Issue#246 (#247)

* updated to vault 1.17 behavior in which vault pod's os CA can be configured.
Also added new api field use_annotations_as_alias_metadata

Signed-off-by: raffaelespazzoli <[email protected]>

* tested

Signed-off-by: raffaelespazzoli <[email protected]>

* added docs

Signed-off-by: raffaelespazzoli <[email protected]>

---------

Signed-off-by: raffaelespazzoli <[email protected]>

api/v1alpha1/gcpauthengineconfig_types.go

@@ -84,14 +84,13 @@ type GCPAuthEngineConfigList struct {
 
 type GCPConfig struct {
 
-
-	// Service Account Name. A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person. 
+	// Service Account Name. A service account is a special kind of account typically used by an application or compute workload, such as a Compute Engine instance, rather than a person.
 	// A service account is identified by its email address, which is unique to the account.
-	// Applications use service accounts to make authorized API calls by authenticating as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation. 
+	// Applications use service accounts to make authorized API calls by authenticating as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
 	// When an application authenticates as a service account, it has access to all resources that the service account has permission to access.
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=""
-	ServiceAccount string `json:"serviceAccount,omitempty"`	
+	ServiceAccount string `json:"serviceAccount,omitempty"`
 
 	// Must be either unique_id or role_id.
 	// If unique_id is specified, the service account's unique ID will be used for alias names during login.
@@ -138,7 +137,7 @@ type GCPConfig struct {
 	CustomEndpoint *apiextensionsv1.JSON `json:"customEndpoint,omitempty"`
 
 	retrievedServiceAccount string `json:"-"`
-	retrievedCredentials string `json:"-"`
+	retrievedCredentials    string `json:"-"`
 }
 
 var _ vaultutils.VaultObject = &GCPAuthEngineConfig{}

api/v1alpha1/kubernetesauthengineconfig_types.go

@@ -144,6 +144,17 @@ type KAECConfig struct {
 	// +kubebuilder:default=false
 	DisableLocalCAJWT bool `json:"disableLocalCAJWT,omitempty"`
 
+	// UseOperatorPodCA . This field is considered only if `kubernetesCACert` is not set and `disableLocalCAJWT` is set to true.
+	// In this case if this field is set to true the operator pod's CA is injected. This is the original behavior before the introduction of this field
+	// If tis field is set to false, the os ca bundle of where vault is running will be used.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	UseOperatorPodCA bool `json:"useOperatorPodCA,omitempty"`
+
+	// UseAnnotationsAsAliasMetadata  Use annotations from the client token's associated service account as alias metadata for the Vault entity. Only annotations with the vault.hashicorp.com/alias-metadata- key prefix are targeted as alias metadata and your annotations must be 512 characters or less due to the Vault alias metadata value limit. For example, if you configure the annotation vault.hashicorp.com/alias-metadata-foo, Vault saves the string "foo" along with the annotation value to the alias metadata. To save alias metadata, Vault must have permission to read service accounts from the Kubernetes API.
+	// +kubebuilder:validation:Optional
+	UseAnnotationsAsAliasMetadata bool `json:"useAnnotationsAsAliasMetadata,omitempty"`
+
 	retrievedTokenReviewerJWT string `json:"-"`
 }
 
@@ -199,6 +210,8 @@ func (i *KAECConfig) toMap() map[string]interface{} {
 	payload["issuer"] = i.Issuer
 	payload["disable_iss_validation"] = i.DisableISSValidation
 	payload["disable_local_ca_jwt"] = i.DisableLocalCAJWT
+	payload["use_annotations_as_alias_metadata"] = i.UseAnnotationsAsAliasMetadata
+
 	return payload
 }
 

api/v1alpha1/kubernetesauthengineconfig_webhook.go

@@ -45,7 +45,7 @@ var _ webhook.Defaulter = &KubernetesAuthEngineConfig{}
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *KubernetesAuthEngineConfig) Default() {
 	kubernetesauthengineconfiglog.Info("default", "name", r.Name)
-	if r.Spec.KubernetesCACert == "" {
+	if r.Spec.UseOperatorPodCA && r.Spec.KubernetesCACert == "" {
 		b, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
 		if err != nil {
 			kubernetesauthengineconfiglog.Error(err, "unable to read file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt")

