From d2907ea19434a6db67cc79d48dca8a4a39dd2556 Mon Sep 17 00:00:00 2001 From: sbene Date: Fri, 14 Feb 2025 14:43:27 +0100 Subject: [PATCH] feat: Enable caching tokens for multiple vault namespaces Signed-off-by: sbene --- cmd/generate_test.go | 84 +++++++++++++++++++++++++++++++ pkg/auth/vault/approle.go | 8 +-- pkg/auth/vault/approle_test.go | 26 ++++++++-- pkg/auth/vault/github.go | 8 +-- pkg/auth/vault/github_test.go | 22 ++++++-- pkg/auth/vault/kubernetes.go | 17 ++++--- pkg/auth/vault/kubernetes_test.go | 22 ++++++-- pkg/auth/vault/userpass.go | 8 +-- pkg/auth/vault/userpass_test.go | 26 ++++++++-- pkg/backends/vault_test.go | 4 +- pkg/config/config.go | 14 ++++-- pkg/types/constants.go | 1 + 12 files changed, 202 insertions(+), 38 deletions(-) diff --git a/cmd/generate_test.go b/cmd/generate_test.go index f428c690..0676bad8 100644 --- a/cmd/generate_test.go +++ b/cmd/generate_test.go @@ -300,6 +300,90 @@ func TestMain(t *testing.T) { } }) + t.Run("will create cache per namespace when provided", func(t *testing.T) { + + // Purging token cache before launching this test + err := utils.PurgeTokenCache() + if err != nil { + t.Fatalf("fail to purge tocken cache: %s", err.Error()) + } + + args := []string{"../fixtures/input/nonempty"} + cmd := NewGenerateCommand() + + b := bytes.NewBufferString("") + e := bytes.NewBufferString("") + cmd.SetArgs(args) + cmd.SetOut(b) + cmd.SetErr(e) + cmd.Execute() + out, err := io.ReadAll(b) // Read buffer to bytes + if err != nil { + t.Fatal(err) + } + stderr, err := io.ReadAll(e) // Read buffer to bytes + if err != nil { + t.Fatal(err) + } + + buf, err := os.ReadFile("../fixtures/output/all.yaml") + if err != nil { + t.Fatal(err) + } + + // We first check that the command was successful to make sure it reached the token caching part + expected := string(buf) + if string(out) != expected { + t.Fatalf("expected %s\n\nbut got\n\n%s\nerr: %s", expected, string(out), string(stderr)) + } + + // Default namespace cache is expected + _, err = utils.ReadExistingToken(fmt.Sprintf("approle_default_%s", roleid)) + if err != nil { + t.Fatalf("expected cached vault token but got: %s", err) + } + + // Setting the vault namespace environment variable + os.Setenv("VAULT_NAMESPACE", `test-namespace`) + + nsArgs := []string{"../fixtures/input/nonempty"} + nsCmd := NewGenerateCommand() + + nsB := bytes.NewBufferString("") + nsE := bytes.NewBufferString("") + nsCmd.SetArgs(nsArgs) + nsCmd.SetOut(nsB) + nsCmd.SetErr(nsE) + nsCmd.Execute() + nsOut, nsErr := io.ReadAll(nsB) // Read buffer to bytes + if nsErr != nil { + t.Fatal(nsErr) + } + nsStderr, nsErr := io.ReadAll(nsE) // Read buffer to bytes + if nsErr != nil { + t.Fatal(nsErr) + } + + nsBuf, nsErr := os.ReadFile("../fixtures/output/all.yaml") + if nsErr != nil { + t.Fatal(nsErr) + } + + // We first check that the command was successful to make sure it reached the token caching part + nsExpected := string(nsBuf) + if string(nsOut) != nsExpected { + t.Fatalf("expected %s\n\nbut got\n\n%s\nerr: %s", nsExpected, string(nsOut), string(nsStderr)) + } + + // Namespaced cache is expected + _, nsErr = utils.ReadExistingToken(fmt.Sprintf("approle_test-namespace_%s", roleid)) + if nsErr != nil { + t.Fatalf("expected cached vault token but got: %s", nsErr) + } + + os.Unsetenv("VAULT_NAMESPACE") + }) + os.Unsetenv("AVP_TYPE") os.Unsetenv("VAULT_ADDR") os.Unsetenv("AVP_AUTH_TYPE") diff --git a/pkg/auth/vault/approle.go b/pkg/auth/vault/approle.go index 913f2c66..1956e8b6 100644 --- a/pkg/auth/vault/approle.go +++ b/pkg/auth/vault/approle.go @@ -15,14 +15,16 @@ type AppRoleAuth struct { RoleID string SecretID string MountPath string + Namespace string } // NewAppRoleAuth initalizes a new AppRolAuth with role id and secret id -func NewAppRoleAuth(roleID, secretID, mountPath