Add option for GitHub auth method

README.md

@@ -14,6 +14,7 @@
             - [Vault token authentication method (`--vault-authentication-method=token`)](#vault-token-authentication-method---vault-authentication-methodtoken)
             - [Vault userpass authentication method (`--vault-authentication-method=userpass`)](#vault-userpass-authentication-method---vault-authentication-methoduserpass)
             - [Vault approle authentication method (`--vault-authentication-method=approle`)](#vault-approle-authentication-method---vault-authentication-methodapprole)
+            - [Vault github authentication method (`--vault-authentication-method=github`)](#vault-github-authentication-method---vault-authentication-methodgithub)
         - [Deploying the operator](#deploying-the-operator)
         - [Creating a secret](#creating-a-secret)
         - [Partial secrets](#partial-secrets)
@@ -89,17 +90,24 @@ Environment variable | Required? | Default | Description
 
 Environment variable | Required? | Default | Description
 ---------------------|-----------|---------|------------
-`VAULT_USERNAME` | Y | | The Vault username used to authenticate
+`VAULT_USERNAME` | Y | | The Vault username to use for authentication
 `VAULT_PASSWORD` | Y | | The password corresponding to `VAULT_USERNAME`
 
 #### Vault approle authentication method (`--vault-authentication-method=approle`)
 
 Environment variable | Required? | Default | Description
 ---------------------|-----------|---------|------------
-`VAULT_APPROLE_ROLE_ID` | Y | | The AppRole role id used to authenticate
-`VAULT_APPROLE_SECRET_ID` | Y | | The AppRole secret id used to authenticate
+`VAULT_APPROLE_ROLE_ID` | Y | | The AppRole role id to use for authentication
+`VAULT_APPROLE_SECRET_ID` | Y | | The AppRole secret id to use for authentication
 `VAULT_APPROLE_ENDPOINT` | N | `auth/approle/login` | The Vault endpoint to use for this authentication method
 
+#### Vault github authentication method (`--vault-authentication-method=github`)
+
+Environment variable | Required? | Default | Description
+---------------------|-----------|---------|------------
+`VAULT_GITHUB_TOKEN` | Y | | The GitHub token to use for authentication
+`VAULT_GITHUB_AUTH_ENDPOINT` | N | `auth/github/login` | The Vault endpoint to use for this authentication method
+
 ### Deploying the operator
 
 The `deploy/` directory has some statically defined manifests that you can modify to configure your own keys and deploy. However, this repo also provides a [Helm](https://helm.sh/) template in the `helm/kms-vault-operator` directory, as well as a sample Helm values file for each authentication method above under `deploy/helm-values`. Please note that some of the values assume you have previously created the [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) or other configuration they rely on.

pkg/controller/kmsvaultsecret/kmsvaultsecret_controller.go

@@ -44,6 +44,7 @@ const (
 	TokenAuthenticationMethod    string = "token"
 	UserpassAuthenticationMethod string = "userpass"
 	AppRoleAuthenticationMethod  string = "approle"
+	GitHubAuthenticationMethod   string = "github"
 	KVv1                         string = "v1"
 	KVv2                         string = "v2"
 	DeletedFinalizer             string = "delete.k8s.patoarvizu.dev"
@@ -221,6 +222,8 @@ func vaultAuthentication(vaultAuthenticationMethod string) VaultAuthMethod {
 		return VaultUserpassAuth{}
 	case AppRoleAuthenticationMethod:
 		return VaultAppRoleAuth{}
+	case GitHubAuthenticationMethod:
+		return VaultGitHubAuth{}
 	default:
 		return VaultTokenAuth{}
 	}

pkg/controller/kmsvaultsecret/kmsvaultsecret_githubauth.go

@@ -0,0 +1,37 @@
+package kmsvaultsecret
+
+import (
+	"errors"
+	"os"
+
+	vaultapi "github.com/hashicorp/vault/api"
+)
+
+const (
+	gitHubAuthDefaultEndpoint = "auth/github/login"
+)
+
+type VaultGitHubAuth struct{}
+
+func (k8s VaultGitHubAuth) login(vaultConfig *vaultapi.Config) (string, error) {
+	githubToken, ok := os.LookupEnv("VAULT_GITHUB_TOKEN")
+	if !ok {
+		return "", errors.New("Environment variable VAULT_GITHUB_TOKEN not set")
+	}
+	vaultClient, err := vaultapi.NewClient(vaultConfig)
+	if err != nil {
+		return "", err
+	}
+	data := map[string]interface{}{
+		"token": githubToken,
+	}
+	githubAuthEndpoint, ok := os.LookupEnv("VAULT_GITHUB_AUTH_ENDPOINT")
+	if !ok {
+		githubAuthEndpoint = gitHubAuthDefaultEndpoint
+	}
+	secretAuth, err := vaultClient.Logical().Write(githubAuthEndpoint, data)
+	if err != nil {
+		return "", err
+	}
+	return secretAuth.Auth.ClientToken, nil
+}