Skip to content

Vault k8s auth#2040

Merged
jetstack-bot merged 12 commits intocert-manager:masterfrom
JoshVanL:vault-k8s-auth
Sep 25, 2019
Merged

Vault k8s auth#2040
jetstack-bot merged 12 commits intocert-manager:masterfrom
JoshVanL:vault-k8s-auth

Conversation

@JoshVanL
Copy link
Copy Markdown
Contributor

@JoshVanL JoshVanL commented Sep 6, 2019

fixes #647
Taking over from #649

Adds Kubernetes authentication type for Vault Issue

@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Sep 6, 2019
@jetstack-bot
Copy link
Copy Markdown
Contributor

jetstack-bot commented Sep 6, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration approved Indicates a PR has been approved by an approver from all required OWNERS files. area/testing Issues relating to testing area/vault Indicates a PR directly modifies the Vault Issuer code kind/documentation Categorizes issue or PR as related to documentation. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 6, 2019
@JoshVanL JoshVanL mentioned this pull request Sep 6, 2019
Closed
@JoshVanL
Copy link
Copy Markdown
Contributor Author

JoshVanL commented Sep 6, 2019

@kunickiaj

@JoshVanL
Copy link
Copy Markdown
Contributor Author

JoshVanL commented Sep 6, 2019

/hold

@jetstack-bot jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 6, 2019
@munnerz munnerz added this to the v0.11 milestone Sep 7, 2019
@JoshVanL
Copy link
Copy Markdown
Contributor Author

JoshVanL commented Sep 9, 2019

/hold cancel
/unassign
/assign @munnerz

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 9, 2019
@JoshVanL
Copy link
Copy Markdown
Contributor Author

JoshVanL commented Sep 9, 2019

🙃
/retest

munnerz
munnerz reviewed Sep 9, 2019
View reviewed changes
pkg/issuer/vault/setup.go Outdated
v.issuer.GetSpec().Vault.Auth.AppRole.SecretRef.Name == "" {
v.issuer.GetSpec().Vault.Auth.AppRole.SecretRef.Name == "" &&
v.issuer.GetSpec().Vault.Auth.Kubernetes.Role == "" &&
v.issuer.GetSpec().Vault.Auth.Kubernetes.SecretRef.Name == "" {
Copy link
Copy Markdown
Member

@munnerz munnerz Sep 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of checking particular fields of these different auth types, we should make each auth type structure a pointer and then just check if they are nil here. This is super messy right now and could really confuse users IMO.

pkg/issuer/vault/setup.go Outdated
v.issuer.GetSpec().Vault.Auth.Kubernetes.SecretRef.Name != "" &&
(v.issuer.GetSpec().Vault.Auth.AppRole.RoleId != "" ||
v.issuer.GetSpec().Vault.Auth.AppRole.SecretRef.Name != "" ||
v.issuer.GetSpec().Vault.Auth.TokenSecretRef.Name != "") {
Copy link
Copy Markdown
Member

@munnerz munnerz Sep 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not even going to try and parse this combination of &&, (, ) and || to understand this 🙈

test/e2e/framework/addon/vault/setup.go Outdated

// CleanKubernetesRole cleans up the ClusterRoleBinding and ServiceAccount for Kubernetes auth delegation
func (v *VaultInitializer) CleanKubernetesRole(client kubernetes.Interface, namespace, roleName, serviceAccountName string) error {
client.RbacV1().ClusterRoleBindings().Delete(fmt.Sprintf("%s:%s:auth-delegator", namespace, serviceAccountName), nil)
Copy link
Copy Markdown
Member

@munnerz munnerz Sep 9, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit (not essential given this is test code) - is there any way to not have to re-template this? It's a bit annoying and given we don't check errors from this method, if we change something in future it's unlikely we'll notice this line breaking.

@jetstack-bot jetstack-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 9, 2019
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 9, 2019
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 9, 2019
@JoshVanL JoshVanL force-pushed the vault-k8s-auth branch 3 times, most recently from 4e08719 to c4b55c9 Compare September 20, 2019 13:12
@JoshVanL
Copy link
Copy Markdown
Contributor Author

JoshVanL commented Sep 20, 2019

/retest

munnerz
munnerz reviewed Sep 23, 2019
View reviewed changes
pkg/internal/apis/certmanager/types_issuer.go Outdated
// `/v1/auth/foo/login`. If unspecified, the default value "kubernetes" will
// be used.
// +optional
Path string `json:"mountPath"`
Copy link
Copy Markdown
Member

@munnerz munnerz Sep 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add ,omitempty to optional fields 😄

@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 23, 2019
Adam Kunicki and others added 11 commits September 23, 2019 13:33
@JoshVanL
Added Kubernetes authentication type for Vault Issuer
7058dfc 
Signed-off-by: Adam Kunicki <adam@streamsets.com>
@JoshVanL
Adds vault kubernetes auth tests
9aea714 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds vault issuer Kubernetes auth docs
a98561b 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds internal vault issuer Kubernetes auth types
452e42b 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Updates vault certificaterequest controller test
05b5f44 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Addresses comments and makes vault auth pointers
f2f5fcc 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds all vault Auth methods to secret checks and stops panic
9b827ee 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Set role name correctly for vault addon with Kube Auth
f6e1964 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Increase scope of vault addon tokenreview permissions to cluster
5f25ffa 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Adds review comments
9ffaae5 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Update generated
68f9546 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 23, 2019
munnerz
munnerz reviewed Sep 23, 2019
View reviewed changes
pkg/apis/acme/v1alpha2/types_issuer.go
apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
Copy link
Copy Markdown
Member

@munnerz munnerz Sep 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: unnecessary/incorrect change

@JoshVanL
Updates apis to v1alpha2/meta
e1875bc 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
@JoshVanL
Copy link
Copy Markdown
Contributor Author

JoshVanL commented Sep 24, 2019

/retest

@munnerz
Copy link
Copy Markdown
Member

munnerz commented Sep 25, 2019

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2019
@retest-bot
Copy link
Copy Markdown

retest-bot commented Sep 25, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to jetstack).
Review the full test history for this PR.
Silence the bot with an /lgtm cancel comment for consistent failures.

@jetstack-bot jetstack-bot merged commit 816bbf5 into cert-manager:master Sep 25, 2019
@jetstack-bot jetstack-bot mentioned this pull request Oct 21, 2019
Closed
@mbrancato mbrancato mentioned this pull request Nov 10, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@munnerz munnerz munnerz left review comments

@vdesjardins vdesjardins Awaiting requested review from vdesjardins

Assignees

@munnerz munnerz

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration area/testing Issues relating to testing area/vault Indicates a PR directly modifies the Vault Issuer code dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/documentation Categorizes issue or PR as related to documentation. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

v0.11

Development

Successfully merging this pull request may close these issues.

New Feature: Support Vault Kubernetes auth backend

4 participants

@JoshVanL @jetstack-bot @munnerz @retest-bot