Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: d3d04080e4
Branches Tags
helm-externa...
/
pkg
/
provider
/
vault
/
vault.go

vault.go 16 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package vault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/tls"
    20. 

  20. 	"crypto/x509"
    21. 

  21. 	"errors"
    22. 

  22. 	"fmt"
    23. 

  23. 	"io/ioutil"
    24. 

  24. 	"net/http"
    25. 

  25. 	"os"
    26. 

  26. 	"strings"
    27. 

  27. 

  28. 	"github.com/go-logr/logr"
    29. 

  29. 	vault "github.com/hashicorp/vault/api"
    30. 

  30. 	corev1 "k8s.io/api/core/v1"
    31. 

  31. 	"k8s.io/apimachinery/pkg/types"
    32. 

  32. 	ctrl "sigs.k8s.io/controller-runtime"
    33. 

  33. 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	"github.com/external-secrets/external-secrets/pkg/provider"
    38. 

  38. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	_ provider.Provider      = &connector{}
    43. 

  43. 	_ provider.SecretsClient = &client{}
    44. 

  44. )
    45. 

  45. 

  46. const (
    47. 

  47. 	serviceAccTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    48. 

  48. 

  49. 	errVaultStore     = "received invalid Vault SecretStore resource: %w"
    50. 

  50. 	errVaultClient    = "cannot setup new vault client: %w"
    51. 

  51. 	errVaultCert      = "cannot set Vault CA certificate: %w"
    52. 

  52. 	errReadSecret     = "cannot read secret data from Vault: %w"
    53. 

  53. 	errAuthFormat     = "cannot initialize Vault client: no valid auth method specified: %w"
    54. 

  54. 	errDataField      = "failed to find data field"
    55. 

  55. 	errJSONUnmarshall = "failed to unmarshall JSON"
    56. 

  56. 	errSecretFormat   = "secret data not in expected format"
    57. 

  57. 	errVaultToken     = "cannot parse Vault authentication token: %w"
    58. 

  58. 	errVaultReqParams = "cannot set Vault request parameters: %w"
    59. 

  59. 	errVaultRequest   = "error from Vault request: %w"
    60. 

  60. 	errVaultResponse  = "cannot parse Vault response: %w"
    61. 

  61. 	errServiceAccount = "cannot read Kubernetes service account token from file system: %w"
    62. 

  62. 

  63. 	errGetKubeSA        = "cannot get Kubernetes service account %q: %w"
    64. 

  64. 	errGetKubeSASecrets = "cannot find secrets bound to service account: %q"
    65. 

  65. 	errGetKubeSANoToken = "cannot find token in secrets bound to service account: %q"
    66. 

  66. 

  67. 	errGetKubeSecret = "cannot get Kubernetes secret %q: %w"
    68. 

  68. 	errSecretKeyFmt  = "cannot find secret data for key: %q"
    69. 

  69. 

  70. 	errClientTLSAuth = "error from Client TLS Auth: %q"
    71. 

  71. )
    72. 

  72. 

  73. type Client interface {
    74. 

  74. 	NewRequest(method, requestPath string) *vault.Request
    75. 

  75. 	RawRequestWithContext(ctx context.Context, r *vault.Request) (*vault.Response, error)
    76. 

  76. 	SetToken(v string)
    77. 

  77. 	SetNamespace(namespace string)
    78. 

  78. }
    79. 

  79. 

  80. type client struct {
    81. 

  81. 	kube      kclient.Client
    82. 

  82. 	store     *esv1alpha1.VaultProvider
    83. 

  83. 	log       logr.Logger
    84. 

  84. 	client    Client
    85. 

  85. 	namespace string
    86. 

  86. 	storeKind string
    87. 

  87. }
    88. 

  88. 

  89. func init() {
    90. 

  90. 	schema.Register(&connector{
    91. 

  91. 		newVaultClient: newVaultClient,
    92. 

  92. 	}, &esv1alpha1.SecretStoreProvider{
    93. 

  93. 		Vault: &esv1alpha1.VaultProvider{},
    94. 

  94. 	})
    95. 

  95. }
    96. 

  96. 

  97. func newVaultClient(c *vault.Config) (Client, error) {
    98. 

  98. 	return vault.NewClient(c)
    99. 

  99. }
    100. 

  100. 

  101. type connector struct {
    102. 

  102. 	newVaultClient func(c *vault.Config) (Client, error)
    103. 

  103. }
    104. 

  104. 

  105. func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
    106. 

  106. 	storeSpec := store.GetSpec()
    107. 

  107. 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
    108. 

  108. 		return nil, errors.New(errVaultStore)
    109. 

  109. 	}
    110. 

  110. 	vaultSpec := storeSpec.Provider.Vault
    111. 

  111. 

  112. 	vStore := &client{
    113. 

  113. 		kube:      kube,
    114. 

  114. 		store:     vaultSpec,
    115. 

  115. 		log:       ctrl.Log.WithName("provider").WithName("vault"),
    116. 

  116. 		namespace: namespace,
    117. 

  117. 		storeKind: store.GetObjectKind().GroupVersionKind().Kind,
    118. 

  118. 	}
    119. 

  119. 

  120. 	cfg, err := vStore.newConfig()
    121. 

  121. 	if err != nil {
    122. 

  122. 		return nil, err
    123. 

  123. 	}
    124. 

  124. 

  125. 	client, err := c.newVaultClient(cfg)
    126. 

  126. 	if err != nil {
    127. 

  127. 		return nil, fmt.Errorf(errVaultClient, err)
    128. 

  128. 	}
    129. 

  129. 

  130. 	if vaultSpec.Namespace != nil {
    131. 

  131. 		client.SetNamespace(*vaultSpec.Namespace)
    132. 

  132. 	}
    133. 

  133. 

  134. 	if err := vStore.setAuth(ctx, client, cfg); err != nil {
    135. 

  135. 		return nil, err
    136. 

  136. 	}
    137. 

  137. 

  138. 	vStore.client = client
    139. 

  139. 	return vStore, nil
    140. 

  140. }
    141. 

  141. 

  142. func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
    143. 

  143. 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
    144. 

  144. 	if err != nil {
    145. 

  145. 		return nil, err
    146. 

  146. 	}
    147. 

  147. 	value, exists := data[ref.Property]
    148. 

  148. 	if !exists {
    149. 

  149. 		return nil, fmt.Errorf(errSecretKeyFmt, ref.Property)
    150. 

  150. 	}
    151. 

  151. 	return value, nil
    152. 

  152. }
    153. 

  153. 

  154. func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
    155. 

  155. 	return v.readSecret(ctx, ref.Key, ref.Version)
    156. 

  156. }
    157. 

  157. 

  158. func (v *client) Close() error {
    159. 

  159. 	return nil
    160. 

  160. }
    161. 

  161. 

  162. func (v *client) readSecret(ctx context.Context, path, version string) (map[string][]byte, error) {
    163. 

  163. 	kvPath := v.store.Path
    164. 

  164. 

  165. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    166. 

  166. 		if !strings.HasSuffix(kvPath, "/data") {
    167. 

  167. 			kvPath = fmt.Sprintf("%s/data", kvPath)
    168. 

  168. 		}
    169. 

  169. 	}
    170. 

  170. 

  171. 	// path formated according to vault docs for v1 and v2 API
    172. 

  172. 	// v1: https://www.vaultproject.io/api-docs/secret/kv/kv-v1#read-secret
    173. 

  173. 	// v2: https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    174. 

  174. 	req := v.client.NewRequest(http.MethodGet, fmt.Sprintf("/v1/%s/%s", kvPath, path))
    175. 

  175. 	if version != "" {
    176. 

  176. 		req.Params.Set("version", version)
    177. 

  177. 	}
    178. 

  178. 

  179. 	resp, err := v.client.RawRequestWithContext(ctx, req)
    180. 

  180. 	if err != nil {
    181. 

  181. 		return nil, fmt.Errorf(errReadSecret, err)
    182. 

  182. 	}
    183. 

  183. 

  184. 	vaultSecret, err := vault.ParseSecret(resp.Body)
    185. 

  185. 	if err != nil {
    186. 

  186. 		return nil, err
    187. 

  187. 	}
    188. 

  188. 

  189. 	secretData := vaultSecret.Data
    190. 

  190. 	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
    191. 

  191. 		// Vault KV2 has data embedded within sub-field
    192. 

  192. 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
    193. 

  193. 		dataInt, ok := vaultSecret.Data["data"]
    194. 

  194. 

  195. 		if !ok {
    196. 

  196. 			return nil, errors.New(errDataField)
    197. 

  197. 		}
    198. 

  198. 		secretData, ok = dataInt.(map[string]interface{})
    199. 

  199. 		if !ok {
    200. 

  200. 			return nil, errors.New(errJSONUnmarshall)
    201. 

  201. 		}
    202. 

  202. 	}
    203. 

  203. 

  204. 	byteMap := make(map[string][]byte, len(secretData))
    205. 

  205. 	for k, v := range secretData {
    206. 

  206. 		switch t := v.(type) {
    207. 

  207. 		case string:
    208. 

  208. 			byteMap[k] = []byte(t)
    209. 

  209. 		case []byte:
    210. 

  210. 			byteMap[k] = t
    211. 

  211. 		default:
    212. 

  212. 			return nil, errors.New(errSecretFormat)
    213. 

  213. 		}
    214. 

  214. 	}
    215. 

  215. 

  216. 	return byteMap, nil
    217. 

  217. }
    218. 

  218. 

  219. func (v *client) newConfig() (*vault.Config, error) {
    220. 

  220. 	cfg := vault.DefaultConfig()
    221. 

  221. 	cfg.Address = v.store.Server
    222. 

  222. 

  223. 	if len(v.store.CABundle) == 0 {
    224. 

  224. 		return cfg, nil
    225. 

  225. 	}
    226. 

  226. 

  227. 	caCertPool := x509.NewCertPool()
    228. 

  228. 	ok := caCertPool.AppendCertsFromPEM(v.store.CABundle)
    229. 

  229. 	if !ok {
    230. 

  230. 		return nil, errors.New(errVaultCert)
    231. 

  231. 	}
    232. 

  232. 

  233. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    234. 

  234. 		transport.TLSClientConfig.RootCAs = caCertPool
    235. 

  235. 	}
    236. 

  236. 

  237. 	return cfg, nil
    238. 

  238. }
    239. 

  239. 

  240. func (v *client) setAuth(ctx context.Context, client Client, cfg *vault.Config) error {
    241. 

  241. 	tokenRef := v.store.Auth.TokenSecretRef
    242. 

  242. 	if tokenRef != nil {
    243. 

  243. 		token, err := v.secretKeyRef(ctx, tokenRef)
    244. 

  244. 		if err != nil {
    245. 

  245. 			return err
    246. 

  246. 		}
    247. 

  247. 		client.SetToken(token)
    248. 

  248. 		return nil
    249. 

  249. 	}
    250. 

  250. 

  251. 	appRole := v.store.Auth.AppRole
    252. 

  252. 	if appRole != nil {
    253. 

  253. 		token, err := v.requestTokenWithAppRoleRef(ctx, client, appRole)
    254. 

  254. 		if err != nil {
    255. 

  255. 			return err
    256. 

  256. 		}
    257. 

  257. 		client.SetToken(token)
    258. 

  258. 		return nil
    259. 

  259. 	}
    260. 

  260. 

  261. 	kubernetesAuth := v.store.Auth.Kubernetes
    262. 

  262. 	if kubernetesAuth != nil {
    263. 

  263. 		token, err := v.requestTokenWithKubernetesAuth(ctx, client, kubernetesAuth)
    264. 

  264. 		if err != nil {
    265. 

  265. 			return err
    266. 