config/crd/bases/redhatcop.redhat.io_kubernetesauthengineconfigs.yaml

@@ -180,6 +180,26 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              useAnnotationsAsAliasMetadata:
+                description: UseAnnotationsAsAliasMetadata  Use annotations from the
+                  client token's associated service account as alias metadata for
+                  the Vault entity. Only annotations with the vault.hashicorp.com/alias-metadata-
+                  key prefix are targeted as alias metadata and your annotations must
+                  be 512 characters or less due to the Vault alias metadata value
+                  limit. For example, if you configure the annotation vault.hashicorp.com/alias-metadata-foo,
+                  Vault saves the string "foo" along with the annotation value to
+                  the alias metadata. To save alias metadata, Vault must have permission
+                  to read service accounts from the Kubernetes API.
+                type: boolean
+              useOperatorPodCA:
+                default: true
+                description: UseOperatorPodCA . This field is considered only if `kubernetesCACert`
+                  is not set and `disableLocalCAJWT` is set to true. In this case
+                  if this field is set to true the operator pod's CA is injected.
+                  This is the original behavior before the introduction of this field
+                  If tis field is set to false, the os ca bundle of where vault is
+                  running will be used.
+                type: boolean
             type: object
           status:
             description: KubernetesAuthEngineConfigStatus defines the observed state

config/crd/kustomization.yaml

@@ -32,6 +32,7 @@ resources:
 - bases/redhatcop.redhat.io_groupaliases.yaml
 - bases/redhatcop.redhat.io_azureauthengineconfigs.yaml
 - bases/redhatcop.redhat.io_azureauthengineroles.yaml
+- bases/redhatcop.redhat.io_azuresecretengineconfigs.yaml
 - bases/redhatcop.redhat.io_gcpauthengineconfigs.yaml
 - bases/redhatcop.redhat.io_gcpauthengineroles.yaml
 #+kubebuilder:scaffold:crdkustomizeresource

config/local-development/vault-values.yaml

@@ -9,21 +9,21 @@ injector:
   enabled: false
   image:
     repository: "registry.connect.redhat.com/hashicorp/vault-k8s"
-    tag: "1.2.1-ubi"
+    tag: "1.4.2-ubi"
 
   agentImage:
     repository: "registry.connect.redhat.com/hashicorp/vault"
-    tag: "1.14.0-ubi"    
+    tag: "1.17.1-ubi"    
 
 csi:
   image:
     repository: "docker.io/hashicorp/vault-csi-provider"
-    tag: "1.2.1"
+    tag: "1.4.2"
     pullPolicy: IfNotPresent     
 
 server:
   image:
-    tag: "1.14.0-ubi"
+    tag: "1.17.1-ubi"
     repository: registry.connect.redhat.com/hashicorp/vault
 
   extraEnvironmentVars:
@@ -108,7 +108,7 @@ server:
   extraContainers:
     # you should not do this in production
     - name: auto-initializer
-      image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi
+      image: registry.connect.redhat.com/hashicorp/vault:1.17.1-ubi
       env: 
       - name: NAMESPACE
         valueFrom:
@@ -145,7 +145,7 @@ server:
           mountPath: /usr/local/libexec/vault          
     # you should not do this in production      
     - name: auto-unsealer
-      image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi
+      image: registry.connect.redhat.com/hashicorp/vault:1.17.1-ubi
       env: 
       - name: VAULT_SKIP_VERIFY
         value: "true"        
@@ -178,7 +178,7 @@ server:
         - name: vault-root-token
           mountPath: /vault-root-token  
     - name: github-module-loader
-      image: registry.connect.redhat.com/hashicorp/vault:1.14.0-ubi
+      image: registry.connect.redhat.com/hashicorp/vault:1.17.1-ubi
       env: 
       - name: VAULT_SKIP_VERIFY
         value: "true"        

config/webhook/manifests.yaml

@@ -63,6 +63,25 @@ webhooks:
     resources:
     - azureauthengineroles
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-redhatcop-redhat-io-v1alpha1-azuresecretengineconfig
+  failurePolicy: Fail
+  name: mazuresecretengineconfig.kb.io
+  rules:
+  - apiGroups:
+    - redhatcop.redhat.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    resources:
+    - azuresecretengineconfigs
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1beta1

controllers/azuresecretengineconfig_controller.go

@@ -192,7 +192,6 @@ func (r *AzureSecretEngineConfigReconciler) SetupWithManager(mgr ctrl.Manager) e
 
 }
 
-
 func (r *AzureSecretEngineConfigReconciler) findApplicableASEForSecret(ctx context.Context, secret *corev1.Secret) ([]redhatcopv1alpha1.AzureSecretEngineConfig, error) {
 	result := []redhatcopv1alpha1.AzureSecretEngineConfig{}
 	vrl := &redhatcopv1alpha1.AzureSecretEngineConfigList{}

docs/auth-engines.md

@@ -58,7 +58,15 @@ The `path` field specifies the path to configure. the complete path of the confi
 
 The `tokenReviewerServiceAccount.name` field specifies the service account to be used to perform the token review. This account must exists and must be granted the TokenReviews create permission. If not specified it will default to `default`.
 
-The `kubernetesCACert` field is the base64 encoded CA certificate that can be used to validate the connection to the master API. It will default to the content of the file `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"`. This default should work for most cases.
+The `kubernetesCACert` field is the base64 encoded CA certificate that can be used to validate the connection to the master API. If passed, that CA bundle will be used. Consult the following table to see what happens when the field is not passed
+
+| `kubernetesCACert`    | `disableLocalCAJWT` | `useOperatorPodCA` | Behaviour |
+| -------- | ------- | -------- | ------- |
+| set | ignored | ignored | the set CA is used |
+| unset | false | ignored | the `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` of the Vault's pod is used. If Vault is not running in a pod, then the behavior is undefined |
+| unset | true  | false | the default os CA where Vault is running is used |
+| unset | true  | true  | the `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` the operator pod is inject and used |
+
 
 The `kubernetesHost` field defines the master api endpoint. It defaults to `https://kubernetes.default.svc:443` and it should work most cases.
 

main.go

@@ -302,7 +302,7 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "AzureAuthEngineRole")
 			os.Exit(1)
 		}
-    
+
 		if err = (&redhatcopv1alpha1.GCPAuthEngineConfig{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "GCPAuthEngineConfig")
 			os.Exit(1)
@@ -311,7 +311,7 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "GCPAuthEngineRole")
 			os.Exit(1)
 		}
-    
+
 		if err = (&redhatcopv1alpha1.VaultSecret{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "VaultSecret")
 			os.Exit(1)

readme.md

@@ -526,6 +526,13 @@ oc apply -f ./test/kube-auth-engine-config.yaml -n vault-admin
 oc apply -f ./test/kube-auth-engine-role.yaml -n vault-admin
 ```
 
+Kube auth engine use vault pod OS ca bundle
+
+```sh
+oc apply -f ./test/kube-auth-engine-mount.yaml -n vault-admin
+oc apply -f ./test/kube-auth-engine-config-vault-pod-ca.yaml -n vault-admin
+```
+
 Github secret engine
 
 create a github application following the instructions [here](https://github.com/martinbaillie/vault-plugin-secrets-github#setup-github).

test/kube-auth-engine-config-vault-pod-ca.yaml

@@ -0,0 +1,13 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: KubernetesAuthEngineConfig
+metadata:
+  name: authenginemount-sample
+spec:
+  authentication: 
+    path: kubernetes
+    role: policy-admin
+  path: kube-authengine-mount-sample
+  disableISSValidation: true
+  disableLocalCAJWT: true
+  useOperatorPodCA: false
+  kubernetesHost: https://api.${cluster_base_domain}:6443