Adds Kubernetes authentication type for Vault Issuer

[kunickiaj]

What this PR does / why we need it:

Which issue this PR fixes
fixes #647

Special notes for your reviewer:
So I've actually put together a patch, and just trying to tie up the e2e tests. This requires that the VaultInitializer have a method that configures the kubernetes auth backend which requires at a minimum: the master url and CA cert.

Anyone happen to know what the right way to get these in there are?

Release note:

Adds Kubernetes authentication type for Vault Issuer

This auth method uses the cert-manager's service account token to request a Vault token. See the Vault documentation for instructions on setting up the auth backend as well as the necessary role bindings on the Kubernetes side.

Example configuration for using this auth method:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default
spec:
  vault:
    path: pki_int/sign/example-dot-com
    server: https://vault
    auth:
      kubernetes:
        role: "cert-manager-role"

[munnerz]

/ok-to-test

[kunickiaj]

Are there any guides on how to work with the e2e tests? For testing a new auth backend, the Vault instance needs to have the backend enabled and configured--which requires the k8s master url and CA cert. It wasn't clear from the current setup if there's any way to get those in the VaultInitializer.

[madjam002]

@kunickiaj Just a suggestion, would be nice to have the kubernetes auth mount path configurable, just like this PR is trying to do for approle #612

At the moment it is hardcoded to /auth/kubernetes

[kunickiaj]

Seems like a reasonable request--right now still stuck on how to make this testable given the dependency on k8s cluster parameters. Any ideas on how the test jobs are setup and how this could be done would be welcome.

[munnerz]

/assign @kragniz

Could you take a look at this and help out with the testing environment pieces?

[munnerz]

@kunickiaj sorry for the lack of response here - could you expand a bit more on the issues you're encountering with the test environment?

If you can rebase your PR, we should be able to get these e2e's running (and hopefully passing too!). There's not too much special about the environment (it is provisioned with minikube at the moment) - what specified requirements of that environment do you have? 😄

[kunickiaj]

I'll get it rebased today. For the e2e environment, the Vault auth backend for k8s needs to have two parameters provided at a minimum: k8s master url and CA cert for the master. If its minikube hopefully that's fairly easy to make deterministic.

[kunickiaj]

Sorry for the delay, rebased the patch, still needs e2e setup.

[rblaine95]

This requires that the VaultInitializer have a method that configures the kubernetes auth backend which requires at a minimum: the master url and CA cert.

Anyone happen to know what the right way to get these in there are?

banzaicloud/bank-vaults is a really good Vault Operator that has an automatic configuration toolset

Full disclosure: I'm a bank-vaults contributor

[vdesjardins]

@kunickiaj

I didn't experiment with this Vault auth method much yet but maybe you could use the helper method in test/e2e/framework/util.go to fetch the config:

kubeConfig, err := LoadConfig(TestContext.KubeConfig, TestContext.KubeContext)
if (err != nil) {
...
}

apiHost := kubeConfig.Host
caCert := kubeConfig.TLSClientConfig.CAFile

Would it give you what you need to setup the Kubernetes auth backend in Vault afterwards?

[munnerz]

Can we change this to be a field specified on the issuer, as a secretRef?

Users can then create a service account with no permissions, dedicated for authentication with Vault on a per-issuer basis.

This would be a lot more secure than handing off/using cert-manager's own service account credentials for all Vault authentication 😄

[kunickiaj]

Sure that sounds reasonable. Just keep in mind that that service account will still need a minimum permission of system:auth-delegator in order to call the TokenReview API.

[kunickiaj]

Not sure why these checks have been stalling -- anywhere I can check on the status of them?

[Dariusch]

hey guys, I am really waiting for the PR to be merged. Is there any way to speed up this PR?

[jetstack-bot]

@kunickiaj: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[retest-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[Mattzr]

Hi,
Also looking forward to service account authentication with kubernetes !

[kunickiaj]

I've been periodically rebasing this patch for about a year now, don't know why it's been so difficult to get merged. I'm about ready to abandon it.

…

On Thu, Jul 18, 2019 at 04:43 Amath SARR ***@***.***> wrote: Hi, Also looking forward to service account authentication with kubernetes ! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#649>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAFWH2VUYJJAVRUAMXHCFU3QABJP5ANCNFSM4FEHZATA> .

[phyrog]

Ping @munnerz in case you are not getting notifications about this

Can we somehow move this PR forward to get it merged? There is definitely an interest in this feature and it would be sad to see this not getting merged and @kunickiaj giving up due to missing feedback on this.

[retest-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[martinbaillie]

We're considering forking internally at work in order to use this. Is there any reason not to merge the PR into the main project?

/remove-lifecycle rotten

[Mattzr]

Up, we also need this feature. There's conflicting files that need to be resolved though

[npurdy-tyro]

How close is this to being merged? I was about to implement the exact same thing when I stumbled across this PR.

[martinbaillie]

Happy to help @kunickiaj rebase and fix-up again so long as there's commitment to merge it this time from the maintainers?

[munnerz]

Sorry this hasn't had much attention recently - we have also recently moved some vault initialization things into pkg/internal/vault, so the rebase will probably need to move the changes across.

To clarify, we do want this feature. I'll take a look over the changes today, but otherwise @JoshVanL mind shepherding this one once you're back from holiday? 😄

/assign @JoshVanL

[kunickiaj]

This is def something we'd like as well, and I apologize I just haven't had the bandwidth to get to refactoring this with the latest code. If anyone else wants to take it upon themselves in the meantime, I'd be more than happy to see that happen.

[JoshVanL]

Hello! Yes, happy to pick this up and get it refactored over the next couple of days

[JoshVanL]

/close
in favor of #2040

[jetstack-bot]

@JoshVanL: Closed this PR.

Details

In response to this:

/close
in favor of #2040

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.