  266. 		}
    267. 

  267. 		client.SetToken(token)
    268. 

  268. 		return nil
    269. 

  269. 	}
    270. 

  270. 

  271. 	ldapAuth := v.store.Auth.Ldap
    272. 

  272. 	if ldapAuth != nil {
    273. 

  273. 		token, err := v.requestTokenWithLdapAuth(ctx, client, ldapAuth)
    274. 

  274. 		if err != nil {
    275. 

  275. 			return err
    276. 

  276. 		}
    277. 

  277. 		client.SetToken(token)
    278. 

  278. 		return nil
    279. 

  279. 	}
    280. 

  280. 

  281. 	jwtAuth := v.store.Auth.Jwt
    282. 

  282. 	if jwtAuth != nil {
    283. 

  283. 		token, err := v.requestTokenWithJwtAuth(ctx, client, jwtAuth)
    284. 

  284. 		if err != nil {
    285. 

  285. 			return err
    286. 

  286. 		}
    287. 

  287. 		client.SetToken(token)
    288. 

  288. 		return nil
    289. 

  289. 	}
    290. 

  290. 

  291. 	certAuth := v.store.Auth.Cert
    292. 

  292. 	if certAuth != nil {
    293. 

  293. 		token, err := v.requestTokenWithCertAuth(ctx, client, certAuth, cfg)
    294. 

  294. 		if err != nil {
    295. 

  295. 			return err
    296. 

  296. 		}
    297. 

  297. 		client.SetToken(token)
    298. 

  298. 		return nil
    299. 

  299. 	}
    300. 

  300. 

  301. 	return errors.New(errAuthFormat)
    302. 

  302. }
    303. 

  303. 

  304. func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
    305. 

  305. 	serviceAccount := &corev1.ServiceAccount{}
    306. 

  306. 	ref := types.NamespacedName{
    307. 

  307. 		Namespace: v.namespace,
    308. 

  308. 		Name:      serviceAccountRef.Name,
    309. 

  309. 	}
    310. 

  310. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    311. 

  311. 		(serviceAccountRef.Namespace != nil) {
    312. 

  312. 		ref.Namespace = *serviceAccountRef.Namespace
    313. 

  313. 	}
    314. 

  314. 	err := v.kube.Get(ctx, ref, serviceAccount)
    315. 

  315. 	if err != nil {
    316. 

  316. 		return "", fmt.Errorf(errGetKubeSA, ref.Name, err)
    317. 

  317. 	}
    318. 

  318. 	if len(serviceAccount.Secrets) == 0 {
    319. 

  319. 		return "", fmt.Errorf(errGetKubeSASecrets, ref.Name)
    320. 

  320. 	}
    321. 

  321. 	for _, tokenRef := range serviceAccount.Secrets {
    322. 

  322. 		retval, err := v.secretKeyRef(ctx, &esmeta.SecretKeySelector{
    323. 

  323. 			Name:      tokenRef.Name,
    324. 

  324. 			Namespace: &ref.Namespace,
    325. 

  325. 			Key:       "token",
    326. 

  326. 		})
    327. 

  327. 

  328. 		if err != nil {
    329. 

  329. 			continue
    330. 

  330. 		}
    331. 

  331. 

  332. 		return retval, nil
    333. 

  333. 	}
    334. 

  334. 	return "", fmt.Errorf(errGetKubeSANoToken, ref.Name)
    335. 

  335. }
    336. 

  336. 

  337. func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySelector) (string, error) {
    338. 

  338. 	secret := &corev1.Secret{}
    339. 

  339. 	ref := types.NamespacedName{
    340. 

  340. 		Namespace: v.namespace,
    341. 

  341. 		Name:      secretRef.Name,
    342. 

  342. 	}
    343. 

  343. 	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
    344. 

  344. 		(secretRef.Namespace != nil) {
    345. 

  345. 		ref.Namespace = *secretRef.Namespace
    346. 

  346. 	}
    347. 

