From 248313d94b94db4cdc118a03bf051457918e48e1 Mon Sep 17 00:00:00 2001 From: Zoe O'Connell Date: Thu, 1 Feb 2024 21:19:19 +0000 Subject: [PATCH] K8s Auth non-default mount points (#147) * Kubernetes Vault mount path support * README updates --- README.md | 19 ++++++++++--------- cmd/cmd.go | 1 + cmd/delete.go | 3 ++- cmd/export.go | 3 ++- cmd/import.go | 3 ++- docs/examples/kubernetes/cronjob/README.md | 2 ++ pkg/vaultengine/vaultclient.go | 15 +++++++++++++-- 7 files changed, 32 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index f073d3f..3c783f9 100644 --- a/README.md +++ b/README.md @@ -312,13 +312,14 @@ Available Commands: version Print the version number of Medusa Flags: - -a, --address string Address of the Vault server - -h, --help help for medusa - -k, --insecure Allow insecure server connections when using SSL - --kubernetes Authenticate using the Kubernetes JWT token - -n, --namespace string Namespace within the Vault server (Enterprise only) - -r, --role string Vault role for Kubernetes JWT authentication - -t, --token string Vault authentication token - -Use "medusa [command] --help" for more information about a command + -a, --address string Address of the Vault server + -h, --help help for medusa + -k, --insecure Allow insecure server connections when using SSL + --kubernetes Authenticate using the Kubernetes JWT token + --kubernetes-auth-path string Authentication mount point within Vault for Kubernetes + -n, --namespace string Namespace within the Vault server (Enterprise only) + -r, --role string Vault role for Kubernetes JWT authentication + -t, --token string Vault authentication token + +Use "medusa [command] --help" for more information about a command. ``` diff --git a/cmd/cmd.go b/cmd/cmd.go index 4d8643f..37b2ebf 100644 --- a/cmd/cmd.go +++ b/cmd/cmd.go 
@@ -82,6 +82,7 @@ func init() { rootCmd.PersistentFlags().StringP("token", "t", "", "Vault authentication token") rootCmd.PersistentFlags().StringP("role", "r", "", "Vault role for Kubernetes JWT authentication") rootCmd.PersistentFlags().BoolP("kubernetes", "", false, "Authenticate using the Kubernetes JWT token") + rootCmd.PersistentFlags().StringP("kubernetes-auth-path", "", "", "Authentication mount point within Vault for Kubernetes") rootCmd.PersistentFlags().BoolP("insecure", "k", false, "Allow insecure server connections when using SSL") rootCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace within the Vault server (Enterprise only)") diff --git a/cmd/delete.go b/cmd/delete.go index aec8294..57db2cf 100644 --- a/cmd/delete.go +++ b/cmd/delete.go @@ -27,12 +27,13 @@ var deleteCmd = &cobra.Command{ insecure, _ := cmd.Flags().GetBool("insecure") vaultRole, _ := cmd.Flags().GetString("role") kubernetes, _ := cmd.Flags().GetBool("kubernetes") + authPath, _ := cmd.Flags().GetString("kubernetes-auth-path") namespace, _ := cmd.Flags().GetString("namespace") engineType, _ := cmd.Flags().GetString("engine-type") isApproved, _ := cmd.Flags().GetBool("auto-approve") // Setup Vault client - client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes) + client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath) engine, path, err := client.MountpathSplitPrefix(path) if err != nil { fmt.Println(err) diff --git a/cmd/export.go b/cmd/export.go index 6a0355f..12506d9 100644 --- a/cmd/export.go +++ b/cmd/export.go 
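Review bot: The new `kubernetes-auth-path` flag is declared with an empty default, so `medusa --help` cannot tell the user that the mount point falls back to `kubernetes`; the effective default only exists as a literal in `pkg/vaultengine/vaultclient.go`. Declaring it on the flag, `rootCmd.PersistentFlags().StringP("kubernetes-auth-path", "", "kubernetes", "Authentication mount point within Vault for Kubernetes")`, makes pflag print `(default "kubernetes")` in the usage block and keeps the default in one place. If that is done, the `if client.authPath != ""` fallback in newVaultClient becomes redundant and can be reduced to passing `auth.WithMountPath(client.authPath)` unconditionally, though that is a change outside this hunk. The README help text in this commit would then also need regenerating to show the default.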
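Review bot: The added `authPath, _ := cmd.Flags().GetString("kubernetes-auth-path")` plus the widened `vaultengine.NewClient(...)` call is repeated verbatim in delete.go, export.go and import.go, so every new authentication option now means three identical edits and a positional constructor that has grown to seven arguments, in which the two trailing strings (`vaultRole`, `authPath`) are easy to transpose without a compile error. A small helper in cmd.go that reads the persistent flags once and returns the client would let each command call `client := newClientFromFlags(cmd)`; an options struct for NewClient would remove the positional ambiguity. The surrounding `Run` closure of `deleteCmd` starts and ends outside this hunk. Ignoring the `GetString` error matches the existing style and is acceptable here, since pflag only returns an error for an undefined flag name.

```go
// newClientFromFlags builds the Vault client from the root command's persistent flags,
// so delete/export/import do not each repeat the flag lookups and the NewClient call.
func newClientFromFlags(cmd *cobra.Command) *vaultengine.Client {
	vaultAddr, _ := cmd.Flags().GetString("address")
	vaultToken, _ := cmd.Flags().GetString("token")
	insecure, _ := cmd.Flags().GetBool("insecure")
	namespace, _ := cmd.Flags().GetString("namespace")
	vaultRole, _ := cmd.Flags().GetString("role")
	kubernetes, _ := cmd.Flags().GetBool("kubernetes")
	authPath, _ := cmd.Flags().GetString("kubernetes-auth-path")
	return vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath)
}
```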
@@ -30,6 +30,7 @@ var exportCmd = &cobra.Command{ vaultToken, _ := cmd.Flags().GetString("token") vaultRole, _ := cmd.Flags().GetString("role") kubernetes, _ := cmd.Flags().GetBool("kubernetes") + authPath, _ := cmd.Flags().GetString("kubernetes-auth-path") insecure, _ := cmd.Flags().GetBool("insecure") namespace, _ := cmd.Flags().GetString("namespace") engineType, _ := cmd.Flags().GetString("engine-type") @@ -37,7 +38,7 @@ var exportCmd = &cobra.Command{ exportFormat, _ := cmd.Flags().GetString("format") output, _ := cmd.Flags().GetString("output") - client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes) + client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath) engine, path, err := client.MountpathSplitPrefix(path) if err != nil { fmt.Println(err) diff --git a/cmd/import.go b/cmd/import.go index 8b0c20d..cf61f57 100644 --- a/cmd/import.go +++ b/cmd/import.go @@ -33,12 +33,13 @@ var importCmd = &cobra.Command{ insecure, _ := cmd.Flags().GetBool("insecure") vaultRole, _ := cmd.Flags().GetString("role") kubernetes, _ := cmd.Flags().GetBool("kubernetes") + authPath, _ := cmd.Flags().GetString("kubernetes-auth-path") namespace, _ := cmd.Flags().GetString("namespace") engineType, _ := cmd.Flags().GetString("engine-type") doDecrypt, _ := cmd.Flags().GetBool("decrypt") privateKey, _ := cmd.Flags().GetString("private-key") - client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes) + client := vaultengine.NewClient(vaultAddr, vaultToken, insecure, namespace, vaultRole, kubernetes, authPath) engine, prefix, err := client.MountpathSplitPrefix(path) if err != nil { fmt.Println(err) diff --git a/docs/examples/kubernetes/cronjob/README.md b/docs/examples/kubernetes/cronjob/README.md index da2cb27..880357d 100644 --- a/docs/examples/kubernetes/cronjob/README.md +++ b/docs/examples/kubernetes/cronjob/README.md 
@@ -133,6 +133,8 @@ medusa-1615982160-4b527 0/1 Completed 0 9s ### Using Kubernetes authentication If you are using the kubernetes authentication method in Vault, it is also possible to use the kubernetes provided JWT token inside a Pod and auth role in order to authenticate. +If your authentication mount point is different from the default of `kubernetes`, for example if your vault instance is supporting multiple clusters, this can be changed with the +`--kubernetes-auth-path` option. ```yaml command: ["./medusa", "export", "$(VAULT_PATH)", "--kubernetes", "--role=default", "-o", "/backup/backup.vault"] diff --git a/pkg/vaultengine/vaultclient.go b/pkg/vaultengine/vaultclient.go index c18c750..d0fe6b9 100644 --- a/pkg/vaultengine/vaultclient.go +++ b/pkg/vaultengine/vaultclient.go @@ -18,12 +18,13 @@ type Client struct { engineType string role string kubernetes bool + authPath string insecure bool vc *vault.Client } // NewClient creates a instance of the VaultClient struct -func NewClient(addr, token string, insecure bool, namespace string, role string, kubernetes bool) *Client { +func NewClient(addr, token string, insecure bool, namespace string, role string, kubernetes bool, authPath string) *Client { client := &Client{ token: token, addr: addr, @@ -31,6 +32,7 @@ func NewClient(addr, token string, insecure bool, namespace string, role string, namespace: namespace, role: role, kubernetes: kubernetes, + authPath: authPath, } client.newVaultClient() 
@@ -107,13 +109,22 @@ func (client *Client) newVaultClient() error { } // Authenticate using Kubernetes JWT if kubernetes flag is set + var authPath string + if client.kubernetes { - kubernetesAuth, err := auth.NewKubernetesAuth(client.role) + if client.authPath != "" { + authPath = client.authPath + } else { + authPath = "kubernetes" + } + + kubernetesAuth, err := auth.NewKubernetesAuth(client.role, auth.WithMountPath(authPath)) if err != nil { return err } authInfo, err := vc.Auth().Login(context.Background(), kubernetesAuth) + if err != nil { return err }
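Review bot: `client.authPath` is only consulted inside `if client.kubernetes`, so a CronJob that sets `--kubernetes-auth-path` but forgets `--kubernetes` silently falls back to token authentication with no indication that the mount point was ignored; a guard before the branch such as `if client.authPath != "" && !client.kubernetes { return fmt.Errorf("--kubernetes-auth-path requires --kubernetes") }` (or `errors.New`, whichever this file already imports) would surface the misconfiguration. The new `var authPath string` is declared at function scope but used only inside the branch; folding it into the branch as `authPath := client.authPath` followed by `if authPath == "" { authPath = "kubernetes" }` narrows its scope and avoids the else. If the auth library builds `auth/<mount>/login` from the value verbatim, it may also be worth normalising with `strings.Trim(authPath, "/")`, since `vault auth list` prints mounts as `kubernetes/` and users tend to copy that form; I have not verified the library's handling, so treat this as a hedge. The added blank line between the `vc.Auth().Login(...)` call and its `if err != nil` check separates a call from its error handling and should be dropped. newVaultClient continues past the end of this hunk.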