New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new VaultAuthGlobal type #735
base: main
Are you sure you want to change the base?
Conversation
74dca96
to
7ecc7c0
Compare
4406bf0
to
071ba35
Compare
303ce2f
to
6eaec64
Compare
Relates to #341 |
6eaec64
to
84003e2
Compare
84003e2
to
86c22bc
Compare
The resource provide a resource holding Vault auth configuration that can be shared across VaultAuth resources. A VaultAuth instance only needs to provide the authentication method and a valid vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal with the referring VaultAuth. This allows for a VaultAuth instance to inherit some global authentication configuration. The VaultAuthGlobal resource can be configured with one or more Vault auth method specific configuration. Given the following VaultAuthGlobal: ``` apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultAuthGlobal metadata: name: default namespace: tenant-ns spec: kubernetes: audiences: - vault namespace: demo-ns mount: demo-auth-mount role: auth-role serviceAccount: default tokenExpirationSeconds: 600 ``` The referring VaultAuth would look like: ``` apiVersion: secrets.hashicorp.com/v1beta1 kind: VaultAuth metadata: name: default namespace: tenant-ns spec: method: kubernetes vaultAuthGlobalRef: default ```
86c22bc
to
b0a73a4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking good to me, my only real concern is that VaultConnectionRef in VaultAuthGlobal doesn't seem to be used.
api/v1beta1/vaultauth_types.go
Outdated
// method will be used. This can be used as a default Vault namespace for all | ||
// auth methods. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this really a default for all auth methods? That sounds like something that would apply in VaultAuthGlobal but not VaultAuth.
controllers/vaultauth_controller.go
Outdated
} else { | ||
o = mObj | ||
condition.Message = fmt.Sprintf("%s:%s:%d", | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 6c44b68
controllers/vaultauth_controller.go
Outdated
FilterFunc: filterOldCacheRefs, | ||
PruneStorage: true, | ||
}); err != nil { | ||
// hash the VaultAut |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// hash the VaultAut | |
// hash the VaultAuth |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 6c44b68
controllers/vaultauth_controller.go
Outdated
Watches( | ||
&secretsv1beta1.VaultAuthGlobal{}, | ||
NewEnqueueRefRequestsHandler(VaultAuthGlobal, r.referenceCache, nil, nil), | ||
// builder.WithPredicates(&predicate.GenerationChangedPredicate{}), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dropped in 6c44b68
cObj.Spec.Headers = firstNonZeroLen(mapLenFunc[string, string], | ||
cObj.Spec.Headers, globalAuthHeaders, gObj.Spec.DefaultHeaders) | ||
cObj.Spec.Params = firstNonZeroLen(mapLenFunc[string, string], | ||
cObj.Spec.Params, globalAuthParams, gObj.Spec.DefaultParams) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For headers and params, another strategy would be to combine the global and cObj items, where cObj.Spec.Headers
could add to and override globalAuthHeaders
items, for example. Have we considered that style of merge?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was definitely a consideration to take the union of all params/headers, but I hesitant, since there would be no way for a referring VaultAuth to omit specific keys without extending the functionality of the vaultAuthGlobalRef. One thing that we could do is to allow for configurable merge strategies to be set in the VaultAuthSpec. I can put up a spike PR for that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
api/v1beta1/vaultauth_types.go
Outdated
Valid bool `json:"valid"` | ||
Error string `json:"error"` | ||
Valid bool `json:"valid"` | ||
Error string `json:"error"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know this was already there, but shouldn't this be tagged omitempty
? As in an empty Error with Valid=true would be a valid status?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM, updated in 6c44b68
Valid bool `json:"valid"` | ||
Error string `json:"error"` | ||
Conditions []metav1.Condition `json:"conditions,omitempty"` | ||
SpecHash string `json:"specHash,omitempty"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way for users to see what the merged VaultAuth spec is? I wonder if in the future putting the full merged spec in the status would make sense. Would be a a little crowded though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was definitely a consideration, since the hash of the spec is rather opaque :) I think it could make things easier to debug. I can spike in another PR to see what we think. Since we are introducing Conditions here, we could always extend it later as well.
Fixes: - vaultConnectionRef not be inherited from the global auth - firstNonZeroLen() always returned last - misc doc updates and improvements - some fixes to the credentials providers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's looking good for me.
{ | ||
name: "invalid-nil-auth-config", | ||
c: builder.Build(), | ||
gObj: &secretsv1beta1.VaultAuthGlobal{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Namespace: "baz", | ||
Name: "buz", | ||
}, | ||
}, | ||
o: &secretsv1beta1.VaultAuth{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Namespace: "baz", | ||
Name: "foo", | ||
}, | ||
Spec: secretsv1beta1.VaultAuthSpec{ | ||
VaultAuthGlobalRef: "buz", | ||
}, | ||
}, | ||
wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
return assert.ErrorContains(t, err, "no auth method set in VaultAuth baz/foo") | ||
}, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we have more test coverages for other auth methods for invalid auth config cases after merged with VaultAuthGlobal?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems reasonable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not quite sure I understand the usage of conditions on the VaultAuth status, but this all seems to work for me.
// unset - disallow all namespaces except the Operator's the VaultAuthMethod's | ||
// namespace, this is the default behavior. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
except the Operator's the VaultAuthMethod's namespace
Which is it?
Type: "VaultAuthGlobalRef", | ||
Status: "True", | ||
ObservedGeneration: o.Generation, | ||
LastTransitionTime: metav1.NewTime(nowFunc()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem like a transition time, more like an evaluation time?
var errs error | ||
|
||
var conditions []metav1.Condition |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be adding onto the existing conditions on the object's status? It looks like this starts over with a single entry every evaluation.
Status: "True", | ||
ObservedGeneration: o.Generation, | ||
LastTransitionTime: metav1.NewTime(nowFunc()), | ||
Reason: "VaultAuthGlobalRef", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if Type
and Reason
should be different?
The resource provide a resource holding Vault auth configuration that can be shared across VaultAuth resources. A VaultAuth instance only needs to provide the authentication method and a valid vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal with the referring VaultAuth. This allows for a VaultAuth instance to inherit some global authentication configuration.
The VaultAuthGlobal resource can be configured with one or more Vault auth method specific configuration.
Given the following VaultAuthGlobal:
The referring VaultAuth would look like:
If you wanted to override the
kubernetes.role
the VaultAuth would look like:The referring
VaultAuth
's configuration always overrides itsVaultAuthGlobal
's configuration.