  347. 	err := v.kube.Get(ctx, ref, secret)
    348. 

  348. 	if err != nil {
    349. 

  349. 		return "", fmt.Errorf(errGetKubeSecret, ref.Name, err)
    350. 

  350. 	}
    351. 

  351. 

  352. 	keyBytes, ok := secret.Data[secretRef.Key]
    353. 

  353. 	if !ok {
    354. 

  354. 		return "", fmt.Errorf(errSecretKeyFmt, secretRef.Key)
    355. 

  355. 	}
    356. 

  356. 

  357. 	value := string(keyBytes)
    358. 

  358. 	valueStr := strings.TrimSpace(value)
    359. 

  359. 	return valueStr, nil
    360. 

  360. }
    361. 

  361. 

  362. // appRoleParameters creates the required body for Vault AppRole Auth.
    363. 

  363. // Reference - https://www.vaultproject.io/api-docs/auth/approle#login-with-approle
    364. 

  364. func appRoleParameters(role, secret string) map[string]string {
    365. 

  365. 	return map[string]string{
    366. 

  366. 		"role_id":   role,
    367. 

  367. 		"secret_id": secret,
    368. 

  368. 	}
    369. 

  369. }
    370. 

  370. 

  371. func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
    372. 

  372. 	roleID := strings.TrimSpace(appRole.RoleID)
    373. 

  373. 

  374. 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
    375. 

  375. 	if err != nil {
    376. 

  376. 		return "", err
    377. 

  377. 	}
    378. 

  378. 

  379. 	parameters := appRoleParameters(roleID, secretID)
    380. 

  380. 	url := strings.Join([]string{"/v1", "auth", appRole.Path, "login"}, "/")
    381. 

  381. 	request := client.NewRequest("POST", url)
    382. 

  382. 

  383. 	err = request.SetJSONBody(parameters)
    384. 

  384. 	if err != nil {
    385. 

  385. 		return "", fmt.Errorf(errVaultReqParams, err)
    386. 

  386. 	}
    387. 

  387. 

  388. 	resp, err := client.RawRequestWithContext(ctx, request)
    389. 

  389. 	if err != nil {
    390. 

  390. 		return "", fmt.Errorf(errVaultRequest, err)
    391. 

  391. 	}
    392. 

  392. 

  393. 	defer resp.Body.Close()
    394. 

  394. 

  395. 	vaultResult := vault.Secret{}
    396. 

  396. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    397. 

  397. 		return "", fmt.Errorf(errVaultResponse, err)
    398. 

  398. 	}
    399. 

  399. 

  400. 	token, err := vaultResult.TokenID()
    401. 

  401. 	if err != nil {
    402. 

  402. 		return "", fmt.Errorf(errVaultToken, err)
    403. 

  403. 	}
    404. 

  404. 

  405. 	return token, nil
    406. 

  406. }
    407. 

  407. 

  408. // kubeParameters creates the required body for Vault Kubernetes auth.
    409. 

  409. // Reference - https://www.vaultproject.io/api/auth/kubernetes#login
    410. 

  410. func kubeParameters(role, jwt string) map[string]string {
    411. 

  411. 	return map[string]string{
    412. 

  412. 		"role": role,
    413. 

  413. 		"jwt":  jwt,
    414. 

  414. 	}
    415. 

  415. }
    416. 

  416. 

  417. func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
    418. 

  418. 	jwtString := ""
    419. 

  419. 	if kubernetesAuth.ServiceAccountRef != nil {
    420. 

  420. 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
    421. 

  421. 		if err != nil {
    422. 

  422. 			return "", err
    423. 

  423. 		}
    424. 

  424. 		jwtString = jwt
    425. 

  425. 	} else if kubernetesAuth.SecretRef != nil {
    426. 

  426. 		tokenRef := kubernetesAuth.SecretRef
    427. 

  427. 		if tokenRef.Key == "" {
    428. 

  428. 			tokenRef = kubernetesAuth.SecretRef.DeepCopy()
    429. 