string) *AppRoleAuth { +func NewAppRoleAuth(roleID, secretID, mountPath string, namespace string) *AppRoleAuth { appRoleAuth := &AppRoleAuth{ RoleID: roleID, SecretID: secretID, MountPath: approleMountPath, + Namespace: namespace, } if mountPath != "" { appRoleAuth.MountPath = mountPath @@ -33,7 +35,7 @@ func NewAppRoleAuth(roleID, secretID, mountPath string) *AppRoleAuth { // Authenticate authenticates with Vault using App Role and returns a token func (a *AppRoleAuth) Authenticate(vaultClient *api.Client) error { - err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("approle_%s", a.RoleID)) + err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("approle_%s_%s", a.Namespace, a.RoleID)) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err) } else { @@ -54,7 +56,7 @@ func (a *AppRoleAuth) Authenticate(vaultClient *api.Client) error { utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data) // If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping. - err = utils.SetToken(vaultClient, fmt.Sprintf("approle_%s", a.RoleID), data.Auth.ClientToken) + err = utils.SetToken(vaultClient, fmt.Sprintf("approle_%s_%s", a.Namespace, a.RoleID), data.Auth.ClientToken) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err) } diff --git a/pkg/auth/vault/approle_test.go b/pkg/auth/vault/approle_test.go index c3e57355..f3a4f91c 100644 --- a/pkg/auth/vault/approle_test.go +++ b/pkg/auth/vault/approle_test.go @@ -14,14 +14,14 @@ func TestAppRoleLogin(t *testing.T) { cluster, roleID, secretID := helpers.CreateTestAppRoleVault(t) defer cluster.Cleanup() - appRole := vault.NewAppRoleAuth(roleID, secretID, "") + appRole := vault.NewAppRoleAuth(roleID, secretID, "", "default") err := appRole.Authenticate(cluster.Cores[0].Client) if err != nil { t.Fatalf("expected no errors but got: %s", err) } - cachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_%s", roleID)) + cachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_default_%s", roleID)) if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -31,7 +31,7 @@ func TestAppRoleLogin(t *testing.T) { t.Fatalf("expected no errors but got: %s", err) } - newCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_%s", roleID)) + newCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_default_%s", roleID)) if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -44,14 +44,14 @@ func TestAppRoleLogin(t *testing.T) { secondCluster, secondRoleID, secondSecretID := helpers.CreateTestAppRoleVault(t) defer secondCluster.Cleanup() - secondAppRole := vault.NewAppRoleAuth(secondRoleID, secondSecretID, "") + secondAppRole := vault.NewAppRoleAuth(secondRoleID, secondSecretID, "", "default") err = secondAppRole.Authenticate(secondCluster.Cores[0].Client) if err != nil { t.Fatalf("expected no errors but got: %s", err) } - secondCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_%s", secondRoleID)) + secondCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("approle_default_%s", secondRoleID)) if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -60,4 +60,20 @@ func TestAppRoleLogin(t *testing.T) { if bytes.Compare(cachedToken, secondCachedToken) == 0 { t.Fatalf("expected different tokens but got %s", secondCachedToken) } + + // We create a new connection to a specific namespace and create a different cache + namespaceCluster, namespaceRoleID, namespaceSecretID := helpers.CreateTestAppRoleVault(t) + defer namespaceCluster.Cleanup() + + namespaceAppRole := vault.NewAppRoleAuth(namespaceRoleID, namespaceSecretID, "", "my-other-namespace") + + err = namespaceAppRole.Authenticate(namespaceCluster.Cores[0].Client) + if err != nil { + t.Fatalf("expected no errors but got: %s", err) + } + + _, err = utils.ReadExistingToken(fmt.Sprintf("approle_my-other-namespace_%s", namespaceRoleID)) + if