weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Changes the vault issuer Kubernetes auth path to require the full path

Browse Source 
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
This commit is contained in:
JoshVanL 2019-11-11 12:19:10 +00:00
parent f46029b999
commit 7ec3103eb4
8 changed files with 23 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
deploy/charts/cert-manager/crds/clusterissuers.yaml
View File

@ -1473,11 +1473,10 @@ spec:
- secretRef
properties:
mountPath:
description: The value here will be used as part of the
path used when authenticating with vault, for example
if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
If unspecified, the default value "kubernetes" will be
used.
description: The vault here is the path to use when authenticating
with vault, for example setting a value to `/v1/auth/foo/login`.
If unspecified, the default value "/v1/auth/kubernetes/login"
will be used.
type: string
role:
description: A required field containing the Vault Role

9
deploy/charts/cert-manager/crds/issuers.yaml
View File

@ -1473,11 +1473,10 @@ spec:
- secretRef
properties:
mountPath:
description: The value here will be used as part of the
path used when authenticating with vault, for example
if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
If unspecified, the default value "kubernetes" will be
used.
description: The vault here is the path to use when authenticating
with vault, for example setting a value to `/v1/auth/foo/login`.
If unspecified, the default value "/v1/auth/kubernetes/login"
will be used.
type: string
role:
description: A required field containing the Vault Role

18
deploy/manifests/00-crds.yaml
View File

@ -3257,11 +3257,10 @@ spec:
- secretRef
properties:
mountPath:
description: The value here will be used as part of the
path used when authenticating with vault, for example
if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
If unspecified, the default value "kubernetes" will be
used.
description: The vault here is the path to use when authenticating
with vault, for example setting a value to `/v1/auth/foo/login`.
If unspecified, the default value "/v1/auth/kubernetes/login"
will be used.
type: string
role:
description: A required field containing the Vault Role
@ -4912,11 +4911,10 @@ spec:
- secretRef
properties:
mountPath:
description: The value here will be used as part of the
path used when authenticating with vault, for example
if you set a value of "foo", the path used will be `/v1/auth/foo/login`.
If unspecified, the default value "kubernetes" will be
used.
description: The vault here is the path to use when authenticating
with vault, for example setting a value to `/v1/auth/foo/login`.
If unspecified, the default value "/v1/auth/kubernetes/login"
will be used.
type: string
role:
description: A required field containing the Vault Role

2
docs/generated/reference/output/reference/api-docs/index.html
View File

@ -2691,7 +2691,7 @@ Appears In:
</thead>
<tbody><tr>
<td><code>mountPath</code><br /> <em>string</em></td>
<td>The value here will be used as part of the path used when authenticating with vault, for example if you set a value of &#34;foo&#34;, the path used will be <code>/v1/auth/foo/login</code>. If unspecified, the default value &#34;kubernetes&#34; will be used.</td>
<td>The vault here is the path to use when authenticating with vault, for example setting a value to <code>/v1/auth/foo/login</code>. If unspecified, the default value &#34;/v1/auth/kubernetes/login&#34; will be used.</td>
</tr>
<tr>
<td><code>role</code><br /> <em>string</em></td>

2
pkg/apis/certmanager/v1alpha2/const.go
View File

@ -38,5 +38,5 @@ const (
// Default mount path location for Kubernetes ServiceAccount authentication
// (/v1/auth/kubernetes/login)
DefaultVaultKubernetesAuthMountPath = "kubernetes"
DefaultVaultKubernetesAuthMountPath = "/v1/auth/kubernetes/login"
)

7
pkg/apis/certmanager/v1alpha2/types_issuer.go
View File

@ -193,10 +193,9 @@ type VaultAppRole struct {
// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
// a Secret.
type VaultKubernetesAuth struct {
// The value here will be used as part of the path used when authenticating
// with vault, for example if you set a value of "foo", the path used will be
// `/v1/auth/foo/login`. If unspecified, the default value "kubernetes" will
// be used.
// The vault here is the path to use when authenticating with vault, for
// example setting a value to `/v1/auth/foo/login`. If unspecified, the
// default value "/v1/auth/kubernetes/login" will be used.
// +optional
Path string `json:"mountPath,omitempty"`

4
pkg/internal/vault/vault.go
View File

@ -22,7 +22,6 @@ import (
"fmt"
"net/http"
"path"
"path/filepath"
"strings"
"time"
@ -318,8 +317,7 @@ func (v *Vault) requestTokenWithKubernetesAuth(client Client, kubernetesAuth *v1
mountPath = v1alpha2.DefaultVaultKubernetesAuthMountPath
}
url := filepath.Join("/v1", "auth", mountPath, "login")
request := client.NewRequest("POST", url)
request := client.NewRequest("POST", mountPath)
err = request.SetJSONBody(parameters)
if err != nil {
return "", fmt.Errorf("error encoding Vault parameters: %s", err.Error())

2
test/e2e/suite/issuers/vault/issuer.go
View File

@ -63,7 +63,7 @@ var _ = framework.CertManagerDescribe("Vault Issuer", func() {
vaultKubernetesRoleName := "kubernetes-role"
vaultPath := path.Join(intermediateMount, "sign", role)
appRoleAuthPath := "approle"
kubernetesAuthPath := "kubernetes"
kubernetesAuthPath := "/v1/auth/kubernetes/login"
var roleId, secretId string
var vaultInit *vaultaddon.VaultInitializer