From caa123a9d0db34e263e98e2f6dfe4f37b6a2c2ec Mon Sep 17 00:00:00 2001
From: Theron Voran
Date: Thu, 24 Sep 2020 15:44:06 -0700
Subject: [PATCH] Update to vault-plugin-auth-kubernetes@master (#10004)

---
 go.mod | 2 +-
 go.sum | 4 +--
 .../path_config.go | 32 ++++++++++++++++---
 vendor/modules.txt | 2 +-
 4 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index 899a0a6c3b..55d701944a 100644
--- a/go.mod
+++ b/go.mod
@@ -80,7 +80,7 @@ require (
 github.com/hashicorp/vault-plugin-auth-gcp v0.7.1-0.20200721115240-07ff53341dfe
 github.com/hashicorp/vault-plugin-auth-jwt v0.7.1
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
- github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0
+ github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5
 github.com/hashicorp/vault-plugin-database-couchbase v0.1.0
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4
diff --git a/go.sum b/go.sum
index 275a3a4a1d..dcbb0fda2e 100644
--- a/go.sum
+++ b/go.sum
@@ -529,8 +529,8 @@ github.com/hashicorp/vault-plugin-auth-jwt v0.7.1 h1:6nuMtCs/c/rphMv05Z7Y4Nrt6Ae
 github.com/hashicorp/vault-plugin-auth-jwt v0.7.1/go.mod h1:pyR4z5f2Vuz9TXucuN0rivUJTtSdlOtDdZ16IqBjZVo=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6 h1:l5wu8J7aiQBLsTtkKhf1QQjGoeVjcfcput+uJ/pu2MM=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6/go.mod h1:IM/n7LY1rIM4MVzOfSH6cRmY/C2rGkrjGrEr0B/yO9c=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0 h1:tt/kHMFB1qjp2b2ZRSI1KbH2CRV91VHghgr+5x9grgM=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb h1:cLnxjA5VwdkSdPkqI8qsZn3A1HojSUzFQz3JIVNlhZ4=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5 h1:nIP8g+VZd2V+LY/D5omWhLSnhHuogIJx7Bz6JyLt628=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5/go.mod h1:Cn5cjR279Y+snw8LTaiLTko3KGrbigRbsQPOd2D5xDw=
 github.com/hashicorp/vault-plugin-database-couchbase v0.1.0 h1:P/ji+KVmIXDyF3dM2PVb5wUpNMeEieFqJpj9derJlPg=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go
index 786584b505..dd41444786 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go
@@ -14,6 +14,11 @@ import (
 "github.com/hashicorp/vault/sdk/logical"
 )
 
+var (
+ localCACertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+ localJWTPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
 // pathConfig returns the path configuration for CRUD operations on the backend
 // configuration.
 func pathConfig(b *kubeAuthBackend) *framework.Path {
@@ -66,6 +71,14 @@ extracted. Not every installation of Kuberentes exposes these keys.`,
 Name: "Disable JWT Issuer Validation",
 },
 },
+ "disable_local_ca_jwt": {
+ Type: framework.TypeBool,
+ Description: "Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod",
+ Default: false,
+ DisplayAttrs: &framework.DisplayAttributes{
+ Name: "Disable use of local CA and service account JWT",
+ },
+ },
 },
 Callbacks: map[logical.Operation]framework.OperationFunc{
 logical.UpdateOperation: b.pathConfigWrite,
@@ -93,6 +106,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 "pem_keys": config.PEMKeys,
 "issuer": config.Issuer,
 "disable_iss_validation": config.DisableISSValidation,
+ "disable_local_ca_jwt": config.DisableLocalCAJwt,
 },
 }
 
@@ -107,10 +121,13 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 return logical.ErrorResponse("no host provided"), nil
 }
 
- localCACert, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
-
- localTokenReviewer, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
-
+ disableLocalJWT := data.Get("disable_local_ca_jwt").(bool)
+ localCACert := []byte{}
+ localTokenReviewer := []byte{}
+ if !disableLocalJWT {
+ localCACert, _ = ioutil.ReadFile(localCACertPath)
+ localTokenReviewer, _ = ioutil.ReadFile(localJWTPath)
+ }
 pemList := data.Get("pem_keys").([]string)
 caCert := data.Get("kubernetes_ca_cert").(string)
 issuer := data.Get("issuer").(string)
@@ -124,7 +141,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 }
 
 tokenReviewer := data.Get("token_reviewer_jwt").(string)
- if len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
+ if !disableLocalJWT && len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
 tokenReviewer = string(localTokenReviewer)
 }
 
@@ -144,6 +161,7 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 TokenReviewerJWT: tokenReviewer,
 Issuer: issuer,
 DisableISSValidation: disableIssValidation,
+ DisableLocalCAJwt: disableLocalJWT,
 }
 
 var err error
@@ -183,6 +201,10 @@ type kubeConfig struct {
 Issuer string `json:"issuer"`
 // DisableISSValidation is optional parameter to allow to skip ISS validation
 DisableISSValidation bool `json:"disable_iss_validation"`
+ // DisableLocalJWT is an optional parameter to disable defaulting to using
+ // the local CA cert and service account jwt when running in a Kubernetes
+ // pod
+ DisableLocalCAJwt bool `json:"disable_local_ca_jwt"`
 }
 
 // PasrsePublicKeyPEM is used to parse RSA and ECDSA public keys from PEMs
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6ff922af8e..d1323f120c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -474,7 +474,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 github.com/hashicorp/vault-plugin-auth-kerberos
-# github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0
+# github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.1-0.20200921171209-a8c355e565cb
 github.com/hashicorp/vault-plugin-auth-kubernetes
 # github.com/hashicorp/vault-plugin-auth-oci v0.5.5
 github.com/hashicorp/vault-plugin-auth-oci