From 142b47fe5e202c8f4e227af4b0d19016f03f0c46 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 29 Jun 2020 18:44:33 -0400
Subject: [PATCH] auth/k8s: update go.mod (#9328)

Co-authored-by: Theron Voran
---
 go.mod | 2 +-
 go.sum | 4 ++--
 .../vault-plugin-auth-kubernetes/path_config.go | 15 ++++++++++++++-
 vendor/modules.txt | 2 +-
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index 134e89706..4caa96cb8 100644
--- a/go.mod
+++ b/go.mod
@@ -72,7 +72,7 @@ require (
 github.com/hashicorp/vault-plugin-auth-gcp v0.6.2-0.20200428223335-82bd3a3ad5b3
 github.com/hashicorp/vault-plugin-auth-jwt v0.7.0
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
- github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.2
+ github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.5.4
 github.com/hashicorp/vault-plugin-database-mongodbatlas v0.1.2-0.20200520204052-f840e9d4895c
diff --git a/go.sum b/go.sum
index 4872d587b..2174f1c5d 100644
--- a/go.sum
+++ b/go.sum
@@ -539,8 +539,8 @@ github.com/hashicorp/vault-plugin-auth-kerberos v0.1.5/go.mod h1:r4UqWITHYKmBeAM
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6 h1:l5wu8J7aiQBLsTtkKhf1QQjGoeVjcfcput+uJ/pu2MM=
 github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6/go.mod h1:IM/n7LY1rIM4MVzOfSH6cRmY/C2rGkrjGrEr0B/yO9c=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.1/go.mod h1:/Y9W5aZULfPeNVRQK0/nrFGpHWyNm0J3UWhOdsAu0vM=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.2 h1:lu6wwyIFPy/kuF+ZveMscp9mzX/14LsmdBVwLMz1Kng=
-github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.2/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0 h1:tt/kHMFB1qjp2b2ZRSI1KbH2CRV91VHghgr+5x9grgM=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0/go.mod h1:2c/k3nsoGPKV+zpAWCiajt4e66vncEq8Li/eKLqErAc=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.4/go.mod h1:j05O2b9fw2Q82NxDPhHMYVfHKvitUYGWfmqmpBdqmmc=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5 h1:nIP8g+VZd2V+LY/D5omWhLSnhHuogIJx7Bz6JyLt628=
 github.com/hashicorp/vault-plugin-auth-oci v0.5.5/go.mod h1:Cn5cjR279Y+snw8LTaiLTko3KGrbigRbsQPOd2D5xDw=
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go
index a32f0cbe9..786584b50 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go
@@ -7,6 +7,7 @@ import (
 "crypto/x509"
 "encoding/pem"
 "errors"
+ "io/ioutil"
 
 "github.com/briankassouf/jose/jws"
 "github.com/hashicorp/vault/sdk/framework"
@@ -106,15 +107,27 @@ func (b *kubeAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Requ
 return logical.ErrorResponse("no host provided"), nil
 }
 
+ localCACert, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
+
+ localTokenReviewer, _ := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+
 pemList := data.Get("pem_keys").([]string)
 caCert := data.Get("kubernetes_ca_cert").(string)
 issuer := data.Get("issuer").(string)
 disableIssValidation := data.Get("disable_iss_validation").(bool)
 if len(pemList) == 0 && len(caCert) == 0 {
- return logical.ErrorResponse("one of pem_keys or kubernetes_ca_cert must be set"), nil
+ if len(localCACert) > 0 {
+ caCert = string(localCACert)
+ } else {
+ return logical.ErrorResponse("one of pem_keys or kubernetes_ca_cert must be set"), nil
+ }
 }
 
 tokenReviewer := data.Get("token_reviewer_jwt").(string)
+ if len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
+ tokenReviewer = string(localTokenReviewer)
+ }
+
 if len(tokenReviewer) > 0 {
 // Validate it's a JWT
 _, err := jws.ParseJWT([]byte(tokenReviewer))
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fe4ac1487..7584352e4 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -465,7 +465,7 @@ github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 github.com/hashicorp/vault-plugin-auth-jwt
 # github.com/hashicorp/vault-plugin-auth-kerberos v0.1.6
 github.com/hashicorp/vault-plugin-auth-kerberos
-# github.com/hashicorp/vault-plugin-auth-kubernetes v0.6.2
+# github.com/hashicorp/vault-plugin-auth-kubernetes v0.7.0
 github.com/hashicorp/vault-plugin-auth-kubernetes
 # github.com/hashicorp/vault-plugin-auth-oci v0.5.5
 github.com/hashicorp/vault-plugin-auth-oci
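Review bot: Both `ioutil.ReadFile` calls added at the top of the pathConfigWrite hunk discard their error, so a permission-denied or I/O failure on the mounted service-account files is indistinguishable from "not running in a pod", and the write silently falls through to the `one of pem_keys or kubernetes_ca_cert must be set` response or to a config with no reviewer token. Treating only `os.IsNotExist` as the not-in-cluster case and returning any other error keeps the auto-discovery while surfacing a broken mount; `os` and `fmt` would need to be imported if the file does not already have them, which this hunk does not show. A short comment above the reads, e.g. `// Fall back to the pod's mounted service-account CA and token when the operator supplies neither.`, would also document the new implicit behaviour, since the stored config now captures whatever token happened to be mounted at write time without saying so. pathConfigWrite starts and ends outside the hunk, and the file is a vendored copy, so the change belongs upstream in vault-plugin-auth-kubernetes.
```go
	// Fall back to the pod's mounted service-account CA and token when the
	// operator supplies neither; only a missing file means "not in-cluster".
	localCACert, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
	if err != nil && !os.IsNotExist(err) {
		return nil, fmt.Errorf("reading in-cluster CA certificate: %w", err)
	}

	localTokenReviewer, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
	if err != nil && !os.IsNotExist(err) {
		return nil, fmt.Errorf("reading in-cluster service account token: %w", err)
	}
	// … unchanged: pem_keys / kubernetes_ca_cert fallback and token_reviewer_jwt handling …
```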