  429. 			tokenRef.Key = "token"
    430. 

  430. 		}
    431. 

  431. 		jwt, err := v.secretKeyRef(ctx, tokenRef)
    432. 

  432. 		if err != nil {
    433. 

  433. 			return "", err
    434. 

  434. 		}
    435. 

  435. 		jwtString = jwt
    436. 

  436. 	} else {
    437. 

  437. 		// Kubernetes authentication is specified, but without a referenced
    438. 

  438. 		// Kubernetes secret. We check if the file path for in-cluster service account
    439. 

  439. 		// exists and attempt to use the token for Vault Kubernetes auth.
    440. 

  440. 		if _, err := os.Stat(serviceAccTokenPath); err != nil {
    441. 

  441. 			return "", fmt.Errorf(errServiceAccount, err)
    442. 

  442. 		}
    443. 

  443. 		jwtByte, err := ioutil.ReadFile(serviceAccTokenPath)
    444. 

  444. 		if err != nil {
    445. 

  445. 			return "", fmt.Errorf(errServiceAccount, err)
    446. 

  446. 		}
    447. 

  447. 		jwtString = string(jwtByte)
    448. 

  448. 	}
    449. 

  449. 

  450. 	parameters := kubeParameters(kubernetesAuth.Role, jwtString)
    451. 

  451. 	url := strings.Join([]string{"/v1", "auth", kubernetesAuth.Path, "login"}, "/")
    452. 

  452. 	request := client.NewRequest("POST", url)
    453. 

  453. 

  454. 	err := request.SetJSONBody(parameters)
    455. 

  455. 	if err != nil {
    456. 

  456. 		return "", fmt.Errorf(errVaultReqParams, err)
    457. 

  457. 	}
    458. 

  458. 

  459. 	resp, err := client.RawRequestWithContext(ctx, request)
    460. 

  460. 	if err != nil {
    461. 

  461. 		return "", fmt.Errorf(errVaultRequest, err)
    462. 

  462. 	}
    463. 

  463. 

  464. 	defer resp.Body.Close()
    465. 

  465. 	vaultResult := vault.Secret{}
    466. 

  466. 	err = resp.DecodeJSON(&vaultResult)
    467. 

  467. 	if err != nil {
    468. 

  468. 		return "", fmt.Errorf(errVaultResponse, err)
    469. 

  469. 	}
    470. 

  470. 

  471. 	token, err := vaultResult.TokenID()
    472. 

  472. 	if err != nil {
    473. 

  473. 		return "", fmt.Errorf(errVaultToken, err)
    474. 

  474. 	}
    475. 

  475. 

  476. 	return token, nil
    477. 

  477. }
    478. 

  478. 

  479. func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
    480. 

  480. 	username := strings.TrimSpace(ldapAuth.Username)
    481. 

  481. 

  482. 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
    483. 

  483. 	if err != nil {
    484. 

  484. 		return "", err
    485. 

  485. 	}
    486. 

  486. 

  487. 	parameters := map[string]string{
    488. 

  488. 		"password": password,
    489. 

  489. 	}
    490. 

  490. 	url := strings.Join([]string{"/v1", "auth", "ldap", "login", username}, "/")
    491. 

  491. 	request := client.NewRequest("POST", url)
    492. 

  492. 

  493. 	err = request.SetJSONBody(parameters)
    494. 

  494. 	if err != nil {
    495. 

  495. 		return "", fmt.Errorf(errVaultReqParams, err)
    496. 

  496. 	}
    497. 

  497. 

  498. 	resp, err := client.RawRequestWithContext(ctx, request)
    499. 

  499. 	if err != nil {
    500. 

  500. 		return "", fmt.Errorf(errVaultRequest, err)
    501. 

  501. 	}
    502. 

  502. 

  503. 	defer resp.Body.Close()
    504. 

  504. 

  505. 	vaultResult := vault.Secret{}
    506. 

  506. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    507. 

  507. 		return "", fmt.Errorf(errVaultResponse, err)
    508. 