err != nil { + t.Fatalf("expected cached vault token but got: %s", err) + } } diff --git a/pkg/auth/vault/github.go b/pkg/auth/vault/github.go index dfd6403e..2ec615a1 100644 --- a/pkg/auth/vault/github.go +++ b/pkg/auth/vault/github.go @@ -15,13 +15,15 @@ const ( type GithubAuth struct { AccessToken string MountPath string + Namespace string } // NewGithubAuth initializes a new GithubAuth with token -func NewGithubAuth(token, mountPath string) *GithubAuth { +func NewGithubAuth(token, mountPath string, namespace string) *GithubAuth { githubAuth := &GithubAuth{ AccessToken: token, MountPath: githubMountPath, + Namespace: namespace, } if mountPath != "" { githubAuth.MountPath = mountPath @@ -32,7 +34,7 @@ func NewGithubAuth(token, mountPath string) *GithubAuth { // Authenticate authenticates with Vault and returns a token func (g *GithubAuth) Authenticate(vaultClient *api.Client) error { - err := utils.LoginWithCachedToken(vaultClient, "github") + err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("github_%s", g.Namespace)) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err) } else { @@ -52,7 +54,7 @@ func (g *GithubAuth) Authenticate(vaultClient *api.Client) error { utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data) // If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping. - err = utils.SetToken(vaultClient, "github", data.Auth.ClientToken) + err = utils.SetToken(vaultClient, fmt.Sprintf("github_%s", g.Namespace), data.Auth.ClientToken) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err) } diff --git a/pkg/auth/vault/github_test.go b/pkg/auth/vault/github_test.go index 2f98d529..74f799b1 100644 --- a/pkg/auth/vault/github_test.go +++ b/pkg/auth/vault/github_test.go @@ -14,14 +14,14 @@ func TestGithubLogin(t *testing.T) { cluster := helpers.CreateTestAuthVault(t) defer cluster.Cleanup() - github := vault.NewGithubAuth("123", "") + github := vault.NewGithubAuth("123", "", "default") err := github.Authenticate(cluster.Cores[0].Client) if err != nil { t.Fatalf("expected no errors but got: %s", err) } - cachedToken, err := utils.ReadExistingToken("github") + cachedToken, err := utils.ReadExistingToken("github_default") if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -31,7 +31,7 @@ func TestGithubLogin(t *testing.T) { t.Fatalf("expected no errors but got: %s", err) } - newCachedToken, err := utils.ReadExistingToken("github") + newCachedToken, err := utils.ReadExistingToken("github_default") if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -39,4 +39,20 @@ func TestGithubLogin(t *testing.T) { if bytes.Compare(cachedToken, newCachedToken) != 0 { t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken) } + + // We create a new connection to a specific namespace and create a different cache + namespaceCluster := helpers.CreateTestAuthVault(t) + defer namespaceCluster.Cleanup() + + namespaceGithub := vault.NewGithubAuth("123", "", "my-other-namespace") + + err = namespaceGithub.Authenticate(namespaceCluster.Cores[0].Client) + if err != nil { + t.Fatalf("expected no errors but got: %s", err) + } + + _, err = utils.ReadExistingToken("github_my-other-namespace") + if err != nil { + t.Fatalf("expected cached vault token but got: %s", err) + } } diff --git a/pkg/auth/vault/kubernetes.go b/pkg/auth/vault/kubernetes.go index 196404df..69ad0ac0 100644 --- a/pkg/auth/vault/kubernetes.go +++ b/pkg/auth/vault/kubernetes.go @@ -17,21 +17,22 @@ const ( // K8sAuth TODO type K8sAuth struct { - // Optional, will use default path of auth/kubernetes if left blank - MountPath string - + Role string // Optional, will use default service account if left blank TokenPath string - - Role string + // Optional, will use default path of auth/kubernetes if left blank + MountPath string + // Optional, will use "default" if not provided + Namespace string } // NewK8sAuth initializes and returns a K8sAuth Struct -func NewK8sAuth(role, mountPath, tokenPath string) *K8sAuth { +func NewK8sAuth(role, mountPath, tokenPath string, namespace string) *K8sAuth { k8sAuth := &K8sAuth{ Role: role, MountPath: mountPath, TokenPath: tokenPath, + Namespace: namespace, } return k8sAuth @@ -39,7 +40,7 @@ func NewK8sAuth(role, mountPath, tokenPath string) *K8sAuth { // Authenticate authenticates with Vault via K8s and returns a token func (k *K8sAuth) Authenticate(vaultClient *api.Client) error { - err := utils.LoginWithCachedToken(vaultClient, "kubernetes") + err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("kubernetes_%s", k.Namespace)) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err) } else { @@ -70,7 +71,7 @@ func (k *K8sAuth) Authenticate(vaultClient *api.Client) error { utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data) // If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping. - err = utils.SetToken(vaultClient, "kubernetes", data.Auth.ClientToken) + err = utils.SetToken(vaultClient, fmt.Sprintf("kubernetes_%s", k.Namespace), data.Auth.ClientToken) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err) } diff --git a/pkg/auth/vault/kubernetes_test.go b/pkg/auth/vault/kubernetes_test.go index fbabd133..f955f4d8 100644 --- a/pkg/auth/vault/kubernetes_test.go +++ b/pkg/auth/vault/kubernetes_test.go @@ -46,14 +46,14 @@ func TestKubernetesAuth(t *testing.T) { t.Fatalf("error writing token: %s", err) } - k8s := vault.NewK8sAuth("role", "", string(filepath.Join(saPath, "token"))) + k8s := vault.NewK8sAuth("role", "", string(filepath.Join(saPath, "token")), "default") err = k8s.Authenticate(cluster.Cores[0].Client) if err != nil { t.Fatalf("expected no errors but got: %s", err) } - cachedToken, err := utils.ReadExistingToken("kubernetes") + cachedToken, err := utils.ReadExistingToken("kubernetes_default") if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -63,7 +63,7 @@ func TestKubernetesAuth(t *testing.T) { t.Fatalf("expected no errors but got: %s", err) } - newCachedToken, err := utils.ReadExistingToken("kubernetes") + newCachedToken, err := utils.ReadExistingToken("kubernetes_default") if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -72,6 +72,22 @@ func TestKubernetesAuth(t *testing.T) { t.Fatalf("expected same token %s but got %s", cachedToken, newCachedToken) } + // We create a new connection to a specific namespace and create a different cache + namespaceCluster := helpers.CreateTestAuthVault(t) + defer namespaceCluster.Cleanup() + + namespaceK8s := vault.NewK8sAuth("role", "", string(filepath.Join(saPath, "token")), "my-other-namespace") + + err = namespaceK8s.Authenticate(namespaceCluster.Cores[0].Client) + if err != nil { + t.Fatalf("expected no errors but got: %s", err) + } + + _, err = utils.ReadExistingToken("kubernetes_my-other-namespace") + if err != nil { + t.Fatalf("expected cached vault token but got: %s", err) + } + err = removeK8sToken() if err != nil { fmt.Println(err) diff --git a/pkg/auth/vault/userpass.go b/pkg/auth/vault/userpass.go index 027d20f9..9e559047 100644 --- a/pkg/auth/vault/userpass.go +++ b/pkg/auth/vault/userpass.go @@ -15,14 +15,16 @@ type UserPassAuth struct { Username string Password string MountPath string + Namespace string } // NewUserPassAuth initalizes a new NewUserPassAuth with username & password -func NewUserPassAuth(username, password, mountPath string) *UserPassAuth { +func NewUserPassAuth(username, password, mountPath string, namespace string) *UserPassAuth { userpassAuth := &UserPassAuth{ Username: username, Password: password, MountPath: userpassMountPath, + Namespace: namespace, } if mountPath != "" { userpassAuth.MountPath = mountPath @@ -33,7 +35,7 @@ func NewUserPassAuth(username, password, mountPath string) *UserPassAuth { // Authenticate authenticates with Vault using userpass and returns a token func (a *UserPassAuth) Authenticate(vaultClient *api.Client) error { - err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("userpass_%s", a.Username)) + err := utils.LoginWithCachedToken(vaultClient, fmt.Sprintf("userpass_%s_%s", a.Namespace, a.Username)) if err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot retrieve cached token: %v. Generating a new one", err) } else { @@ -53,7 +55,7 @@ func (a *UserPassAuth) Authenticate(vaultClient *api.Client) error { utils.VerboseToStdErr("Hashicorp Vault authentication response: %v", data) // If we cannot write the Vault token, we'll just have to login next time. Nothing showstopping. - if err = utils.SetToken(vaultClient, fmt.Sprintf("userpass_%s", a.Username), data.Auth.ClientToken); err != nil { + if err = utils.SetToken(vaultClient, fmt.Sprintf("userpass_%s_%s", a.Namespace, a.Username), data.Auth.ClientToken); err != nil { utils.VerboseToStdErr("Hashicorp Vault cannot cache token for future runs: %v", err) } diff --git a/pkg/auth/vault/userpass_test.go b/pkg/auth/vault/userpass_test.go index 4cdc1bea..b8024bff 100644 --- a/pkg/auth/vault/userpass_test.go +++ b/pkg/auth/vault/userpass_test.go @@ -14,13 +14,13 @@ func TestUserPassLogin(t *testing.T) { cluster, username, password := helpers.CreateTestUserPassVault(t) defer cluster.Cleanup() - userpass := vault.NewUserPassAuth(username, password, "") + userpass := vault.NewUserPassAuth(username, password, "", "default") if err := userpass.Authenticate(cluster.Cores[0].Client); err != nil { t.Fatalf("expected no errors but got: %s", err) } - cachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_%s", username)) + cachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_default_%s", username)) if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -30,7 +30,7 @@ func TestUserPassLogin(t *testing.T) { t.Fatalf("expected no errors but got: %s", err) } - newCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_%s", username)) + newCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_default_%s", username)) if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -43,14 +43,14 @@ func TestUserPassLogin(t *testing.T) { secondCluster, secondUsername, secondPassword := helpers.CreateTestUserPassVault(t) defer secondCluster.Cleanup() - secondUserpass := vault.NewUserPassAuth(secondUsername, secondPassword, "") + secondUserpass := vault.NewUserPassAuth(secondUsername, secondPassword, "", "default") err = secondUserpass.Authenticate(secondCluster.Cores[0].Client) if err != nil { t.Fatalf("expected no errors but got: %s", err) } - secondCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_%s", secondUsername)) + secondCachedToken, err := utils.ReadExistingToken(fmt.Sprintf("userpass_default_%s", secondUsername)) if err != nil { t.Fatalf("expected cached vault token but got: %s", err) } @@ -59,4 +59,20 @@ func TestUserPassLogin(t *testing.T) { if bytes.Compare(cachedToken, secondCachedToken) == 0 { t.Fatalf("expected different tokens but got %s", secondCachedToken) } + + // We create a new connection to a specific namespace and create a different cache + namespaceCluster, namespaceUsername, namespacePassword := helpers.CreateTestUserPassVault(t) + defer namespaceCluster.Cleanup() + + namespaceUserpass := vault.NewUserPassAuth(namespaceUsername, namespacePassword, "", "my-other-namespace") + + err = namespaceUserpass.Authenticate(namespaceCluster.Cores[0].Client) + if err != nil { + t.Fatalf("expected no errors but got: %s", err) + } + + _, err = utils.ReadExistingToken(fmt.Sprintf("userpass_my-other-namespace_%s", namespaceUsername)) + if