Update to vault-plugin-auth-kubernetes@master (#10004)

go.mod

@@ -80,7 +80,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe
 	github.com/hashicorp/vault-plugin-auth-jwt v0.7.1
 	github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
-	github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0
+	github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb
 	github.com/hashicorp/vault-plugin-auth-oci v0.5.5
 	github.com/hashicorp/vault-plugin-database-couchbase v0.1.0
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4

go.sum

@@ -529,8 +529,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.7.1 h1:6nuMtCs/c/rphMv05Z7Y4Nrt6Ae
 github.com/hashicorp/vault-plugin-auth-jwt v0.7.1/go.mod h1:pyR4z5f2Vuz9TXucuN0rivUJTtSdlOtDdZ16IqBjZVo=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6 h1:l5wu8J7aiQBLsTtkKhf1QQjGoeVjcfcput+uJ/pu2MM=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6/go.mod h1:IM/n7LY1rIM4MVzOfSH6cRmY/C2rGkrjGrEr0B/yO9c=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0 h1:tt/kHMFB1qjp2b2ZRSI1KbH2CRV91VHghgr+5x9grgM=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb h1:cLnxjA5VwdkSdPkqI8qsZn3A1HojSUzFQz3JIVNlhZ4=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5 h1:nIP8g+VZd2V+LY/D5omWhLSnhHuogIJx7Bz6JyLt628=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5/go.mod h1:Cn5cjR279Y+snw8LTaiLTko3KGrbigRbsQPOd2D5xDw=
 github.com/hashicorp/vault-plugin-database-couchbase v0.1.0 h1:P/ji+KVmIXDyF3dM2PVb5wUpNMeEieFqJpj9derJlPg=

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go

@@ -14,6 +14,11 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
+var (
+	localCACertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+	localJWTPath    = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
 // pathConfig returns the path configuration for CRUD operations on the backend
 // configuration.
 func pathConfig(b *kubeAuthBackend) *framework.Path {
@@ -66,6 +71,14 @@ extracted. Not every installation of Kuberentes exposes these keys.`,
 					Name: "Disable JWT Issuer Validation",
 				},
 			},
+			"disable_local_ca_jwt": {
+				Type:        framework.TypeBool,
+				Description: "Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod",
+				Default:     false,
+				DisplayAttrs: &framework.DisplayAttributes{
+					Name: "Disable use of local CA and service account JWT",
+				},
+			},
 		},
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.UpdateOperation: b.pathConfigWrite,
@@ -93,6 +106,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 				"pem_keys":               config.PEMKeys,
 				"issuer":                 config.Issuer,
 				"disable_iss_validation": config.DisableISSValidation,
+				"disable_local_ca_jwt":   config.DisableLocalCAJwt,
 			},
 		}
 
@@ -107,10 +121,13 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 		return logical.ErrorResponse("no host provided"), nil
 	}
 
-	localCACert, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
-
-	localTokenReviewer, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
-
+	disableLocalJWT := data.Get("disable_local_ca_jwt").(bool)
+	localCACert := []byte{}
+	localTokenReviewer := []byte{}
+	if !disableLocalJWT {
+		localCACert, _ = ioutil.ReadFile(localCACertPath)
+		localTokenReviewer, _ = ioutil.ReadFile(localJWTPath)
+	}
 	pemList := data.Get("pem_keys").([]string)
 	caCert := data.Get("kubernetes_ca_cert").(string)
 	issuer := data.Get("issuer").(string)
@@ -124,7 +141,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 	}
 
 	tokenReviewer := data.Get("token_reviewer_jwt").(string)
-	if len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
+	if !disableLocalJWT && len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
 		tokenReviewer = string(localTokenReviewer)
 	}
 
@@ -144,6 +161,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 		TokenReviewerJWT:     tokenReviewer,
 		Issuer:               issuer,
 		DisableISSValidation: disableIssValidation,
+		DisableLocalCAJwt:    disableLocalJWT,
 	}
 
 	var err error
@@ -183,6 +201,10 @@ type kubeConfig struct {
 	Issuer string `json:"issuer"`
 	// DisableISSValidation is optional parameter to allow to skip ISS validation
 	DisableISSValidation bool `json:"disable_iss_validation"`
+	// DisableLocalJWT is an optional parameter to disable defaulting to using
+	// the local CA cert and service account jwt when running in a Kubernetes
+	// pod
+	DisableLocalCAJwt bool `json:"disable_local_ca_jwt"`
 }
 
 // PasrsePublicKeyPEM is used to parse RSA and ECDSA public keys from PEMs

vendor/modules.txt

@@ -474,7 +474,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 github.com/hashicorp/vault-plugin-auth-kerberos
-# github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0
+# github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb
 github.com/hashicorp/vault-plugin-auth-kubernetes
 # github.com/hashicorp/vault-plugin-auth-oci v0.5.5
 github.com/hashicorp/vault-plugin-auth-oci