Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: c900c8deb5
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 14 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/x509"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"io/ioutil"
    23. 

  23. 	"net/http"
    24. 

  24. 	"os"
    25. 

  25. 	"strings"
    26. 

  26. 

  27. 	"github.com/go-logr/logr"
    28. 

  28. 	vault "github.com/hashicorp/vault/api"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	"k8s.io/apimachinery/pkg/types"
    31. 

  31. 	ctrl "sigs.k8s.io/controller-runtime"
    32. 

  32. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    33. 

  33. 

  34. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    35. 

  35. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    36. 

  36. 	"github.com/external-secrets/external-secrets/pkg/provider"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    38. 

  38. )
    39. 

  39. 

  40. var (
    41. 

  41. 	_ provider.Provider      = &connector{}
    42. 

  42. 	_ provider.SecretsClient = &client{}
    43. 

  43. )
    44. 

  44. 

  45. const (
    46. 

  46. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    47. 

  47. 

  48. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    49. 

  49. 	errVaultClient    = "cannot setup new vault client: %w"
    50. 

  50. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    51. 

  51. 	errReadSecret     = "cannot read secret data from Vault: %w"
    52. 

  52. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    53. 

  53. 	errVaultData      = "cannot parse Vault response data: %w"
    54. 

  54. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    55. 

  55. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    56. 

  56. 	errVaultRequest   = "error from Vault request: %w"
    57. 

  57. 	errVaultResponse  = "cannot parse Vault response: %w"
    58. 

  58. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    59. 

  59. 

  60. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    61. 

  61. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    62. 

  62. 

  63. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    64. 

  64. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    65. 

  65. )
    66. 

  66. 

  67. type Client interface {
    68. 

  68. 	NewRequest(method, requestPath string) *vault.Request
    69. 

  69. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    70. 

  70. 	SetToken(v string)
    71. 

  71. 	SetNamespace(namespace string)
    72. 

  72. }
    73. 

  73. 

  74. type client struct {
    75. 

  75. 	kube      kclient.Client
    76. 

  76. 	store     *esv1alpha1.VaultProvider
    77. 

  77. 	log       logr.Logger
    78. 

  78. 	client    Client
    79. 

  79. 	namespace string
    80. 

  80. 	storeKind string
    81. 

  81. }
    82. 

  82. 

  83. func init() {
    84. 

  84. 	schema.Register(&connector{
    85. 

  85. 		newVaultClient: newVaultClient,
    86. 

  86. 	}, &esv1alpha1.SecretStoreProvider{
    87. 

  87. 		Vault: &esv1alpha1.VaultProvider{},
    88. 

  88. 	})
    89. 

  89. }
    90. 

  90. 

  91. func newVaultClient(c *vault.Config) (Client, error) {
    92. 

  92. 	return vault.NewClient(c)
    93. 

  93. }
    94. 

  94. 

  95. type connector struct {
    96. 

  96. 	newVaultClient func(c *vault.Config) (Client, error)
    97. 

  97. }
    98. 

  98. 

  99. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    100. 

  100. 	storeSpec := store.GetSpec()
    101. 

  101. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    102. 

  102. 		return nil, errors.New(errVaultStore)
    103. 

  103. 	}
    104. 

  104. 	vaultSpec := storeSpec.Provider.Vault
    105. 

  105. 

  106. 	vStore := &client{
    107. 

  107. 		kube:      kube,
    108. 

  108. 		store:     vaultSpec,
    109. 

  109. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    110. 

  110. 		namespace: namespace,
    111. 

  111. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    112. 

  112. 	}
    113. 

  113. 

  114. 	cfg, err := vStore.newConfig()
    115. 

  115. 	if err != nil {
    116. 

  116. 		return nil, err
    117. 

  117. 	}
    118. 

  118. 

  119. 	client, err := c.newVaultClient(cfg)
    120. 

  120. 	if err != nil {
    121. 

  121. 		return nil, fmt.Errorf(errVaultClient, err)
    122. 

  122. 	}
    123. 

  123. 

  124. 	if vaultSpec.Namespace != nil {
    125. 

  125. 		client.SetNamespace(*vaultSpec.Namespace)
    126. 

  126. 	}
    127. 