err != nil { + t.Fatalf("expected cached vault token but got: %s", err) + } } diff --git a/pkg/backends/vault_test.go b/pkg/backends/vault_test.go index 99c67035..a0d40e39 100644 --- a/pkg/backends/vault_test.go +++ b/pkg/backends/vault_test.go @@ -19,7 +19,7 @@ func TestVaultLogin(t *testing.T) { } t.Run("will authenticate with approle", func(t *testing.T) { - backend.AuthType = vault.NewAppRoleAuth(roleID, secretID, "") + backend.AuthType = vault.NewAppRoleAuth(roleID, secretID, "", "default") err := backend.Login() if err != nil { @@ -32,7 +32,7 @@ func TestVaultGetSecrets(t *testing.T) { cluster, roleID, secretID := helpers.CreateTestAppRoleVault(t) defer cluster.Cleanup() - auth := vault.NewAppRoleAuth(roleID, secretID, "") + auth := vault.NewAppRoleAuth(roleID, secretID, "", "default") backend := backends.NewVaultBackend(auth, cluster.Cores[0].Client, "") t.Run("will get data from vault with kv1", func(t *testing.T) { diff --git a/pkg/config/config.go b/pkg/config/config.go index bc896701..d7ae8026 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -87,16 +87,22 @@ func New(v *viper.Viper, co *Options) (*Config, error) { return nil, err } + // get namespace (if any) to allow caching tokens from multiple auth methods + vaultNamespace := strings.TrimSpace(v.GetString(types.EnvVaultNamespace)) // strip whitespace and newlines + if vaultNamespace == "" { + vaultNamespace = "default" + } + switch authType { case types.ApproleAuth: if v.IsSet(types.EnvAvpRoleID) && v.IsSet(types.EnvAvpSecretID) { - auth = vault.NewAppRoleAuth(v.GetString(types.EnvAvpRoleID), v.GetString(types.EnvAvpSecretID), v.GetString(types.EnvAvpMountPath)) + auth = vault.NewAppRoleAuth(v.GetString(types.EnvAvpRoleID), v.GetString(types.EnvAvpSecretID), v.GetString(types.EnvAvpMountPath), vaultNamespace) } else { return nil, fmt.Errorf("%s and %s for approle authentication cannot be empty", types.EnvAvpRoleID, types.EnvAvpSecretID) } case types.GithubAuth: if v.IsSet(types.EnvAvpGithubToken) { - auth = vault.NewGithubAuth(v.GetString(types.EnvAvpGithubToken), v.GetString(types.EnvAvpMountPath)) + auth = vault.NewGithubAuth(v.GetString(types.EnvAvpGithubToken), v.GetString(types.EnvAvpMountPath), vaultNamespace) } else { return nil, fmt.Errorf("%s for github authentication cannot be empty", types.EnvAvpGithubToken) } @@ -108,12 +114,14 @@ func New(v *viper.Viper, co *Options) (*Config, error) { v.GetString(types.EnvAvpK8sRole), v.GetString(types.EnvAvpK8sMountPath), v.GetString(types.EnvAvpK8sTokenPath), + vaultNamespace, ) } else { auth = vault.NewK8sAuth( v.GetString(types.EnvAvpK8sRole), v.GetString(types.EnvAvpMountPath), v.GetString(types.EnvAvpK8sTokenPath), + vaultNamespace, ) } } else { @@ -127,7 +135,7 @@ func New(v *viper.Viper, co *Options) (*Config, error) { } case types.UserPass: if v.IsSet(types.EnvAvpUsername) && v.IsSet(types.EnvAvpPassword) { - auth = vault.NewUserPassAuth(v.GetString(types.EnvAvpUsername), v.GetString(types.EnvAvpPassword), v.GetString(types.EnvAvpMountPath)) + auth = vault.NewUserPassAuth(v.GetString(types.EnvAvpUsername), v.GetString(types.EnvAvpPassword), v.GetString(types.EnvAvpMountPath), vaultNamespace) } else { return nil, fmt.Errorf("%s and %s for userpass authentication cannot be empty", types.EnvAvpUsername, types.EnvAvpPassword) } diff --git a/pkg/types/constants.go b/pkg/types/constants.go index 49abbdef..f336197a 100644 --- a/pkg/types/constants.go +++ b/pkg/types/constants.go @@ -20,6 +20,7 @@ const ( EnvAvpPathPrefix = "AVP_PATH_PREFIX" EnvAWSRegion = "AWS_REGION" EnvVaultAddress = "VAULT_ADDR" + EnvVaultNamespace = "VAULT_NAMESPACE" EnvYCLKeyID = "AVP_YCL_KEY_ID" EnvYCLServiceAccountID = "AVP_YCL_SERVICE_ACCOUNT_ID" EnvYCLPrivateKey = "AVP_YCL_PRIVATE_KEY"