From 8a7aa4f7f75c7d9cb02431a2916ed6f7a48d25c6 Mon Sep 17 00:00:00 2001
From: Harry Reeder
Date: Tue, 11 May 2021 11:50:51 +0100
Subject: [PATCH 1/4] Add k8s authentication

---
 CHANGES.md | 4 ++++
 README.md | 3 ++-
 actions/lib/action.py | 6 ++++++
 pack.yaml | 2 +-
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index e04305a..6c3fe28 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,5 +1,9 @@
 # Change Log
 
+## 1.1.0
+
+- Added `kuberentes` auth method.
+
 ## 1.0.0
 
 * Drop Python 2.7 support
diff --git a/README.md b/README.md
index 9cc097e..12cb92a 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ It should contain:
 * `cert` - Path to client-side certificate
 * `verify` - Whether to verify the SSL certificate or not
 * `auth_method` - Which authentication method to use.
- Only `token` (the default) and `approle` are implemented so far.
+ Only `token` (the default), `approle` and `kubernetes` are implemented so far.
 
 Also include the relevant auth_method-specific config:
 
@@ -21,6 +21,7 @@ Also include the relevant auth_method-specific config:
 also tries using the `VAULT_TOKEN` env var or the `~/.vault-token` file.
 * `role_id` - Authentication role_id for `auth_method=approle`.
 * `secret_id` - Authentication secret_id for `auth_method=approle`.
+* `role` - Authentication role for `auth_method=kubernetes`
 
 You can also use dynamic values from the datastore. See the [docs](https://docs.stackstorm.com/reference/pack_configs.html) for more info.
diff --git a/actions/lib/action.py b/actions/lib/action.py
index d3e4e5e..352ea7f 100644
--- a/actions/lib/action.py
+++ b/actions/lib/action.py
@@ -33,6 +33,12 @@ def _get_client(self):
 role_id=self.config["role_id"],
 secret_id=self.config["secret_id"],
 )
+ elif auth_method == "kubernetes":
+ with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as sa_token:
+ client.auth.kubernetes.login(
+ self.config["role"],
+ sa_token.read(),
+ )
 else:
 raise NotImplementedError(
 "The {} auth method has a typo or has not been implemented (yet).".format(
diff --git a/pack.yaml b/pack.yaml
index 48ddb9c..e36603f 100644
--- a/pack.yaml
+++ b/pack.yaml
@@ -2,7 +2,7 @@
 ref: vault
 name: vault
 description: HashiCorp Vault
-version: 1.0.0
+version: 1.1.0
 python_versions:
 - "3"
 author: steve.neuharth

From a30eaf3e634d40b919ccfe27ca3b0076d3d3841b Mon Sep 17 00:00:00 2001
From: Harry Reeder
Date: Tue, 11 May 2021 14:44:36 +0100
Subject: [PATCH 2/4] Apply recommendation around auth method wording

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 12cb92a..53238b7 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ It should contain:
 * `cert` - Path to client-side certificate
 * `verify` - Whether to verify the SSL certificate or not
 * `auth_method` - Which authentication method to use.
- Only `token` (the default), `approle` and `kubernetes` are implemented so far.
+ Available implementations are: `token` (default), `approle` and `kubernetes`.
 
 Also include the relevant auth_method-specific config:
 

From e639eb08a1bdef511d2b8b23269846dbfe3bf621 Mon Sep 17 00:00:00 2001
From: Harry Reeder
Date: Tue, 11 May 2021 14:46:07 +0100
Subject: [PATCH 3/4] Add kubernetes auth fields to config schema

---
 config.schema.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config.schema.yaml b/config.schema.yaml
index 0eaa02b..d56d891 100644
--- a/config.schema.yaml
+++ b/config.schema.yaml
@@ -22,6 +22,7 @@
 enum:
 - approle
 - token
+ - kubernetes
 # Not implemented:
 # - app-id
 # - ali-cloud
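Review bot: The kubernetes branch in this hunk reads `self.config["role"]` with a bare subscript even though patch 3 declares `role` as `required: false`, so a missing role surfaces as a `KeyError` from inside `_get_client` instead of a message naming the option, and when the pack runs outside a pod the hard-coded `open(...)` raises a bare `FileNotFoundError`. Both are worth turning into explicit errors, and stripping the token before it is sent is cheap insurance against a trailing newline making Vault reject the JWT. Reading the file on every login rather than caching it is the right call if the cluster issues projected, time-bound service-account tokens; a short comment saying so would stop someone "optimising" it away later, and the token itself must never end up in a log line. `_get_client` begins and ends outside this hunk.

```python
            elif auth_method == "kubernetes":
                role = self.config.get("role")
                if not role:
                    raise ValueError("auth_method=kubernetes requires the 'role' config option")
                # Re-read on every login, never cache: projected SA tokens expire and get rotated.
                try:
                    with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as sa_token:
                        jwt = sa_token.read().strip()
                except OSError as err:
                    raise RuntimeError(
                        "auth_method=kubernetes requires the pod service-account token at "
                        "/var/run/secrets/kubernetes.io/serviceaccount/token"
                    ) from err
                client.auth.kubernetes.login(role, jwt)
            # … unchanged: else branch raising NotImplementedError …
```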
@@ -32,7 +33,6 @@
 # - gcp
 # - github
 # - jwt
- # - kubernetes
 # - ldap
 # - mfa
 # - oidc
@@ -56,3 +56,7 @@
 type: "string"
 secret: true
 required: false
+ role:
+ description: "Authentication role (method=kubernetes)"
+ secret: false
+ required: false

From 088b538761a8d9232dee91d749c4aa7d4f224953 Mon Sep 17 00:00:00 2001
From: Harry Reeder
Date: Tue, 18 May 2021 10:06:09 +0100
Subject: [PATCH 4/4] feat: Add auth_mount_point support

---
 CHANGES.md | 1 +
 actions/lib/action.py | 9 +++++++++
 config.schema.yaml | 6 +++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index 6c3fe28..42abc37 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -3,6 +3,7 @@
 ## 1.1.0
 
 - Added `kuberentes` auth method.
+- Added `auth_mount_point` config option for specifying custom authentication mount points.
 
 ## 1.0.0
 
diff --git a/actions/lib/action.py b/actions/lib/action.py
index 352ea7f..b55cad0 100644
--- a/actions/lib/action.py
+++ b/actions/lib/action.py
@@ -24,6 +24,13 @@ def _get_client(self):
 # in favor of: client.auth..login
 # So, use client.auth. where implemented
 
+ # Support for optional kwargs - only passed to login method if defined in config
+ login_kwargs = {}
+
+ auth_mount_point = self.config.get("auth_mount_point")
+ if auth_mount_point:
+ login_kwargs["mount_point"] = auth_mount_point
+
 # token is handled during client init
 # other auth methods will override it as needed
 if auth_method == "token":
@@ -32,12 +39,14 @@ def _get_client(self):
 client.auth.approle.login(
 role_id=self.config["role_id"],
 secret_id=self.config["secret_id"],
+ **login_kwargs,
 )
 elif auth_method == "kubernetes":
 with open("/var/run/secrets/kubernetes.io/serviceaccount/token") as sa_token:
 client.auth.kubernetes.login(
 self.config["role"],
 sa_token.read(),
+ **login_kwargs,
 )
 else:
 raise NotImplementedError(
diff --git a/config.schema.yaml b/config.schema.yaml
index d56d891..5862b3f 100644
--- a/config.schema.yaml
+++ b/config.schema.yaml
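Review bot: The new `role` entry in the `@@ -56,3 +56,7 @@` hunk carries no `type:` line, while the sibling entry directly above it declares `type: "string"` (visible as the hunk's first context line); as far as I know StackStorm validates the pack config against this schema, so an untyped entry lets a list or mapping pasted into the config reach the Vault login call unchecked. Add `type: "string"` under `role:` so a malformed value is rejected at config-load time. It would also help to make the description say this is the Vault Kubernetes-auth role name rather than a Kubernetes RBAC role, since the bare word `role` invites that confusion: `description: "Vault Kubernetes-auth role name (method=kubernetes)"`.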
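Review bot: In the `@@ -24,6 +24,13 @@` hunk, `auth_mount_point` is read and stashed in `login_kwargs` regardless of `auth_method`, but the `token` branch performs no login, so someone who sets a mount point with the default method gets no signal that the option is ignored; a warning, or at least `# mount_point only reaches the approle/kubernetes logins; the token method has no login call`, would make that explicit. The value is also forwarded unvalidated, and as far as I recall hvac splices it into the `auth/<mount_point>/login` request path, so a leading or trailing `/` or a `..` segment in a mis-typed config would quietly address a different endpoint with the credentials. Trimming surrounding slashes and refusing a value containing `..` is a two-line guard, e.g. `auth_mount_point = auth_mount_point.strip("/")` followed by `if ".." in auth_mount_point.split("/"): raise ValueError("auth_mount_point must be a plain mount path")`. The enclosing `_get_client` starts before this hunk.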
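Review bot: In the `@@ -32,12 +39,14 @@` hunk the kubernetes login still passes the role and the JWT positionally while the approle call directly above uses keywords; now that `**login_kwargs` is appended to both, the keyword form reads more consistently and protects against the positional parameters shifting if hvac's signature changes. The change is `role=self.config["role"],` and `jwt=sa_token.read(),` in place of the two positional arguments (hvac names that parameter `jwt` as far as I recall). `_get_client` starts before and ends after this hunk.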
@@ -40,7 +40,11 @@
 # - radius
 # - userpass
 required: false
-
+
+ auth_mount_point:
+ description: "Custom authentication mount point, if required"
+ type: "string"
+ required: false
 token:
 description: "Authentication token (method=token)"
 type: "string"
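Review bot: The `auth_mount_point` description added in this hunk does not say which methods honour it; the patch-4 change to `actions/lib/action.py` forwards it only to the approle and kubernetes logins, so `description: "Custom Vault auth mount point (method=approle or kubernetes); ignored for token"` would state that and match the `(method=...)` convention the sibling entries use. It may also be worth adding that the value is the mount path without the `auth/` prefix, since that is the form hvac expects as far as I recall, and a wrong form fails only at login time with a Vault 404 rather than at config load.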