Merge pull request #2349 from JoshVanL/2205-kubernetes-auth-path

Changes the vault issuer Kubernetes auth path to require the full *mount* path
2019-11-13 09:58:26 +00:00 · 2019-11-13 09:58:26 +00:00 · 1bfec37482
commit 1bfec37482
parent 299a5d629c 0e739bdde9
8 changed files with 30 additions and 29 deletions
--- a/deploy/charts/cert-manager/crds/clusterissuers.yaml
+++ b/deploy/charts/cert-manager/crds/clusterissuers.yaml
@ -1488,11 +1488,11 @@ spec:
                      - secretRef
                      properties:
                        mountPath:
-                          description: The value here will be used as part of the
-                            path used when authenticating with vault, for example
-                            if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
-                            If unspecified, the default value "kubernetes" will be
-                            used.
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
                          type: string
                        role:
                          description: A required field containing the Vault Role
--- a/deploy/charts/cert-manager/crds/issuers.yaml
+++ b/deploy/charts/cert-manager/crds/issuers.yaml
@ -1488,11 +1488,11 @@ spec:
                      - secretRef
                      properties:
                        mountPath:
-                          description: The value here will be used as part of the
-                            path used when authenticating with vault, for example
-                            if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
-                            If unspecified, the default value "kubernetes" will be
-                            used.
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
                          type: string
                        role:
                          description: A required field containing the Vault Role
--- a/deploy/manifests/00-crds.yaml
+++ b/deploy/manifests/00-crds.yaml
@ -3272,11 +3272,11 @@ spec:
                      - secretRef
                      properties:
                        mountPath:
-                          description: The value here will be used as part of the
-                            path used when authenticating with vault, for example
-                            if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
-                            If unspecified, the default value "kubernetes" will be
-                            used.
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
                          type: string
                        role:
                          description: A required field containing the Vault Role
@ -4942,11 +4942,11 @@ spec:
                      - secretRef
                      properties:
                        mountPath:
-                          description: The value here will be used as part of the
-                            path used when authenticating with vault, for example
-                            if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
-                            If unspecified, the default value "kubernetes" will be
-                            used.
+                          description: The Vault mountPath here is the mount path
+                            to use when authenticating with Vault. For example, setting
+                            a value to `/v1/auth/foo`, will use the path `/v1/auth/foo/login`
+                            to authenticate with Vault. If unspecified, the default
+                            value "/v1/auth/kubernetes" will be used.
                          type: string
                        role:
                          description: A required field containing the Vault Role
--- a/docs/generated/reference/output/reference/api-docs/index.html
+++ b/docs/generated/reference/output/reference/api-docs/index.html
@ -2691,7 +2691,7 @@ Appears In:
 </thead>
 <tbody><tr>
 <td><code>mountPath</code><br /> <em>string</em></td>
-<td>The value here will be used as part of the path used when authenticating with vault, for example if you set a value of &#34;foo&#34;, the path used will be <code>/v1/auth/foo/login</code>. If unspecified, the default value &#34;kubernetes&#34; will be used.</td>
+<td>The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to <code>/v1/auth/foo</code>, will use the path <code>/v1/auth/foo/login</code> to authenticate with Vault. If unspecified, the default value &#34;/v1/auth/kubernetes&#34; will be used.</td>
 </tr>
 <tr>
 <td><code>role</code><br /> <em>string</em></td>
--- a/pkg/apis/certmanager/v1alpha2/const.go
+++ b/pkg/apis/certmanager/v1alpha2/const.go
@ -37,6 +37,7 @@ const (
 	DefaultVaultTokenAuthSecretKey = "token"

 	// Default mount path location for Kubernetes ServiceAccount authentication
-	// (/v1/auth/kubernetes/login)
-	DefaultVaultKubernetesAuthMountPath = "kubernetes"
+	// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
+	// left as the default, `/v1/auth/kubernetes/login` will be called.
+	DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes"
 )
--- a/pkg/apis/certmanager/v1alpha2/types_issuer.go
+++ b/pkg/apis/certmanager/v1alpha2/types_issuer.go
@ -196,10 +196,10 @@ type VaultAppRole struct {
 // Authenticate against Vault using a Kubernetes ServiceAccount token stored in
 // a Secret.
 type VaultKubernetesAuth struct {
-	// The value here will be used as part of the path used when authenticating
-	// with vault, for example if you set a value of "foo", the path used will be
-	// `/v1/auth/foo/login`. If unspecified, the default value "kubernetes" will
-	// be used.
+	// The Vault mountPath here is the mount path to use when authenticating with
+	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+	// default value "/v1/auth/kubernetes" will be used.
 	// +optional
 	Path string `json:"mountPath,omitempty"`

--- a/pkg/internal/vault/vault.go
+++ b/pkg/internal/vault/vault.go
@ -318,7 +318,7 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
 		mountPath = v1alpha2.DefaultVaultKubernetesAuthMountPath
 	}

-	url := filepath.Join("/v1", "auth", mountPath, "login")
+	url := filepath.Join(mountPath, "login")
 	request := client.NewRequest("POST", url)
 	err = request.SetJSONBody(parameters)
 	if err != nil {
--- a/test/e2e/suite/issuers/vault/issuer.go
+++ b/test/e2e/suite/issuers/vault/issuer.go
@ -63,7 +63,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
 	vaultKubernetesRoleName := "kubernetes-role"
 	vaultPath := path.Join(intermediateMount, "sign", role)
 	appRoleAuthPath := "approle"
-	kubernetesAuthPath := "kubernetes"
+	kubernetesAuthPath := "/v1/auth/kubernetes"
 	var roleId, secretId string
 	var vaultInit *vaultaddon.VaultInitializer