diff --git a/README.md b/README.md
index 1a8bebc..a688865 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@
 - [Vault token authentication method (`--vault-authentication-method=token`)](#vault-token-authentication-method---vault-authentication-methodtoken)
 - [Vault userpass authentication method (`--vault-authentication-method=userpass`)](#vault-userpass-authentication-method---vault-authentication-methoduserpass)
 - [Vault approle authentication method (`--vault-authentication-method=approle`)](#vault-approle-authentication-method---vault-authentication-methodapprole)
+ - [Vault github authentication method (`--vault-authentication-method=github`)](#vault-github-authentication-method---vault-authentication-methodgithub)
 - [Deploying the operator](#deploying-the-operator)
 - [Creating a secret](#creating-a-secret)
 - [Partial secrets](#partial-secrets)
@@ -89,17 +90,24 @@ Environment variable | Required? | Default | Description Environment variable | Required? | Default | Description ---------------------|-----------|---------|------------ -`VAULT_USERNAME` | Y | | The Vault username used to authenticate +`VAULT_USERNAME` | Y | | The Vault username to use for authentication `VAULT_PASSWORD` | Y | | The password corresponding to `VAULT_USERNAME` #### Vault approle authentication method (`--vault-authentication-method=approle`) Environment variable | Required? | Default | Description ---------------------|-----------|---------|------------ -`VAULT_APPROLE_ROLE_ID` | Y | | The AppRole role id used to authenticate -`VAULT_APPROLE_SECRET_ID` | Y | | The AppRole secret id used to authenticate +`VAULT_APPROLE_ROLE_ID` | Y | | The AppRole role id to use for authentication +`VAULT_APPROLE_SECRET_ID` | Y | | The AppRole secret id to use for authentication `VAULT_APPROLE_ENDPOINT` | N | `auth/approle/login` | The Vault endpoint to use for this authentication method +#### Vault github authentication method (`--vault-authentication-method=github`) + +Environment variable | Required? | Default | Description +---------------------|-----------|---------|------------ +`VAULT_GITHUB_TOKEN` | Y | | The GitHub token to use for authentication +`VAULT_GITHUB_AUTH_ENDPOINT` | N | `auth/github/login` | The Vault endpoint to use for this authentication method + ### Deploying the operator The `deploy/` directory has some statically defined manifests that you can modify to configure your own keys and deploy. However, this repo also provides a [Helm](https://helm.sh/) template in the `helm/kms-vault-operator` directory, as well as a sample Helm values file for each authentication method above under `deploy/helm-values`. Please note that some of the values assume you have previously created the [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) or other configuration they rely on. 
diff --git a/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go b/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go
index 7335396..9396006 100644
--- a/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go
+++ b/pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go
@@ -44,6 +44,7 @@ const (
 TokenAuthenticationMethod string = "token"
 UserpassAuthenticationMethod string = "userpass"
 AppRoleAuthenticationMethod string = "approle"
+ GitHubAuthenticationMethod string = "github"
 KVv1 string = "v1"
 KVv2 string = "v2"
 DeletedFinalizer string = "delete.k8s.patoarvizu.dev"
@@ -221,6 +222,8 @@ func vaultAuthentication(vaultAuthenticationMethod string) VaultAuthMethod {
 return VaultUserpassAuth{}
 case AppRoleAuthenticationMethod:
 return VaultAppRoleAuth{}
+ case GitHubAuthenticationMethod:
+ return VaultGitHubAuth{}
 default:
 return VaultTokenAuth{}
 }
diff --git a/pkg/controller/kmsvaultsecret/kmsvaultsecret_githubauth.go b/pkg/controller/kmsvaultsecret/kmsvaultsecret_githubauth.go
new file mode 100644
index 0000000..b987303
--- /dev/null
+++ b/pkg/controller/kmsvaultsecret/kmsvaultsecret_githubauth.go
@@ -0,0 +1,37 @@
+package kmsvaultsecret
+
+import (
+ "errors"
+ "os"
+
+ vaultapi "github.com/hashicorp/vault/api"
+)
+
+const (
+ gitHubAuthDefaultEndpoint = "auth/github/login"
+)
+
+type VaultGitHubAuth struct{}
+
+func (k8s VaultGitHubAuth) login(vaultConfig *vaultapi.Config) (string, error) {
+ githubToken, ok := os.LookupEnv("VAULT_GITHUB_TOKEN")
+ if !ok {
+ return "", errors.New("Environment variable VAULT_GITHUB_TOKEN not set")
+ }
+ vaultClient, err := vaultapi.NewClient(vaultConfig)
+ if err != nil {
+ return "", err
+ }
+ data := map[string]interface{}{
+ "token": githubToken,
+ }
+ githubAuthEndpoint, ok := os.LookupEnv("VAULT_GITHUB_AUTH_ENDPOINT")
+ if !ok {
+ githubAuthEndpoint = gitHubAuthDefaultEndpoint
+ }
+ secretAuth, err := vaultClient.Logical().Write(githubAuthEndpoint, data)
+ if err != nil {
+ return "", err
+ }
+ return secretAuth.Auth.ClientToken, nil
+}
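Review bot: The final `return secretAuth.Auth.ClientToken, nil` dereferences the response without a nil check; as far as I recall `Logical().Write` returns a nil secret on an empty (204) response, and a secret with a nil `Auth` is what you get when `VAULT_GITHUB_AUTH_ENDPOINT` is pointed at a path that is not a login endpoint, so an operator misconfiguration becomes a panic in the controller instead of a login error. Guard it with `if secretAuth == nil || secretAuth.Auth == nil { return "", errors.New("no auth data returned from GitHub login") }` before the return. `os.LookupEnv` also reports `VAULT_GITHUB_TOKEN` as present when it is set to an empty string, and that empty token is then sent to Vault; the first check should read `if !ok || githubToken == "" {`. The exported `VaultGitHubAuth` type has no doc comment; `// VaultGitHubAuth obtains a Vault client token by logging in with the GitHub token in VAULT_GITHUB_TOKEN.` would cover it.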