  127. 

  128. 	if err := vStore.setAuth(ctx, client); err != nil {
    129. 

  129. 		return nil, err
    130. 

  130. 	}
    131. 

  131. 

  132. 	vStore.client = client
    133. 

  133. 	return vStore, nil
    134. 

  134. }
    135. 

  135. 

  136. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    137. 

  137. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    138. 

  138. 	if err != nil {
    139. 

  139. 		return nil, err
    140. 

  140. 	}
    141. 

  141. 	value, exists := data[ref.Property]
    142. 

  142. 	if !exists {
    143. 

  143. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    144. 

  144. 	}
    145. 

  145. 	return value, nil
    146. 

  146. }
    147. 

  147. 

  148. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    149. 

  149. 	return v.readSecret(ctx, ref.Key, ref.Version)
    150. 

  150. }
    151. 

  151. 

  152. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    153. 

  153. 	kvPath := v.store.Path
    154. 

  154. 

  155. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    156. 

  156. 		if !strings.HasSuffix(kvPath, "/data") {
    157. 

  157. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    158. 

  158. 		}
    159. 

  159. 	}
    160. 

  160. 

  161. 	// path formated according to vault docs for v1 and v2 API
    162. 

  162. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    163. 

  163. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    164. 

  164. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    165. 

  165. 	if version != "" {
    166. 

  166. 		req.Params.Set("version", version)
    167. 

  167. 	}
    168. 

  168. 

  169. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    170. 

  170. 	if err != nil {
    171. 

  171. 		return nil, fmt.Errorf(errReadSecret, err)
    172. 

  172. 	}
    173. 

  173. 

  174. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    175. 

  175. 	if err != nil {
    176. 

  176. 		return nil, err
    177. 

  177. 	}
    178. 

  178. 

  179. 	secretData := vaultSecret.Data
    180. 

  180. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    181. 

  181. 		// Vault KV2 has data embedded within sub-field
    182. 

  182. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    183. 

  183. 		dataInt, ok := vaultSecret.Data["data"]
    184. 

  184. 		if !ok {
    185. 

  185. 			return nil, errors.New(errVaultData)
    186. 

  186. 		}
    187. 

  187. 		secretData, ok = dataInt.(map[string]interface{})
    188. 

  188. 		if !ok {
    189. 

  189. 			return nil, errors.New(errVaultData)
    190. 

  190. 		}
    191. 

  191. 	}
    192. 

  192. 

  193. 	byteMap := make(map[string][]byte, len(secretData))
    194. 

  194. 	for k, v := range secretData {
    195. 

  195. 		switch t := v.(type) {
    196. 

  196. 		case string:
    197. 

  197. 			byteMap[k] = []byte(t)
    198. 

  198. 		case []byte:
    199. 

  199. 			byteMap[k] = t
    200. 

  200. 		default:
    201. 

  201. 			return nil, errors.New(errVaultData)
    202. 

  202. 		}
    203. 

  203. 	}
    204. 

  204. 

  205. 	return byteMap, nil
    206. 

  206. }
    207. 

  207. 

  208. func (v *client) newConfig() (*vault.Config, error) {
    209. 

  209. 	cfg := vault.DefaultConfig()
    210. 

  210. 	cfg.Address = v.store.Server
    211. 

  211. 

  212. 	if len(v.store.CABundle) == 0 {
    213. 

  213. 		return cfg, nil
    214. 

  214. 	}
    215. 

  215. 

  216. 	caCertPool := x509.NewCertPool()
    217. 

  217. 	ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    218. 

  218. 	if !ok {
    219. 

  219. 		return nil, errors.New(errVaultCert)
    220. 

  220. 	}
    221. 

  221. 

  222. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    223. 

  223. 		transport.TLSClientConfig.RootCAs = caCertPool
    224. 

  224. 	}
    225. 

  225. 

  226. 	return cfg, nil
    227. 

  227. }
    228. 

  228. 

  229. func (v *client) setAuth(ctx context.Context, client Client) error {
    230. 

  230. 	tokenRef := v.store.Auth.TokenSecretRef
    231. 

  231. 	if tokenRef != nil {
    232. 

  232. 		token, err := v.secretKeyRef(ctx, tokenRef)
    233. 

  233. 		if err != nil {
    234. 

  234. 			return err
    235. 

  235. 		}
    236. 

  236. 		client.SetToken(token)
    237. 

  237. 		return nil
    238. 

  238. 	}
    239. 

  239. 

  240. 	appRole := v.store.Auth.AppRole
    241. 

  241. 	if appRole != nil {
    242. 

  242. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    243. 

  243. 		if err != nil {
    244. 

  244. 			return err
    245. 

  245. 		}
    246. 

  246. 		client.SetToken(token)
    247. 

  247. 		return nil
    248. 

  248. 	}
    249. 

  249. 

  250. 	kubernetesAuth := v.store.Auth.Kubernetes
    251. 

  251. 	if kubernetesAuth != nil {
    252. 

  252. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    253. 

  253. 		if err != nil {
    254. 

  254. 			return err
    255. 

  255. 		}
    256. 

  256. 		client.SetToken(token)
    257. 

  257. 		return nil
    258. 

  258. 	}
    259. 

  259. 

  260. 	ldapAuth := v.store.Auth.Ldap
    261. 

  261. 	if ldapAuth != nil {
    262. 

  262. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    263. 

  263. 		if err != nil {
    264. 

  264. 			return err
    265. 

  265. 		}
    266. 

  266. 		client.SetToken(token)
    267. 

  267. 		return nil
    268. 

  268. 	}
    269. 

  269. 

  270. 	jwtAuth := v.store.Auth.Jwt
    271. 

  271. 	if jwtAuth != nil {
    272. 

  272. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    273. 

  273. 		if err != nil {
    274. 

  274. 			return err
    275. 

  275. 		}
    276. 

  276. 		client.SetToken(token)
    277. 

  277. 		return nil
    278. 

  278. 	}
    279. 

  279. 

  280. 	return errors.New(errAuthFormat)
    281. 

  281. }
    282. 

  282. 

  283. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    284. 

  284. 	serviceAccount := &corev1.ServiceAccount{}
    285. 

  285. 	ref := types.NamespacedName{
    286. 

  286. 		Namespace: v.namespace,
    287. 

  287. 		Name:      serviceAccountRef.Name,
    288. 

  288. 	}
    289. 

  289. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    290. 

  290. 		(serviceAccountRef.Namespace != nil) {
    291. 

  291. 		ref.Namespace = *serviceAccountRef.Namespace
    292. 

  292. 	}
    293. 

  293. 	err := v.kube.Get(ctx, ref, serviceAccount)
    294. 

  294. 	if err != nil {
    295. 

  295. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    296. 

  296. 	}
    297. 

  297. 	if len(serviceAccount.Secrets) == 0 {
    298. 

  298. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    299. 

  299. 	}
    300. 

  300. 	tokenRef := serviceAccount.Secrets[0]
    301. 

  301. 

  302. 	return v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    303. 

  303. 		Name:      tokenRef.Name,
    304. 

  304. 		Namespace: &ref.Namespace,
    305. 

  305. 		Key:       "token",
    306. 

  306. 	})
    307. 

  307. }
    308. 

  308. 

  309. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    310. 

  310. 	secret := &corev1.Secret{}
    311. 

  311. 	ref := types.NamespacedName{
    312. 

  312. 		Namespace: v.namespace,
    313. 

  313. 		Name:      secretRef.Name,
    314. 

  314. 	}
    315. 

  315. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    316. 

  316. 		(secretRef.Namespace != nil) {
    317. 

  317. 		ref.Namespace = *secretRef.Namespace
    318. 

  318. 	}
    319. 

  319. 	err := v.kube.Get(ctx, ref, secret)
    320. 

  320. 	if err != nil {
    321. 

  321. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    322. 

  322. 	}
    323. 

  323. 

  324. 	keyBytes, ok := secret.Data[secretRef.Key]
    325. 

  325. 	if !ok {
    326. 

  326. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    327. 

  327. 	}
    328. 

  328. 

  329. 	value := string(keyBytes)
    330. 

  330. 	valueStr := strings.TrimSpace(value)
    331. 

  331. 	return valueStr, nil
    332. 

  332. }
    333. 

  333. 

  334. // appRoleParameters creates the required body for Vault AppRole Auth.
    335. 

  335. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    336. 

  336. func appRoleParameters(role, secret string) map[string]string {
    337. 

  337. 	return map[string]string{
    338. 

  338. 		"role_id":   role,
    339. 

  339. 		"secret_id": secret,
    340. 

  340. 	}
    341. 

  341. }
    342. 

  342. 

  343. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    344. 

  344. 	roleID := strings.TrimSpace(appRole.RoleID)
    345. 

  345. 

  346. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    347. 

  347. 	if err != nil {
    348. 

  348. 		return "", err
    349. 

  349. 	}
    350. 

  350. 

  351. 	parameters := appRoleParameters(roleID, secretID)
    352. 

  352. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    353. 

  353. 	request := client.NewRequest("POST", url)
    354. 

  354. 

  355. 	err = request.SetJSONBody(parameters)
    356. 

  356. 	if err != nil {
    357. 

  357. 		return "", fmt.Errorf(errVaultReqParams, err)
    358. 

  358. 	}
    359. 

  359. 

  360. 	resp, err := client.RawRequestWithContext(ctx, request)
    361. 

  361. 	if err != nil {
    362. 

  362. 		return "", fmt.Errorf(errVaultRequest, err)
    363. 

  363. 	}
    364. 

  364. 

  365. 	defer resp.Body.Close()
    366. 

  366. 

  367. 	vaultResult := vault.Secret{}
    368. 

  368. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    369. 

  369. 		return "", fmt.Errorf(errVaultResponse, err)
    370. 

  370. 	}
    371. 

  371. 

  372. 	token, err := vaultResult.TokenID()
    373. 

  373. 	if err != nil {
    374. 

  374. 		return "", fmt.Errorf(errVaultToken, err)
    375. 

  375. 	}
    376. 

  376. 

  377. 	return token, nil
    378. 

  378. }
    379. 

  379. 

  380. // kubeParameters creates the required body for Vault Kubernetes auth.
    381. 

  381. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    382. 

  382. func kubeParameters(role, jwt string) map[string]string {
    383. 

  383. 	return map[string]string{
    384. 

  384. 		"role": role,
    385. 

  385. 		"jwt":  jwt,
    386. 

  386. 	}
    387. 

  387. }
    388. 

  388. 

  389. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    390. 

  390. 	jwtString := ""
    391. 

  391. 	if kubernetesAuth.ServiceAccountRef != nil {
    392. 

  392. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    393. 

  393. 		if err != nil {
    394. 

  394. 			return "", err
    395. 

  395. 		}
    396. 

  396. 		jwtString = jwt
    397. 

  397. 	} else if kubernetesAuth.SecretRef != nil {
    398. 

  398. 		tokenRef := kubernetesAuth.SecretRef
    399. 

  399. 		if tokenRef.Key == "" {
    400. 

  400. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    401. 

  401. 			tokenRef.Key = "token"
    402. 

  402. 		}
    403. 

  403. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    404. 

  404. 		if err != nil {
    405. 

  405. 			return "", err
    406. 

  406. 		}
    407. 

  407. 		jwtString = jwt
    408. 

  408. 	} else {
    409. 

  409. 		// Kubernetes authentication is specified, but without a referenced
    410. 

  410. 		// Kubernetes secret. We check if the file path for in-cluster service account
    411. 

  411. 		// exists and attempt to use the token for Vault Kubernetes auth.
    412. 

  412. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    413. 

  413. 			return "", fmt.Errorf(errServiceAccount, err)
    414. 

  414. 		}
    415. 

  415. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    416. 

  416. 		if err != nil {
    417. 

  417. 			return "", fmt.Errorf(errServiceAccount, err)
    418. 

  418. 		}
    419. 

  419. 		jwtString = string(jwtByte)
    420. 

  420. 	}
    421. 

  421. 

  422. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    423. 

  423. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    424. 

  424. 	request := client.NewRequest("POST", url)
    425. 

  425. 

  426. 	err := request.SetJSONBody(parameters)
    427. 

  427. 	if err != nil {
    428. 

  428. 		return "", fmt.Errorf(errVaultReqParams, err)
    429. 

