Vault: configurable appRole authentication path#612
Vault: configurable appRole authentication path#612jetstack-bot merged 4 commits intocert-manager:masterfrom
Conversation
|
/ok-to-test |
| path: pki_int/sign/example-dot-com | ||
| server: https://vault | ||
| auth: | ||
| authPath: approle |
There was a problem hiding this comment.
This feels a bit awkward - we have auth.authPath, which actually only applies to AppRole currently, and defaults to something that is specific to the approle auth backend.
I guess this is because token based auth does not use a mounted backend, and we support no others right now.
We can work around this either by making auth.approle.path the key to set (and in future, creating auth.kubernetes.path, auth.pki.path etc). OR we have auth.path, which becomes a required field iff the auth backend selected is not 'token'.
I'm keen to choose whatever is most obvious to users 😄
There was a problem hiding this comment.
Indeed that's the reason why I put it directly under the auth struct. I have no problem moving it under the appRole and supply a specific path for other authentication mechanisms when we implement them.
There was a problem hiding this comment.
s/authPath/path/g (as you changed this as part of review 😄)
| // This Secret contains a AppRole and Secret | ||
| AppRole VaultAppRole `json:"appRole,omitempty"` | ||
| // Where the authentication path is mounted in Vault. | ||
| AuthPath string `json:"authPath,omitempty"` |
There was a problem hiding this comment.
As this is already a child of auth, I think we can shorten this to path
|
|
||
| if authPath == "" { | ||
| authPath = "approle" | ||
| } |
There was a problem hiding this comment.
We're defaulting this field in multiple places - I'd rather return an error if it isn't specified than default to the same value again
test/util/vault/util.go
Outdated
| url := path.Join("/v1/auth/approle/role", v.role) | ||
| _, err = v.callVault("POST", url, "", params) | ||
|
|
||
| baseUrl := path.Join("/v1/auth", v.authPath, "role", v.role) |
There was a problem hiding this comment.
should be path.Join("v1", "auth", v.authPath, "role", v.role) (i.e. let path.Join join v1 and auth)
| certificateName := "test-vault-certificate" | ||
| certificateSecretName := "test-vault-certificate" | ||
| vaultSecretAppRoleName := "vault-role" | ||
| vaultPath := fmt.Sprintf("%s/sign/%s", intermediateMount, role) |
There was a problem hiding this comment.
I think we can use path.Join here?
|
I'd like to suggest to use the same approach like with |
a833406 to
e3f67ec
Compare
| path: pki_int/sign/example-dot-com | ||
| server: https://vault | ||
| auth: | ||
| authPath: approle |
There was a problem hiding this comment.
s/authPath/path/g (as you changed this as part of review 😄)
| references the Kubernetes secret created previously. More specifically, the field | ||
| *name* is the Kubernetes secret name and *key* is the name given as the | ||
| key value that store the *secretId*. | ||
| key value that store the *secretId*. The optional attribute *authPath* specifies |
| key value that store the *secretId*. | ||
| key value that store the *secretId*. The optional attribute *authPath* specifies | ||
| where the AppRole authentication is mounted in Vault. The *authPath* default value | ||
| is *approle*. |
There was a problem hiding this comment.
s/authPath/path - also, is this comment still true?
There was a problem hiding this comment.
Yes if the path is empty it still default to approle.
|
|
||
| type VaultAppRole struct { | ||
| // Where the authentication path is mounted in Vault. | ||
| Path string `json:"path,omitempty"` |
| url := "/v1/auth/approle/login" | ||
| authPath := appRole.Path | ||
| if authPath == "" { | ||
| authPath = "approle" |
There was a problem hiding this comment.
👍 this is okay for now. We will look at moving defaulting etc. out after the webhooks PR has merged
pkg/issuer/vault/issue.go
Outdated
| resp, err := client.RawRequest(request) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error calling Vault server: %s", err.Error()) | ||
| return nil, fmt.Errorf("error logging in to Vault server: %s", err.Error()) |
There was a problem hiding this comment.
I don't think the request made here is to log in? Update error message
pkg/issuer/vault/setup.go
Outdated
| (v.issuer.GetSpec().Vault.Auth.AppRole.RoleId != "" || | ||
| v.issuer.GetSpec().Vault.Auth.AppRole.SecretRef.Name != "") { | ||
| v.issuer.GetSpec().Vault.Auth.AppRole.SecretRef.Name != "" || | ||
| v.issuer.GetSpec().Vault.Auth.AppRole.Path != "") { |
There was a problem hiding this comment.
From what I can tell, v.issuer.GetSpec().Vault.Auth.AppRole.Path might be blank (as we default it elsewhere in memory). Does this not break approle auth where the Path is not set?
There was a problem hiding this comment.
Also, just taking a look over the brace above this block:
Should this not be using || instead of && for the check?
Either way, can we add some comments to each of these if blocks to make it clear what we're checking for? 😄
|
|
||
| if authPath == "" { | ||
| return nil, fmt.Errorf("Error authPath must be set") | ||
| } |
There was a problem hiding this comment.
authPath is an optional field, we needn't require it be set in our fixtures (this causes disparity between tests and docs 😄)
e3f67ec to
51313b8
Compare
|
Sorry for the delay looking at this again - this should land in the 0.4 release later today 😄 /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test chart-verify |
51313b8 to
cb7eaf9
Compare
|
New changes are detected. LGTM label has been removed. |
|
Rebased and run |
What this PR does / why we need it:
Configurable appRole authentication path in Vault.
Which issue this PR fixes
fixes #560
Special notes for your reviewer:
Release note: