Add UpstreamAuthority 'vault' plugin as built-in

[hiyosi]

Pull Request check list

• Commit conforms to CONTRIBUTING.md?
• Proper tests/regressions included?
• Documentation updated?

Affected functionality

UpstreamAuthority plugin

Description of change

Add a new UpstreamAuthority vault plugin.
This plugin treats the Vault PKI Secret Engine as an Upstream PKI and issues intermediate CA certificates for the SPIRE Server.

Which issue this PR fixes

[azdagron]

Thank you @hiyosi for the PR! This will be exciting to get merged. Please feel free to reach out if there is any question or concerns with any suggestions or comments.

[azdagron]

Suggested change

	The vault plugin requests to sign intermediate certificate (for signing X.509 SVIDs)to Vault PKI Engine.
	The plugin doesn't support `PublishJWTKeyRequest` and `PublishJWTKeyResponse`,
	this means that you **SHOULD NOT** use `JWT SVID` in multiple SPIRE environment with this plugin.
	The vault plugin signs intermediate CA certificates for SPIRE using the Vault PKI Engine.
	The plugin does not support the `PublishJWTKey` RPC and is therefore not appropriate for use in nested SPIRE topologies where JWT-SVIDs are in use.

[azdagron]

I know the vault client takes a URL, but I wonder if our configuration should be a little more strict and just take a host with optional port (defaulting to 443) so that we can built the URL ourselves and force https://? Is there ever a need for the URL to have anything other than the host and port, e.g., userinfo or a path component?

If we keep this as-is, I'd suggest the the following:

Suggested change

	| vault_addr | string | | A URL of Vault server. (e.g., https://vault.example.com:8443/) | `${VAULT_ADDR}` |
	| vault_addr | string | | The URL of the Vault server. (e.g., https://vault.example.com:8443/) | `${VAULT_ADDR}` |

[hiyosi]

Is there ever a need for the URL to have anything other than the host and port, e.g., userinfo or a path component?

I've read in the documentation(https://www.vaultproject.io/docs/auth), it doesn't seem to be necessary .
Therefore I think we can set a host and port instead of the URL.

[hiyosi]

I've tried to fix it, please check.
4394dd6

[azdagron]

Suggested change

	| pki_mount_point | string | | Name of mount point where PKI secret engine is mounted | pki |
	| pki_mount_point | string | | Name of the mount point where PKI secret engine is mounted | pki |

[azdagron]

Suggested change

	| ca_cert_path | string | | Path to a CA certificate file that the client verifies the server certificate. Only PEM format is supported. | `${VAULT_CACERT}` |
	| ca_cert_path | string | | Path to a CA certificate file used to verify the Vault server certificate. Only PEM format is supported. | `${VAULT_CACERT}` |

[azdagron]

We usually preface the insecure flags with insecure_:

Suggested change

	| tls_skip_verify | string | | If true, vault client accepts any server certificates | false |
	| insecure_skip_verify | string | | If true, the Vault server certificate is not verified (not for production use) | false |

[azdagron]

We do these two steps together a lot. Can we just have one helper that loads from a file and creates the request? If it is a member of the suite then it can even assert success directly instead of returning an error that each test has to assert individually:

Suggested change

	csr, err := ioutil.ReadFile(testReqCSR)
	vps.Require().NoError(err)
	req, err := getTestMintX509CARequest(csr)
	vps.Require().NoError(err)
	req := vps.loadMintX509CARequestFromTestFile(testReqCSR)

[hiyosi]

I agree.
I added a helper func (vps *VaultPluginSuite) loadMintX509CARequestFromTestFile(csrFile string) *upstreamauthority.MintX509CARequest { ... }
3fc46ac

[azdagron]

This is a lot of boilerplate for each test case do repeat. Is there a way we can DRY this up a little bit?

[hiyosi]

I added a helper function func (vps *VaultPluginSuite) newPlugin() *Plugin { ... }
3fc46ac

[azdagron]

Suggested change

	for i := range res.X509CaChain {
	cert, err := x509.ParseCertificate(res.X509CaChain[i])
	for _, certDER := range res.X509CaChain {
	cert, err := x509.ParseCertificate(certDER)

[azdagron]

Suggested change

	for i := range res.UpstreamX509Roots {
	upstream, err := x509.ParseCertificate(res.UpstreamX509Roots[i])
	for _, upstreamDER := range res.UpstreamX509Roots {
	upstream, err := x509.ParseCertificate(upstreamDER)

[azdagron]

The structure of these tests might align better with table-driven tests, but that's something we can improve later.

[hiyosi]

I agree with some cases are better with table driven tests.
If we should improve the tests within this PR, I think I can do.

[hiyosi]

@azdagron
Awesome! Thank you for your review!!
I fixed and commit you pointed out. Please check it again.
(I committed with fixup! , so they should be rebased before merging.)

[azdagron]

Thank you for addressing the comments, @hiyosi! Just a few more comments and I think this is good.

[azdagron]

My concern about vault_addr was that it required a URL but all that it seemed practical for people to change would be the host and port, since the scheme should be https and I didn't see a reason to specify a path.

If deploying behind behind a reverse proxy is a normal thing for people to do, where there might be a need to have a path prefix, and considering that the vault client APIs document the configurable as being a URL then maybe the original configurable was good? 😬

[hiyosi]

OK. I'll revert the commits.
In original case, Should we check the URI scheme ?
e.g., If it's not https, outputs some warn logs.

[hiyosi]

revert: 73782ba

[azdagron]

I'm ok with the original code here, i.e., passing everything needed to construct the renewer in this function, I just thought maybe the logger could also be passed as a parameter instead of using a default logger.

[hiyosi]

I understand the intent of the your comment😀
I think there is no problem with passing all the argument including logger, so I'll fix it.

[hiyosi]

fix: 8e74413

[azdagron]

This is great. Thanks for this contribution, @hiyosi !

[azdagron]

@hiyosi, would you mind squashing and rebasing this? I'm happy to merge afterwards. Thanks!

[azdagron]

I apologize, I didn't see you had updated this and merged a different PR. Can you rebase again?

[amartinezfayo]

Hi @hiyosi, thank you for this contribution. This is really great!
I have a couple of suggestions that I missed when I first looked at this. I'm commenting here but I'm happy to move this to an issue if you feel that is appropriate. Thanks again!

[amartinezfayo]

I'm wondering if having pointers to the config structs would be better. Looks like the configuration settings in all authentication methods have either default values or can be alternatively defined through environment variables, which makes empty auth configs valid. I.e.: I want to use TOKEN authentication method and I have defined the VAULT_TOKEN environment variable. In that case I could just have token_auth { } as a valid configuration, but currently there is no way to identify that I set an empty token_auth config so the configuration would be rejected even if I have set the environment variable. If we use a pointer we may check if config.TokenAuth != nil in parseAuthMethod.

[hiyosi]

@amartinezfayo
Thank you for your suggestion.
I understand the problem. I'll fix it.

[amartinezfayo]

We may validate that only one of the auth methods is set?

[amartinezfayo]

Should we document any permissions required depending on the authentication method? E.g.: if a token is used, does the token need to be attached to a policy with certain capabilities?

[hiyosi]

I agree with you.
I'll try to improve the document.