  429. 	}
    430. 

  430. 

  431. 	resp, err := client.RawRequestWithContext(ctx, request)
    432. 

  432. 	if err != nil {
    433. 

  433. 		return "", fmt.Errorf(errVaultRequest, err)
    434. 

  434. 	}
    435. 

  435. 

  436. 	defer resp.Body.Close()
    437. 

  437. 	vaultResult := vault.Secret{}
    438. 

  438. 	err = resp.DecodeJSON(&vaultResult)
    439. 

  439. 	if err != nil {
    440. 

  440. 		return "", fmt.Errorf(errVaultResponse, err)
    441. 

  441. 	}
    442. 

  442. 

  443. 	token, err := vaultResult.TokenID()
    444. 

  444. 	if err != nil {
    445. 

  445. 		return "", fmt.Errorf(errVaultToken, err)
    446. 

  446. 	}
    447. 

  447. 

  448. 	return token, nil
    449. 

  449. }
    450. 

  450. 

  451. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    452. 

  452. 	username := strings.TrimSpace(ldapAuth.Username)
    453. 

  453. 

  454. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    455. 

  455. 	if err != nil {
    456. 

  456. 		return "", err
    457. 

  457. 	}
    458. 

  458. 

  459. 	parameters := map[string]string{
    460. 

  460. 		"password": password,
    461. 

  461. 	}
    462. 

  462. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    463. 

  463. 	request := client.NewRequest("POST", url)
    464. 

  464. 

  465. 	err = request.SetJSONBody(parameters)
    466. 

  466. 	if err != nil {
    467. 

  467. 		return "", fmt.Errorf(errVaultReqParams, err)
    468. 

  468. 	}
    469. 

  469. 

  470. 	resp, err := client.RawRequestWithContext(ctx, request)
    471. 

  471. 	if err != nil {
    472. 

  472. 		return "", fmt.Errorf(errVaultRequest, err)
    473. 

  473. 	}
    474. 

  474. 

  475. 	defer resp.Body.Close()
    476. 

  476. 

  477. 	vaultResult := vault.Secret{}
    478. 

  478. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    479. 

  479. 		return "", fmt.Errorf(errVaultResponse, err)
    480. 

  480. 	}
    481. 

  481. 

  482. 	token, err := vaultResult.TokenID()
    483. 

  483. 	if err != nil {
    484. 

  484. 		return "", fmt.Errorf(errVaultToken, err)
    485. 

  485. 	}
    486. 

  486. 

  487. 	return token, nil
    488. 

  488. }
    489. 

  489. 

  490. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    491. 

  491. 	role := strings.TrimSpace(jwtAuth.Role)
    492. 

  492. 

  493. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    494. 

  494. 	if err != nil {
    495. 

  495. 		return "", err
    496. 

  496. 	}
    497. 

  497. 

  498. 	parameters := map[string]string{
    499. 

  499. 		"role": role,
    500. 

  500. 		"jwt":  jwt,
    501. 

  501. 	}
    502. 

  502. 	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
    503. 

  503. 	request := client.NewRequest("POST", url)
    504. 

  504. 

  505. 	err = request.SetJSONBody(parameters)
    506. 

  506. 	if err != nil {
    507. 

  507. 		return "", fmt.Errorf(errVaultReqParams, err)
    508. 

  508. 	}
    509. 

  509. 

  510. 	resp, err := client.RawRequestWithContext(ctx, request)
    511. 

  511. 	if err != nil {
    512. 

  512. 		return "", fmt.Errorf(errVaultRequest, err)
    513. 

  513. 	}
    514. 

  514. 

  515. 	defer resp.Body.Close()
    516. 

  516. 

  517. 	vaultResult := vault.Secret{}
    518. 

  518. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    519. 

  519. 		return "", fmt.Errorf(errVaultResponse, err)
    520. 

  520. 	}
    521. 

  521. 

  522. 	token, err := vaultResult.TokenID()
    523. 

  523. 	if err != nil {
    524. 

  524. 		return "", fmt.Errorf(errVaultToken, err)
    525. 

  525. 	}
    526. 

  526. 

  527. 	return token, nil
    528. 

  528. }
    529.