. 	}
    487. 

  487. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    488. 

  488. 	request := client.NewRequest("POST", url)
    489. 

  489. 

  490. 	err = request.SetJSONBody(parameters)
    491. 

  491. 	if err != nil {
    492. 

  492. 		return "", fmt.Errorf(errVaultReqParams, err)
    493. 

  493. 	}
    494. 

  494. 

  495. 	resp, err := client.RawRequestWithContext(ctx, request)
    496. 

  496. 	if err != nil {
    497. 

  497. 		return "", fmt.Errorf(errVaultRequest, err)
    498. 

  498. 	}
    499. 

  499. 

  500. 	defer resp.Body.Close()
    501. 

  501. 

  502. 	vaultResult := vault.Secret{}
    503. 

  503. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    504. 

  504. 		return "", fmt.Errorf(errVaultResponse, err)
    505. 

  505. 	}
    506. 

  506. 

  507. 	token, err := vaultResult.TokenID()
    508. 

  508. 	if err != nil {
    509. 

  509. 		return "", fmt.Errorf(errVaultToken, err)
    510. 

  510. 	}
    511. 

  511. 

  512. 	return token, nil
    513. 

  513. }
    514. 

  514. 

  515. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    516. 

  516. 	role := strings.TrimSpace(jwtAuth.Role)
    517. 

  517. 

  518. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    519. 

  519. 	if err != nil {
    520. 

  520. 		return "", err
    521. 

  521. 	}
    522. 

  522. 

  523. 	parameters := map[string]string{
    524. 

  524. 		"role": role,
    525. 

  525. 		"jwt":  jwt,
    526. 

  526. 	}
    527. 

  527. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    528. 

  528. 	request := client.NewRequest("POST", url)
    529. 

  529. 

  530. 	err = request.SetJSONBody(parameters)
    531. 

  531. 	if err != nil {
    532. 

  532. 		return "", fmt.Errorf(errVaultReqParams, err)
    533. 

  533. 	}
    534. 

  534. 

  535. 	resp, err := client.RawRequestWithContext(ctx, request)
    536. 

  536. 	if err != nil {
    537. 

  537. 		return "", fmt.Errorf(errVaultRequest, err)
    538. 

  538. 	}
    539. 

  539. 

  540. 	defer resp.Body.Close()
    541. 

  541. 

  542. 	vaultResult := vault.Secret{}
    543. 

  543. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    544. 

  544. 		return "", fmt.Errorf(errVaultResponse, err)
    545. 

  545. 	}
    546. 

  546. 

  547. 	token, err := vaultResult.TokenID()
    548. 

  548. 	if err != nil {
    549. 

  549. 		return "", fmt.Errorf(errVaultToken, err)
    550. 

  550. 	}
    551. 

  551. 

  552. 	return token, nil
    553. 

  553. }
    554. 

  554. 

  555. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
    556. 

  556. 

  557. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    558. 

  558. 	if err != nil {
    559. 

  559. 		return "", err
    560. 

  560. 	}
    561. 

  561. 

  562. 	clientKeyPath, err := getCertPath(clientKey, "client.key")
    563. 

  563. 	if err != nil {
    564. 

  564. 		return "", fmt.Errorf(errGetCertPath, err)
    565. 

  565. 	}
    566. 

  566. 

  567. 	clientCertPath, err := getCertPath(certAuth.ClientCert, "client.crt")
    568. 

  568. 	if err != nil {
    569. 

  569. 		return "", fmt.Errorf(errGetCertPath, err)
    570. 

  570. 	}
    571. 

  571. 

  572. 	caCertPath, err := getCertPath(certAuth.CACert, "ca.crt")
    573. 

  573. 	if err != nil {
    574. 

  574. 		return "", fmt.Errorf(errGetCertPath, err)
    575. 

  575. 	}
    576. 

  576. 

  577. 	tlscfg := vault.TLSConfig{
    578. 

  578. 		ClientCert: clientCertPath,
    579. 

  579. 		ClientKey:  clientKeyPath,
    580. 

  580. 		CACert:     caCertPath,
    581. 

  581. 	}
    582. 

  582. 

  583. 	err = cfg.ConfigureTLS(&tlscfg)
    584. 

  584. 

  585. 	if err != nil {
    586. 

  586. 		return "", fmt.Errorf(errVaultCert, err)
    587. 

  587. 	}
    588. 

  588. 

  589. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    590. 

  590. 	request := client.NewRequest("POST", url)
    591. 

  591. 

  592. 	resp, err := client.RawRequestWithContext(ctx, request)
    593. 

  593. 	if err != nil {
    594. 

  594. 		return "", fmt.Errorf(errVaultRequest, err)
    595. 

  595. 	}
    596. 

  596. 

  597. 	defer resp.Body.Close()
    598. 

  598. 

  599. 	vaultResult := vault.Secret{}
    600. 

  600. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    601. 

  601. 		return "", fmt.Errorf(errVaultResponse, err)
    602. 

  602. 	}
    603. 

  603. 

  604. 	token, err := vaultResult.TokenID()
    605. 

  605. 	if err != nil {
    606. 

  606. 		return "", fmt.Errorf(errVaultToken, err)
    607. 

  607. 	}
    608. 

  608. 

  609. 	return token, nil
    610. 

  610. }
    611. 

  611. 

  612. func getCertPath(cert, filename string) (string, error) {
    613. 

  613. 

  614. 	certPath := clientCertsBasePath + filename
    615. 

  615. 

  616. 	if _, err := os.Stat(clientCertsBasePath); os.IsNotExist(err) {
    617. 

  617. 		_, err := MkdirToStoreCertificate(clientCertsBasePath)
    618. 

  618. 		return "", err
    619. 

  619. 	}
    620. 

  620. 

  621. 	f, err := os.Create(certPath)
    622. 

  622. 	if err != nil {
    623. 

  623. 		return "", fmt.Errorf(errOsCreateFile, err)
    624. 

  624. 	}
    625. 

  625. 

  626. 	defer f.Close()
    627. 

  627. 

  628. 	if filename == "client.crt" || filename == "ca.crt" {
    629. 

  629. 

  630. 		decodedCert, err := b64.StdEncoding.DecodeString(cert)
    631. 

  631. 		if err != nil {
    632. 

  632. 			return "", fmt.Errorf(errCertDecode, err)
    633. 

  633. 		}
    634. 

  634. 		cert = string(decodedCert)
    635. 

  635. 	}
    636. 

  636. 	_, err = f.WriteString(cert)
    637. 

  637. 	if err != nil {
    638. 

  638. 		return "", fmt.Errorf(errWriteCertToFile, err)
    639. 

  639. 	}
    640. 

  640. 

  641. 	return certPath, nil
    642. 

  642. }
    643. 

  643. 

  644. func MkdirToStoreCertificate(clientCertsBasePath string) (string, error) {
    645. 

  645. 

  646. 	if err := os.MkdirAll(clientCertsBasePath, 0700); err != nil {
    647. 

  647. 		return "", fmt.Errorf(errCertMkdir, err)
    648. 

  648. 	}
    649. 

  649. 

  650. 	return "", nil
    651. 

  651. }
    652.