Add new VaultAuthGlobal type #735
Conversation
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
2 times, most recently
from
74dca96
to
7ecc7c0
Compare
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
5 times, most recently
from
4406bf0
to
071ba35
Compare
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
2 times, most recently
from
303ce2f
to
6eaec64
Compare
|
Relates to #341 |
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
from
6eaec64
to
84003e2
Compare
benashz
changed the title
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
from
84003e2
to
86c22bc
Compare
The resource provide a resource holding Vault auth configuration that
can be shared across VaultAuth resources. A VaultAuth instance only
needs to provide the authentication method and a valid
vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal
with the referring VaultAuth. This allows for a VaultAuth instance to
inherit some global authentication configuration.
The VaultAuthGlobal resource can be configured with one or more Vault
auth method specific configuration.
Given the following VaultAuthGlobal:
```
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuthGlobal
metadata:
name: default
namespace: tenant-ns
spec:
kubernetes:
audiences:
- vault
namespace: demo-ns
mount: demo-auth-mount
role: auth-role
serviceAccount: default
tokenExpirationSeconds: 600
```
The referring VaultAuth would look like:
```
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: tenant-ns
spec:
method: kubernetes
vaultAuthGlobalRef: default
```
benashz
force-pushed
the
VAULT-23381/add-support-global-vault-auth-config
branch
from
86c22bc
to
b0a73a4
Compare
api/v1beta1/vaultauth_types.go
Outdated
| // method will be used. This can be used as a default Vault namespace for all | ||
| // auth methods. |
There was a problem hiding this comment.
Is this really a default for all auth methods? That sounds like something that would apply in VaultAuthGlobal but not VaultAuth.
controllers/vaultauth_controller.go
Outdated
| } else { | ||
| o = mObj | ||
| condition.Message = fmt.Sprintf("%s:%s:%d", | ||
|
|
controllers/vaultauth_controller.go
Outdated
| FilterFunc: filterOldCacheRefs, | ||
| PruneStorage: true, | ||
| }); err != nil { | ||
| // hash the VaultAut |
There was a problem hiding this comment.
| // hash the VaultAut | |
| // hash the VaultAuth |
controllers/vaultauth_controller.go
Outdated
| Watches( | ||
| &secretsv1beta1.VaultAuthGlobal{}, | ||
| NewEnqueueRefRequestsHandler(VaultAuthGlobal, r.referenceCache, nil, nil), | ||
| // builder.WithPredicates(&predicate.GenerationChangedPredicate{}), |
There was a problem hiding this comment.
Dropped in 6c44b68
| cObj.Spec.Headers = firstNonZeroLen(mapLenFunc[string, string], | ||
| cObj.Spec.Headers, globalAuthHeaders, gObj.Spec.DefaultHeaders) | ||
| cObj.Spec.Params = firstNonZeroLen(mapLenFunc[string, string], | ||
| cObj.Spec.Params, globalAuthParams, gObj.Spec.DefaultParams) |
There was a problem hiding this comment.
For headers and params, another strategy would be to combine the global and cObj items, where cObj.Spec.Headers could add to and override globalAuthHeaders items, for example. Have we considered that style of merge?
There was a problem hiding this comment.
It was definitely a consideration to take the union of all params/headers, but I hesitant, since there would be no way for a referring VaultAuth to omit specific keys without extending the functionality of the vaultAuthGlobalRef. One thing that we could do is to allow for configurable merge strategies to be set in the VaultAuthSpec. I can put up a spike PR for that.
api/v1beta1/vaultauth_types.go
Outdated
| Valid bool `json:"valid"` | ||
| Error string `json:"error"` | ||
| Valid bool `json:"valid"` | ||
| Error string `json:"error"` |
There was a problem hiding this comment.
I know this was already there, but shouldn't this be tagged omitempty? As in an empty Error with Valid=true would be a valid status?
There was a problem hiding this comment.
SGTM, updated in 6c44b68
| Valid bool `json:"valid"` | ||
| Error string `json:"error"` | ||
| Conditions []metav1.Condition `json:"conditions,omitempty"` | ||
| SpecHash string `json:"specHash,omitempty"` | ||
| } |
There was a problem hiding this comment.
Is there a way for users to see what the merged VaultAuth spec is? I wonder if in the future putting the full merged spec in the status would make sense. Would be a a little crowded though.
There was a problem hiding this comment.
It was definitely a consideration, since the hash of the spec is rather opaque :) I think it could make things easier to debug. I can spike in another PR to see what we think. Since we are introducing Conditions here, we could always extend it later as well.
Fixes: - vaultConnectionRef not be inherited from the global auth - firstNonZeroLen() always returned last - misc doc updates and improvements - some fixes to the credentials providers
| { | ||
| name: "invalid-nil-auth-config", | ||
| c: builder.Build(), | ||
| gObj: &secretsv1beta1.VaultAuthGlobal{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Namespace: "baz", | ||
| Name: "buz", | ||
| }, | ||
| }, | ||
| o: &secretsv1beta1.VaultAuth{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Namespace: "baz", | ||
| Name: "foo", | ||
| }, | ||
| Spec: secretsv1beta1.VaultAuthSpec{ | ||
| VaultAuthGlobalRef: "buz", | ||
| }, | ||
| }, | ||
| wantErr: func(t assert.TestingT, err error, i ...interface{}) bool { | ||
| return assert.ErrorContains(t, err, "no auth method set in VaultAuth baz/foo") | ||
| }, | ||
| }, |
There was a problem hiding this comment.
Could we have more test coverages for other auth methods for invalid auth config cases after merged with VaultAuthGlobal?
| // unset - disallow all namespaces except the Operator's the VaultAuthMethod's | ||
| // namespace, this is the default behavior. |
There was a problem hiding this comment.
except the Operator's the VaultAuthMethod's namespace
Which is it?
| Type: "VaultAuthGlobalRef", | ||
| Status: "True", | ||
| ObservedGeneration: o.Generation, | ||
| LastTransitionTime: metav1.NewTime(nowFunc()), |
There was a problem hiding this comment.
This doesn't seem like a transition time, more like an evaluation time?
| var errs error | ||
|
|
||
| var conditions []metav1.Condition |
There was a problem hiding this comment.
Should this be adding onto the existing conditions on the object's status? It looks like this starts over with a single entry every evaluation.
| Status: "True", | ||
| ObservedGeneration: o.Generation, | ||
| LastTransitionTime: metav1.NewTime(nowFunc()), | ||
| Reason: "VaultAuthGlobalRef", |
There was a problem hiding this comment.
I wonder if Type and Reason should be different?
The resource provide a resource holding Vault auth configuration that can be shared across VaultAuth resources. A VaultAuth instance only needs to provide the authentication method and a valid vaultAuthGlobalRef. VSO will automatically merge the VaultAuthGlobal with the referring VaultAuth. This allows for a VaultAuth instance to inherit some global authentication configuration.
The VaultAuthGlobal resource can be configured with one or more Vault auth method specific configuration.
Given the following VaultAuthGlobal:
The referring VaultAuth would look like:
If you wanted to override the
kubernetes.rolethe VaultAuth would look like:The referring
VaultAuth's configuration always overrides itsVaultAuthGlobal's configuration.