fix for #143
The Kubernetes auth mount path can now be provided in Vault when creating the auth, for multi-cluster setups.
Defaults to `kubernetes`.
Pankaj Jain authored and aviadhahami committed Feb 29, 2024
1 parent 81f8f8b commit a660d8a
Showing 4 changed files with 20 additions and 8 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -64,6 +64,16 @@ vault.write('secret/hello', { value: 'world', lease: '1s' })
.then( () => vault.delete('secret/hello'))
.catch(console.error);
```
### Kubernetes Auth Example
```javascript

//if vault kubernets endpoint is /auth/example-cluster/login and role is example-role
//read token from default token mount path
const token = await fs.readFileSync('/var/run/secrets/kubernetes.io/serviceaccount/token', { encoding: 'utf8' });
vault.kubernetesLogin({role: 'example-role' ,
jwt: token,
kubernetesPath: 'example-cluster'})
```

## Docs
Just generate [docco] docs via `npm run docs`.
7 changes: 4 additions & 3 deletions example/auth_kubernetes.js
Expand Up @@ -9,6 +9,7 @@ const kubernetesCaCert = process.env.K8S_CA_CERT || 'k8s-ca-certificate-data';

const appName = process.env.APP_NAME || 'some-app';
const appServiceAccountSecretToken = process.env.APP_SVC_ACCT_SECRET_TOKEN || 'app-k8s-token';
const kubernetesPath = process.env.APP_SVC_ACCT_SECRET_TOKEN || 'kubernetes';

vault.auths()
.then((result) => {
Expand All @@ -19,7 +20,7 @@ vault.auths()
description: 'Kubernetes auth',
});
})
.then(() => vault.write('auth/kubernetes/config', {
.then(() => vault.write('auth/${kubernetesPath}/config', {
token_reviewer_jwt: vaultServicAccountSecretToken,
kubernetes_host: kubernetesHostUrl,
kubernetes_ca_cert: kubernetesCaCert,
Expand All @@ -28,12 +29,12 @@ vault.auths()
name: appName,
rules: `path "secret/${appName}/*" { capabilities = ["read"] }`,
}))
.then(() => vault.write(`auth/kubernetes/role/${appName}`, {
.then(() => vault.write(`auth/${kubernetesPath}/role/${appName}`, {
bound_service_account_names: appName,
bound_service_account_namespaces: 'default',
policies: appName,
ttl: '1h',
}))
.then(() => vault.kubernetesLogin({ role: appName, jwt: appServiceAccountSecretToken }))
.then(() => vault.kubernetesLogin({ role: appName, jwt: appServiceAccountSecretToken, kubernetesPath: kubernetesPath }))
.then(console.log)
.catch((err) => console.error(err.message));
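Review bot: The new `kubernetesPath` constant in the first hunk reads `process.env.APP_SVC_ACCT_SECRET_TOKEN`, the same variable that already feeds `appServiceAccountSecretToken` one line above, so whenever that variable is set the service-account token itself becomes the auth mount segment and is sent as part of the request URL, where it would be visible in Vault audit logs and any intermediary; a dedicated variable is needed, e.g. `const kubernetesPath = process.env.K8S_AUTH_PATH || 'kubernetes';` (the variable name is a constructed placeholder). The config write in the second hunk uses single quotes, `'auth/${kubernetesPath}/config'`, so the placeholder is never interpolated and Vault receives the literal path; it should be a template literal, `` `auth/${kubernetesPath}/config` ``, like the role write below it. The login call in the last hunk can use property shorthand, `{ role: appName, jwt: appServiceAccountSecretToken, kubernetesPath }`. The promise chain starts before the first hunk and is only partly visible here.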
10 changes: 5 additions & 5 deletions src/commands.js
Expand Up @@ -205,7 +205,7 @@ module.exports = {
},
addKubernetesRole: {
method: 'POST',
path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
schema: {
req: {
name: {
Expand Down Expand Up @@ -240,14 +240,14 @@ module.exports = {
},
getKubernetesRole: {
method: 'GET',
path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
schema: {
res: kubernetesRoleResponse,
},
},
deleteKubernetesRole: {
method: 'DELETE',
path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/role/{{ role_name }}',
path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/role/{{ role_name }}',
},
addApproleRole: {
method: 'POST',
Expand Down Expand Up @@ -611,7 +611,7 @@ module.exports = {
},
kubernetesLogin: {
method: 'POST',
path: '/auth/{{mount_point}}{{^mount_point}}kubernetes{{/mount_point}}/login',
path: '/auth/{{mount_point}}{{^mount_point}}{{kubernetesPath}}{{/mount_point}}/login',
tokenSource: true,
schema: {
req: {
Expand Down Expand Up @@ -742,7 +742,7 @@ module.exports = {
},
res: tokenResponse,
},
},
},
tokenAccessors: {
method: 'LIST',
path: '/auth/token/accessors',
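Review bot: The `kubernetesLogin` path template now falls back to `{{kubernetesPath}}` instead of the literal `kubernetes` when `mount_point` is absent, so the fallback only works if a `kubernetesPath` value is present in the template context at render time; this section does not show how the context is built, and if it is rendered only from the call arguments, a call without `kubernetesPath` would render `/auth//login` where it previously rendered `/auth/kubernetes/login`. The same applies to the `addKubernetesRole`, `getKubernetesRole` and `deleteKubernetesRole` paths changed in the earlier hunks. A one-line comment on each changed path, `// mount_point wins; otherwise kubernetesPath (request arg or client default) must be in scope`, would make the expectation explicit, and a test that calls `kubernetesLogin` without `kubernetesPath` and asserts the rendered path still contains `auth/kubernetes/login` would guard the default. The final hunk is a whitespace-only change and needs nothing.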
1 change: 1 addition & 0 deletions src/index.js
Expand Up @@ -75,6 +75,7 @@ module.exports = (config = {}) => {
client.token = config.token || process.env.VAULT_TOKEN;
client.noCustomHTTPVerbs = config.noCustomHTTPVerbs || false;
client.namespace = config.namespace || process.env.VAULT_NAMESPACE;
client.kubernetesPath = config.kubernetesPath || 'kubernetes';

const requestSchema = {
type: 'object',
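Review bot: The new `client.kubernetesPath` constructor option is not documented; the README change in this commit only shows `kubernetesPath` passed per call to `kubernetesLogin`, and nothing in this section shows which of the two takes precedence when both are given. A comment on the new line such as `// Default Kubernetes auth mount path; a per-call kubernetesPath or mount_point overrides it (confirm against the request builder)` plus a README line for the constructor option would close the gap. The `||` default matches the surrounding lines, so no change there.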