  508. 	}
    509. 

  509. 

  510. 	token, err := vaultResult.TokenID()
    511. 

  511. 	if err != nil {
    512. 

  512. 		return "", fmt.Errorf(errVaultToken, err)
    513. 

  513. 	}
    514. 

  514. 

  515. 	return token, nil
    516. 

  516. }
    517. 

  517. 

  518. func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
    519. 

  519. 	role := strings.TrimSpace(jwtAuth.Role)
    520. 

  520. 

  521. 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
    522. 

  522. 	if err != nil {
    523. 

  523. 		return "", err
    524. 

  524. 	}
    525. 

  525. 

  526. 	parameters := map[string]string{
    527. 

  527. 		"role": role,
    528. 

  528. 		"jwt":  jwt,
    529. 

  529. 	}
    530. 

  530. 	url := strings.Join([]string{"/v1", "auth", "jwt", "login"}, "/")
    531. 

  531. 	request := client.NewRequest("POST", url)
    532. 

  532. 

  533. 	err = request.SetJSONBody(parameters)
    534. 

  534. 	if err != nil {
    535. 

  535. 		return "", fmt.Errorf(errVaultReqParams, err)
    536. 

  536. 	}
    537. 

  537. 

  538. 	resp, err := client.RawRequestWithContext(ctx, request)
    539. 

  539. 	if err != nil {
    540. 

  540. 		return "", fmt.Errorf(errVaultRequest, err)
    541. 

  541. 	}
    542. 

  542. 

  543. 	defer resp.Body.Close()
    544. 

  544. 

  545. 	vaultResult := vault.Secret{}
    546. 

  546. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    547. 

  547. 		return "", fmt.Errorf(errVaultResponse, err)
    548. 

  548. 	}
    549. 

  549. 

  550. 	token, err := vaultResult.TokenID()
    551. 

  551. 	if err != nil {
    552. 

  552. 		return "", fmt.Errorf(errVaultToken, err)
    553. 

  553. 	}
    554. 

  554. 

  555. 	return token, nil
    556. 

  556. }
    557. 

  557. 

  558. func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
    559. 

  559. 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
    560. 

  560. 	if err != nil {
    561. 

  561. 		return "", err
    562. 

  562. 	}
    563. 

  563. 

  564. 	clientCert, err := v.secretKeyRef(ctx, &certAuth.ClientCert)
    565. 

  565. 	if err != nil {
    566. 

  566. 		return "", err
    567. 

  567. 	}
    568. 

  568. 

  569. 	cert, err := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
    570. 

  570. 	if err != nil {
    571. 

  571. 		return "", fmt.Errorf(errClientTLSAuth, err)
    572. 

  572. 	}
    573. 

  573. 

  574. 	if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
    575. 

  575. 		transport.TLSClientConfig.Certificates = []tls.Certificate{cert}
    576. 

  576. 	}
    577. 

  577. 

  578. 	url := strings.Join([]string{"/v1", "auth", "cert", "login"}, "/")
    579. 

  579. 	request := client.NewRequest("POST", url)
    580. 

  580. 

  581. 	resp, err := client.RawRequestWithContext(ctx, request)
    582. 

  582. 	if err != nil {
    583. 

  583. 		return "", fmt.Errorf(errVaultRequest, err)
    584. 

  584. 	}
    585. 

  585. 

  586. 	defer resp.Body.Close()
    587. 

  587. 

  588. 	vaultResult := vault.Secret{}
    589. 

  589. 	if err = resp.DecodeJSON(&vaultResult); err != nil {
    590. 

  590. 		return "", fmt.Errorf(errVaultResponse, err)
    591. 

  591. 	}
    592. 

  592. 

  593. 	token, err := vaultResult.TokenID()
    594. 

  594. 	if err != nil {
    595. 

  595. 		return "", fmt.Errorf(errVaultToken, err)
    596. 

  596. 	}
    597. 

  597. 

  598. 	return token, nil
    599. 

  599. }
    600.