added kubernetes auth for vault

This commit is contained in:
jenkins-x-bot 2020-01-12 01:25:22 +02:00
parent a65c4c94a0
commit 409b499217
1 changed files with 46 additions and 14 deletions


@ -50,11 +50,19 @@ class VaultSourcePlugin(SourcePlugin):
"helpMessage": "Version of the Vault KV API to use", "helpMessage": "Version of the Vault KV API to use",
}, },
{ {
"name": "vaultAuthTokenFile", "name": "authenticationMethod",
"type": "select",
"value": "token",
"available": ["token", "kubernetes"],
"required": True,
"helpMessage": "Authentication method to use",
},
{
"name": "tokenFile/VaultRole",
"type": "str", "type": "str",
"required": True, "required": True,
"validation": "(/[^/]+)+", "validation": "^([a-zA-Z0-9/._-]+/?)+$",
"helpMessage": "Must be a valid file path!", "helpMessage": "Must be vaild file path for token based auth and valid role if k8s based auth",
}, },
{ {
"name": "vaultMount", "name": "vaultMount",
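Review bot: The new helpMessage for the `tokenFile/VaultRole` option misspells "valid" as "vaild" and reads awkwardly; since this text is shown to operators configuring the plugin it should be `"helpMessage": "Must be a valid file path for token based auth, or a valid Vault role for kubernetes based auth",`. The same string is added again in the VaultDestinationPlugin options hunk below, so both copies need the fix. It is also worth noting in the helpMessage that the value is interpreted according to `authenticationMethod`, because the option name alone does not make that coupling obvious.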
@ -85,7 +93,8 @@ class VaultSourcePlugin(SourcePlugin):
cert = [] cert = []
body = "" body = ""
url = self.get_option("vaultUrl", options) url = self.get_option("vaultUrl", options)
token_file = self.get_option("vaultAuthTokenFile", options) auth_method = self.get_option("authenticationMethod", options)
auth_key = self.get_option("tokenFile/vaultRole", options)
mount = self.get_option("vaultMount", options) mount = self.get_option("vaultMount", options)
path = self.get_option("vaultPath", options) path = self.get_option("vaultPath", options)
obj_name = self.get_option("objectName", options) obj_name = self.get_option("objectName", options)
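Review bot: The new `auth_key = self.get_option("tokenFile/vaultRole", options)` line looks up a key that does not match the option declared in the preceding hunk, which is named `"tokenFile/VaultRole"` (capital V). If `get_option` compares names exactly — which I cannot confirm from this page — the lookup will return nothing, and the later `open(auth_key, "r")` or `client.auth_kubernetes(auth_key, jwt)` will fail at request time rather than at configuration time. The same mismatch is repeated in the VaultDestinationPlugin hunk below (`auth_key = self.get_option("tokenFile/vaultRole", options)`). Either line should read `auth_key = self.get_option("tokenFile/VaultRole", options)`, or the declared option should be renamed to match. The enclosing method continues outside this hunk.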
@ -93,10 +102,17 @@ class VaultSourcePlugin(SourcePlugin):
cert_filter = "-----BEGIN CERTIFICATE-----" cert_filter = "-----BEGIN CERTIFICATE-----"
cert_delimiter = "-----END CERTIFICATE-----" cert_delimiter = "-----END CERTIFICATE-----"
with open(token_file, "r") as tfile: client = hvac.Client(url=url)
if auth_method == 'token':
with open(auth_key, "r") as tfile:
token = tfile.readline().rstrip("\n") token = tfile.readline().rstrip("\n")
client.token = token
if auth_method == 'kubernetes':
f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
jwt = f.read()
client.auth_kubernetes(auth_key, jwt)
client = hvac.Client(url=url, token=token)
client.secrets.kv.default_kv_version = api_version client.secrets.kv.default_kv_version = api_version
path = "{0}/{1}".format(path, obj_name) path = "{0}/{1}".format(path, obj_name)
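Review bot: The kubernetes branch opens the service-account token with a bare `f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')` and never closes it, unlike the token branch which uses `with`; the handle leaks until garbage collection. The two auth checks are also independent `if` statements with no `else`, so an `authenticationMethod` value outside the two declared choices silently leaves `client` unauthenticated and the failure surfaces later as a permission error against Vault rather than as a configuration error here. Both defects are duplicated in the VaultDestinationPlugin hunk at the end of the page, so the same rewrite applies there. The enclosing method continues outside this hunk.
```python
client = hvac.Client(url=url)
if auth_method == 'token':
    with open(auth_key, "r") as tfile:
        client.token = tfile.readline().rstrip("\n")
elif auth_method == 'kubernetes':
    # Read the pod's projected service-account JWT; the context manager
    # closes the handle immediately instead of leaking it.
    with open('/var/run/secrets/kubernetes.io/serviceaccount/token', "r") as f:
        jwt = f.read()
    client.auth_kubernetes(auth_key, jwt)
else:
    # Fail at configuration time rather than with an unauthenticated
    # client that only errors once it hits Vault.
    raise ValueError("Unsupported Vault authentication method: {0}".format(auth_method))
# … unchanged: default_kv_version and path assembly …
```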
@ -160,11 +176,19 @@ class VaultDestinationPlugin(DestinationPlugin):
"helpMessage": "Version of the Vault KV API to use", "helpMessage": "Version of the Vault KV API to use",
}, },
{ {
"name": "vaultAuthTokenFile", "name": "authenticationMethod",
"type": "select",
"value": "token",
"available": ["token", "kubernetes"],
"required": True,
"helpMessage": "Authentication method to use",
},
{
"name": "tokenFile/VaultRole",
"type": "str", "type": "str",
"required": True, "required": True,
"validation": "(/[^/]+)+", "validation": "^([a-zA-Z0-9/._-]+/?)+$",
"helpMessage": "Must be a valid file path!", "helpMessage": "Must be vaild file path for token based auth and valid role if k8s based auth",
}, },
{ {
"name": "vaultMount", "name": "vaultMount",
@ -219,7 +243,8 @@ class VaultDestinationPlugin(DestinationPlugin):
cname = common_name(parse_certificate(body)) cname = common_name(parse_certificate(body))
url = self.get_option("vaultUrl", options) url = self.get_option("vaultUrl", options)
token_file = self.get_option("vaultAuthTokenFile", options) auth_method = self.get_option("authenticationMethod", options)
auth_key = self.get_option("tokenFile/vaultRole", options)
mount = self.get_option("vaultMount", options) mount = self.get_option("vaultMount", options)
path = self.get_option("vaultPath", options) path = self.get_option("vaultPath", options)
bundle = self.get_option("bundleChain", options) bundle = self.get_option("bundleChain", options)
@ -245,10 +270,17 @@ class VaultDestinationPlugin(DestinationPlugin):
exc_info=True, exc_info=True,
) )
with open(token_file, "r") as tfile: client = hvac.Client(url=url)
if auth_method == 'token':
with open(auth_key, "r") as tfile:
token = tfile.readline().rstrip("\n") token = tfile.readline().rstrip("\n")
client.token = token
if auth_method == 'kubernetes':
f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
jwt = f.read()
client.auth_kubernetes(auth_key, jwt)
client = hvac.Client(url=url, token=token)
client.secrets.kv.default_kv_version = api_version client.secrets.kv.default_kv_version = api_version
if obj_name: if obj_name: